From a965301b2ecb8da0a00977865796713386fa5266 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 2 Aug 2022 16:37:27 -0400 Subject: [PATCH 0001/1082] manage salt-minion start delay with systemd drop-in file - https://github.com/Security-Onion-Solutions/securityonion/issues/8441
---
 salt/salt/map.jinja | 2 -- salt/salt/minion.sls | 6 +++--- salt/salt/service/salt-minion.service.jinja | 15 --------------- salt/salt/service/start-delay.conf.jinja | 2 ++ 4 files changed, 5 insertions(+), 20 deletions(-) delete mode 100644 salt/salt/service/salt-minion.service.jinja create mode 100644 salt/salt/service/start-delay.conf.jinja
diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 389a95607..eb9f5ae89 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -11,7 +11,6 @@
 {% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %}
 {% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %}
 {% set PYTHONINSTALLER = 'pip' %}
- {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
 {% set SPLITCHAR = '-' %}
 {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
@@ -22,7 +21,6 @@
 {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
 {% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
 {% set PYTHONINSTALLER = 'pkg' %}
- {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
 {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 15e203d82..fafb6f0f3 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -81,10 +81,10 @@ set_log_levels:
 - "log_level: error"
 - "log_level_logfile: error"
-salt_minion_service_unit_file:
+salt_minion_service_start_delay:
 file.managed:
- - name: {{ SYSTEMD_UNIT_FILE }}
- - source: salt://salt/service/salt-minion.service.jinja
+ - name: /etc/systemd/system/salt-minion.service.d/start-delay.conf
+ - source: salt://salt/service/start-delay.conf.jinja
 - template: jinja
 - defaults:
 service_start_delay: {{ service_start_delay }}
diff --git a/salt/salt/service/salt-minion.service.jinja b/salt/salt/service/salt-minion.service.jinja
deleted file mode 100644
index c7bae0bc2..000000000
--- a/salt/salt/service/salt-minion.service.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=The Salt Minion
-Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
-After=network.target salt-master.service
-
-[Service]
-KillMode=process
-Type=notify
-NotifyAccess=all
-LimitNOFILE=8192
-ExecStart=/usr/bin/salt-minion
-ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/salt/salt/service/start-delay.conf.jinja b/salt/salt/service/start-delay.conf.jinja
new file mode 100644
index 000000000..33917b174
--- /dev/null
+++ b/salt/salt/service/start-delay.conf.jinja
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
From 2bd9dd80e2e245be99b72e790cbc9c3aaa84bd63 Mon Sep 17 00:00:00 2001
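Review bot: The `salt_minion_service_start_delay` state writes a drop-in that systemd reads for a root-run service, yet the lines visible in this hunk neither pin the file's owner and mode nor create the `salt-minion.service.d` directory, which a host may not have yet. I would add `- makedirs: True`, `- user: root` and `- mode: '0644'` under `file.managed` so the state does not fail on a missing parent directory and the drop-in can only be changed by root. The state body runs past the end of the hunk, so these options, and the `daemon-reload` systemd needs before it honours a changed drop-in, may already be present further down. Hosts that received the old templated unit presumably still carry its `ExecStartPre` sleep, and systemd appends a drop-in's `ExecStartPre=` to the unit's list instead of replacing it, so the delay may run twice there until the packaged unit is restored.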
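Review bot: The pillar value `salt:minion:service_start_delay` is rendered unvalidated into an `ExecStartPre=` command line of a service that starts as root. systemd parses everything after `/bin/sleep` on that line, so a non-numeric or multi-token value would change what the unit executes instead of merely failing the sleep. Coercing it in the template keeps the line to a single integer argument (a value that is not a number becomes 0): `ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) | int }}`. A one-line comment above `[Service]`, such as `# Managed by Salt: adds only the salt-minion start delay`, would also help whoever finds this file on a host.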
From: Mike Reeves Date: Wed, 7 Sep 2022 09:06:25 -0400 Subject: [PATCH 0002/1082] Move In Day --- README.md | 14 +- VERIFY_ISO.md | 22 +- VERSION | 2 +- assets/images/screenshots/alerts-1.png | Bin 0 -> 250878 bytes assets/images/screenshots/alerts.png | Bin 191000 -> 0 bytes assets/images/screenshots/cases-comments.png | Bin 206057 -> 0 bytes assets/images/screenshots/dashboards.png | Bin 395029 -> 0 bytes assets/images/screenshots/hunt-1.png | Bin 0 -> 171491 bytes assets/images/screenshots/hunt.png | Bin 195653 -> 0 bytes files/firewall/hostgroups.local.yaml | 22 +- files/salt/master/master | 2 - pillar/logstash/init.sls | 1 + pillar/logstash/manager.sls | 1 + pillar/logstash/nodes.sls | 2 +- pillar/logstash/search.sls | 2 +- pillar/top.sls | 119 +- salt/allowed_states.map.jinja | 66 +- salt/ca/init.sls | 10 +- salt/common/init.sls | 125 +- salt/common/packages.sls | 61 + salt/common/tools/sbin/so-allow | 81 +- salt/common/tools/sbin/so-allow-view | 20 +- salt/common/tools/sbin/so-analyst-install | 17 +- salt/common/tools/sbin/so-checkin | 20 +- salt/common/tools/sbin/so-common | 31 +- salt/common/tools/sbin/so-config-backup | 20 +- salt/common/tools/sbin/so-cortex-restart | 20 +- salt/common/tools/sbin/so-cortex-start | 20 +- salt/common/tools/sbin/so-cortex-stop | 20 +- salt/common/tools/sbin/so-cortex-user-add | 20 +- salt/common/tools/sbin/so-cortex-user-enable | 20 +- salt/common/tools/sbin/so-curator-restart | 20 +- salt/common/tools/sbin/so-curator-start | 20 +- salt/common/tools/sbin/so-curator-stop | 20 +- salt/common/tools/sbin/so-deny | 87 +- salt/common/tools/sbin/so-docker-prune | 20 +- salt/common/tools/sbin/so-docker-refresh | 20 +- salt/common/tools/sbin/so-elastalert-restart | 20 +- salt/common/tools/sbin/so-elastalert-start | 20 +- salt/common/tools/sbin/so-elastalert-stop | 20 +- .../sbin/so-elastic-agent-gen-installers | 32 + salt/common/tools/sbin/so-elastic-auth | 67 - .../tools/sbin/so-elastic-auth-password-reset | 27 +- 
salt/common/tools/sbin/so-elastic-clear | 28 +- salt/common/tools/sbin/so-elastic-diagnose | 20 +- salt/common/tools/sbin/so-elastic-fleet-setup | 81 + salt/common/tools/sbin/so-elastic-restart | 28 +- salt/common/tools/sbin/so-elastic-start | 28 +- salt/common/tools/sbin/so-elastic-stop | 28 +- .../so-elasticsearch-component-templates-list | 26 +- .../so-elasticsearch-index-templates-list | 26 +- .../tools/sbin/so-elasticsearch-indices-list | 4 +- .../tools/sbin/so-elasticsearch-indices-rw | 22 +- .../sbin/so-elasticsearch-pipeline-stats | 6 +- .../tools/sbin/so-elasticsearch-pipeline-view | 6 +- .../sbin/so-elasticsearch-pipelines-list | 26 +- salt/common/tools/sbin/so-elasticsearch-query | 2 +- .../tools/sbin/so-elasticsearch-restart | 20 +- .../tools/sbin/so-elasticsearch-shards-list | 4 +- salt/common/tools/sbin/so-elasticsearch-start | 20 +- salt/common/tools/sbin/so-elasticsearch-stop | 20 +- .../sbin/so-elasticsearch-template-remove | 4 +- .../tools/sbin/so-elasticsearch-template-view | 6 +- .../sbin/so-elasticsearch-templates-list | 26 +- salt/common/tools/sbin/so-elasticsearch-wait | 2 +- .../tools/sbin/so-filebeat-module-setup | 26 +- salt/common/tools/sbin/so-filebeat-restart | 20 +- salt/common/tools/sbin/so-filebeat-start | 20 +- salt/common/tools/sbin/so-filebeat-stop | 20 +- salt/common/tools/sbin/so-firewall | 19 +- salt/common/tools/sbin/so-firewall-minion | 82 + salt/common/tools/sbin/so-fleet-restart | 20 - salt/common/tools/sbin/so-fleet-setup | 58 - salt/common/tools/sbin/so-fleet-start | 20 - salt/common/tools/sbin/so-fleet-stop | 20 - salt/common/tools/sbin/so-fleet-user-add | 69 - salt/common/tools/sbin/so-fleet-user-delete | 56 - salt/common/tools/sbin/so-fleet-user-update | 75 - salt/common/tools/sbin/so-grafana-restart | 20 +- salt/common/tools/sbin/so-grafana-start | 20 +- salt/common/tools/sbin/so-grafana-stop | 20 +- salt/common/tools/sbin/so-idh-restart | 20 +- salt/common/tools/sbin/so-idh-start | 20 +- 
salt/common/tools/sbin/so-idh-stop | 20 +- salt/common/tools/sbin/so-idstools-restart | 20 +- salt/common/tools/sbin/so-idstools-start | 20 +- salt/common/tools/sbin/so-idstools-stop | 20 +- salt/common/tools/sbin/so-image-common | 25 +- salt/common/tools/sbin/so-image-pull | 20 +- salt/common/tools/sbin/so-import-evtx | 20 +- salt/common/tools/sbin/so-import-pcap | 20 +- salt/common/tools/sbin/so-index-list | 22 +- salt/common/tools/sbin/so-influxdb-clean | 20 +- salt/common/tools/sbin/so-influxdb-downsample | 20 +- .../tools/sbin/so-influxdb-drop-autogen | 20 +- salt/common/tools/sbin/so-influxdb-restart | 20 +- salt/common/tools/sbin/so-influxdb-start | 20 +- salt/common/tools/sbin/so-influxdb-stop | 20 +- .../common/tools/sbin/so-kibana-config-export | 24 +- salt/common/tools/sbin/so-kibana-restart | 20 +- .../sbin/so-kibana-savedobjects-defaults | 20 +- .../tools/sbin/so-kibana-space-defaults | 8 +- salt/common/tools/sbin/so-kibana-start | 20 +- salt/common/tools/sbin/so-kibana-stop | 20 +- salt/common/tools/sbin/so-learn | 20 +- salt/common/tools/sbin/so-logstash-get-parsed | 20 +- .../tools/sbin/so-logstash-get-unparsed | 20 +- salt/common/tools/sbin/so-logstash-restart | 20 +- salt/common/tools/sbin/so-logstash-start | 20 +- salt/common/tools/sbin/so-logstash-stop | 20 +- salt/common/tools/sbin/so-minion | 258 +++ salt/common/tools/sbin/so-mysql-restart | 20 +- salt/common/tools/sbin/so-mysql-start | 20 +- salt/common/tools/sbin/so-mysql-stop | 20 +- salt/common/tools/sbin/so-nginx-restart | 20 +- salt/common/tools/sbin/so-nginx-start | 20 +- salt/common/tools/sbin/so-nginx-stop | 20 +- salt/common/tools/sbin/so-nodered-restart | 20 +- salt/common/tools/sbin/so-nodered-start | 20 +- salt/common/tools/sbin/so-nodered-stop | 20 +- salt/common/tools/sbin/so-nsm-clear | 20 +- salt/common/tools/sbin/so-pcap-export | 20 +- salt/common/tools/sbin/so-pcap-import | 20 +- salt/common/tools/sbin/so-pcap-restart | 20 +- salt/common/tools/sbin/so-pcap-start | 20 +- 
salt/common/tools/sbin/so-pcap-stop | 20 +- salt/common/tools/sbin/so-playbook-import | 20 +- salt/common/tools/sbin/so-playbook-reset | 20 +- salt/common/tools/sbin/so-playbook-restart | 20 +- salt/common/tools/sbin/so-playbook-ruleupdate | 20 +- .../tools/sbin/so-playbook-sigma-refresh | 20 +- salt/common/tools/sbin/so-playbook-start | 20 +- salt/common/tools/sbin/so-playbook-stop | 20 +- salt/common/tools/sbin/so-playbook-sync | 20 +- salt/common/tools/sbin/so-raid-status | 20 +- salt/common/tools/sbin/so-redis-count | 20 +- salt/common/tools/sbin/so-redis-restart | 20 +- salt/common/tools/sbin/so-redis-start | 20 +- salt/common/tools/sbin/so-redis-stop | 20 +- salt/common/tools/sbin/so-restart | 20 +- salt/common/tools/sbin/so-rule | 20 +- salt/common/tools/sbin/so-salt-minion-check | 20 +- salt/common/tools/sbin/so-salt-start | 20 +- salt/common/tools/sbin/so-salt-stop | 20 +- salt/common/tools/sbin/so-saltstack-update | 20 +- salt/common/tools/sbin/so-sensor-clean | 34 +- salt/common/tools/sbin/so-soc-restart | 20 +- salt/common/tools/sbin/so-soc-start | 20 +- salt/common/tools/sbin/so-soc-stop | 20 +- salt/common/tools/sbin/so-soctopus-restart | 20 +- salt/common/tools/sbin/so-soctopus-start | 20 +- salt/common/tools/sbin/so-soctopus-stop | 20 +- salt/common/tools/sbin/so-start | 20 +- salt/common/tools/sbin/so-status | 20 +- salt/common/tools/sbin/so-stop | 20 +- salt/common/tools/sbin/so-strelka-restart | 20 +- salt/common/tools/sbin/so-strelka-start | 20 +- salt/common/tools/sbin/so-strelka-stop | 20 +- salt/common/tools/sbin/so-suricata-restart | 20 +- salt/common/tools/sbin/so-suricata-start | 20 +- salt/common/tools/sbin/so-suricata-stop | 20 +- salt/common/tools/sbin/so-suricata-testrule | 20 +- salt/common/tools/sbin/so-tcpreplay-restart | 20 +- salt/common/tools/sbin/so-tcpreplay-stop | 17 +- salt/common/tools/sbin/so-telegraf-restart | 20 +- salt/common/tools/sbin/so-telegraf-start | 20 +- salt/common/tools/sbin/so-telegraf-stop | 20 +- 
salt/common/tools/sbin/so-thehive-es-restart | 20 +- salt/common/tools/sbin/so-thehive-es-start | 20 +- salt/common/tools/sbin/so-thehive-es-stop | 20 +- salt/common/tools/sbin/so-thehive-restart | 20 +- salt/common/tools/sbin/so-thehive-start | 20 +- salt/common/tools/sbin/so-thehive-stop | 20 +- salt/common/tools/sbin/so-thehive-user-add | 20 +- salt/common/tools/sbin/so-thehive-user-enable | 20 +- salt/common/tools/sbin/so-thehive-user-update | 20 +- salt/common/tools/sbin/so-user | 19 +- salt/common/tools/sbin/so-wazuh-agent-manage | 22 - salt/common/tools/sbin/so-wazuh-agent-upgrade | 22 - salt/common/tools/sbin/so-wazuh-restart | 19 - salt/common/tools/sbin/so-wazuh-start | 20 - salt/common/tools/sbin/so-wazuh-stop | 20 - salt/common/tools/sbin/so-wazuh-user-add | 17 - salt/common/tools/sbin/so-wazuh-user-passwd | 17 - salt/common/tools/sbin/so-wazuh-user-remove | 17 - salt/common/tools/sbin/so-yara-update | 20 +- salt/common/tools/sbin/so-zeek-restart | 20 +- salt/common/tools/sbin/so-zeek-start | 20 +- salt/common/tools/sbin/so-zeek-stats | 20 +- salt/common/tools/sbin/so-zeek-stop | 20 +- salt/common/tools/sbin/soup | 121 +- salt/curator/defaults.yaml | 179 ++ salt/curator/files/action/delete.yml | 12 +- salt/curator/files/action/so-aws-close.yml | 12 +- salt/curator/files/action/so-aws-delete.yml | 12 +- salt/curator/files/action/so-aws-warm.yml | 5 + salt/curator/files/action/so-azure-close.yml | 12 +- salt/curator/files/action/so-azure-delete.yml | 12 +- salt/curator/files/action/so-azure-warm.yml | 5 + .../files/action/so-barracuda-close.yml | 12 +- .../files/action/so-barracuda-delete.yml | 12 +- .../files/action/so-barracuda-warm.yml | 5 + salt/curator/files/action/so-beats-close.yml | 12 +- salt/curator/files/action/so-beats-delete.yml | 12 +- salt/curator/files/action/so-beats-warm.yml | 5 + .../files/action/so-bluecoat-close.yml | 12 +- .../files/action/so-bluecoat-delete.yml | 12 +- .../curator/files/action/so-bluecoat-warm.yml | 5 + 
salt/curator/files/action/so-cef-close.yml | 12 +- salt/curator/files/action/so-cef-delete.yml | 12 +- salt/curator/files/action/so-cef-warm.yml | 5 + .../files/action/so-checkpoint-close.yml | 12 +- .../files/action/so-checkpoint-delete.yml | 12 +- .../files/action/so-checkpoint-warm.yml | 5 + salt/curator/files/action/so-cisco-close.yml | 12 +- salt/curator/files/action/so-cisco-delete.yml | 12 +- salt/curator/files/action/so-cisco-warm.yml | 5 + .../files/action/so-cyberark-close.yml | 12 +- .../files/action/so-cyberark-delete.yml | 12 +- .../curator/files/action/so-cyberark-warm.yml | 5 + .../curator/files/action/so-cylance-close.yml | 12 +- .../files/action/so-cylance-delete.yml | 12 +- salt/curator/files/action/so-cylance-warm.yml | 5 + .../files/action/so-elasticsearch-close.yml | 12 +- .../files/action/so-elasticsearch-delete.yml | 12 +- .../files/action/so-elasticsearch-warm.yml | 5 + .../curator/files/action/so-endgame-close.yml | 12 +- .../files/action/so-endgame-delete.yml | 13 +- salt/curator/files/action/so-endgame-warm.yml | 6 + salt/curator/files/action/so-f5-close.yml | 13 +- salt/curator/files/action/so-f5-delete.yml | 13 +- salt/curator/files/action/so-f5-warm.yml | 6 + .../files/action/so-firewall-close.yml | 13 +- .../files/action/so-firewall-delete.yml | 13 +- .../curator/files/action/so-firewall-warm.yml | 6 + .../files/action/so-fortinet-close.yml | 13 +- .../files/action/so-fortinet-delete.yml | 13 +- .../curator/files/action/so-fortinet-warm.yml | 6 + salt/curator/files/action/so-gcp-close.yml | 13 +- salt/curator/files/action/so-gcp-delete.yml | 13 +- salt/curator/files/action/so-gcp-warm.yml | 6 + .../action/so-google_workspace-close.yml | 13 +- .../action/so-google_workspace-delete.yml | 13 +- .../files/action/so-google_workspace-warm.yml | 6 + salt/curator/files/action/so-ids-close.yml | 13 +- salt/curator/files/action/so-ids-delete.yml | 13 +- salt/curator/files/action/so-ids-warm.yml | 6 + 
.../curator/files/action/so-imperva-close.yml | 13 +- .../files/action/so-imperva-delete.yml | 12 +- salt/curator/files/action/so-imperva-warm.yml | 5 + salt/curator/files/action/so-import-close.yml | 12 +- .../curator/files/action/so-import-delete.yml | 12 +- salt/curator/files/action/so-import-warm.yml | 5 + .../files/action/so-infoblox-close.yml | 12 +- .../files/action/so-infoblox-delete.yml | 12 +- .../curator/files/action/so-infoblox-warm.yml | 5 + .../curator/files/action/so-juniper-close.yml | 12 +- .../files/action/so-juniper-delete.yml | 12 +- salt/curator/files/action/so-juniper-warm.yml | 5 + salt/curator/files/action/so-kibana-close.yml | 12 +- .../curator/files/action/so-kibana-delete.yml | 12 +- salt/curator/files/action/so-kibana-warm.yml | 5 + salt/curator/files/action/so-kratos-close.yml | 12 +- .../curator/files/action/so-kratos-delete.yml | 12 +- salt/curator/files/action/so-kratos-warm.yml | 5 + .../files/action/so-logstash-close.yml | 12 +- .../files/action/so-logstash-delete.yml | 12 +- .../curator/files/action/so-logstash-warm.yml | 5 + .../files/action/so-microsoft-close.yml | 12 +- .../files/action/so-microsoft-delete.yml | 12 +- .../files/action/so-microsoft-warm.yml | 5 + salt/curator/files/action/so-misp-close.yml | 12 +- salt/curator/files/action/so-misp-delete.yml | 12 +- salt/curator/files/action/so-misp-warm.yml | 5 + .../curator/files/action/so-netflow-close.yml | 12 +- .../files/action/so-netflow-delete.yml | 12 +- salt/curator/files/action/so-netflow-warm.yml | 5 + .../files/action/so-netscout-close.yml | 12 +- .../files/action/so-netscout-delete.yml | 12 +- .../curator/files/action/so-netscout-warm.yml | 5 + salt/curator/files/action/so-o365-close.yml | 12 +- salt/curator/files/action/so-o365-delete.yml | 12 +- salt/curator/files/action/so-o365-warm.yml | 5 + salt/curator/files/action/so-okta-close.yml | 12 +- salt/curator/files/action/so-okta-warm.yml | 5 + salt/curator/files/action/so-okta.delete.yml | 12 +- 
.../curator/files/action/so-osquery-close.yml | 12 +- .../files/action/so-osquery-delete.yml | 12 +- salt/curator/files/action/so-osquery-warm.yml | 5 + salt/curator/files/action/so-ossec-close.yml | 12 +- salt/curator/files/action/so-ossec-delete.yml | 12 +- salt/curator/files/action/so-ossec-warm.yml | 5 + .../files/action/so-proofpoint-close.yml | 12 +- .../files/action/so-proofpoint-delete.yml | 12 +- .../files/action/so-proofpoint-warm.yml | 5 + .../curator/files/action/so-radware-close.yml | 12 +- .../files/action/so-radware-delete.yml | 12 +- salt/curator/files/action/so-radware-warm.yml | 5 + salt/curator/files/action/so-redis-close.yml | 12 +- salt/curator/files/action/so-redis-delete.yml | 12 +- salt/curator/files/action/so-redis-warm.yml | 5 + salt/curator/files/action/so-snort-close.yml | 12 +- salt/curator/files/action/so-snort-delete.yml | 12 +- salt/curator/files/action/so-snort-warm.yml | 5 + salt/curator/files/action/so-snyk-close.yml | 12 +- salt/curator/files/action/so-snyk-delete.yml | 12 +- salt/curator/files/action/so-snyk-warm.yml | 5 + .../files/action/so-sonicwall-close.yml | 12 +- .../files/action/so-sonicwall-delete.yml | 12 +- .../files/action/so-sonicwall-warm.yml | 5 + salt/curator/files/action/so-sophos-close.yml | 12 +- .../curator/files/action/so-sophos-delete.yml | 12 +- salt/curator/files/action/so-sophos-warm.yml | 5 + .../curator/files/action/so-strelka-close.yml | 12 +- .../files/action/so-strelka-delete.yml | 12 +- salt/curator/files/action/so-strelka-warm.yml | 5 + salt/curator/files/action/so-syslog-close.yml | 12 +- .../curator/files/action/so-syslog-delete.yml | 12 +- salt/curator/files/action/so-syslog-warm.yml | 5 + salt/curator/files/action/so-tomcat-close.yml | 12 +- .../curator/files/action/so-tomcat-delete.yml | 12 +- salt/curator/files/action/so-tomcat-warm.yml | 5 + salt/curator/files/action/so-zeek-close.yml | 12 +- salt/curator/files/action/so-zeek-delete.yml | 12 +- salt/curator/files/action/so-zeek-warm.yml | 5 
+ .../curator/files/action/so-zscaler-close.yml | 12 +- .../files/action/so-zscaler-delete.yml | 12 +- salt/curator/files/action/so-zscaler-warm.yml | 5 + salt/curator/files/bin/so-curator-close | 19 +- .../files/bin/so-curator-closed-delete | 20 +- .../files/bin/so-curator-closed-delete-delete | 40 +- .../files/bin/so-curator-cluster-close | 19 +- .../files/bin/so-curator-cluster-delete | 19 +- .../curator/files/bin/so-curator-cluster-warm | 20 +- salt/curator/files/bin/so-curator-delete | 20 +- salt/curator/files/curator.yml | 18 +- salt/curator/init.sls | 125 +- salt/deprecated-launcher/init.sls | 12 - salt/deprecated-launcher/packages/info.txt | 1 - salt/docker/init.sls | 55 +- salt/docker_clean/init.sls | 5 + salt/domainstats/init.sls | 69 - salt/elastalert/defaults.yaml | 11 +- .../files/modules/so/playbook-es.py | 6 + salt/elastalert/init.sls | 27 +- salt/elastalert/soc_elastalert.yaml | 25 + salt/elastic-fleet/init.sls | 56 + salt/elastic-fleet/install_agent_grid.sls | 13 + salt/elasticsearch/auth.map.jinja | 7 - salt/elasticsearch/auth.sls | 4 +- salt/elasticsearch/config.map.jinja | 48 +- salt/elasticsearch/init.sls | 80 +- salt/elasticsearch/soc_elasticsearch.yaml | 104 + salt/elasticsearch/tools/sbin/so-catrust | 20 +- .../tools/sbin/so-elasticsearch-pipelines | 24 +- .../tools/sbin/so-elasticsearch-roles-load | 22 +- .../sbin/so-elasticsearch-templates-load | 20 +- salt/filebeat/etc/filebeat.yml | 49 +- salt/filebeat/etc/module-setup.yml | 10 +- salt/filebeat/init.sls | 2 +- salt/filebeat/map.jinja | 2 +- salt/filebeat/securityoniondefaults.yaml | 2 +- salt/firewall/assigned_hostgroups.map.yaml | 138 +- salt/firewall/portgroups.yaml | 26 +- salt/fleet/event_enable-fleet.sls | 10 - salt/fleet/event_gen-packages.sls | 28 - salt/fleet/event_update-custom-hostname.sls | 9 - salt/fleet/event_update-enroll-secret.sls | 7 - salt/fleet/files/packs/osquery-config.conf | 36 - .../Fleet/Endpoints/MacOS/osquery.yaml | 706 ------- 
.../Fleet/Endpoints/Windows/osquery.yaml | 538 ----- .../palantir/Fleet/Endpoints/options.yaml | 37 - .../Endpoints/packs/performance-metrics.yaml | 71 - .../packs/security-tooling-checks.yaml | 61 - .../packs/windows-application-security.yaml | 94 - .../Endpoints/packs/windows-compliance.yaml | 322 --- .../packs/windows-registry-monitoring.yaml | 476 ----- .../palantir/Fleet/Servers/Linux/osquery.yaml | 580 ------ .../packs/palantir/Fleet/Servers/options.yaml | 58 - salt/fleet/files/packs/palantir/LICENSE.md | 22 - salt/fleet/files/packs/palantir/README.md | 164 -- salt/fleet/files/packs/so/so-default.yml | 28 - salt/fleet/init.sls | 149 -- salt/fleet/install_package.sls | 30 - salt/fleet/packages/info.txt | 1 - salt/freqserver/init.sls | 69 - .../{defaults.yaml => grafana_defaults.yaml} | 0 salt/grafana/init.sls | 2 +- salt/idh/init.sls | 2 +- salt/idstools/init.sls | 21 +- salt/idstools/soc_idstools.yaml | 21 + salt/idstools/sync_files.sls | 17 +- salt/influxdb/init.sls | 2 +- salt/influxdb/soc_influxdb.yaml | 16 + salt/kibana/bin/so-kibana-config-load | 15 +- salt/kibana/config.map.jinja | 6 +- salt/kibana/defaults.yaml | 59 +- salt/kibana/files/config_saved_objects.ndjson | 2 +- salt/kibana/init.sls | 18 +- salt/kibana/secrets.sls | 5 + salt/kibana/so_config_load.sls | 5 + salt/kibana/so_dashboard_load.sls | 5 + salt/kibana/so_savedobjects_defaults.sls | 5 + salt/kibana/so_securitySolution_load.sls | 5 + salt/kibana/soc_kibana.yaml | 5 + salt/kratos/files/kratos.yaml | 4 +- salt/kratos/init.sls | 14 +- salt/logstash/dmz_nodes.yaml | 8 +- salt/logstash/init.sls | 54 +- salt/logstash/map.jinja | 2 +- .../so/0008_input_fleet_livequery.conf.jinja | 19 - .../config/so/0012_input_elastic_agent.conf | 12 + .../config/so/9000_output_zeek.conf.jinja | 8 +- .../config/so/9002_output_import.conf.jinja | 8 +- .../config/so/9004_output_flow.conf.jinja | 8 +- .../config/so/9033_output_snort.conf.jinja | 8 +- .../config/so/9034_output_syslog.conf.jinja | 8 +- 
.../so/9050_output_filebeatmodules.conf.jinja | 8 +- .../config/so/9100_output_osquery.conf.jinja | 8 +- .../9101_output_osquery_livequery.conf.jinja | 9 +- .../config/so/9200_output_firewall.conf.jinja | 8 +- .../config/so/9400_output_suricata.conf.jinja | 8 +- .../config/so/9500_output_beats.conf.jinja | 10 +- .../config/so/9600_output_ossec.conf.jinja | 8 +- .../config/so/9700_output_strelka.conf.jinja | 8 +- .../config/so/9800_output_logscan.conf.jinja | 8 +- .../config/so/9801_output_rita.conf.jinja | 8 +- .../config/so/9802_output_kratos.conf.jinja | 22 - .../so/9805_output_elastic_agent.conf.jinja | 17 + .../config/so/9900_output_endgame.conf.jinja | 8 +- .../config/so/9997_output_helix.conf.jinja | 160 -- .../config/so/9998_output_minio.conf.jinja | 25 - salt/manager/elasticsearch.sls | 2 - salt/manager/files/so-api.py | 0 salt/manager/glue.py | 0 salt/manager/init.sls | 91 +- salt/minio/init.sls | 80 - salt/mysql/init.sls | 27 +- salt/nginx/etc/nginx.conf | 116 +- salt/nginx/files/nav_layer_playbook.json | 49 +- salt/nginx/files/navigator_config.json | 78 +- salt/nginx/init.sls | 30 +- salt/nodered/files/nodered_load_flows | 12 - salt/nodered/files/so_flows.json | 4 - salt/nodered/init.sls | 91 - salt/pcap/init.sls | 19 +- salt/pcap/soc_pcap.yaml | 12 + salt/playbook/OLD_db_init.sls | 14 - salt/playbook/automation_user_create.sls | 4 +- salt/playbook/files/OLD_playbook_db_init.sh | 8 - salt/playbook/files/OLD_playbook_db_init.sql | 1767 ----------------- salt/playbook/files/automation_user_create.sh | 11 +- salt/playbook/init.sls | 47 +- salt/reactor/fleet.sls | 95 - salt/redis/init.sls | 19 +- salt/repo/client/centos.sls | 115 +- salt/repo/client/files/centos/airgap/yum.conf | 12 - .../client/files/centos/keys/GPG-KEY-WAZUH | 52 - .../client/files/centos/securityonion.repo | 71 - .../files/centos/securityonioncache.repo | 71 - .../files/centos/securityonionlocal.repo | 8 + salt/repo/client/files/centos/yum.conf.jinja | 4 +- salt/repo/client/ubuntu.sls | 
20 - salt/salt/map.jinja | 2 + salt/salt/minion.sls | 6 +- salt/salt/service/salt-minion.service.jinja | 15 + salt/salt/service/start-delay.conf.jinja | 2 - salt/sensoroni/files/sensoroni.json | 2 +- salt/soc/defaults.map.jinja | 23 + salt/soc/defaults.yaml | 1153 +++++++++++ salt/soc/files/soc/default.annotation.yaml | 712 +++++++ salt/soc/files/soc/soc.json | 258 --- salt/soc/files/soc/soc.json.jinja | 2 + salt/soc/init.sls | 4 +- salt/soc/merged.map.jinja | 42 + salt/soctopus/files/SOCtopus.conf | 13 +- salt/soctopus/init.sls | 8 +- salt/ssl/init.sls | 217 +- salt/strelka/init.sls | 4 +- salt/suricata/cron/so-suricata-eve-clean | 20 +- salt/suricata/defaults.yaml | 337 +--- .../files/classification.config.jinja | 11 - salt/suricata/init.sls | 30 +- salt/suricata/soc_suricata.yaml | 123 ++ salt/tcpreplay/init.sls | 2 +- salt/telegraf/etc/telegraf.conf | 18 +- salt/telegraf/init.sls | 2 +- salt/telegraf/scripts/beatseps.sh | 20 +- salt/telegraf/scripts/checkfiles.sh | 20 +- salt/telegraf/scripts/eps.sh | 20 +- salt/telegraf/scripts/helixeps.sh | 20 +- salt/telegraf/scripts/influxdbsize.sh | 20 +- salt/telegraf/scripts/oldpcap.sh | 20 +- salt/telegraf/scripts/raid.sh | 20 +- salt/telegraf/scripts/redis.sh | 20 +- salt/telegraf/scripts/sostatus.sh | 20 +- salt/telegraf/scripts/stenoloss.sh | 20 +- salt/telegraf/scripts/suriloss.sh | 20 +- salt/telegraf/scripts/zeekcaptureloss.sh | 20 +- salt/telegraf/scripts/zeekloss.sh | 20 +- salt/top.sls | 147 +- salt/utility/bin/crossthestreams | 10 +- salt/utility/bin/eval | 8 +- salt/utility/init.sls | 9 +- salt/vars/elasticsearch.map.jinja | 14 + salt/vars/globals.map.jinja | 50 + salt/vars/init.map.jinja | 2 + salt/vars/logstash.map.jinja | 11 + salt/vars/sensor.map.jinja | 8 + salt/vars/standalone.map.jinja | 15 + salt/wazuh/files/agent/ossec.conf | 204 -- salt/wazuh/files/agent/wazuh-register-agent | 184 -- salt/wazuh/files/server/ossec.conf | 220 -- salt/wazuh/files/wazuh-manager-whitelist | 32 - salt/wazuh/init.sls | 164 
-- salt/zeek/cron/zeek_clean | 17 +- salt/zeek/defaults.yaml | 120 ++ salt/zeek/init.sls | 21 +- salt/zeek/soc_zeek.yaml | 26 + setup/automation/distributed-airgap-manager | 17 +- setup/automation/distributed-airgap-search | 17 +- setup/automation/distributed-airgap-sensor | 17 +- setup/automation/distributed-cloud-manager | 17 +- setup/automation/distributed-cloud-search | 17 +- setup/automation/distributed-cloud-sensor | 17 +- setup/automation/distributed-iso-manager | 17 +- setup/automation/distributed-iso-search | 17 +- setup/automation/distributed-iso-sensor | 17 +- .../automation/distributed-net-centos-manager | 17 +- .../automation/distributed-net-centos-search | 17 +- .../automation/distributed-net-centos-sensor | 17 +- .../automation/distributed-net-ubuntu-manager | 17 +- .../automation/distributed-net-ubuntu-search | 17 +- .../automation/distributed-net-ubuntu-sensor | 17 +- .../distributed-net-ubuntu-suricata-manager | 17 +- .../distributed-net-ubuntu-suricata-search | 17 +- .../distributed-net-ubuntu-suricata-sensor | 17 +- setup/automation/eval-airgap | 17 +- setup/automation/eval-cloud | 17 +- setup/automation/eval-cloud-logscan | 77 - setup/automation/eval-iso | 17 +- setup/automation/eval-net-centos | 17 +- setup/automation/eval-net-ubuntu | 17 +- setup/automation/import-airgap | 17 +- setup/automation/import-cloud | 17 +- setup/automation/import-iso | 17 +- setup/automation/import-net-centos | 17 +- setup/automation/import-net-ubuntu | 17 +- setup/automation/standalone-airgap | 17 +- setup/automation/standalone-cloud | 17 +- setup/automation/standalone-cloud-suricata | 76 - setup/automation/standalone-iso | 17 +- setup/automation/standalone-iso-logscan | 17 +- setup/automation/standalone-iso-suricata | 17 +- setup/automation/standalone-net-centos | 17 +- setup/automation/standalone-net-centos-proxy | 17 +- setup/automation/standalone-net-ubuntu | 17 +- .../99-so-checksum-offload-disable | 20 +- setup/so-functions | 1217 ++++-------- 
setup/so-preflight | 21 +- setup/so-setup | 1142 +++-------- setup/so-setup.old | 1146 +++++++++++ setup/so-variables | 122 ++ setup/so-whiptail | 821 +------- sigs/securityonion-2.0.2-rc1.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.0.3-rc1.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.1.0-rc2.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.2.0-rc3.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.0.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.1.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.10.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.100-20220131.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.100-20220202.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.100-20220203.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.100-20220301.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.110-20220309.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.110-20220404.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.110-20220405.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.110-20220407.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.120-20220425.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.130-20220607.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.140-20220718.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.2.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.20.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.21.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.30.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.40.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.50.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.51.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.52.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.60-CURATORAUTH.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.60-ECSFIX.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.60-FBPIPELINE.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.60.iso.sig | Bin 543 -> 0 bytes 
sigs/securityonion-2.3.61-MSEARCH.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.61-STENODOCKER.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.61.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.70-CURATOR.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.70-GRAFANA.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.70-WAZUH.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.70.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.80.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.90-20211206.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.90-20211210.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.90-20211213.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.90-WAZUH.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.90.iso.sig | Bin 543 -> 0 bytes sigs/securityonion-2.3.91.iso.sig | Bin 543 -> 0 bytes so-analyst-install | 17 +- so-setup-network | 17 +- 611 files changed, 8015 insertions(+), 16211 deletions(-) create mode 100644 assets/images/screenshots/alerts-1.png delete mode 100644 assets/images/screenshots/alerts.png delete mode 100644 assets/images/screenshots/cases-comments.png delete mode 100644 assets/images/screenshots/dashboards.png create mode 100644 assets/images/screenshots/hunt-1.png delete mode 100644 assets/images/screenshots/hunt.png create mode 100644 salt/common/packages.sls create mode 100644 salt/common/tools/sbin/so-elastic-agent-gen-installers delete mode 100755 salt/common/tools/sbin/so-elastic-auth create mode 100644 salt/common/tools/sbin/so-elastic-fleet-setup create mode 100644 salt/common/tools/sbin/so-firewall-minion delete mode 100755 salt/common/tools/sbin/so-fleet-restart delete mode 100755 salt/common/tools/sbin/so-fleet-setup delete mode 100755 salt/common/tools/sbin/so-fleet-start delete mode 100755 salt/common/tools/sbin/so-fleet-stop delete mode 100755 salt/common/tools/sbin/so-fleet-user-add delete mode 100644 
salt/common/tools/sbin/so-fleet-user-delete delete mode 100755 salt/common/tools/sbin/so-fleet-user-update create mode 100755 salt/common/tools/sbin/so-minion delete mode 100755 salt/common/tools/sbin/so-wazuh-agent-manage delete mode 100755 salt/common/tools/sbin/so-wazuh-agent-upgrade delete mode 100755 salt/common/tools/sbin/so-wazuh-restart delete mode 100755 salt/common/tools/sbin/so-wazuh-start delete mode 100755 salt/common/tools/sbin/so-wazuh-stop delete mode 100755 salt/common/tools/sbin/so-wazuh-user-add delete mode 100755 salt/common/tools/sbin/so-wazuh-user-passwd delete mode 100755 salt/common/tools/sbin/so-wazuh-user-remove create mode 100644 salt/curator/defaults.yaml delete mode 100644 salt/deprecated-launcher/init.sls delete mode 100644 salt/deprecated-launcher/packages/info.txt delete mode 100644 salt/domainstats/init.sls create mode 100644 salt/elastalert/soc_elastalert.yaml create mode 100644 salt/elastic-fleet/init.sls create mode 100644 salt/elastic-fleet/install_agent_grid.sls delete mode 100644 salt/elasticsearch/auth.map.jinja create mode 100644 salt/elasticsearch/soc_elasticsearch.yaml mode change 100644 => 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load delete mode 100644 salt/fleet/event_enable-fleet.sls delete mode 100644 salt/fleet/event_gen-packages.sls delete mode 100644 salt/fleet/event_update-custom-hostname.sls delete mode 100644 salt/fleet/event_update-enroll-secret.sls delete mode 100644 salt/fleet/files/packs/osquery-config.conf delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml delete mode 100644 
salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml delete mode 100644 salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml delete mode 100755 salt/fleet/files/packs/palantir/LICENSE.md delete mode 100755 salt/fleet/files/packs/palantir/README.md delete mode 100644 salt/fleet/files/packs/so/so-default.yml delete mode 100644 salt/fleet/init.sls delete mode 100644 salt/fleet/install_package.sls delete mode 100644 salt/fleet/packages/info.txt delete mode 100644 salt/freqserver/init.sls rename salt/grafana/{defaults.yaml => grafana_defaults.yaml} (100%) create mode 100644 salt/idstools/soc_idstools.yaml create mode 100644 salt/influxdb/soc_influxdb.yaml create mode 100644 salt/kibana/soc_kibana.yaml delete mode 100644 salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja create mode 100644 salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf delete mode 100644 salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja create mode 100644 salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja delete mode 100644 salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja create mode 100644 salt/manager/files/so-api.py create mode 100644 salt/manager/glue.py delete mode 100644 salt/minio/init.sls delete mode 100644 salt/nodered/files/nodered_load_flows delete mode 100644 salt/nodered/files/so_flows.json delete mode 100644 salt/nodered/init.sls create mode 100644 salt/pcap/soc_pcap.yaml delete mode 100644 salt/playbook/OLD_db_init.sls delete mode 100644 salt/playbook/files/OLD_playbook_db_init.sh delete mode 100644 
salt/playbook/files/OLD_playbook_db_init.sql delete mode 100644 salt/reactor/fleet.sls delete mode 100644 salt/repo/client/files/centos/airgap/yum.conf delete mode 100644 salt/repo/client/files/centos/keys/GPG-KEY-WAZUH delete mode 100644 salt/repo/client/files/centos/securityonion.repo delete mode 100644 salt/repo/client/files/centos/securityonioncache.repo create mode 100644 salt/repo/client/files/centos/securityonionlocal.repo delete mode 100644 salt/repo/client/ubuntu.sls create mode 100644 salt/salt/service/salt-minion.service.jinja delete mode 100644 salt/salt/service/start-delay.conf.jinja create mode 100644 salt/soc/defaults.map.jinja create mode 100644 salt/soc/defaults.yaml create mode 100644 salt/soc/files/soc/default.annotation.yaml delete mode 100644 salt/soc/files/soc/soc.json create mode 100644 salt/soc/files/soc/soc.json.jinja create mode 100644 salt/soc/merged.map.jinja delete mode 100644 salt/suricata/files/classification.config.jinja create mode 100644 salt/suricata/soc_suricata.yaml create mode 100644 salt/vars/elasticsearch.map.jinja create mode 100644 salt/vars/globals.map.jinja create mode 100644 salt/vars/init.map.jinja create mode 100644 salt/vars/logstash.map.jinja create mode 100644 salt/vars/sensor.map.jinja create mode 100644 salt/vars/standalone.map.jinja delete mode 100644 salt/wazuh/files/agent/ossec.conf delete mode 100755 salt/wazuh/files/agent/wazuh-register-agent delete mode 100644 salt/wazuh/files/server/ossec.conf delete mode 100755 salt/wazuh/files/wazuh-manager-whitelist delete mode 100644 salt/wazuh/init.sls create mode 100644 salt/zeek/defaults.yaml create mode 100644 salt/zeek/soc_zeek.yaml delete mode 100644 setup/automation/eval-cloud-logscan delete mode 100644 setup/automation/standalone-cloud-suricata create mode 100755 setup/so-setup.old delete mode 100644 sigs/securityonion-2.0.2-rc1.iso.sig delete mode 100644 sigs/securityonion-2.0.3-rc1.iso.sig delete mode 100644 sigs/securityonion-2.1.0-rc2.iso.sig delete mode 
100644 sigs/securityonion-2.2.0-rc3.iso.sig delete mode 100644 sigs/securityonion-2.3.0.iso.sig delete mode 100644 sigs/securityonion-2.3.1.iso.sig delete mode 100644 sigs/securityonion-2.3.10.iso.sig delete mode 100644 sigs/securityonion-2.3.100-20220131.iso.sig delete mode 100644 sigs/securityonion-2.3.100-20220202.iso.sig delete mode 100644 sigs/securityonion-2.3.100-20220203.iso.sig delete mode 100644 sigs/securityonion-2.3.100-20220301.iso.sig delete mode 100644 sigs/securityonion-2.3.110-20220309.iso.sig delete mode 100644 sigs/securityonion-2.3.110-20220404.iso.sig delete mode 100644 sigs/securityonion-2.3.110-20220405.iso.sig delete mode 100644 sigs/securityonion-2.3.110-20220407.iso.sig delete mode 100644 sigs/securityonion-2.3.120-20220425.iso.sig delete mode 100644 sigs/securityonion-2.3.130-20220607.iso.sig delete mode 100644 sigs/securityonion-2.3.140-20220718.iso.sig delete mode 100644 sigs/securityonion-2.3.2.iso.sig delete mode 100644 sigs/securityonion-2.3.20.iso.sig delete mode 100644 sigs/securityonion-2.3.21.iso.sig delete mode 100644 sigs/securityonion-2.3.30.iso.sig delete mode 100644 sigs/securityonion-2.3.40.iso.sig delete mode 100644 sigs/securityonion-2.3.50.iso.sig delete mode 100644 sigs/securityonion-2.3.51.iso.sig delete mode 100644 sigs/securityonion-2.3.52.iso.sig delete mode 100644 sigs/securityonion-2.3.60-CURATORAUTH.iso.sig delete mode 100644 sigs/securityonion-2.3.60-ECSFIX.iso.sig delete mode 100644 sigs/securityonion-2.3.60-FBPIPELINE.iso.sig delete mode 100644 sigs/securityonion-2.3.60.iso.sig delete mode 100644 sigs/securityonion-2.3.61-MSEARCH.iso.sig delete mode 100644 sigs/securityonion-2.3.61-STENODOCKER.iso.sig delete mode 100644 sigs/securityonion-2.3.61.iso.sig delete mode 100644 sigs/securityonion-2.3.70-CURATOR.iso.sig delete mode 100644 sigs/securityonion-2.3.70-GRAFANA.iso.sig delete mode 100644 sigs/securityonion-2.3.70-WAZUH.iso.sig delete mode 100644 sigs/securityonion-2.3.70.iso.sig delete mode 100644 
sigs/securityonion-2.3.80.iso.sig delete mode 100644 sigs/securityonion-2.3.90-20211206.iso.sig delete mode 100644 sigs/securityonion-2.3.90-20211210.iso.sig delete mode 100644 sigs/securityonion-2.3.90-20211213.iso.sig delete mode 100644 sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig delete mode 100644 sigs/securityonion-2.3.90-WAZUH.iso.sig delete mode 100644 sigs/securityonion-2.3.90.iso.sig delete mode 100644 sigs/securityonion-2.3.91.iso.sig diff --git a/README.md b/README.md index d5a8586cf..0662e05be 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,14 @@ -## Security Onion 2.3.140 +## Security Onion 2.3.120 -Security Onion 2.3.140 is here! +Security Onion 2.3.120 is here! ## Screenshots Alerts -![Alerts](./assets/images/screenshots/alerts.png) - -Dashboards -![Dashboards](./assets/images/screenshots/dashboards.png) +![Alerts](./assets/images/screenshots/alerts-1.png) Hunt -![Hunt](./assets/images/screenshots/hunt.png) - -Cases -![Cases](./assets/images/screenshots/cases-comments.png) +![Hunt](./assets/images/screenshots/hunt-1.png) ### Release Notes diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index d48743291..ce56cd48c 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.140-20220718 ISO image built on 2022/07/18 +### 2.3.120-20220425 ISO image built on 2022/04/25 ### Download and Verify -2.3.140-20220718 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso +2.3.120-20220425 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso -MD5: 9570065548DBFA6230F28FF623A8B61A -SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75 -SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034 +MD5: C99729E452B064C471BEF04532F28556 +SHA1: 60BF07D5347C24568C7B793BFA9792E98479CFBF +SHA256: CD17D0D7CABE21D45FA45E1CF91C5F24EB9608C79FF88480134E5592AFDD696E Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
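Review bot: The new signature link in this hunk, `https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig`, names a file that this same commit's summary lists as `delete mode 100644 sigs/securityonion-2.3.120-20220425.iso.sig`; the `wget` and `gpg --verify` lines in the next VERIFY_ISO.md hunk depend on the same file. The URL is pinned to `master`, so it keeps resolving only while master still carries `sigs/`, which cannot be seen from this patch; if this tree is merged there, the documented verification fails at the download and readers are left with only the checksums printed in the same file. The document also now describes 2.3.120 while the VERSION hunk in the same commit sets `2.3.170`. I would either keep the signature for the release that VERIFY_ISO.md names, or change the heading to say which release and branch the instructions apply to, for example `### 2.3.120-20220425 ISO image built on 2022/04/25 (signatures are published on the master branch)`.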
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso +gpg --verify securityonion-2.3.120-20220425.iso.sig securityonion-2.3.120-20220425.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013 +gpg: Signature made Mon 25 Apr 2022 08:20:40 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 3994a975c..c9583b108 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.140 +2.3.170 
diff --git a/assets/images/screenshots/alerts-1.png b/assets/images/screenshots/alerts-1.png new file mode 100644 index 0000000000000000000000000000000000000000..099710f4f79fe62a4be515a9ffa0b9a954e39deb GIT binary patch literal 250878 zcmYIu18^nL*7c2T+nLz5ZQHgzv2Al=+qRQQCf3BZoj>odH}5-Dx2w8uopbiyz1P}n zcXxz>oH!gbHZ%YLfRmIEQ33$KvH<{)Wk~SvE4AsdyZ``|sF#X{i;|%`p@WmXnWc>> zp^K-3DWR!{r5OO=u~waJ=|6!K+^rU#6eo)&b2d(}7jH_Pw0{f2M&`PpHuf2Hx(@p~CZ=lKK0)%@e<7ng)y>+BiPPu;S- zS$!${hvkBqTA1ougq{MQk2GJ{vpd`ReNBHjK8}7ciucO)#MH_U@lTn)WRiT|rr8I- zhb`~Ly{*@>$MTDr^!6$y9`N(dEc-oOx?R2SY)XV+(dr{TkaPR!ha$+8@bnN+zn8zK zy?Foh3MUa%FdR-Vsu zs2;(0x1m{T*fZKUePc|$zFhzNp=Pn+3BhL-5M{ag^%(b-xAm_6+2);ALSezA`FgEs zpsd3TTbGM^j z;Na?~>rc76mC=v*NcoIx1W)#Cr6z2Ej|0Pk**Sb$N5k z+L=XtajLdubMw;r@e&DUy7x(Q>((3QAvim>j`j6RKlLB8Y|BGUvmDz;PV}9|`H9M^ zjx^-J&UZFmXC`SH?hueB3%9ixkpEW4hArFFaBz0r!F)u(x%?=Y3< zJ!;ciQYX$2qZKz5l@D*of)0tzW>x9MeUa+b03cf}=D$KxB`JS0U+hRl*}yZJ+3X;y zF{RVx>U;*{n%~-;zAQF%?7k1@e%hR+#cy94oTKv}o|~UWi!B~@-Dqzn1&0gb4Odzj zrrbDZ$!D`$rik+(_k;=`r_3u>v{OmIg&H@>uGXN$f6`xqCuT9@R%fv?-C7&SmO>?s zGzzpY$S$!kSE*c?M|-Hlph~|L?a9Ro&Jktq)qqsbKpYrYN*GPFn(dz z)Z9FJV%&d9oFscUjKSnpphKEv~ zt-kP~+(`V+FZ_|ZVLnF?BebYHXiPk z_9S%E*xUNq?7q=^C+znS`}QN(Ti()rg$2Vz=eVI60r0Ilm+2Zskvm<7%YV6Ns@~7u z(x^)L^OkF(tNr70-b@)@t{(-E)E_0eTa~mVWgEBFR%7i>WYOQKB|g5vnP_j!e5xaq z*1^k)7`^|wVEdc1R4<--v6Cpf^GxE2ElmPf?{Ahnn86f$a={fWYY##9UH6RftudIt z_4dm>VBXMl2_I0?&K!^K?+6x|PoPx3&|^0ztP5$hxpdW#49^jXy8;8r<$3{fN@KDO zB;l`Oj=vUOC6(dt)6T;fe*Oo)F`(*0XDom<_N{7W@?psU2a(=zX+k3uDCvwR7?h*E zJ5JW7ABUp&>dHJ&+gPoSF_xS$lPzD6Fxd!*OFFEFkXBRq@e;ZGaCi z=%F8t#q^=@uR8HN#xz@BV7Nx-?%e)}V*_;t^eGV(QIT0ADe*%^^I$q>7D&Gg08S+VOq1FE8fc4Qy5ezII- zvn!Zi(GjTq6sDgaFT8PhFwqP@#=sDAgAn6Qv|)VFHrEDO^5l$+Kqi6IxM1-EHX$al zq~H|buQ|v0VR(F^7xzG&PH&(MtwWjAOeHnfunO*FB88mhRxi~cTc&>&uxaQLo8<%M zXUZ=|hKTf`*F+*;lwhL9z7CV6?A~#lSl0$LPe)flj??>}Ln6eI>b4Lvis~ ze-yoy(SXPYRFy+`RRDnN@pUu>(_&11BL2>If>(i))S<+>2X~Ml;N4u?P z2eQkqT(k&!FDil7zNttf13nuU4Nmx&DZ((jD78`ve}jR^Y-e0Hil%+iq^q%FQ@>&T 
zljiRqE+E6uJ0Y@cps3n4Qeht>!k}T4i$n;ETs}w@Ct4;-&L*)AbMCrA^%y`D@Z#>= zA3S0xkJn=ABfI8yQwc~a-fGgUSI^JMIW9CxF zKjJAWq7oz~0ZM|K-NU?!!OC&>1$w&;pz|B?BaqI}&W+5f;tK>EULX{U9} zWB#d)CY+Q*fCP-x45)pq1wFz_9so#I1gu=yg+PHG8fMw1Cy6>=!oD?@?(Eb z@8<*(YOteoZT9krh;6i`zKm^q2`)3*hf4)k?5;o`@Pvfzkl#Y8aDj;jwvLoom>@b1 z2_@mKH&GIOg2@ObIPmczW4x!H=K1UI! zLp`0TNF;^`LnGRy!~ZVyd>-@?#Sf2#N*_a$2ZK&W6`E!W{Eukp%3Ta+4ODycGok&$i^w!B$H&5aJm1$q^b)3%^&9bu{Xl!&>4Ed%e@Zh{UJ~8DQi{mqc6g@c#o=mM2m!`-g0aY934n6 z-I5+IvJs*NnOGkDLf%njBC}jy0Nr~;B|rD&{FshNNP;lbOPF5-R*?SpPDv*sWyIG> z77`=Ba3U^QAg}=;#D{7MOMDVhlhm;9x&g70taP;0C1HpMDzMv9xSMzh96qQftc`uw znnfH%lu>&PpOG``_ToJ0lXr3`Q0ubxnmO!ppt3`b2q`hpBte1}+5zzVwD9q;2w}bt zblgY|V?~u%|9&80IAuDPA2s9fA46UGbPs#X--2C{9o6G`)cK2!1Pam)@|4Ng{bnns z{>;>S7@ET#{>fc`u>0x9wiNUPo&jkPW*{_nc=TRH%+ju;dpoKU7ueyniXhP>$#aW_ z%zg}k$Iu4Bw2k@I9(K5721b}p908i!a}4i*pX7KTBfxl~{&zcBin?dORr@hEG@fzq zpq2ubQ5rdLC(H|l3iIFZ?1;H| z-#i4*!q*nPL+ho~a7VW1*p5x2gHGR}&?y7rD>Jis?XDmOfm~1yY1K7y7znlwhW^GY zlA{I1CRaDDYRKe6MWC22aW#hg#QI$)q>7=kdSUE&-)xumlPudqN~lW62Bk-+%C7qx zE)%M=NBlj=XCD1ok)Pojc=r-J5G09P1Pla{1S)N`>@ffB!DWDR-%P^-)zlOba; z!9YtUjHcmuNOfUQ{WhRo>}Z1yr9)}-$IH8S_TL zuw%)%!ql7VR{ewVF$GAH!lDcakqnP9*pwa_(er|Zzeo&s`*w|bBprUyB>+S9+>4ekSz zesJP=bYqHv9bxJ|PqI$-cQ1QpUL*ye9@nJry#FmdlSN;3?N%dK0TU*kOaF=P@od(g zz{He2p|t}i1{dl7)kgW^R8J)x74s)mC1-k1TVFMtK^ho><;O|8PGp&4YJzoqtFjOp zmG8CJK_`SSK*JJ$Clyg+!ydM2FN?FGe{kq-zh3xCS3%oRmtgj*er!8%ahS`EC`{AVXW<24<`8cRVC( zN^1Zo;@AKrh0>CmoWSBQ<+zGOp9~HzgJka(3bF&FQyMq%DR6}`S)<|wT8o5D5@5y~ z6EpI8Oz>C`5X|Yn;iJGp)WTsKxf#GZCD1)Xnyz)CeNjv^5fAskV*98Vr1zfL@U!Fw zttipbOS$2ozZ4i~8-VV@88%!cjQM(o^%U zrBK!I_}xZD=XZLCckM+Ym%s)dS+|-@!a?N(kr{;Z88?QQI?Td`Ad!^?KTBfr0}Z~Y zGz+=m1HJQ#fQ|bE@DTTHqjWB=cIg<9Xc#Xo_Wi3#+JK7r=;jk$fX;tj`_p094nla5D$?cnl}IA+#SQ)g6IG%91*K zC(pQs7gXGSku8GuIiW4F&CZiV&XDH|L$@bwX8#}VNE8&c#I3%sp47)m+SakXNY>Shgh6p;u|q# zQBl^h5bYWCo4BL22{rv{rPh$ESm+Z4=8)WQ<7_GmGwtZlB9hp)FY>B*&Ac(;0jo?E zO5Miq()=Zp`V;h3#j#;$8qvj9lm|U`+FBoHYM~`k%1<`2sQb12&)E9%GgLuezF?vh z`6g8@G$!UPFqO^q7~OHR_c&@m@eoxgI 
z_2q&q{FiRN4J-oF@BGhHCM+8nA|;dp$Wln(8v*@gpzGfvGUSSV$as3BAT|tZ=h*zn z4A-s_3`RfeF%=+spbbbvQMQ=S`xb>oDWsGzB*8!h6(!t6ek(@|Cq$dDi8%Qm4&}5} zluvG-8S|0T_>hLC zBtIcy*5(ez1eLrXM!qxGc`9vL8Y7MuD!PpQD0#chgvHkKP$(L$F@(R9f8|>7;2^l` zsHrX*jM=vg=K_%&#u5N&P+q`POKKJr>!ON@ecRvC(4aam@8Itc7EtNMD)3yOi;7=3 zfT6eUkZwf?2daL7@NAtsv{$3pjNUJRQ_aCLPBw>?*b+w)xhE$739;w5PV#45U*g4Q zZD0o_N<^W*)J&1`aQotwV<6TQfs|2w)k>G6j}SR!q5AXqNMS4n(!;k?a2~TG+vzAm zani%|`iZoZm_N{@!iR7U7O-t!;g2+R^?a^-aN9J<)gt9pwV0X+yB4%;;QWJVLpzbQ z5ROFV-Le_lBxN3g3WGpm0e=|iChU^@Ih{)gTwlL{2aO+<1<^$H0*lF786R$&4XU9s zZpR8~+gQqR(m!b?7#oIAMBo?dg`X|UQScjYXh+M4kMtoiAKQSHHz+R&5@&%>t5wML zB*)sVA`~Jh_ayP8fE3dB#V@gKe$QiyA`xS~4V<}fTCh6(lb^(7cW?mAMtyEI+-Mq- zb6BB#1I$Tl0l`49AQ31XP%_8`erWc1c|7$@c5rRu0hPT-xX`eeI5+>$eUUSd@ofMB zDe=^78l@*gp83oUYnex3?Y(b&hywe(d?V#KT$$yz(b92pidREbghide5E z!MKFEM;&DM*w$fM&u&QUBC-|?TcF1`qKG&r+ez*n7mE!w2jge`_^KahEpQKW@yQub z%CXj2d_amv6H~D1-etkyUEvP6c7K!Ns|`s=?$>Hh*UOklCJSf*m@)>}=^QLo`Iuu( zA^?irhR68^+#pR8YGSLeW;Dclw zDJ0i2&jK1?8H!qFE<9!YR()Q@CxrZ{ikxLY5@?Inh>w{Ps5eJTcJXwJPc6kFYGNy> z#K|&cVlC2I4121n)=ae)rWfWuGHRz4nRW0CT*kC%}5 zK`JmJ6(WF4+=2+dZEhGr!fj|=A|C6%tb_ei4ss5vN=x0ii?DC92z`fYIgOz+a%W~ zVhAj0D#`VMwrrorZ)(WQG2U|>gjfPKkf2~K1WH^r0yDb-djxYxS&4ImT*4bY6i0}V zRD${o+ckU_n{OWfMu&yeg}x|g6AmkC!hjAg+Z+M6cptg}f;{)6!^qW}#P z&V1|?Revy-U^H@(08csOLIP)&0`%jnrE1L&!<}cs)OmR7T(n-qe4v#miY*i!@!UY0 zG9_L?!r2(=)<=!tBC(}XYuQoUsc5uT)nqW zaEhXNv%v$VM(Ci%pTg<>$)Fwuh=*owITjI*F63!-Yg4r}yj5U^3CA#wO9M)vDy73Z zP7O!^3cvVo)|3Z_2;f#AmW^eM0>%~?4!M)K>;+ATNvpJE9~m8L#?I&jmh@*zSU;QU zQbLE*fyCk&3?Lrq)+XlbOna4zQPgd>_;gq$t0&``y;L#s+r)d!A~;BPBg={iLV*OT z0mN+(4?x*udKuC$uVGuzNekqdF8Hz$9M$8!9ufQ`w%f`8+C?KI>7KE{MBS4I*Z2?B z*w`a+b3-*o0MJc~s!R~>p=S)Q-kY|jZkG&_^bp>&qvzus<4iROO`FZop#f{t0X0D{ zW_+Y+x~l7Rl=gL+1>N4R47w2Sy-}Mw6c-0@`h+8QhFKZ(jlaJDq{zcABO}vIg+l`& z52>0cV71Svj8x7*Z`{l zDq3geV^-13uYz}O25`eBQG?CrRTH@QWz|`z2#Orx3G7%$@(ZJF`NgoJ5)sx2|8vqX z9FmuWxlNGbP_xxEi6sxgH!19~O#>P$_3}d7D(n$4yBjyNSF}F;QhyTTUk#V-plEZF 
zicDyjVU|z+taB7oj{~vH6vV(}rPy*>YnH~}4@deqB#z4xaY%`s)XNV`rv$3!wb!bN zxv@`mPYPQi`@10jj@2VJ2U5YDgDe~dkpuq>!(J}^9B%`=+lKSPWYsCeULlq;?T6$* zSBPWLT*DQz2TCmiE6qN^KQ>TQQ)5-uLTdlDIRynGVvCeZJw^9d{p7A2%l9Sx4I=Nw zXW#R|o757&IYuvWZSdDrSoykmwWKwMPo-9bgpGeK<6i#$g_SqnwwjvrI5h-|Ygjx_ z&L|104GrK`CBY{pwmn^uW#5*G<2dBAAHGVd|1=^zGld3h^eS|R;eA3@y z>snmj<(4Wo25B4_Lcc+IBS#+W=#7ENLfI&;dGdV#l5j1y*xH}!=r@S!RKqARlNAUB z=L*~kF}6u7D^-#RXfZI1n%w@}Vso5mzN{yu{kBq;bvdCMc|T?X{z82jc7qt*;rI; zadK*CuC5TswMr=Uh^|QcV7XXc&6>PIN?T5;twKMfE#3Ox)I1v=`IT5UnjO$mf78>3 z`VPrAn6)MJRI9)FNI-;&>>{;~5ieLILJb=b8E!3+jTP>F)-+WT_)V0FEYhD+qJnkQ zAU%L9G0y@+MvdqGdF;CCNRayGE#GC;xCK{yPJ`MZ-xjK1?p;#VKv!E3RpRUfYoHup2DdjNjeW#32kyg4I|c%5=FcEI*09+ z$dlUSm?Wc5Oqe=gquG$(B4kb0yl6&UV?V)kRNRj#7PRyzu?z)DOkAhOQGK|Ci0J$g zv@6gP5To3fUsx7gMX&+XyFCOnpdxgi4e7Sl9Xkr9ZR&45v_%Hyv{*R6%Aex+3k-UC z$l^ESL98ahBpA(m0t1romXjj0up`Ht+6YXj%#~*x&g8?9y#+V{NC;L4M zBMS?&Q^>f%SB#ihhC0o{a<)c*@ ztisak`A90Ta8SY7Q>9)$#kuk0pRUjqO|V&p-Vqd*is?Rk4L{<6Sj8@E%#F~XFz`jV zOOT^<9qJeLT#4Qfp0}x8R>OP!j??1Wdf%q_yML2TtjXXPG^=b4rWNRk2hnKA<16jN z&iL}rkQhuY3WB}oz|M>rmbN--rPJ!F>QK_G+xST3sWGt z&o<&zv1SyUZ?ElI&bT@Vz@q0P11XRSSG^eLps07&JH24Vi&5S|!u%5|8D`lJo5HeX za=fvxZGEL_dwgK^hWv`9KbQpYDI79;->RqS4P{*jAm{_Y*Uh@QXF`ZZ$N*j@MK7U> zfdudIfa}N3qE{8?ynO_=%Jck$P@=iVX}6J8WC2mHp6fUeH4$sK(Lzcli{_3k$t^_0 zGPJJOYlaNQWjlE59;$bP5EZeZJWx2Av)x1n5;~17uE`p@)0 zb$Eo_+!=Cs?DoUv0>1;-8S5#AskxDBFSI`XP_dn0{VOZ8MKSa9Q}zRIrBZt}=NVcW z*VXvHIb2>@^!tGa4dXK?F_{UR6??gf(PHnpuXGB_aUw-K`U8L5+M9DV)B}YeYgOyz-vz29 zZthEh6I$9!87j|#;`n3@UXG|^)0>)2(qL;(l~O5|Am={mlkT5^S* zvg=yv4iLZ@(OhvQ&Y@Q_&Xh>AHEyspC~A5i$fDInJ`&An4@~8v6P=WJ;sf~z`8vCF zWe3PIL`3eS?J0L-SctTeO*2Vv*1I}Z=R{C@ge(cHNh_G>4Y3yKj{>)}7LrX&xD{VqdD&`qntY+n{LKV=oek@(1e%yX6c^A$g zmkR?xx}VD{O6o|>w{*6+nhS5^PlaV7(QxN*L!~^m%MF0u{ngBOt}dQ+ZPhJxo3j*| zL6+O`e>9eCZp?-+P}Z}L-);GbT~?nqMr!5H$}$wAjFPrj^ZA&Bwy1O4fuWag$a;&> z%$R$-Sucm)Cx9fFNaK}P<%*^T;U*uDs5G%MA(_Ir7C}@%8s`{!Nrbb|ea48GDmfgc zNIor>%^B>7*hFOKg7Une);6k2SUy~K!4+QpP?FS8W&fjiiMj9+bQ=i84Z<W}Hhe6|zB{BIgir;xGn)h`bnu}(f}J4Mxv 
z9GP8lFcpDUBgS^aaoLLgABl*f(-T2BXFlWuw1e(_PDYe^KP!FQVuu&FBndmm zOI2AQsu`E{d%~@IjPf2yR271;YS!WwYXdum#0-W)*$}oa5#SBWPDp?x6v0O8AR*LB zVf5-#0uV%8X~c%HPBBM-4@%gm)Tt{h##KCD&~4%SUd4|l=B?!`@RC)+I7UiN9T(?9 z%GEKNBGD3Ixd0Z!y3MT!9t0t=J7-pG0BV=Rr{`s~KKXJitOx)P)6E!U?Vc|p4^IVJ z-zaJ+$~f|@0Z2XS{?g*|kEx+KQBO&ofXABgH7K95`xXa<7>T+HIl-60Ll+729I;4$ zZK9OOxt~W4NOh{d%@PI+#dz*RD3|6Z8LqqMB`O8NHK3h^Vk*q(R^>*iJ|1uV^ROCx z85BCS6u2$$rRmGH$_ii|-Lfp4gW7!FwsKOmqB-zAvf?R>I20)D3Vf|DV}xg8;ciQe zm7=t(steI0mP&KAwXkIl4LEDWv6vvPah1za`z@Xqf{!`&Br3+!4i#%y{a8j!czF|g zPH|S-t^qdoYo~%CEUTR4Ms~M|ZodVi=%isUU5phQ<5HR}L(0U*X)kn>Sk}s2_JJw{ zxfhi2-c^5)+;Uf!f0zoKo$3_KSTNxVf;@s_k3At>du${wpTHLln(ufhlz4z15*9Wt z#zq?TjTDx-OM)*uB2NmP1;)e$C{~|W>1mdzn5MhUW!)t*I}|< zIMr0H2`15sBK<9*vgg!WUNSj@l~nv;Z7ZpbSvHEj@O8sQSXZ1L|7sUNjSDYjBI6kqn$AIbM=| zxFOdT>TCTcdyJYclqSNYG~;W0;i5)x$zE|n)f}BX-v=WhJmP-rjL|@(G)|W%H@)6G ztg8%r=MyPvTnJ>a$A)*`? zo2zzt+2r9!PK`XxxD($@!MO^JxuZP6p;006UHXJIt`4AJX?n!e3JvVj-$AjV7XueP zHTN6}PK@;fV2l<1`;-_I1MUNR&Wdo#z0j=gfB3r35Y%B_H{ z=_J5d)sGxna?_cj<@f8`0q-wCRS!vx65`W1!GSv3YKW zr2sOz-7n-l@Lbc16hG{w&Z`4XIIOOf+#Ox=ee|{!*lqbr*4pU`1)#KYH?T;zyrYNB zF_o7d+h}lU)HVD|V_b;4I39A!gS5gBI^(^=6iqa6{DD&m=SyQXy#Bn*OX6R=zIt3| zarL_Vdi5}Kg#`ORPQ%x)RO-6w+R)x9Ha^-ZKYL@OuJtWqKB^+QEw)r{i{e#hfsiq# zB^@`sY;2D5sv9iCJ6|{BQWR85U2~M0EwRa=nc(V33%6{Ou|1dW3jITwCp=+X21s@J z1(x_OFywJr0-XRnhT}@76MNtjJ&7fJ+s^fM2Zt=&YYv2Il+s5^UUrszm4I;$l|JI; zdSO*zTzfY9a#DUL|EsWMp0qsz6G)+79ylWa(DwzKgy(7 zT{k+YA;@awh#ml^d0$@5AIq#R(yjJMb;97>w(Lb&y9F56p`Aknc1FlNknikHGrfoe zmFsauYWZp&Q?FR?UTCr3XdBh-?Dc_%(j(`Uew0?{Zt+mgB*7V_V$k_FPI>;XT~W}E zFYwqY;ZT@uHdg=uDA-b1SV2-)_}>Sm-=C3Y|4iVO7!<%A)>kejMnmHchcqjbLl+Un zZH5*tL$nG}!;_)=K+I$zrKF1uwC?YZ8?Fe7YOH~;2_$?5+TA}cIwmIjq^E2Ozu9gh zxVq%M+yWA+9%8Aqh5hZaEKT<=HjS`*yN+Ypjkvg)q$u3{3M#QT`*@E-dNSQ=O^7UQ3C&RxiQ z4GY8K5Y4%T@E;L{6(!0&@i!U=UBjBxsv3K_?;$(cJzYbtnL!c;KvD68LV{p86#Zh+ zYB{JdlxuNs&k#DjB6J}-I0pOa;#k-w%Ltzky`9asD0_NJ9PmxO95bT~h-+Y{s-rJ_ zZrQI;h(6#o_a(hLASL{gwQSADNWZ(`badERO%d8QfL`-pSCe%qC6vdG0-l&(OK5(( 
z!?@IVb+bM?z5mxT;CGkSYLfAw=0f=75tO8{P?gdrJR;Rv zHHd5jl&T}Yoteo<-e_RwL8brBG^TpwKv?QnlE7>dtWZ>lyCZ5*9 zr@r}p9I!_sJ*+N|Mg14WafAQ3B&Q@qldTsqKEdWGxI!r-=~qNNoAU!fG!j*|v4)Zo z>d(&0_>bQ1FfQf)Z3ALCFYscX+tyNJ;$;mNL5_lMu7=Y26!$(&tyaDBc(LwsvLJ{@ z_Ad;#81s>5koFd*piG-60qFHEi=>8F+;(iu8IGg9@C$a(k1*-iDT=L9~h*N zkv!}_uvV{CtXDF{#l`iw-VWfB`e(vEy^*E8IkU_rq2J-oPXA~gY_V1IX*P#%b{In8 zm)l!9Dn?Ai0+yi+I(n1s8~Ih&pM-{kiM`9iSXXkKOa3-_8<{En27AxD*V~i29aLJi z?EHLTQj4MHf5yB+SOhl~m3znKx?HTm`5zx!@O{}V@SFWruhy8^>~ud_y3n;+E*I{8 zeE^b>lG@#%@2xXFf?ulDpDYN1&|l?)#lMA;&13=FK24#f(eBXrk@CN#&nUOwVddmB zE#`iakx8eOc--vnk0m5ks@Gmm()T(XE>NP=>y1@ww|=_TzNvY%-Ei>GoZC0s=j!Q! zs?-SGAd^vOHDPi(9}+S#MQ(3Tg6j87&5?*df4)_}Uw^PQczdE~RHCO)tCr}z+@jK` zga?K|&vknvs8wr?ZwnG2V__xiykXvGe1(K;F5pQ1i|HrIe?etQtzSUgXf{2F?4$@%Qr|H}N zK~B;q2>9;~R~#nOiTi~HcDoIOr7Enc9Nwrf1On{IN!2oeG`dZT-}yutOs2bs(^)Q8 zODVkGZl=dQW)1ZPj(a6Koo+Ef5RWI*r2n$$%f7+%uE@I8opSd`+{J|@3?9#DrV49l zc-Zv01=Ybf@Er{L`r|RjWF|Y~dzS|DSvxk{wXym_aSDZeMA0a;Ld!p99^T#{3h&s-d)K*7b8S)Re;blR`e%qo^jG27WKZtLv4JDwxiy4s97m`pt$!uT)H z68uuE7Au*ZmvD7-H>XnbIGr=qXtf>g#3VxP=!Jo2PnJ0}8rRo2a zU2n0+p8O8i^Xpk{I;SyLoRP8eV!3`V(Pqa}zR_@Gx(xZR!a~p5x6Ug4-lZy?odMq} zoo;Y>F%c8Cq{ z$hzzh6bviV=DxOfXYlRz$f(lPP3L!q2LZqLw$kM0=5B0)v#f7vA?M@c)3s!;s;<@_ zzkcLztZO1=B-+V1_?+;+>*V!fvRbg%d#O;ResK`sxBJ`kG1cLEwq!oBP~O(ohK%tP z4sYK(ol2WEHIYoK9-C6RWMpqYd$F#la!dcU!P(Ay+NPnQWn{>NL_m;t$@W>{{4bqF zJ~_WvnmK07<8PK3jzr`5np}llFA)`Ext&~X3=Rn?KKonS`}x|+jkvV5B&HQgye(SleW&MRN4wxq z=iLQOwJNPa99k_yrVRi6goDcEs-sPJZ=U*Uqv5DVuW7IEwd7lD#?_fh^3`+*lTMQ>FxFOD^zRkc<7Z|XaHnV$qcF0dX2de zC_m;dFWfb{&3M0gwtr;ivi#%lH8cBnC(F*|q0UQ<+Qb0)w*;p*@m-SKXESe4Y zN`ooNcLtG=l7d>F$;jle<=}EUWu|c6-_61jyix)*8#}J`YM-W;YIT~Ij=5o^r88Om zf-L`-JKo;Y2XAx@?-Y){7~P`s@bFBXs@CWXd)T(Lw3I(iPjBWtUb$>{ib}V+yihF* z*)`miZpvhE#Xx_iD5cEqp4%+tHaD}K$pP7;W zWkg6Y7z|&tjNRc#^JBJZre6sYDOB&3@FF@oxZg?FzqFK+=y2{k5x$K**XSHp$ z6)RLIBhjd5hNUs`+6d_A=s;DowgfgG8&#=UlZNS>GOQKVEw)##XQZAWP(FC zhsMXp%Z|2>C0cA&V~!~QKZ1EZuKn+hQgJ4+SuDmX&?fWR?58tXNb;r7c6WD==ZlRi 
z9=hLr1X5`<0V{QeyeL0n{fxASBQcJuTi293WHk8*?y&yauLJkJI3IbOO)uGOG@+TB zn}hqkL-BUFvsQAuU)p4{+RKGNe>T~yM$Q$AVU}}IL4X=qT1tMtgQfEsqpMb^fe{iB z0VR!#)abNZ{^es=tyC-4N}1T`^&m-zB-o^JsDQ!_-P&EDOd)D7sJ zvxjqq;zL6``>lU{y-$``D%I`3?=&(t_C)q-qveyC_Upsh{0>IeQMbd%p7# zJT5#m@b*G^(n!Nh4mX4000%t&%4iC8zt~@1*&MG2AdWgeex#ipv$LwIs_)VZ2B@#E zhsAjvM_I?Z9ar#Oxk16>cKuH=mdRs8c^f6i;PKoAbv~Ms+bR`{ad2^wSsV$zF$QvQ zcQ4iJ_9|bJ&&$BI;lo88$`1gc&|%t}xJ5}Ot97 z?&kfb8tR{~UGn9L!xX9wn7W;AW?!E_HMF#t9Ja&caoc+w=8z{+sAs?3I$3}Ed3$tM zptT6-dAsx@B_m7V_w(I4`^?=M`p3>+j-Bpb_X`j1S6i$`Ke5P!#W=EL$g8U6mlyuB zUY#E+l9Xd%hDSwFEB9ndC6&l(c3BW*vDtZ;)ojj=#>&I9eL2NOqD^L0cOv6X#qnR5 zTy25uk0*u2;&Cw=kFWs15nhtt!C>O!;{}dl@mAX$yA`j*##r4hSNh+3yqt)*SV-fUs+CI3orZ(pTi&%l z7Au$gmX=b})6-QjxY*TajhsG8U`TbJAZMHMQtG1|(~1 z>zVJUaJgDxll%gz(Q6<0uKgNaE}Q`Y&By!(gi+|U`&-?e<&UN_=c}-csyevoc zZ@@-LEcXser+v{Pj69qzTWmIfrP1q;d}Ht%4$StS?6};HnT*Dx$`vXnEN3rhv|=x} zukOa<(AbuK5!fGwM4c!^w(I@dEcz;^|oqgi=xb2gtvL_^CktaaXfb}SE^ zrnerxEf%;9zv!@xMhCZ8D1!Q~c|2bC;fs~(C0hDT&jjtpOVzq>Lp}IRCXf*k5k8!r z$gCBrhWp|B{xGVci`(a>)K+e zyqh*~IGn`q{0Hz6ylH0I9~Kpn@?kNh2M2>@H<}e2kII!#*sQhveCI+~=@YHZeff~wbj3G3YO8o6Bk4j~dG$FuhBWxC`Hc=H4mR3D@*o$gtIR0YQU^}n@82xquBFcp@1F4ZJnLPo`529ga$4vYf~8VY34L78IoNOdhBE)A46zJZ|CLYd?@ZyO`?N#MWe zlq((VJDn{RYx3XJCleuAlCraB$f#7R;rXXbenFo9ASZR;+xe?!IfEmr4ll4{t@}!eE!tJZCZ|ZDJ zsDsbA7|&qlG{61EA`>b9-CcNiw1=r}twu}o=LbYQnKb(8Le1psgJ1Nq?MfLG8yg#s z&vU%1wOVnveXAW-TqBn`*{%FrCat%dvB-1#U2l5z+hG>i`SVVgitX#`A;|Vf431?l zlpntv0zQuitNrcyDiCD5??;Adt*-P;nyqaP6gvU}a$W+v&OaGTD*DH48k2tqrorrk zB&sjVzUN`+cC+&-UwfG@oA2jsajR|drJv)|)nD_&sgo-0-dNeJ)_CS4>-+P?EKX-L zL;E}|0DteV=NGh}HIKe;7esDuZh)cT4{qQn40^rom3rf38qLJe7@RDyY#bH|xzc*; zWqElSDc}2N#XZM4BhhbKo%vyR)|_37goJO$BTxMl9Vf5%{+{T}4Ds>qoOyvtsRZi( z-G|l|$t%S=zB_})5y<~FG;AP6`oHHt`>T1ba(W!>s?R&@w^NH&b z2znMCnMt=dxEXa#E;u1v6&8yuaMp zY&N{KuYIE*W7kg}$k6cSN;0C(a8pYvl}2(pGeARI8wCR+EGGx=TPK0!@?a76?c@^* z2@Buc-xnDMiIoG-7_!?VqoGB77sxA@^PvQiu)Gd>5OCk{;$pII(P_B;Xj{IN_T6!0 zbLxY9C+kOTlRiye!Wu~5{AnCh1Qaw|)IW~DdoelwjRDP8dVO)?-AdCJFjXx;0nlw7jQYkb~i(Bmz 
zkmz^6_1Q@c4$j*#!B0SS6%$rmA%WO`YRz8X+Iz0hj^{TtVFBMANhG>=ebT@^#(|Ho zBD;O?_1!E4ki|k9BLEJY1vK#ojn8xR&Wm!X+|IXVz#guFhld<$1c?9Gss| zEZ3jizJSMzf%>vJKet$|fXiz2m0zye1hhGkr8^pr7Fm^g#eBbYsfXW%*(1@@0N~HXdolR4Q$VQaaUT z5w6>F&)(Aj8kK6Qz0o{Zla5RwBR;pU>sOd%Vu`d_EuRc_x*L$yw`{P0}`f zoPj2dFVEkft?*oLq?>NEVR?Dmy0}Yp;KlD$6DjkXZEu9Di|mmMozRyt{{6h_t#;PN z6VlA3sQ2E}BF7UZzQ3fOzdqOi&d+c4bFZxL&ad&BSM42*I8~x$c-DkUIo(fhH$8Fj z;+rO6ps43UCbZkPZ$Bv~CwRSJT=kX`)T2Ph>7nj04jMwI%L31u1eWP0ZR&NUKa;4L zt`y<_@6(uU)zi~U`uOpzZrcNX-khcN%w5h?vTOS*!%sKl0n{yyY&;W^W`U}(Gk0XWPKcuv%pPJ^%R3H0AthkPhA;lM{d-wcb&T`K`}NvP?mqpqoSTyJLO@0 zyry;67itPqGc$*gk6N-xVmzY^y2?wB^YdA>)@>Ai9|CT8=|;Ujhp`exp)Y$`lmeq} zlfy^HAGF=iH?T;GRxph3fBMLeL+&bQ*2$BrJ9wVQD4+iK3^wjHZ zn5~#R;x<`Q1o34ZPR0zoXaTmYTJFttF-l_%QWnG$b^2*^PjT>5 zi@YVDrc~n;yQ-b<8rJrBZ$Eske%KZb^8ql_{h2C&Wc$cd3X?r0U#qWj5UGfocKfcR z%WTJwAAino_U^p!!Grz~InSpWy<`YofjkB-*73t1ST56UsI;&`vm}U@or=a)etB_z z{$D`(8FA*)C`qeP&(pMGYX*|Oia%i-CK(KXf#!O9%YQES8sSc;06UStxCW=lJ z2Oee}%WYYDWSFS6uCL8pThwhdGK(V6o4YP< z@x_t%bC%U|P=#&!XUx*f+ZMkR_4Ijf8f-}XI)0U7pgNgj=gys8JH#IElxo*+39MMn zCSAU~$iwi_~0~GKDU^yZA~ks?@-3xU>@5r1PH=PHvswZClcvdWx^& zlb&qNoGuXX^J9?Jje6*4+7v<6Bxt1A-5)_;^RXo>;Gp(>Nr%ZR0>PxIy*%;YxroJ1 z8v0>{AN^b-r=s}vBu+KPpW8@7J#k>vuf6!c!W|@-VPt#ef`}x$oSa--ykOJ|`%wpj zl;qF5Q@_$Rd`wB%qp;oh_3J$mVyi^=kpbN#>z@R{-Y*>crZek*Dhs&(Y zpWmbN7h1TXNpi?~y*6#Kep`P^PR>T+AgzRxL}+LVQ)CW1BP(ke)`xkj>A;>ZUspP+ z4xyEy_C1q6@h?7y1UM)C{oli3rQ`}#x zQYI@WmkO={O|2Znx7POi|2mA}N|eS9QKf;0ioTpuu(Yx=9PrN@xX6Ew^7S7+V;S8Sv~B(x0_^t8Nl-2ulD%w=B}guKYq#Zf6FVS75x`{K71&D z|6IQMzbkO^q`=+(OZM!S(h3fV)2B}lu4BlDQ#aLL^`7Iux6yf0V(_K3re?EyLBYxC zhl~B{nwt6o!F3G(ecP(8s$`)0ir>7}SasQV6 zPfs5+X7Hz~Wa;|PX!e)B%tgP|V9T+{kpHY`ojcF&-MhDc!`6B2(uZ#UHh2aHtIIFX zhwb6oYWiEz>cxM5?d1Q5gZ=-%`vqX2C%!p<=+KKJH|~do zupUxP=)o4HsC%#K3sI3&e29CG9zU*O*!15Qo)0P>cTe^7q|-0*iBe0}qYyHwxqHlG zjn!}?KU%K*l`Fd_0D3C$halwNqhss?gdk@PIDqZye=p;gCx3rUDBacr`Jb%1$AAA` zy^EjUFHSvGz;^H=aMntx&Rx6*D$C20k2ZsuQEg<4K3zVG=Rlfg-WO8wLPfrYy5m 
zP{i(54)@qL?LXJOI8Wm~btn}T6*FWh5Z8jjLII<4rpi#UuX7XKCC?5qdeG4K0U0tc zuYyBCoG&XIo9_3Cxj*|O+zQcNSdLt;28punuRL27E(N}~P$nTF4ezogeG3cAJHfO6 zZKCCAfxVrJ=IQ3ywXdjv1jolM*KA-p*;gL?_HsN+n7FOp?_b{ocy)Jja&kuclo*sg zVXRIyR)*221TS)KxFE_VWuFFErCoBES30m_(cILo0>~4$6l>+}gvU%ks z``}XeC|+z5fg9N*^aO%Moo2Y%#BaWYGOhSR=n=3l-_2j=r2qWl2t2H5bh+X4=dLKb z_HW<oWFxzyXxHA3;S~Ce$qiLU_NqvYmqOTKGvNaB-k=nEG(3d9;I;i z+rD?#uKY$UCo|jitG{9a` ze9m_ppXWQy%EexM{4zYbPq0~XoM!v57^33h0iYVCS^VY!v_!+g@?htcrP&YWZ7l8) zZp*<$tveU3$P8+*mYzPwv?--<8QRr3<9K}EsBq4txX%BH{2Udx5q10hUCyB5#WUn3 z?$fhZLPraham!_(Q1VPo6;z2rMV;JbV_ zedWsB-9LYR!GhY)jl;1pdktf+F7~{~#~Te7VwBjF!o*KmTJizOK_*|NtE&s}Ygo53 zlHLLNg+H8K%CXLL@+$~_b)v2e$m&BMpJ;47ZmmyzKU^D|oBcVJcfNl8y1d!W%4#>1 z9*SXD16ZQ&U%%uBYNEt$4KqR43*gayVb+p%K2D84kVpGn>gAIsmjwpa?c&_G&#+Nz z!`~j}?>agTA39o*VA(S+mHT+mHuIB)_@L9R3;b8Vtk(E&?K6t;K=a2N zFAVWWNXs0&6FFRWlFrP@N$kHKf(dRQZ% zxLCeELAwlw-f4MxikH}TCL0gtT6M39aGop?Ob<(NpTeR0)soKp^#MJnW}0bvxD>0C z(}Hn*YFe66^~+=2I@!1m*-v`hxRC5Apk?M7hmhBwY%fW z@)F8J7?xb+u0+zY=!cHA#djgm1VF)yHSAEHBi>sXt9h z;zRv`#iajk2|il^><_T))EQpv(QlrNIP7@J3|qFGKv?8}PPQm?OM)f9eM5eJ^Q0u6~OmX)IGR6GBorJjz+8x09{ zZ&eLuIrrCC_|>oXgQ=@roSk7KvuJ1D9~8E5Bg>9&(6d!GHVNy;!N@h6A!^(oKjgEx$gAH>9P;&TRI z`$xF`DH$G%m6iC5Q5RP-To!~6Ykc4fhoTqa?oI)_`Z)HAcQ0!7Ld)H#b+A zThO3*6QrM}6hk`HnOCZbI;3RdK{HbtBM3lYR2h2u;>CdTvlB(i`qKx+c_bx6yNi6E z1_a!NAAq!*gCWfTaDyIHk@64`-?u6;)-%KE!^6Ylv$HYE5z;%vZ$7LD5n=7M8)^QA z@DB|hLOG!&{e>pLH?yYiI|x1{^hOV7Dub28IRKu{vz0_S$%=_GprWFV9T z<|-7q0_dd?YVC+Z$jHc0Y~HeEetBW+$D=)yK?_(N6g(mGRwh-|2IKm}m*bei!^6>7 zCcAxQUVMD}a;n1^?Zz%hS*e*U+kuV*JF zt`(no;S8UzH;R*pgn^K!)Rd;@gD z5~MiInwJJ1R=@_q$Gg(?<=)M~x<_}Y>4+HwU{v_(!~?I)X9q96#)9`$hK0ZY0}i=! 
zaiMo`@QlZr4emY168-%A-j<>qZdFiFz-hZ)@aJ-(&e=TIC4g0-LknFG*!{Uw_6PFn zDxuwkH`(FkzI^@K{b;DIwRL=IievZg+w?MvPtgAPu2t{iC^j=RJOxaLhl(S^XZ7SuYeABTFjJ-?Ne7145U4XgRE%PiNqh}w_uI)DB=ntC#t zG-qIlxb4A&gaiT~pFd~9X(0Q)Hu|h!DQRcuEY`n&o!4)Im}x)qv7zzfjUZ{Rm1C$l zvOzrB<$*t9&wu4URTj|zUQR2&QK`QyXpFb13dta1<5HGz%=ofNM0;@Vp&*S=)|*92 zHA(E=g9kKcLxjH}kAtnve7moRs0t1h=C{u#YPY?>D|S*daFGdkcNPDqm3gz|KoDY)U%q^~*8G7BL9ks14?aeJm$B36 zQQd5*w5Z}fdr88kZ$0GoFF$@f!%^G9!0;IlDdN+}x-I)rb?yqam;eFd8*um_Sg74dc==(fHmLPS9+O(+S;e!cnshbYHH8b!@z{OBvp{Hz_rh0|XM!Ce?mIkIjIP zCO@I|Onmvzv(4wmyFw-G$gcXHboE5$&4DjK0B?12#1U704WI&;SH1R6bU{Jx(u^id zle6KH4vim7wjk?8@V%7NOm=lH0%Rf7GAeU(bDckb9v^GZp+t0cY<@VkYJ6tKsNf+3 zerFt2;YHLY2Oaq5c+n?#nByRqQze`c-~hgPc`}DC$Gt>bAXX!CNw6$QfkNC1ow4^` z`ZmCoYu64?xcvG33Wvtt(Qz}>@bV6t@#EHmo+LPdx}lM79yZ!>%U6MUX}G7S0A(;K z<;=znvm-4*u1kNCO=|Z8{SicjhHW~277Y`u$ya^`5g*}jHjk1VOSo$y^4s! zE8#(iWC73??%h6cDOv9nflVM_T&fA78~?^x7yE~YLq}cyOv%Xa%ozIhYb{iK{Z9z3pm7=jZ6BRn z+YvC$JLt)qOLjK68WYFUwzf9JMulYstI&oKqyVtq2pu8foj1N)=g^R6V&a&f;QphN z@;?L4cjL4J#nHGo=(>^Si0qPAe`Uy`B=WoKkJiVji=lExxXdtI4U9nq{rqp`RMOJ|Fa{EQ(dJ#EXeH1m0 zOFQ#J(_M{$-k(4HN9oyUXdc|`sQKB~cfZ77kEEm)jYf~|K`t(?6Meb_SOGdHsV*C# zcZP;4}h`7CF<~aW)l>yibXUU=bB^n z9{ySwU$7$RVbPrbJoJqnQn$RordB->vCwJ8``1P*D^Gn4Jf!M_2JsVddSG}0CsdZg zPS1a#wH$6t7BWsZuX(c$6|MigDfh7l^k~s+lVGnRsDiC6*0*l;Rfu#T`t|_zBF&;B zK_q~niH^{qpdf~Hdr7-VKqtb~fq!#*N$(u5wm^sZoGEKeEc zS;>ndhmhdw#p2*8d#I-x1wS)uNC@K}8URIR=GR*d&hZMt{ho@DAaKaqbPL_?uj0MF z1>kfUc4IpsjvNVOhz+R?^J}CxOlWgC*nN&aI~AU?06x^eZZ!J-SmPwbZK#sNz`&ze^rDrTH970 zt>*x%en3j84m&AQ3`)MpvAdkaqtkU;I)dV3P!%4wikkKu&c5s7gj{8~lmc|7UyymI zXf_H-djioS$E^w7V+~ki6j(jjcnU}%T0*RP>V7E9oCvhyXiWB2`Fh94GgyKyiZ)3~ zp|Hx^&MHE)8E8!AKxoAP}+U&pes(!A?=9&^f-q`hvP4jWTP1t%j}=;}jA8At&G^T9_al zYkq5?{*tFf2W*Dw57TZvKygKwrJ=dG`C*0R$ZT~492QpJoSYmG(^dX7_ut3?17hQ& zZiQa`{`wTw_W@{YZKmxFsN}`)TPrIo$!x=b8_Ug~Lqlbd8MxGvu4D=bwr1MWxkK?~ z%KNyHUD{M@SF!&-Iwd6~{OP7)TbZ3#T*Dc9uvdNH8v=GIACB~UGO2q3xFl6mmO$Z| z;ik8m=?N2`1xy>07;`sIgZ0(ERpCrMbQfRab4Ld|ItamG0BkTHY5e6%qFOh)0rKrX 
z`@*0+fQ60C8{qKv?b}8zN$KgFe0u z>*GrB)V&2T-}6^1J$0wQ=`uF6m7Se2m=$W>H_?q;Q>%$;Slm$yT9ttg2~t~^pdCUa zURG9x?m};GKje1V1m8d1%pqU$e*O4BOoa9Fq60<|7A}15ixG2O6a}0EkgSPQ7eqgB zNA+Q_Sw~0L4RvcZ4GmQZ*Irsi9#k6RSTO8NS?ve+@1w@Dp)b8vP236Yv+5;Upvm%@ zGr_etKqgGugU!(^ft^1gje(}b$-}b|J3)U55L6u$5YMJi00$OWO%8YiudoNoI+pJ| zv}1pN|8S=}qkvo_Lkt`SeXa|UNC>`6OXQOSAym0jQmv(d;4?HmH;~^TFvU;UGfCCVyW7)c{8D!u-65o z3m{Z0L8#z=H)@3{bJmvnAaDf=P$#r+F9T;tibcNc{W!TtCx7Je=FWYYJ3&$-w-5%v zp~ViC4Z$adgn8tx`6Wh%)689=J3cwj#P)f04h%dZeyQt1d@}d1@vF@rOirN2irEfs zgg$fD^&Lv$rRv96q4CNRj9CQ%$NakaQlw$w{jMc1v(=nt0m2>@DHjIQFA!V&fr5PfA}CIn?eDO69lh^IbBJ*Dh*M& zl5cd3URMNhs%d^zzw&5bOBk1%4Jqi@(|dO9a>uhkisLvwnfKUDP!hphg;lH9tPwD8 z6(wC37z2qqgU4GGEL+{S8 z>b~!H!U;A42<2DP6lr((CFh{QnYU+`jCXydT)TE{C)5ttSME~)9)uhtZ*~Rnm*^`H zp(wE66+koOckrfrAblb_{piV)P5LXuZz=E!FFbC+<>y6YVQ78c{W6Q;S=M;62u&BO zg$sBLP2o`s8M&UFx7>g?gZo3Yan#SxY7J26ge=VD)zhrHWo3PKl)OCVL3SuenjSWm zY({nUIW((N!1I&`&c9wwQ1>6Z4woQ^jo)LG*%z0VD$EmOb#gM5DE!>~ifZ+v8oI@* zcR5^~@{}J7rRUOp{zAl}5|T@>v`gkhMu>p*uHO25eE8H%hy+-Q&-US{U?2~`eI~Az zQsIHC_(lbilaff12y;~z8N2bM*6sCmMdpQXRRvm$y}dozFHm{8&b_2?nCklmL=3?F zrukMWV=J1fpiQ4*cZa4$j-m5RRz?OoY2?M*lSL6(nVASGTeRu~{e&jPn;l;)lzZ;b zvloA>S;xCe?+L=DXO}Mc`t|Et;jz|?r&uedUf^F65P@44iLXtB6tiX_q9EWY{i=Jr z1;s>Ql2wL_ajI;t(}TY8lNHC4P}fSZQ^dAfP%su7 z$fh^VYzFJz7Ph$~u<|J@i`DK}ZY&Ae*J!ig z+NIoR;6Vpg#A_sjhaNak+&BX@`Bz7t3~)hDRYU|418y$_JlY#^iX-%tz&Y4e<>n5J za|>qMk-_bUY%046eP$CYYe+wBbPqHEZpQEE9$pkB=upoAA)yAY_O~dzhOPTTHI0bG zu$w#?9i<@X7*)x6F@65q@93|AR*_uZw(L!QZn=O@QKgKFuh9W@-YrjQi79)6gaS(Q z@9%SRc7QaF)JQo0yZI`yR`lB>z|cEypnQ2T@!#2gSmPW-T=Xyf?Otvg3F*jqLNh{` zk&muD`uB~}YYz~?B#as%-Q##dVB>^KI?qosz!*feuNaJxFKL?T4bo*vUoXvrnu?bo zGgu)ZAx+foMZRW0ouK?s8DF>r%D8@>a7Y6M)?YoT0)ia!@o&g~B@fcUbU}bI-F9vQ zinkuT_>fyY#gg<@5BZtVHU-ofbVZSxM3<=w5#n5e-P@or2-(o#;YOfr%h+~6N&5n! zIeeZ4yHd_~r<5hyP*s&LJg4r;&qa{a9uf%O-F-q$jR~T2_f(aP$e~m)Ng>XYaTnkE zH%(y+p>bCMix!7ThyX43KwZa2DTr$YK@1oF{Ih#W4I&k!XGj8lU+&Qr<_COG3=#G= zsf`Xk9CGBwcG5;57oSO8;vA8~m&cCzik!rrQ;#<-x(&BEXk9d1D4L)Td3h&x*PVs? 
ztfTvH?;j2BReGV&^wh{R*ht;T(BwMLVGW}UNgie2;K07zy`u~F&pe`wzC(9l4=vL| z`QmbC*CG=obwSOaT-`(mF`K}JP@5{g@Qg~^1PRI3L7r3Yz#5yj-sS1~_-__qD@YPO ztmHC6gaqg+|yGvhW?AW%=(955eS-mot(ipiYWH$|-X@`bDgjUPJp-cVo@-77i z-DEq{aTvwcgifWzx7@pX_ldv1Ufp@f)ncfkMFs*^edQRxX@>QC$eJzq(#f4X>K-wm zO_yy8X!peA8$@UQuuzhhCo%W=_UQC<5j=E5&>U38Z`XA&n8=$wz6unz4>IRoPEJ;j zM+Q=qm_Nm^WCyjt83XjaB#1sQgw0CPl%||7$q4dkC+bL{TAL{*!hvyHoOs}O-WlR1 z+Nd1jZeFIpo^mSJU_?W4ze++!axf$Np^LFsj=Zo(0l9{uV{rfAWG`P|U#lTqBN;=T z-{skSym` z-yEn}70-^7FwNR^3r`q8j4{^iS=}bCy*fHNKn)ty!i7F;HzWltoT~DEC zUjAUw(LU(MY`P{c-1v;5Vzz!KrwEF>GiC`cM+xqVESJNMW0th%0~gXS4d7~8vu&&2 z1J4RGhE8xohRvHVbk3kwj0!wIIm*xvZVg^dckx0bR^&}olwq0q8loxhe@e87aw9?D zCRk=P_yyn~p;;(CKd}Z)_1>PI`dDy?EJd-pw?q)x)5>vthEm@RKm-;Aph|Kh@S<2e ziezPFtw)-Vun3zLL#m<_g|&{91AweV!s zN++56#w#Nh>HtuK4)fp=TORm|PnB-*c+;b;{%AgG+rr6SLR&Ahod*~|Xkkp_@tz^G zI*fxP-0SpZmkBr1fXaK@ZJbv< zocS5RsuHrSlB1(IA+k^qu)OMrosg#lz%VorL{!BFP#X$vKBkAQ+X^9slvOwA=);FE zoLxl6o2znL)*t?=s_XI%z==p4MybKT`l+`@G&nrk3p9i2Y7>Td{^K(~lFpMao#E3MSxZ^($tRGnsxTc@k$A8hmA+aDRk!Z*Hc zL8+eSDg{|(UcXYnP^3SZMarOv`#U z@vX(5w8d}C*j@%I5xR32xVcuZKT{HMy&CI-S7w!e>9 z#n6eplbcf2xMlO33gbghaa_l8gD29ws<@kDEoQ<#w*ssNo-Ig@JE*i&`?!Mwx_7 zpEI~a9Q9kl($BK0S`PGB{DhqFoW@m09zLS0H1YpVA+xO?}je5$Q|_eu;hEj|w`LOB&4ug?(3 z9b~9(t!NN*OXRryQ8TSjlR>vnzrP&sWjl7WEd8ORGYniWPi?TFy+T4;5f=epR)7V^ zrJk~PyXQTWJ?qg{F;KD707KY7vPttZFHo0oZcz8ANPE|{aBdtfIvP3n;RJ+6 z8+`2UB}Rt%L$H5@JE&CLmZlq={|v+oNyW0~HdIhl52m8cvF*4EZ(^H;B4MIZ`TzP||4yc*offq?-r^Vx5Vx;-SpXC-|U z&vNBYLmrZp^QaR+GX~ab!pS39`dy7(O767=9Dsfu345A}%fto%`6M&HMh|-I8H*c}hxB z60!)UH7@3tlsrOk2Cpq@I~X7>y2tHAFk_*>%8`(Y%Zz2#l5c^nY2}TVR8OAVn}_Ws z>M*(2$H!;=PRYhtLANZRX(^DeAWD{K|9|f(wx#Fgu1}G^QL9(4Bwt z_mZZb12?M0RLrNJThQ|yYD8f6URU+26XaE(gMClb&C?1}K=}g7xR+7^RUfL$F$iX) zp91k^@MvaO8@9WxxF9QE1yPLzn26_#f`eX(K2-*c7eBgl2j3M6JoB#k{s>Nf{s|v5 ziuJ6*UKo%~L5LCaYK6!-!4$eLy#r=%{)G+XQmB$k^%@oGx*f~KW)9e)P80acFw1Qk zdR>?2jp4S_nPnm5(S@=B2VA(p@Sti!IY84jSQKP00ZCvro`Sn0$AlF| z;9)-3#ku2c=J0JumJJjWT1cN-ssqe5Fdrf`!sVmDw%JOwWh?_}@u8wtcL16(z@bY? 
z)NxdxGAIO-t!oTcr-OTxL&+TzJ({s~C!|HNAkUzn2DTstC8hn)QSB44J($UjTmJOh zJ@*wofJV5KV%>Wt+-Xz{|21VP;sXZj*KFJ&kHh)O!VZmNhqUu^6cZX_<9^dAs#U9C z7102Neag)IIXGB~uq;VbtzJ#R?6C<4ogK4C6mU}YE-iELnjMubc>=f4X)-m!B2!?!H7d&13lF($W+?gRX_WNM93}cQ09_>N zGcmn^NVvDtp_@R)4hKE4#`__n6JP%~d^UOyH4s=h8k+*e&I4M@1iYwo2si3DPn?2t zRRLo92|+N4Tf?7t7se6Y{SGxga#Y}`h6W1)9Ip`>yX-NC+gO5;kr4nuL)oCuhks0@ z5)4R-z|q9a-{E=l6U*Xa)M48YY0oHI=@?u^PS@bf6&nc3n38K?61ujD%>NJWJMPR4uy!Z5$K{@vyHGuN)gCNJZ-qKiDQTx=j0w1%UrH^w?X9@0I-9=H-DYT@c6J{;D^Z0#8LKp z#ne;&`u+Rng$oy;!gb=eL5UgXn6~q1J@oK6kub%0Sc6RTE(a`wSMq?*{)~xmEv=pW zhf#%~(m`c%Qf?WA$L8wlnmtj-`sa#g@rfZ6am1a3l*;Bi2N>9VfZiLBh0;?Szxuh51Yh= zG*fl#g0=4O8kTzIpV5EVoRpuugy z^MJyNh=mY&NFc%(hTv+M!P&+fpB*a3RhVEnCsU33zFl~ELb8;U`p{;{5Z^$}K5z#b z5(FdGH3$b3OIHH_MB42=VB034Ztc=P7muVS(SFIjXV5w*h^!>tx@WR_uqKKQ*q~x+ z5?gDBsO3>MP8<}*tbX??h#{%eA*t6}Kk+L|O>YGh%}S)XfTs$>V(pYk1gHk$%I5D9A0~ z3E$tG-h$1AjM!8D6%;|D&z&*(=ZZ|f#ZNKrHad4Io>F*W)Npy-C(EucY(cXa;_3ukt+2{Pl|}b@6CG{TGSfEmcNT6` z289LZU0zwaA5U!XN!~dSDYV{Rw6J?MI%rhTJuZsH>}ajMCJ-!hXYw_~sM(QSI~{r$ zps`?rpbu36E#KM2#YQ_9peg&$;Crn+*D!pga3CYxh;_8Pz6FAcO1#Dq0*X+D@Kl5l z!Cl=6mI5BT9Y!=F8zta^NEt{&jme%YJ+$@EWyOet*p$Dtv+XCsTQE8?C>0;^>GG`q>A4P*XIcg3q z2>;*nhs@&a-n|aYr1f19p#~=Egupeg;$w!)0bX0}nb579H+%4G@C*F!1LySl(X259N}1ua zM~vByaeZy7s5o3z*1pUU%LmcP3v7*5^)X^pCt&uf!B_Vwvm2`SMtO!`w3_IJd` z#Id%wqkU}xVKC}bHc)6ihqTKiX1y0xUwCjIF$D2N?g9^ze7b*Vs3OF_xOyjO6!3zG zGtm28j@=Lma4>|5=eht8TIo&b<|y9kpDcGne4wz~K|{4H^EDG^1<0}bc{?WlaF7a( zBV3HQySux;qAGbAX6NLLaVh-0S!a|7X)x-keyZxsv#h|Rr2r#qW!!ca%lFKID~qk< zHO!I==1wb|J)$EaE;dmvSOwA&G?I{$_ZYy2bbu#*^K3YASj?3VBP-)y>4Bo_-x=r} zlbR|Q1dbtGl_W(d2ul{WXkQE}pw9arWPA>oa}C&p~w9v=ibOO zn3_#RBswcIR|1KaPNf7-Z=?&!%921=+J{6Ec0KIj(`U}ShO>Zq8>yno$=|;*7I~j! 
zA?U$8-c$O6e8~Ci$mnJ~11QamybLDaVvs!sC_2h(i!|IJeYeAH*tF!ZoSp+@_Y^r#@~RS z6Exw`=|;8pMTL?7)2Ae93LCEv6qJB?h`I=S-vQ48Uwn<+EwYCC!XYHxi4;I2${JB3 zX=rHhbgy2T`a9z@>I>#7aI00c(1%qHLMjE>anVsxQ4E_l9mQ+_h5f`gMu-F(Fnw_a zXB|PXr?CHiLO}%vX+pFX=B_}q+i-Fbj>k3}T%>vep;z>MVn^{7OcTRvV;avJaz4pM ztcgfCAGrqKd;i|OcL9F{EZQZ}3uum_(~-Bqq!AB%Rzt82qIwgcbX3;e9&QHV1yHq< zu6^J0{`wj+jl}Lc*Tr^dBiiqF7z!Bsd01lb8o2iIR6n%R*$%fVgbLQu(vm;{8KK00 z7I1S3_!^=Q#VQ@7WPta6&$6?CD0CA0&A!J^4!_4&sD+X*4D0MC$^^K(7ogEsQQt9u z%AtnDeyBEpsG%rmYScQ&wwHjo{T;EKn3%u@4@BToutT$@V^>cu&2~)HYg(v(v@kXcuzQbkN&txQ$OqS-Gg8AqWLrvVi!%taPJSRx416G2qp2LDJ~aInCbzCz#_%5foxI5nGCE&volQBX6?%#C=HrJHe&Cz(}7*k#EejJp{t)jN=C=p9<`# zm5yLAE;0PM4u!$K_n9idMG=M?|H@w%&`F@nxR0yCX$HQuoeGDUGWS#&7_+o-q z(^^_8lBWXu3U^y}zyRuX+g6bN#f6TQXz)g&lx^O3hVM!~u`UU_!pFy_rJ|uxk&*TO zHw!?67f0li9{3HS&3#l*tk)cFQ5pNAu9>Vy4O;ybCj*tK3zuY~s}r}DP2!dTl5Lm> z+q`uvxgX@j{q>&_m?oPCN@*9q2%-hZQj*B)oO6eZWT4(r~ZyKBASBH;;+)*$l(%coP420Q4g;}8*x<7x`>>qk4OIl>9?fJusJ0H z6ru7qVVj`jMFBNsm}Io8o`W4^lakfW`X}#A8(iv0UT5Hy4kY4<>^Gp z!;F~GzzW17U<=U*PaiqotL4fH3b>jkmtX0j1uw%Swygl>4Y8n)FrvCjJpB`tE@MOVkYrfgN~Co90VQ5fqfj+ZRpgk zZEfnwdiTz+(!=V`Ei6nGY*DuS^V?)sH%~5>1W>CS{o-0<(rye<5D&Mm?&5vKsUUA- zVSdBhDt@@+@QwDka%k~KjiW%u#5Tn&3NGghg55}hrdT#Z+w+B(^ujBWOvJ_=qC}ZP z3H^!Zf|gnfNsci7NQThz)jRJtu zezJrUs>XU0!QF`dVgZR_L!y>|n50`F6xaz010_&GIpRGSVY1`&b>L;?U5B7nC66 zFuM>#z}}-PKJbl_xrB-MrDifl{Y4fwqp`6EpxgmI9gbVmTsF)B&`pB%t7`-mt^=yE70a6=?!rTm9!zmCGoU&) z;H04b%v$8aL^fZ=kb-Hzay+UHOlAzAtg^(>AYU0@;jLQo>*QsS(bT2O6H`-E0)^>i ze?oedXal--FfpmUyz?DmCPB2oaEa%ZMR7X-t}Q7`mhAy01G9dEicKzqygY^RCXe^; z521u?1_i?af(<5$fjUBl(gbMMLP?Q9V<4(Ej=6y2?`!b09^uaeXw}3EKwn4)rFnpx zd~kY^O~m!uk5TZ6LXO>r4Zqp*+ZRL$#Oy|Qkb6zQn2?+6zRN%KC=&b=4ony%z(FdE ziUvZwS;hQlM=;en<6aC9!H(p@*fFdRBb=SfQ-WLez?U~soSKwW+Oh>)>8Opg@Z%A4Q4JMC7>jT<&#dUQ&T09X9KQ8GH8p{UIjBGHs}A4t>GKB)p2^ zf*U+jB~WrP+t)?1%!v3Pkx%ZwK;{b9i0fk= zKV@ZgSn0w6IfcSZQoZn}h)nbi`YMs1FyM$5Ymc`?o|ShF3QBxE3hhB?)m`90@XlCj zag`5lOBC_`JUm&dm)!H-!WuZ^Bnkm4_mRO%c1VQ5(qf?+(9Ut(hKo%Q{?uQbS+{<@ 
z0R(`i6n8<;w+Rekk~?Gcn^Eu{K6>;D4jMsuV3OlF7r2npBp_GRx@Rq-X@D1GjNf%> zS`{w^tGraTqsItXqb^Z50z;i7Ziq%g&ZW2Or~Zd5D}&+&T)#b$W41=mg=ngLOqkIKdmgE+J7JBZ)EmzbF77wbeKn!g9WVv21{ zErB-?aR_A$1pR7AWQX;L8+C6}5lrWxA%n64o>LvKDFSG3+c0f8i`P((!J{g+Wp5cO z%D)8}M|LTmjnC z5%iL5P|jtA)(Px&8d@h#=RAwuzM-}^VoSHmZY=)z@nah&GDz zksAa6UJab$4=WEGzj+g$nAkKqIm+h{PI11axc4( zX*Rx1>m~EseXXmih`RJ1dxuOT;$jlufZ|&5BiHL*qE@+;E`LNB0ykJia*pU~4@=9DRydj17`( z2?==Xkkau#t_HESkO3i3#8+~1Et$c_*CR3#Dg^`7aP%151Q-Q8e(~MKM<5Vn#tKDE zUO_=0acGE{lmzMFbIQVThu%t@*Vnl9fb0>3pZ!53k+>(RKln?p;FA#X8PtuWAYg7) zLSK&eiN{}{Aa~*bakye65+~^-UW=j;mp+gK1`a{05VQcKgK)8peRw?;ekKwn8TrHm zBttZ?tYE2LDR;t+5oirYI6Lsxcr;fa8%!Y}zZR}NdD)8>x1!SGrX4>B$o}YB@p*WM zN_R>s{J07tK5(lgxr0lovss|);wzR(s6wpHEc@q7#1OgX3zJ9V5Vby z@O|Q{a~K8-cb+^A2vv?a(g1`eh{{)yizJRQ_$(!cv(7@HnuA#x%&)%&*eV(bgm@@0 zk4WxFUVbfDEcy=>8N%PPZQD0;YZYuC2S^C1Y?|OV1NHH&SV29AYoI!0dXXSv=q+af zD@?#!0PngXCKB!f8>rVo%Dq3_$%kCcf?GCVOCaFzG}#3SL8#vaKxZId^nfQ#Gs)Qe zq6my(LLXR>3|SEp{m9!p3X{7{e_Eh=B1vh5g12As`BBtyL=-jBx;N0$enIX5ZJdGt zT=;az1zk*7Lim$9^4}kmx0YGG3{WLh(!n2K$saNj`s~;zCG0xrZLnQXtxq7%_&@eC zTJi++lMA@O3k8mn^f=U*EBMY(e^PO|8iI@^L@dFyB{4N=fc5v{q8s2g{A8L~+>=0F z_01b3u9fxlUMJHN*B$1};%wduxsnA7X^qFe*zI6?C&1h^+q zkR-(+8{mc}sI;IId?~l5Qo_Lk$Pkf(0~r{BQ3rQFBzXj)HLT21REsZI)C0P?i);(R zfGyN?+bt)4o&rFTL$ghtwgc2gBfkov6n7ORqbEbEfZ}s4ZAluS1RZxxr=Q%;E|g%{ zL{bgQP~`5MKfM8rg#1Hv6LQ@Ze1z4-#n)%1rn=EzngTzjrj{jp14t6PqT3eC1-uq9 zs8yDTR_lkC7zhk*3#l;T2oXPWw?%!W%AMWpeCo-~|&G*pX zpVVWp<0*0-K1Dj@vZ$(XGsRR4>HLuxavj5-L_Gs*mBaFT&mPGmyTmTq;{4yQ$1q=n zAAS)@U_Xu)()Zhn*BT-5({W(wiLJYqo!#sXn(`dy`IJk2=A1hx>bQLhQ77u`a~vEfW(LZ$GluIc8cQ z^=k+G3*1+(gp);Z-E(0xjc{M7_u1U2S_Lqc@pg}YIKf~H(U;MNfk!Ada+#n+sxQeR zNvQn0Nb^NEkj?{50fE1Vi&x8YA=x11cwH#4*yL0HlXE`WJYvwg%M zwgUuQW*}!WVhK)V002dlKB#%)NGkN*&_%qM35iK^5d^Fiiw@~<$3ZSK8in~#F63cTNO`y`M?+!@6lBP2;lOkOcUnhhyJq+H1b0d(2_4{`4S&Gr9=50g?x zk%k$Slo{E|$Y@E)NT`g=j0P!0DKumyBO{cZjF3`RN%kfyE7_sQD&v2>>brjDIp;a& zIp;ag(>dQxU*q$6f8Ouc>wew$bzj$YcVgSkqHPU^B{gOrt-o@)A9cF$kD1}=#ZJI$ 
zC|t=phid85_ZFOrhj9?-A-Y8VIepC`3*G48evleT7bL~eq~DL^gChv8KnMW!4Gk&r z;MTy8j!Yf%*Z4?=bs>jhbGS2E1R5<;RyK(s#1PxSy9B_+<8N(qK(>P1>8Z{{2WjE= z^{p@sq~i0Q!mKU;q*+g+PPLpHKaWlp@T(kD^`wew>jD8%0S>FC|Cum)@NFv>cw%{* zClo;2J+|X_N=5!!?@zt@pDCAX?<@W1ckoTxf2UHYsKg%opQ)ste;cg+-gtcL|Hsqy z@&7pO(t7^aX;+i?f6RUV@85F0b0L@jpP_zm2RwBQM5?Lue=fdMLFMtv2sqBcCabu) znHfdU|9scO)mZ!t3{!EoI}Rr$z=WF4V)|Bi;Kv1E8t@1Mm<{=Tj?6VY=D z=@>D^F>swao@`_vkADAmoX!(i9H453Dk-=j_`?$J3&+3$aOQr%qI_Al2nfChIGt3Y z*#1PK-%lTWk5*Wz5EvXOJLLtaO-P@olB8~+XHgIpIl;IANGN1IYJxT^xtG`~{P}Z# z>54k#01gv^l%rF*Zo67HQ8$1d0h|d7>@6rfPCcH?55cepdV=F=7f{)$*Z*QP|4uR^ZY`O5-QHe>VE&c`@xMX_!H;xj0s<)cM8pCU{*Xp6sU~g z!;0LPc!p7cnrUjPOhxSHen2;g0%Lu-B5_Pj3fAC-1jNky=& zi!ffH8YGX*BT;Z{&2Oh&y;>p?E?m&Xcz_!r&-d@@yrL29Hi;INBMQm0&8eGUB|;!> zuyD!IOAZrGpK25l4#GWbp6M<8H`oF zV}(w5&iD==!-m$ijbPCa%*&MSUyx#}A(hx+^CogjxMTUsB7X=6|iw*8o6hKa~ z1xTdUz!t|%K7dSaqKO=NWbp#{0u67l0pf+f{sefA<~@@IFAsqg!e|pX`u=5&Msie8 zq7K94fN)5_F(szlxYEVRsHJ(HmCk>ZDUR4SExAr&M7E+Z|4li+tp#0dYzKm6B^$6Iv0Y6@QzT`^gg1N zL=FytwS=ql;w{qY!!~aE*YtbEg&Il=3alUE4S>e@quzNysq(+Rib24c!WptM>^~uM zg@qxD4`F*D@xmV8hsub2H2+<%x^elHAl(2t8Mgg9Y=D8d>(@IgUX(b<*|BQRERTRu z=3$s%HIbpGfBjjanD*>2f`l1Iwq)d=Dx0k1QU&*g12o)FXbo3H;=M8_#^z5x5v5IY!uL z*o)L7RQlppN=izwJM@IYv3Q_haRS2uJ|+RX)m36Cu<_PNw4G@XVYHv4*7bUmq_z0i zMlGo&vUSblk%O!0UR!tTNkr^hRDvv!C^rD9J_i?qEF%(&(b%1PDQf^Irt{h_TW}WP znR5n(Lj;r+Sflk22d#AOLKb^iMa83u8wC#tFO!IF8c$U2UbVUo<`SMS1O#0+lMq|M z@_RXQDTd--vT%vP!oi09@KJJL$(+Dj_$DD=$ekZYX-||+P6pS|5e2t%hz@+=FIxy5 zlW@|oAITvM>fky;lDb)iyp!OZMAlUcDF{d#2eG>_4t#~_bKMNNFHw`7dm1h8+1{>u zXqByzJ{PswI;MnOJxcqPoUh?zqsI*S}} zQKv)>(jKA`Ku@+5u<#)$MPStdD$OnsPM`!S1#yXM(1bW?5CqrXY{#nsiRdmTyv1-yw5KTy;Y$2_$8ixGr5XWi_98vO1a4dM9{ZW8d14X;L# zjiSsbCS6Em#hk-4dw6&}5vFkRm)TGb0FCtmIbg|FYz|9dkrvn~W>@P`5M<-}y?f19 zkjW^b0S8Q+N_32tiimyi^F(by_zYRr&A#Byq{FlBXoR$eWxFAaPN1koM*iug32dZ_ zfvVu-0fsS^Fg;EHg@hfEg>TG{;2A?0yRd1T=@*nNh<&6V`qSN|6h#F}FmjqYfr$j1 z=+&-qJbELf>$n$p@znaA515=I1dc_&ykBe5zPnIKFUk$v*9fBcn+ssNgK6v5Gt2KD 
zNwjJ-pgGf&s23B+ujHc{voBd(=f#m{^-q*E;`aA72eZW8VSR6~Q|rEuxohCDCwOzyWDtl$Mfmlu7cQ5565iz zrFnavmWZ&hasv0DFeVPCz@nYs=76{qh2pSa{lF-m0g97AVWrkbFr~z4ypD@2&BciH zYw?ld(Tv5Rbpwznl@YRC^h?nM*akmUHRA>Y$L2M+F>D>wGA|0WP6cxFnUw;>(SrPjW^xi%`L=K7wNC>^Cp|&MDT|0%42|NY42tB$jI!1G0$eP zWGD2uNZ&7jN9>Jj$@}*rh;z`hi%3YA!FPj&HBVRO1TKVp1cZ0_hJ|eF<~2CCKgr1g z(|io1mdpmg!%`^egOZhyc><#g94`)C+6@*SVL(~Jq|P9nwGboPaH)_}Na7n?c_a-c zt}2#W-r?AgdHt)s;j(Ha*@ zcou*9H18>Y-eA@H7bTo0lWm1*!rLaN#&A+a#yc{HV;bheOoQM`f#55tQHiU1lfGm7>Ch2T5Uk7q zLE`x1qijPDpPXH0p*RW}06!3GM&zq7;xhT>zXeGy7wHz_fFfE4@E5=()Bbo8{6a8o zh(8vZMQd^F0#{W+^rO2})no-cXqp}M3Q_o!|A4gw+~;l<6ciYo92jWRhbJ)N9y~L= zUtA_h(b07h2|{;Tg@ zxU|608ftryY_}RkX9@C%LC8S>sg^qAVfXSI>I(`AitO4&X3wd*&EjWB%7M^An0A}R zW={ficL^%H16yab4G8BF_7dMv&9MkhqJp+VdpFN5F()VIZS+mzT#OS4s6Lw;?y4q8 zj0E6-vl^VZ$;)Chpt0cxqzlW%0%fgD$LkGy%X~S32jNzgUHSF2$%-h|0R?T^eTk@l z_L`q1bOz{po`&>*sMK9z&<6931p}aZEw|%=aVjteIIcs@xX1)Zv&s9-js+ z2a5DQUHN^hws<&l;{H(=C2$7EAg#lA z@+gFt9CnUrtSQ8FxR@i!HS(mU(-ZV3Rw=CF6=*H7IYzD?xxyx;?>D$1 zn4(hwt_Y?K%ToXoaDGfxjXOalQaV;;uv;lk)A-yuqNxjXv;WhF)yaqi5UGmH)?gIv zn6Znnt3widI@$y{W|%?Yb=0_(Q3_FL1ASq=um)aaX!q>xcVi~lKDz1zA0gaF0Jg}` z2qpd&x;P*+UmC2vfeJE@;h+;{FL2{HIa42dNM;R34pd;oKu|v=9tSM!!j6G8<-YR? 
z+8xIshLN$mih~r%u14Do*%#E$K~G1G2{Q1(GE1P(y+9>E#!5fdd<{7YJWp>yH}rcN zD1gl5Qw@T1IoUY+`w<6K(`80py8to{6Sts`U}DwVHV+#Jqwp3u!P{7|B%Q~NO=SybUmP5fZCwC z%90=qABit7nhko9b~`I}CX|(z(_-I{k0sRsUtc%mk!Ec;Es0VQc!+x7^39Q4`YAed zi@_Ugs(*5dgXM~)8om4x)_JYfixsK8#Q7PGFtRsMpu}VKf~~5?XDtQ4HImHZtw@jn z&zqEOu&}@Ob7%*J!Sw|PoK8QoN019~?AeR$Mc^vZ*+ZfT?1+#gYH@@SpEY!Zh%+hHzW|T9ba>6jc zz<~_>?D0iRO>r77`S{ww8j&c;d+gC8tP8hJa)@=%BZPw9g?o zzBKkJ6sIdvsx>4C5nVQRGSP*AB_@+?dk#(NYNRkMfF7|+>cb&yBAP(QU!yPi!2baa z7ZIn+h`qIdes909pPzXsm1=khP)!hr_*zR_J6>IkIX2S-qLCx28N~cG7<)jvyhupd z1w*2&;aW`w<#1k&oXc7CyLJ&ur8K(;!zU^ogp>{6+ zHHFnxhLuC|UnD)`CBeuD#QzpBjW*y6j!V!B#&V)qzx(1-5lB$H05~C^{DKVgw``fL zPGlX(7p@af5cFes4s4N;VMU&XPkj^_IOLY{@LygHtwBFF40RMuR4|T%JWX5w(6V79 zu*jZ+YU%)DnZw4GFg0YZZQLNdGezg#(S+WRs_>xkJ%~LfSX=aL;&(uYGw+U8^sKfN z26+oIeQjrUB2Y&=1}2?!K#cc+^sATek~1N@h~konBCz|;peapVCg4=YFX0G6Jp~ze z16(MmlL|=(`DVHO#J*jSbb(Vh)zU{~3V{2*#BZ$mL}#dJf)iNWvUcxzeS|wA*d(*N zP$HCHLcWbI*%72BL5AHB`~223xlEn|Ulk^tLV!q-Y^a=%3<}x+$bk(QpYt6{J<;*o` z4k4)_xgeG|8M*SMbS=)bB6L4*f^`R!P^eZC#$tMJE(_s7iw{oAAX~>HE=C}fL7|Q_ z2X+?0C?8o|jtSlYH49fZ*zxA&+uV2NDw|;aiFP>Y_N%GUW0lI7k0AZq&cmYt4_x<= z*;ha7Wlk>%!fJ6jskUT%^`o@h3~;{B3hU|V5o5{CnLFxG;!u#8NXP`8D{wD~{hF+- zEa_ij*9&|bc*VRAYyuoGq-6eMmtKS1fnMI)04@=so3t)mNDt7kwYDZBoq%C46U~gu zl(&YomH73O@*ArzDse_fLk#5x)=w_R{Ge%hoHbS>MJE%GHo|52xPi;(;`@=2zBRtIihT54+Ilgs*f$UTTt&zY5bNk;*d0ZM-qMV}B3mYHYM9`Z685*8{^o;Wkn)54E zZ{fzdG1=Uz{E`NpiwJHg_yTXi3<$ayY_JX8h|Sx#Z?CyA{z6}9~f_V?)aX@%Lj!Tew z+MoVdRHQto@QeLRL+$4%;T_o5{oti&-mGqQuksI#!#eQfptAQPiY%lX`;ZvSbuBGg zd@DYS&*9gBXe31#+~(%ys!nTQXijoE8!-W@_Uh`RPSr?jn~hF_2*tw6$|uJ`fHF|N z?MCB6Ly+f~*xIJd{LF@5H`$aR<3SzM2kMBxx67~}CzNk8?jA3=`2j2){_$0&uv3E(BHZfGRS2ly^L6#9*IIJg>M8rVLTI!Yzsr z#F5k)lwT%f4d6b+Q4+Q5@PfasmDSVb5jBtY%&7S#Utd}zeiwwD9~oJVEOM$JqENP# z5R*-Ry^BkNB#r>pNC#kU_hKpQ2x*HGyaoMp;xG^Pf@T0CcGiA)%7wz13r~i+u(Faq zNOd0x(^tkL>9@`dmox}sb z)Qw_VtYro_=*M&(ic!*NMCjwDv@kZpQo+QxwWWfgj4UhVkuP$_XYc@VBa$WLcBmLCu-qy@QM=>iMI2Cw72;fZ zwjNF)H2S_Ys4MiL+)zo;!Q5vqU^*XAfKvvxT_!gM_0wZapCr^uBW-&;SuElz7?i+& 
z`5nl9&@Dk#IVpP!3tb?z2xkE}@C}eq0F;|DpvxGRzW(j)N^k_Ck8!<%o)i#}&TDaV z*XTEJ>W1{5C}i*y@!JXWdyTEE^andPp#S1-*MR~+4bT89S}bzTKgfKLa#DnHLyiEB z*nssLBsqj^YWYGRyfK48YYaYDB^w?&G@0fXA0Ll0OnHe((`~vK3-I%sPE(9}4 z@&iZ7XwY=yBGhb22I*D+O%TW*0Kx~kBdYZ~$%b*AnJ^n5p1asYAo1iH*naW$rYE-$ zUeu)81Aa_c*ywDsnLblEjLcW?^y@%`LNOfs?i4UyX~Lb>qzA(~`=t-*2-uQ7h*cv^lG9UD zuEVFfaQqK-0l2Ak0?`6q?aP*^!%w8>A0Ko@YC*C>(kugwEc((#;#E$d8R&ti^XNGp zz?T8qREFYi=$CqP>YwgQnkliJOE)cJB2-yS;z6Cb9Kgo_422robuht|ROdhn61Dlk zP?-a21DB~cxIBzMKkdW~jxF5!{jt})VKZiygGw6M3Q-PCa%`TsNI)orLd(X)`=Yi$ zqp&D%1G{*lnFPl{X#yoIoAcb%Ei5h`h!lMS?Fph9JDR`^FAFsBP9<5y>mR9I;>czD=Qd8dpUSbC4%JQJ~;8At7$4FfARQsyT-tN@!USw~jtJ!VCaa zLfIh8gHcKLLa$@nYqEe&EVW^hhGq%`u(XqBcv*rueD%d#)kb>g;<8v z>x!>Jp)jbEs0aTuHvTT>G z8Ms%)TZuFbb_w4d+Fft=s#x4D=;GLnj#AiBzI7Uv2R-$Vzv?^FV3%JY)M)gq%qfO{ z)B9NV)B&rQ_=q5{!e9Dh2`tr8&50tKiY{wL+E|hgR@dIwbn|+6Ii5e*L8PQia`Hgb zF9wHa4640qrqsqX`okfjpQkdc*iJNd8^y&tnQ>h`eTJwV4_1z zOiU}DvX%_r3;inifEVKq6UiXBy?bNoE`Z9!5uyP61re$#ydTvELI|l)$k_p40Ts~X z^VUZ&>L$ZbqC5Q=^|l|4C`Iu`xDu$DR8N$8dwX-NlwwD$LLA63zqK*wfP3{mR-0;Q zQ_4a4#4#a+Sn?Tr3f5W%bDn#y9+OCx{}cmvn=0&Ia??R$Lp90j!Waem@8Mv<$GGd| z_S2ZIS9@|h)+N>&!QL9JUMQYOKJW-HBOJr40IS?pt5;W@xaF+VfAwgF#dbyWj|U-4 zBYa$7MVc93$nZL14naRGqufui+s~>qH>b0AX<__2aYaDBhn0=KWPJq_>Utd6+%>&` zu2MVq${|0*$-pi+Gss{M=mRjdDQQ7Kr-OffdD!#q)yUFd-Uiggc&ERtaY@3QwphRj zm^PQ?&ls4$S;o*=o)JZ6?3dEhVIC(g!n zt0sQ;fYWR~)R=RE;{uTlhyxJ6sI3ZX&{ZXjdyxec)^IQ*`7PpVIJR)LFbU}t9sP(a!@Fs|C0qVwS4!-GhS`0yiC-!&tuTz2wJc<(9E0kvNS?CWGUK4P_QscrRUTf>&IbSvN?ZS#{X!QBCs zi*J_pUoFWuero|gIcIdOTJz^BZs3Rt2({2Vzp zoahy_sq&&wO#CyS;nsX#*|Kt|FN&I)Uet~-A1`c0p@wpfk4q4)EU;)L*_d*26Mw<* zz)TfkYC##g8fg0F%*81{}l<6J%{wp0%Y<(L{HdZ5qP=7?ABK^j0T=diZ!Aw`2m5F-rGLKtdVel1J>J2G`xqi(^PSFNc= zc3iODwhs9aad-tB=7dHbvBJUWvoA%5kj)?%k2bwdN)n)8azUDUaP1`M4Rr%9p%NPD z!B0725I`v=H!*?54B({_SQ@U66O}m;UBheU^XO<5eo{nCOiMIk%jE4}*aY<`t&wXc zG_RXD3)&7K1l&MWMm&>Us$+M25OHz-^>ga>BGL6pepffOBICg$+&v*T{MbnmF zb9Gnldvf-_-)438n=2E;V%bB^;}s8EZI9$+?Q+**@RHy7O=ku7a7cwW*XWzDx3_<3 
z(fd}Eo!Xa7%f_T-G?k<+FD~{r$>V3J!Fb4%*bflb2EBgdFO%28P8m<~WYwHJs6DZ2ssQJ`l|(;d3v(LiNr5pX7;F)63gm+6B=2j&CNg8fMf z^P(_KvGH|Jq$Mf!5FHGQP@e+`C(UJI>%tQwBft{cw7LVg9cTwtXx?taU<^_L){S0J z98gfAD*<4}Dj3sb1w!p6LznNKqP!P1%9Be@1fxkrri@osR>E&-nSW@lHj+tz)o4(^ z*38Vofdzp&N*2~U(ev1HWU_mWjm=%48kvBLmZgP6DWci21&SejAY)tGDijQ?=n~17y%m3yAj7)8pv+wuLC_v|xm>rWI zD&AuNIDrf&F~OjZCrKM_l2)eq5i~S%97cjo`<4zciCz+1qiSMFwT{1qg<82Gi=Ro9 zlPkT+O6=wFV?AZ*LpE%g?V+009I2+srcWD^CSFvj@-*5MJb1i3oH964y{LS7q>lW> z5UbG8c|O+N@e4sJN5|<$BfKBhm;X@6%U552A>V#r4R|Y_`cm7s$Cn-j5Ox#ANB{06 ztoOk`U1;PY^!+GYeQ+8Qb~Zv0SpW>2vcyhwsdMn`S<=@+{*pJrj-i+4h?x_rTWI^x z*B-!sH4fK6&uIYwJkh@g;?XR9+sK)#8m{-9Mp9lHv|XP0{@v;6)Hfn3RfHJCD(lpeXKSiOkE63_7s#6V)r1IlFA5yTK%lF-^4C!CL%TPa{bi zcGv5HnNaWye#H<(4Ax_^p(ai8DAi3CrInYeM`S2N&G_in3BvS2iZ_{mkv;FUx5zHd zwJee6MA8C1y{vS8&YaNP{YmvB!}61C>^qqs(ava2u3+O^;HQ@0HYCuxvL0O%9-hM7Jbs)cRS;jnfCD&tB&B8HHs^{ z=OZgvJq9LD4)>nvWA$8B%iOqbMFiw^i%Opg!RQ2gig*xb0vpKtX@L3~75zmF=f*Q5 zZZv@M2s({KN?orST^_=)M31b3?t!B@KwM=MjZ-(Pfl730F-RAD&G4gN6ekXkY~)ce zs#jqtkhuUzLA5b~5{<9H6{o>(B&1g25eZp}oQ6#1Kr2dFnXA*!KCM?;zcxtK6HVgt zx!S6g=6Vs0k>oYz z)D1^H&1zlWTuZt)-Q;6wcv>NMuIRhA`KAWp%(_5>msls&Cckc=`zg6j2JDu4px~@|sPT7I`=SQ*a5~oY*PO?6edGH}}&(E9^-;ewo zuk5=1L{hC$DZ%0HLo4l5M@r>#MoTKra;&M@{4&9!v}i!Kdwwgz<{CsBGn}=kmo5N) zC#+18DPwg(sYO9XEP$ur&R_}}y=wElk_}IopYWP7?8X4vV3d7oY@`Fs_<6(2GsU#% zf{=BL$v0ZdD%~co!!rp2qAwsD`BSe``qGY*h{&t}Zx2lEedSW>vOT_2uf;q7qcc{F}>Xl2NF zKjSf!vvO{IjOLp;>KvjJ0RaUEP77j+@6_|f`AK!6 z5C+H>SQqW-xG{s8O%N3e@ZkE*O62CcIH8rrFy=B|T%ZjTa@y zzKm%&~ z>>n?yMirtGQ@7sgHgU|s=I!t@6@nFnV%Q zufuHslRgq#6|>IY6I1qM3Cc;CuC zZr3$&H{BcPD3^p}ahXol3(HY021(^DsJ>TADw|h*S<=_lZMhy`CIpn=cT`XY|Bp1W z7Mbz?kyrFL#m0`Li|?YBZqCp$2~`#yZyo%!vO*y7_R==l5Yc_-!?&|p4p_4MQfq$P zXfDqg^w!5x=s|cW)073RMQ@gF;$y?(CRRZ@nKIH-NiPjmZU$eaF*>*0`~&~i2X?;O zuB2IdG$>3ZFTDz!R!g&=KC2pCY$XuqP=#aAo&FLj(gU&UQIx7$;E zXuPy3TsT4D!N^lPdwYQkTVJ4%M&9h%W(+(8@fp`w6Nk1InYDNJ_l5rcE7vZ=>hj2? 
z-QMvA{?ui+^*>rgcqOg!{m2yX&{X z&3*a^i+0y?0j=7h?gt8*y4Uk8MI#yp8cQ?39(^nt0W1L?JHdNY|9!7j-^*!z8<;p| zzD{3JP%QCF&}40Rzue@77en|%k@&kbQZX-158C0)CTp8PYSzah`r8$D6-WA&|>O!C$4RyW2MVRWYtycJBrVj;Whujc|1HBn!)$`~l-Th^wrZu^ zXR)_3|G89ysTY2~4Lx1SliI_UD!M-e8^_{EXQTq-4 z;alP!#}c`PV`w|4W}CmG8CD(G&$RUcI@&!w^=2x6-v0Y=Mn=XNgjmvR27W+@Xz01@ zgWLseFAVs013pI#D~WIywVe}qlfLbCU;*QIz}k|kaebYWgYmWi5$J(E#p9RZtdv?> zBlPPzv-Y)`zKgb+>&rug)e(UK<^-|p$V#xzq(E6$dNOU(^$xpbDZRpVOHEP-H7V z|M1-z5YP|9OQ;Gpn&IrUz*EVxdpLB_W9tVu!LG<_Ysdx_?c}CdgP)s5S6tWB(yAM} zR4<+OP0sktnVb44`%`oVFy84uH~BLcI7M&adPdwH0BHP{p2FJ~VnCIYk7<=M@PY#) zi44rda1S(%R|58g5w&MjR8(gMx_ZRs3svBd8O;^&CeYo}ghdrjXi8pU#00HlbNi0Z0&%uClp9C&McuvUwiNqTC^&Hr-@Y=yBOY{qn(lX-9cu4Ra zT*mt&=S#v76!OF#oG9$kUI89+p8%VHl8Lh_YFVQDM_7Tpb2Z)+ZTY}auvF_{_JE1Q z#JLPj^iqebO6!AF<3_Xw+bL25lN!B z7`9aaw1&fq5jZEh8t4NsY|RRurP>Ax51P$S-uNKh$`kTE+`r5nPn5KRv< z{|jOzAnmYa+Vn!-)}QCmgRfL$aj~&RR#vooq1-3*PEf#CiXOH=--P9vVTS3Ub6xo< zvRLd=ZUKCw-Q9&Km#3Cx;29OQwY@H_=6N~l4Y35cA_5IKwh*e`!jj7kM>|K2oD|-# z+~F$Ig^l}CMBX0wK72ob?Vo5%(T!9S%o9>Q=M9k|69^T}$vhFK9UY|+;7)K7A`%E4 z6rndhK`9LOnId`}lMWm?E9}6r)rHiZ*pDG4gDEEQu3!~}sSJ$uQ#!v}nDJ2oA~iBG zi3!PpMSUTX^Lt-U*|i@<)(+9avG@>ZGQjUc{Y151*8RuD_H{~kEROu=G@uZ5j|H&z z1c1G2dKMfqet?*PV9@uv6HZgaEdazvOK~<}v$3XM$r^%V9JW7!$#CPTN337yBNlUB zbs=1Zs;brKxdQ}eg|{y(EOzPc1aBIl6A{}RW+kY}B}&bG(YwV*r2sx-a{hb`SXNQ9 zr#PFp!#0b!g-bYCWd<{qJ~f0}Qt=6Z7JPqy(${B!a>Mz5&Xok6}3P6Q}# zFwBzZ*wItVNwxnqZ3|OlcNBM6Wytg|LPCzCB2EyKB+u?N$SnmWR5#1=e&>7Z5Ki*1b2m+(63T0h7JH=`g#o?htN)6&M*omXGA#Veq^ zs_Mv7SGw(2l_|or>_dZ!LIr5^eu5N0axSc*2%p0FxPS44aK{{z_YWgK70(3&^ zdQe6x?DasA0(xWD5s&W!%=EZ@8y>6LrUL;{qadRjgY}EW&ULj~W|yewJM0~qu^k7=xeojh5ne&pjDGA2L*rqxt*$tL}#& zw4+bDaB9;75CDNx?Ay5NJiu5)mz^2Czd(Kl>$c23l=RWT_S&&~9JfjfeV3d=o{Tj< zTNj)(Q*^{Y1qYiwuy-EKb1;63fThLt{gaPqSc0U9L3<=DK@n+KYLC|>WAdONcvU+f zhtco&^j~hFD=6h9-hB!zRWOt$TKWi={Lf*oBpZbag~+f7iyOVu*||BsN$5k!L~Ss< z2vm-Lu~QKHBeaykK?Lqh3-6Tea1cN}91t9gB`iUFBMBu6%MFcJ{1maj07+ScEl#IQhVV zI2u?H2t~KSZS%ohTxMir`W|;K5q2*)&5cpvV;BisF_j?_B7H7gA0SQmwXbNjlEAJd 
ztYsi$2stG{?CPvulrMr+sEU9Bm+Z$AEwF1LoK^rY#%Ir#q2&+DmVJ+_ufk{-H^ms7 z4$#GsHpO9k;+--u&6-RVLMI-m2?P3=D@vQMc`!an_sWXB1wXNgCEx;yGgpwXxtn=~ zL1Ta+JmBYVJWZ9<^e{BE?9tZ09>V9i0mLUHMTBMyGJgV)140RL1CWjLp%}D#6qd25 zG|OlDLG0*(y$`Y*O2S#CKw}WC>fi3ja14S7k?;*Dh?O!D0KzgrPD3=#?#10?0jDD6ENmeU!q68R9-mGWL@`K|eUa6n3oEW$gS&(MAwTzJ9r!FN z$PP4;#frF(Kh+_l--xFUXc90Vq9lDN)N`b1jTDs3hM^!+h0&oP&NYVD=6KHM&uxbu zu&zA{DKmyOXmDca193<|&<9UZV_A`>+&Jw9ejG_&_zC#*mbA5nA$sFy3UTSgAXgU@ zLGWHK-)K9rY76a1((!r2T*v2~z2NNk3=jX*o;JfH1lVlZnh~ejt$-1RfFQ`+n4<|5 z4jqIs170(%S;Kng5xn6(tBi<*lk5JT{eMT9!^t>Lh&CF%2#V0RM-WO#zBz}M8`jP| z6h~y_A_X!`vN5p)c1cQZ7Zqg!!PYFC48MiJ5(Tj+!b3zc02=}(SjuhT=5_};0&^Lt z_afnZh4wE|=TPAEECGAj-rgQg{(+-7ZJFIbrH2PHaW(qCBoqZpi*Gt*B4OABaEn-` zBIkk`eO7>FFebFZUIUp89FoIuriKB<)&v_D4n7nu7-fO=P8AJ_5IjA@!G)zjQ>6l4 z24zUz=UTFl!W#uWV1ygA49H}AT9?jNu_Q`lri9IkPA%LkhiPHSw4H3DvG z-_gIK5o%mGxj>+L$_XI98LY#I**#hY$CpK5RjD%cx5N!xVcrduBDR8){)@Fn1jy;zF#Mn#@h^CLvkyJ_zmBU@+w^Dp zDdymjfNW+keu|RN;yD_CXFH{47ew#!pV*hh<>mY} zlGUn#SGA3+e`(;Y%OzCR)ptO76PnOuh0}#UU}4o36@y6q!a3Y+r|mn4e->)78j!Kc z7<=n% zSH2vny95R4fq)atsj?=i`8l|wu+c!L$n1^Y+a9zkcbPLoNJ3m>EZhyFUVh=76e3? 
zQw@({?#-K{52{C>@5(0#H;tslOZ23{gT9N4qQL2L29!_O5}|Tng8%M2P!&oMErUQT zOLB)K5V4my(xI#_KmAWk4I*m`x=>%d20juDxcTC?{q{j8R0cXa<(N7oQo$yBCEh%1 zQN$TX3G!0Or%xPia8|&<@YE&beACkngbSl6ay+2{w0#jNDZ-%!b(u^>p#ZrNwZs4b zVdoK?TsSojflq`j0*)_h1Y!SLyQg=PnG3?M$Bt?&W+4#_Lb zzZFp&PIz+>H*sR;jCQacl1=0wWE2WIz{H3j5^RJPKVWJGbGHR?x6lzHW|f3Khj%09 zKj^GI!O|ka9HPH*z@bjsZ)o`S^c3ADR!C@eBW}NkSO97^NkkTa1twNj<*+QJ1mRPG zFhW2s`2ZpjnBzFx=w9CqKE)t2i`=UYbO#4R7R78nT3`%PMPOfSmr-)_5BK%=#|sRqqIrM~A%8gs^$EuIu7HEXLJQ>#8n5WI zgW=5ERYIoVz{|TFB_HWS-KaF=PEZSd^70cnnnX4Q8#*|7ti#O(F^zVRfenG+64U`V zZr{E=QPGJTPex+Wv(0+(o=D}unG%9j?)UkWTaSz$$52jiLggXgEbtuI%*{=OObfV$ z-2!I{4jfEyM%kfVZiKn*9!MMo6wiQ{LJ~N1DHXe=-yqAt(`Rt|CpR9@^J@Wn5XcJ3 zO<)~Z)G%kFGyUjT{gmd>@fw-rBSavNB5lg|Kup~+#C=YAmr|hk_8kcTOcC~wQ;Zyu z`YW04#HKg?az#ODmBum8@(UO*`jW2Ep{S!n&aeU#H8${eM@)UNfRIe>Fhr!%(z;Hd z(q6%8jFbI1bcvd~(VR4>zz}U5*>4B?IKr5{;`P@pxN~AZ^28g>W%7GFdY3ifz(eNZ z4#Ng8!EeI@7y7F@Iu~#S_!YZzO&MN82hgXhJg3o0RfL~){)M|o?M`F<;?U9202G!M zPIZDgO$RXzp_xvJxj&bVyMP>NH&IjPV0%H#1OcoDdYM0G#-q}vz-xVn6p{G2N`unn z&$_C5B&09`6geu0NA6{c;gF}^jJyL)*=3>o<{*rXdFcz{A2xl-s2(bO4rSv`(|=O= z`!8`M^DS}hxva*9?PtK`Nh`f$+cu(k2EQ8d3;J%%gi}HVM=9<2Em|=?1Gy36NCIFb zGE%XW<9!;Lz6P=*!U)HK)G7ia;NHb*5sFD(TXgbKLIoEStC%5k&ygWFg-?HAKVSM! z$o##u=8g?2Qep12BAD7!@vD)oyOFI-Sm9M8&?f^ndEA-xHI5&C2PYSy)$`JaIPGkS7 zY_zB;3d_sA5HbWNGX!wdxrx%+1f!%f0{mPloCtX|@fC-6;CqM;Z|fxQi_=^SxiGd& zBA!@RvblM*t_Jg1DQQ|;4*Cm91M{JkooI8s|;9B@sOhr)_o+a z+3DmN2mk}f(P8Dk(n|8?8msmTHzrTy-KgBb;*lLc;&Ocwtrt;}i5WG<>zW#IophE;LIh)$IO70mvs@p)<%8SHx?A?RW^Tc2P8=9gh;hyasfgod_ z{;B_biY*43R%e&}_nH~^DgFmMAE+8~X}q4aXlM(Dw;cYu z-AcSH%=~i4wl`Lvp4B}(GtaaAqC{0jxTVUv2hZ3fo*OqtZ@rTjZ3Kt^f013(H1IE z+}y&+V8U+Wt+wlUQk)&99a~mx;FpV94@!!koQ&XC>piH*WI@|7epY6_DvZ%|OlhUq z0sSz^xBJZQK6uW*#*JJ*Wh-^haiF(U= z;H$`}B!+kYJeecbSbn=iFswH*J5ZIGVq4G`CY=lJk8(mD)9p$<5NYh5mxzG25^uuZv=N+>LPMck+mPlg! 
zy-+WzA9|;Ehn7vO=Tm)Su*KIl(Y6ep%T{7ZHX12e^)A_cr_E36h%?iQvCC82wu{!c zg>2`yPqMkF9%oJ45@vt*gb=SK&iGNRn1i{8Na z+ym<059M=R9NZV?mXS}05*-Ia%-fJXrETtdYdTnrhum{ioio--WNL@jmQ{uZ$4{G{ zrOVL{Y}#D0$+E9n@b=#Qx^riYx9#E`lcVD{Ic;MhWn{yUJ#7@MytzowRpdc$GGoxg zWbYx%eiZ?+t9DuYPT6#a%l+9R+6jtjmB{R~`uS8Ns#xCa~&R$SZ?LY#UgHZHUG zTzAZ?g&j0ol{Y1RrAX1%_r-l0_Dtcfri}fqKShd;o;fDV;vD*>Ct9?mywu~!6;^!60{d486gL+QOKDz2jgC7u3Z-K z?C~Q3@hfg4Ll-31YW^6vN=(RM*BYG-`CA8{2DI z=GJX1Iq^MF^tiHsg{A9Nt~-Z39-8v|N8RkE{QC6MjYmJz4@KIWXuiHD8M95zp{T^3-^XK?3w@3<8*gzzYnrDtT5nMwNc`I{&Tk7FFk^Ui>_ZT`e5>6XX@SZ2xA?gZGVBWY{km$ zwfbmJBMhuC*VY(fH|!r*&2C-(Oq5*7>JfUU8A0V(|9z z85iBwlZ6AqjgkJzi7^Z=i@65vZ=!Nm+ExyaWoEw!-E=+UTjJ96(AU&?vEvnM7NSLu zk6iZ_(YfLI-F;L0M$Xxhwe7Z*VYTXKPKukJ>ME<$U7AgQ`Ra{s{mjg_n!KK-wGunR z1u{h33w)0CCn+1!UCEo?^XJs2cW9;=0K7&Fn}{kVSSWd74n_2(C=9n>jJ%cuH44b^ za1eO{C=4`ZFDPyo7iS7G0W^YUSVF2T6cZaUDz3hYm@>hhLmdtu6qX;Kv7+Tk%)U^; z0xu!vTri3;hXQClGqV_KKp*uggZna|AVCESqvz2| zOUEQApopdZTa+(N;tj%17`g_*CF47B?gdUnU`fy~dCJG1sPlTPIRwPUP3aVteV49(?5JVT z$xrOc>U~}KG=%eOi_XdV!+tF|7dA4r`y?gB)ti;OM+Qc%UoK!^IV&n0NiY1P;e1=4 z@VmlnpI=v7UbCvbj*;bQ`qAVvaPYM7YVf4qHG~f8CJ8z{9+zb(OdCfX);5L8e!t)zfwigB{ z6vfs&-OkMApvCE4)x#LR^?3)y^G(qQK4nYU2eh2CNxl57xrfnNXIyb`?4Iooqop|o zozT^BI&UNDf__cOys&sD~~{>o&;cz4rVk=W#k$h&NvEGvW;5+;sBJJ0`> zz!)dKIVugW==DLW#c(9Bel&(CV1e~L^P>U*#~)7RM~|+-5Vr_fr;Pdmv$E6Z?*mak z3M2?&2Hht({8SQ_ZNcJ{Fj`53$&ETRs9ymD%rOVp8DNq}Q}%^a>kiCu>4sh{77r3S zFXB0f&9KVt{{6K;5YQ+*q1uA33&FcOx=?qTgNtC(mUS2SF`ma9LR?u@RS<7Mi9Sm^ zyQKU5wUsQ?C%KKQ9#70ndKvd!6Im89>b9I`s3C6yN6sp(pYN_Jye$@Yd@d~8x%OFA z&nF4p>=>8Y=((64Z4R6KO~Q!l)epY)Uooy zy6<)Ihge+L@y)@r;!yg?wy(K)QHvuq($}e69zC`econcbYTV{l{hv7Ox?cb(ri&q{s^t`Wl?9>zb*aXp=2}{d^&C@4!ozz%a zoASA&GH*5Cy7`js)FBW1?|marlYPg(G^{tLr%p5X_owaR^7vLUBbR;h;ov%`ESTFf zZ@=?ouYJOrW#`VC{I-tPe9dhNVP4*wt_j9X*LafjPUQKGKYf4Dc$aLaV(W+SHAPFl z{0)*XJX+NYZ@Ei!9ec(nKj3#O_GI~a6=>IQ`0%)7*XKO3S2IFZzLT>K{HgF!t;zS`BZ< z{Z&0OtggR3iRQ*EIx^NrB!%@dzC>Qn0eZA{UCb$6_;C3LXy$AP(@)7_0oDT=3{h;M 
zg-13Ta1qqpOb`JeTOe&T7>zs=zpkiw!=NwGx`ToQKhix%bq}siK5SGwvdlWpz+F7E zUX*|PgP12zSR||n#TCP@cL8I-pe*mayi*51S#y4%mVYv8%rO0taqY<|v6PL$;{xho zyLI`P^Tlozg4vc$s73tX@}}WU@8e|QdB0M9qN4>Q3km>EVqRm}e_rBAudB0oUgvzqWqu<``6_L>RIMB=yTo8LI z;`$qg3ECbm?vWGOq6SxF^JU`?IB~^X-C5XhIA}@H>AIRX)9zr;QIUU%!#>``l-vRdQ>LEqX#r9;Y03`kWHKTU_*JvDVv?4cFG3&>uYNn(K1f zq3PnjqdMuA!r+EBY1sYF!O?>0()U;6&qtjKOxlZR;umRd&Ubgq#C0l!(r%0|mz-1Q zr5~if&Khl)_eO@dBzZcreDk@2D2>nayA=BD?blh3&`by4D!E)Q#8MxZyJX1C&BC^d zhR=bkz-mu$e81A*DEpUi?!b@3SDdqjrQ6@#4mWPT_>l2b=aiO7Q0wgU;%v>XXvv!o zngc~=b9994Z8Dg;{8j{p$dt0rcl1;`6n!4Z=@f}xXQM!U_$8mi%$cR~1~pfD&5WMj zD%FZ5hDd7m%%4lX+Ku&nz6+&svezaK8&x|yn&eHe1=i$_KP;)~OP%>UlWQ`HNeSc$ z9Jd*ADF~5|N)K}NU>kl~9+ zT21~m^@fiJzy8>P=^(_NLm(~p-E))j#LqzO@*bUUv>Oep{|sNk)YmnX#An6kSwJiY zNNND{LA8PB@J);k>vEmhM8-dZx#oYc;5IOa)!}b{P4_;gP8Hi(H&xwkQurZvew?bV zFXiLvy9ob2*Z@n14mk(e&Lk$MpOySE?dkfQ@ya^q7dJ|i%O$^dvV9y)yV^PV@}xs5 zgZq(}es3flaTNa{e zomTXOiHG&)SBndy8yQz{o#dC&pqEGrsn?wG84qIDziJY=F_8Q9yXUjR133qt+b(Q= zfB7zTYIFoS7evx< zGdBxoE7$P4{~%Tb)WeeCLfZoaDh(qlC97 zPxR?M@oJA$!9*d8lmg8$v(8*6hgH=gMnQp)c=RJHxK7}eZNOZXdq3BR8lGPEGZ$4l+1(- zh0K(p%tX;lGNg=UmLX##Lq(Z0CmAzjE<{hay7D~(ugc`o+gq8n^0+Fv%;jmXB*l-jX}xe5q?XLvHPfYh1|=mOK}0a`XCm&m4?M`n+36 zlx3KX>As+-itGU@!}g`+Pa~%mva~+&uQbod8~S`c`NL9{Hsc^iireb`pcFqH3Vscy zo0Z>GbMGiVcHZ1NcRVNimBIXJi&;Bfod83#lD$Tg^hVAOqBlJK^P1g{$jcrG7I)Xl z-Jl+v*KMoEb3slukLu9X9ZvJ_?^MX;)0=6`|4K?RFxAOsRneNdHt8LIFHKBqKsj2l zB2**2a=?ZQa z3U_oY2vuQY@AUbH*{g(kCL_AaM~?10?D)R8)wgf#0q2;pO_So4OzsHD!gnXkS|TsV zUf(PIK$Rm*O5=U(V1YJg)boP2`g6QqbZY*3A5YlY4^grI(okNb&M3*>_%3^o;`#TH z3R(0tjqUVX%g6D=Gfd2lsTRR?0X;G$YnQr}X9^>@_V-B7 zI@c=vtofxDR~Vpf?9#}tt$keO*rlH*^Xi;(EHlQJw77o@e=R&#)tWCUXwoPxXyQJ9 zII&S*t!v&pOl?k^=8Nk|*@sy+Hzk*@h^Wi1aXj2`#M)la;I^k(UsY<~+q}WgDH{hmO$=LQ_x`7r^{-N-aYgga1>d`+K@m%xD(o#1|SM{WKqjS@a z)z<>$3JsDZU+uW2&bhqRIbi=K_2t;*S5sCrP4hKla@R!{Ti-u+)&EN2VD9R;a6mnT z(q_#R_xGypF(+)VnD-v+_&{?lLUiFx!Do$u{<$yguLGj(8Yjm;f9>bwQUCpFZsFlK zPCjO*ISse5Nk#|TV~wUA-zZqm@vxpw>lPZdDctl2M|`I^C3jFG*n$Qzld$E8DmVoZ 
z3RX~1@Cv#Z4{g7}BO_1_z{D>vEQg?xxPet~>Q~oRU5BW;4&ViQI5^_Rr%a9>4V9%8ylgTBh%ZlU}av^{)pv#4ApD6 z7lWSq9?3O8L!yLx=jVJU`U>)mG<%OL+ptM8A97GztgK|p%YKKjE{%1g!rGw0MiB!{SCdLwgJzns+>@Y)nW zNweIex0J(n(oRh)sOo(3f@Pw&_~ohjbyJ+$2`5bjM^w6g_42#j=qR7d61@?;(<{(9 zF#5ao)}p?x4sT@&YkzUt?|YFFXxOZ|;Bd^~r^$AS)Eg<1YP73{1{3z0#~aga2@d*b z!z||GeW#cuL@t;Vi`N-x?02+MZ?p>LW~1WU%Td<1Gr6nq%~Zs+ZbH(!wfCajPqD{V zY`jIu=%ziDY~ayD$3C!7_IrHVGe2%HPzQ4!OON6e@rG zF00WwV_)F1)!1s;0sCO>h?#HpG~pu*UadE>*oTjF9Q@dHcewJR1MQdf)UEH&v#4ss(ofk>L{INOeJeNLsQ4jOh=P9iS@Y}GY^E- zj;-DL#a<@Y@oG-TK=%$omI!4@>0KOc1tv;bhx@m3MqbJ~ z3}BQ#Cb9DjZDHvGEsbRLGZ!y*xh}pN7#M)>SM*oIiACM(PELnFOK4#C7u_ZwV+z?h zbi@N=69P7I@DhhLkOt+_XC?ELLod#p<-X<>aX4R)?t(SL>;4gnF@^ZtnB5${f~P*d z|IAljB3ShJsGl}PA*W6Ws^p`|#c>JaOk+1Y6Du5JQ*EM#>o zA1c{{p@jw=RzoQZ))!w+njg;d8Fz2dH#drC7I8oFeJDLj(4lMJu=wi7^ToH<$)(qy zr+%x=<;vOL(=0`^DI>s5@uQtaQ0p6ZJJS{c!SkwXy7~k8gcm{sKJ-U8zn^3a)ZXY5 zc5B0pa*A8?26WGI4wRI9?ztwmQl9r>pQ6c#g+qR$nvZiem+vp%k>@T=Rocw2Uv)3c zH3$}2#|2tB(adpI4EItkZ>Qz6rxTcu{BW)8$o-MG{Q+CbUIYkk6%h75x}!@mbK{=5 z2Iq-bf%F&SdG6*WL)5g^`!z>+1D==;DHnb@SLyjvA2{t8rWS886t^PKslg<0R5m3}>bw!nsw1>1>jdIAE$pGxPjp3Ir)i#N)zuGN=`w5b=J9By;puQ+GJpYVCx*Y>=HeWTx#10|m=i=T6(FE?g< zbCQ!&EvWW$KhIyij)vkH-IqPfOJmE#+8d)j1m%TMg>2P5pQe!KBBk37)fb;h>w(kS zdT$yo-gJ>|w+}K{dl!BCC0g^wkR^X{uSH1m1v{3cuH^$k(+s(S8zmjKsTZthaZF?1 z819%qE_C-y0A+at*Xz)g5lhNTnjP1!2vfN=Wz^WaHqn+Bony833^C~Z^-$l8PO$l6 zRmsj{|8N0n`^HU|HdAOkzBrVS*ZgMSw$PLM*pTu)ZBhI6J4_uM1ws$}qtgwBPIBw4Ij>z5dzz`1{-K`t+A?p}gJwzZLwC=Z(dG*s zXSS=VTzSCf{dY#I(jO`xBkA1w#@1Os^l4rbxaG;4hupmC%M`C%vjrYpRiEa_{w~~E zq1P1{B{1;&S^)sKk%q!{{{5U{ZMr+@N=wt0;cI$iRZLdMM&Y>Bce&AXCD*<%$K3Nd z5;wLqqtYw zR9^M1&6uuZ{~6Kp->$Jz_vw^>mjxc~nx#xLWN3)k;+plfv(q78Dh>x+Fkta&O~Fc9?O}*_R=NP^UasBzep1T0ZOO? 
z=y&q&6%pBttm$oBA$k|kkHe&j-=jx2z}JIN494uFvppOlU%z>S883T{il1WU?{fH# zT~XI=GVm4g43aNyI6j~&-QgC{$YnCHvh<`}deU(f``mWhgA^s`CD zJ9TK0J}vGyhSBW{% zA4bJ@;5gkjW=<;S7Ht_j|0Ujlv1_`DT6|jqI0S8S1{04tuk9`KSzFc^oDq8{<($eH zldhGk2mAtDI}GM8%ktHtTncidDiKw6X&-sjShhxaB2ntvAXvGZ-}8VSa6PLVZ0!WsUy676@=MUv-*-OefXn6NEtgd2BT`jW=5M`J zU#l_rI`V84wGB(`#z{@Rkarso+Q02OP!u-hcV(;ZT2wX8e9}n*4(U1m4z+P9ZU+^O zW!CL_xhtyLP`GIJo%VvRVhvLzxA*te^sHV+y!I@6XtK0khtfp1wK_)Svl|?XPg*BD z-t}SXP11KEQ%ApRQ#bC6bgbPtDd%)zYkT+f!pc(3`L;J-syRIkeqGlXn-Wjyuq01P zls)HnjoIA7QI3okfi@Yhj9H${%Fp(jTx-xf+X}%l~YTemZ}-u>OIaQTQP%tug-F!G?cLvzly1E{8fH48)%^Bde9XcH~~A zOPhRtr+lH9Fa9J|%WQ)LS5$m(uQS`AQ04a3eDY@Dd;?ot(oZ-pyjeH!bj7tkoySa@ z8FVb-0{b%dh@BhTz3|le)<@nWtP5ZGI6U)Z?u5*DmF;qPdF1ABvc!4A9<|;M)~a3+ zhl}D1M!V=3Ue0>^s;@0PUL5?UV*X>wfLP4lj>wM9e>WDDQu#!0I-D0h9=y${-F~n* zFa9obKfV^E?xD3-W(45M=a9m8oS! z9%hBq&V-0W#pOOzEq%e2%H;NXo`uP0ja3@okZ19P>oaC~?#KHk{c-a)7RD?)TiG=6 z^M^jauT;yv<&e2uAzrUpfbr(mZ~CrB-2Uc@eGZmOl)hcMK|7#KOw;(a;@-tQcjxZ$ z$r;NxiSupVCi&!hNvoiPF8bRvWW%nf$mZENxfI>o1ynFp(G3 zoJVq7oWxbHc=d+FeQBb&b7NwoSNDy3Bag2KTBJC*$k+CC8Cu+U^C5e^=o!J{iQF@XbR?>1+i)XG0=@k+pdwEo1D@|lTQK{4+d;d2`wMKnYT zIwT5E^J+=lw@gzFIc;>$d1tFs&xfCyrB`>4KW4GW-Fi<*TqR%)KHBz8EdqwUF-eO@tA4Yvg={eS2->{k;G{K3vT?U^^L8zN9C@5ke70!DV#2A@_EE9 zA3L@^J59@C9B=mSPus(vQtSTri+=rhZ|JS~PTjqs6*JF7qk?a7Q^v}hUcBTR_lmyh zWbBiKhIBToz#KQU+5yuexAW1+OoXMEGxEQOI})%G7oT{0dZPu;itrP`{WEL5WUFtt1C z+n8Kg?Ut*_d!N1b=c(QtYx8>7BVlSG{g;21&ugikToty_$3Na_3(4ibPOWB)wM|jn zxKZYk_FsKtw&U-WWEubd@4t>elU4rzlWAAG>mLrq-=xC-2OgQ<&Hp()PeT^g-#`8* zVWXGX_}`gZa&6mg;t~Gcq51RuBCBNo=eWMf`u`6XB4G7{nueNM5cU8RM068w4-M)6 z{u+rD+xB(=)ULu167vx!5zw>qrfFe%0bW519RGl1u3Sb1 z`@i5dDWqRS0UVIq^%~gWXtKu7ALi%x1*sT@XSBfWSa0)NTUnh`QrfWX!O7i6DTwgA zs%n7hzaPnzVya|lGH4776E$R#y64j)HUBCK{ zZL6VoJmwN=Y>X&E1nzmW1Sqb3clL+JH_u^&x(b4hQ{ir4dXqU6C;1^5jOpul>NNV? 
zxw9I^6p$UDQS=`I?~3Fv&xxq{KM$vtV=(Z_PRz@+<=H3M=3yAL-F?{=(y+x)>pUkT zvw{M@{~Qv}^m8YO>Jp~1LCOc`Rn)1Z1g6>GvAm5VvXz8~ZT=PX*KySQZECadfFx3F zXmL}({s4p7aG4MK{7j;HX?g?ZJj_3b#OXQ<#8@Rh%pvLT!d^Se8 ztFx1$2q4Mu26q@p0Wtj^Td^mjN^hbeEN{h}5k@QD0~mMc4b=Gg^XD#nG@0;$22G3Y zf7S^es#-(RnFmlYa7wO(>_L_medLht3pO(5hOr;e>dBlVNC|3rjprfijp1N2Lk5-s zvCPHRvyXu9i4cUsFl71;Qq*UzT{~d?c4`YIzPj<0c=QTFF$W3{S2_xSi1uE)Vb}Bj z#tot*=DtwBKe!TE?HC6oFAs z(jB=<6D9KtXLJWET3cB>y1R+h z0+uB)ZNvbOUwHVsB8YMQ=qQvzhk$C=!GljQnTT~x#$zM*=3~8`Hx|yz;7W5Kt^&g zeg^@g^;@@MUmXEuKf-D!(Sd*%ySn-oiW4VJkQW1?wjWK;verPpZ8U7;pm3E~f zh)qy!u$#E$;{z;F%TyD{5tNuH;m#sckp4l_E2^A#=J3R zXVuE3AkKaNL0}pOFK;jAZS!iZ;im>S4bV`*VykHXANP1%t%F(2>YK^uNlZCUjaASOA;~20_c60xW2C8Ao@vUDZ}(d8gwCq9?|Ahy=L=8 zXb(_8E?dK?kf-*-HQ~tk`1r3ZR9t~_zqkMQTwpuSI90uUv?b$Xq}!7Sn5bg_4M7aE zzX!f-Ws-0ZfLzCSn3$wYS_A8c(mex$00Piec-Krt(S1gX7$@b}nHUC^19TXyfch0N zQO6)yOj?>BTq5NPAH*sPLgSC9|4A+VVn94B#_?e$e_jJ(=%N%5zv6z&x_-U%rAwCr zgF5~Kfd1M}QNB+5L$kD!Q7=`vTW&y{CQVZ2*El|;eN=3Xo zu%BhYh$A)QUt@RJCr$coPE6%+5rhm}U7{K{1%_bB5HyI39(8kH-@RLbodE7tVr6Qr z2?r0)2Z)_xNEEU>7)bvB@1m&@_43)-S&&DbidpN%oUlPi!(N21%1UfB3Q&jtY%0(~ zh8h2L{kNTRlL|Jt!M5qpo2x_-gqRAlu-JmC2v>w88tw&*(GhFQ{PpD~=0d(^I#5iYJP5ur-kU{7K^Vqw zRNvfR219dlxaBdj7Bazol4#-36C+II5RU@`OYpDR=E9|tGyDbTjh5hDbNl5>9wOoh zrRf>?jltD;E6U2?xBt4KRZ9FMQz}flT+rU$4l3vxZS7XMFy|<3y_40)8s>j*jXY37q)XYQE_#|E|?i% z^*wm1)9qlgK9O`i1b}BVBcmV$VlnB=Ey}mk6aF3Y2ah%?u04b|s31AJ7gFo!a$wq< zoE>l!s=K86@1NaCNnaOJ8ivG)0t1o3+qSrK)W!TW(no%9%J>`8+Q8%gBj=WIQbk?+ z?~mE$`TsS=eo*=0!%9q~s&a|<5b4%GA4^}1p;rX?gxj=!hEhna9$~JLjM_qblDO^= z&mlM>6hZ7osd)&}1H&yD&=C!@xM?P_I9ZRZXB|E=f$q=e{W?8_;ckT3!nh$|{(HfY z!tt6=ZA#KD;(ybkIQxEvl#(y20H_hIv7q?9lI>oSHI1k}5IV^Em6=RwgEB zXRiXa*esw|itbOT^1u-Lh&X-V{etmbit$fo40>XwQ|(1c4kpgPj`TvbDL?slrq~dV z?TMqjFFX}~qo=u+8Qww10JD%VFP$w4v_!rQHtSG9fXb!U*9d&Ds`e+^`wrcA_Mbj` zw&&HyoiC!JR}u*{Sa6)e$qVNl10>03!zGxp{}H#IKu3v?$)Mzd5sQhDoQ`xPki=L8 zyI>aKa|TKucKadqo0&uzv0dJhs&+D<4V zK(F~8#w9_$_-I>m#0RmVtgH;aosVE%(%`fc0Z$r_nF3ioAFJ!+2Jn&st24+*C8l(V 
z+aWbIHMX5M4htwT5!*sds1M^0VF)q)ZY}@kY)fqzxMa#E?Ug z8B(ZFks<{HcUlIE82Gq{d=e+~z}GBpXl3_e!Ai#{|EWY#MIFVNgJqPY8icX&ozBC8 z7j$$$hw6gwP&X2OQLEI*$X($M-K#PEDn|Z+4hOk!5D~j^@d>}?UgixIATL%@R+h1| zvx~7Y6WNBcNDhX2U{FzXqOtk`Cm6Ubh03ALv9Uw>LP#)(l_p;HM(B;2M6DuD z-N{6SfBWR;6rIC3)F65Pgs+88?)o~+kzoaqqnOx1R#sJ!Z4Cl9aW%#1NfB2JTuN>lK~Q9n5bI=Z^Jkh}nD4bW`fgx3kCLgHCtE31d8sr-Z|rmn6IH55UI zpZf6YqaYz0m@mYk3t`fI}UwY%9NDVPPvWk%n`+d$fatbcN_@gAHo@M1$y6cVDg zxUDzx{GT`iQDi9%Il{(g9~K?OUqijx2|Rf2dA6EpYl1I9tQEnUKZ&{1&6|%SL!u;i zi6_06eINFi3`F~2??M}i6$4WsI>-^-SLJGxFlrXZ^NPfd%9|Ly>#ni4zhVu%UB3S= zfT9HX8|+yM=(+4bMuptpJXs3=LF9OlyMHP#-wiJk9Op{s&ws*~Q+)dLY1jV!amt!F zQXG(*Ln5OKvLl(+9lFgr$K{9aJ$OKb5k}kIP$6BWCB}1jJmzmDlScDuP~u&`KF!s8 z7DELvW5#&ECA<_&Ss@*dj*mY*W@u~K>}Uj~fcxr6#99(E4|OP4wQ_3qFvi&&+$wY1 zTO)``5-00}dJ+-g+X+a6tdiN`j2al38-U~Dl)OhwESQptMgY(a9t=D~i0stDWW53f zQE|sDoQkc+!0#sn5e@vnWO%=V``jkzgJ5FUAHfZv#tp10Je>Gzb2wRu0Rx#pp#TH% zCN39y+U0kPF=4zz!H%M>YJ~?Wt!4P)uw;h{BM1gYMgxLU$>0j**HCH9%lB zd(vUwBgnr{W>IyL-Q1uU`y7eDO(KZ%`0+9H!Iu~MrDmrKm+3ipEqCnLL7;+Hf`U8_ z{X1|?HK@>kAgmx^hiez*gOl%ZwmPDavL6x&2<7KCYi))Oly%@xM~1O)$}R5#00NY~8{XXoN>K`LgT%9X**d^wD8Sl-I^9Yv zEu1aBh&J#FR?F7ZJmZnR4ABhx{q|64#Y;v}#889^m9@vavA`^(4GLqu*Q;cUyQ}yf|ErW5n3Fe_PJqw1#M;3YjLgE1+>Tw7y^p+N>hC2R=tPSJr8ta#?cS{z9(`jJZJ3oK4; zTX*iP281;5If@Fg4l4md?~^IUt|=4cDa2OuAJeTDJm%jyFkGM+;^;*DfT^2lD9q(=2; zcCL!Oy}bjvTeoh7@WAu=*3#0G)3?=580}Yu1W;4kUXE6pMjSk9?GsQI#}f{POFd?X z>fjI=j&kyCMRKDVc3MHq=EgUdl+%XoF*pMviGzbfq;dkpDR6KN#By_St@s@F zCYYUb43V@K`-K9vJ`tZnmGc65I0Hj-($eU#@(EVd0Yvl)s@P-jo>&VuFjl1JcdwhNAH=K zQxRo7EN}%=Q%-oT6S$IsXet85BsLd6-j1d}E(7*6bWUKb2Qzj=DQkK(`4_C?=4bk) zmS=rlE@KPg*aid{>8wztGoLhkPD*riGW2!K8aT;KY!{Wh4k`sCNNmA z^Oa*hWOfybu>cK;bs!S!bod*4ZEXHi9d!GqW>2Un`rpB+?%?b^q-72*0cAx+X~aCl z@r#(rBO{Y}R*aLm*H+Qd9gk6d)j5*m2wlG^KGb~dkoAP{5Gv)5zyNW1gbKDBnqjzJ zNYvbb_y_`UKalQS92}>`mVx3@7+$#IJ~g*;m;-RzLd{brqwaW zeGda}tU6o$jGARZcPE~ZnU<|V&}<^&3&@c+#)BMKnuSv*<1W~Y)uw%(Nx zmwVUP$cPU>Q;9B->?Wt_(JB<t2djt#)XF#0(=q_=z* 
z@>)?*QIOZ#=7GpCj^ahw?uVk}!p~!P0h*a68<1Q>=i?EMT7uRhub^|9?8niFOBt^e zt`UIarCA)r^>(qbMK$#zL5Kj3s{Tli-FXm}givAW2U6X5B<1|o&+qci)g2uWVHK=6Fnz(M=0mqB|BaMR(#Z??Vp7=Idh1Jq^_H0ZWvz21%6MTj3f zvb>yey+cXqf;H90!ZaTFr_|I+ucnc@JKymv-Ss=@{G~hlHk?sayu-Ui zYS(xJYO3jhd`AZ>tgq+WYP%s=$gLX_1Eqbr86$t-IBLB5zrUS&57iY8 zIE<~FOS;$vOf}|8JJnl&S8{8O*_QMk?LP74&GppHH)np}?nqSt?**^a)YQ$l|3(E? zvDutZHe2<`JG$XNe{ysE?&-;xRsRC5p-4mhFYRd(3_oqcUHyrQfB(;;{r^j>WVgcq z7Apz=-(n>a|673E@tyQt>DxIfd3L6pHyIQ`n00b;QeHoHURinL+}!xE%3s*eud6up z;8MuB>Q}@ys4t)GKU1W6`?|}c{|IyAWPRm#+34RF$Tt4J65*@81uQl_QL@Kf-NJcGelS0IrFhDcozjzQonO-}A8%!nQ+iU%^O0qL(#O6$9M8(v

0>ubF;hYR&C?XO^0WpOru7kR9pw__|U)VCqL(iT^oEd1b!Kj4wlVo-{tw>)g72BK6BDwTVZ26XgSzMIRI# zTVBxh@7Dc9xq0j+M4k{;X-GzgIe3#Qjig4n51Yzk6V%G>h*3^}Y^$u;kv+KMA45Z% zSXiD}IU$mBDo3xvB@@dLb61213etU9%$iu9_j~f>6VTn-=H`!(QZx@iyU#9y|8Vc) zxq=4Ee7D7?2!VF+rKSe*_}YaIEKZN}*co=_P3mS=wth<$JTH)8bz;X((TCwVmiPN6nVJT^mB z<4!78)qg^R%j@>*Iw$f|9XvoDKKU?drny|HC>L_4n7UMvO?`#j35uO}(eOsw_dAke z3AY6%3RGr9yO{Axc6$15y#f~mLIShH1n}ADshIV<&6{q~oj;PgUX&{-D^|=>|8zYK z^{*qBsyk~LmTFy9x7zM{<)6`%+2ca3D7sCi?qaHM_d(#iI6{cKACYY%O5_l_D^F7v zxcF}6-OZfOMJ<7q5N&DTTj;oE_QA+f2;HV#?7PrDIvFBl^xAov4~|NGsF;@Hx#}Rs zO}fV@Pf^oDf(u0YRcJb)?@L9zWkGetc}f8e^+!nA0c~DSd=E*x80Kq4w+bjZYWU#Z zY-AQ^unS2!;3xFE7;b4yk}e04u^=5JXdCKIGBxY6Ii_b))?X*#K;WSux2v{DqlLhvrDKfDInp&h^2u~pVh6NB9g&aB}NC` z;hPFA1YN5DveiG;=gC29kV7?oJ?0&h zRi02-iaOG8Dz%qMn!hbHT1!VMtnF@J*%ZUlL0;YbCzw7?gYP@KQ~6iDj~lOI1T-o!56Rh zVGo=kiuBj78{^erUn^#sD3QaPw2bSb?`(Ye;Ne5{I;nx7A(ecGtHiDtJrlI6+=g6< zq6<;ML9T_+;{zC7DN>pe`>!00C@4*2)n)Vpen-K;rc;y)=v~6~spNiVJcj_6AMbxD1yLYbuNP@hZK!605!YDbh@HRd( zbUg;mYORlkSTLv)_q9!Xl5=ULpRqjw0Tkg!N0NhdX2$XxWbYXn#VkZfxw|255YgD$ z+S;C)2)z)E=+he@1C=o42CxDOkyQW*p_mzq{R6vKm4}||#dB+O1YTHGy^LU_AGJJ5 z$=xWG?mMV(=&^~4Y=6FCAY0;=QPzd4TrjAB*gTx;f4+w4i+Sm0Fsp{v9|_ipB>@)HI`tE!bYi5J;r%nmLFo&dHfFbiVaUsGfUGQ4P*6|^ z-&R)E8XQSkx_AQ=pj&tXUl2m5O{U$4yCBN`kWfayInH84;lhROFa#%60;+i9*B4+d z0Zzze0FBIiq}amXK3p@NY~*Q%h3mnqD}ZpG)fV$b&j@34_mC`dGpvNT0#2khQuQj$6qKL6EGVa zheU8-1Z?%0dfjbhFZs|3)`;n6l}3}DP=C;GBDMsC5te*DV!fk{Zl7Tnd93(MZoSj6 zG9kLDARgGlG?7U2!ox*D!51PxwgYwS$ zo3j)y^E2)d_TT0nw~#71&qCw2R*_Zve)~|sx2iivEC!0P1GKK8$U2DxJ%((fAZ_k~ zCOfH)QGyO!D1b^Kx(vdAnu*~tmUgD6B^)Sr!=?r}I{7m!?m&-Vpbj+=Qq5+$>o;v8 zj5m}*tP7%`krkotwWl#bHuLM}&rc%8sSxkSOM!50{!{^ku9@*SXbe5IY6nK}1k&|D z0?ISdGJ#alK@hD-BSZ+IU?!B6ORGOC3jmE6&2Mi zaG4OOe<5N?I8ENhCO9*+h+a2YiG(BAU9uMAwP;WVz1VepT>xjuVny~fdxPIQ+@{O)jzWh}9nXJo`@t?9fQ???deH43hn5f0hN&EMC9Z@II5g(i6|NQ_!9Kz(2 zOff1~MCTVf>pkJ&*w{SBqK8kwBaD&jTU(O_Lpl`TloGRs=O@+@i3ZThfZ<1@X@phz 
zLOluD7tw1*-8~N6hhgq17Gi%f)ktVBL3N$v#$W}%auw*S0r`ctXE*B20^ZIFjN3k6ZvJQp*b&)j=^3AN^i(FMyVKzJQSG4dSJtxPabebV5Qv zN+g18kVYn=Qip=IUthVHXNuU@hnNif9-09Q$a8*H>D(LWe7nlJ*kmSHofQ-T- zHhhMcS6F`usup7OgHr|IT_|!MV}~VD-tTsXDf7LU7E-Jt6; z{&RM*JdtkzLIpTkz~3T`eprTiA%t}!ZjwK zX}1pEx46Jw+c26UDqr*I!tCLepYBJt`L7KsO}ob5?bYP^c+{o0n&U8qsJLJQBR@xCM7O;NU3) z@%h?V;ryWTTugOmOeIat?3qloYU zZS6ie1RwyO>{tkkn$vyi%iJV%@f@7w*M zYYm|PJ6s`PK!ZRO2c(_(ci-l*bEu((lFvZ1n{?MfQxJz+04jh5bWR9|T3Sw_q@mqP zrib0@8^GoIxI@oc!Ame|*>?Ixt>M=-a;qMRx9)CXIM~`!&|$Y`aLWr>MP@Svk?fg{ z>o*^T{GLAgKDGAVPd4%2V+^B^a1uvyRSYwk0Lm&lditv{0;sIyX)D@+2;MaK>k+(7 zaGeQCFK9eA-acoK)e{Bd=E#w^7Xt4forJt2Wh9Y>)Xdn|#!#EtdLv+a8`62C zf7}e_6d>^i40t6W{pnrIQx5(U_nS7@yxupH4;EN6{{1C12#N=c&xExybB-#Ou zKr&2p_2JIMF@bgsTmyQ*#)N@LIJR-Rb%!KM@)86Wm@4STI^L7oi?RhhtZnGeS?Pk+ z1`{?n>v^00>K!PrWPvi)SIuK!ghWAf>}984bmGnc&VA0aHwS@f**D-j$v9D`VnSYB z*~_pQFX<{o+#Ri^hnjr>ErIO0RQ=l(FO6WI*c0YiA3(_73^7J6s-fuec=qdwMMct* z^TQc-ypg;-JTQx@H4|mf$0&*iB^AjviLDBJBD&B?Ko3Z7b#@%RTMkkhuZ{!vmTU zC{zg?iIdv{Wf;m3@@mQ1j-5ZS?bzx^TLI;Na6esh?y|U6d&6;Gz7d}G_hNVM_9zIi z5;?zFR`WyMy3?#YzNzh$Uhf#CUK`*+abl!|0C1ojfHOIcIrXcHbM}Dsjv@UDIbiv8 z<8gpQQm857P^uuUE|}?FOHO)}%76$+8iAu6cm|%N+Ia66as@y^0)+}k$iH|$ ze!K}Zuo;dNG`v=knFZ+GpF$-CN|bc6dOb+ZXxP2S(y+!z4Zf*;(#_Pu<(GdNQR+K;ap~6W+p43x9cYqYHy*+#Pc9_ zel1$om!}?~<&CPq+ne*P8vJ(%*E(?Im|OvIka?k;aNF1S6cP@{&to_bL9z@qDw%&A zme+$U5#`!C>=<=rYiL!~BjqXU;Az)+a+-uTZ*}>J+D6fSoq&Sn()(+S9<&b>FgMP5 zM$6>A2{(WG`r;S!O-_0PJ0)Zk^lrJG@nslw*dgT>O1jCwxbbiin2 zLQgP2Q7-&3;go|)MNmH!!C$g1pZV{p0;)`Eev}@h)mgB-RGIBmfP> z1r#sb_^I&pF=5aSUH;+#VymGcyP8zuDHqC+MA>FlgE5j0HhZ$hHJib?+1ajvfif)n zQXCBE^-JKAiU0)S*cx!DVRc`ijFyQ1Wa%NnUm=8dcxsGT<=_DR4ycjzm++$gnA@z| z{s~#SCPoJicZ`7|W5=MWTi_y#(CD~0CyIoz6ATN&SHYPY%3mXO-BJ*Vk@qxwXq@ZrhPJaiHfZQs!Zx5m)0pAc20C00k9l*fl?Hn?ogoT0|r^UM) z?kJ1^6v1gAK*oDe_JYAsj&N%$Qgr3y)FWiRWE_J`X<-Qf!88K8Ea5Waht)>KnQVxX zvJz319H{uP1!%~U$A!rq0psfJWP0nN#-8@%;Rbe$AjyIrRM#pbAh145>jA8GH%B_` zpG1`7cHMb%#vMRmy?D{P!eT*I?csa9TqB2Q7rU8%E_z*`V83K>%j~nR|Jj#z)nW%F 
z?#)En$FB+4XIivwa?;+Nrm_0b-V5KBkA`ay+ux!h4}^NCAx)uGfB=Z5!qE`4woW1h zy>^*RuhxGIAP4C$Fd%jvMa3B9UuF9v*6-Z8RNJR4DlGg0-2~+J{fBlO)dl?%#vJR= z#KH;v5zvg(T?555{iA?RDgmG_tC{NHnCH|?--|-3=Bi=`TyZwC%R#Cr&@TB_harj} zgsohBtI%yjEeOLAU!nn;a|Z+jB5}x+$B$V%)8~MKhoz20?8QsigiwN>jckE*^l;VX zMZTs;+*Ar&9Fdkk>ix1Eapk6i7;xUxsQScF2jn>sat!sF&5CuLJ*p?CHUL5<_B+@y z=meu)eGI%A2U%Q$brtk|?O1ToV}OCA6cp&%pS7?U);=P#HTQ9|y)0XM5S%zpfA83S zC45lHFG&7DZGA-x`!hd^il(=Q^}qYa3=12oH`O)_Kkaf^6b+NTe{OaBHoC70%1hmO zh4;fxKFX}SWhlRJ>S{_$Yb#MqM<8a~8vbdMDeZ0-6_R^;72IaHhjI}RFxmdtAp(|P zMT~U6df0-4u=(${Zg&{zhnp@uqpDs$ndoVBda&@wd-V#6L6#+xhrCA%&l+rGaeX`h z`PeP%-N*ZVpATayK)8yP`{w#wL;-p-r-EGpJi$|abQlQ(Deti!g|`>~GxYlRtrl*% z!l(DukE+!oK)t3We7{Og)ehZ4H>u#Pi(v(OFN>Vl=Zm+ZeVmry8+w~O`@h=G%Su8f zk?WT)2B&_^Xxtxkoc_ayeHji_71LWRXindixTEXRZeP*##zl2q;(z@wfLF;lV(2QQnV|h;TE%AQW`Y; z9|HrjNAnGE#{L+p$WZv}#y@;Kin$f#gy>x#+`l5a2#4{*CcPa8Y)!U`xidh#bp6tii)MKxG|GAT2H;B3YvQlZO zlS@mj=eh`Hs>oDNMkz+awjhm}u)B*I!!O+GH<&c+D__1tUwCx+Ilt^x{vL|E5-;N7 zd=e5&y(d7s5;$<+q@L9Gb7V*h-FZWo3=x4MP^ppp#t^`&fTts32O<*wE?QgRa%;7z zI3t(pZM42HA~YU7+-N51?d?5Kepr0AO=<=w8XH(+=*f=v*VF*3KtfQ{IbX;0;N;^Z z17x<66k)xouw%E!c-SHBUL$>dpc}*PeRFb0ma(#vC-TdxW+R-c3Q}#^4|i;0-tj%N zUsL^~dW`ab1OqU7AGsLPOLTOj|M2mn0gRL;m=Hyfd9<608>^j6sB^P6oSrKi%oh|9 z*^6Rz0ho)8!DgA;7rs?|aOd6WH$RuWe#{H3nQp01d6AUQf;EM&J>g`mSR50wQr4?_ zO0CWlru2ig<5ZxInuLKsUIvH=Ao=9#n=u7(5I7+$JMi>Kml(4@Qg?0mw6l4D%rO_3HN+Q#t0<&H z4(Jf87f48uyT&{l{qf^8_>qMRRZQuCe&dzQq!Xz6yDcQHY zXkG6E|3VJQf=bK?|X$szIdNX;s>G_%Kx)?Feu!+G+@QBZ{Q29RBmF^D9dBS(&K z>J{V*@#Z8i6HQ|rpI6X}24fdl59b6Kw?wxDeXuPTvZaoEG^ULIyT zfJl-KD;REORpuC}!K6bc-n_V0Kb*@=@du#EyIV(mM;Qj#O?`G52HU-OD_R|o@=_|M z9m9oeTryI^Jc>1`$pQ9?eJW?~bzHw&h6A(IFB9?X6(8j|I8K zQ4B=h2-u>9jtZG0LMhcfJp3}FWJ2m{J4zX!U8$o+$zfp$%2`|hbA2`^uHSuTEdN%< z$rn**8jzZ2s1bx|PFFUY;@l8Ud&#mn&D!R-XFplT%$@pO8>w}w`<`l@IKQUR?Zkl} zAT)@gszn0`-34)|M!=7t4@d^mEx!6`QLArEKx#ZaJu`j#oAojPj`{woQpB4OtB*{l4@k~lG&zoZ8yTF9t2$R!w(V5>S zVQ7=cf-#xXj@Fll?7+=NMNB#vXxDQjOWDpb3zL>1$w#x+0qDg`x zWibbcdK3V}$v~#{BFl-}V!d3Q7(6?PUz~*_cimfiU|!`#6g 
z;9q0!^)4e)0C7jm-7nfqKXaNgV@tXmw#!;H3YwA_z=U@69MJn-I!p9p}S|+c&2mA-Ypc@Aap@JX{N=Hv2 zS(Oh%fkZt9uZmP@ILO8`FW_g9p^`Z!58#F*oS-*f4(O!>$Fn9nzZl1%)`uMm&^aN9 zTcCTyeDKOHfHLJay692{=96Ow!&5hn$RtkRu$c z`fPn0S-1Fq%1P?H$=@Mf5E&?zha(%k5g+bgexf-+N=n3lIm7-m1X z?2K<8L3kl^2H3XMKtgV4C6^W#A1zCez@|1GYelP z%}-=f{xthCY6?Lh3YT(ESxM9B&X5UTqO9y8OeLUq!UQ7#Fh8{>gj!2+$`GU<+`n>P zWG!!O0E&gR>On3D7Mk541pplvB@>ve5=Vr2j(Gs=7@+ejbkwB)^&Hzlbp{DR z8t?%T9dVc%3{>wtoUsTb(h$`@`CVXAmo8qs0p(fHgwQ6|<9dp1dg1av+Z4J<^7v6Q z{DQMH7V%bYtfF%837OaC;kl2l6%qTPAhUr4u0=Z^t1b4}$A^blGw)sJ&zN7pscrJ@ z^{a9H-^67Z*Hv!a2;X6SE32jA>93o{^iq_~h=VUJEp6DuPPB6PK3%+gIcSJgT(bpM z>x5DR_KoQZ%Q-TcjvywCx*l}3+n`gS2MiYGZ8&^iS@)1 zzn5p-SbxWFr+w^~8aeJ>*OI*VNS^=ro@^U!0U?Euc8itA=Z>ZKc}biDS(aI!bRaPu zZ8Om)pBz_Vig}Aat|XRUKLESW@^u`jLkrZLnhTHz!OVav6oHuq6o|xS2*sdtLu7Dp zi-PFv`1XB;!jER2Ddt%*jJg>^)!7rT8d8r^+O%SkFPKr+Z^NrW1M~zpwFy_RvPG1n1lAHwg;Vo z2+knT5(0{!|2YGMJrVP!vzpalx{zwv{;LQDAhZ)8WSZ1Ir^W|0YZ-$QQ?~}`|5s$% zT)g2pVrmddkqboPM>SJ2(CNUwI?MBb8;6GKOz@r8s<9}oXCwDd3@>Nn6o{rmSm5NR<7 z$;qjMh7^Ik0`(6_qX`8uoqd>3#O0V+9!?Vajlp<~wMOA45uT6;yJB`4#cmfKw^nN^ z%$c!`U*HnKk>i>g1&vT(A}+!%C`vBoIXJYW0a-B)_?-_=;hoNAW-@QDpKU%$@Xf8anP%a(;wO$bQ>4{u4JJ+v*>qJzw;S-=q9 zWnl?K)Ie{VL4+1tt}Wa=Hg244UD>79%Iaq$Tn2^tJTgVLAm$dO>QbEZWJDWBeUz1(W?!>p13bEEv{D!7a!u7!X^%}aCKQqUkr8C_q)BH?2cAE2FyDU03P{*$&4;Ho7iPyorl#~wr@onIF<($XbQSMDeteL) zBpZ(}NJ5QVPd8KL<6b{L_XapAGOd;h1lVLW>p_@)da>gQ+Rbn<-B6h&C{Z3GpgqnJ zr<;io0-(3)4w|KXyLZo`trMf=;49%o4mLgx$^I)I!7EgtlmVv{GGM6Sap>Tm#xDpF z63eZp;ox!(<(%4npBw8Mxd}paZvSJEW{A>52#;c}}m6aDqZ<~b% z8&!p+-pCAr(d^$JK@Dmvb87U&N{@l7ZPTLpthg7LHMY{lnZ|x6UkKHfP*=m;irwAC zTL-GCB~J}f?9kyX)sOA=?e-YrVO6%fI2mW6dK!j#w>GXO9^Pk4>S*S zjvwQVT5TEfF-OrJG!%0kS5_@jLA0~zugluGA#b(Zgm<699%fHztzP_o(zkc-&~ndt zsarM(thnvTd5;60`gmA1d19N!L}&&9nH53ZFi|O*c*}vg)!EJ)-E#B7ANDTEH9aNLk)9CpKb-q$B5xnYWsp))+6_Z3^Al&8^68zM&FE|!(yAfpnvg(dy3kV zGvTy!X%-*k6Kbfyy1o zVJU%A4#vTP>E4jMh3q* znK>F=m)NJlDTn+iUNK7)KcLfInPTcJUciQqsuu5Ou!H+Jhod?rN79|Ab6m2M$Auq!3f$+zZ*B?z2i%fV`b(n?yCT^&Of- 
zt{9hlIu-WO?-O6xE_$vYEBecRvzo2$TPu(+srg| zYDD2!aC%^G9dmY6K7KMGtXpW&9N3M~lgU=#_}XDPMYLOUAJ>+C@ej8K3PndPq+>ND`b^*p>Kv6+e@vp zr-h)RDE!^>;NxZ>DTXMe<6T{EwOO`IpIV9ecGh70`5*eDNaUW<0AF@@rvAR(xOMvKGWN&pI=wbIW^vpVi#W>QEU>4%;9=+jtv)W z)1)DtYyC5C*{wZ4^#Btd7CRnA``O^_l~4FwwMq8x4&%m+qi)Hd=Xj2{m{q%tw9cjl z+av>*Ea9;F^KJx%4aJ9!W~hELDQ#D5tR|&iCGQ1;$;+jytQp+YQMP2nU{Y!blxfNwo-)E|zhA0yLB3D;L20v>dqL7B=@pRwApr1;E;6}2KiWbR&U_2eRZyCkP{{?a*%@tLSXl8ocPJAbkIzgNbJ$E#waqup zoJ+4J##j*<3g-?o#eEJt4`kU1{e>Y<8`9%J0wa|(E^$%WM84S7bq3v^&Gj|?7~#4P z@5rAhpt%RL)jkz+E!Z`NR!q}dxlbR9L?;vV0kV%(<^Qb(I8nvl`>$E`t6RDW!vVW^ zjSUF0EO*49)r-pyIu=X4wD8u(S-qPd1J==%d|LRHF|kL4tKR6zs69ULA_dWp@InB| z$+I8*t?NP&(P8?nC#jbiA(rQP6!cyQ?I<7s>ZsA6j#S^l@vDW70>h-zs;a$_km*}9FX-BEG#vY!o2GCSOwmqrXmn&g9d})e8f_Q^r;kh zxNsei8v#RrXT<+0d~3XjlataoS@c!w0i%R$i3$u2)S}++t`aVBRy>3$(WFU}FsoPw zR$=;Vrs}%$(`4)W4tHB|Zd&Ez`qZX=h4T!r%uQKl8?k?TtlMJQ2*qRBmMaf!Kig5| zbz)sZLnIJ{>B?e8_zTj#y%8@=S-*Y^IGupUX4s0cKC0Bn+d^sv;lX$nbYE$8^-O@B zAt=redZSu{=g6Uh!B+Ag-%t$1r~v0tNFr*SMn$zVT3K%j0Vfh=&ZkAaBlkaud2dBe z0O&az^#Im3=MQVgpkEZ^MM?NV+%QYY}xlgxlN3O3h zr0>~3_557B8yI?MVZS^e(j=Cg1Vr=!r`H)bzkF|ij}p_6tLk zfWn}@xzR&7B!R%f>vQ+`ok9(Hp?*C|vRlQ|t9ag~J)g|y{|SW#nlg)M3w5D}V#P>d z;phb=pU@XVF5H9W7Xy+f!}|2KWYD%xA8l+&vC`81d~gef(Ac`guHUL4FQ0|@n6IQh z{aE3Kw3=lPAM$rb(NB=}3N&7w`m)6C{{%`@2IaTW*XlzC3cC-&%QsTB@L5I&0G2is zh{5VjtKQ>Any`6H4vP#ybuw`3{%|gsh!ZPs@?AZCezA`qGX|-_S&C%Seo27TT-brR zj}?c;pCzS8VFJ71SbP9uEss&P#7+A3FmEi!xV@a*5`K`veMy)vFsc$)UVw$Xwe^|b_a6)}jkK_sue0j8 zdF)SPtENw%KksJ-fV(SZpLmIp%InSBtF{acEqRrcGSY=9#EBx9;TKA-*(2fe0j>f1l z9lC7&zm|;)2X29*g@lAycqS}LO*wo^x8~5tr^TzOe#D>^s{OAt(A3zrAQ;?u%Zghm zDHhkvddK@N^nZ|W>_GjKc>BBsQx77>%?KPn!v2u=vZf0$FHZX#rFhJ`Kkj#@KiaeM zyBC~(X*kEB-SDY*uSuyq{g%S)lIUQ?h%d4wA#?+#-l?e4DPnypcC3G)pF;Mkm)kH4 zRT&+=J91+_1Qos2_T|L455R5ox5D>RB24#irD%#u2-?3+-W$eI*Uv8$f4~mhQ_Gxs zq9&z!*Xf?&y}EQcJ6h!v;T4!x5mK7wJP>S;mQ@ysh1l(lVdbYfv&t!yr6BX8#S!GJ ziCaME5+>vTSf3yXK-;)>Ol$;jhIwnm)#VB|8ua2BP6R+oBsGDB8Gz>7wC0Zd%-}M@ zH)jnq7N5BLvoULyT*4Me%Ss; zu10zqo|R*5D@{B>T@TSQsSY2mV05-K 
z=j`RPuR7$UE5lL&%~ruBZ?lb06WYy)u? zJuqjSKkQaGU75`l7X^!X^Aa(BT*&-chboEXrIY9+?mm0gld60wg%)$8Qx@&&2Pw7v zPlGiUyWMcSE&aCnBfTxwdQ!~Bkn8$0O(3S(i?7plX5G7|RXrW@#?DOIQu+qHu7s%{=PjaJm#te#i-=W56D=!qFmt{S|!;pdpB9ul(dY2W#;8|!}m(H=9#A9w1y`ueq$IYB)f zMV@Cnfl>U;7@gHGy92d!O`lh?E+H;Xo>n%}`eh#zq5Wm_| zt_5s-%=79MF)=YTuo*Pr13I_QsH`W^Jo+BIYUN5fdwctchzKw3OS?~=I3dP}1>9yc z;CX(2=i=gG;Ui@CLqq%0*byOe(4N%zvd+#0DoKep!$iyX^5x4LuoQkj-@*p%5|Zbp zTi}JiAO@-|cU9fW`*}KhXWsS0hr2?{osEd_2aDTXv|z)A4Iitjv@g{Z|4^;Ioscl% zX;D$+1(P292AunMZ_rmA*@{g#cHJh(n^FshyD29(SXjQ{>W1B zpTie%)hW5UmegF&Gl9ROCKm_VoL&{BumQ(Ls3Mgy&le8IG9AMYSqW;C#lRiEVDUQl z?mhI6%a!6*9Mw8^42X)0^GDiu=kDF0lPC9K!+}6(z{rt`ln-4S5610lK^Y=+o>QV0Ft1f0pnFS1iL5pO}(Y*XPI3a9Af=`q0`@6XNFjWd>Rtmb(M@H^L&i;#X&!m zs#C(gbLZ49C>a`yL(<_43mtaLKeT?fr9l;^&*`fdYu0R1bL-Du6s1Om_5nsW{o1DO zd+8hh`;B~BuI}4S{grj!Dk&*xOYgvwD#)|`w`z4WoJ(2S4C`m>b8^!oihnoU92(`8 zfAz-?);YYHsacou8zGDH*zUjP7tCm{s^FPtUUqxPq2z>%W%f&sg@laGbeU1P#pKe9 z>36q=)K5~aHTG+JYQfbN>Rnf1^WH^nEH538TZPcj(1!-&6(U_qH$j<-RqjHr+;*$F z*7eJs8{hu@cL#j)g#SA7lCM8%7Kq^kPmTFoGX~l|Up1DhyK}#OVldm~MDnxL4s-n- z9?1O)@UnA#|IzMj*4pC_2aJz>W#-;>oX_ef?ILN^CFW;KdfmRZWbT>1-z+~r#?Wu( zwsxWa5#^P66b*Wr#Zaskc z0G--kAF>XbD+R;se@MN*S{or&07opsl_uTOG5C+* zuWrK1d_!qx1}pjqzX5D{;bt3;43#h)%ubb=pZ7h+vz__fhZ!T_oXv3-zwtJ$O6oRF zlE>HRLmir%n}2=cS2rbTj%U7sty!O;?;b5sU6k6ziv??z4H??W?Y^!V9vk3x=Dc?6 z2ulFA{}Vd~&Ur4YJm#y1`bvY-^n!bu9k#Z$_8g>8+JN^#OmIZz!O-tEY6Y#ZN*Ny>>i8k{)&(Hh6A1ZLn$<56yUl%>#!Ls3+nlmfBI*#vF zcgB0^|NJFh!=KM@`#=BO*{DyOcBlTwc1qQMOnd&=f1VZ}-L-Rf_y5W*`O*aghLrx# z2X3z#VQ8N5-+RMfKix0fXSAw=kEia5UxxE)j+mW1Y`Mujy`=4#+%Yfb{`dDgj91ra zW2EQyW0JGHRk^XG$B)}1j6%(S{T*@Oyz7n})mTYF$F^4X;S1;cBqgUN7ykDtrJ0|i zlx&)()!D*i-n?!|*Bgfw9_vb^d#8pon5u*9+`0r?k+MJo!aq}gmf2(+;92FCzo!!sb**U;_ zo{slVm2=H8*Z->a8u@AS*^gS$TPDo-WNBfsa62uhmfP*)Ejl=;VCARs$Ii!V@y|~j za*C#+gE>S^ZsSsQFL*B<}WZ*z`KeC&bp-*zgK4=gOa7Pb7{VC`8^7vyG#d~zsh zS@A5P-;XcBB}rQWXl>HBr#`R5WYO`MP$Myx?2Egh|E^ual|yZu0KTM#$!(dxG z#67=F;k%fQ&8d*VU3a8bL9WmnM*Jv>#sS)s$B(yJWo!HDHESfGEDjPYD?ETpK~CGV 
z0Lk&##4X>Wp4Op_NP8_;#L&w^rp~d+QL7i)JCO2-3m4RMbd(Shh|;~2ir)Sn!&|lv z*g$IqoNTkIM9gaQDH)zpl;9@RLHr0)h>+{0wCUrK{z0@n^janupZcynd;X=Pf(ihP zYZ_kkb+?M z0lB!cU#)RLqEo=@C8qW{4%XH^`Lpy= z=%U(G)v+(~JaTQ$A(~JAJ>84u(H6S2_lPf@w~wRYTbF+R<2r>|L0j&)TuH>Bm9f?( zd{Pt*J!u0jQ`!$1YMEMw)1Vt~@Ei?-`Z`AjW3RgE8$O%BcARzG<7(Er%6UmLD59YngT@?L%E(jhnizuafEu#Y#iAgsN*?Z6JycWkF6q7$zGj@g!|t8B);eWt_usz7gKz@( z?OIt>ZkPMuL3>PmVPh^DsVnSFc{-qM^!JkqJ?w_eXl?va`t9qHW4dFzr!`I=y40^| zS%1l~=ci07gGwW6{7Ucr8M$2_0azyn&41xS66zQ_28aE8>_0*)81qU#DzH#2+jsDC z(fxD*8@SH{c>+>2L{swv0#X$4+3;I1W_!Vjj2A3W_6Gj3uD>OgJs~R^JT^5h&TLRA za^3MPuWyg>RBI8|uX;>-?Kx|_OE~bW6;h2KLSDFc_~Y_*-yV&7TS^i@_!P2viKZCD z$85hNt(zFFmk5yrtwaWji={6>C_aECZg^S2N)`PeWd)?fG{LL@E6OFPwxu(Z4=MhV(b zK_YZ!(35^NUBbmd;=`Ae&OjM|x?#_wut4}q>FEh~ItUKz7<(!roPm3I3AfA&;T^Y^ma5?z;X8mhVJ zrdFR7`4wKL!p1*yZL6{0Zu+Ue%7*wAqWf`jxJr)Ym^)n>HFF*6T>&39LUXnC(hGA{ zc!eXjFsK29WKd0;S41@+1u7-Hb|@Xhsxv62%a}MIH}|%TKP44@`*vTv$eqHfti5CP zi=?to6h?r}I=1mGf{K+vLbzvmDC&!GJ)Uopo!*!gn1MnhC_A9ovlx zgFrlbv^#h4nWsMO)(4W8S)hVM)c*wU%Qmf(%P1(j)~m(8l0uDwbW523pusXb<5rT= zj)6BU8jrgw*{Ptlr5YDa_i;%JRmf#DomjE#c;xbIsCTW=qQ+OxpF4s--&p^tD?_&; zzPgWZO`Y`tS_w*mS18S&nhMo5C}A0J_IS(^PKPc%>=d=doc+=J_(1Q0D%FN(qHxqK=t^F{kL9<^n~s52 zof`i1LvwoW^5xEG#+;53fjfyUNpQu*v0s?FL5|Z82t*h7Q?0J^&c~Gq-8*CBA}lqu z*z)3X2KZ0}1%_ipJ{2oNuq~!0czj#Q-2NDjk|G9z+^$7$E6Koy;rK4Mq#wKDwhfEc z``h%&AY?@XBF;NAc^`*MJN?xP$YvwBJnVQ90bg9+&OScMa9DcXwc+t`>g9L2$HL?k zbeb5v3pG;l&=Q^Ay?UXHl?L&(2=V;(z8&&f;YGw2oo=&EjPbp2VemY+O`o5O*+$_v zkN1N4_4XuEy}dgPW^X)?Jt2A!j^og-Fa{JDxjXZk5ttiGDo~{{+11k9`ndEU9Ona zP1XB4Iqay%4(LmWI+9M#Fsh{GJld)6zg?OMzfq-{BPWuyhY0qef zM2W)8A^xKeHDwlNS45vrs!ncQ^R=*(!BD;Kul@BiG@?_q5-xw~s2=;pp*ig(b1D!X z-M2TSo}l^_s5;U=?M#1kq++h*p*D1Rety0It;U!!W4_`c6Ld@txIuLBp7R(s41@w${TFFGx~@1BvDSM$WxM{>)ZP$h1zE9(GM`_K%_lb)K!o(8}EP>8oQ*Uu4*6s1x-^CAn~VZ-ES?Addi;gK5)N5J@p)1@UH zgdM#D5DeO{wn1J}xXzOPkBov?P7smbu+A8$sVRp5NLhVk!oRfuZ9;PIagW41U|3m- zn0&-5Z}Am?5IOW6iIP{aYE#yD0rLCuaGanA$pisHkCS&=b8V`y&uUW+g?yJ2D+C>w 
zKlZ?-&A`CG=lMEuqHwPwio^&axMW(z{oB9qU-~`x2}4}uUhUkoY3Y6f zCV%))o*N`;6ORwQzz;clZgs9k^~=Ul+S+$`HlWWK zj%813ACs`DuE72zgWep6ukf4?;=A$HWp>>adL>Xxye54RQ}m;1LaB-Ok}sxwMxO$M z50R%oaMKyh*%cF`!8RALD%FB>&oCwBZ?K9QvB1`LF-PWOQEX3~5vClRQCH=ugE;B) z>zm!s!`~N0pi2tMZCKS(iVVV}5DGs`TmkTCK5w3oXo>YgV%-nn$7s=_{#OoC>tO>w zZP+8`a>ODl^$Mo_`Vwf(%(rq|dSO#fnYl~AX=q6w-t{nfCM}i$YFBsk^j>Br zMT)X9-ugvuUyAhJR8&@Kdd)tvK|XkW-y<7R4fOUSqcq~KBe)YgCHqf$Iw`@j_9vNo z37=~EtXcQa5Q(ZbsG6M&6{@s!G!p)&PoI8z-ManU?i->FA1u4S|NO7V#fG-Mm+dpv z|7>{AxsS%v7P*x63119N-qghG`>V;f^VirNlkY6L;`>?7Akt^!3bFrG+(9^+duFkX zRd(>dmt7w95mhwhpg)W-$_UWR9f;e&8qlU1T3Ra60Y1phZPLh@WihT3HTiuE2o}_C z0Ph{Br`I3dve`Zt?uMY6J`a8fnZOZrUNeG?$U?qW;q57o%jeJX5}~=k$7zicJ%ND5$kyO z?`bh4KKz3ivH6AmaLO_0#N!WI+5Fh`mO)T9MGb%3{lK%vTHEim6{ifD=5toG5i(8I zq|p#&rKK}avB&-qshxdC*6-HiSvKR;BKuBP1&WIK;4enNgbo9D2MHa*ZoQ52C-2@3 z-4?UFrONb4U8VbYs&E<3-`(4@-!dD7|Bea|G7Go7pkv2mT3gd6%$hx0;0GqZk8Hr8 z3c5@S!(0S<7A`3-ue&J@A3mIt>OGQ`=|b!lI{GZ5%6x7(i}tjPU8{>P^x1ds4tD_K z(2fj-bwZD2$Vqhs|Do#Jy}nER?}nA444-ze@8bS~@aw&5?1HM3odBuCz!NgFM4XKz z2ClBrSv?M+)->6&MOXMp^z}wBAPgb#_lSN|{*?lF%b!l%5Lq}B;o#~SwU)+KbfA<# z3H2-M1bl#R5`G_hcv0^tq!85xz|#;hck(}qH@^-pi7!_1zziakg-_V%Yzvag^5x5S z7X{HP4ItuDgmkHHwSLnQc=gcAXBSCiIc6R;bwUI$Fkh=GDs5IRE~{W-wp%MJERJW) zf~%#)*ohA619h%A#77)FUm?;+f10!iL}9vK^Pgr`&-zo(olQ#W3jc^S?Hd7=Nw!!p2lIQGx?P+-=lw`}g95R2+QYwQMd)T-yVs@Bs=X>8KTpKi1YNg5WVm z(2nBxuFyWe9TWCA+b#XiPJ|L#o)bLlB5XqX5H`749TivQxm*!Wc>^Jnh_Zyff2RC| z;Bj^}gSD#A3C2AuRD9z+cBrjTaZ`TZYYP)2K_8Cau5MSiSP-9{N6H9DyZ7wz6;;B7 z{f{d@K!J(VCi=>Xl=bYAQmeMZ62E?wA^4dv^J+5~u(xcbQ$)n(eU{xK6;>~G|JwY8=AivPNkwR1N*E7v^jlboD9idiPJlVfMSZ$|Skd~^-Lt_IIJ zv!8)j5e%sH#b64rO0+w|>z(xBFza$}3Ch30#p$e@zFLbwpoj2?0T&XBNHI?9o|u^E zBvnbmeotmb!s5e2Xxm1LRX4{69G?XKA?jvIqkJyepg-READaW@guU+gzMT-%4exrx zV*N>x*K$XKX`=dAEZl=eyU3FWvxjZ^T53opGaR-WmcgQM^3n&L;m1ZvkHj8PxECI< z$$0VPNf%l-C>lYXvXxL+E{~r$@jNY^pvZ3Rk4kgjPAv^iCt-e2Ttu4v9n|~SJMAH! 
zzbCp#e7F^h@oICbX60VUjTUxS1#M4N>X26S<(MNCaX#b5zfU8qpc*!&)S}tzg?ezR z_s@P?8onGr26Gm!@?CRLa9rJ`83Q^CZ&!CDPKx@?5}v2nbJ*dHz>YiU*gfyrqsKYU zq$DQAH@bhu7y{Uu%e|vkXaxrc2M{#H_5lIKfSXi*e>HsQP(xTCA)`jak^%Y7Lscu8 zC9&L=ZwDy{K@YKS!ucytYv<(Z+QHIN6bD*`^g4H5?|-&*h-7@C=bo-IXIkVNWoVFO^M-Mq2~|^UZF@8G=KG~2_Kjn~ zlP97P>Gm-9(W7k_4U4+JP}%Sz8%X?cXvK*?J*_KSQC&E-c;oz2KVS-viY{~~<(C*{=2I(1nh-m&& z9%;Nt4;k%2Mi3nFq^C+Y#5DTKseSw8*z+|g?X21?FR$BKva^zM(zf_KLrT*P&Yykl z2OsFRZR0z=`W?OJv3?5Y83yj~KZZq|>Vw2gPS1UXDpR%*x{Juuh|JV`Bm>W85?RIgu_FafFBFXrX616SN1?00aYhYTnu{H*WGRoAi7D zsSjdl4;FmkFnn}|Ur@%=!M3_R&=;PY zLJ&u9mGREqoR`4cXvXE2urK>2ZJTDnAvY6~fUMio<<97D{wm>w2S5KAj_4ZEh)K%B zsJuCk4#j0EHGThd_q+aYRQh6rB^fe+<)`(5;UgMjH9gB8FYJ}{g4k+^odmoPL!P^V z%w5trz8#l-pLvOd&5<-_jZQ?Zm8*uPrj}Dyd*;0EfWl&GhH!KL(}Y10DbvJmIyk1`T(PHH>-=DJXyTvP5Beh)|Cf_X@(;aw7;~@Jo${+1l{|z z9?6p%2Mn4GTCBA^KV0`2TAbn0Zo11?t~`J4T$`$@D*8yDojYZqqApWhxs=}DxmhyA z&HJgdiss>p6U5N0AGMGgQwmtomlZeD*jQR9eNfPxzCJuQPQ9k*S@R)DC3FO%-Ddo4 zdOi8A`=c*@ONG53U(Li$W2UaY#^Fw$jZwC{I1^LsYI!A!kkHZd>|^>Ly*Z-c_DkyL z&MGR0kW?jlOnoGKvFMXh#{kY$78x>fgyv(KMaR{vhp$}(3?RILnn$jV+mVtmt@ws) z*`Ju|n{%&NZCYG#@VbJheDEewFH_0yofW%nRrHtH2^Bi-ix!=EZtzm)(Axr;7lR{4 zz)?O}7BOK?hYh`*VmpLL2g~$XYT7@+r03Cb)vDX?#IAYwutKsh?ZG5f2f3V*Wls*q zFJ=}I@>^-;1~IdT{89W1$o^dqyr>hH0*U2fK@?Y1FE?Q@v;*^+PK8H~95HEQS*z(? 
zmy>QsS;Jh4G%zOnp?c!9Ab38H58oifxq{lcu`w~i-}YfLG6>Q9(SKzVGs>=It-$qy z?tTaMWt-XN$0aehw2ZGeuq;yCdH;}#B0g6^Yj*p@SQjvH?nn18FlRuWTSii;LM!ws zu9(#%d!%C~lXUsYJwjc8#lA1LU$kgML8Z$hs{RF&0A2vR+mn|NUbU$3`_Gu zf|lfhI}?5aP;MBTm8sk!pCJxK?b0iIX9#eqv2P0EkZaQBx`9<i1$MQ=fs$E|u52di3 z({qO?`HUK*we(ukn_@1wxTrM$D{bh;Tr!Sn`XL+hCVBC;@bOZOTjl~wJ$}%+or7=e zg*J}iDLJy^54#WeJb7B(q(@UN_bu0v8L-_#)1z-k^}7`gC23={v_$&jTpf2s*2O0c z&9XklBD}SX)S?|dM+f)tBBk_$M~?znQ^8N=-uw=DSXql0h<)a zELFz7c1b=l3Bw^SM{HcuqhCJ-HmAB=K2xQ9=teQy=`XyQ zeR8Y$RddSTL5_W0%(78>(~Kvo5t%;j^WPk)$kl5$uW*bCnr$9^C?_;AXi#tqUt zNR^~sL3U|pP!z7K-TzQ_+@<8?`4QeWu6y_GTMPGs z1+Oxr9bM&oIs_QO84c02o_uZf>l<3^6}Yo%p4Hb+w8l6Wwgn3#mx>Bt`YI_VOvO%s z(M@@jy09K*4#$|xT(%~E7U{N)Wm3-B!6wx+Fy4md_GN-mTk#l%2U_{EPAe0oja+aB5i3Yd0G?wZK;AzMDVeJv2o3*kq0W9`{gvKr=R)j0P4ni=Q3Mz;ghfRPAT?hhITN6zjTk6obU%w=cuyuqK-M_^ z2(JbDJq00lrv1CTrbIW?ug$hSD-^xvt`>B&-?*ly=)N?eA!M}PK z@uy+5+kz5ft=oh9hQ3dbQt%uD$NIR;Vv@;((IO#YKp%>FL|gi9QL<=#b#>nZViEpL zC{Zr2el^ym^cGoLFeBqxGt~0ur-Oi4p$Iz$8`s<(Vlf9I+0oI_2cpSnK<993QTl0^ z!Nb$_?@BI{&J%0+2K!D;WBcf3R@I7L5jYZ_Qur!`E)f}3c=*WopVW(6BX$)$bS#5{ z8wHyqga))6*1xU~TJ1d~NuWk45se_p0ZG zc8*K^T2X0Te62iqLyZ@z9aY*bno~dCKi&#Hd@YTmUtR(Wp1p8E20Qqm0o9!Q<2`;d z@0!8Me#Z*azWU`sAqQ!zr#})yo3MIfT#UdkoR>s@1fb>%UN4qhDr_9C8vA)=dSW8@ zKi13bg~btU!(2iTU7}Fv4C^5$AWywVd3ifYB3L*0Ggs6B9rO+696W}JX$L`ophWRv zKE%l{tA~=3P!6G7=*>h$`?KclK{}F?#Zb3Jg^gT;{T#sDK5^yaqm?}?{jsn`#VQse z-M~16Z#ke~clow{#w%5_m)eiy2|YR3>@O0DXi#{c2(mhJH6i}SPTyqhKmG2Cw`r48 z>kS^XvKnw(rPS&-A=3A^jB_hCcdV2zhuD>YBs?n%;o zg~WYIdBk1E8K10Acx1_zU!Uz|*{~XR4N$kM^2dZU0Gm^%PO&Llwcxs{YM3%&Dl`ut zz!fYOpfR$$1K+_7>0aIQyS?j*73YAzhYT5FuyNzHEZ@kgeaOR#i+d21r_Y#SIAg}& zvX8^m0ExJHs@f8avb74+!(iCZqurCSioGPRGSQBQ-ecl+rVZ#Q=dZ9W3gFG-iLn+G zjr{qw(Ti%llmyhVC>Ln@W{K=^UfW z@QwM6Vm;!p)>UJb!An4eOr}oVX``Qc^*_lDdvW1@_WARwJs)~LFundw%HFu75a=BV)rymJu2qU)}W9w7zp>0z~b5qjqU)>6EbE;~{;RQA-e>J{fS z=k(rC;~KqiNLIo)lkv?JeO({4 zUjy2=b9OMX2kW{EgWG+(Qm|0emKh5z3UQFmIbCL3=~O)xbm~(*Jtr_ZKRdwiLC*m= zU$JCf@BmcXox68$OYupcV*W1hXGN;)sTZrpLJu8p>A13rEsQl%bu$`|O6P^C9Xz9? 
z@mI^76|v5eQkTDs0x$Pp6`K(CQQNZO_tE#pb2qN7x1PI^zHQBWAxN#8VMm6ciu$Yg z@x;cu=%^@1ggCfBFZ8=@Yt+8+7X|e{X(!))@&HdmLn)3kme}JU zd?uDs2MrXK)lt#Wd(7NE`iwr5?Z=T~3`DtEX&5Jp;l>KfE_KeoU$@CSwy@JiodVhF zR$13A>fN2b7J41^3V-4o{OW*lKyqfAYTx?t?aG7n%}oaVTX5T_GbjwtXTy0zz1>?B z`rHuY!Rl95?{B|;y)e<|3W?*!!Y^BM{ZE|eLtg|zq3AOI>5d(3L~ev2b((5+=@Ol7 zDO8U!*Gi0PUft=X{Ut=sJua%(+o-5;d85yp|NQW4cTy_6F4N?4&fWp@tyTv%Bz`${ z{`7zBUdN2uveMUUdPB$Y!dTg$X!)(H)6~&>cWr!2>CO0*xs{cS#AVRyop;LDi7_6U z4>iKGpaIcF(TWOd3Bi@|v$e?w#J2Y^@0LvJhv@r(bMoqXUb<}gN#TuE$8RZhcMnS0 z1#MFPJnK)U)~ZhLZnY#h=ufkKv-;)Pe?OM?s$q#++MSA(zQ3|K&T!qjq^IR8WKWK? zPw^+a2wo5XSmCfQkK;Vo|2T%~0?C$$g;EUj(PaBk8NWv?+F5S@vw&mAdcaoKeX0z)e(aA~jBKR2Cf-H7 zM5!#Gas0;?laB=-vij9ECZ13oWOdjz+Gm*f0_|Eq)#in5#wzKJ%1et z>m?;Yd%pOBu)_q$>S;SdRaNSrnIVMP1S=U}2pI{x$=WiC`WywXL};4$Bs;GLE6onm zqf6{Ac3%=vq59fNkkEDJC;7?}2^-|a0#v#glZ_k4O2X-fRCf!=6nV4ik+L9&w5R0&lZ815^;}%vcK2%p2lynj^ax02DN~Xvd z-$oNvxJ^dFF&9E%9}%Amomyz{=K(aZv!Y%-%h(a?(ixGdl~7m{r_`t37ybFzoiKfLjp3$ zF!Z~;;nmp0(rZ+Ozr50()?RtBio}BexDWLH!!byuqTjOi&4^5)wV`T0be)ocW$v1A z4TDIgo2HfuC>=pT;qO}8yF7uykygnm(*d?!6!a`^ zu=jHj@P2-A@qHM!d^U^xtDJGn+T8_PRIyq!a{F}%Q6%#KcI{3++DYu^zJ^ol9z0xT z<3)6r7%*62V7am!<+8-*&YUQa2F6RyQpArvDPnFol-kprL;o3=;sUHfFCwlky?X5i@L9}_5PUsp$RB()U`L*8r@k3{Au*H$Kp-@3JmTd~qqLJt{jNS7)ant=4|ckaTXVyUw; zyiVJHB*5gv=u8i=9fla+Lq9VKNRq%{Pz%9S+}Dlh6wGaGcEj{ZEaNW(A3gdN8X+cB zMOZKiZTI(n^g$Zq|NGhMEE%{6oY1;&?@^c{c@Wvy`k!!}0yopHp$F7X7n=x!GTdRX zPBXjaj)757t3&D*6PSkMES(|Kw&&fb!(xlr zzizhI{Wl9#^2j~is{M|4u6uX&+J{V!C~b{)IlG_NcXW2XGiUJXVG2u*-jtPIsFZQ1 z-R*Ndhs=39XX1hX9HcV2d#-pj>MKdBT8`1tDeu(FR{7+kmLaa?^|rmnS;!R*jxu&Q z)UJoJ`>M>lxgkcA9!CEf(`i(~zPT@=8oj&iugT2&rQ*LsJ7!fxCapTvl%cJy?fZ+I zTnG@7o<)dMjEr}D^p8#SYD@L*>1b;kapVL_$n`zTbk5T4kG@Y=Tb%|F{<)?GAEfrY zupp_Gjb3`7L-($=o1eOko3MjPnf3vPRi>;R-&cS!FJANppcI61$hI)5b+Ph^L=e=x zr+@t~A*JT@GAOEfEgjBi(3fd5z>Ju^Ij)UpWL;Rkw;7VZ-md8g*Oy(PTtyU)-9@PN8zW7m)3X-r8H#Wx{w7Q ztM?J6_IL@_{n{zezJn_Iop7jiIf3Nv*a-W*Vzdy-q<#DLQ6AT)g=qqU(1}d{BN7M+ zAo%7(A?7LG$`0y?ix&qnNlqCc@;)5;C@c$t64vu~A3y@5M!ctUh8`RZ2$l%+#3Ybb 
zE;zb8E(3>89KtPOF-+sbR=Vj$ix#0-yi0i|c5<^eTj(kQRiq{Iy|vpi5QDSnmFK^& zttr_{AR0W%@)bB&(3vv_NzhKXVF}f(5SVabyf1Idc1lFLwhI*$C5Gtm$Fs?<$M4^J zkA4Gm65JLD6?=f&(_m#2cS+HC!;U}_i##Izkfe^<2E8SZEbDpz2lqS`~Y^)Vm>0^&{`zHD)Fa~3GSqu zoq4J!!4di~$d%wBH2*?&sJ)G%04K!mxSr5jOHnOEzXJL_y4fpXH3~K6dZLV6Ez8DR z+b=6DC=h&9GcL)Dz}HT^6gEL|_`)IUCe1DTWrfHdd@RVLtEzwC9PC&IVL($f;O7{X zdapTImm0Qtc|{F)@YlXJdH!BIi-#BbE}41oY2%v7H;>mBX3L+roKdACE19`!wrzD6 z$4@7`m71bqT!rx;o-YCX?{E9!D(Wfjf}FV)AV>Ldz$7l0-w2^ZA%R+4 zT1ejLlBgWhV%~}@LU)y=$E)mxdAul7Ri=@ILrwn+$&#% zybRP{z@mhHWcdF4!o6*eF^%NQSc6cP0y8;Pqb$(ly-A@v$C@&n`dUN)m;w@QR-3i8 zxp3<5zI^FK-WI$Z@|#SWh~0}>qX>{m)kq0TN0JGqh^>o14E|Zn=?Pyr3mK@>LlV z|L67V?ww|*D0kTbsYBVPhbCD$FQQlsk6pnAQKOm~0bL;@sT34R?ALtsoV%S&%JB4lPy zS1N`*!V(xL@!I1SuQ}}-Zwo2)Epj+H?W$Jb`!`JNZj1&yTFD2W6!66A^_t`P9xaUslM zv77BfiH+m=M80JDiMIkW5S9XZMrX}GOB;Ol_M{ASN5Qpp*|NJ}Jd#n2&9E+489Nu@ znRf+K@4?(KIpQiV70G#?^fmV&MA=XzrqxDWy50&;C}u(E85gfwB`*=YB+FgtzN92n zZO1to?9n>}-<7xlF9IjHh3CnxN2ce_lwd14K&Xe9o9hqsCDt$_KF?=A8q+g9p?HiK zJuB=dB_ZE9^15#DvV`qC+TYRjc+VUZs5?&QCU9`{38OHk4XS0UopAkrn2gxYk@-g2 z$TkvT-@x}4N(w3siKsb6I|?L%#`4Y0FG3y3**mVYvInVb6cczZZ|MBRzA(0%bfLTu z3TK~~5lUi~K=e@LP$4cNcnQh<(P^N_bne_)0xO5Bj?Qy8%|V0OG72;eI#2kC5Up{Kk(G=h z8p`(_(;lliv+%>H__2TC6ELwfjGLDkHUw#Gzsf#3*iGn%<(a?n*3)ZqD1a|f~^ zT}uDYpca`&%u=a#?m4T;R=D6Z4*Rr-it8zyO2yzv;3L!VPMrUrFivmS$0bx|<=A{D3};Y5PzC zJ0dAZ80?&PvgoHg-&5)4{hwdI8gM`)g6gEn^+k(@sd5K`zo6d#PwD@XMq4OW7#79m zeYBein55Xp%FN4D^k4#l;&e@){FYgs0X%sz%|a%=od2vR?a;Nf)Oj8V--rA^u zV!)8XMryv!l<3Bc#Yk_3fz7V$_16^pwz>>HvTfS#-GL^b$DA|ztPp?toMH4fS1iB# zM7CeFwZ_sZ{@UJi8~4O_H&jzgtWC^HD4xDF^kMCx+Y{3F|GhK+eapgU3$0!9LPyWZ z`+cfu(&Im(osaA^AG1Rtwg$#~CkL-@?PygWdMpBN0j<1On&~H8#yR6f zGkZ!z2ExWm2o1jL&6z$u+`F|!2r?Su02F%l?u|s^$fk*>}By1G3+x?vf= zlj$_9=GF{2f2)zGlyv$hn==HwJHz|iB$!wh4@K8av}FchH&)Bo70DTRc})T(nT)#N zqE};`aP1XVpWB;%tqQSc`z(MqlG8^Ue}gn?jT@Jpn=1!sOe$dzMp&>5{D=9mp}89& zS84v1U$qlPPeh%sosWpC`@3hGAXWx;(`xGU~vA4 zBU6LP9rf3L>`a>&$>EH1NIxSaQhBHLAf)=!wCt3kc=CXDFH*OT<7+RYY-?tpL{3W1 
z8WpAs9&CKcwX;q0y7^`q!{-n*N4X8cVhi`S1&-DCu(d;qbMDFV;~2hc1e@MWoJ<%& zH7dN;W^|w%?8{X5Bf^nbAV7Y7ckA8VVC53tjW(`?cun!CJ-_^QbM-D1fWjfH{C*>I zge7VizhEjPF+DoO5RYJ{!6)#f9q&Pm#uTS;-QxyO>jrj-s40k)ql|T?=@H&! zz0(cjt?H{UrCYEXUC?=mg2AFLVyY=&mEgh`VP}S~WQ4Kt^OeV9JcU&qjHw3D_fL9u z&6V;W6(+&{nPVfeZh_O8j+Da+ljzExx^)LDufxy{tquFx4A!Pz_3Y9}B^?&d&0qyH zb&5M=ycpLeqJ>V}l%PFA`0h7sxyCn?rydw^{+%HZzfjK7NC2Z9VwoQ9(QPuYU;I^e zWDd$?8U5z3(g?W3Rt|&ve%ai!E0A!)M++w~vFy_0_8aV*{dhgy`u6?D`>Ot1HpRT@ z*i!vczW4?1k2p8%^JG8PFUm^jM^)^|SsFUzfTiBAQfb!XMSb7R&~gvRj!B!p8dyaP zF~6VG(SP%m8#gOjFE=DCHF}=#Oxb;Y(~p5gNr82Ge;$|?)VjRR=o9QFbD_9**fSOR zkUNGKgAe>p_nFOW0@>hKbOKuucA9hp!ULXbStd3C@yKNUZp24wmW|Evx|X|&`Vk~B zc2b=Xh0N$`cYsEjFy`rZcj~8m`>VFtkQ?zzsKs-0#e85A>7#GIep;hPqiEL4u0`?F z6tK>f{ZGAKev| zsWVAG&hBbQZoeMuB=N{G-Lgej+)Zx1Sc8H}i$7t^5Yi`Buo&-@Uku}ylf=;C@_e~c z=aQQqyNm*~^A=0X$d^)ZmZrD<87bi@RFaLvQeEDiRBy#&+CPJcDrhkx~vuA{7@=Tlf6ozc3oL9R27Xozfl z_s{QfvqoH1?gKS<7AVuvW2KMx;@XWd*JEA$%V$hpLfFgo$dbCE5TJmDs z^A2Ur8(CMc?laQA^ZR>^zkWHcTshOmrWc!R%t0740iSbH zZ0WyJY~<#aiGz<0`?h7GR@7(v8TFm=n;t&+-g@guwOLEL@^(Abab~Id>J48XC(Zr) z+i1V*EUjV@y$V*IqEST2vWj z7V7IR_5%$bJug_p5>i}PX_{_PB3L0$B|cf~hy=bUY+5wCX~v>g?_QKIT?SS!9PbD! 
zz~*8mTSB@K^CB#jseiMz*7?=B*Nh6&@-W^K{5a`?jt1-d$WL<%-WW{H{nH$A?19y=G1g`?IxrzwMZ*r^0}NaRy5<)mwvR2Gj0Anik#1cNj1CZRgO6 ztidG{8%bsBD&YEbZW@RqRNe=eDfHb{w%e3N|iM5_7e*Skl2YMGdBuh>slOwJzt zN$H15<_Pgq^dLDQBOfC+iL$+N;jnT|?4`8#%s5!cbb$LCffnx~B@d3TWv3VH!i0B7 zpkZ3l-UA07Y3Z2YC`V?PYj;^Mc6yK+V=0x-w@n^LsV>ppVf$ES7f_EFD`gkiQ{~UB zzsMD4-Ir#1ZPd=4ch)FimGmm0GWE%mPxBK)#_8DR2ELfA5AuezcD-)D;^J2CQ(=?0 zT8(r+&N`Fp&2dA~+=z{Q<4HB|sHslrd;k9!dk=7~`~Ur0b)~(h)Rl&chSF9Mm5?Mv zBn=};DKtnZX)DQyipolob_r?9ij0N^4I?dC+1!uUb$!S6z3<~b{{P?c`yI#iyRPE% zdB0z;=Qz*vc|L>5t`nJDll}D$NCH20O1)xW6UNN~nF-ECUm!-HFgGI{%6b2Y$+o^g z665UYoAi>Bmj2f4hFlMJ+0ZFOYVNaYqMU8OM*e4FM{AwwTOs{=E#H>1xa64~C3Do$P)Uka3B|h|(1Z$aabo6E)SX@L5x2X1shtML zySsN7Oo?LMD)dn0E`Hzmi~uvf$k^G7ya=FPpEtm81p-urWZ@%wMhHkJB!97YaOpFFb1$pg&|7wT9smXW8m!F=dTZ-sH*O zY`DOJcVmxQZ)xdt>J`B#;Whw}lj_m7LQCVm@qy_Y?G^fHFRmQAdBQS1PtUkRkHe~s z%%*LPG6~y}H~F-;)aGe=9_mTqzL^>QxBh4owsB}xrrlePu|0Fbi4x~YoE$=i@4GlV zox)U`1z9r6%3^~KOI07jY0pHRLZKnUnvL%MuPpdXl!=E>rd1Md6W60{9KmjS0D?KS z_Mbn0rodH1^Ax2z@g{kS%?1g-=6TZX(?ikC%<0-TlPZ^IFM^E73+~tV@86%}^C~N= z#~Gcc)V#vw6=!1SHrFUMiyEy$DGK;81G}#6-=~iUXsQGe0p#Ndckb)66ZP&9G94m2 zb?kUQElu?2VyxdVnpGxR3O(zY^JF_ic&XWMG@3ig6Kkup%KFI{oxCP9eE1$hoFdlg ziKm?b7KI&AY6$ARWwYnZA<7t;M5-mb+lB1xl#Fuy5|6uMCl5#S4rdZVz zB6aAl>RuF!FQn&BN=o0E|3fq(01FG~Bv@FG)+$E!k+O+(KueUyz?=%1c zxi=3|Q{~<|4wB$^KS9vLFlOxgbaPX4Dm>wS$TPbiO5U%F*!4!g@X(r3_?x=jKIj-8y zbBBkct$DL))rynS*_Y#rqZLjbAN1AjO!LT7M}F4JORu{>ae1(5)YOX)&C1{1aKzb7^)(G?J;L9AiZel(8)29oa z5*NjE6{!}-!>(qr*ACYTWL78A99!U{PhF(`tp(t2t;LRyzbrNyePL@2ii}XRE6>qh zoplNH2(%2Rrl(XWEDWKNMge_@j*-waV#bVex{zkPcOcLs}D zt>`tJn(8JAcWl}vJ~<6Sd)BQ!!~zCbs*R$g*Q_m{_L^OhT8-!ueYae@@Khdqx_40yF#1@;yZ}TG96stxNKRqP7sYSmy zpIe4qJNH=T^O`N_kbNs>?@U~>XwkfIJ-HsM#lDEDs3kpZM>DN5j8g+ICkbvDT2kWcNeif%}xVxvFWUG?@A2+5r{VebHbA#sN zj~1DxE?eK5z9`=+b93|Wl}Y+GwF`^Q25ek&%r;UwD)0H`j!gyM&b$f6U;8}7yI4`e z%M&q=V)-!_me0#70WnE{rN!6T0W4ecP!ClWBoW7yBNd6CNU*62H19(N_oqkpz=~_u0Bz)P5>W_zeuLD1EUA_;rafoZLX?)CCdAqK{<-%Riy(JyE%l9AaQJa9nQbp)p6B06y{#I`d| z9RA!Z4hQxb 
z!$*z6;7m#MDSRz5$I@F-GN6G^k$4FQGAfVQ>ep|1VDz#U02E>unYhJUKFt>rP_zep zbba+Ww_b4@JET}2e2b!rhQMBXA-k=0M0(wH5fS(!!0T&^6;7;YTpFfxOpoa-Fk8%y zmo|cHpwt>YX3POTuR!AHc^1$kUSDbW@>)w}x&nUUzT{XWfC0K^6X{xJ$>fI~$HBmKq zd~2pU<(qUtwDpl(40Yy(>pas0p++ISV+%k)>MNcOoeA#?2FK~4X{gC@6%7dNgnZ&i z&{FH%h;Eqt1zeh2p*1kEwWTqqRP{isSf8qTFFnCRxnkFgZ835U4?QG)zCNK|IBdJw zGtI{t{a0pn3p@4Ja@KptR|a}LT93RrH%0Efp?O%E>#jiCfogB^HADT$e6~ZF2{*P(d`YVuJ_SBRIY*XD2x~_XM0~$!q(!=&b2L z`Nga#nDDE{`}54ql#Vp3)S67V)Gg|vyPPE=%+Wa5E8evRr`JC`8>nmq!!Q*i=$fG#_yq z-zRgMt{N(otSrEBkZfjyx@HzqYe2sa>{@VY6|6aW=T|bGC%FHRwj~tvgmR#Dm|^|o zb31-Jv)EMghDnT%%4@JJsQ$QP^&JqfeP+xMOH&Ye-zkSb`H>>h6I&*X{T8SGh;urS{@o$+d;O-m&3d^x7QQ=$GUved zy?>nc+|j+Y#Jwu%_?ri3d^aVPzP6E?+voPshi>zi-JO=|+HAivxU9f9Onsd5=$B{E zc67Zstfl6nLDWN#-l&!Fzq=HV@BeA#FAC!v2uW_P@Z6x`csBV?H^VQus_VuT(i1OW92_Pr{`#$>Uk?+qPn`& z{)$Hnm27U_d6F9$TYBZCLF17k$=&U5C)7Q%Hmdd>vXoRSJ$iEZzQ5H%cJT>qGv$pJ zs3pW@J`MlXxGyqn!>~!3Pme9~FU#YP2S$+NQzbX~x zdA+A`LX_OpLj$Ic`gri@!cK2qwY-%-tTu3_^8<%<0WTvL-C5l5-r-uG&i@fDHXSa0 z@i2e6;qjh!_rBfEX}Macv!qFS!jAy2e;7rN{P(B(TN8C)&oB$7B2VzBR+rE29>GUQT)x`oBNkPR{e*g^W*qW zo^3O^CUh~Uxx7-^@mR;fQW_LQMn?8wO*u+A1Q9Obtw+%NBdVDVZH2%XHyi)*a_qUu znfnZ*n-``<>O~QC#rkN48foOpw3=JMhy%?2sZmp#eQZGI8B2nubQ(G|#5R%^aFN1? zu2OBj8s)FN&#j|SUdlEugNsLQnp(^8%A2lAWFB--O#2E28lA@G? 
z@&9t4|2R62H`Jy{cEdD5a7Ma&p7ASOnrmK#MMUHvR7R<` zs$n|OyZ%e)G1@>C-_@H&#Tcd|YNC34#A05y#E7XYV9~IQ+-M_(G+#L(=4j_06(|~2 z+8LjdCpBP5a+IXbV(H1;)kzR;x|BWu;7?&Ue9I`%`Ut!k>Yi+Kuijk^gY-CFogdQv`7LAl3w@?^Rp_R1Me#1)*?XK&nlLZfR~X0K-S(ri*qKhbWzHKGRvhm1PeLd`OZmV@c9C#D zG>I|Pvq|t6<)}Tn#jc;jt>!LE6o1xCto*t6Yr|5XN2Mvr|CQM8INZ3;HZoD$nfCut83fSwF#Y@v&Uf6OJ8@5mX|*y4hm_FC4*u@ z4aRn9#HpYl7LV>F67}9(z#L&0zaB{F&tM%hrW`uYi!~`U_#D#ndQoCo3ypHxY|6U_ z&z>#*U9|o6&hR5&3}*cqlX<|?&41*~#kH|=r`|-&D2s{QlRP+P=SJ<`t)q%lI_F#e zHz3KY9y*Sik#pQ1@h(*Mt^I07xUdL)7EYN9IY26DsWhOA-tBrjn@;@_A@SiNI}e$y1DCx zFZz}kYjRUw0Fz`Q5oAF}!71Nt~z(AYFBYpL$Tep8?CZx&XFyjE%SVT4U2iV-#Mgg+z{PYEtO~9nql*@ z?#ZF1+u#2r@i0p391<85R4E835Mdw>H4+q?`Ec_ne{=JjLvz8YOo$`SZ&BSvKBYis zwgwYu294WJ&&FhE%7-d~nIM5!b=j5GSKemj{+B=j#l|iP20B?$+Q(6}p7*$}!Y2}} zEnvgUfN{ocg~(0JyZM%j9aV4#Vj)xAB_n7e=$4Eb?`P((BDAG`5XNb?j2 zHwH2;R4Oq9PfR^W0?+q9$6Pdy?Ry|xBN@8XeoYC^&+V ztZQn8y^Oz&(>vBv;r!gTnY1*9^7W#lflX1g&Tsm-e`sa?x{wOW*8X2qkksrDJ47KN zfBpWQ4DQR7oQ&b!?AfzVPTLq%(5;zB%1lZTisdFsF6Z=%D{fB!oMRO#zj!|&GEcGH zYCa#0g>ZskD=k}4%n?2b4Mb{L)3xICXSA$hFS^k45TtQb7V~uX>Pt@9u2^vR_S+tF zPF(ozJo;(b&}E4ap8MZ*tIk_nq|*11Ydi0s&7ExaZy(W3o6fq7jZ~C=k#O8jnT52# zNc=K^#k%d;0oDV~+IKmy3OREer^9G|^%)Pj?`D0t}3is!)Ue&I0b8VVFRGOG>7DH=!jl&pV zro*2>_8EWa`F8KT5swd#@pi8QKM7=_4|pbJ+Uq8HSjRvB0nBlQ#1FM3OU7k^s>Lo& zhEV*RaQDi`xB>qL+jn=eR~rMmaAgmmyZ)8CM5ULMR4R@KZ3G?xsKB%K(utOE6@%gnK%<`)>T4q2oP~ob_}$#wbkZS3eQA=yb1=F zUNM4XD-hNy;}t8!IS1*i*ZEVLoJ5SyFz1SLqwK0Lw%f#r{cL z98N_b{@D9EsJ7^?DP2H-&9N^N)|q16#kJGxN*z$UQ3g@d_)-MkYy3H@xQ!DqS3Q@$ zx+M#ksVa4Jh=f?i1bmFDOc+c%r|(+ov=L{GB}7R9D6zNJSALm%p(X2mEvdqt-(Es4 z2}F5>5PB8u69@QLtDm~xA)w$sfBu=t-?7G#ht@ZofF>b?rLk*vL+Ah}>**OFS`|Wl zQ8V*-yE^y8{UU_;+GofRAxA^u!JLu@V?FJ}*^pfxA{Souyei*g} ztrxPvVr&~&U${877@2WyozR_OcY@|;9nTJW46SMg@rr{O4x;D$b`ytJXf`;!6YYyM z@@#HCxVkh<<1dLTY%Zj!4DW_hP#mN+pN{;SpZ*!S*akze{6IP%0r7&(u*LT%O;Zln zHe8umip|4^4;Pzp1vwKt$4mVY0hV8BNutMf;1mloC7u%_!74Qg5%p+fus?X)Xt(TY5u97Ex_#ouh+QS$ziT6H77QZB#Y4U0Q5%a< z3%8c~$bwR1J8#kK5RJR-nUC(!g7e0{RG}mSr>>4D%~KqwQVf56CMQTqA4v`p@w7%x 
zaSqaTNWH5!ZWQqlakZAqrGZJO7_p3XO@C3XmHNs>{{AcdC;lg^UzsTTMfEGA>n@+V z(D2+&#~~v|OkH2TeZe}b#X$>)9C`ok__mL+x1Co!J2T5D>W`BCt26SjeUlLCvBWHf zFxW_WNKqo1-h_ZsgzU+=G>WhQBU`pJk5huZvEa(+KiO}I`u^i@xmfcecc1ECOV0UgtaMkn-J7cgk)^VN1Dgh zIx%KL8-} zvyKpWA^kjeW84J&h$EFUBfcrGS-ZCFeIf26&4Wk4K265-l z6rj0CM9|%fm&}MlX-o5wDI&U(`R10ruVxD5(}xdp2?h08ZY}c&qjj8mzDj34j4Th4 z`2u_PBY?=N1qF4g2%N_6+;gyPD=@)U;es>HnAM<&z+ z3Wf-Us8EkH2j)8Z)lv5<$Ns^*8wuw&@svnaH12=3xo0*WP2$>$@OZE8Qy0dc#Oa{JS(BUWm9grIJBo`^ z<69KULy`Kc&6^hoRRdblb?^*bg~Sy2ci&UKsL4=^UVL?E=m&A=7`gkSRbiI~v;6$+ z=_#RaQM(iB%9wJ3DgHyT?b+7mayKazSC`;o4$1`5%4B|~kfSh1p140DOP-D66oR=M z-WD=JF7TH&V<;#I73Tb3obu)dHWUd!&b#768eI=(UXkG|iH4dVi3|R)B zq6LH;Slo_6r!6F@04E)UClXZh=vBov6%~RIr0t=c>nb_{CPT0QQxbtVywc zK|gOh@qP*Dx+WhEJMj`k`;zH`)(1>A8pNXPE2^XtsP`6)e8L=w&#{GY50Y;1v zA&&izOIspg9%Vaz|M^n~8mf--{0MTQ4z+>toz25Qi3lG;5667Rs#94qij z_O?R~3byWCc}pK5^Fn`ua_3}D`}qf^FFmNXq-sv=hL2M|)OcxJx~AZHE2zcYT0P=r zTA|X3)~t$iV~h4_-kcCNxIuH;R|o8IyCW^X0Xz$`hA4WEmsdAP?(@8m*r{_KCoSfZ zcXJLd>MxUV3@fLv;d>>7*I>aqW3LjyyaULVOz1Mll6e_KN_~o)!2v^h^-|?1vr&SaBCKtcb~VU#Q>k-5rra)MbR zo85(okcm+tB5Y~+rXX^oo}N$6_-ZN$=cGu(Xur8mqoBKfTdaT52+e9a_tT|f_Px&* zI>$ZFyeAz91s2ZfJZ8G6AegWLFs;M^P7Jntyu4}5y+4Y+Rm#Pc7TxGt($gnT?+0Bw-C1ZEVfpp~%pr^?&M&c( zE;jmyj&pTxLBXGh^h7x=G6f~I@R7>L;EtCqFu|-uGpwkDrg7{FnmRO<^>2Pk0OZ9< zwPUfF3i^cU({H=XF-^VO!)l0bHJ8kJ_j=JJ`e(zxzM2&*)VEE|Xpscr%GveZwJKZ> zkI+ZdumT6=Uqw*+(irI_x$c59KJl%^y9~jsWSgyExUEOtebug)x>Qe0%kS>~t)yfh zGtmY0DjSx3L!a0gtCwD|bdtLaaJO-y2b$HmS%|DpJHu(#2iaj{D2(eeR*oG#p? 
z(04O6!ekO$g@fCY=oc;KBUVg6zRfIcO8)_N32T2JtD0lCWq)6@b@z>PH+PJ(>C@cf znXRu%?&6s0tWK`GCMw}?QhCj7VQ9^#Mu zFiV)h4HQ5wzh%t$;(~36taK$S<;R%By!@bAcD+pz*n%G5?36)XIlYG{-kmZ?TDpqk z;!!+GR<@$BwIu*}TO^#e)?h-4pA+=r51+L;=SKUo?u%1ZL`XZ=HE_Ymd_~6zj1*qA!S~-xiV~IPUqe z%Pg%V`svzBM1*~b>~-zx)sN*aMGM3tMvcg|kbuXIWt`6TuF%EBRwP8>H%uB~llF?E z)AbmjjjcJ?Aezx0J=}gata#}w4`@zc4B+}40Jue|epn~+ky84$SqS&ZJP$aA?vYDc zThFa~nRNZc&8>H_{O1Zgf15FWyq93y@iw7D)aJV&>+gdWEgbew%$XtgXo_ojno;QT z`=h%_Or}F)>5W(mYaPcR0fR+GzFuB9aAgy*QG_>^LtxAr^+Pw<~_eZR=n-f{`Ba@L62!d{fa80B`a3ku1W4GUH*UoPh6JqG7t`4fp;&ACTg$cSv4n}S3O3c6U-f8P<8gSZ#XRhO9t zf9b=-qmK_x5-afro*%JBZzOZT6q~1*ExOB z;>9o0OhpDvKyN^s#LL4M!7#}_yUT7&mIkcR?1<#yN>rf}1zjn;( zOm|%bytYFNio&Tfpz0(UBPwpav@H6iLx)tT*`_M{=*gDKwwau+QyJepjvYH@AA`~} zk|Tx5^DzR-WX6PL7q8sp)wTF;l~ro=pZ-Q?it`)HbhcU#yXO3H);l4ze!rorQBcqd zrMYj`XH88C*Bta?!@Z-E4-R_YVcxY6EBz_v{a38J|4YtFt9aVLS^m39Z&}hk2|}%( zyg`aX0Ul@eSVc2|cbKb9wi8a2I1LbJ7+o7eC81}AFV5&;!*j zu}Sqm&GNXJPXtAWDLffzL1?z_b*sh6N2KQA%6eI@A4aVem6Z(4N6bxk#2J}+y{NFD zlqr;2LI}W^v+tDttar%>QCStc?AvvrDHWPRtmO4xf`#+~N+8G{JalL{LSXiti>Z1j z5ZIm^>8|r*3@3xX%JyVXWzy8CFQQYrV}(e6De6v|A|Q$B*2BbJRSM(X`}cRiZ(lH+ z1~Dct&Z^OXSs{Hwl&QBVLlAF(E7&F#p)>X!XY4~%6HfvV()WHVpP>xHcd=zDG}{{* zhVF$-X!m~0318o^t_`=5Pz%_Z@*QQZ7$4%y>Y;8yUnlglRDm<8wovPitv`D`I9kze zE{|RZaL8{xm-jPera(to4X1b4aXs5EM4aPlKudZey886x%gHUx*KUZJA|bI{AGM4{ zxr1BxXOuxvjB;uu`=KajOJ3|x-3<6Y~PXo zv*?Rcx5bGF`0AC>Oa)=nMX_(`Tr%cI;O=?~A?k@{wKxTI=DJY^Y0B^^=JZRx!EM1o z3kLt)jTM*h;IKA5K)-e_+jl&vQ#@Etfx{u#$c2Ywq3il=Z9qIUMXN&6SB%3W~uIa?yia!)p8yPm>cgnV) zTR$bV?~Z$PVdwAZ&(-Cp%D0}~zG-KFd4mJo6n##T%QF>r4hW)=I|?O1kW(HuV@BPX z&SOd~x#1#DNX8DDYLk#t2>U7q_y84XAjMQ4FO4z0V3@|@hWDbCn)P~(Dmt2js#kW> z;BqCh`R+`r%!I+@f#Djmn{;1t=Muby5a59>it$#exxv(hK#)14L)ncfoG{@80VE<) zs-62SKt-L?GlT~NiE%Wv3C+rv;*G>Srlj^E+(UsuD|S-VSjZ1VWhnqkhDI(x(lbwl zgjdz>9&@kUD=AtwSP)*m#KZg^H$v8^4ZTUxIIr$e4u-UHJ+^>$Ey#EJFx@ zS)!bvdK;Sy|0QNU#iCyUeSp)!O~}=scjG6DVHEl+Q6!?l#t&F3ZFMSr*;*brRkc)8 zk1U;5Rw;0ihM|q*!$ab17o2q0Yju~ZVx;T?YC6F+BhBzooiTZ1;k`4U 
zfr{Xw9_tB(BNY{WaM?wqMfEQw;I?X!Kk!Iq9cm_@LQJF41iGE8b^yMTg_@$zv!{N( z*HpQPM)nYNB%ks`7lAdXR$iQ3Y*?7K2z@&*2aUiHs&RXPTpaszv5CnbUW7};>Gpz&0F9Lwug_jlni3@r`lV7Z#sK9WYE4TH_LjXi zWcA0w)mdK}@AP+VQY(D#dShUsn)YA%zV2HKpZ%@x+fmwAuY2>}HxIn3%{ENZvkXaH zm^i^ZFLw?4zW#mtKIZs!mAspN5Ri}jqu+L1mgMWlDp{;}qw^p$*2LN0feEp~vGGd!uHRNTZP~t^^E^wk zW|{C_efLh--O-{axdK&ecC5t&Ch8oT)VhU-G8^_(NgQe#*t6UEs>UR?t z{T?0Kp(0GddbiH0N}cZ;E?>SZ2qAFF^xdNioQ&ILDw@=sdc=p3`7rKZN}<2ToF^Yy z9%c17ZNReyjW&CpeO3Dzwyb`}E15fYAFO^oxr5)%AvyLPr?va?UF)n)0&7@7j8dore| zJ6=Ac^R0Gho3qn$Cf$Ce@A_tAW^iun(U+MQojtN`GW=@SyM}}+4bgJ0G|zWGe;;85 zG5z@GYDBccj5*5wXWj`PA2l1Biv{bzz|gD>a@k~SE08Df*rk^p0BZTO9>uuc$fr+Z z8AWLJn8KaEZ!)Vx! zKDE2uKG>J(?S0aA!4=gfYFD@axEy=+_vNd}Zw?Mw{`%1QwU>TezN&R#$le3PFPt2> zVfT1Rnav+-J0$J&|CZ>xHm1rcxN7$1%+qlWC1?2G?FCK?_fZKEI!y0u-i;Ed=zDx< z>=M`moPR`O^7YM{{75z+9U<=V;9B$CU0SXT`fCMDc!tJ-H9G#uidLgOW6TZMe$6(^ z{m|^|8(PaFTm6Nf02-jr@xP;z6etW)ut%*Nt9w==D@0}CIbE0E4Q!XtZM?ke!X?)4 z0qB)bG@RG()$xx#tpo8f4GRmqPts)*<8CIWGiFP-K1WiBurRyL(j zmx4KEJx>lJ$qX`IniLCQRC0H*+Xe&^o7t+P9m{_W2IE_L&!t{FS37uiAa&J+(*jx$ zr3?dw@}=~uLWCw*B`6R}r2IFmv)e*{-E@gv8J`T9A{rjRaxv-zhIQQ`@?vBwP4sdK zB1(5m&=qs-_wC&)%#(z|4@WoAV@Obg@tm{6H2eHH$9ZHp_R-3KSx>UFmn!D))Bwk( zBLIMueu6lJC5MWnDAatuWp->?J3?Y!ZEc+bHOQ+GI|~GNNmK5kCnZWF@nIlwiZ$;p zdC{Fwh6N;fAxcCI%iy~3gaOnUEmaDJl!-8OY6$|_IYQ7bzCqJ?9FJ13Ea!`whPURi zEaE5?kOMl4*;&*;?@udj)%x+aPEKz56(Kbef?dW~F3t|AG@<*Qsx!gGMr5(YH4G8H z`-qM(aCkG|#ntw!6!K>d-Q^vg0lAMTcJ-Py=eGUeFftdkszHT~8`QkWEY?yF->dKZ zA}2?zMrOP)%IR*$KSB;$?kcddv6Zwo{n#dSMPKuKSpl7MFMAq#WGC3!N@`rpYxASa zERCJ6r78-MqLHC6LE$yURiQAFDP`aBEBw)aT#(XbjyM&tHvh)@K74=CBM2x142$+a zc!4j=VG1%B9AuZ_ql|zES_5vZ>W?PgBC0Vjt(AA<;+CSfFMC(o5S-*xwGa0lu?88h zw#(bzGYA3j(YCDMG*yH-?kC`1)8E?LZ1~I4!j-Ml+PUJH3&soHo+%!|X7OgBS$a~v z33-{9x;!-&Pv|j)QvSVNvpRdWCB2AE0JznmwQLNlxdmu2ZgfBUQxjrSLsV4oPZH)f zG$_nj9?~8ais%J~Z4fmM6v2dWH&VU2=Nz6f5syM9+(FD)1Cr1I&Nbhe$Q=9S95)+R zY?~M!`K8%4bCvK866QszXPa)$DWr9fnrh>#wZfEn5ZFT@Y$kHpRtX37oweWBlw2}a zd(c}16&Y&!tP?L(7Y~{qVOn4L@I%v(%5X>92e+SfFb)MUPp7D-uipPA`?lSxo7Knx 
zQ;I8>R7wa*z?3Nl#lnrArydTbsdtyHW7=~h96TTZz-@F>XT=H|7@WL0<=JZOZKiC? zIe&4b?X9wgsR{G$DNK19`uX+Iu%T(z3I3yU7Z`4@-aagvF?ro6Jz1}P3%ssve8(t; zG~i#vge=$QurwIXZT)!LnS}33J_IY^uMCj5xmu}U*4lG5`$^pU|tChcJvd@G$)&H!C- z%}0@Fm_%a?Mxks37|2>0KKU#FthK2d60Eb&3%wQp9W%C|C?m!D44&cl)J+V}@x(QH zxb+5^fzWzk)r!(!%B^MLTXaukT({|vA0De8*`3CLjjx?lRFcNki1l%Th$htM1HTKG zaZU|TN87Stsx*b5Up+Wr764N@MbBva(47nwdwikh{>XWBMSKz%58-;xHx4edtA!x| zWmIImsryjn44PI}$Hi+6VplY(J24=OjEqyS`AT^A!{!@9U<(2cg5x|^TZ7!vA3d69 zX>Ubh5L;v$TH)Yme`kteYDW4%OQtFhbtmp&)dOreS%~5Q+cz{lLxUs6ts%w_K(&ZZ zO(K!ss)DkB#$GT+{JKZU$)k)4Pr~wD2V&~lt(%Y!g;nvAEFi0Bs>KE<*!OT}28BY` zgsS^|R2mz|1VV3yshBDdOQPf`oc-%zcC^YHpu1`IPwE!2)=Q>?MZ{#wNW1k7I<)|W za2ZQ;Iz07~UPz}Z&`hw~zGHM{-YVY%3A$mO??dk<05DCrs$ajv+#|CGle3?73)CL9 zw>A)ov+!LON=h=&CumdBuMm6@4(rf_efl&!JWFTvhSyhyF{CyCu&s{Q5e- z?0MYyfDcLO9i&ckw7T90Qx*7U8kpTBpO;M8l03C4I;%Xn-va!#hBwWdY)41NPP4;2 zT!QQ~MXSiUzsBo58YcTxVS7z)laM5L=j4&E290cvmaZS|9O-{f`pd!Zt>)85`(5zV zsZeTlGG6RH zW{NJm6ab3JLZSA66uS(9(RN0F`p7R-&-&714UbNEF(_@V{5?b{-x*DzlrT2eE(Foh zJ3F@xcj4kT4zm|GLHG@B$Y>;C1M=*H+j&j|i|S6)O{U7gCzhok#~?tWACHFlh?sw{ zcaDtUQw1*0MG(?0GSl(&Vq%a!W7i-MY5Zkg$bFnxct{e0w&N*D(EHvem4M}myJ9-w zDaI+J06#}6TjAP2Z{9p0lZ=01O)x;-X(b;%oUJ?!nyYt8O385ypUy(0pEoxT1DROa zWNdeI1SFhqZu^+iuqf*s=0FQ$V%}f@X={7BwA_<%6rx8l*BfQ!DYPddKXEZ5CN&cc zh0H}@mXu5xr)Qo3BN<8m>oEl7o6coi>e58QS3v&F8g>6|9VKEb~3k4Q(N0$Qtw$aXHEjyVw74e z7^N~D&qz_;@>ujSpBP8?xpx&tLGZjed*>r7*->99Yae%-a8Gr0p`u=bXZJ`HbEGT| zh2NXkjY309MTu`+Dxx5)vOc3*Ii5C&DRnXbfS^~H!16;xz)HXKvwTEA`uc)|nLUOo z7m)(z-kr1q4H!!}#S}1w&TFzWe;R>FMN_?lfEMw%yrn40Z^$a}4>_z!{0R!{0+Yzf zXpx1tOrZAf_ce>!?w_m}RQ@xzdks2-%r7n^} z*|*BdziLf^|zB)=R)1{5;D3B4cwiS~j;2cTvC2?$FprWPt zaTKhE*{avS7NU3;dLa4+UQu_ZQv5WVk0@>1rsTLOUAC^gQgztW8#i*imXjsZ^tL!6 z%OzyyJpDywBH%!>W@*&0I#4$v$A#1J)G}b$p{Q1c7+%BVSID`#9-1?CzM0PUY&Sr; zeBAX6ONmtV)_un`<|KLKMNZF28e)0M!|ZPM@S6pj@AUa&edl3$gU9s2{6Jnho=u`X z`}7Gd(KKQpAC*Sk%H&si`_88@UNjJBuI0n*w>Q>@_C7j7;f_%1HC61l&`3}9sXZ-% z8ZlXFjBmKMjTZ`}GEz|+9UENCLGw?56H@lDF-CV 
zO$~B{2Oj;*qCh}*|ny-(bBf`XX(2SmkePN>24PWIC1(JVmLlFU<) z*>gjJg3{>Iu-p1f-HZWMF3nJstDlFRM#wLL^Kzkmp1Lw*&^J_(A{6aKHtve+H(we_ z>S3ab4M2y{wNkhtYF!#?s@9h`zkp50MYwtxec0?Sw*C2)kM;uH^f>{YVW$ zgh`2OaO5@SC}a727Vvj-8!C@8u%Vl5 zNY-h6dw1y20qum?A7^}Zt!MH|m937BLiKz1?p@5U&j7V#+b5YHT3%$@a;v@1?yPm2 zUuLdbbjV?}pM!~W>!yK05sl@IC)cjoA6%6+GNf@{$EniT088ZgUkHzgsH~2%8OM>| z`57CUwFXUQMBW1?rZ0}Y*UZPikdP968nev6Lq_3>kLO!i-@Qkfiql>i+bs|X=>)%E z(T*aA&62BNQ;??Rd08af`!ds}8CG5(+l7H92bS!D=_F*$10}d%e0`Ki7&I4XWd&jI%BV9PoCZ6(J`7$)F={E){6yPH*=2$y2e>1NIEA1k8Fyp9|Z7T{nD zIW-I<-PG;n{-*Kt0Hotu8}%PRa(kW7<7GX9)>zP8C}=gWBSWNPlTvn>!Hfn16j}Yz zd#DqVijxB*z?=-$OQXum z8z?y*0X|YbGUa>{G=l1)CiXl8?#t6nYvIe}w2J76 zbqoBFISE#=(=Wb~&^AaNpIY(ZK|AX5aoq;{NlU{E_5%SSPA;U{P7P2P3J-Mr=T4Tc zQ=cHMn`oq{uN-RMGiYUtmPb`%(g=17?dg#lXy5zInp^i_uT>NV^PVK2mDb>`xs zvASb0oEa(RMZh^CFL-t1Ch6x&{}JMU#5{zWcME0_>)Tbpk+BH~bC%3oZVWhHIyCt) z#XQRbb4Du!Oq|hryMAQFD86R+r~JW8o1k8lUE&X496hGgsYUnA8|-U?cuW_@sT$?r zt%ZVp9>JAPyO>BT>?HA(ItU^{ZdjjxtvE??^7!!>aE5#vwvPhU-?k3}wz=4C+ zTs}YlC3Cs@OYXEP2?meZ=;D-vr5g=t*Eus`_6b9eO~>REdgEqdXF3uP$EA~kjFs;>JpyJ0~~!k z)gJJ3CfD@Oy5lp?_~nrk(}E;NrTJ}lH+k!wYB6Z^E?zZ0E@wG3LZ=K_OO3~;Nk#|8 z@RUvU{g;nH0G7RRGE8WFmsZV1oO`!TeRFA6olCihD^!_cP?cz5j#gLf1MNKTyyGuG z&*K(U(0h`SlC)ZnO9xu|s_Im^Rh4*s$!Jf*x4&rqx-{*=v`euWbS6xBv zFD!KaLJuwGBMm-j+SE3o+%!}(DJLf}KjxjZz3`;SP>8|NujO@p)D=@Cx7ZIt0pN@Wj&Ybip0wwrpXI%^d@DU(;Xvr zHf!kU7#?&R6Ob<3LkDJpY9$5QSE!rGHNp#kiyF1VXsnoiVPKiDj``2JD492XR8WPw zN9?IL6UpgJuYxyeCzJ3TJJGcmQai_;#~=pSMTvkWDy&?`3J2#N?7-#Uj4GQbx?@B? 
zfzA$N&9&vDOm1E@xIDOKXKPa2Is0FX5(H|0{z4)IT|Gj>DCWd@;5gz4UPf2<`8vN7 zl~OBBO-Js^#S;!`iO7f12{h4KLfev^{gH$}rf+AsgTuFP-}Wuxo4!10x5?7~Z4>8y zuJ;_{GHrNv&zW{B`u=@f%`8TU#a?)v1ZEiRav|q2ws#iUqTao!HhFcIPHpL8 zAGyxrMG_WW8s-Burc2IJQnGQ>NY&ckzoVj0%Yj78N zJaU?I*pgA!MvYtOSzR2BR!?o=!u_BD{E8_1X7YxFyreA2PzZ%KZ@w~dS{I2gpMv7I zr)o_1Jo-XqUSzDShjZwZRf^5Sn$68k2I_`9aVdQ*`J-+4y;;V%`FmryVEwMTd>6=u zm=d8y=3W)q&!j^i3I0f}xu}db<$V7WH9ODKU}D(2;zx>&(@wL^I6hJ!KVj$yWT`KG zD&((lRz~#~+q>hj-Nj#cwPmp68j5{H!Uyy z_U$m<9W+kaFp)3Jr*}Imso(&MrGg_VbDce4%-4yNVe1H43+w}8(gJXn8y zcp&7B8!J~p0-3LP_GMSFk&y2o64E%QiF|pZ#17EE}bc*0Ug3KWka*uI5F=*^gFRN9tA6Gkd9;8F@ zq!+A=VN`#TB6d~>dI?0?_E&97{0g9EvP~RW?nc99%KyNE6BYH9K0Kd3=+Zfv;SJ5q zxa=TFs4LWeuU@NByL^d`P6=g{eS-6HX}4S#HGxl>hia(Z{d*_?{PB(ktahSZW+Nl3W6HV|CX;QGw~l7k7*eti&`E z7Jp(8RKR1Dj{?nfoP&yrxa&mGkVbWA6Zj@YGyif@#8A<)7 z<+!vS4#`pvAY>>!=90~Yll1GRU$aUh?Vn#&|M|JH`-YYSx!EsGkJUTwTW1`eIdZ`B z!RCrlFJ*2l%2Qo>-|X|&@f)S44D2?`t@(1%dW<2MyzA7xduDe04`wUKgCe3b=p_Vp zvXYlfCqyz8$s25p-?dQj@}SfdoXiZSIi_zA{nv}=0b(-;(mBNm>htG={uPcZr#zWJ zIrkB4FssUbBcKTKt&0Pzh1Sy)54BJZZUtZb}2 z#Fr4dp-&uzDvq9;7@<(}gfE5*h8J%VUg8Ou3r;T~L-=@aY&v35|(a zjMR*QGBFP-U&i{nDJ6d1-g6ljsk$+Q%?*EoH;Ouf(HVjD*C9~X_Bu&%ZAp#*Jz~Bs z3(#ALmiW{Zt5^csFsiP@YZu#bs7(R=1-MQ)7dFUWu%@Tt6Rs@S1x!NZP8jiIOEV?B z@3iA+AB`Hj6Bzu2WDM;oA>dbS?K(=anXU!EXJvC-_!Y{(Hh)A8_+HA7mC)6$! 
z^Mx5w79&4bIXOF*L|sC8!z!&Juus4ejT49Cx-C3cJ%1C^yYOynNZ!ITpH`aoX)e$E$@YgH{bIKPd3kRn*3jR z&%kyLNk9E&Kdrc#1u!T&Oa%ZcixpHpSL?w{#FmLCuWjw@mXMf{+UmVcC@~kMD&+-8 zmdaa2y1hU#y9_tTCkm`>jo*l;u>%Ql+t1ezF18jPe+Oy}dx3H_gPC9vltDRIr0vf^ z5tf01@iseXVnWB~je;N{A%PLziF|YUSlx&BErG!t9Y7OimDRrXVQaav9J*q^U}{Yd+( zB8Cl^!fcAi?%k@FfA(@w=GE=@@MuRR&^)qY2P+5bgU7#p|DFK>au6^df)muoDt<8ZcoTniUBfIb#1wcJ zPC-06D3`4YCuz&AkKEjd-VTunWztNu^%krlBN$V})n9xwmoGeqyu&AYQFloyy_Fqj zBs*YRV29HH`uK6TPkr=)TAuD4wtpGrf>;xE>eQmE=bvR{?5O>DCQrG#rbd{;a=+x) zxEHJgvKQ?U$4k5l?9c6&?T6la3<3g(ctTV${rc5t`v1Py>f(f-Uw6K?C~p9xOY`Mb zVMWN~|I%yZZ^}8LAGpi9g(^-a<+iu&H0F5C$SRB~bAnB<# zZ1GPMV`I*)!rEH5aEn(-Z}aod#l~h4#;(0McP-~!`@#lxB)q`r1x=4L8r z3r7L=xC3JR6nzheO`3}r7ZY`O!spq&c<$UVVOs#7o}xIg`#d!@!3l^;2}omOpCAeq z2e3{K*Alo?fC9k|egYXp6>*4y<_gl$;Mq=U42?1(x`xX(x554c^{`OHLbmPOw@(cD z5{I`ic_8=24OJ*Ii40~hsWb5L2pQL|woA*~(|6Y%3O4V(-b5*`spI{MG0jU1C!8_y za0)nhRch{*>2n@?e5&7A6uVYqlETIM_m?JjjXCvHLw}^(fXW*T-RvLgnsW1F-8?_7 z2c;kBt_$Zc@8hXfp?ab}FV1Gzxq?y}3*+vJ*BalS9<(h4-9c}?QIkca3)fbxa$V*x zdwW<69r254WsQUGxV7F>KlT!{bGtvqiU8)XE3be;8N9ut@L7hnAxnz`3y1EY46%9l zc;;ATE4}e@a%G|046}|dnR!J^Q#1AW?&-G?yR3gVa$@xMInx!>H~#gG>+al}IBVC~ zS&DDRDa9)*BSEtCD6D-tYIxr-uNH4>-f4L1K&d(vxXiJxnG25&UIVF3T)ndT!Je$% z>YvRqPO-w7Zm_b;Kynu)cK%iK4h(LBGz1YVkSB_s@?Z3+jguI?LEj_Tah^GO$2Z|B zDwzF%5#Zb-*b77Hdv#sbpDYdO><&!}&;+{s3nB^^d-PNN$uuvP7l;%}K%6t0cCXsG4>0&^Ljz;o>5PRp#(IaxB$s_%r7DeGXAK+nF;p@OzN+Et zR$Wnukq35v*eSC_&8BECV)bdlFN^s;^Q~>#4d(7qL(0K30sX$ZGja;C1(&})SQ4B5xIdxJ(dF5&sZ&0#j`3`* zJLU6W`UF*-XPVPSj&l1m)GNWhN5PAsf!piftL$I9b7*!?Iu(>?h>k}XG z?@#)m_Sw2lQ5EBnh2{CLP-d~T#&q@cVtbb3JY&(+nf33AP@-#3Z`4|}=rc{faq`)W zGW*rLWhQTW9C3AW*q9-vKTn(-_h|Cjly#G*wHwpYNp-AT@RXI0W~VM`OzyOI{X8DX zz1bndm9PHm(V!+$u9NYof?0Ww`bRig;+eW#B5>*fFFi;DkG;>Lpi{eXY{ z5gCP^lI#Baq5u8YiaHIiyEOOLapC7}@X*bh(t#zf^A{X&?*E@Jxo0+7K&d#>3G!;c z7K1;XDc-tfbN`OY6^lmw`^Wt2&$=ia@E-L4`oR3olsS-{Qv#w-lIEuT%Y@E=xS4CednM-yZkJ3<(3X`TBuNM z+M$zbr~mn#O;59XEtBc#^49lNZure}%AIe#{;d=ocH>5Dgsoz(TG%aP3Hx?^Wo^z$ zw;l!9}i3E 
z7S`JDrsTO@`2l&`V?8C>JMFu5YZ{?H(2S9-g-e$72-NmpAA~UNIBPBJ8Mo*GXN4?N zV&b%EjBk3vi@ex2;l!HNtM3CNNucpdslLrj5UI+qW%{&f5rnEQWo5$rSm2h`84PF$ zri;N600xy6E2Rex^!D*NZ)h|$Xu^`DgAEN5@|8<(dDRw=MIV}*`d&?h zZfCv9dDXd6Xxr&-4jwy}Wf1G+_WgKZcZ)S^9st6=aFp5oA+&nK()Rq}g>3?-1sm26 zw6!^sn3<%$_p9^WaT#`*-`iTPN;pzEe3^z^?($;Oprx)BHznP+R|;dYx3^2*U1!nL zImjfvA5E<-wJJCVrNX3cad3D9K;%xFE4E&EEu>g&t*TkU)uPH$oP%+G3guIvWf1(~ zh2nT-2np=+&2B9C27w*3{K{Fay9DuG{rbsD2?ynJZ8toG6n*yGVZ{rIJ@~EB^tr-m zi1e>ZLLb-fA(e=5nWB^ygrgAhU|Puj+=iJ&B$|n|)0^kU{F;xF0RRSw~YoEMn5jcl|L0@Wcn^!pNJcI0$P`=RYHbL2Pg&Z?c00>1? z-onru&w*jNH~5DUc;3LeTv)l{uA>}>qviWnAu;1SD>vE=7^CY>B1CfF`B1hr*CgTJ zS^zFvYn#f8v2cv?5Lo^CHTYej$3smx-Rl*?CCc~nkR16X<{LLYBMrd_p1fe78a#aV z>GpfjXB}DC5qOl-LoSVM|M_uYF+q$2s`h%p8LP;XJuuacGbyy7D4#~}HC!&5umF7e41x>LQvfQyTHTML06Yn>qZ?kF?=gu7BAfLDjH*!AUH7<+rL7QT9`~9Y0UXwaDHUO>l4CbBBEQvp>+)D3;zjtn z{X? z9C0^pV@JIkX@83vbJjoqThz$x&4rI8KakFd4QPCuYeoYntd|h3^b}isqr-fur3p^< zki^2wgRg(4JFA2tGlb1bg2HIAIE82xGm_mZC5xI`r#Sd|I5jkq(&kBfzhxF;V_C! z0|(WzyF=6Gs>g=;J|`7j0xP+D|9tn{x3?@=j1tv=$#Pn#rx_WizzZ#;A8EVS zmseH_M`dvUI&}hzlavs8O^l`pd$xg7B><{#Srts-KnX!NLm^iVbQpR_6e~po(tqAl z)e7-CdpN4FY+d)zFbkc{U*=@CR@dyiV!N?(^_jF+S~{oRUf8&9pkJ?Dtu>KrVr@oq z?lN{v6M)xC{QB7CbKQo$u05crsBdNc?%S4i?{eq>^K#cqJ^~=3um!~~dVPO`rR8s! zn2|ZJkigC*SBBM$v66 zHgusJownn{!8Hb~)Z@F4<+YQIfCk5h^@2`Co#F+)6~)+eVS;n$#-yyA9Ia=6U^q^5BlzIwE`G?Gd^)(UhB?B zrz~EZqNV;-Y@Q;F>Z{%34)A`w{43`@Tk`t~iF|{fi*Ry7tu1zmc~t^Q1fZQ1-w%B& z#L1Gk_jUy>)i&^&r|A8$y!;uAqfnO+H@G5Q_{?nm?aj*VZh^Wt-zM%`Cuc0OgHOu! zh-IHNVMX;E#0eIi^0Pp|cf{_XZ_X5oneBICl!zsiz;#h6wsRrGE@yaCpm59> zv-~w)#a^*N4NSQmZR9D4y%R0nhF*}NOGWDP#(r|OizOCqnb2ih$GO-4 zIyY2XLd$v z+E0r{ecWK(qs-%$)~h$Ovf(m8CC z#low$ZQDxRb*Q^;`qFi0MlO@Tz54fGh=m)`o#!xb^vYX+cDxi5^eEy-E-JFCLixF@ zDIOr)jeecE1cj6&Sb5069o(gHX>0!8m<(iGhD1O}|44R7K2^5e1Z+Bnpv`^T>O`C% zz)6RXns$!QCBSLnZ~)akshe(3X=(W2DZnOE&b%v2Et!hsP1cNl%-cr zzik|40#42li964iIHVqxtLzmwg$m>PTwbLFmVAx!k! 
zUB0qviQZq5!?U-NP$ibuYzNL=(KYcEKE8ba1nr1u5|uy*y=>2)STj^x=+uIBHgM!U z=C-J#U|~Pk^$U*84YvZHTa*ko0^fAou)>pSMc6rk01KlV{wJOk&g`@to>q-u2q!2h z5XF>mkwoERmKBRcs(1hXvcJ$v31(|WHGnJHF|q4Xy9~*F=q+_51;RFeMLOWxQGS%^ z+8iXOG@5y!SmLKqlCXLkqoN4>CO)?1;aZ%|)>vF;B3Y#CCN04L(5FR*d-+{P^4D&uY`i^RQJzGlI@DA)D6Ux#XsFp%?noz{wl?M3F$5K@JY1N!SoS^adyib zT0M6>8$L7ega-mVQ-kg$!&E*tLC1$q*)LC%c0g&~N@q7eKcn0AiA6oi^!Kf$$Rz{` zEhT@8Whcr;eFG7*@rf}rxk6PX%s;SQ7Q({z4bmyoek_|FO%Zu*+8xu7sdBN~-ycZ5 zyWn7UPp4?-Mf&6js|`VZHFsC%gDLx?Y&525lcGiU3E)ETk|_&d#sTzOfkf(I%E=FN-jb+bl_U*I%)= zA$@#T8T>fGfthT=eQXSDvv@bk#OwB@=6y3Cym`}HWUaAzEIYE-Q}3-_yY?dsd!UY$ zyD42BRE&A=859b(pIWD8Npu6KK@f&AX6F>vFr)8XLp(Y*2_PP#G`0i(x` zr%j&t8(g4UUCQ4RW&m^%H0?Oj()62Ye$V(a$wDX^iZd==96s-`)6RkQH8la0LlVvG zw-DxN9=hZ$NE#e62_|#-KWNOyz}GIlSZ;80eH%)`GCCC|qOn0**Zak;c?8iW# zU5>(yA1w>rN|<6&p^+Zm5kGCpqlr^Bbg{+W*r)=Jtqdu_4&X5#9fS>U?1A{-TWz*0G}W=bSrlB<{)MMzHI7$~%WyLJT$+{wav+eKu57qR?iSE*Qh zGW2x3NDUZKj-b2gPaBxplR7oP$ffeOE?91)tJp}OO0 zMC;ePsZVpJENnCnN=zxS5i)kjKtZ^Z(9>-`)=*C@X9iZx%#e)45H*_cM@t*~diWL6 z4vrNda>L&qHq4G+u5GjV_{kL&UzeN} zbvT_bP?KUoG^jjT+A{XMp(5s}6X(yLfAyd-2PuDH^0r@RflkyAG_IVX{@UgyR)bNd zDZNst2VZa4HKjG_% z%YcL-J06J9P#bRh_qQQkFZ`&lF(~lHK1}fmK*IcJTE1sGt$76-mMgnnU@4MB&Ia(tr~Mih^wBMolP+X z2flVN#_l4FmM|FS?b_E@6%F_S`A-PjP7Tqw$EgdE@RFv=(n#OhW`68rUYl80S4WSg z-McLuuP`*_$n+XIv`3)QX)9QGbZvTTnMRn1$KGi*$63WblOkD%iM`7T$-YA$5p@9N z9-!;sOf4$ZV>)6K*F%^Oo11HpsRdWa<;fgyR&b+S?}g{vQ+l)J^&AC9*}bsh!xRp$ zXpl9BP-h09#gj3KS4fPaefzMlwP`3oC9~T-xI1EK8RD4#kh+p%IdC!e^Ej2fmaog$ zSXeoVmH_UDxX@JL41Ne80Q8jer#^IT_n;eI8)gd>|C>F{QS81}b?d^o%T$5{>z4@f z+(Hkloc3xV*dCsH+5JL4wle4d3I-PaS!|N#X z8S!(5HJF-T(f!qqCY1@9NL2P-VqW{oj}8Y6mnJX0*za)c)FJhgCq6P>)uNdeT-H44 zT8Gb*dwi&rnscYAU$n!PDFZfHroC*j{Jck27cn)LL<20_#&a())f+ZS3!g|#Mumlg z5D_KB0GBW^`~hVVu`Zp)?Da{~-M+{o&K^Sod4m$Yotq*N_y}Dd!gJCXefJ-I`poCn zPMX}s-p)?Ushm|bA`Gp%i?K1-^ZW%1@FVOrZ04I}G3o}a%-g4e(3D)VsHj}n;^E#b zMqxnwRx|kpT|N8f;gKTqfJIa9Fk-7@HO%8Q8X+-2z|K(wWeaKU4@IZhYjAQGg4u9s zMlf^+{2K|{VmU9Gb75j>new;OQ)01Z*9u<=jRgw?1B;{a7(~T0irb 
zm+_0#)hV$h{5Y{N5ikgu%|pKZ3bj|vKEI%wW^+>8%a<=_-amJ131hYU={Wk#Q)2BN zRHs+u-e;2%GceUtk!iI(4uQuTANw=|VVJT*?Iuy_b2|lLOdiMDUc+Pv-%}{4m|_ys zAK*0PMMipu=UR=P%5(%grhP53?ykfRo%yUl3T9<}I7906{t% zEFJlUS+L|+7#EQ*-3sGSZ3;pG&>3Q9l;6eaW?e>WdtCuN;pHAC62aJqj!P3RdI&K* ztnQ()6_6+G!Htz;d~`&3f@`>~Vd4mUib3r=a9Y*y0Nn+=MmA`+=hAqT*=PuX4I5yn zQ8o|ED>)od;WHU=$tmPGEV~_RB{vEDkZf5-BFj6x>)G|N;(q*aUN$B7+>@2dRQI!W zEI{Y6z3J$SZ*pGzDQ5PCZH%EJ1=|n;8`YNFs_+Z7-JQ3p^0Qb~d`m@ov}gh{v}pnW ztBBm{UQLx5x6F0)v8R9CpQxeVYw~85TgR`=cRMtq%k51! zwdapKCZph-SKni=&T8*5Q#{LTyO-UxwXiU^sCr)LT$*kRw7qqLQQPzpi76Rv%1-aj zQJFlc#B$R3(Uo;K_V!6GU8q!A6_k_J(dccD$Z@M$8`S0RWF80@({9h{&1_J{;rt+$Q(6T2~-xo`63uOp!ZO?xF#8O}Xf~(gU zY5IV6%tyUSF6p>(Q&l_jvM8&}zg7(k+U>p7_1*b?kKezmzp9`zdi3%2lUxderPkD+ zTGYj8&9IXe2r%0FE=cHo(Ou{iO&4}Low1k!O!f)EA4vsv8+3l+3y||n7GdsL6c48lQ zmngL>}87qZ$t<<6z;{^lp^`U0yM z!9$8ABhoKw?U{@)qp7x0S+L($)gbxDUAw~Z`bS39-f(DW2xV3G4W3ui0$-LB8}=on`o@Kv#Vg!IpIy)F5QYGM?G6163rNao36R5sEYCefn4sXx!Pu z^WENXfsG)zB%wkGR2Qvvs8woa2FOSrh z$JA#DD5e0@2ocPnZpZ0I0(|rV^D1%(2oYAj=ctR$zP5bXwK@NGG5bC%WAeK3FK;iJhjL8ZhwyAEbZFaH1HgPwQljfq}v0m7#FI z!iX!2MNvtx7#NFEpP-%Cy42sppr`-KU#*|N_5&6$!eX2fv5(_mQ;{Aa{#r%bgXF*=xE2jAVw@=#qDg5BP zhY#m;7AqmYp{JLr+xnxnHjpX=5#T4U4j0-0CJQaASpP+u74{GmxI#51!EO{@qSXLc zRx*}wsKMj2J-9ABR)@g4tBQ=`;zWKZr0XAz7g?IS^(fA z;f=yo#9EHBdLs!@LU>gQe~Ksl*S);I$C~5K0>EN+myMV_xvvY<^#sP&g|!d|N-^e! 
z%YC5o&+Y$ZA7^(`^#W!exvQ$%a0)McRHMFI)pF|i@y9SzaP{w4kgTuox$OE0{sWux zbU7x_si`hY9{OW{niXw6?3ymLOTxbNsir z-UwHM6>5KhR)aO#J4F1BumAi%N2cofYi!QP6V!iYa8?Cqymvf)jsHD{*2BDz600j& z-=J9|vgp?N)8|8PDmWSyuN4lIYHH2b3So3c%vkc@Bi5%AS1#{tnW`RRnxjQ6;<)<1 z|FzTb_U_4;2p(xR^IW{)=W3s_G^yN$H zXG(I`b18{#4#9b=tG76{-OxFuapS<(Fa8Y3>ZfNMqS7*`E>A+Q_t4ZfeKOow(1;0j zS~Z9{TM(CpM(w>S%h+DA>EoJUUpBcy#oV1zvBbcLmn0&70Ju(({%wayT>n3>!h=@E>tBDD0Y7_4(wkCA&I5 z$j(+tE3w#ZTyl10=#!+Rg9!e;@9Fvnr^i40*?3)jpSdX55I7^{iEvuhd3cfnPPM~n zrfs&S9nIB-VPGI`jG|(dPr+#3vhbxX-@~46;pO;U#^&W!15=9^mmVFuy1u%|^7FRq zX1o7TNQjAYC@HuqZ*;17tW`JHPW^UolIcEndvY3`FLK>thrI+nCJeTz{KBGD%q_qc zinVqMZC=$EI-X+xm15Q`_8d&z+j@^sk5|mN*3GP{Cg(=_mAUp%pRi^dodt;C6~Gk@ zGm8IGIvMPR9$bB%ocyPd$Z#D4BJpuiZ!GQ|P$6gl;0ehr;aW`FNg|nYP8}~1oVV%? zBM>LYhxL_(@f>#7^8PYd?|V0@9e7&rN6C04}N zrLVcHV(x3~s_NqkDF@WwNd8XDEAx{6D|33vp-9F3yluVjg#UR4?#K?7mu2;LTwdj zT8VF+*P#DdGpMl_m^2W?*R51 zLSu+S%|J)Tra@(2G2?^O4A|G&g40dfCFV@_{vOmuI|h%X&IcDZ$HMCYsTR8lC2Ml8 zE^{TZOaw@1YilefZ+K18i*J0=6p(1^^W0bHb+{;YRVboLB&2HXvP# zyUj!$7zd*rV&7s=ZUrR%ImoeBO;Mk|thca82J;py2;>0368_r4zyb6O~GFR$5z5e>A5SC;fu%ue|`EkH`jkTkLUc5%P zfF->~w4T0w_*suYd|4x;d)O}DTyiCMz0&cye_dS>VLEW}=H0`u*}c|DtCd-<@?v4% zBPJ!Kr5XUku?)e7m)6(T3W^m#cz{AFLA>Ll|+qukhq! 
ztK_$%ysLGX2?(ekJbBxjbJQPrGt4Ef?T@~+4uo3jfV;gx850Bsa5eBisgds!^(A#% z%<4Lo($x#=4%Ba>g}JmcJ}qKd7nvh94)vEP5;@WkM#2r-GZI)U61z7cEaLe8Q*!qi zzee9D1clj+H8ICF0eDUqpn=>!gJ1Pw7S zMXlzwv#;)06ou5F>?{~6#tqO=ie&+=U(T_PigUdcd*p~@w|N1tfDx~>Uk&`bnEPz| zrpjU&Q_pN%)#Y4@03bdW)8MIRdQ_P-s6R8kIUSc~-lIcG{o5V#!f017~Z z@UNC9cWwKWnRVe5-LVOB4S}#Psyr&3?FfXy&uiZ9DH4}NpfLT{IkkB}^(8#vsnaZ2 zaHCpvM)n0Gk%S5%kMBN2?Fje{r_b!s!Ok!hLKTFgm&A!rZ{XW1@?#VP_*!c9_Fl}Z zxQbl@YK5Nk;6YC?e?EZPJRsYbf4#xVDs1bjpKd|S}G8oZ0wt4!+~?*mrzbQtmz zR&N?*>&eP^XERH!;PA3(Lc= zhlvDYBO43KA5nlq?VcGt&i`op3y17pWKT|e8<0OXUOl%)y~ui|wui6OO5^kX&E2Br z6>X4-9`K^oW~%IpO$Rg^&8?enRrB3>6w^yamEocs0Y$UHbOn1z>FY>RkloZbtNT&M}^&P26!7Xzmve5Wq4S>`(BS)gvz>?4y_BBsAz$vKTUsr8$BHfmKn+ z5>{(JE`!sIT~RtU0y{>{O`A3ax2X`C3PzVp>WFc=+;4$&3X?8jEl|1Rqf7LlY&3rF z?te`%VN;8Uu1Ekz4*-9j$l*V=B*cViCo$#&`64Gj2jpK!o6wf7Cm(N$Sp!w#`KC}T zrz5Yg7nmT<1Pr%9=%2Wasj+x7Ogl9oHD>FC8MS~|$l_zc-^9G-7zn|Kva*F`iblv> zMq)fFR<=lpkXl||KIl%9fzZ>HmOkY+=iS{gk~kX-2rAhW$1@UR9ss&R^e3tWN`p4S zhfsX8usel9^(aKI{Dx}GVQ1CcO4l|@P3L5CAeK8cP2KcTj4#WzF=Tlm$u@RpMK9*G zu0TOZi0O7tqui|Pw)wKUHuzQ)6bytCX4YQ=j9zH?zzfaz4gl~=8{g>Ws6tqXJQ{G#Q7XA+Rld{vHlPWMBx5 z3G9F-tl7jUMKv{(1jM32ZYvsugJ>LxB+K=ZOjp!rW%voHHwpvc7dvFu-mTl0%PW3Il>u{vKc+v z8O!@gG(dR#eoIqI6g1MEqP^M#(wmV#mHL*66_PaUVqrCxR%khQ-?SU!p*QbH?umdg z_4P-u`=0-{&?!^iu){(K__En73I~5^Y_oIV^{_DaHQPD~<`lsIa>?`FUeQua6 z%4;6D>wa&_UcA2!zw#?X1e%FLD!@3l!1;p$HE~#& z>`yYf=aBZ&?Sz-!G8qRRL1}z_p$Yn(*fqIie5S3tOTYz+QP-rWPi+|FWVPBObW37c zE^~(O!LD>;1TmrTaB0k%ux2^2*1KCNZ_0O0#H*c{o%?ieUIEYUTH8UK8;U2%8iw%y zKzE06jiX)3YHXfA@# zSCw^=GZo;L#f&wt@gvW70mxovM5o$&31APKDFDja~9325d=_F80R=)s0?*vIq4UtG}r8ZZl7O>c|q^f}JUn5c#^FxEoctqr{Fo^ZRz@SvaHqQd4#-a)V-Q? 
zU|!MElv=n04CLhT6}mZum+kh08sfXo)Ot`sUKg5ophV@WeeoxTTiv`vwi#emKx3%< zwv?E{0SbxR3s;aiFOgJxx5voWXtjKB0*7 z%0+1YyjpVcwo|)|EA^HD*m@56D(o$(qD3vrWrol8uawxkq^Vd_IznD-Zed~r612Aq zA30!UC^i|-YvZMD6I;piv-1~Up-ve1!jWm7l2-nP!c?WqT;IJqV3bUt5nx{t2JjbN!^i4v(|irRzFkMCNo3 zjxG`pTmob=^)1z(vtsT}Q0%Xf_a)7n71LA6peGKzh_&oJeqF*KoG*pf0Fn>8spe5(?X^;V~M$l zn$>GaCx}yY@j{D*&&;ul7mJoh)Q~jAVn4~ssL03eG$`uXn&314sN82DC5TIejpfMhpcvPCT<>LP~zVOuVu6x4(+uvT*iTVQevZz!Ha- z(?7-;@J3ap-=`Nw6Tf&$3pK0}=I;9a{(5*CO?BZux z&&4`T*IWu`pY&CCwi$_KNn*Do8U1@rO`6Kg=UIDOYHL8ClP)Dlwr{_ks%B7Sf|r+9 zuOqtNJKjAHnfYg(!%V_-2;Y%mq+@7pv0&*$>h>~QV$bfs<)(YOJ=b}Cw0igXPnSp{vYPVg>gikKtH-sQ*7b7p zl+#ATk}3ltbJ}NxoJ%~RF>konu?FvNhc3(K9vS7WBl%dX$FxwDOOvN=)$!>+CoAc= zXHnv5S6?^A|Ipor2F{US_MC~Hr>w#~}8m(DGN z1&4q<`pU&Rwl6eE>#w3#%-^H~jO(Or+u+wBbmgqHoH3eIx6`t4Z*f=W zK=QHTYysAo;|7*wM81tJp=qr>iFwLI5PWWK>8FX$YMoA26gpIncfC+(ubQKjn%LTs zh7P!qc?ePCauc{hhOvK;Y+KsynE5F$N|s%@dYNA5&Yx#e;)aFsHXKRlXdn<=eaSI( zBgT#$n|yB{M8@=;zRI@QM;^* zE|aFVe%<3mQVu`sYxH+bN!WL)f4fKcCN)}}_6o7;eRP#9rt$a#{bI3*{j%}1q}r1O4DXXq<#PmW~n z18hMxYfh_wU{(dbWS8i~r%j)J<@ILii5uGsV2~m()ro>EW4zMm%B$E7K~rRxf3;WZ zj(~MGoh9}XJA)goL^sSimuj0R0qjEAry>1DD)WGo?lzO3A5RnaFGJVS>AhLM^br-Y zFy`SIdlh!pjY@wGlsupzBDY;&x9Ml{)O9k3HU+{u+hVpT8VC*_YbZsoQc7qzu&2n` z8%5@@Fz*I(hH#)pZ}1SF8sZB(*n)A6+2+w~b_73N47NbaOBR{{+2Q&}ew5&rz;C=} z+fYVO8LbYk>?S3}O+E+!M5n))5|o|NQF;(Y0B|ca3xri8M@u0h%kfn3sZK4?1#cO} zpmT9Av5;1?ySdERlp+pL`5LE9oJJy~!H=yDz({92lJBDlq?y&B#oe6lEBa{Y(p34Tw-Uii%`~ z3JCNB;&Kpeh-%I+vS`4oO~UZUeRs{snH?RC(>oB*a8bKb9J4C)H3v1pJ!JL4o)GL+ zGImgjbQ<%~FJT-NNP#W+v43&Q;=tTWHZ-NayTPw1#o2$w?T*8SPZTw`ip=7ZMO{a< z(kw_4DLw$=UIA%hCMw0n|$B-fEJl6&ir)RC?Kl&$pZ5TWi zOILgldeS;tV7(`7e9*4pm1+6c&G*Z#_fTfLN!mOw2N#?CbD58)XA;^fm@9Zdv&Ql* z=7NE>xacfQvBcOPPh_QJcv|JH^eslIZlKnjT2-cn+|Pd0<6kuCC)0!*z8P&+=CD3<M_;YrZlKyjEj4G45i2?MVcSTL}cD8N3|qw29GG;O_;K}@63 zS$22(2H=S2%%(E(`YIBm=#r2T$0ji2)x7$zgMzWRQ@*J1Z0EvIM+C? 
z`@`hqQf6i^0tBPpHt|X%PF+A65gI^#N_l~?LtZLPO`bkWD5*)w z*4d}7)719v+c!w<+B-(bIBd3cNwaSkRgCT1S79ZQ{4iqXfpupyu2qTB7zl)gYVFd$-JvP#7>v zZZOt<#&HeHJD#k`zuM=+g5#paIbk{)zZ4$_IcgvEEEh-BnJ3p#WQbcUbZ2ZQhkJT2 zXt&gYU&ZzfrqlnFU1xFUExJmaYv0NZULxp96yw3csuoolWBulDoB3szoOr4!(-x)s zen=TOC8P5GoQT|kQX0NldtRQ|^%WbF7eAi<%JP3~W4of$GIz5*-JC!sCUw}wA;)Z4 z+9_Ea7pF29hJjMkFJ#ppcs5k9ZdB+#(|29>@Mo0o3>)>7JOwVh_<4Nmx!A_7zAC%> zF1q^q(C3ZsuA9$$)m}-%D53N3=c2b&%cL~NyLduk+Z}2F0RfnL1?q1dUVR!JlxV0i zj(G$`fo+dEe_{@{tYqp;p%FyLgG0@NJ=H)}HEOP1lh6gLZ$63Od|Vy12|!#z#Kl_07ye$=9uI zyZ5MdxR+Eo^80AF?l;16y_5Ql^e?IoUvOz{?z*v8dVcWI*1h&O^PS|&FvkTJo>%0J z^FMw;Z}YQD`{%|z4IfqcO?T1kKabh1-(~nnyDQ5FTe>gs>Qn#bY)HcP+1;=A9I?)Q zebjFf-0qApQ@d#pry@u|DdRgs(kqT_$xf=MQ`2#742jBrG-SoCRF_XaX9M=_Jf2<9 zKd{$-H9o~A%9}3r?C@Z*(I>bqpha-m7{fHLmE zv{pbQ18R{}IwiX{ZyrnIEx_bHiiQndPK#`9ZRzBI7`#R*`it?tlqGiUD(W2c$9jG4 zl$Y_(C;t9M80x*=Y_{-7ZaxK9)cB0$5A1zfBr_c!0x3m3ogtQ;BDUC_r&Qek;a<<#Iucs~);3kOAO9s8D8W(_S1pP?S z9P?jE#r*vqf6Lk=gnX5bTv^Uhxgm!KfNJ?9tM++q!aj4BSn}q)*N$VQ3=GXIqiC|_W`)E4EPegfp z7;9wZw~P!0RlNkoA^`=O|65?vWl-JmHQQkVqz=4*of8BK`hQ_bA-tFLW?cni=G^mV zgSk(VK!dK;s6BC;*CxdYG8FLtSxuQSqG$;;SICB+UW%g`6reqIz^vT5|DLx_!;?aP z%x#`vB{Lv05jYBeswL*V9SS z3o0*+pFww%s?4KUNTq2LpDwIV)<2Non?IqfN1a7sF6TP7boc-H#dhIs${-ac!orOH ziy*lSI=eB|^@WSF`>+RqDK9JQF!)-(ZQBxr_p!KQV)U1)M$SR-o4#I}M+{ygqr>-I z+V+|5F*i4{_7KbOn=s?BFIZ6vZ${l1pk`$>U}*}I4G>=CoMdMFAdzwWE9JA*)VnjPH_;D6~M! 
z2e$Wp4A*?%1>$Rdpjf4jDEFfE?%5bolPXE16ZW+@ncXAzW4W9$sP-++!UBN<8%Ay+ zlv?qgb;k|_Y*Xz!)7Nlb$f{dT7e^kIZw#s0bVK`ezGe4KT`z~eY@c;^#;C#TWIHbY zk1**&w>m?~ZaaB`2VU@Aov1c6X8K|TR8eq8iJCff&y3-yzM-uEmzIXU7MtdTW*|23 zHcQUMA}X=*+e_;S5T$Xd!xP^O!_bYh70wmbw2_eU@(*g)`}@`4^r;0`Ehn~(KIEBu zZ;b0QUxSo~y_HT-K2Wsb9HCI8Eo~XIhB~2JOZMi+wi*GiOsCJ3r6viaQ^JQj=_=|U zDJ(d2iYzv4*iSL@(5WI~Qj?SP?>TkX3cAm1dY>zoT4K4ZqK5$2h~g?wm;B zX$T@Lmf#3VlvL0`?2X!4^+uZ7J11npG_rJ37J%F#346&jxsb z2KO?Ij+zKdjwbBfgbfEiONn=>wg<3C79S>5%W5^&GBht-NYjvhH>X^Wu3TWOc4tsJ zcFL6szlQNtgMcG6vU>OGrR-ODX->P6Rs?5ELI`C)cL^Es4$@yxGtb;dv7Ok-BWWf) zSP2}GHB11H$f_@kHXa@sS$@VYV7;w|b#Cm#^6q9n35)BF-CpW;y>8P3yI#dH6eJ9-dhH3XOZw;cby~{a_}zSdy6!J=@boSH1Bdv13O|vpu6+ZG<$X zu&_|@7YNE_(}WG?DR{F2xp!~K?jS^e#>B)ttc8vrJ9Q*?5?^RudVdfI+zy&jPo^N> zDDHSv)H_KEQ*bu`eW-n&W>1bn`Eoe=YnNe`xyR#{rYSa{j*=qDD$Oi!x}Kw8tot=P z=biEUl_zVu)t-17{w*|5!^*E-Q-0axEamv8eHN!hbV<5p!>?l@oZum+flNBbvaJE3 zhnQmlkl8PEx`d&&mho$O_F-?b^CQi~im`T=Xk*KFP8T{9;wFD0yuX=nyfyoC8Iw`f z=`+5H$r&2hOH#d>NWntf3Mmn(vqDfnqN1k|+P-t=^Q@m((FTlJ06&+yA;lY|;U1BBL& zH3z95ZG;JIQPD+AdE~ybnWVql95!5pT2o7ivd-;r!^aJ4v$}xg_{K#&| z5I(k+0mmNf`y(9)yDA56UANmzy2QK{)8a^+CiLvCvTabQC`1XORMFpWT+&QpYZ_8nB9h2{-eWN(l~yhp^bB*eA7 z1nw%7Fo+L?I3mbM6)l(8&B&(|!(1|M8r=)E#g4b1Kfa`)>H@ld$ONl6=RijMO&tm` z!9bMaSY$yJ4r1`ffC0~dg{97V8x5Rnaz6nE1R=(=ck$x44t4rA$N#o=Tx@lp?Mrlh zZZWC@4q{W6d&hd6YkimD)xjG|0u3*|={7c@*->lrByBz4?kkPAoN7IsvcJQo9*T3l z-21s}@31_kd8ias%unQ31E#S`pv$4>U}oO|$7OVmpF9~%VJ<<#J0#vXgW-m6H8m#4 z<1qPea}ybx5Q@~(h<2u;nBQyEu z3>`9L2~otS{Np@o)|Z=OIO5p*KOh#EP54TYZpk9m7rquot;}o*Ze(!&ovG7;33>?K z)>`t4NO(T*l49r&o1|l;TKBVUtGFFtU~b^4Z7k*IYGa4N zoX~3I%z(g?%SR0}9tZhHx)g$G6n0`jmA9!!XDyc1@~u6ms0&ToCW>yM!{i8)q~r&0 zu-P17zBSidZrR+}KTdzIUkHg%9c}dCg;$8D3>y(I@t1XfsROXk$$Z{5+<(rY53w03 zYcmXz(|apT4Lhv)@nK+}mWYLytNv07O!C*>qW0RZho61^rTst8j(o4xGw@UKC6BWm z8@M`>S;C5{R&SS$jS%(-uAb(b5Ge)~_#O*Fvg9j9@NO5Nlx`qC5Ec}AHZdobQr`JA zMUs3QtwjR^cY%jWU=b@fwGFTi*aB`E*_Zl%%4(=iQxZqOZ~C6nk1fAYS_&r^F+Pn7 z(bb;Ocj3}4mV{d6N2gSe`OF;`&i1`q>)Ty|k7QoujJx}K6>F*#&kPKE=7|A;qeoMI 
z+`2<@jKuOu0_dHCdh%gQ>JkcNFwF#yp$ISh$T|ap&ZL$@t_oYK)G|(z&>8B7t`q~x z1D^*ReJ^*8eNVUQ4%x;ukaN zp#lp6nH6ecK5{aSSX@lu1}x@+Fo1Lak^O;xz;9X;o_|$oUbqwVz%er+QS7 zS1mM!{J_ps1_e=Z3`^TatXyfiD}p{;cp3T3!XOpeS1tm)DvjZJx3(>@yO?XlhweD` zHrDZV{m>`{LT3s`Kj!6guZA=-3?ueT(?d;2&AOn-T0ssUCAL^Ob^@nQ6j&)c3wbGW z7iHOTO`N<*k-c@`cGAa+mL6TZ{;iAk2(49uK$tS%gfjh6a^X0dmg0B&+oe|WcCjKk zT@eQ(HXJW{A>8E1Ehh*7`!Ke{&La~{QDHp18nc!^=WLEoQ|6U3-7Q?&i4rSQhpO4l zrY2a8)JQlL6L7H?IRy=hifWcvZ$OhAInHqn_ij?TeG5=QfWscfjFB2e#Ho`K_fI=@ zh%%{nsXBBnHm8LT?jZ1Xj-P^y)H7#M`5@K7{Qa6?%(8V! zyEPv)zBpSpryY}8o?k|$&OOpU;NX|Xh8b&96_0vLZ_l|sXhG!D?Cnx!`QkFDdsCD&1M^5XN?pQrA$@pD!lp9~f$kN~lcXvk?&Ybke52)B{Kz}jGS zy?N`_Wg=UuU&9Gk1puX2>)9ngWFjNbWs%zuB|Y z*)4KehYKG+er!Y-X@Jw60Ks;~QfG+YLH#4(7}7%;W`xS!GW{{9yEaSr>5%soQ>S}) zDC_2$Sebc!iNsk3{aIeRa8LC!Y#-GI;60hQuez^A4TlNg1ELjS3f2|yMc3O`nfkdz zqkUlAs96|i5gp>7k9Jn(xS>1~wps#Jt0%2K1IrZRxxP(1l{U2^| z(+E&|D8>ViOkKD8i^rSj*OB++{f*XkUQes(RGlJA9rT^bO%x=`h=p{@R)oH$z%$vh zMcf#a&0}aE30o;`oR0cS{bl~6Hjt?x7y*WeU3cyV4iSSaNIH0{Q8lLL%Jvz>hRbre}3<;>CnR>Ml!lo(#)Y|#JMR$$8_vB zZBNyOR}XfJiCR>Ho+zS;+x|Qs1v9oT)9fDv-y-ZCi-?GL=*W;2@=2dkALlF*LO@mp zDf8Mg0|9kO9(F7gL!B(7rQDsg+0>5;Jk5AGcXkw+hDOwUhAy=}EbkX_`;l zj7G9|%s4{mKeb-wy=hLgef=sW<=egL`7^^%GXlY-?RFMhP56L%#%ouvX3g6gSIY`| zv?ll_GLulcktlZcOj{AdZMZx1^nD-iA? 
zgzyEtCt)BoX3QAzqLJo#oI5944&lsC!F!p~YIeR!6H5@~F{E((G$<+}01he&{0qnE^PXviWE0NF#EObbsv-9=^zzOc9=0#fiOX~3p;?@kh1mC)c4R$?OX(TKo^83$gU#-l8=qtHcvbWWAFKUZ zVRPQ*56szXcV3AgLX*8&V+xou=OasA)3Xjba#_dwngjT>#m6WgH^6bYpO zS?gKpD+)5oDX&PnATb%7iDM#@p<*Sa`OEvjL+6BKm`2!S+qQJFEsnFxZ&$7bSU^lC z%QGjdk!ha(JvMauRUGiWDKUuV{?hBs!k?Co#R5U{!9V}R=cQ{TqOV%3kp&p(Pd$IN4lrn2R0 z3yU`pBeQQUNN|;*f)ZMOZo$)!Z}z9MOq@V_3Z1}m@@~(x*&J#n8+u!hM@Qo$&}8bZ z{&cM{6(T<2kojIrMuHm)vsm;&)azofhT2Wdq4o$|50CpX-?t&LwJC92@{m6wo^k{R zOy1lF)Z+>@AD8NP8p9LY@XoR*SG9HFjy;3tDgrRfhDg>7ahRg2wPSIM{rX`-XKT(%TMtdQy&YG;d;; z?sgOiyX@6UzNCU0112n-{N&{uBjl%G=puJFg;!C~2z{K}pK2l`rGKYb$= z{sJNabHp70Ljlb;MB0aih5n-R@!OZ@HS2HfeUvD%s3kob?$E=>e zN;{!-qgn@DT-trTx+&BR4I*>h89SFgxRHO=N9-sfSEbfu1%7xT+s0zJ@-vJ;Qiguo zw7hbNuJ378`2}e`_AgjHuzBN>U11?T?%f+|Y7pM?-C1v2PzU|Rl2s#K-`-l?kPp3kDKDNh;_si_Gop9J`*HIn8)N^pH6MF+>G!6FL@$@G@zW-KIyHXI z-0C#du*F3`k9gjY?E1Xj;+@k{w*1sw(1+Xd&j(waveW~LTQRBJU}$yge~ed@?vFD% ze@SlT>}9u-WV-eH9ACd}N)f0jJ~D)`RRdM z+UtJ&a`kSERb26KevMOlp6&Yl^g_!${;@TN7SYp38jq5xc@ciVdi-Bf?l$A40+QZ1 zjxQ?DoRfF;KcA-O*9n&I$8EjvHRXS_07=?~G5yjlyA()&A2Gx~DgM`E1G5U3d$Xl? 
zYG_#BzGP9ac`{aR#$|E+e}AE*89Fx8x_%$hQ2A1i1rG2CcwK0l&+PPFv~Nf)hdZK7(T93FS= zKKOXksv7~<{im*Ri>=-lS!Qun@$;zB?|rt;J}nCYB^H872w9!Hyry-WMgVJ(=UcBP zAy0qXIwTw5La=#*pWHo-&>{$lS{F4{HlJ1MI>gI?I*0h;~nIj9GaWSKXxs$ z+`9DyjZyVmC0p<+#7H7ppz0;l`&QM{3?8GIutofjBDt`jH{GmQe?o0Xbo8s59<*wu zWuj5QD|goEVeMGmnpTJJz>N&6h;1KFBq+_OyzuJB5(QgU6hnGNz8Rv_`jk|vhl?)j zuhXfxvfd^O$socs)*fv1AFRM3ojpsk1&oW z@HHqXXmU#o0ghuI_J@iJABD=Wzw1y2i#lfbYkpf?e8Oa}$=QsUkd3M_h2QSQsAPwk zrB$^%DkAMqbilaBTXy_<$Fc3m4#A6gY<&5-~r~`6y@fPZ|Th_MHx&LdA?Kxfxl!;Bu9c25 z9EmYYE-V6P7f{=)%`xo3iEO=7bWU|kKk|Yg-@!t~;vG7>O*c;<1X#{E8wGGD)=SW% zsaR&tS2gDL^CN_Jwvb^zepiDK6sg{+!YK*hD3C@U@iJQ3_Hv#uN6$mHK3t0QF zm@VGbMiMyQFuQ+CjGy4a?39bs+yHf_yOHsXor<9_3ZoS#n}8Uy!q!fOKbg<3%8PfL z3QU<<5Mh%>ow*492eLcmbqU>+Cq*YKIldSgZ9}uMi53>^ihFN=LfiKqhBcupLN!E# z8Si+f&!@x(lm$nQ9otB0rZ?cjx{8?T-IzTeD*8-Hm(X)i4eI_%;8_X357=BI^LBdW^=nWP*ADR6BID7NBp7Xu`KN<|m zGQ*JFSj!S6OO`ByBuOPIR7ho)P>Ilxtt@R)S*A^r5G7g|OO%RA$x=v>G*Kc_eeX{* z=eo}CT-P7J+x5@6%`v7vpZEKo{QeR`(?M=_`AVQMkKO~_e7c77l! zDd}Bpz!6Q`Hst)k=kMaVNcg|>;Ix$h!c(Ffiat0rHf#ZOi*^;%0j?H~AfxL-51}GT z9QnD|(Pli?T=8iodR&<@l#wwjA=9gimYzx;VE!qg-l1dk7xg9L*_CB;%;zEIJ3 z@Ul?Si1}D_c^+QfW$vv;FsB0z7cTC%8I`Di@T2?q70M_hpCYrf3&wzc&ZHV9VbwCc z#Fg=lHg%?_47X!kk_L_AW|*dC`U7p->F}t&mDL|V_9eU#WydsCbr^p7%9}jd+BYEw ze5zO=+B}Do6Sp^|LajoCEK+7kS>mC}3`x43d)`ZM0teEzq~DcG-YKgjPb=375@^PqfxIwK}I{m9{u!qn+&U5G&{Ck$hLb$4BV{BAy0L!bjOUk4cY`xU-; zINN;CqF{pv*X%l-@#vS4x_1J(?lj-6fYdM<$IFT-C0#P@z4TKM&tR}VD^9_xp&EY9 zm7FHaPTDq=36F+QFf$L}1qWE#IryL9z#8r&I%1X#$HU-qL%MW3poy6;=JgveK%^lE zjDzgo9-4QH;nv)U$+a(AGwy=lH`^v-1dDd;7DdQNr$U*b9&f9`@q-^AovWI44ItzG+9XP|ER|Kh~5e zG~6lA(ZdTTK$TM#?F~{Rt^t5vajj#;wKd;*e9I>l!LoRhuF&j{3d(fGRpiI?ge7~9 z0v%q`T;=QoJ7J+{FH0E$4#Q|zd9ndq=M9MvEZJ8P$G5sfZ&<iiyM(T~c?VoL(Ayf&7Nxgl1o@hkbH>W8hpq7>ebD0F<$}}&a6Wz7nK+N;r;tw0Ev+^Gf?#ry~8iN z?WB{URQ|`WYivv{%X1^W3l%-U3q;S>>X*T%o^ER1tQkpogPN&2_^QSHLKD9#$!a}- zBTxDztR&6$sC2z829n-|FP`%vsBBV|WP$*8px#5a31>RbUaR)uJj>xojFQUI$x&dh zsFDZGD!yG*WT|2cTEcS`c!3h@HbKwS1**~63PO%i7jY$Z;$MWbP$s@DPXn4(v;uNU 
zo3)j5U1WoF_cFOeoHnahpY24HQfz;!q5-{nP5e~YcMp=cGad1X90hYaiw0k~tRK)^@q4+Oz&m zGke=dw#k<0)wge3g(k=8EWLBETl~du>ZdtQ-5Tph;W8cZy}G5v7ARID$TH-C?0EN4 zjt(y=z?io(O!iYyvbr?&C_0)S4@y4CfR){h0Y#lQf`Au{?jrHyXv+ysrs3{}NA}q| zT-YyQCr~yjM7EtzDU%5zCFdo0HO&W6A5^5BvKLO{?EpR5qF}^yZjcbiOoZ~V7pSp> za=kt4V@?Gn!tcnkI={LcckZ0wR$BxN65K+G$tvrY`s58mW(DP>$A4uPY$=J`NPmi1 z<~~C#eu3O4_ri`ap@`W?8e0)p+6}WRWwXFECATXvg_LEsh}>R?k*7>~5Wr)zRvi?K zEIeo9vxhb0oafWH1Z(*ZvGBve&=e;i2hGCye-HY(#ruy*{@O}+l}!-NDM0m zs}uXx5o2+5^yLR|8|I|Axp9BD4Gm8h34<_&1iP>SHJ0ZNv|03zv6ed0ci#5(7gqC{ z?gfrIkj~l2DJ@nQEU&&Uw##ge6kG;uu4b*vg~k53dt65cXZ^&G2PYobNnyabCE^NT zCnU8`2B#tic8a&z=ru}9D-1h>OWUI0pdg>kKO!-cV)>tV21e4{`=q54yTbnOOl8s4 zAwX)PyXF2u93E5-H>t$zi%z;1-kAU4(^6AQ;_=kDSLSqSHUgInkHwgbeFaI&;hzW8 zFWtSsHmFnUS*=G#%ypsM0702!zLqO#pPX@TH<1?QO?{xb^3gD&7mxmx@r5Q~302@P$OtH$wYRiKxy$p&&^_ zST*#9!Iu~aQ^Wu|Kj29}zOE*ZQwAIJC1o@_C8iB9ohTGx&*aKL&O=`yxGzcHhJ160 zqk7uS3%?U5dU9SyoRiMw4p|M>7GXPDUTu@;6jdH^cFd8!>5Ur(9(7pWN44!xMJtoD z{f?B*?EY7Ya{lB=5nI;8KNK+q79$BJ$lPK-q$%&v14nhW+l0VcBs}317^jW8B9va7*$T zr-J)ksfH}dLSg*?OOrGi01-mf0-U3xnUv7bRYm1IqZL4!C-K|FVFiDI-t;`wziiO@ z_49qzFjY-iGoKMXiw0E$Vb7hTJudSvZQE4Aj;~Civ;$pR%#XyQ^YY!hGu;{kX6WfH z2KRMs`0|?m$e0d?%+No1X*m_&hL07!eDb%dnF>IV_h2m<--urMsbM&gh!O+#ofDcB zjI(RNan~K(uO!1*bIEaPca)J7q9`M`eimLuki-$ob9J2`9nx{zDoUk_*Ci!Wf$)5~ zeI&*c+uJZoV|R_!c+6QH#zsfj0+SL{^a4Ml5i5mVl+lh<-p?7#!Ge)u9pKp{FNY9f zBt&K1f0jPV?!H2>fq(G^bVwAzTCU?)bvgL>(MdXZ{?#@qE6jJPcq+=A6HF|opX%vb zeB)-o{OZJ~R zJA=CzV(d;v*HP#Ay;Q=06Ox6^Dd^)e6`_zl3LSo*pJ(kaHgheXz;wxc1ju)x7+Hx9 z6j=P^+Z0Q}4$;VY@92;)G+!~3-ENHph~k#3)a80huh(hxE>9cf+2f-KAOP@W0P|wvtOv%15mpMs`k^uQ{&= zNx%{oh5~S~F!oOuER-~Dhn%f^FkueZOA@@k=&=N3Q*2X&T+KGF=c;$OwBfST=MF=H z>O1|sx8t0ohZ~FwIu1zCo0nugEj%x+Nc-oRC6%wf4LxF7HpA%E(a#QJ$BZ2-o<|Yn zQ7jI`Rwl$9u>4|F#(FK*P}~KL-|WYUwjMz#qOLw;o!d}_8gnuvUCTz`yT{kJqXK%L z7gb?18=rhW>|LX6%hWL)G!nz#oEsj2l|^non%1=UC!fRep-&FD{ywO=;ec63Ll;<5 z$9|})`V&$I!@Y{*t17IVNQr%(-YR2|weeYrq?K(UIcmHXqm->%s79w?$YhL}7n?J8ga@%DnmkG3)oRYJ;>?wSi2T{lj6Q-Urk%@~`QlJ1sof})d+Jtnz5wt< 
zJl;+TP9hj}7(ztO`H0+67xcE+K+VZhP0Tb)Kp&cY-jdh}Zt5kldJ1~)vq;!{R#ba| zm3$5-H(zZRbBv^lg}5W)qvX=pYfjF`8-M|}<+f<2-XdrwL(qWSIY>=+5nbks)I$c> z08o)(bXnssiVEsKWx|re6mR-lTVVReloJ?a}A{1-w zNpF2I8aT2tPHq$@FE0Pz{Hlvs2G2${YFu4p^V$3;83QsalCt(q&ec&<_jSBM6#{{A zr@3o7e06~RmRS)wz(12vzKDz(6SXA#-A!Ex8_EIFj|y35f=^)UD2w>Bi_Xd1ru|*C z)Uw<&?0LZwLdk?ft@nYc#}1`r z$fRHn&ax6GrPi(cFci7+<`(R&aCWKeZ?hzqOI1f#xBw%}BGk6<+{M7gi}_2oDOv9M zrLns~vkQ%HlVWq8WSk5;{o36i`nbizH;on}7y)no)^p|=ErmYoud=^L8~c&lS`Kd6 zW592+R=EamKwb0d9^gk80U^+hR8$DL?~bT(*DYe%ox61DVfpUW9N`jqO|REgzwz6b z^)^pY`k8SvbZrrs^ZTw{7uLTv;L<5~9Q1~lNQ*tF`SE)Woor3+BFF9vZwc~M&9Uu( z7YEG2X4oo@7y^-1HrBqTCg$Y=Cq&RUG8V4gC3BJeaO5rFoRhLf?!DThueehF7_39Z zjy_W2lEngCKCenkQMxxO@g+-_{)S*x<6Xr#p5vEbnRbWt2GB;LI*7UF=k!G}g#()F zE66?o`LdeHsS_*9gU+sBCL-;3vw2hVc4Qp<`d;w_8?t$Iz>y;|$bzAad&oHh2AcSG z3Ygw6!{~d^A{~Aaw|Va4DSji$O18OaZJBAlA`+E}yM0dKPt4(oYe-lW_UD~DyQ%n8 zw|^R;p5kS{Vuj3D1K50(?tg$k2f{T&rg5cwBSfF%A91loTEq{9W6s~aVo0pjX|$o- z6yfY;;Z{j{&9pk|U)T0-*_F9x7X;AWaiM0=HqD2RpgGy(XLBTY9lq2wZTS`KLI>>Z z#HCR6Nt!3}VKF{%J0R}4>lg%ZzsbTN>jQm6`g<4uXDf_0#)PTo50Iu&QUZ5|Nunf% zjOil_b$Ug8?Gl>Ydp;xmBI(<<)o+D2Jseg{VsR~DHlfS)WsI$l zfBa%DIyH<_z2mRmllvruh%1%mK{>|I1S0raeo1_OG76CZ&VIA>rU{2f z=n2PDwGQU3@uux%S`zzRrbqEp9$sy7)-?KP)n|aJ;V9l&H)$Km?NZ^=$ypH@6wc92 zNyBY3jcZya>GB8Y^K8F%1(C*^Aw$z#KNZ*xMjj+Fp4zhw@}ueNzv1c;?K3Bd%!cZB z?YNoBvbo6+HXMsK-D%pc(cNC&SkXlc)Drc}K`e?*UWgUZRv^n7-Qhr9KJzOWGhs;S z`>Mbd1r@d0u`7%WV#2ucB;im}tq@i-#FpU}cUL4G>Q|_5TBD`AB|V+fmh%U;{Vo<1 znd*Zmw3M7iw~CLeCNJ$j@7FoJ>&4vdY08AI|32wl0SU~45R{boM(DhuI})v@3^Gx7 zv!%(S25Kh49{d`}kncRNc?lySiU?{aw(;3X6SXrCYwVOP5C8T?7DL0H)kd1AvF@i4 z*Tcormj(j%NPp~zL?{Go1KSJFaeOMiNop9>@Z?H-mVZdukb9nQa?>;_=iSp)UKEnu z((S zsvN`@0~2OW{S-`D#r>~=ErkdCJK%K}&s}id$l-(XGxs4pquh)P`F#H3y{}GJU=)zA z&RLY>7Qpwpt|35D#V=>dk=k%&Yr0lwX~OpqUazlX`)f8@MuPpy2pWR`qoMK zH~?A6!bSbT*O4<2iqus_Coio`_tw}Jya`ygFOxmT)}5m-RYpS7LS#azjLI&(@P;5+N&3qc2P;Qt3N3p zG~(i-@%h*fZ_f=D1m3m%o}S3Fj~eNiM4Iq5nJVO~|6jO83R?wfeFW|(=}DPq#k#1z zo&W9Kf|h4h!{7Y_6Cb-n6`&e#i(6KHTSFWZ{qKACJ7R@@BTJu!q 
zuNVoW;TWk5zC3BQ?)k}Y!7U}eQoP}mY9u%zCYM|#M%;xJ zA3;kvZGUH>#n@HqRC%`$`2(Sy!<9oSbiSj%4$K*^PvAYybN)V+cFVSHk;*0Y>1*-}stHlAA-u{B1BG#F_%?>vd{J(Ki*Rk3}u^+B9d0%PDy)4fW}fM?#H0ast$dm zm^rE2nc)82uDO5z4|o19S)0&9 zbxWx}m>2jNn9Dcis$N)1OGnso5(^4H4_khfyrcBEyL8Lno*BwD}E~732nP3Q==WJ64MgrB~50X+v zVJH?<;S@P|aYXh4;b9C2nV0U)mF$*%_T{Hm*iqW}TaCxZa*X##j-Z(FA zgKpoY?jlsy8m>W4O)}VE=8uHTJ1{j$GMyWV{?PpZ*!c!Ru2ME5^$8^CHv7@ntMbCj z=g+^7DZ@xNHgbs2^ zVB5^%vAX~A>7z%TH*MO)VV^VpKml`(-@Z)~Drr_dK*KH%j~2W_Yr{_goacEAlsKUg>YMVaP+f5!^5zn3-In zedN}NI=|S^i1*DO`jrU zqz_jepa|X#aFek4^V!4urYDYXEZtW9YR;z-XKW`MXzuIZFRb0U{$4ecva0%T%f55q z_qJD-E|{==;fy^A2VLGN{n)=C&hBf@_+-!3b1fXr6Na_w-S7kuAQOj6$;t2jWolPT z)u?T;AKaoRX1na0?LDXP&OOnM*yr?LmUS!xP~XW6Pa+>l+uAhsJH{m%P|R-~IWt4bxAwshK|a!pN2?q#7Mw6+ApT z&m;7`?}hU_+cnzTZ)p9GRLiMTlIgWEy?Zx-;gJ9W^XlaC9ur*e$Q?_CL7f|IWN}+aV5sR9vv zsT*!{pIQ*aV;AFL?bCT*=FMN{`9)lD{V{r_=|7)bdeyuYC2M!(F1UlRddyLoa!ZJX zZsb0Ry=pPTjh{)#WK(u`|na#;43qb5FnU^M41WeA`!I z*5)<3o}6AiFSL7k{6l`yE4O!7jTblWS~1oG z`8xP-`ohqEY5soAM>&oaAhg%bu|u@AwZ97se?8DvKzvxNt(Sw7jKwdTdn=Nrrh z@6i^WU~b;d8TO;vjwrQTxMImqb))t~jJz|A{r<1@H+#l4v)!9~0uHtB9(~V#nRT0O zUAo6sKRNed>R{`2dm8s{FvYR_IY zPxUpQ1*xoResQ3PjaWu@mmWL%`^I?%ID;|!*#tef5)cqzy>g{KIy5!kRz%Ss({b~n zpvDGsqXbC=U0%$n!LiPZ8iw$JurPgFQWrQagmmKXg6T0~@s{DAuf|@jkOVQ~a3x^1 z-W)n@T;(w=-3QhHKVg!(O^`3Zjp@nB3cJ)27dk5sW422VNuLg_LnQc!nAp>elqq>XnF%7Es+D zo>?X)!+^MSyv$3HV1Dr<5P7aZTX&V_pt{$h?HH5~L<2L^oLgI$5A)&kXNk^}Q3bShHkT7& zbh06s-HWXrowF`8NFk*}X3mg|PDBMA-d~=d0`TWCWg;QpJd@ta9_0qK>&fev>HVaY zBQ!;3~x|AT25TX7cOLlu8P^VZJXnorZi~3#Vkq^o9sV=KKeKr77pUa zaV0^ZKrE$qGhPMy_>0!J!HfdBFG0k}f|4FMFfz!?-CdDShQX)E>xuYe@yV)tv?X1;Bv9rql z8Ijq|Y9c-DdM0a@6 zgt3)K9;)3tO%85{@exMK{RP0AO9_0a4r_t*Swp76Sa%G}>+ai>`htYhYL;XB@?oj9^r| zK~4E529JS;CloZ7z0tXs;9T9GLd2w@=$y5p=pI24%o;x31B~`SO0bvr8P>IzC7M3* z<10YyLSGF>Pi2#&`8AVwhIU}puyJ_Qw$T*5)|={tjS?)n_Dd+P%J2xA|z$i2mpZc==<163eg3P%4=d1 zfIDT)x^$5+%W>%GWd1m|PJx9?Q-)gNJIkU!{nzqq$< zrS0-v@9$X}aiPpBCvukIsM;!>^U(s%0cxTAG@3x9uHo%b$V1_JRinFE=AE89NQUo# 
zHJ}{(QS@~D8@+v|)&rTfh78($ww~VJ!U55j%F=IW(ADKETxLEfoAyD%2Lu%XC^@z8 z>PV0<*7_Kpn9b#Dc&C-kC4BftB_)|eh(*8iy}-iC zdzovp?r_uN<`*$#K-}%Eml8K^V}7y$hjI;RCOG zb*KH_4yuQvoxuh0;kFb`dKX^EJ@iBC8SD$cEYpV+K-Fcyk$CU`@$a8qICg7Y#VGOJ z0{uuZ$^|9JCIn5s>-7lcWOjoxtv;Q^Zlp4{^B2h-cBgoAveMh(w3z)zkDedX1JoBmfQ&>NAhLMw7RDcsoSk+K!K&-W2LQysEnV>y zvT;tL(>j^#B#>HKBi)w}@jQW*g^4QLV5`<)+WMPfmK+rRGh+A@MH>9nG4$C9F4rc1 z>z#n|Z=|K|6=B#0g&5j;O+?Gh^BqBF6=LJ)K(u zBalX`XO`%6USr5L&R@32csaqcvf7eUh=E;sB5E5XTrw(S#*}#Ic4oyy8dd4)P6T`~|vu;luUsG3sH!}~08zSVS?XWHcms0&)OvWL}(*u~F|-jH83 zyVd-}_A?@TbEaL^uJc$$e)Ol*{)x}L_r5kfJfyo%j&pI-S2VI%EqTnMK0^x5Frh~zU4bg}W_zGwItWNd_TFr&Np_8l z0_T);XEYa?HBCcH{r@5pUal96jLyYHBes5X0&Q!ujn11|OoFotGDE;Er{PQ&08;n{ z;whm0E-(~^51xv;W;9ii!sbu!<`^xf(as^td1bRWGRI~h^pP}0uymQD2&nM`_r6H# z=ly-6Sp+;>a-mO%_BIqdWb=u=0C7!w-HIb)Dx$+_i&+CoNV|R54Brzq>DlHEC>lp)rR8({Ax)C`P9(#L zZ35d!*278(c;U{UylY{46wtFLew@$sazTGt2xD)#}e=J-T0l?Vh2etT>1(U&f zFd5Gp zTrQLXkkPq;tKnt!BDRn5&2tEawb$EM=sy<^t&fk-xQfm}zY1B1aKBAm(YQ|j?aBF#7& z#L*1{fqHoAm9|RRfLy5rFKpFrA|tk+Sk0^83#5byB3^Q#NXRwpmMK8 zCFo=jT!Rz~bScvuRq`}V)H*_oi3J!#0LBHZ4a6%i82Q}dBN(!~HJG1ErcEvox3)wzd7zVwgP`an&Tq6RZ@r-*}SLn8n^kAzIuzO z+D%7@rw7+w0>>$AxfmKavql_!ntrkeB5R(K@4Oy0UgJG?vBqT%hvV22_bOU3?4yKv zX*aK5@11jP<)SMz7$6BUP!HDQ+qZ8V5wGc2(UKjf5D~A8-18ExIX4P$@fT9%u3MQQ zvhIs6g`}ZjM9w0~59xGg>qEB11G^Det*5SWdfbTkAbTh}}ff#^Lk4R_56RXB1FC(V6r@5U( zSJKoFUe;zlN03s}oXM|7e#aW@ZLJT5lx1u;HC^*UHCE5_?8!A>i_aLZPdmLbsL73e z=8JEA>fC8yb>XTgzSVttYvP}pO6;F5WXBlS+O>W|CL>>+%{iOJQj|1DtRAy<>V4Qd zcULSA7-*S14rY0HZQ|W>D;k2bp_gmKELM0*Kk8Q(H2l? 
zN*X;0X%b(_NVy$^zeSsB(!2Ki@r-E{;}Qi5nz%f9GF4NrOEwn|9ctgjvpGO166k%A zk@mZ;Kjj!+M-&ozX+6$P^y*><1mIaqU^!h{V9D3iTenn$FE6!0rHAWr4~2qi+jAVk zlK}?^_WAw7INgeb34JII=B#eRt$6R+c17QHobp^x53qhINb(U|&$mNYb^q@`L6zyU znj^GqAJAS+XsBJntvmg1g~94Lzs-0fB{_^!pHD-6cV~=NC}tSN0bH-IZxlF+B1hBi zey@_coVSX|=(ws7mY}fH+Y-r91u3GIv)Ana*{1tIJmeRM;0y^z*p!JMOm(rj7q;Ip zf3B0pSn^$XI|{Z)IoYF1vxMZMXFyFJbB9uYlO>F0PCyY4f?u9i+y(>gsZ z#QIrk<-^OA{IBYqEV}lqhqQPo`eUlk@oHTlsH>k8dx+$qRT`Jx; z0vV%O-1>egr@^T>v;VZJ1=5n84wkW)a@-|SgRt#Km)G@?<`q22tn}L!Gme3>!lbK( z=fs&o>T8($b!vUeq3K*oR4$wiG6WV4*f-Pk%^Z?){&LQeG}U05Qpci$sFOfIEKt02 zRjK_83kwx!=hlCEXC@SQQgv@@}=xgaGI z8NEoK;ZhXrso9Lt{{OoxPtlAAcZ$^ zT`@ipNt|M69An5E#z}CWNC$`7as)_>5)wnTT_9p~VAD(<1(;(GNLnREx>DQU-Sw@L3fUW{ zVo#?1OA8>FAA~qN^a4Nt`*6S(#XaL}AR3jOUr*ZIIFH$XD>q&E7+1ewpw3j2n9nzB zbtgBqoZxhL)PVMy7P-e)54iPoDP>0=*c86hl2cIx2VaIb&i#HG+tIWmlTBhA=tzy4#NWL5)cEv$~t}= zvr*SqtK-g}hoYQR=5vnYOhkEzR}~EzsSSs^$22PAeO*OGh5TUtJnP|tyfWHfuFTo&9!W__*;&&K60Tff z<1R6D6CDrvK@@>BFNp7NVAi0NQHYFu%3qJj)uA&0cD%62V*_Pd*+z#U4PyXeUjk>L zm|zYFfBLVfzUKKIU(OP6!2esIVrIy@=*T6@;kt(OD|0-vrAK;9R&{AvSa{hyyFr`o zu1$PfXVAB3cE$Mo+MI=7#07u7-LAvyiiyawL1cvVrc>fnJ|8{W0v@@9WS z{x`3dz}&w=VBm^UfI|tOX%GD#N+It*+dEGqiy`qKE2ns$?-l(eCW7 zKgNGkR?FA!o8K@vr$nWv`EQFKIjGM6`)9I#JF!wlu?}?7Hgw~Jde-l2dynGDx@~NG z7g`VPqP3#6w$;bRq$WBK%j`D4Zt`JG1 zulC~CkUSlDPHMEnBf7kdHk<*|@z<5Zp*9vPyP5Cbt(Z4%^M|}0849ZTe-6{zpK+-~ zWuf-Ku5$h zHKrDBNzHd`Y}?I^2?Fna+aJ1dce~!d>yG&Sh}P-F{*TOyPOF9G?rlF}aq8&;!;{PN zch3)-_UoScbD~CSE&2J-oy#dYRq6I;183Nk)qQb#+9KigQ_TslT{E4IXF0nayM5U8 z^X!6_{~at*Xe~2eKVPeOmFu>$Ff!|}LoQ?VNA3_XTI&4XzaRAJ@?ZZfe^BM|p9E6t z|IDT6^q;vD>Y+IkdoS{4&35>6vu@PGKa3(ndljBz=9ZGus{-b=%P)JG(z{>3X3Sk` z*1OOiS6JG{%lsy%S)2gglmGkkv}+2a@b^di`wxFT&Qkr?r^N#7O4jpw)i;8`Eqw2bb@>@@!o0rDPxFe@oUsrs?x5;zQGdJMGpiSz=^( zUVG@FPUaOU%L+{VZaKXe-)uy@rUia<|PJh9I zLX>4?b+BgUc&sJ8RA?Wy%!%_8JS%?k}%atIlf6Ok)BPN-ELcP-xWLW?WI0V@eZH06rx7kufWy&Kx-s zniLFza$=sB`fMHY3C3^U#cj$J5|F7gK(us$futVZaJ%>y0b$Y+ks`&gTRsIE(p|fD z735t?ME>>y9xPz>jZwGAOP%+mVJ^_qp~Hv&WS2T@QM!9MCH#QDFKL1%YID6()9-~> 
zhv%_8Zk9U-uW0_EaxNNL%pVt$`e$V%n1vb5!9|M@;>4y^LvOBl79lfI&MNJ!brX35 zpT+sB=gAjO+*TX^wrb+GOZ_@3KMZJ7ZZ!W$uXvX8Q zUv%Qv&{28P@rp~U z;0rw-+pQ27nsOG4!+O7BlwG@cduFe%A`wHK&UlE^4#PK6cOZACxoPdAV2ZdpfSy4< zGsq9n;p(?W`KUc4n>LA`KIjOm2FNFbg)tZhg#0F|4Im`^ z+e_haQE22q7z@$B)eMoc$7F{-^xfK*H(MrEf>FbaUaHzeiN}!IFsh@pO=jc2SYjrj z-fNm|Ui}bE6Y6@2o!uP}&UKqM$utE3a3pf4Rt8eiX;P1)e49dtx+ro(3B1~yf08eO zNhze~oU@uF6UPuoQ!`3oD=Z}1_xmUq!%D1yc7VHNiJHZA$gqE=u=?rcNho+fZVl{l zYOC)m>=a@Q4q(0l%rVqnD~!l|6iO^L@V~U$812UV8sv={&JK^=&$FM5;0Ii{Y{BLw z3coMfF$mGcq6j15`}`t#;GZjtB6wih#iqn7Vcn~45v5k6>XCXlux4mkI=j(UOQDRYHc?pb{k>W4(NuiaZtsX7^69-O;r1% z`NQ--k*5-RZYKhvUsKMi9MxK-XJc#ooik+E>eG3xKFmI3pt#d1HFwnTKb8+QpSx+e z=B>vQYYq$!vG$Eiti7h1V{Lw^{acr!dfPaEkYf~&$Tg=8I0YRslT%Nk!6ootY}Mev z#^$TSTPVoyhGmjCOT6;_U|3DswmJr=%H&{VOTox*1Q;Mf2#NE-St# zD}+})dh}=#Mtcsd`;DF+Gp)k&ed@`E=1pd!3g_jE-3jWD|U7U`jCVaB!`rCxAuahXPnpvREXB zAwHQSeJLEQ0->%iN=k0Y_J{gBX8#3_Xghuxx?OBOVFokb`{N>j`MM2PCM=~K(}nM; z?qiW0Fe@^XSIv{UXtayQZtm^i;Y*r>OE%U8Jtk+i|13%11ppQCA5$sx=~p>CZ`{7! 
zKgR})NAp-~;pK7n@TbOU8qef&pp}$-27;~cjC?qCb&2C(SKs0=;4^?`e18*FjVaS& z)@990nZPoBi6U0MGON0s?h4Nfgelru=SfcMeFjm(Y=F5NhtI|1 zC-!rgfbZjVO->!`aL#GS-#GNM`QA|&v=3mcV&3^Zc2UmTB{gr;Ms6+u&q%~dIu7PhK~iCP00Jiw<9idDSUd}`pRUmx+%Nh}Qunv#SI|Z}RjeXy zG#xt(g4338=GLe%NQIbW8iZQ_g~>*PBF)JUFs!lW}`rr^=7Vs&Mbq4L)3nz3oCWt|9 zbGJ&6Ef4_$b1QQ0Vq;?sdelpo0B_tY`o$!ELT7~WJP)zcYv(H!F}Xx|eIA+2&LD>P zI3!}z_dN6*V%;!QWw4OAyks3ueB9NHl}3H!4$`eSY<;Od)Seftwaosue_~pBJ<=(b zV`CRD6`Bt%@xZp}T3wW3oAip*DBT#s;XzKsPVlGqpwh)9B|F2y!Zf1Ue-3aN66ggk z?Ni>d_aa|uq`MoN2iFDOPMfytTf?_o77Hg_O7-s>(8;vHV0_%s+|93ZRwoa-q)>d( z+kAQbq_zFJU94P_`U9ZYEnX~jSPo5nur-L84fi3jP`@P{wBUA;wR-2yj~v!8e7osT zz_f3oOb52bt{k0{aHQ7a>x!2uQ>RY{n z)-ZwHXs>m+6Ve%lI~yOX458MNr4T)@@pDR}&Ev@VtMi8xE9)<7vcb*GjYO9!^C#pX zc(GrHvsmTj@z_3Y_0Ip|_Tg5iw60Ccs?QKT(^yy3=ws4>4vM8cEGsw=;UG8lVVjwG z`Rm@??~Q@7d1%QR!3Lpv`{9FNEr_UQdG4v}yrWpxH;zjfG!uWy2tf%iFlF zpvk&0FPFd5M1*dL)fB*6n^Mm6L8if3AIv-S0=8W+Ktu#4F^jryBYI)&x7u}Kx7Kr= zIlX`0MC2wMY@ps_$xN6z<~CZrH$z_2sQH}uLicweW8E`GMbIgx3#r^fh3gV{n~xi&W1F9p%0r#@+YW0%aO z;c#7#0hehNZLV?mQ6<^M)fs`!#YP8yxeL3hs)(ro*#J9RPp^kubsTV>;$FbK3Y4sm zGKYgL>tn{rdmTt@;;w%atVzJ3)VH`*h(Gy7cjhK6k;j|7$G9M7uAl+R%E}VE&Y_47 z**oRzLXm%PGbvv(&tL+HK;7UWiYI7Eh-))(J~y~9@uSC23TOZaP}H1+*3n+06uxE? z>xlK*>>8{xLx6IwZnY%q`Cy(CEtN64j9-M-@lrkNv2Fc2cVW>dO&WW6;n=sX5gKtu z4KZ3@$9DhC!Fu!lg;x(c_N`5NY9KC1PIu@ncrjCSE%G&_Zfwz}+X-$0j=kyj!%ZYp_ln-RmX(A_)GyOvI*GaMeOfvrx);2#ef7Z61N1fasw_WIkxP647CeTclK z(CTabICiKSmRT$V1U~^V?^2YKwr=16&KT{wXKY$7y=z^|2G2pPI+HDvz>R{|Y@Sy% z{rW2o5jx@i^YRY`j6X3LjWf8A_Um(e=Rr+MDM{ONfZ)#g4POv0kvmn&Oc?JVVS{j2 zWrfjQ!}R>a0TQHqgh6(M>eY{Fq@z0-|4ehE!SRBPU+L5wKlKIzT;wn4VCthTuO_IQ zK8O#Rl76Dl>hQy9S0?o5#6jiAiA%Bq= z7MgDRn4nAcQz&eCPYT)Qi}UDLg>~eTpmS`gtUR~r5)n@z%tJvlv)`RRacx#5E!hvO zHQ3lV(dokuunszrBV}tLvT!X)d{_0jBH;F>hVb;kRvkl|P1pofLw@Bc;4M}a9QA%~ z;gnBT!e$y6Yz@=M$cPh`7PWy4CF4vhroEtOb~Io5YC{8_AeSM_ER*NBJTzF3K654r z(BZVcI$@R{^I;mPs15D65FEz1%9datx1keGoH#K!g3Q!YpM${*33Z^Ve&gCG9-2m? 
z23+dq-`3!s>d6dq5r@jEr7e&YZ^{X&FIY_z&G(f`Xgs&iOIi=w4w1}h&Wbu@!H=L3 z49*|Vl-N`X#hTkgP~@JdGrdMZg)MLMzW(E9O}*Xq+{X=bBTcyHo31EVpem`Lwj#iT+)AEq-9^s^Ih0MIX!CZ-b&4RK!=D9n)mm z?G^jy*$4IheUYo~-if<6d4$|<7cy?YrBU>4lbVg%ZA|U9J31=&#Di5W zPiv`eyJFDz*}($4+CFxHTqzQG%ReIjC}o$6hC{*!7ruLz=*+C6t_b~PfcCA16z>+g z={L;joaxkib$nqN7Yu;zYc+40s0)bDAR4mN`3gB1uUS(Z{8QJ=XU#}i3-P(xHa!Ch z2wiA<@)0?lcry~j`uFXN4u1+~=kQ^}oWe|}Ag5(C{fvl^D<54Sl%|P&}L1m*3k|uCSF^0UR*Lb@kK@TB;!^rx{ zjkf57qErAMMEct@yKYRVIHNVbW@l7XRMkRiRB7|!a;a&gkC5?zRPV7#m8UFICQvR# z@N;CIGgWg-u=bWF4Xwj06>Z)rhVVIEw%hlv3Y2rp!zr-qYkODY=Swt;N2OS)Y324j z{H0e^+w3+YP5UX-dz&xz&FkD@ooi*>Lkh(JrnOhe0LR_?_AQ}umhdBLWNB3;$wV(q zCVPGtpiZ0C^c?!X39BD8#r3W~YnI9|D~Y>?dexhHX9u||;L{K567S|;=jVEuM%l13 zVa>$Biof!j4E$_t_^iXfjL12fOE~wMFB;7ovzgw4_(fn@Kr_@n*7O@JHcE>=$YVhg zQa)&CX=tQf)L-%NbPd%jDF(u6b`QkCyNgapVw&kYKc-c)ipCNSU{v_SDWZK5Gm@t> zVRredB}?1`1G~}-NJ=3W4_L(MR~EC$8B$GR+QjK70;LL3j#TTvcBTrM@a_E+j;8RO z$yyleIRp<a+9@PuiUZ*E`0c(uRmqETagpFC{&gxV1VUhxp4LJ<@-Qpki`(&wzOqFgUyWA zJe3qM_660@Fbxd}b!4)Eu?iR11`rnm5&tT@=iD^Fu8UTqS+@C6inl=c3_zOjM00bH zMo@bH*CknzD|6hNe`i_x&|G@aQDwJsp)7L6^a1OSj7KK3YHqm<_4KlSv7Oy+2J=`w5zfrXJVZ}& zg61HtN}+Gx{zjm!Nc_3%J9q9pua#d-dzTPW4O1hRlewg?mDOEz#)y=??=Pr8MV5MmKxs zyiilr8u6`7-p7X7tFk_}3Bh}Vv0OCW4D$g^XdT*2gRs!)Yd7k9cmJ0bVC}i8x1Z=W zi*y?veZH06-7=J_qbHY%Tc2tP%3xzJLkb~s1^ITSQO;C>LOFX3F5}utMQapV{fz6; z?*57Gg%`nav-oK;WE{=irj z<}hSrsEE>#5E2^sY*2<9xQWcqKvITcp}Pc9?C>9A+;nfkLuC8_6N=Y(0}`TG|FtHk zb=9V~xieyn(}4B{CirQVkBcVoAt1a2>tO>?dqimnHrSm+ps-g59t8%9Vz0iKp zNqU?=Kb&?&d{Oq>ABz|Yg&_Nh!F(_I@Jj(|(nd&R`LnC>hnEnV@RP4z*tlMbk^}^D zSB$I(SRyXDo#WKq3~ahGs1QJ%K<~-_INA}h zlYYe-?T3Sc15pegRGT0~UIr1z;BE_Nvuh+^mP6qfZ$IqCkPU6cL-arv8yR z2e?j?ych7jr7waRiSJ~2spL(?e)7sM09X|_s|Q-}$v#Xg&Q{QjLV z%$*T_yldHP*P@GaM>bQne!n~>>GvevWjAjOShF<2q<^#fTayD!jLY>sx;9P-4()UO zRBPXosaYFNDQT#yhh!8Ta$Wt}ZT0b-?>24+R#M5Ozx+SXU@Za>RX^_je9tJxsZ2H@ z52zGE&oUn;`1#BpkER~s2QB+Lbf(c5g`p|=^~w`2mO9I&8LoW z&5VnWe@$EM5($BQZy=$W93@Pp!WQr|u$J!x4Gt*UFj4D|u?-6i9k``0Jtkew_2rl_}%XB 
zLIjZzOu%!*Q8ZRRX!Idu3UCPI)L4br-}>>8#h7M6$dTJs?p8T)e0Z^Coc`O%CAy~` z`@LKITrFmep-0w@6Dzy_6w8p8z83!19z~CxF=vukuK)hwyIqM{y2ffP0KirNA|mq7 zvemT2Ip0xbQ`3-TX4WfA8XNak{2c8Ux2fl$TE9gJS_8`iZ1(PVoME$KO2OlVql=cC z&Hgu$!y$E6$Q1e%ILO}2!pOGU9slP(6(mb^O;?t}>fEdB+cdw=DXg%DwZvDCowRu{}>I@6KQDeDv$5sMzgh)+TXY z+umLZ5AodBucpxX-&G_HxB7a-wrgy%$;hbjymQ3uB9B2W{y&cC|I}=_{a-X2+R7bX zYWb=fPiysJd?;xoktRm%jQ%yX<3+?>7?h?Wb=qHNy*k}!(^C94Xmg0o?P+e<9C8ZOmy<4{Ju_EE?yzG?4 zDq0!ebnCCp_+nvkrq$^q8|;i1-O21vn@wye~{1 z33=F1e_~p+DQQM$KX2JsJ!06fUSr0Xeg2`YF~|ACudCchFb0+T&9<&%wb z6!2Xm$8z=rC_GVODTZowDgrLf|AA9#Vxgm~dCSuN{&4;w=j?obW=sNu6BZk(6r!TXz+6Jcp zLQ{eVlVVT8Y6MCXyEi=>%3N+k5AG>La-r&r^Ws*SkX1@2d>&7@NEzUte79XDfdyDW zq9Wm(ma5$A0#Qa#-Ti{wRNo>Z!E)8_zAUeM1WgJ9#I7g?d`4yE0BX*ikU-bn^+~Fv z?9G@*ALw5i#} z-s+07mWt~j-1}Rlcc z6y8Maa+?znod!r|&Fo`AF*&Q4y#z&j?Z%B_OXp9`FddRY*epyIQ7X1?xm_)=9yQSICLM07-I_?y;GZ>T*Kd|*6Rkwtg7@O zrmxsIT4V$+^%fP1^OQcjYScd-=wWW+=~3-)PNmnw8sprZ?;4Gtq_c{la@3ma|Jdsm zMY*`QktB?Bsy#?WAtaOnA(D5gO=VTHu3m#G^GMneM;NIPKom)Hv^>_VW}dVn3Leza z2N)=b#Tl}AP%#^R@tQRUnB|CQUuJqh;t#{7H?OEzS&3Nc1zyGUhDtCDNwWzO5*-xU z1;DRgID-_(Ww$693x!~#Ei-PmmP4@u4$BCk%*>%VUr?!d11p~=rH})27dhdAKG3N0 zTcqb!QqH-s5|G}5e6i;*U+zFDLNhCjK4KmyS&iTZ#8xuSTiR%{Z)m&kW1)T=za~rc z{vX(u67EJ>tev9HWGkrB2P+;hd+6jDTco-osNlgD(<7wE1*uympINyCe}kZ!2q*-~ z0y%d!FWvv{-8Ld0}}i)6SWrbJwkOoNRdPEaDBvSl4*kW(DC{BJ-+!{~|3=E5Z3j=`2+Q z9MJoy|57e}4Sr(Ne)6~Vsda8u^Lzd7^jT!coAj%9{gQj;*!r(E>Q^lc@0i!4a0xfx ze0blot?SRs?Rs+c=#M(FNyOg?P?B9WVj&M%2q-ZV13WDgw)EC538_q@(A=_Ugw z;l78FsfE~$_~V@>JN&_Z{OO29bpU?^4K+@IT#TjA9!x}kEs!>m*Di_#n6j-U zHZlqdNF@xauE5Lx@L`k*I|>IRJv9BgqCrKmjakyy<3p2bke1}NJYy@|xTwWg$wCWP z)kE8JcK#^KmGex2m9&-tPr-g0WNr^Znv=tfY_zwqV1*o@dG)EJCQU{3GTN;nG4nFw zrx1R*c9G2g5XZxl!z1yN(Wh1c^+JU?B&`BZ6p0U16mt~)0Pstl19Ill!T(d%U;NDz zPzi)=<&!vNMfZ#8YSiPLZ8FIo2+d{EE%1!FT8($`!kH}f z{FD2O!p8D#`A>+#diyOI8XTvj&g>03qiRa#e$vuyy+6h>rH51y!|%a1HDZRW1-)x?89=?Aty=N19`$q_uKV$mJp^Jgd6ct%e zdQg2prb}UwwbPBy%pZ<^M6?0i%i%Pf+UY*VTb#^TlhS=k2Ms2K+GS+gImAbzB!Yhc 
zEX$Alc}#Q+7#NsXfh*d)ALD+%tvk6cG_(bb(*Y-t=__a{ z&>9Vd7mhDVK6U09omA`ACx&0=Oc&YGy7y0K)_h>&9-Fo0N!R;XisatVt$LfJ}EAuwE`Lw31K;?bs577*`-79xrH7L$8K!kq<1DG2m#yL?6PE zQ?u2Ki&HOYVZP(5#`34^rLHyc89bZ$~MC#8fJbIGo? zvrDZmHw}I`kliScfuoow(Hyfza>c^M$H)E-Y=je2WL|QAI}GTbx5iB4hE6pz-!nk{0Q)-VlVXDqR`&5$W_ ztiY$tFteNG+*i+^fY0rGSWN~VAx^4HFYM@Ygv1GO{Vic7YoyaAp5`*OmQP~#a%~ZY zuz3?IGzmaB0=n|LxEMF|e4p3u#D(3v+tl?_e*I355b~9 zAA2%Zg$>hJXNiPlFmb4n&7bqmNeXB5@`pXx6+mtc5#rT5Ml=Pg8CSSVp}Hve(4DN@ zmn2qj^=lO0RByMKk0%)}V6!rCKzIQVW6bOD3^Gv#py&j^rQVH8ajO$Kn8f$a6)FN2 za7r`aA1>IIB)3C;K#~}nv@+%t;V-`Xt#c#>Xl_J!Eb`^G(A99>--Wpp@gF-WXLS;g zHMfTA*|TLUI&0B;$cdjfU_t+UIXVG9Nm$t*Ze0|X5SN zc9H=J-E|!JCl4C7l2S#rXF0Wd_^G;P3%K&k2EUDJ8=$`65PlA2a@wZGpY7< zNy%jPI!kE{2TW$(+m1|oA?Uz@gW(5Yv{+yvA>MWlkBKa$WX5NB7aHWdj%~pT>YHdB7X*9idPjW*HeTm)E~u=!%r6Y02`)F@ccR*Fo2Bu zMGj_LVBMG7M z`?x^kK6aLNi&w3fJ-GY2FEN)k&nSOCG1{S3QJGh8;(n(u85j2UDV{!Q(D~m+KU?$1 z!sf1zyuNH$K;Us_U_Uy{@el^f~P4TR`Zn??cGRm~I2(?M>Iv*Qr2`DN( zN%^Y@z{ZoLz$6@*CuY=26B*;{^v*8=ia@3xI~XKlKipDVW2GQ~+g8qn@)O#2NO zXZjfSPlB#km>HUfD@gR|AJszZ6t&?|J!_SrYmS-DuwrjO47`oqc`-JYroY!SmFlNY z=Y_6Mqm7icXd_#f{82cuWD9%q-`ji49j+-2M< z){E&pX(W^vTR-@TUff#~oZ}dz&2yHm3|m79N|?=I>pu&gd)@YR{)VSzI=29jL~jD8 zsnBGI8%B!D=*l7N9a0CgOILENGz=+HqpQ-R$DN<|35Xh&BDnCfhr7E|(Klt%fXH#-&tYq z>EmWlu}R>I40pM-7DlRu9Rsp>9Dr34YQbphufZycCwLnQTa2HQ20}bf(Y9=Hb>O`o zy|4OZk>fJvvC(dJq!Zrnb1i`)Oq{S3UTBXepup#4isw~IRHu(u=I1|ui;9(BWRQ?W z#W#~@B%nE}kQ_3SAzo+PVZfxWgv^jRo`}Ksv|7pcmBesDRvGWh#&Rep7pm7lpD((P ztKr}grXBC3;R&yIq5c`vq3DDPWbo&L#DG*?XXcMSPoZ62o_ir;+Rs|r41jsp)*+3d zP7tG!T(^s&zHjlZs`l$Cj2cnB&(6C*Uz1gm)s0qKt`iBeLY_yWh$Nr@`#YxfxaBei z1#3Sv47BmD(R%PL|4trJw-@R9F9lP_p4VQFxX$rOM>u2O7sNi23eccI1F+X%`!iUV z1K6fiFt}P8|M>Z2$+s(u;yUXFMsoRN@S!NasBM_^bDs<2?+~hveP|QW(`+~_uSum z+((PjZ{~@=rk$(i6rN`i_F*&C*(-id>Q|URGLj8yfRtWHvF9N6j*ms+&JT zn@2SH^pSYn^){A_P15&R{^Yb0*pp~`sHN2cd!joP2!eAyojQmdjV0`SiQp0N2;J`1 zm2Q?0fW3v){q0z0gH@~zgC^mSllF{avfOmX?0Y2Mh4gfu!#s!4ie}4}`IH{Xzi08j z*WmvB8^@Y>xVnzJ82CjdJHsc5^i{22bJGdmToEz1U^_7!szj~mW%?@Tln)6Th%YOu 
zm&@@mlzB8P;InZ@l|0v%vH~icFE+LaP!mSINz*oegCZc+ghuLluKRMzNsREfy!HpZ4 zo^;{)Y1`FeO6LX*ESq+8ctl}sEvs5Y2RuPa{Ri~iD4hK^)MiYOfl-SuMjW(Tkezh% zCPRgX?*FWsMhkMCH+25erMpQ<g2taZFN=1ojpy;1bKfR*2J}d0Rs5! zRG4LABmk}IpZ%0JO*g?(^_JRgw-D(l+J5i$7SXO8Jla-qtr5zQft)30^L3EBTrLrt~FkmOr?0K6t)9 z?X(v!gc8)u))uS})l>d>@T*=dBAlIBR4@>}NipR^Yc)iK;2Q+)f; zrFoA0CZ{FX_#G-`tw08~&UsSF`{SE~9MuQ+{|kOwItM*H|F>`7uC#wyKXpZ3Nxg`; zKehf)Y;XG?EkH>8_QPEYod9@5@``Qd@4>7&fKB_DSizY^vB7YV-C%?K4~c(4!Y#%| z5>xp zSt8)j65I|H#Vdb9ji34n&{}GEL}Ay_&Zh8Ze4W&+Z*O*bdwWmY-{FC7*kaIpid9z> zR{aLF8aH;V-6CVVXG=$fUrk`Af=tV#Yw>G<0du@_eYW7@Jz%-#Ft_ZmlJ9$2D(QNh zVj|)Sv|pvKwBSVI`y!t-n^?V!;tAdJ`k<4O>~~s9p=ALx?$EP)Cn#6#Yv<#0<&F9&o>hZI2i8V)Lg|(+T&!CO%#A(Ivsy2H8e6sXzup)F> zt^4-v0}h)(ke6P-scjmTd}ECo6ajnM#rpXIk9J50CrzxVqF{-U~fm|3&bGk3gWj+-F*w0 zP2rt7Y{aFNdUP*=(d}O)ip{BHpf5bj+PAl0t4sNh+?8$Qf=5k+yK8*kiH5^dZBv2h#j-`k=%cpAr;H$SQ-##!%*w zhh&L<45(ghz{y+r-1sT{tP+%1;t~>Bu(qGKT0c_bQkQ#@n+>F$ zs{PiOBO_kM;~883JnVbKo<}FCb(DYfi4u=>CD|#5x`60zOX@CFYo!5Ib)2zgj01cd`=~hW^w45CvO@I_*GeVGd>RGqR9N|(MfIgpi zs<9Rp7CzfXLVsJ1KxikUeC2ykOQ#M=UT$F#@*_PhtqJRxFF4W6>{w=fjk9S@Wk5D% z7GzSVxpS@WK4BGt*4^dlk#aRqvg6p(avh2LgjP!8hPZUblI=!8MC#$flBf3pwm1XI zA-5$RdAKI>JgqhomeFU*yBqJ?-eXVv-a7~T?%7j6Ey3lJ=8_k`-)Ns!scV(7q`0|O%$JY%p2ypl z*=v~2-r^2t8pJWE^g&WExmsnK^54_om-~3S@Wd%L?^(E)p3X(uNuT@6B;wYE>_=@q zE3{bwMU_Pp5?0J#%WZvn*I6M6R*)OdgHIsb&a<(27fR^+b-8$}>Oua8gx3MJ?QX{a))Ar z4HiWUTQq6HkP%-{E``3`mtyK!`N(jXT1~(P4@Iv=VVObsTo6DyJ`gc7DDWm$B=$ z6zxT^d55nVPb{9-c2>r5VJ!{Ilz92a-z_`AEQP0BQ69=*aJ}NxT(r3fM|! 
zI())|(rVW9^KR3^zWOF6j-sy z+$7RKiIWJqQGwhxlP)2+nr?jx*lx7bN(Am9U>B*LPHL{50`)J$h0#EYosyQ&3}FnF`X9`R=MYl8RQJp_@g<&dz642V zNLwnYgW;x@w|uP?Pv0(rS?i9jzzy@P3-}w7JH_DALrYXM?Kf00FsOIz^Y~N zmkIlHp+=S@?UZynZdwuT>)I7|qjm+3@83d4rqEE2gH`lHSt8mPz0n-xod7S-eB2VgGrRvfp*cRDsU6rpkAd*Jh$fM z*lw}KQ)qJ}xgHOJhzGEop9kZkLb(f!L2ongX&HwTycI_N0J?YP!JS(f^o5|mEiX&; zb6q{D$CoKzJpuh_U_Q?ufVh(AGRqPthXZ9MbEVBj8v`Dl3ciYBEiv=$;YBj84RBl} z0P&{NIVvlhl~EFKxW7WzhTQ{kv3Ounim(B-V2R)pC06*{xpQV1t*2T=cxf2D28yK=DeeBEpigA(3rX4*)q5^n=<>jpO~D{5#sseAYE()HH8 zHCwmk`}gl!E1sz17>B>DPeF*^zLko~_p!~An8p|e<1OWc=wmspEfe-wdG-!&7&JC+ zIz=Lj{w3mDdZqTvRE3rDcJq=)Allj(Ue|!Dc90m(X5JLr`30ur$yPC0;J$7~Q&575WYSK6K!qu^`jYxu$ zKYej+sbM$=CQPZa+pRja8OKJ49cuT}_w%ZIZY#ER*sOm+Yv_TqiHX&YfA;X%u-tKF z@7`{KDeGchw3#$K?hg;=B}NIgZM<`$w+32L7IFdW84**`TgPSQ=1H6_v(A?OvJN9%N;#$z$t}q>9t=ZDKWx5g z)z9=%Q_@mvDz2utK-Yr8?CZ^7-ApxRNdqDdQeF=TqmOQavn^n_gHfZh{dZtYdra7a z(ZxL4*Kt{~Yd@N#S9C6^E%Vu3YpMMh4v6p<%1C1W4lU6&T_67dO^f*DhPh}BGmb8u z6I41s#cEP#Z+n$rT@FMd;k<@@!Jdho#?^w(Ve;x^QvT)$uhw8h5|7 zS>4&Sa_0Hlx1N9o1cZLzd__um>#KbmYY2XW)A&66C5 zHaU>~?0Hg7ThE(s-p~6GQstOXH+uRG#cYH%?IA^hg?sz{ zSKwK`&&aU-ALSqQHV-;5N2SfACpTXIHX>1D)7Lx7N9q~<>2}<}X?@c1IaXf`j{ncp zpSYwDq^l)yD@Ful71rUny4!E~uI%`7=SX|KV<`)o#v4@Isq9IdS`nyK(Yx(`6_}gc zCO0Kiu7S?#pBuFvgbn|8#LKW@NX!3zmhON3_2?hP@88*E_e3C7~>R<-LD0`7V=bM|`GiYEe?{NY1Urtrb284{kRZkTLQfO>tL6)`WiW z0r!?=7q~E&`TyArF?0y-6a&?N1*2{IKR?l)|6iX-(dysw*p_Gi(jNMsK~lfI-lpEN z=)PRn*y8XtY}T1e6;JOyKXu%CP=l$VM~(iM`c*4M)UTF?CJ#Q^+Z*BbTwK2O*7%{s?b;?!%1Qj6S91#^Gjdw1hxy^AJ|r~db=yc*G4zF@HWfH_VNpZjE}nAAV^aCU1}VY~wP|X-CF61T8F5c@*wC$w67;_r9h|AS~YAb9R={v)*AEK&;;D zF(Wv?X-X}fVzjk@CAV|dD}|z`ue?$h)Q*mZ|E9F6PmHsbP7p`hWrS&ZfgimK;~6Ui zhTk`_`dfBgff}j~3W`Idd2%s|^@N|Qv`}LJWrW6TeXh9Q2Kv=0d+6tU=CFwNS`0$V zJsCHv_-Ra0z~hYXD|P)O&IaWU)&-xvemu!?|I#V1oNZccD*qPM(sny9?^Wl*!*|`= zX?0f0&EB(gLfr_D$T^wO-LCIbO4R#NeD~zq+P^}Uu5ad3a{B$l+2209s>dMbI7n}Q zWXdd3&|#V(^ZKO`ABwp{@BqYXm`z*I;1;IYZs(LjT&k47G=(H!MXg1W4(<0*hT=$p zzx)cJq5K7aoTq)Ihe1tB-lZK7&qOLzAcN66zdvOZBwu2Pi7AA(uz71XU8$6SO9T!u 
zx8G7L5*V+aXG(7+7nn)b6-(t4qfA=XTnj{>IV zUy7(U_ySD15Jyy}(HEjbZvjb%4+uUescC8rWDq);flR-{M-fLRSm`w`zqQ7!L;^4OcVSJrhIyoT7&n@_v!vR_MyYDmYSnv}zjW<$7@7>bRQg_NcjBc?Lr*au~#14fXRQ&u(pEqqeRMd;}Y*+S1jWdhS zcIj>Cy_C!UV8qy6#RuhCnZJ8{?!=F~87^}l{Y>jrcroiopS#QFUe(>*wVjS%SoY!I zh>>qy`)N=Vk(Hc=M|J8DO*k8Yc@RafJQs%uM07%+-r@t2dbOhBCT9I<+nciM%BjwS zeNE5mIM&lIi;*2B`aI|&JK!Afi1IRBvt{~tKEI-J5Qh`%h=C++saZhYOyAkt#F_{M zNniQ&Z>#g5<-^ZHCS`a(+gm*pVP6 z^|QF70GnT8BSM1!%n58FGA^94f6=XUtg6aTkD{put61Pr#!d!^64Mg5a>j-1m2mPR z&_s7NB~Y*WN->)H?-2{K*WA*F+a*YjrtPNL6|7Ml->NWn5>A5HIru}-{Ug47Pz>0= zhkPEHPp~m`fYB3~%UhA?wxztvhMqaSwRYW#a(o}rSU^VPys_S^5jKLl3pEkn8CdQ5a(IPM7BiXHx!OlCAq zJvowKl#xSLKVLr3<_z!b2ZKK5U+u6$TN!64q*!;7-Gs9aeybU24)Eo7Cm}&>l1e$n zpt>S4fj*L_Fsf-+#-<&(`Mm{^k;M6ohFOM)Q=fNkbi`ib`VZ2?^ectz@aLOXi1=;> zwnUnsPnn4`|JvlkeN(=#y!>KvZc5aXS?5m|9T_#c$%=y`e@=5)v1Mhm_TR&oY%x>x zuk(BnFt2bHmydJHqQTIW(nfI@dSp^iN-`qQl9o+XQwE>X#fhRAEr$$`C8d6h#_}Zr zK>}cG;thO>{gAC6H$jx6gyEu@}GzBQD znQ4j2q3(m-C(sVeBNI<_*nbaz=s&8h%ueI*l|D(*I*B@f;VG)4Z6#$yIVI^ z8S>uy&EC0@p-9b;$k#8xiH}l8eyJogaqbEaDTd6guyO}^K@h^p-~(@;M5&OLonxOx zk;(kxz0vs)ANI_h5$p>?Dx@!h&?j%d0o^#! 
zVo_IRWt)~dx#Tg@nAm-MKVM|W2&-5;F*AR!h0sA#FbgxEmC>PgBOh0z@*+DvLz`I2dYnQ@a9SC1$|0xF-}np)o%;>7Y^KNQ zwkBqGgDgYJAUg=O!;Q4IZ_y zdA<0L@dF~|ZsUz>Zv40qrMT_>Fr$dW%p#{BF6Oi8*L|nY%mP0Fq-zoKxf2&mWB^)u zUHhlE*G2eClwSRam%}x)PKaDR zUJ2aB{L!#SDp&lJSc~Y8<-P=#km=W4X+1diSWhaqasqYjRXIHy7^#$?s;e-n5qJKr zKG`<0GUEf5M|7njpU1=J%yrBYppSz-D{6s`sJld~$^Qhvkf2Mp5TNL+ty8j&#=@V3 zmjB>Lh5`Eo0jF|1n?<9;d0Gs7UauR3BEW>$1?Z)xtRBW_GX(z{Lg{6dA3xSl?4orhv;tYnJ?Z)Pk<7m~X2Ve{K{CAdp6{E*ab=ulO~xk!k!!Z9F0g zhBl84bT4+Oao2dq(OH;MSvI&X$9yujs|kR`K+$JfSAHX*bqNJl#Ft3BB5qzq7IvTE z!#gR^{IRBA-|;Nw$BNEvvCB^|sWT5QuQf+3=T(%_gd%>|#tC!Z+54ruHC<_KEkmOu z{|xZFp3%6B(4TjbPw#Vpm^ia2eh+eMekpcZ8MZ?4gWTwpku5jX(V2l0<4j>I5%wN{ zK<;n35jdX;YY(>yPpuEUKkcRPQfRli9i+mLD=@*y0Sv6KQa@8&YZ)N;`rxS225lO* z-xTB8@zIqe3M;YM_}w=svTglho{ zusVZhXM#+f(H6q(Z0T?)wg!XQ+^>|PRRI^E9 z8M13tz{UIvmgEK)OfS2QP;+PPb1FZ-f(5myzOCIg4E($c-t ze5)I7V*x1k9GcnH(2+~DH(WYpaL2+i{_qg{2~6&x)8pUIa90}BOhjePqq%ZcY0rqI+N2W%umh= zZ{9iaM{D2hzelk0IlF!9J0;N@or{h(dbdwOh#EGN44DEgBz8ea8Hx;<$|`w_gs^q1 zK3;cu?dx7WZ%5j8J*ZBe_A4)A@1pgAfq5&N4p?7Z@9p3>ifOa!@`IJS-R==yR2>xc zA1%Nblck|&XBH*@H1)~S$#+Vku9nPS@elxMl2jo>!z4BtJLyo zjDzd9e4s#zMiQ+?v$O3=D(qopMT;*IMx;gOtTMXroj*UnQ0(xnD&k?WVX2Y@BfdR6 zJSrMDZu|RTh5_oS*KZ!%Nkr=4L#SdQcxOP7Zw)uZ{YLTC?Js zTrb!*X5qqs%*(5+tS0h!C`(cYm9EpP{rb9vtLX>p5&o7v#sWH&MV@|CoEdZee9Adf zvr}EXX6{P3_wH~86TX0rm2jh-wtGVi+qczL4!MN>dArX`|5zqxGEvpih_L5+w}pRIcRQ>1Hb&$c*JT~ z>W>B`&!PX>uY67KgB~h@!R*l+M5SIP_jJEk=cvX!ec zWlD8kL%+wxnfhPmnbdy2_AaN@BBjZZhkVqGrzx#6MzYTBGYv2>{muZ>g(maAef=r~aM7i`qyZUyX+lN-GmehI#f{h3m$sA#%Fxh0pd`Z` zt0rk0#o7HL;U-5#KO2T+j`r9Vc4*}+tHe3a^cvjpD4K4lGwwq{ z4XcR*MkHJnJmC&4x{kCUmqT==C`6P(n6A77(1V*VnaWqb_+sbkcHDmu@={X4Oc$2e ztAYkdAO;1o4c^jVw=QmjYxNwCDhmE-w$bAQIcI2t1M8Pa9G8NG9Epw)Dzn?w{x#g87XG zuIF$-vb4=P8i#NCw3Tflft#RDdV%{$1+t@Do{}}i`q{;(8&lrFq^7ofs4awQUi=X- zC9>7l%4|c5K2f9_ef36ZN$$!XE?ItsmcjH=k28!q(b2g}2hgO+-llHBJ9q4Oh*8<{ z=?XX!3jHF^RD<9Z8!pvE2My}Uc0!Q$nmU&C!HvwU=^z=?MC(;tTgOB3a{Gh7Q<&yE zT`9Fu#E9fFrUGKakS&7NPpUUo#EGnuWd1;+52@n{DMkfMz=CA9Ox3xMbRUc9J_zEh 
z;AE!6`wK-H;-N6qP4jap#UfV(^R= z``fP3eIOo>fq+15&L7=5&~cEa;5S+Ybj zqFLKiQ=I{B?%;Tk++7Zxp1=!i=GJZ7TC~jnI&}f(oBZ`>7d?;*#2`_bduHAZN|}eH z)%OC2`JyhCVTqI*+$O*}eY3P@arYLli42Q92Nm+~haed6EPpQwo6w z(gqG$=ZK)=HzSpujJGxON+4_(NQ9W4J_PG}IST(2<%qULE6M(69<-hP52UF+Od_ggj(HH@% zm}#F-)1qMP4W!x$WihcgYmioB|0phgGN>LcyBqP3@(b!}e}XNv?$~h>k1L!PO0j+uDE*Pcy;^ZbvAAK>As&5w%~_t4;qRGPp=(#ijOb0 z6*RJZ5J3@G1Ls?lHUpF*c3Bk*M8|G7%=cEb+^At)qN7yYjL> zfvzaZI5Cy~=E)F|8JxDD+`_+|^o9+y=OPN;SwL%z{5&1r+xuwz{K=br z!1X~ns2@?p9xh*R7I(s%E(*Wo5PD|Dn06dGbTCW!YJ)Vr9*5BYLpS zI}X_;3}3Kf?yPH9bx*CVU2J63IL5cvxuxTNlv)ozsTC03^-}s!m-d&s7frMAoK~H^ zVA4hVLGh-~*H<+;aw0p$gE&t$_LmPi3V1_4~j6jb@{W?&I~!Y$kd9=;~Mg>A=y3E!NvQ z<=aFKKUv{8_F}N1O6I7zsj2zJg@*qk3)>%px^!Y*gh6e_=fH}uT`za)zoXkfPl2D_ zD`e;2Pvr04w99zh{{>z5|02hxFw@p_SeySoANef52)2L!$t|_+|9*!29n(hi@_&EszyD&n z!T%lCcWd)?jY|UpSK23d-(5C0L@#%4%=wcQfo;A1`zUU0PM;D@ve1HlP3-+m=ARgM zd(YRqz1~&Z-al`>vhq;o${x$@kEvDkd*fNxz5J~~Kkff4tg*Ykc-_g#aR{++Z5e?( z@(LSe*xJ)R{oActdHU_jLv1$4Di5AGhOx6=!3{!^>PRxEH+Kc>L~vZ-8Gg*uo|c>m?I1HH1SKRK$zQ^^m_u5}oo zu8w@7kfJG76Mf`IF4E8y+at;4m{kmr_+1ob*1A16*_$SQ0U_w z(MB4$kx);QE1jid$`-Xq;HMNw1=wdPP#GW z(9YzSh`?|_9nA?-kuTkdrp{^ArcIL2c|NeUdCOni`+Nm8mdv#jABNuFRY5S{RZfG@KuUNDN&lBuseUa1Ycwtd z)%`4ULC>_X#vRN=V0G@kpB`H>_{rjV2W_=NSSFr#Msv72ZGim&Qnlch322TQC5Gt^ zu5n6)jO@(rF-zv&i%SNWUXmOnM+LwV#53+uu{8`I!kOfCfs_IVu(~SDpcP|Y!hPE4 zqt`ybgYwPComqJHi|JcXZO~R^jq^NaZlxSwcJJ^Q zsu0SWi%vCK4@oP&>$`e`cK%SY4q zKeUUQYshjKO5PCTp;Ic(yY1X*gaO0Vtug2uEL-hN<>#4#K?we}A_zD$95GC4B+f7e zq3lG&8xKZvDIc7oie7-@;pO_IpRfQ9aOOyJIuJj- z_5FE$R=Ck^E$S%qe`A~_qFw2sXcJBn`^aI!1aZUpwzP=SdV{6SVAQ(|@CHu@{|KY; z$;q?D#V!F4pdc6#|DX>>&Y!~a6PXw6v{OVyWqEnZz<4?Vr*9?U21;NpDgfk|PwSp6 zw1;O*CVC;oPiuvJUtaW9QavrKUtr#&S0?c&XyJ3NjktE}!`?r?d&{Mi0#5!GP5z{1 zyXwx(ne<2bvu=&Z>TpFg(;8?h z@j0hjIMODf(tAl6s+cCbNU~p%u%YxD#fa7$D4+o@bQ@{z_wu^MH+46)?%p!f)Oy_Q zOpP>I;U^bdI&&i$K`7+D0c!u0J)5w1qU_~u4M}oqnvu&-f=dOJP)oxVeiOuv5F%sc z6NoRzVV?P;Su^Jd=URkv!n{z}xi;*q7np9*W!YdSQB9M#AjG10!P0=ar(v0*0$mDd 
zsu*uB12cHIP*+I#GmeG3EVHJ4Eg&IhR^BjdX{Zy>Ajn$+bDX^MZVoGyZ%3fIWVq(& zo#j|fL%=4B0OBMGEf?!YCd9i|%Pbw_6Wc-D#brcc2a7PiWJw`pCTE_=y8bgfHub^eZj5V@?O~s@@V@2yISmBUW zxdjCU*ZBjZGA)wH`^cv+SJ6Q^6{zLAmgA&hmAZHl2LWbQv`KLy(%Jiph*SE`IR}mU{joaQxS$X zdp8C5KZqj-_cV@Op{9`!XT)Ffzv}6*X_LhDKvqmLGwUW^eDpMp%bG=BxFDGg;v!@6 z0-NjikbPe4ub?${b_T1y&WeuP}^2kU1L7z)Wa9)RsrMa2mu%`i(hyZJ;6OrK7Cm8p7yx9HXybvHJa6g6k=&xl@0QT`TCq37Tm~! zk^z;2U^ETgxPo3#B>40tBcS6#!RbL3%C1;*V-Z3(AqTgeGZPTn1AEIvJ2b}+EXFN5 zGGvulo!E#t333L@xc!tTwT8cP;WaR5|`F86h}z8 z(bBTUmjV~j{|He`L=fvy>GM}2nqRRh#HRv~-FH+iyvc0>S-eXp(y_{V3P~I#4ivt6 z;IxV8q%nEj`}`%5gPA+qZ^{u2Bi!K`Mn~JzOoDIB1o69Qn=gJ|35t^az@t#TR8~@w zf_b!_XgB!oGDifxQ^&0m0|W~h12r!B%rwpjcL(K8;{=lgC@C6P0Sep`d+GCKR1sV@Cn#R-LG*`)N6V{zG?=Z`^W8Q~pnHdh2$9zr=qUf{Tq<*D#<|1J5_q4l-LOxJv~3wor}@ag1+eEs?1l8Rv2oGdY)5 z!;m3%ye1i?+_Js00oUbx=3}#0Q5{eAd#)Y%oeNEsdH26p{`qI71`kcifW_Ipi2?K4;Kc2*nqTr50vr8 zvr1%!6o-=_U3?dr1SgUNZZt^NxldX&Zfa3jS7y)Np~4P>FsJos*|Fm;qV0GN#gOIt z->;Ib&FN4C1Zc^OCj=?(Jd1OdmCN4T3ygH?D*j)|Ac)Br6>gY)hI8~Uh@x}&dHGDy zKh1T(Kj!;S(ou8pM;ra%0Cd=Cnt4WIBoH@x5s|p zuz&`LSgbX5wa%fZnU@O9)QQ)$gu6z9bQBCumjcnA13i?}h=e8a5E>=m6k3Z?Ce>#^ zWI!Tqbe;daZd|~UeIUtuH4GfpT4>!?+Ix(ARiof<`CFdGs3|RCc zi}MyRcgAu}S3;eUnIGi3li{D;))&gmsCm~mM74dTBBQM=e=9(=C%IjZA3r`e(wra; zkmVG5jC*tm#~%&IdZ%WMtM1J3DQniODZrxP-L$<%_K;rlyWP5WJ4L;8M6=2x@i}9f zzI(pofpg{)DEpiGH4AKOZ37IQkKR1&Qqg<2TZeexqS^Esz{L}Rai{ED`8F%u(`dJr zC151ihp5AN@%ZVrNCdzB?Afp+#Y-(-5N~xCML|=a_&sqDg-dzTG6GH<;gn?p$UZ7~ z&Vi02c{GN4(e=|}bH7p8+P2la?Zx0)N@rIdFD+Q_sydZFzH}XWJ!JAB#P`&RPmYbz zjQoyLMuxpd6o(kx=22J^VFMDoV~jg~&TLICr(pAIQ29IW1~Mjy2CrfZU79#JttVAg zRcXJw?MNmkfsidirded2T|5fHp3S}taFUZwe}m-h;nDkvo=kYn^|*L99)-OtX>n3s7C0Hv_rVByELVE+Yq|@Sy*-gPc@% zN%&h34{7fB(KGjSp*8P0?B$B1@mt=l)1wvedZ|a#as$e;UIRrD#PJ2)9baV}(eY&H z)Ib_T%Y16J?wFJ)Ir@%pnXHC1-}*q9g8<% z-uTUK`lyEYU`stNw(HzE>IZ*k6}Xca40Rx7m1_VA;eK6hYD{7;UC)&XM+=T<>3bMQldz zoqK7L#q2MCNPv;_d)$1%nf6tvyd+nZuObmzx~-;srTR8ayG6j*`vN%BP--sbo&~bH zT{~W}22n6ry0i!V#|$6-&n`TH77;geqqdvkGz1SgSv4Aw>4f`@#7r 
zmkXOq`F#f77@m~M;0=~K@P1Co?EQcxS9yc5=i2jpYVW4;i7;}VpcrS)#G&ql`SQ|e z1AVP?D~CIOYx`3xP2|odHG{O0?!3u&TO!e5a5M{ou5sIOxJ&R%x9S_?bNl{9ub@0N z{ZQ?&Lu$rqk*Td)?5W#0s_^yO`nk()4O7REBdL&9ETkEgOO`^ zE!oxk*}5;Sk}oGs$c-=N-qvukox0ffS+r#n5%W;*8eG28N!M-?D;Bm()8zB}xX#wq z?p2*9LAeLtTVa0c%(s>PEj7f>vB|A%%)q4KDy7$!4=$V$F=*CcSscbq{d#OPK(I6B-Tye=|AA2Y%UZj?;{rFrL z+6gnOqW2Bjm{tr^pYo$y9?G8IK9}WtqTGSHmIE>pzi0QIS(EWHhea<$($nQOx}Ab%6w!1 z6Ok^(th1dui?F-l!-u1{+86zTL&R`g(Sp8Fr=1bKt+D0kcR1cCbVqXYUj)jenBu0Z zw#;pQ?0mJ#rqt6s%|dzu_@ngs%#+e;?$~?xXLY>+t0{d% zxAiygP=W2kOAt-QC`i{hVk$(pE^PnJIf^0h-rAt1~wym8-smckDpwty)jZQ*Y;O0Uck16W^rFwz^L*D z%qkL-yXGY*$96d~;Y#z6p@&y@d@!ffqsBLF=K4V+9R4zh8nei1SKBq;hG&&f z0k?oq;tZB*kHcOTI}M6&)70zC47x>s>28Wl(Wzur_|%RYNIVMObO)lBv*NIO-DVDF zw)}J?(q1x2OH1$0g~`3M95o4@P+r+5%Gln-^U3> z?91Y17yB}J2;b#aMutYx(+B%=ldSkuvQs#t?C65$+||M)tHOS>nPDL04+81Z)OF+D5xGK1QLNk_Rx4+*Z* zT{m+xU<|k5ZR+sCI@LaXWYDVwvtt;N$T~SXS#{!=)-Meo9KaWE)1kv%CL2rGBf?(` zngaa4Dz~zx*|OZEN1nVO&XnZh#JSEDP-%8JkT{Mts(nZf#&C3*g}BQMg^&`v%jIRm^Y6g>wcXSn0L z;{5Kn>G|Q2 zs_q{_uim`bNs$5;CV-()w^y-e7Vl*^0umwj`Zv0C=^`(QchWI*aI($wED~Tj#VKdB z=D&%LJ$LRHHW&$05wThS#5Hrdiv?=rzPUeS$DZ0Bf6}qY<-|pqGtJiAd>k)T;AVo za0C7kdNt0hp$J9*_&Rx8!Wlu@8|huvmOOQ?iUUx~b|#cvFqol*0iP=?UlYBH{_l^i z@FJ+(Ecp?@+O$t<)eduup5VA7lv&30gw$^}c30goPI%mTH=$G9KdQ+oNSL&{(buBc zz!VZmdQe$CJo`!bS#xlwknnJob@P0^yey&<+mx4yc!&)#Cio%pZtjj2T<0_NY}&ut zachr^saZ0*a89$KE{m?$b6KHgcf`8i)Nu2M!Q;0$R4qMfYUAHje?dfG&Gqzviy`@` z??+@;WKFdg+F{Tlr5A}~@7x=`E_b$W%N;GxwgZQx@}Tok=hoKDu`w>J$UX7!904^n z7M70={zx1hH8+OfiG&{&hN0#L!ujvAI?wIHFp3mNTs9U&X=5v^V)d@?o0P|eWR31_ z+UE7g5oXULKf68+9a>_0DP8lAGiS0pY?ylc#N|;X%eLQF&u;Y zwqCg1HF?{AH6w-H$wT2+_VU=dso$?}U|yVc;k4nDv3vLQGP{vCpkx*T31A6Y(Dr#`rE641CODHd#wr)AUU*Ooo;^%rp5kbllw}cV8F11%>t#KA0*8 z8dN(qaon`G>REVEw|}|KJtj9tpRAyhsZ|?WmcGf!&ArJr%RYZ=JAMf){?7qRw*Ti$ zqND$s7xnA)4DVj=e>=Gy#>#*t-I}joCv}h8M%muq+o18Q-_w$luiqSd)cGIFe60%0 znSP=1*tjQLeL+Q=WR!FO2t}`dt7m>YXf*C$AFuoPE(f;$Z~OcI$M0u`*T4Tw#b1od z{IBqYB~{pn-}US3{_}s5+sM?cW&`7#l}D(&Gfi0^qyD+eyCGRK62FhinfX6I%yy_D 
zla@?v+r`gWchW&AYTE69{JjSb*1kJ^q`%7;qXq8uJO;Fl+_C=Eh|GQJzJdQEzbW5o zwAs;dr{SPK4y15P&<_;ZbZN5JrFcR;6^}iu*ROMWQdn}I{W}Xn>y&0ZXt6gq@`3fNBC|FQ`k_V#Fz6v_ow6k}D~sgj+vuC$Ybz)zDJiDK zqHEQCjvNKs9BWJgZ0zaNr+w>2QJgxZYVxn{O{1uGn--3<#vHBqh7pf#2A7nSC_W3T z>+*A`tNn~92E3-f9mXHyOQQtv^yYnP)d!R8#Jf0_aXD%k?T{Uo(E`flhcs={xG^(MB_M?YABV;;+Rg@= z4U8ztLQ!zwUp^1qE|yc8mcsGQV#A_!&>WUP#&}aD&EM#FW3nKpKyzra~ON&{MT#rc@W|lMDM{GMac1b?9yzE{*derCH z03%s#7{Qey8CjxFKrA9zd0T0h*w%c2BAU+BD*6m_LiOl1juJ?!AZ5$)<$aNQ(hoL3 zbj0_)MPh#r*sjm0xmZ=E(<4gaHHA4yC+LHWKDZ0vV;?t)$6z0qF79ziVO8J38`C@O zY}Pg1D#%%1G|o1$sY7YFx!T1EE9R+BLVn}WhvREB8bnmEA0bu7T+8NcANn)e zHE{}RF4|xjHOeP?Si_*%1bFd5F+^8tJzj#>jJ8^Bn+cvOsQ(F+k3d=J<#v)RNu?xF zzksK7*6!@>;r3>q`KZF&0`VN_bXLROS*d;B8P_fRien`x9`Kq85&Nx7@38+sLd*dg z^euVF{i)>r1}+)9&&PXC=XM=CCiAnS16(L=BqbFlY{bSKh>F(qo<&ZXAmO|XH1eOg zJ`-DIJ5d2k)+fI^=h{Z*3^Y2BrdQ@LysUa!oaxcHJh;b0P;Cz}H}>mzJo#h2zd}f@ z7_5EeyLrrwWm{Ek7l*o3o^W4OXB%p5eEd{?P`K-Tg$VE5rE9etzlh&k=l8Q3Q+XvK zFhUE=EoGc_NA2Y;MW)5dgIbPZv(WGxK;y^`nRK8B#r7`#dpTk74*|9S*cWdqJ)b>? znw)xiu<}tx^30gAzoL%m#-mx?JiXaF<4k`D1J`hJUrD7?gQT=KOPBMoQnIr*yE*;8v6bWVU+` zdLB3uO%^5Er?EWdX7yd?fAD;MTI)K0-f=|k*D;R|<@@g6KN_cmcO5eczP=6ilmSW- zB#+QZ$3GFQL%t=STwa4cqtvO9fx;v`+smsh58P5apAltad0fj0Fs2$-IEGAFpp3h_ zck4EvT{4w1mQWBzK+!Z>zg-vT1BzMv9^_jo7SLM7egAmPFZQ&-1k$@jR09+fO5UKu zMQ2KFOIlU=aU=?(muq0@fWT!5U!L`-ZXC7nX!t#udP|;<0-}o(ybt_K-lS^@tcx#ZaaCerI9q=$(+5oarBKczA$yG*)=f z(jIDx-i4ha+W?rDX?O0Bf6#hAho4Oo`jOY@H*{?eiD;mjUY7P_&LhNLMco&gdd*=k zp`y4Sov?YnFkB=vY`yoSl3teFjR45@{@+X1qw0}-OUZvOi~rIE)uWe6*X~D;r*H1! 
zur|KU+3=GmPpYeU{jsFtO9VOXXMI)M&7NI-<-mt^Ba|22(#=nd+2>QV;Lx|ZN{3#r zvr&7r{#%{ZXJ5i)$quyOK`CzA17dIvfeOw0U9L*a$JB+S;0E85QSsdVvoc4*XVUDdj9X(5dd{mu2A&PpShr(P*s0XkJwB zMn1OrXYvA`uvzt6@H>`qoXZ#h7My=THl`Q0uqIY^7Eb7oJ5tqpqr*H;zFk+_{cHXYiMSTpL|E0w~UcL^A;T0GAo4d zg28tU9gpQxWD3F=ae-YK`KO2*IQhL4`dTRFAkA>cAF(+=W)2ebJUl-Eb%mre^L9@B zcBFeuyDBnH_R`G2-UQ;EN{hSaWT3DVnPIrolwdh zN0E}ck()%o3g8WyK;*y+x_>4p;U1k{Dr>*#_QTVC9oR{1D@iVx8z%b#eqL+n5PA8O zSMx8e?ws$o^Tgap@A7}^;yef{%vKlkl&UdMSH`?2ra zw(Z+aL_kOZ9-OemAj31h+7$qF%mFJDPklN=advUZah(5-K3xSo3*Il5w7G%`gFMpOejkccTmxkMVj?3XMC2iG9}$ih zC}H0pT@_VT3tX9iJ1t!R<0T`wP{o50=Rd?`14F~e{euuv5akVV;ly_kVvtQSx#l0<+)46T9ca@8L|R?^o{ z*PeCH`N}cOpKGlzDjnJ1F2epd&i%nZ z_H7lfY-nHtKH(c$R5X7@q!|f2(jHFtM;EvjcS0bA*%RMOW`0j^e2LkK_)g?K%qGWb zLh6e3n1vIL>PoRUx46t%pEjq%h8%rPeSoi(dPpuuk~Pr5S4s}%p0Sce2A5#z;^Gp; zR6R^fOKS=v<>xI7U<%ptFD&fEV++k(E)Rva3f?ed6fWFbmZ915X0O5tHeLKD*61tT*lXW=LmQkd4 z7?Kb;+>aGctO3Syq5b9i-aOPN09LeDnaG~kizeV62pDn~LanAbJOe=;9JtlcsEPWB zIL5q9jXsSZIhv_WreS?ZqT7bv97-1JmcsmXVVPKdf;b`tz&(2^L5bCooz4Z!1tiEyD(%y7HM%t{Ku1SMA+!LwzTNs6 z5xR+~!2;|lm6*d&`r%g+%NA4;aN%491q3c^;<5y~7*i=LunrL>PYceQ0wyE84WdkU zdUk0yZt2=+T3}^xafn9h1M}hj3!#}PDlo#KvfgdKurQD}c&VQH6pzq?Mg^W=rAm+r zLz#=GPn!&;{Y!b{)Lz*7GpiF4?=B4#ZJ(-LIr4Vf;3DPoX1nPKN4IE^Dwi!SM~ z)ba}AXnf=PP{sRSEx;RpglJ;OiSptYH0sdWh=3zA#U~P$3m&6_%~o2>R#!_zG*ehm zzv_fYLpAB^I6gI{^>gA%kx_TUwjH~#J2$Yp2@h=gsU>>%T~dPB%#LS;)o=+Mc)SpM zdGF0z2dpG%(k-KX9GB|59Oo;lIGe0HKYO%*m&d+}0;3KvUWzl>E(%QgmA}+bX67Ba zp0_A0LIuRdS!&!f4elppV#6`0I>!M+U7j6WIb~`4^RsJieQcKWt)E;UZ9omY1%VeaVvH3di6qEt!W8!7 zWH^j|W%DL(dhWjx#Rl+;PQwdHJKN|4b|%ufWV{U|2scoy<-(=G*9B6lIL79CY;h}G zCg+`Tf8(N$I&qA&%_i{HAwrR`fR!No!?e<$hIl*RG085t^8q;1E?j>2%p*W+{}R_^ zG9v&GsP`DXAvPsSL;PQ#b1j43I>O56g?f5E^uN%hN3gd7Qu>%}%mW=QB6csCrok!MI$PFLsW z;jgb~?Rq_hpl(N^vK>;EI!$`04hR8GN+nWzqe3Th4Sjhs2=;>6hotmI)$`0Ja=DOr z=;fbMRZ(%xvQ$E*N;}cvwd~>h$yTj@?VhTSe{dw$LB9&=L}KyHha3dSMq2`a2&K%( zDQSnf2xC;5*d)xSE--IeT*`Ln90uS(z zH20E4p?_YUlrQ@|6jEq6_>WpExby%}3hX_rFS+}Lkv|ik32-meFwXd=DI%H3rTzV_ 
zqC5Y*?db;0(T`(d1=VLU@)gLyLvctkPuU&EJt@!Rq?($JhB<}Uz~PSE!06U73W1&+ zLKJYz`!Q(s(|g+(6Ww#LNJ5gBAgjE&gJtT4h)HGhEBq}^J00t}OF29~SuHs(_F%H* zVg@l1fgn^NeU4~Ep|teXF4<>lY3Zk**^iGP3r|$`yxwlmOcISV3@M1z+g=Z8#TNLl zEG;e{v$h0G8Wgk|!VmQFhoXVTvK@P=K~y-|GK=}a*{kj(Y(dxcA^$kXO=lPA5)1*0 zM4lfC&m85Eb$yLYMOE~8a`R;v@pQNhYy$as3r&Sc1`-jt)jrTjDjh9gV}%@D01o0T62p#~8e%vB0zDYl1^mp3 zW>^_*q#$6xB?4F`O#vuiHHVWxYGS$vnP-)nnhN(sonw97y}j4T6fOQm+z{(7uy-$y zetGuh$E+qMv|kvIzADFtKn%JEg;Jy`;BGDI`u}**5w$V=k^d$#c10FCUP1SI-nxzA zO{eTeo0CHmfT zTXx5}+gW?uEp?}sMIKN|WH5!RB$v+bVi))nf82HA!(l=)1KsG0)cj`zN5HLH7QmN? zm=a3ZsvI6R5k(x~p@|9%t`;yMB<^5;qoVW)&O*<{LUnzAG z{YX7KByR?Of_QHhVCYwF${CvI zEyXshWg-}AB;_^gi-!J7rOxC0fCmZGNTvn+LfjYXIRleQgZaw#{Rce~9z^2HfVHv_ z{{gkWD)1N*>@hkf!G+8f*h7zw17(uJ!&2~8H3mS&VBZq>1RAuxc%kIHBEeQ+(dzsS z8@}dqp6I9RiyQ~V_yMwa0K$s;`rK~QKL{5O5pp1Y9MxUw3I*)wh;$v6Sj%~gF(q{3 z+l^^+jx%U3MQvEyG9DW)A&HP+dG-v?NNWO8$L-Djni%lP!rh8hh3(R_F@R|cc8 zuBrDG{B5k_Y7;Xv0$aBD;+rzW6%Fajg5Qf`JK+Wx7wpn zok-7%D;W2KyW35lF~Xy)g^wo@%3njx)qazv5F6fI6-;8`Z2}BQ`NWATQ~*)h%QRYQ zonOC20Q6nIaic0yRnnFL9E(5>|B)Z}?`1I?rn{s)FUH6Bs@IpNMpa!BR(are$&~0Q zbSD0uEBx(S|KSc`%%*2nYQ$9nu{YxGE#j4B`5b+l?_{RD$A);rmI@uAS7R45QpM$X zuA{g>qw`>a2d-JY&1aB z-taz7fd-YivYMLo-pwG*028R&OB`=f2=D?T{A?h6huWvLdNFEqu2tOK0`(ao2936O`n~!p zF|g^OOVM(0W=maaP0Nwm{xXHvM(RswbduIyx%I4y8O4A=;}l;4^>1 zdT|1P9vQA%ocrV|MDHL?$RI?#k==t9!?@!?W%TW*OK~2@ng;zdF;vM%RNh))ArA@C zf0}gd+4j~3V!_GKSX|yNWl{;MOCCj?f+3v=25DGy;$(q?{NQ0W_Wt(M`B;8o=|+&j>3PI+%-hMz>3M<%>2vBp7Tax*x$R8u`j)Tog!nP-U z7Avx1%jJ;%{l!k}=r%!TI-oU8s)GDg>E5 zu_`1DfH;+&3*$$_XFp!i_X^TE?lg7DHtPj&&y{7zc5?@RQ4;Ph`+J2b9kS^Y6+0)F z?r<%=?0QhC3X@~m9@$zx$tLrz@2fcJ*feVCOuO`lgWGhle=R|J)LH=@b1zO^`hxC9%AnAZ?NGDhkIp%D<<8c?w~c!coGmsg4o)@Mpu^qcR=-+3kT z(iFl7B9W4a*Cc7%LI$jdZXqyLq{xC6Wfwvpi~-;v`{XU@$y5ag;S3luC$HXJF9TBd z|4>H4or`s8T5xP>Mp+7KSrB;?Y4}1&#FSk;(-jEYfFu7JA6K_+#{fBJTTX+zrGu7fVFYQSt@IBwa+tq~5}YA#$y_vEv<*`W+{npnTv()YDst0|F8g 
z=t&}qUyG$>grC;9F8N@Iu&jjszLRHBgo5AMS{3+jhj|PXe>3tFtpDs(=%k;ETv`)l)TzgYQAXp>KM}ovk#b&Y_s4<-qaRhy%4=f8)kdg_$(LhHm>DLD55BYZVLpdB`0Bhh#wqi5{;m0sPh7vWa zkMOz5LT)RUocqgln8xz79Qy{#Nu)dIG$Ue2VCaxbNg^A8k<`PB`kVQdf>5F5rt3Vj z$L&Z)9AZ;N@OGg;2}4_sBsY^Vc>W%8S}+4SxpHd8e*xI^ZAGqorCZw&!n@%-h6hAn z3E?bUI-He?`5dDNjpBc!kN3|v;etnFb!Vl&TzTg!*=lU?UC%I;#yTs>xb0--;y(7O zPQ?-ZieBePKknff|304OtXKsHJ0bZRc9pbhXT zH}Q*vD*tv0z*ZUTha!l2FyNSdmkYmbK(|>d`s*X@(5Mb`XA>BS;$}y!@dhP2Yz|&c zr#>ue%sr@@DJc(mC4AhK(3(_+anN%XdTRinlKlvfj58RP6=dQOf$IfB-`Q>mJ` z@R}hh5BG8KhC3>9L&9)DdWyXULWU5quhNq%kHS;>Z6Ll3X6E>yOhQ_Z)cLf_HaS_@ z82ln}$OQ-?0VJLb0|z^XHrg+7TVA)jei|(TiVP+ZVBu3RtAB+(4^Sbl=jKjxkcvR< zmTWn_6D{8-(b@DL(c2#d0Eh0c~(K%g6%x<=J}7kpw5{Ug!Dy^oF+eQT!GQ6kOo4)H-i z1XD+P=diJx0Vble_&DUBIH2FbVvJcz_RpDW;~qXBLQTe9LIVP9Olk2j6c2 zY))E_fomYaw@0mlb_!TnQ3(BuCj^c3cf{1SYow!EufRUhJ_H%XdXOiGTM?S4(Y-(l zMi8e&l}oHW@QqvmCKFrB4~Iz4$!0=eApP;Fzq^F|MuR#*?EnPP3VMC{@V6xl5`of{ z63C$;bOmI;+!RY8UWl6bQ9|vmh|!hh&{x@^vR=u?$3P?_F;)2Xy7n zaC)|C5?k$1jw2dfHp{uEM5LZf-XbTr8Sv#c!)D}>1g$~=*b9vfPy*si0>Fp9+?$Gq zXe^L^l!G5axUaMj$UhYDqcJ&Sxa9{UkT`^8QtO^fCSLetFM_HdgcvdVhTs~#X=cbL za52WBE10zXCX5(rPt73TwK!UO2ncqprR>A#kx`t0eR%!of!GT48~Z}Im5z_mjP&e; zU)_BDj~Bj2KM?1F2S=A*&m5V**wpD1S_2rAbV=py`e3 z(J3}GGz1vDjgL=Z72^Y_+6B=i0ArDNxy_BZNih<=3du{becIB7Ho7R;Z})_CLXc6O zjXrun06Ave4?S$mTL{m;5PJn(@{E=A0Is4ujvUKF>H&m+Y)8@^vGA#}65=v!+AC1E zhY!U5qe$2yeKqWN~^vbXub4<7hxqc7!ic)LBkJ@7N3K^8RMnXpW z>(d##_eEFjuy>R4Ugy7fkqpy?vm=ZkmC*HbXZ|ZX2%+}braacuLs~KcpSYW5pFe1* z?E=Qa-k{i7z2L5!iwm5ATP~dW14~;DCH&#M7 zfT50Va1ps)^JO-|u;jre2$+E`nLCs`fA%Z^HWFlT5h4eEAF5;(|D^x*k~o8f$MLdw zPUY)7VL7uw19*WAM#{a!BS+N-pwZ`__JUFwfea_kT?Id7Qg??{O6-2u^)`W&Luf9=2mS|bQ}7(DBm@_Fws zwQb*{!=A+V^NQVRHhLGdn!U;<>cs8%d)gV>S<|Bu`Yc(~X(3GfFa4qO#bY{m4i#6w z>uAc6$)eYfx%npbu4_te@G|_ zq)3yYi|NVV%SwYq<6rUSZ7YD8pyxDLy7K|S6zqI+93(1-`<+$)wVd?h#(W@G{-3p- z|Fs(UPj3qlMf3mo8Gg0@cOusg3eCe!f6Dnfg$r!&R*l513VB`lX&^V@zdx(v(p`-e zhl)EEGBVFuTluoH9p~A8C#|_eVkF5)@UT*obJOR?B1Rk1Ul%>uY_$Er{}@HYv<)g+ 
zqtkofV)o;rwT;zkZ|+Uz1{(uiA1WJY3=8Lk47)BWw|*8{K7ZaTq$<$(t+I>Yfm6L) z1S$LRqdr6pYzJ(=^Yt$}p+TM%E5~@_3!vR!xVU=E&tz6ZWd6^E&m@*{_b#ASDC4d} zpP`?WItD8rDskPro<)xy8DXL%I*Fbd>3Jk)W@f&B9{qLu>1InUIVHzC!AyYOF;KYl zAH4cDX1XO;@^C1mrcpeZ3h#ee#xr<3ekz`stSpLzWLX8Jqiry$h!~p#CDw>BP^biD zH~^_gA1vK5odKlc?mq;EURn3_`SY{bRRjyR{~oOlo7fPZgSOMBG0VjhImOOom}XnW^k5AJ~r+se7i=%L@Hdr0W|T49L()jk}m3Lim3a&lB!#&~Me^ zF)usR&rbEieS!FI3T?xo>1JEU##RNYV5+??6@w;_NNU7o2jCX{fZ92{2es5*d{@GF zIPF761@x_?_dq57rpz`Gge@i};qS^^$0w5Q49}mJyOL+6Uy3iV!Y$gfnAc6Z%EG(^xR52lyqjA0LTMWMovNF2YTb zfTm=ai1_2mtMQ2q#!6!Lk)4#x?%k0f4Fs2gECmA@!`mA73OO#RwnV&jkq{zPx&P`H zFrRP{70`vqhI)Xy0*k%|@Sy+PH}Hkl$QhADX@>Y<$u5E4Axc>Bizu>T$ZwogdIed< z%7aAoc^_u^#Igk28n7INP!)i2O{Kh?GB=S*4H!P|?fM$p{;;mM1Bg-gGWY#zI=kmnE zgZt_q;*b!%rLQUI4$|iWFfv@a8^@ElegL6Rhp=;FrW>k3Fq+UB2vuVJs!*R0GZL)p z3JIDjWOLj0?3peooj~Tc)8Hiw@+k1vkzM+kpDeh}&M=%s$@dvHTKFFc`kyoa4kR&~ z3-9AK;8b1cg$MwT{v<14E3kn7h5p;6(_ZJK2;YarBK?18^d|FOB}ySih68^zuwGE} zsS&|O82zYM?7RzghX6Xxa8{|JvNyqd;4ac^;bwh({am>25b`YHA~%HF1i(UTmB!}1 zPZAT?;#>fMN4(O0ZU@N$(eS{pi)DiZh3nkET7V7dGMcpw_K&9Kr^sQ$BSR7^X>+>+ z87xs~1LP#3K|y#D61iMhmw+^=#_^to6jL=z4bMj!iqCWGPuGb$!|3i zlO=42$cjN3^?i8w!Kkb*I>d#G zUXqa)Gwh{eRFV^N^ZOICWBu}Fxt3y=*URi*ki2_9ApXm4S}pstKl>-wE$OmnPbiHg z<5i!Aez|WMVoK-+)`KHvvREl%hXVnz_kGwL1De7-^`lXq_GRHw}bgOaMgQ zD`N$GQycjK2ooDD4=z?#2<~pZ^``=Y-UZ0V5(Of`H8Clpf6xu`>%RuQV=!_QNA1^x zDyj=Q8`$4bys@PpYovZgxVYkxtdzh98W!i~G7%xZEGa2b=W=y(L%Z^l(@tJWfmA|>V^6J{x0AvL>qa5wN~r710Pmu7Lq}UR z6pHB!%KAXx5OvR@hZw}vXI|Y=xWl3Bf<~PjKlH2-=MtNbDGH#P&||^NyVT(}rVdRM zG=>&=hCp-pL`C2A?rDTR6NssB8wWJmM4gM{0%ZaZfmD9S@h8{0d>ZqwpX7jeme96D z0;eW7dwAbj%mh+{8k6{&LFj|G`V_vLm?y6B2$9=;szry`sY6K%^EcaH9ysVkT#6F= z0aU$xgZJNM8IUZkJKo;Z*MV!Hd zC}Kr+K(h2#Ed@XTNWx$4tNH9zX7>Mxx9s~EFt>?f0+%mz-UmQ}2LSm9LJ81-$RFkR zQt-Y|3Q0h&1-25-QbcNysUHcy%N_G2a4I3=djMY$Up_R>B~0oi#P;KQByuA-9)#fA z?JyZP*qV5QC7a96@ts=RZ*A>`yMOG@)aZYjdpPNyRlEFE@%XVakNp$+#>L;im#uqSI^luV{X*gLVYz!&e_WQt9nsGmn22i>= zN%6>PQ|wU$!h;hM%^yBs{|OMTL0?K5u6D4&5)`qTB17$GW~=~1%l9k#Lm1Gv{DVlb 
zut8{`s!}8*6@o%wP;eDgxp+6~I8!itjLW;;ICS+B2zSs8)KMZE$p|kK#AAb>bGDGM1pO);&1jI%0!Sn1ECNh7&Xm%@NnFVh_U}Rf7oiou3poK9$%9nq zbfJSaG=aC%`(zqtu8w|4k-?%@p@~ZRlI@m;i;Xf%XxY7E>7@ z0VLjbh~k0>2Oxb&#vp(8cpA$7bsQX45o!y1b)XtWG)zgsaTZKD6A`D_w%0)Xi0=`P z-t~R9m-V4Rfo|V?a?c}_rO4g3^YdT(OTe3-TWmX__sus3s8iX}To87^GkC^geuu!x zhbHJKS%B<}0!9D^WV}1dj2?qeAtg73*wUfy{xvgpR%U6RQD6xQ(+OhRe^ ztip76x8ty8pXoKsO2+HGOU>TMvEdFsOZQZ_Y19PAdIr7H_IsQ=9|k@4NcM#;#nH3R zE=H@=YsqQ+)o_gHlb^9O)nm_yISelM_aKYNVM1<77(){H@x^IOh~^Jy3}yq>S|r=^ zTlFnCJe7m>dBMFRph1LQ0=Q3zbJ!CT*`?t3_AJ8#Ah_fKi4Zpg80o>KJPr06E6kta z`aTZaleoe`EBm_oHH8H}A%Ml82qtVOC^!4X7?=u}5*a=*a023Tt~rS;>RG@}wGO1Q z9c!&Lau@u%Q;F}jYcK8lZhjc=#tJ~55T#H)i_0GFBOKo3;<{4wIKij><94846|Y`V zdE-2tf{F|Oi9dV`F|Fs6zOGJ&uDUf-797KpS3InnoxL3vRxaJS5dQoP+}37&ovyD2W@N?~k@-Fm2069{H1SE2jOjBGrr3qVz zw=$jm|D+53RsT4-;Gi{-Mk8=%v#_XyZbQO(%ZG=!#UH3H_5+cDa0zEp`^Hf7oaI&K zX(^C&xb2SNl+8lshni5U7{}2&G;L*qHrPP{j?8Udq91xlx@(gwO zlaR({u!j(}NIl5HAtaqz_?|+Qgq1?bw`aZdsWYxMLob|^Pa-U^hK7kqJoaz|?0pe_ z`sNOxCaZ(4@7ymBoY!O&7D_%f?GdIB_!GGqEHI^X{lSZ<7dc(r=BH|JpZmTTr+WLn zFL3=LEGrRs6NX==dd{)bWg_X-q?%I)8Vv#flX@+AZFT@GuD{9^6KZ3~!A1H4qTuqC zD@0Yly_F#3z}YH#UjkD{N~VH*j4HQ2|4}sdhI>*iNBNg8`zFpde)tflN|Hxxb!@Ij zU+#{$g81#m!9?Q~pNh#WV&KX*_vFOpnzz!G5ct9k(kSBA`u)2J@;}nuMr5vz!}m`f z8~pWp_vU)(mrb1f12Q=)=<#KX8D zti9BuZE$JyZKrhq&(Z5OOr#f=d&k9#fm)(TVvp6$(=~2St`p^aV3vPuBJ;fatL7J% zo}coqt~Po2u6k|ye&aj2*1tBq$i~@J#1>=PzXkDOrAmk?zO4UO|LICSLo64}k8M@y=fz^>g8LXV(xh3N*mAfs^S3b%#zxE@Z3hX#OH z>m9rO+d{w*p(Y-ii+}@dIN)c+J3z|v4m<=Ecc*NP#F-4xTu~oCYU0YVYNDPwhU_R2 zc?9H-^}H#geAzeje&{&)90W@!Ra=>sB-5<-!y1C3<3hUJm?l;Rssnv{l4Ot>6n8qCACrrQe@qK9NVH8Ne`r8Z_VJzMO?ZKq}# zK8%fEw>*Uf8Kna}WD~{Y3m>^){ zu6{hTiQ)Ln2fOytIowvnln(|ZD~Oqs`@;Aek^v(4VNhv3%rgW}CozI{#@egH*!o$f z$dPF@RsNcpk)G?V8ZiNkf%=6WAT62xDpiV-lMICB{k2+9}usWgq?7 z_97GydkIred_ToQ-ABycz?uqWuD73vNg6zJ7=6V;m4GW$@8UdH52Wa4CJ~`I6m;j> z@wTnoU*;(I@7V_e3>~AodX{qf6PS&MPQKb1EdCnw|A15n6Y|?_tR%U<43#tZ7-aw_ z;4YlV=G2so-)MMh{&K|msHSV$|`pa~}(qnICq-l#pZ-}%Jug>!V0 
z$cAcz+*(K}DnToOJ0p+>kqIMKfjoxHl*=24`vgYPay|Ks2P8TG#HeQ6{c!IVj10yx zAE!=ju>tH5KRJpaIs`~V`ao(Ke2H-ge2CT`Yh-arEFu!Yn@kuc#6NTdsQrn?4sM1Q z#$NGGG;Bk=H*yY0_lV`r4r%bQswhGttgF%q@DEF}>u9G5!`aiw(A_n}a;lh>bi?l+ ze-y*iFlx^uv$WMqPDR(+Xs}QZg4P@9Lpo*oV^bArb!M784}QuVvW%~O-1Wk)eQ7^j zXJIQ!%5tJdK#G7Y?I`kFDo)JO1Ir4t@S8Zj$Ze`2xzQ_iFWC5_@f-oOV5U3>G4s@b z(KHk*RG*(&g~C`J;RC=3K?__qV)|JKG~$-J%E|%n_Yc!}&auD3)>v-s@Hl$pa)}3J z**3v<(wmi5Q$8nX+a5E!obyu8?|**Gxx4xr_wk+CwB}oG%G%tLRXXycy5m$1A47n* z6qUjgu`?Y9{}dF8YH=j=&+qfU@;T}NnnZufOw@mKYxy*ht2F@(rPC(b57Nn*DeXT1 zQG_NrQ4F5niK}shzv#(cbS}VkvgMN@w?q^pijXS6duv%)ucLM~M>ND3CJe4Vz{159 z2#(eSR~xYv#V$>rj+%usHV33Rz!ho)n^#zwOQ3RK9;2rPx2aXQ8U5qqO>>x?bDuri z<^JcAa-s%Oe=^bQHIT`8O`-RIqRi&=KUKTtTiUItsP*5lFO&9USPPZhQ@TMn+9XtG=cxEy)7V^o{!;a`Op#>FBCfVb_`yn4fqe1d(PDTpMmT7Q0ps?kFlkgivsmp*f zQR7s$wQT^Ha0H7&8ep}%>H49Qxu(0b8e00xgH3!bly_e_$8MwuUc*BCmS#S@j3GD1 zgOt@g*JPiwKjkR>w!UY=#pV9PJ4T}O+nOZ(&h?rKPM%mDBPN%>;zL{~pTyN0W}iLj zZw~6{PtF|fJ-B!7ZOm!t^)Fq%tN@!qRHM6BenNpkvSy^N45J+P2g_>8%ZVi$Ead$R zMExH<+FV~>9~Kryi8GmWL|zEt1nXChJh*+~j<^A76i8Ad^HP9*77|f5-oB;7aDcHwE8}ScOZd$fb8NTpw6A(2ltVsCHnY&_xP^2IUX zFu#J6(;i&xYvHwvP{6wXm*nj|;$5nf5199LErb`WdN48^mmw?CCmi`_i{yrR$-04| z#3ze8YeuF;>`O15wyU|rpw!3~D#PFxrPyVx)My^BySy#Jeuvs&ejyI{eWz%qt|J~x z2#BQYk`cs%AD%qchQbQkgPVxB3ZnPSakGm{N-6@dalVw&eyK_Rap-ls;njaUP3E`e zUh>IsYBUS~{#a}~Wx&(7DRH00k*(2G^42!Y$13f3ONv7xPaN(ugXn1xUhvvk25&7S zQ4y?N6aail0VS@@wBH4CLZXGFyHU$_X7Bovens0Z15T?zdN230t6nWD(RjvdK0b4Z z!M?M3uzdfcPI>K*CO&owlfC&(B(vys(g@2tF27%NR%J{ zLoMv{pMM$fIdLWVuK)b8rd$8+KfjMWEt~4z_5c2>wYRnLTL1fB>c3K;3GBEHrw`@| z0p(Q9L%b}%j$O}a zy_5YTu76I7LCU{%Rlum+eY>{vGe`F6$x287*~{*l2!`K{~N3PK)}zhd0yCL9io ze^UZt7Eybx@lV~%RR42|{7!a7ob!T$g0Q;2s?ryCLaOLy7L$|d3Ji<}Jxkp?_4M>8 zl)%H(n>K9x>c{uF2}!#d+Cz6o!NtWg zq|I~nt$=`(heIPHird3IevNPP(1mp|@4dR)k&#+SpF@=$jjI*qC&zOn*iF6#IDE8M zRgdoYAiG)Qn~(X6QE}JspJj!i{6%v$SI;N!IbmzE=G*p!_`S~t52~xdMw|e{;F@?@ z87@N&k1Lu164(3ak-->9sk`ceten!e8!2(1`Y?Rp8qx@xFZYf~xdJ&7!qB#Jwnlpyd%@b^ndL@qfxiZ~qHWB2vC%ftYO 
zTRld{Pyjh04gF!9IsrJk2hWb2F21@LSzHAsLSj4xxjEnXW*LVM!2fums3JQHm|oEf#Pi-+@P-4?wm^YolYtkva%h8j*35IfP~9I83!) z@Vf}W3|z7|=F^1T8?Q-EfPeI;Lhnmjos2R&`1l@9;T(PD+@9lGzAO|@=l6)G9=F`N z>d%WpYYzD)n{^bQ>W$XlI#@cs&|2Dj6fjnU^tc)&Ne*x(Y-bbHAtXb^uf73npaO!8 zOm_roO%W}BMy_jkUIMkeywpWa{tNUN#-TB#>UsTw*a%8W;Iaw3WW~goLG0?3Y=$Bg zg4__$KB-A;j;csk0s*K{1kX+BLy8Mo@Jh2BPV`jx1LPpL22dLUbUTkf{?0)Mu%#R+ zUyj?1E%INz$cLgq01{1r>gb{k9;(XQckWQb26o|hofsJ+0+ZJOe86LrTQEEk#Xr)g zYBI!qH~pJDpfu(`!w*3+TM)ao+=9!q-43Sv^Xx*oH*e-?U?PUX52UO$evNKrDF^O@ zw7vph$qn4Z6P2d}Pp9l3`T4F~=V9@+bzOP$zMR+gTfQp2s{hsb<>=*xM`51*MuRem%5;zKhRe;m+B-SH zrf5BU(0zdkbOC)w^>Y;Eo2i{$DEb^suo2SAP|ywzVFXOgZQ3bmvlS@+y-|jeNiPsz zDxg1s%!rs!Jarx6skgu1W?@I9O7KAnclL4qNENbUKoW4`cu>6Y2D^|4V!MP0ePN{F z3=kgz-hbO_VO(P~0X z!C$(79^r+b&vW&RF%T7-bnY7%fb5u?G?o*smewrpeN)&c5Oa-z|mk@>Ug9}8C3g=h4b%BR>mjU%g zQ*k+j1Nh7or;VLbaHb&E!cYPdsT-j)@@KI-b@E+jCMFb7{yl|_4GJn+B*aIs<~I$l zq5}$}se?#!H4xVOyFB(E=D%&z0S>VVmapW~fEf6|fr*i6wdh7f3;!1{uEvjecyz#- zkxYBS>zW)+991QN+#jC{u+WRc zDgXdGJ06S757l(k`8-QYL6t__{KzVS&nMY4vAZr43=9}d0HNy#2D%IIP};~w3K_Ny z+~Mhq7dnxnt=T*fTWO7l<58hcxQSw{65}o*EtQA3nTo=Hn;t?4GL4)J?M1n^0fKD` zL*c6ja1%j$_9YNEJB>>XTI3U+{>gs1*S9tnp9BMf092{Oi-UAQL;Wa@nH=!AN4Y@- z#6Bmj7`ZcvzeKAGcK;8`)Q_K9pIx?G5YQwrXr%Eh)R`= zIY_g{$YK`y72My(&?uA271@ZAsEiGCX2OPzWip$X&`q+k# zd&7p+P)I_|z>3T14QX!9$k>TwHSY68PA)F%jbb1P=vPpqYT$*K5}$qD$A^lP=6I84 zxPo4~&q@Hp4~EYZx`mnK6>?orfe~v0G+z<^1N-cBi*b&>KOK=32OQ>yB99FZJP2nJ zSesk}I!|nS$hf5@@HP~0)H1kAZ~l5JjyWJ}NDM&4R6TJbUn6u~;0lVgS1txPb8BfTp>2pk?LOty>J=TG0hhv=fBB1<(_)S=KFW-3)qHiPRdP zRxtRzSFNoa(5h<1NP{6g42WvA;n>IoPB=L>&aSR$`aOVe&qPXj>g_?iA~TC9Cis7d z6Ba82E$PG7w?jkWspONJAiF$$(T&WWsgcXW&`EGkY*k< zkU>JZKrUrda7}4+N03tUNCY0f22Uj3y?Z%9u*(DF!Rw$wmImD>+;dWb)nI8sgF29+ zIL|@IKeMxB^ckL$ngUHl0wN8j zP;fwAWJTu9qV}csKGajz-OVWEg#wg>ZU;xl9Kf|7)3jEjFXuWw6td|M&}I4aKIFw? 
zsmSbMLMk(IOVPtNosNQ*T4wNYHSgY4BX%@F#gVT>^*;_-&T*#4p|_f?K4{#_9N1d< z{=gXQ2U5lbdpGE(7ztmys&IRqQCLc92UpW>(fdDlQw0>#3--lYpm%y(>f(}M z{X}_;B0oQu$aw(XUPc>C%MpD+*0jj*w-(CE%HEjIesIMRc&G(e=K-mK9(gRYbrud9 zDRWL)fZQQHzYTX$Ti5bm~n zpF6MOs%T19;|U%jrv8wxkX?k^v>eeNDvj5;*hy;?r9AvTC#LO^VE`0wbn0}Yd7=V# zPZSCe=nBMxUw9Y-K~gS3^Nijj4hq>o^nQoPafT*_Ksj)|UxnJ7xR-6;zWwhe5*vaH zI?ii(i7?GV)_Uy7RnuG}l(%98oqtHk8oVN-en&^(dZdL0Kq$0zE8^m+YRKR>+)SoW zJ7edDq$R4ueH_1lw78{*@K79vKG2eB9C%=@H#t(cI8%mw#{mL5D$1_nVlQQ1FUiX3zz)x*BnqigGBPh1_Y6tAci6Knfm@ke3v1WMS41 z5BB94e;pk5lQTdO>|yak#QwP9^E;Mu-ZS?uu|Lqdmhos#?JjL$_S_Eb;o{*Q#j{{dor3-h;YxPmdm{dp7BoKfjf@P`OLDX=3>_J_4&fY=mC_FtTcK=OzTz{S}CSfB|)cuR?C#vWx`SS9$BTXV0!g zP45sAQrW$?zph990i7(i;A{9^d>zB2)*->u6eCDyr z-ZD>5!jiz#T)o6|X@T^Z{n>U5d(sall^6Dv;F(WX?ZgKiL7p7nx=_(wQ*p-+Tl@xY zW4yXVClSvmlMa}rqao}XN)b{hAVP>rObcCnsL(eu#*|XWq;3 zcz3w9Nt@OMh6Or&Oj@vQn}Lz&zzLud`K{SAiH2}I094I|pTvx$YNVod?ZeZK z*vb0yLyu6#D#a9gN&?@!1!)@p0F5^!93-b97S2dQ{(w*lYVU~tW+~$~tvZ^oyj92{ z?kMsUh;%AGeq<%!F>(pMNEI#SypDxZ7d?MUtxQc{blF!H2ERmZcR0nY#R?I%$`g$p z=s&y!3^`vytVlgDD5&}K4S8O{$pr~1Db117B~LxzYC3lcl@wW5Fb#*03KP>*^w6uf zFi%7qg_coRqh7mlJu6u%Uv@+;P>v#ijOij$Eol4hFO`XMbnJN-_j~GW&jab6k$aAo zHZ}}Vs!8lRwSD%)Orxf*&KFR-zD}6DLeK3Fu98L~qn_`RPnejVecWq`efcktb+rlz z-hTmV|Np?Ye?OF;|NkRO_rL!KyAw|CEqbZxqr1~H-O|y)QN8G-AxNj+JMq;Y9~$z~ zrlr2Edw!&OS0;UriX-2L-3w})j><--H9bpZNR&VIv+WM2-m9jZHP_9){q96(!d4~r zZFKEshMYQSs{?Phc$Idn;NLWOMr-zaN4h-kHPb3?@u#UPedJ$@9mLCh;-1plIdl2j zl5WpauPq%d{UwcOGA&a@)4xYreSbBF zu4maWe^{$J;jGBReQulCE@tvI)SW&dEg?~1m)=@|eoaCmtX_QuVrA;}UK>LtmlqPA z$C$rSd-bkkbMS^wM^UO!(|#`>>u26)H8H?(|&#dX*w?uF*J13 z>7(ZHJS?c$Jd)y%g*UF{;qXs*6Oy*6?CO_CS*3E@PcE!N{i>jA}=OG78*0S4y z0V&FhbIkG+{UW^Kb#awklmTi00m7d+U9tTjht^b;&0mmWLP~2;=0* z)=s(_o86RPr6$P6@S{D4hKh>rc)nMpTm5y*%FQecD_Ax}^&EM<`})Ob%Fr{NoNBA! zxeCXRuECa(vll|reR$h|$gb;a5s%kOU@`z-R4yB+en?bj&kXW(E$skZ{FAmDbn+dKeHCN8^>Z! 
zWj4n5IDdYz!8gvDiMQ^U*!147`BO@Xw&A>u4c9dI{9iXQs-4VGnDn7d8>RC0NapEk zw_^X9IT-r!j8AsR8#TJH&A*u+ZPd$p(BD4K!Kt0*S9H86{bF5;y~j%?l&FS_Q!nx zY)$Q;dXaCBxWdT~<}&+oH||iFZ>bHOy!CzhoBn-QcPeXr>eou_VSP`wnANR#^6g-z z_VahQPCGmGgnf1MI33h5ME|Ibo9lL~@ur?NJ-_sNj9%_5qNS9Vf7-;_!wo_q;dFkh!} zjpmP~+Tp_wE}PA8UHTyr|6N~rr?L|RD{VoBz?;_Z<3G79Z?cIDJ1R1bWuEFCNJ~0q z{DgOOde`9}_Zbom(jFLHeMigLR?zc1^k+wBef692adPOC2kCB4`ArbJ;Suc9ixs# z8JF)rDv-UF)Z#Dmf_GUUVle(oVX{rm4f$3|!{U10#>UfChxZ)|UF&7WwC>$S_0SWY z5-XRbyT5&CpO0ucv+d!`&kjEbq${64-n6c}hvB5WtZd%7FY9_dITO@N9fif(OW6#5 zH=OV6fR)Mxg{K$J1<=q@KXrbqF**F@gjUk=ds*-qrq|!Iyb%qdPczT?Czgp;RvZc1 zbxD4C-HV*_jdH#Hy^lRhzA7I(xsrlwkh{ofOfh*48As!o{~Oa@?(Z?*o^&E6BT_7h z%J+uJkC)@RIX`q{TsH=~Ot6>Ne&tSI)MhVg*Nn9WoJ4bXad>rsst;TG!msb1f@ods zaB&Obn6Icz*v`K5zJH);__uH8 z4!XCqDq=^tW{!f3QFMKS$ghFeqNiS+Mj1vu{$r(^Zk&krJc@_Z968sVCEG8i>uv1e zF+O;CD=bs}>N6OF>FVurQ(D>fh|u*^*Eil?=3iBK)+t58nJdk`WW|im)M?@9m_PKb z9>Z)rPtIr_Y6yg6Wx!$Uqc6JR4M{@7ClB}(e{_Bw^UH0d@MTd3^CSO9I|B3^nbh6v zDQRmK*sk7n5^*Zn@GLrQ$u5_Fo#~nCo-Ze+EZnu->CM#U5>(1)U+x;=5$ux~)cnI3 zVz`~(Y(C;nc*7=7WdAwzdiy9trnIY0^{7mpGH*W_P*oVve&BRw@lFAncg78GCft%W z6C&OqsR++Y60=5#TAnQqd> zRfo-9G8_9p&0HVm?#O)I%>X4iPVI`9eL*^xi_z$ z>Hf6fWD{t9@$E_assdBm%&Zf#UmsWB7kT-|qe=rMl(cB-CsI8_pS8m9Jkf`=~3IAS@`j#%fw2e5-)j^9v<)EzXlZTQ4^CmrP+HT zcD1ZKtt`7PmGkN9rN3ZF>(%6f8yLVATFTbfZ%jYcbNSiMoM?!CaTuzMu2EV2$O|he zUdt`8!mF$q+a3Gyf^OLwv`HVG8s1!$%O!ioi}%m1pS&>S_F_yIixt&6Z9#w)5Q(UhOtKrb7k3vo2LarDzCofzt0&R zcQM+j_$JHR+c&;C4p)>nv9!Ios38AcUGs`#Wx0ZHSC{&F$+LeLxi}44(tX3)`TK`MMdk#;>b>7w@de zWiSga&f6=~v707Unz^iH*RwHkc3cBmZ_iR{PB6ZyWJ(B&omD;WxTUe~P;D?J;6z@l zq3-0;EXy&6t|rfol=9Ru_u_y;!?X>o{!ZqJJ~65VSRkly*4r(2Xr#iSx>*XE1qFM$1LrU{fTj4`CmJg@yNKP<%*>P6Y^d;gtS2m-bt=2mcz#WXv%Li^_BIuTK0@Vn>=*Ah^BnRS zb`@eCh+aAtRqcnA>Nf?PIM{su9{X?Rox_gWCG11o6`!lt4|VC(_063h{X!EuvqYV! 
z$`GW#i9uxI`DFvA3dQRe7pRgp8;RSeB<7Dyx4kx9CD2;=e5h6Y>5SmilCXt~a)~47 zWq}3L&UZxyje);!Ud{IyODIfsYole}B;yT4)U?4aokEG(?-jWIO(@$}q30g{CsVYF zvW6XvY(=Mkbfl`EH14ESS6Bb-BuUT#6XN*$iGCDRYi6~qJR1+Xa6`CN^+nR^(&(_| zb$`FemyM{i6)k!b4xKT=_GNG!v5|AU85CNX6ujZ-rExQd(GRILj>jh^_%MX)GEaX) zjBnoZwmPcvXX;xpKREJbd)=qDmiG3pmdD!wDfx}}RF_UnKQuH5i-`%YsX3Z$D{5{= zU?9)R_1L2QBKqHd#Vej0>hnXzUg4F`bDe)J{OE)451tzwj%*LTzbESihv>t~;Am;B z>@#_j6<`fo3MVf)IK1XL^P*J$s3z;z=OVK{!xIMtP8G~+eq5a8ky$NwEiX(`*~@|J zOW=c?8;2V?pNrf`>EzvdI3=IIDSPn7Ex`t3*Tjx}bML13KD_r=&gOl&$3BC0q`GAM zN5`?umKXd7Il2xcRe1c_Z*kCLMctes%R*V!hMNiI`fK-}-J`sEU*c>jyc;^5wmOJx zY$>Ft@;=&@9QUbL(b;uetv4xRNvWnLXZxeh<_iT&{M`~ytkq1<4cxSnZW*YG)nyt{ zDlzGtb9)_QU^sm7SaWQ5Rl-Qh&l08`(llXCV>~itUMdNRg}1MG^lpbg)Hg?Cd!%Dr5 zf<_~*if3Al%?DP7acY)73+r)qn&;fPVOl7+F7-ulkNur3VKWOm@FALky;n( zdym`y&*=@P9KV~j8+}eyom$}kA@Q(K%`Yy1{rlHbM*jv?I;Qq#Rva?28!A53G9Ywi zp2@E+Et_W3e-4NYmKEN^**aq#es|kS%>_0eebar}Vdt8a8*fBL?q28^wCOe-^vL^d z;{zHDbns95y&D70xB9++Zs@;m=1Y48bz|&7F^7(DY@4AWw*7X2V`h8z?|nR`bL8rm z9Oo|T4CAuruRQ_+LxA|N1R?OW+G`UShG3Cs>Bza4n4=2B^Bwm6mR^g2Vr*EU1L;hX*%sUjqSq0_aviup4!&jji%Ap>rZ}VRboI8?&x0v)x=rH`!91PZ-Sc%d{Rh znU>B9_BR-NYo&jrIdP`#rm~t>%cvrp)EOC>RNO=L#%C^@JFS*smSq-h+?*mgO3%G$ zEMC9b`aPe7xR2w6f{hoO!9gA2EuW;X?VLYS@bPHy_<{Eh4eO;0CsyQptWh+0#hr6h z$J%j2>I>@IuFH(=N9_)^=X9#DxvQvVP*G;Nc07<~3+$p*NO^QN@olNMn=w5h>Wr`FPWGMRZ}(Mj!5JL_*#qc`p=mWteIDT3)xw@7)cWsaZEk6jTJfZ4b&&K?mzO6 zS)5x*3FEl@6OJt<6ZuK3IsBAC&8ON`4kxs)S6=MZfAVer&09wwWZt!$El_4Iqpn*? z`>j#`I?D;Hh7wstal%cmYzY3dZu{`S1aXSice2o2@Prz`YZ_v;tgmR;P) z?s1OKK}6_P;jv|jQ7_MGNkQ5}^w+!X55SnJL!_=mO|RIoV&9K0#r86uYqo|(mFZgN zdyggVb?kPIw|uksJvd~vEp2ITN<^lsJ^3p0XV0^%+8TGhf084BIvaY#G<8va{*97W zs*26qnZ{khZ#c7X-|W=B*DkS5PIL{NhlCth6dRR-(XL}WXz#Lb-+fuD?VgYJt*%y5 z8gsvcHZtaWSu0+BtY^$DevqF3UFhvoyD|l>d$oiPndCZHHZcupzp0H)nzoU#8jpG? 
z&qOUq9&Wg~ocdO>a?StM+LeYw*|uSlCEFPL)-XttjI3EgV@;MJ#=g{u@M4lIV_#m8 zC0^NM@U}1{OPZ{c$kJet!8=(BDIu~ncHiB%9^cRJIKJn2{yzWi`+CmnT&@eImAr7S zO)|^Wq50D~tuit{xWWL7dm2M~B_|tGH6?Oia&as=hSJFFIcKk;VOO7j8-s0GI`X${%jXAS|^#`&J_JE!F(PAN!^7Ph9%0_23HacIRW-km`ih5nQ#Q$tO zV%b^`bah?gPA-J?@IL0Arude;Zk?;42>lcD{KFan^X-}ys7C98_{sfE!~9pOqnyES zo0Wps^aG$wB|4A;)sz^$mB`AlZh`W&%r6K;;yva<}W)mz}|=yNK{y5 zW%Bd3{eE%JeNUHsCH;3~VJdr#h1!B6?q~e1$IXED!3jN15nz-&3jag?iMHN5K?oR` z`q*0|-`3x0TTN|SNnt4@4pq&eLR<(7IVc@_PC6FHHn!FBraXjo6d%E?=#EHqm=Vt9 zY8Gnh|Il^IERKQqs@niVV1XsArw>+=%@nhx_4FhF%gF}e=&UK$Mm;O6aw^aZ z{hmbGv`-lWaw;&RDC8G8zn+{dpV)FI!H!EyORM@#yI@Ly#YNHe6>1*XuD67w-gKV7 zbC06kW)eyl-Hsxw@6W{Vd_A(007Ip6e49v+E*Dtsmx$KMQ29~KjZ1Wqyo zTHC>ygd4f$9e6)8v!zw}7nB6*SUJVs9S+y!K5Z%9*%7P%+r%po;5r3kl+Qthgy?QH z7C_bgKwN#j@j_MAXN1k0@^E z6uk9(otfBAR>J6DYV=z&dvv)Ytz+L))2BCTS9n3KeTZ}2RnNrO7MmrVMXtAjMtMLV z?jd4Pa`M!l%CH$Ev&KLXgpVl5bFa%3a?yFd9@_Gxli>D?Q?VoX|D`IHhP$oUcF+B` z3N$qMlrjcc8n{RJkSCNiE(xk~Ws%pU&+Kfr7M3y z1uP>Ln65rdML!#=y*0->^S~K?kXuOBSGj0D$IkL4LaqIkkt}}!|7`S#7+hf$mLEdC^!R4Oj`d?lANq6)7>-o zrs;M*(E~nK_LQg;TbT|Jk4U z5{5Wq>>;l1n|FzpAUAf$7xo8Y)xh%n3CG2T(_umVke36j4}6^|(uxK%FWD9L8%rND zFtAu&HoRmDVu4RYw8r8}>`r+alY9%Zq2VWe=oC) z_=rk;hL4f$H+3#FSMzLN$J@_1#T@%q=Uh;I!=4TrUB}=*4iXBwa9q&c;NI7d2b{zIKt|psva>AlwaJ4Ow)}AzZ zsxIWDmT+{mANFA39H^}wlat~=Y1Mz4v67jUWxZTqRt5*_QT&C^Uw_oy3Y8|A04P}F z+GMk=1qQdK0>3I|dksqPfglZrs~4+0w}>;`CdOVYimte=t{VrtjT5hYIGX8S86We$ z3fYnmS+bZg^(`nPbexf2Ge3gW?3Km0Q!AiYq72L zMRL%{59}11?SU7w{L5YL_11U{e_govqrm-#h>Od|V5|81-!Mn9I;WX z38Upga%BF}z5#fFOEUb@-zNf1Ay)&>@qN<}rnWnCQQi_WkM_?Pb}#g%#KeBwS&^hr zm&aRd=w~WM5A5>fM68KWoi9|$^sE-I(q=mT=Dwetr{f}z7+QZnrO~wgB|YIev391X z!++jb)p1LBWb{IEdVdx)O6)$pk{;zh?!~{ZVxyXI!&MX>>(}lyj_9_$qo(`k zxGdG0D{^~zfw2olk8Po&<$@aEBUBT#iyW**tOF4NP>VM}EvZsuv%9yb#zuoyT-=G3 z5h^mQD~Nh?pXVge@nBabhf$yV5#(Khg;fNWWqnfNS83^LAd&3EzYP6gy%4<5h&uLH z9X%^-fsSkuIb-fv^WjE%r(2$YM110HXVB4lmTfEzXmK&1OmAnwpoy$Y#)8@(%hbUi z ztX}`3IiSvglMWPoN!15^UVt@`ytzc1pS59LM2wIl+r}$Bm<}ie$)(F|o|>z=75RWf 
zEVEE!J1*rZn}|f2+j|21#lo!yw}@J|JjbDX{8*N-@lQ2)-a>nx;GekM9C)QiLiN{= zHld8`>W0lpO0`woj%cU4b7li%HNWP@XH{-H%1)RSTI_j@kb&0!dyHT!|8A6f-s-(dVz(folpE*0P)6K-iVqMO^={gaWeH0HFMTJ+#+} ze@~VCGiky6KO`;wKOg=+)Zd?G^6%gWfFT7#lat5Hwf>Xw7;f2(L0e$Qf5!Nd7{GJc L$kMO|=@I`oCs&7T literal 0 HcmV?d00001 
diff --git a/assets/images/screenshots/alerts.png b/assets/images/screenshots/alerts.png deleted file mode 100644 index ac8a1c82810b4193289fb98e9250a8a32932afa6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 191000 zcmd43bzD_j*9J;=h;*Y!iF7xJf;0ls-MQ&*5K!sPO{kPgcb9Z*WYgWFmoNLax#vJ1r&odV973C!{(MZr>U|=w%UcFF)fkCc@fq}O`K?2T1 z2dpZ?z@RN!h>I&qiHlPyI@p?8SewAWym}v>h^(TlLE^XP$pU^0gNhUN&;$1~uBh}n zEZ*n9ythxH6ranYpt+dXAxI+P;HXI0sk~_UffH3iMeq&fsUc;Qn3x7KI=9LRtV~j} zP@U(A?^@#}`1bmg<#gI};1(wHtsPB_lRBawhJ6C3U~?)lDIw&$2s}|HJUt97w|2U0 zD;7FBY@TetZ~Un%ET`~XCCTZ}y}8@3c?XE>6flZ#JyKr8EbuD?PW6jYpEY2pBwsfy z3_a`SofAuDeu?|ST|Z5k_Pm#uPL5T=q?ML^8rg&z2E~|JEd>r{0%?S!%$*^R(t)Ul z+pzIf*da-rklS-+N)t}zr1ljt`rM@pMoUQ4b-pf+WC^zn5piA~SODB4 z+LwO95c+1hgYfJ^Zt4ZYHjT#Y2lbd^)}RI|Am;17!>^ ze@YZFO4@gDF3rT_aFTwesWj>dT)JTjIZq^?O5>QaO{|CGvho?G|9qAM4hNINESx z27l0>b`UYR8ACnmoDY^~KFE{|;knq8ckrPw*eGI1Q32Wdi0bHvVvokrDgzx9QNOf^ z*&&d@htK2jA~XA2Wx_l8hh!oj2PWzh)gym;fUxig?L{ExBcU#$(zn}G1k14JVviJg z@sMerGei-^h%;vXRD7g@5ijnUMY3+T{=^BZ7S8$kX_l_}0}pubV4Nfjr~&ynLON!d zJ~tVLWGngto*QZ!`dUls0(&)@Fa}Ta+Psw=;WT{HTgeB0^p7xJP?kJbe~10>!*}ZL zcX%2>cvRW1@RdS1scpJ!J|h!97dEgXA_;z9(pqf*$M%|t!W7jM-xN28%<%!#ug0$? 
ze4`!1sL_By-R2w3D1L8ChoN$@Ov(AU(zeew>h?=(!b-|ZijX!oyBuCKZ7OE0#1C2# zQ*Wojzjjv4^V@q@;|Nj|y|4OSwhW ziDr(Wh@O4Qz(7o2L*K9VkfGr9Q)T`yP8#`Y8@L+b)?z1*=%QAZ`}mCJx}A&;$xrAJf;4^`9^C*aRg&T?n{VDQ65&_!ienf)$p06yXA=G+Q@}D zN`KU<_|lJ2=*bV}p^FXPS_ZJVLN?)0Ne= zw3;%SBFz3N$vuUM?JIkoQ3Qusa&Gb-_g=9d6B*N60(=4 zvM;92TG0jLsuQXestuzUTMxFJN5e;pOiBAAGITiWY)*JcB~zVJy}7Y%Myvy^$0oR^ z8cWKGmnPnf&y?hjUrrTO+Lrq6=x;sLyE~(L((d8?Hp_ygTjvtSh z*FXed{Eo@*wc7#C2QC^r4m~TeUt_Hjw%Eo*roT-OO=Hzy_OXGflge!6GwS>W#=MI> zBaxxhKb9mTDHOaF3eDozlv%`C8pnK!)~p>}o?fzE##e<`4PU-JMW$5Ch!u+0^k)ju;S2Ks}3xA7ut9iQs)9JSY%j7@aJm37W85DsP(wV=2fy{?ofKmHE7ApdU z8QX`%5a%(bMLIeJGo{XE_mg|a(f1<~aWQ&2C$04*R%kJeLDN8IKX$4f+pR{m&Dn?j zN)*lSi|@p7_NW`Et6m6)v4_S;R!As+!u@FVQRMqs2VUp#_kjoFJo0iAaAP^wy?S_)*{q}Z%q@L8T{}%MYB9Z($wYCT;Tb;Gd#@KOAII|j^W*a= zhn_>RK8I&_ejYP>!2Xa!{=>+3i$(P0+T>n#0h)vuFDb~wF`B7F44J^}OOq(;tZxjV z5!}*aE2f8g%MBA06ZjL9i4rVAjk3w~R)4);5+4y0gqk-Kj&=~IhI~44en{}frxzYsjuSEw-t|>xeZ%4&%Q99@3XhL43jov5xHQRUG>ttz33eNueA+7!!BAs&F5XM zhi2gVHhMlgQ{S>5J*d?S^PO-GaQT=CYuRN%1j6G!;cVw}PRHP%nA{%qT2$N8!%iC# zd1J46eVoAYnZwLo8qrfFoGoLjrsNY#b8|gADwB z2z*{-!u`66T%8I3>lohR?u%l|;!;w;Z)GC~6BCf5xvkSi^Fkxg)tH5fx|6z`EWeSh z4YPrIq*NB$L3B>cKj?XuCA`kt{lv^4rVND ze0+Q?tn4i8>`cHnm>k_fP6lpFAV=!IJNebm3lm2p2MaqV3tJG?UB3o~w$4sMk00ON z==Z|pD6&5yTR+is=15E|*&hjf-xS3dMys)qVmIt_pFfR{> z;9uYWUswLz@gFVK|FmS|-^VQV4;Q41X+GRG-0%piK+}37*QCh7h)=Iu-h}pNh%`~%?IMjD$Tm@{ALgk zt-g(GZIf`(QoUz-iqb(ujgn)rP4WrnwUMkLyr*HC`LKHPN&CBi1|$L1VwuZT-!9@k zERH&kva;e8-*htt!iE-_zsWO<_TE@c)OKGd*vHaSe4#7JT)87(m2B z`au$e$)XY~^QKkitTrC*cexyw4Qp-NRTS7|w0eZCbhZ`2%Ex5)ERp#U+)jdK=~fzd z5tV2!zPe@jpv6{n)-}6Thhx&UJ#*6a2wm3okkvB8q9brEctT+XZsy)~H~#^LRIPQ~ zJJx|MOgOD;ek$_T1>F_BY|i&lpVxjp>)KA|5k2|EHYLBc+bi=b#WB{SnyJ=rmkRxm zBmesrv|JDtewt~I>*$>$oFl(8D*9;?Gg6hAun2Qs?OxnR=4Vxd6rT(wPQyGEP|Ng) z)SUR}p5F7|MUM#0=dQ4SP^(Z;NA*tTI8R@#*CbEX#4HLNDuwdv+;4Y&u)C%=aPDq;=;eAwW9l)2%K_8mW7Av%Nk7Lk;KjBtNRG@_ORE@6 zm-K>wCtzsqR+zse-Aniv>nhm6pNvwlU>B{bh=xyiB^PO>3R!kQbB52-iiEKo(b%g|K~3By(y0{(-|_!_q&xHv{ 
zzEzBB=(l({J!>*H)4CYSLXjhvI*JCFR#y6V_mOFXUan=?UFbN;?QfQWzdmYnVAqqM z+b%^HMuwB4V9V!k*fH05+IYZLE#%Vo#$aff&S=o{a9QezX?`Z=x^xfzz6Bg4yPIl6 zQ4gG8PD@}U20Ri*nB@M2RZ$SfKoaS;u3w1CNg5dc#0*SFqGZnz_!i z^$fXnL@g3^$?;TfL|$m;c(Caf*8Yg8zbIdJy6_%*s(8rStn)lZcKYTT`K^xYl+f|c z6pz}8$9q$CKI$ zOu6ZFD7aBg3-4AI|5Uv;Og{9{vL?Pb*&x+x6Rx?`g~vjLLQ7I#BW`)l91)NHn8xXjyCx9r<(`q-mA&9 z9HlSZaWn(6)U^3%318^scTLyC=Ez;rE4F%WkAIbBhANqDr=UNEcB}-nPmC7L5wJB+ z7wXha*HC7FM?OcQnqrf3KSs(Woy0M+)pPo>ZfC!nKpv866Qv>U|m+NepDY-ampq8A(~eeKdZ+ zF~G4>q!Hm_TKLvg=IPQ5QQbn#JS*%XDsD%J(CK&uTk2C!9ri*6zLjJ144wBzR9Y#b z>_t);(*B5%l^X@&-xa*CJJth9~80A?tCMl1*z#3}<=Lz=y-)1eRhGd+-x{T0j*$yKTcF5`lOljFn zu+*PSj?vVW37DjwrWY5&rQI1)j5D1 z7=a-22)9+w2TIPP)%wtYz5&6~aatBbKFj86k1 zMYASfk|!Ed;)nRdq~wkpQl`EZHO6p5zwI)x$Wc4iso15S$E}-wGlN^GoJ40map$h~ zb_Vqw6;w^u8{4H)>&xyu5=RQMshoX`)Rx@AJ+4|A9j<`H59>I2USopdF?Ej_D`pz_ z$E#^%w*;x`n2aDL=9~IUAXbN95tDiR+}0hjX~P^XSan;Q;-5H3Wt?GH>4i{o@e2yu zE4keUZX8H_xG6U13<1q-Vt;<9pR4Mv8F|@TM1g2oFX_iJ~}wfZP7;>*LyX<&0f#fVf->1PB+B(=OLr=qE(vo zNUn34uEh*zq~`$mRBRM%Q?jEp@&GLovCOb@D9ZDM*X!HA!!6MYI7**=vB0m5w=I{L z%*y?6;ZI-d_G6`9@)y-#Xkt9q1-4^Sw$8@E!{Pe#gsDZM+4fPIt?LkYi095tLHze52g8?e);Mp6wKpqO@c(GkUxMB2HQAW>wT1b zrQtfda;9vx-q7M;)S;bBDo_t979vM4f?zveQJ5rmBcu`{rPAD(1q9#Fcz;T6 z>lZfU#u5^ei`0ti?#W5%^Cd~-aUDm4;A3DkR$#lk#t_hpu z=8AfH2%#=6Rh=!$yj51X~o=_3HT>hDF2qxnLalbOevn@dnTdGi+Z$WtxB~kH+Lgm_A&J z1to$oqzkbe)o^H>0HTp7>cBKfP@~T(HtIaKf!n2Grbnh%qR-LGmN8{jk)~+_pNsA(o;6*R zj`~HK&9LjUd?N|*6YI|V*2xGFRJ*aaa5*=}B6xHRJ(p`Z8W3P>IU%IOQ&{g~8GnZy zj%GKO=rB9T#$`GaTsf0;jzEPfpR3P8TyZ)h@+czL`;Z}b1^!3SC6y?cy-_lPNS70u zqHmA(fr8E4&IdOT3Bn{L=NH>-R?=}$>{Bq=h0{6as-7H zXomA!$wf~VWO5F}>ZdL>?Krn-DrUh{NfzQ}s&7l)Q5$unp!VEjnzaT2XUlGPbPpu| z7d?{LBu>UugRlHzh86>nvETEQ`Y@2D_pi(OPsAN)Z<3*WD4mJ3NW(nSby`?g`a0so z-UMy_#nxja)xlxN5U7!NbO&$Ujn%Fb8TFU67T?rUAHe^XB z?X54C>uS(NNMbOea46C;Fq+XZoNv%t_!bo~e$dGHz6|=wGfw4XKKE$a5u#H=w6MHCqNW$z&pjo$U4O)!Wi5bgL3oPlg4?$$0TXjxP9)erLrB`m z&%ED6Ig!aLHioxu%H6VX{^Ns*{Fr4^9D>>OrV{Zq!?@N{_0*nNN5Sl#SlqB2n#;2% 
zr$#+-w>cqiX3X?Lzi=xWX5$S*8c%2lFk^3du=vTJ-j_ab()n|ZX>)`Td)la*#J@QT zao&FvvPwxP%zJYdz0lPXvc@PzI8e0e4oqQWyO^d>d_Gy9o2N8H0l?7erm3RLVsA>L zyXkYBw?>&TNL6``DjOZ;iF;QNM7E~nX^w`}C*!{<@0P~tchbZ&Kuqn;%0^@mCzSmX zuW`1S36|yk*EbL~dJ*bFO}umU?OmoOj--yD>eCbMN0;{8uM|2zoR4f6_+;c>{`=E0 z*MQThbHNBnQrW__sSKgCmte}v&4L-t0tb%egSO{O8;bh%npD4tVIM3z5oGL`}aVKmRo}g$N z`lUM3yz}hX$PIc;s7(|&5yzwuZlA{h)sd$bNcLmS?$J`F9wdXGzGb9IA1KH=Tz(cJ zMbhaR>Z3(aA$w$RBzSy5vZR4apDyg}@#CPp`=Nr#4;jSfttlUxBk6EhT}#r4uR78l z8~>hp9%<>9^>csqNK6H3Ue^W**r@o`vB6ebK!u+QCJ_7-OtnaZ`5l*Mpi783x z1`3*4#X8l#A<0g(*7HzpbHw7e(_bGc^L$gqHFoAPe-L~+T%Sl~m(ru4Mv^CQB#VnN zU>d-)$5D8@u9WPMAZ^lZbmFk-||_S|Ns7VUuOd=-}- zP3BXgE*E*5WP>ve-Op0W;IM$MS0mnO7n3mu6~^BG*F(M~)rTgxu@?GJQf4Cm-c*{N;aL*)vN)Nu`^=2cE7zrehZ*WthQis zy}f+a6AmK*sM5Ye>)V5xZ%YjJlMK1(6w=uf9M|ut8wYr4MTK3qr`hVdU*sISlt|1A zAQtSkeCi6?GO4k?PS|r=V(g}n zzvP%u%xH8B>}`vrB)(WH%|~Tds=R1Hru**4wbGd^tl!-1_8q}mGUAM%NO-wRY++Ta z1F_?E`q}r-%}1!XwBMVVVRhk#fYvx`cc@g+GPQ%d%Z`@FYwjAil{hzpM8+K#k7iy@ zbuY6;vO|8_#(0tLF*(ha#u2(q`B0SBJQ;I5 zrd`OXYd(tIzNmh4^XhN{`CBTJSU>j(kVH58pqk@muBwjfdfI?8!S>&}qiCt5i-i!U zp@%@O*KoLLWuYXuJHfK{N|Ye=8>HNVvVD8oTAv$n5jx{!iTrm*^K`g4Yr3V>d1kTm4o-ej z)?nvKGItkGgnfpibWBsTwIer>)S>bkablevU&cK&N2cfzE^G75m2Rx6;|qk3sCLj% zttyBh@$5)Ceeyw^86C7is|th(3dUHsUvkhmt=T>|)Y!lTHQ$qN;wffopb*W22w23o z1W=^E>DjL&@g}%4l~&21;%w){T`kTK6qR+wXcEo`$cw>R*unbYcvap($0p&SF{a{umRfve_WqMaSzwrkOh5ld;hlZ8RkHU?eM zfdMT$-(v1V_llXC0CPUlQ!^_F7iN2{S;)z2(n7qKQc`5|?=cp*Dq4W>?6oeVRMn^Z zW{5^V_!({|)oBZ)eeY}l`G^FSXuc5VbL#7V_Y-$l&F_XUx3x8TPZo1Wh+94ZR4Iul zki`9C$h1Jju;VEx(z?f0-3=ix8jvzb#A=D}wH;Ca9DKkk%Ns%W>LY-mNdO+g3Sq4T-E=^jS6Fa{A;fjh zDyKAwqJbPgZ?O6AVv+NI*Afn_+gDMNa9wc9U>qbtTwgcvtK(`cO^^Lo_b4iZ^9pun z`yj^xp~eX5^l|937%(NU-$L5xY+m?zTn9Cw+bj>Kk+I0h?$8Qk@pgZicC=uCK}D_v!gsXN5(`e?)Inaa8H z{&R@;%5$99uyB(b2@&*(?K3}MT!;1>`_WkGg__Xs*GehiCg!;#Eyz)~P0A{PJ9ip* z;-PUiz%(IG|4MZg8~rj!d#fCzelLapC_@x;Y2`rK(YIf_#~+a;3ezt4(|d-m6WE4; zTJvZRAJD;ucN8ivwJvKseExQKD%4S!rn#Lypl=dG&cE8iB5HmTJt?z4v9}UbgGl|d 
zO!YxH@-oWmq4pj`Z^d1`U#Ar_&r$Y?*}UcZga;@LQZm4+M!yI4cTXOc{31Cfxn`8P zCiQK&(W~yi%Q-ayTXhzthIO+l13v_wRp=P7auY_L1AkHc(zPBj<~- zEB5=IqW-IlQH6B&3eL^PY19M4phmO#=-)Qaq>w4^SGPjmDEWtU9#ny2&=Nqbs1dCi ze2&gFvim<&F(ys@)xP8sadR{mM|Pwdtz((ZmjA?DQ4W0bIoZhGwmJ3cjs4i4=+Uq32kG?!$!BCiy*Wgzv45*W=Jt0w__WL_?C)rPq~I6oU~K2Q zK4@^WGc5Fb0zd$Hj(9em_LQn(PZ{Onjw%CzM8nZu>ds$Zo4&Wt;}`X zN~5S(`ynD2bm?w}8ojgjo#YFE#1-CKI;$kZ^k&o}2>p7QP6V}T*25~z3nFy-HeOA) z#xDBm=yJD?h0JTe<$Ns&TUEz-#BNN-6<;3Y0%56HjCJdj}uca~Xh0{*^RR8gR0FoZuVnKIzdFJfDAb@CAv&hXsq#aa_r@gyw zuhDY^cDHrsqF&ISK{@BGBSffbpmneD5;QL{c)9*5GNOtfefY>YD~RBW8E8f${#kDd zQuWrwxvW1TEvw~lo@i0Za3!D=?vFLya0&g?{c9xt=d}7A-CmzuB>$M0ji?`FY-h5< z3f^p!;Vb>}$?$G}S5G#T+uD8w3-5Cq34R7oneTzpmt%8;! z1PTWXm@CH(oztsM=okyimHN!-Bu4U;bL|e=2?61xo<05KC7});mdMrqo!o$sP`40F zy1GE6b=yss5e8LG@TKV;C~J9$i(!}OXI~08f_8P7*o2`5JRQNWbM9+kgP$X68D<`i z>7pAEQn9ov*wMbSQ#MsPH#OLQIT_6=Q8cIA%Te#jbnriHwgTr>Mh4W|rgBsDZ(n3C z42R$in8eljaP2x9>Na8qjx>px{9FVsxjc1RaRZTk>0KH?12V%Q!er$p5;;7Q7ZWjtxeNpY7QQ}yrO=s;a zi%Z+bl(%P{2FqR1_7@$bwq$@6HWas_F}?-JbCxvklL@w0^?mHUZ?8|LSTM->Ii1!A zANkTp3Z1C){v1|rgDQxStFQV2%J|My6$Ani&im}dm)*sHn=uf$bG6FTgvvAL<(LEz zSzh2-U}4>WIOdAARn+9;qUMjW-yKWWX;Gh^YE!AZ}a(BNO9{aoXV#Szl-Foec{MCLNwow{KomY`=L+jJ8-yWiXIGE3F zujg(}%sLOUiH$C9F88q2wC!Jl=k36Vy>6{ZWAMmWVQa4jGaPB>!t}i>8SS9#6 z#Ux=#dehujli7GF=r|WU0T9Fwnf%_Mgp33?;`EAsBu_dmnEy$!p59mE3BxG{iUF2N zV|XZ$TbeHV>8z*i8N~MnckUZtO@`W`{$1|&8wLjlos>Mq*@tFOj)3D+%By+gg{iq4 zmvJYkTw7KM1xZIFrQVIi>QW3H*h$F?+TW>D`}O=;^JRvJUpvW?#JFQsQW*44MEze! 
znH8uHNUxSCZ;2E_skqQZ8vS8@6Az$Jqa{fAu2hO zzC?mOORA7u$iqoHZJwiLrGq=h8C&>lp1*3Vu#OpYl44cZja}Rw z1r)_g&vU2Z!2U!szi)G!eS>XH%rEuXy7l1#Q`K|~!F$*}ylGm;%O8@In29RW8>_QjX2&<;0%*B>!nsD@<)3{%a|KFB5*~Lo?uXAP6pZGEATB)| z*DQkZO_SmB_;GbPcgxH*^{jVtrHM3yfchKJ@m zOZ9w!I#c4|>O@i>;Kh^%Ouy)^>fK(b`OFwa@X-Rb7ec0Tx4_2kS715SK4iobr0VFY zWRR3svhB(9IqK&*k`X>06hB})7+i`J5jHKetyxJhsG4!UT6y$>;8~4aQzO4+K}AGa+K$1QfC@Z zIFFKeI2(+0ftnu$U0i1ux6eYE@39*sXI5}x<*9d{B8+wDoQMbSK}awbUj5p}Oq?6$|2`;Yplqa)-B)hyo0APdXDoTSJ29#(7u9IcU!S3rFn0q^2F>P48P&uy`-kmg;^&F^Ei zI4_puVl4;Es%~R5uAT@tTx@<_5(+F=?x-)u$uk-}kJE&BA=Rt}P3i|?whjpFkp((W z{B#rJQ-C|G+b)&Sju_g0mNBbhaZae~_UL#6N|zw5uUYbNC5|QYElj5vc4(}EFrOX| zB~PU%5RkIvf&p{k0mW+Gw|%3zO_+SW=jI-3j9s&Ts0jJ{Zee-Ivr76~{v| zgv>F%y4|Jc@gD^9o;J&ghHIV-C*~H^tfsK73s?+&COV@*%$R5MU)=Lr6R>AJF1OVu znQ~iF_VxK%Q28{456B5BMl~5TG^D9gR&YU+B7tLN;lpi@5a(Q`?K{=m(wpZr%)s%! zI8cu;Y`ZnEYj7DvSU~YqIQy6*%DZv~z?}y#pT(E-sxJWgYy=I)`nl)?Y^7%pL+3a5`g;E){}oRB-3h*^DIg-}$Nh@Y~rBaRs&o&UJnk3z&M6lanxD(vGht8*BLRnf=J=oUcg4qx6i|EAU^IhxTROH{L-~ zu<^up&U?b2yE6i_B!`O?j|`HQwMh;X3>$Fis{BQ-sm5-PmH3|?^R1=fRsu+qD2^7Iae%E9mFz%%RagMvaT?e5%XDA3DcdG*bw0J{X>+zu zNd~(E*mm7*b9DKw-_8XZMGA2@33UW!3f*2E9b_n_v{0(|q~}t|8QY7TFUKA<$PzpK z8);Auf_-TGz6Pg=s<3*_=W>M4z|c@dUY_Yq@ap+smiUtKmz9UPRHl+}3qWioTQYu9 z^w15gX9K(@94S?V@k4r%0kwQWqJGbF?ov0c{OYi`ldYW6=WIbVhp$A~F!ZO1m|4}E zxus8$!u+gZOl)e4yxoJS@{?xFj6g|R`Q zL0GyVan*Hmm|?rP4T}v1oIsiV8!ie(=FJ{(_-p4AT#W!ux>Ynw%t>ZZ`Ultn_HNUBb5ga_Bnf}fa@;V8O`It z{?tSY-12P}@3i^I^QX;}W7ZbPH&NLKPn3dv`KfMT%;pp{NME{~BGPeZA= zF0+orEy=KHdbg~;by8CE+mrcT9k6Bg8_muMc^oIvU8eXF$tqNFR=zNpa9#ym*k$e* zev?(x#Yj=>`j1ar0#DZdk);1O$0o{%L**xjxB}o|-Ut@Cz6b<`;Js{V_Jg;>E_2?e zL<&zDV;*h~)pI}uIcOJ{fc%v$SRyQXL2XTqnpe)*>LF&+&jQ=_o?4Z$YXJKbb4kK?wZvtf9N|uEPWG1h7Qz z2Wu-)u10=KTR44cUmtg51 z1{0r-ZbXzk;oro;@TPK!)Dvu;K%N?zK}y7~vJrh6=`tHuvTs+fzUO2)Fs z`GFz~>+9|E4{+1kL{GZp6vJTH2@$$IKzY$p(lwv}CuDLbMXx^6k`%xwAJfm|DrE2y zu(iy$ijDDA0!Y19o|{ofe4NhTCL&|r?y1@UH^ZrH9T0ItkwVLaUM&V7iqtx7JmgTB z@IkW!3KLAC37@6UbwYej%0!b-TRTdIYF&0npy%$mu_M5a9qi`>#c>xi@xtmR#@Rz& 
z@B0`}pITGT%kdoy({JbjxPNFND13+jvw|~DG=C*eQ8Bb*57O)pzjd78as6{_i3o3E zhl3f3hQkYD`sVNA&nN_=Zh-@+bkTIB`&dbN?dz*$SG=NNccq!ASFFiF9(){J-;kmp77Wqzv#dt zCO$#hYpm+okrIu6Z~|kRo;rWMozK%xy1Wf3YsRfV0mP8dLEra8Vd|3+s;~I^erxG} z=2i-4mS!)}_az7U=@MghC18Z@?DAe%kM+S!r*R4S$2WPOBEC4`C;p*K%_ZPeEIzk+ zmq>@UW5rtGYh%kw(X=Pnr~KwnM0+3PnPcn*%fAn^4(OPs@12edpJz)J9G(_gc#CV; z9A+OSRhDad3&0@4-p6K<{xHXY9!_MnYzqKqXXXfp?GOqNbKcACvZWm$`;PRt+-#wA z>|>kgkMoixhG(u$cUydK-{-d-G-1d{?zvsEknXwre#%Vt5YX!pqy?}k1bK})Tu>9( zSGgzV8$3@VQXe-9*)M({@AiYKwrN381pA$8WrzE5?TtB10ip;Gn#gQh_ce5L=j+wSyNdNZ%kfm^!E2QKt}YUDGNLYmt8X7Zqls=C^GV9Gj*6 zX2Fb}`NhMi9DWp75D6hCgT}zEGCz7D02B=XY7WyENVAXLT~U5q90Y3i9wwTc-$4m` z;iHo|-`lHF!TBabuRgI`>wYQ@TvYR?7b9WS(W@uM0KYyH^RTI@!9j;|v(k@s>OD~%lrIZ-f ztur2sMNZOX-mv-QYikmlk)dJ)dX_O}JQQUSXPH(;Q0u0CxYh|F^9es?G3pRhRolM3 z8dEwpHvw)O-~~X9WCDR*90dFgDrH9Dxz6<&B5-l2W?m__QeD)AF;Z-G~2K7c;>3GsAvW=4a-{ez8%J&bKdK0m)+)vECR zM`?<}2MmL*6<{rh8F!6yb2}~82|J$jsCM&he2#4`^1a?-^*CPV^}+;`oi|A-CJ(#? ziqIqd4^$RH*cw8)n8TFtLm)A0>7Jl7fVD8p?M&45VDK50ygYV8xndfR=brB<^*wky`?!Ff7?$ zmVfX?zkL{kS6wJZ>&nD9`NrqCFzdILJE-mtP-mo`tnq~k5*&mqHSy4DR;dmr?}DtI z*ZgIT3GB_GOtF~z+2_V)xXXn_Ol5uS28YYt&IFIN60Dz00fJgrnoSs+&KKh=0I(3S zyvtoVXO}P)CLHRuh+DY>f=8iBI(}i?rK3uG%*+Evja1?uS7!$$WfDek(=tpIDn7n~ z`l;AL$BN$+oA)R$^#I5Zr{Rhr)Vzlc7R;M3UjG={;SAX9bNE`eV=FA{EEfn>Y%eN@Aap}+b1_7hqv#XJ&)I;RT(@KkfjnD zwo7}TuML2g*fAjDL6lD~t%0a+PeLdm89_$O4RA8nc`coB9 z+>D^<Cp{p0u4wttHxZPrq=jd85 zF|p}%m&B4=^+@S!E~=@s!&jL?T+%VO0PP&6aIPffLRN)$m7|QB>=y0_vm?L1_wf(O5?obq@=w7>foY;nXrMBB$VT5w)IPj< z)7$)7tlnZlFply(SYDUIYyd;#dP8BUdO`bz9Jo<^_D}9M=msmS7hNHzFMwD>{ACp& zG$CdV(1Q}z>VB@&R!D5P2ual+kjUDE_=O@+Kp+RizrKwq)^S4PNi+4KAQrr5gs2$< zvy>BC0~pYbt{!6=b^g7hUALj)#2I%N=YMdK9wb84{W8b6&o9b%m=F~@4M32{!j3VB{o^JCCtKO;oe}!K2G#D`u++@B3 zdHm5C*~x0EZO5{oRbdUSZ@I8OvBDpD1x+3w^og+kO3CyzhSvyn{F$??KycpA`;`~70O2E*a28V+`pzb`5ESx zj-EyyxpbRo3UvvfeZs&w)x60zLH^b^EJF!epqgz%OkrI>RcZs+eIAGd!ie&qS9&rH z?I3YDDY$`%BIJ>TyueQR;GiN84fmSyZyf3W5YB0vu1k*g^p3MZanSQRXfHW3kfxtM zqQ*bP040h#mHvv|gK&snubH_z~<1W*pQgH=N 
zNwxldoh8#5mB<^UQZ0~Th z9lC6NFQ?Qs)`4^d&Hjz9r`z0NcX ztjp8rJMqQ7eh0|lpEflFQ-l$7(5Az06=wkI4j0k@G8WnR;Fp0v*eXvcleMeglzYNB z_O1dxsYWL||LgBuuU`YGIC1oG7W|D%Gci%44rGyd+T0)H9FR&~^0(()jG_ zw=~L35kYYqreT|_!(Cyspt_ybyEJfA&-Z%O$($nemyKqMk`lU|&bS&$_5-CJ2q27~ z>qPT5S8@v*za(Zk#2y97{0-1d((g8YzVj)nzy21$pR@mc1mN=d!oJ?@Ut;$!=ko{r z|2`s!@-wnyp>lKm`a60nHZ=Dz7Ln=toUd&1%%}YFM8B{94Zj}WyVJ)6@Z|2D>xQvujz8}8_q_g#q1F5h zR9X?7m%0!BuWo)1^FN_jbP9L8{=h zC2Du7GT7`7fX)YeP`gULZ$Fe4)faT>rHuU`RYk5Vp;k3h!0<^O&ng85!FahxjVj_H_`gs#zfVCr5~2*9O(Vm6e%USUl3;8c8lq3$0<9!-M(n? zuY{y18kc{-`;)EmuO*jMf)Cyk&`yRQByYTj2ALA0Jf^dh+7 z0U2b14OCeS2XeFx!M3zHuwXA}`12~kZFIo)G+mHtbOtV~QMwZUo2^5>_BQX_8^3Lc z+}K=~?LSpJE~iE}8U%T)m7Cdw{y_Z8T?Lz>)1%OwhyV%$UW2mPgih~Er4&oDvmO6h zU6Vp^pymBzIY&Kmw)Vc9n_p7|aFYT$}dQ)q|~sS7A{9~kDUXS+H4yuYGU z*Pe>mD)8v%)0gQF1q4VY%}CBId(IVWM}uJ-NKSC>2#!v8qi)dBcqZ!jq`%=xXJgJ$_T2GKUsW`nxfg8J2{eMec=^SD{f#nvRQk!o7YwDxR~F{ zlKmPuFqJLXV^HryliMDJ3yf2je%?;M8!S@|RX2{lxefiCgP&W(pSQL6xnCCc7$*OW zApm-(EHIUFLy)Qs@msq@k^90AC`Oxd&=`-)R4vi5gKs)D+JFG#eN^j$97*Rl@FV3~ z?fKb5ucMuO5Ecj0hw|RF&ac08xQj_HXj#G!ak|TWM^j~^H-OvxrVUd0U_$F4r>KK~ z%C^k#hfXafmd40p4R*H5TMKIIJ(psgdbIod_v zzLSXDb{>Zf7DnYc-SJ-qB>=-AaF)NIJ0$Tr5WgZdNHKMvN!Veo`R3cR?l5n%3YT@7 zrfamoCAs2m*0fOrJSwBiT@1PM0z6AYkRA#Sl#K!qKrIc%!^sC8 zN24fTn=o(!rvb%+*on~l2e9;O6Zy6C{2-j4yP#jRQ}(+rvEgoKYy3xjE&A7?gM+M z-kxQ|fo+gf6emMtDFCv7b<-L zo}0xu`Kk(h3>d#R-u~O=FJRX)Y-1~ZKmUW-%J#pD4gb7h=2fB%7uLWI!di8Hc5JeK z7-N=j87GW+TE7j5j7HuuCh&Hef={1#Xxtp$RdZT(8HE$iETkX`^4_{N_Ax4*Em(_E zUGPV(ppPLnq~>6TpP^G0vEuY=ng6Y&_`ShpA-2a@2az3D5zeh%V_mzN!-bg45RU^u zm^9FFFtoUURmx9=sXZEj&zi#|$v~%vSN7l%ab)82K;15&h{{vJc@Oye>JEH`buM7< z;O*GQfFTZiX1`DS-`o$i`%22b$C>E~1YqhA)+FVrn2cUNU_J~#)+b;$mO);t3@mD+n5`EV*1S)T8a7JJq3)rcF-JV0HI+&($dm!wIh}GY8YW=jo)NPb7#Z7hhyE_J%1I1yVA3cyU zUXx};5Wwf zDsT4w@s9L6rW(RuWD9IftFf{}BJsDG{d+$b-!G_f3W7`o%b&*@5JQLB;G9gVM_0Z1 z2kiLM-}%oIVacFWbbUUrYD;EmtlV*FqS^xy+Ky&=I0?ii!jl=}AO6R-p-#wIA>lT% z4KlbNY25$iw*KvSlYrKeQa`zBL3-}jIr*Q5_K$%x-36{We$c1?ei?th8k-0lFZ^|xc!q61e+fnO=0{%_axAAZbGOEOAjEvx#UcA;eD$LF}v 
z=l;nyFNUBPh*ePZkL&cg;H>{^?4n%Q!_S@fUUH2(z@r$$4YsY51dhvU9&^;`Cx&kS zFFQ|4!^YuJ^?iKITltAoM4-KiO*aWNCbAe_9&SqQ7{GF2{+WaOFH2A!S4C7{yfZ72w*th_KEm5C%QnvTzi+G7UZM3_ zJ{UzTMncx*Dj;K!obs`6h8r5Pfz%!@A!4@v8|glrxd1?#%tAzPgppW8Zyoce}60DvQRxl@XvD)ZgCzf4(1>ICf@P z;iH;;%L;v-fkIqY5#zT0K^JZ=cI7ib|GWXHcz{Wi_Whg+R2HVU*DiX}?Kk86kM`Yl z>7N3K>G^%LV!y|GWNqYAr*+5vJ#)(%mg7=*Wl&7;3W`{bZ;yZu;kp5kPGP{X##0zT zRB~$1jsU~uj2{fCFwZoy{~Irj4F5+w-(%3a%F6I)XZfW9$gPTp(FlD55+SwxuZlk} z-EVXu=OgB2^ey1WACo(CJ#(*XA&pn!V5^wx27vj;rbYfKem8gSTF zkifZ@|6ww145k1}MhFVRt{@<1OK!k`+keKDEbsK7ZOBk+fj1cVZnd~qfvff`ay;yp z+|n^_IG7%1}_z>f5tVl3}N zsy4n&$2)es%k~DYvfpe42tdArW0XQFj7Hy%t|IodJQTa+dXf=->Iudh#B?EPAg0XD zDU?|PZdNwJx$Y1%KH~FzpK}TfdOtK8Z+Hbc?mRklAuY;>%5s;#zZ4FNz8o0Rx|#jS zx*Pu{XkpTUp=LI@+Bar zD2se2fIDN;b7*0BiOI(ccAi+?e^1H9qUY2tiKzpU=hZY)TD`^q2;YeXa%N!qzsZ%r zxy5vUV{g>1=`~K{?XLuPpD{4!j{}9qpQ(?2VW2`0)z}C0=q*e%oew@Q5V(%yqhEV} zZUTO$tfE&xbqaCg65z&KU$JeytA2e<0S`l5H`F~ATT@w{vlw<*KlH8L9nf8*VElfR z^op23m6? z(f;Qf@mT9|FJ8{?Mc%%CYt&deI<8#53_S?-5!!>W#T&FOg4i3(TY5sC#i+46CUE%& z&=2wy-+^VeiJH10H|M7?44s}SfWb-dZrh7qK^jMYNngFp7=M);6gjmBP@t4; zfa#q=x*te-HJ;jlJi$w-XF1>IAEZV}5eZdhaG1vGbew*469!o@YGiJDX66UV2!SLb zC;9e|5(hTEztujU9Ml0)9dE*5*wCt?b72^NS>cSBoaCO4=8YaLn#|hGvkx zGYa$#v`p=#z?6*{kF|dHyGFvXsDo~Cgi?i#KA|r=?M*!6w1)>yaYuHQZGN_By6q@e z(>e&y&RYpUkP%zhr3_afS$7o=VkNgI067i-843H7ko|kVA=J6 z>&DadU?-^MHUNW|ADz_W(MF7DX!ouVu0@vkaoo7eEAPxR9FeI^a0FC4?=DEy&|Q_I z;de5RrGE8Ig zdrwd}#)~qV#0gb(=JLsRJ4-x2VZ53o48%OMW#d3=W{*j|d+Qpvk>cOuZTGGOP}Ri= z9FIaGRbf|0j8sYXw$Cz;^M%&ITYQ&yNvTjSA5pRZyLunks|wn=nYP|s7eYw7W68Z z=$;J>FX4RuaGU85UDvxE(Os_FssS+hr&G)pYmI))VGg|mMt zE~X8&1C^(O$1*@XWkimTRJOrT$1fO@cAEA}Yfo*ijHv_(k1qYFv+7tk6AvMAz+}Sc zf-7qpC$llga{*~5hU*e2>$>pf$CCAINzy0c`Bh9Jtj2ASu@vDx-I${!@oa#BAyBj=ktC z?g6B|gv55)12zjfIhNMBovlF6gYa7RrE5qWW*;Fy!uyNQ`PrriWYVvUM$P7l%-9t6 zN&RjfF8R~~B~TzH(gMElR$h1b`zKVK=1OHCUJuIJ@cOud&t{WRlFT?O0X+VsTlinG zT(}c@uMoG119|`XBMC*K9%V%2hFqxBjY3HR17Vi{AHT;^2LOglpdN9lrkpiw&33BJU(3*%|XbA3oq*X6)TpDgi>(!hyu 
zC+?|rN;vz$=o2$qnj$!O14$&mpUYkYvh1eV)tG&@Jaw)R!~4y9i+72&PlvWD?5{ZG zw{lPDVtDA;GDl;`hD%iFofAa*pa?asxf&{ol;ncL1Z!0qPCZ5px4J;N`x%S>f{pun zqC+cl0cjubV5n`}pgqcU|0?N#I3e=#M$9?z07EAIp5A^MvL56)`9){^ew?*Rv7Vt0 zl3_gEN_p65!JTxF_|GE!My#db^6~vi^23@Y7wTNeY9JZ&Bc4HS;U3U5?OW&4r!{i% zPs$ZttJD<-w(1%iHPvatm|sDuX8Yxic-^hFN8 zSRh)R0}OakpNedQb({4qV*ZQa@@F93+2~8OC}C=3SnkLnP~^wzzlf8DUzpms^2FJw zwab_v>YfW6_nV*ZdVG2=01dS+p=dTW`ji?=WNWtHcpNOsn|EipOzq-RI9*{|NkkKl zUiqdsyEXH}__XcgsMAW(Iu2ZB?fa2L-^1vbh}f~CaV*!%W}mv~ z3G6`@Q0UUDBC2G1VhXP%-j{&RSumScMDh%G7w-;2MIcQFHpaE-o8wxcEEnTh2XKm7 z_|xwRP!p>dd7U+0?MkJT92?;Zc3 z6|f~N1W<|DCW#S?MH`-i@Plm=KamWaPnT~zzGTnOSo5%p@IcY$NcDlff>MCBX(1Ui zU%U=dnz6U}lHBOiw*1p?jm4Z%SN9u)MIW=_=3VaD==61@BaN#gH%V}dXPa#E#?LXP z8cmn*m=-2@m4!oa`Q+-{LL&L-ow$gt<>f>r=StyR13GocRHC!^1*^it!yaj)>Nin& zXBn~H?cYN0TZDOHv0S-An)9PZdO0M~CL(#(B_wCsdUii{l5imJex3f1MZhE%f9?iu z^%pE2AF3r@@f6j|)aC~co%Z;i=CZe@c2EoZK^=rn&Ua?xLs>oVKuR|So~3d4P&7jr z?e%kBzMRS{fB#a(*5_b4@a45LQ+w;-#>r1Pk9^q6HtQeamTJ=wQbK1AJtQ*egk3)} zgxi$u0-YR2-kHl^*S8QBpY~b;HRP5!BWytM=CUd$ntpwPsw!0P zbF()VBYykjKF~I?Ra&Zt6{MaBQS__W#}RGveD)QI8T$p|U}6C#sBhU1Gs&{3%7wUJPo-KUr`nL54N0}5RBxziUAv(=_)-+v>O%TCouLrR@{)~R-krwoxYY?|mD;HEy@vy~U}Sz?w5(`YPEV8gxL>$rB= z=_S2mluGG)qxJ)-%t0mR;UgLfs`PjZ=Il5+gM!U_2jcPm%Q$tsQo>_q7a!w9QCeCj zPE^NBBOf?TSKvHvUYe8I2)ZI&W4$qdFV145>nwgUAM1iXWggzzZpo_1da;358;>&$ z{I;vl9;!ckDJ{db&LdOnhI2PL2k9-I1QP1yZxXQ$>)uC&vW*Xcwn1Y^?3FJg8x_tX zpE}->=tsnlx*Z2y!*ue2SuUoWA4=99POra+Ke5CKd^zWW0tMDkhJhIAhmlwtphwQE z*1q27J6dw44h$jahZ9`Tv&#uLxLXHb8U~(ji(R9bu+x)cT7CQ7O7*~C&d%|ODgp_I zTuPh|Ol#RpsQsIUJ6dnM98G9^zS`ZlDDlu=*V2=A4t9q$&gzw#Y06{lcT6}u zJ+QzK?hz)$b?D%ZQ0R{}%Uq#39*q<{j8c4dlQgH3yAbczn~?Ph%o0iB!na44#}b6i zYiP(x-MjX|T6#A2_Pf90CAQe-mXFbSMa!gUWG z!Ht>0#qZw33p{UpyaX*O^WXzK@2i$W>>Iw*etkwXVRzh~dpNbH+iUvz)!C8d=N;4W zvJEQQcKrS7jb{fd;_HF3mvYH8^paH%1_Z_bWG~nh z7G6F}FRb?DOWDB_TaAFX(OPgQ^}1Gh9;BOu#ZAcLBvV=LSf|BbzZHt}hl*^6j+j*~pGuKMUN=O!->+i!T6P!NNsY-n}8Rq@g z6VksQQY-8wwX)lPE*#RAPUnk-jsMRtqDR=4=9DFIH7FFE7j3T=xn+M(NG$q#;7)K=WN(`G 
zVr{X*0ZxmLb*>R=Nb(B_&$q(`qZOU`tyFZ6*+KvsN+Qh8Z(5sdgx3~JH0@EnUwmXM zauJ$fH%So^pKDN_Q(~<(Y^g3Qly+56q3T$2`gY})ZQ99Rvd`;BQ*u0(0uFJ`m3DUO zEKvoKRy-r)q!c5FroobAzi~Hq6IH%s?DS3l#G@B0uf`}_GNz)WaHVhHdVe~c3L1lK z6`W;o_UK5~v*P-aPbp(5Tljlj)u&BDd1Wfk6S%W>QStRCq&$nn)~Dx|qk=5qnXbc5ioOuv9rks(cXg`H5zvIPN<&=Dvb7xtJNLkW%Ym zj_x~J3CX?&c&W$li_tp>buFZ)rvH{|*9 zTy=<3X8rf>z00TBADU289~G3RG@uon93w6U-QFP6y4bUK%r4`8&iXW~Hs*OZMV`5& z--~vVg-%&&#T`m!EV#lUXi+n6`azXEV>^hS)O@apfBc~1K_-p(@@U_vzGJ{j5k#x+ z+8qap3jXZ_;>Y!{-s(K|h$HOGPQuiSos!CCSg-}Gp62iJUc`*TRcxJGJ6)h(7~ZDU%xO&raKy&V!`x9h?hz^OgQwDwstRUge8| zqjGZA`zd20Gt8;`-8dbzZJyN7!;;ZR1B)0M^ydWLy{a%(5$s<#J zX=#o`QGl5k)la;Hci>Fs6Jp7u?4ejAa1*C9>==wolpmY2?1RFaCgaDfM~+)I4rc`; zYh+^s=O@N965e#dlLn$7oKosjqw*8}F#oE0)V@bkfI*91QdR{jgZC(yFnR9 zfJ?Dgo?a>Q+F5HfvkBTIZ^nOWwq{2gJ~)CWa`u6lcSN{oQ*Tr%643(jxk7h)Z{S-- zy$$sul5|D;^sO>_nAbb&_$hPGSN3cICOi*gDVm2j=QL7kNgVJlJ|gfoOIf=3BfX_R z@GEvXffG|eq;Q|7#V8U%_?&sZ4EyTQT`!OVFTdvEO&wBkV%Hr{q$6F;!G%(+w+TVY zm1G2F`478{y$oE@&&JvUic9enu3bfOzgy}!JM@pel+2ydMeMxHtvuji!h(GQYP4j4 zuaHwoPuZcNG|W_<W}+W>cb-7}btO?5jne*E!~k)1HS4cxYsGvz}%m+x!005O7Kj=40 z6<#4z)6A1iwN%BLP<)xxsSP9R;Yz=L(0^<|Up7llEiGoNpD2~F;;0#N?dZL#qQ|-R zNVX8?1%hAHRmLF0o9bs%J{G?>ERYiI2>)Q{hxEuD=g7!QkBe2JgI1qgW?(|Kp^>n4c zkX15*-uRCZWH6gZq|Jk(AI!q<<9Jw&{R*Sj$x~UOboOMFJY{yq)>Xa9JQr}L9#yVs zT(E+kR9!!NxuH=H!R?tL$IZC=%0bwEu9T3bQzTtC)u#s^-ArbXC3=v&9qbb7EoA$c zLh0%js5iV!QHfNMi!29q&ykS1L31PZ8S>j|jD(Z7BqFmU#3p}q{&-T~{5)K@NgZWI zj=QoG#=?6f(m$J3nC%Oh^%G9gcE_j7w_&%dP3w~nts{~Zsoi!Gddv{H3WRtl`-P zZX|*mzJwE~$I!vt&g18n`v7#UsB{1IQx6(g_x&d|6cm$a{lsPFU^s+nkZtPL= zey|i_vl#sDj&Se!qiV*;VR|hUw@I8*RZ)Y)euDTm9Y3FtsljuB#7O!w;r(m>G*OJP zCY6cWs}-VN9);%7k`vi?HJkKbbb_K)>*sZ(>0j-tehki?R18jCiHIqT&&(JXyM?>0 z-sgO0y}80OXPE$IV0o^TjvFF17@t{W+U{_{7J9x%zqth?I^%6sN^}2;8b(Rb+Hij1 zhp=MNJgCqpQOtm3>=6-wGbbN`e=kn^kv2)m3aW^Q>KyL{2!8kUwAd>|jl)OrN(oa_ zbT)Dl`SO&N-=}6&*D$G<1*v=rJKpN#D>--F3!CiRwI%ahS}VPI5@NBo{CwGE2$Dt% zUGq8CtlW%DJQa5tO*7vqTBw2?Rosvn^qMCW2|&!!nvWlf?`@Kdqe&$%n54?>&nKrZ 
zkhLT9Cu=Ic#K@+cb^nOmYh9ELZVyBchK(iq2uF@iOQs+bj}CZrE4_=@SSU+qvYlwo zs?~EhM5f+G4v^Wz<*9J@U(BpG5EAENVK>+mv&D@hf3NH-eqn}Gf%ndY=>zd334*25 zyo3So8msnO2+=&2^dr37+UVxw=cO!e!X~bBTh_vR)Qq0t0&(>=J_#s^WEp63vQOw{ z+7qSc976(vBWGlNYN?!s5~F!1T-cf-nGvqkFJ7RV_7ybigkqAFTe>^6M=cYInv<=R z^PwX3;E~Vye^eO2zP){Lv~?YQd!*FP?&zJS@ZlV3?>QD+v+Cn}lVV4W1!COPUD7-z zE9v4;?GN+GZ;?$op#d6C!im_fyE?k#nB{;}VNI9zHAIc*2f&`)73Dd(T zYgI;Cp&~MIxjBCB2(pck+YLEbC*V0;r~&14W8kwdJjR_ped{O^IStC<%lxOTykCy; zNj#5d7iKi*K~tY&>*zzdbv~0z_&4<9I>c3pq;81l=wIV z`RYiDS|v3;0G!Mrv?g~7{^I?Q1Sn_L>7inj)aVZ(7mZPrMy98Q z$9f?7Udz~tu{w+T4lV?}IfG*0ciS>P1{l3QrB1ta_6K(v_3UeoM=#=@>CApsc_2#H zhE2e`=w4&x(@J2uVkaeLol2^TA`g*J=Vt}mMh89R@@=`!w8QxAYjXp9mNh81?S*o_ z1lg_0_0~vM{q-}D9%yNwUVtX*jb-5_s}!USCzc9 zdY>}aArxjP3lMMCHfNhEdog7O{Vc1JXGFBZV>cjrOABB3=&MTKSjjns#uBdp-~>jU zI*Z6w?vU99c=A(m$*8(JK?pP+cIoLUY{@?-UZa}2ZFr7#znE0|#GLk| zjH9@-fP$Mlb)SZFt#kGd9iC$4sn9(>chvRD(_JWb=bOpuY%8JcS|c|X>)Nm1X+|rj z+*j^Q4$VaRgm#1?b0_b2qi-Qx3hSHtOUCn#do=RS>5E588bT#Af2?T3S!yrJ~+A1q4v2>+IuldrVLtG zR=1)tGu5F4OPG3#`Cu;mxZBxX)s~Q+RQ1sdeVn_vJAoO*bVu*hITuUZA?I6dw6w9Y zlbWN}s#FFU5=)BTN>Z8Hk$s$e2dKF^x9R!MqzT>qKT2z70Ah~y^9?ncf_64nSd6Qd(eWH&8)!Sc3d zW%r`TV5a#gNuI^0no}XNvAxlS8E4h*Lvx5jdr7rd0EaE7XU?piyOwlR9-jXe`QR%HV#5EVnPR2Ax&ZIv1Rxp-8;YSIha`rFBd&M+C>1U zDDChwd7Vb<3Pz(`Y=m1I4LPM3N=|F+t&o}3zb*^d^RcC!kFGX)q(AL0oWySv3MrD5 z%&cY?Hm0atOFc9UyzQ=1o!{hcZ`6HzkRZq`#XNUaH#E;`zq-2FTl;LWYW#QrJY>H1 zo~O5UDzBZxxRc8eOtO28r{-*2VZ=_Fs;eMP{Xy)YhnRByVRkUptH6x9fCu`dWF?bHfK% z`{(2#Bf@KT0$T87I%H5!q+(1-k152!j4DVfnrArG|Fl}ngjM$_OvpTRGneGV9D2^) za75dgb}ldsnzw@)^Qo|YhlO2$6X5`!`1gQ1;r9Rw%)`(}?D8wND-{uidaxI`Wn6f$ zQKXH$qnhf^APh5CbjR4S9>DKGB%jK4HFkYb@0BWHENQ zT>80yKfcrRa!pxc}2V zz|4)33NF5Vbf0F_%9G#1-G5qT;e&@S{&<@&BqdC&+kEl2S-OiO6Uj24uvvO7*sUyt z@L)fnHl#r;XiJMjFiiCF)iThCSGG>w{_^ji1V*D9TnFTuWhL<}i{&ANU8aR0wHL}f zF+KptdEns*>lb!!KLd>op-kWTh4whY9XUS46Y{s@OOTQm4FnVN0Y_Oc4ctgSKQ;^H zvKisDYnm1Pw-5Nsk9Ej<`4+wRdogDif=So{u^wy3I%p${t!E|Z*E-)WT=g~71|;7# z(&TQj>Q@vWze5r+x2Aw5m;Ye`|6)gTa?b}XeZI1G4qq7B)L;m2J@&)e*VyfGDE!L+ 
z{_=nRv=M7BY#AQ359gCokL~0;m1H<)j7j^iCMeE?uCof2YnTz+PH_K^x1bAmynxFV z>8|7VL)<0LoN543(v+54kf;$=!WD+vc+BiBeOC zO&tpS>;=#o&29%2RYmyV3r|(h473y`mSzraQo* znY#)WTeEhG6wzqe%M_c5s^L@P!>-lbI-DJYt}rQU%^a<6+|vGOv30`Q2M6Bo1iiq? zbXQR7FYovNe~@1e;XzWW)VfB7Qavs&tP&W7|ETsLWR?0z6gfdiSq`_h*VUBtt;~n& zb`bj^RGx#3t467 z!daG91Wju8{XGtVvIQ_q9vU>RZZ#Llv_8S?w4fxuII*5--Bj_H+bep9;DJHakZsxY zrAnZ}99w44tp#!^Uwy#2Yosf{BiL6!GY@25?HT{#ZkBN#!vroyLpkvE8L0sHcNP)# zQU4n?c^yGaRSmBF(XGU9{T5i||#p4j^J3`$`XM|Pw@>qEh8YAe_&-7aaO-1rG5IO+~y>NgGkJ<>Bb=)2WjQaPe&A(a@ zlY}1t9mj!Gp5YjDsj-=Fjnt@ihgl65nq>5PZ^Rer*BX@Be<7meWFiwKp~?O_-ig$| zn`qO*9oqmt%qr3Q$l~3VA=9G~sZnpx!D!TUlr5#&2TY{rWt@xf3dM&4(5(QM_~!j5 z9A-~_1#U46h&^W|*Q)id9tW0^tCB|ZmLLiU=X*oGcFZ%N0UP&aoL#@754TfB#(uQ( z{7b~GmK(Syy=UIt?hvhTZ(=VKq8b#dHl{l6^GxS_G0}%RgmVZ84aK9$*LN!b z6*;z2V%kng1s+9AXt~0bqmmkg0cZBWZPW##7t97qh-M$4=EA`|WY!t9=xWjlSo}RH zh2`gebpu8RlUeUg59`lTZ-YU603bdl>WA?PR|Or_Yl#J(UiR|UzwBiw+ibFI2NeNF za&xU{aov5twUb(6UDVt9L6Lq(x;l8)%@z85^2|0NeVpB=8FC4>e3vsT1*( zZrKyTEWo!S!foI@f~^h}aDy04HU9*tG~#p(YCPRab9?qN+7HN3mdqr08kk`S6%Th} zvYy`>p#5Xq#aY|C3_Q>#y=n4AfZ8vAj&M#k0S`lnq?$%N*U4vkx_>YmHhOZnt-pZ) z;o90kY~UT8?iwx~{gg)Ftylpp5`pQZ2ecB8DV&6W!rvOSc6EtERRB5wrmDjn31sM_ z08vK!w`2{q*5jcf9kMO^vutDJ`d764#_ou}d5xXRkCf8E$k%Os>Y?>yvK*RqN*8=W zvNXFi{OX?5_1I;1;LC(@f>LF+c2Sy#4*hzkz`EdK>Y#e(@%E>|LX$SVK!2ccZ}OBB zboEr9fWax@y5Nwr>P-uw1|0y`_*M9Ls%b$vPEr80bbFHKPRmSQc?CR6f&Npe9Ou>; zp1|%1ll&;Kg2m9x?r(}hyAd9Uof>}NDPsD-Iu4>b)4>U`w%dKY2v(lL$hd%1rTV&O zwGT{~%d*ctue8%LyjgX<3Gm>Pdq81Pre+OpyklOv)Dy-EgK9<4+r@;!bHGE?;so@} zm{L%Nj&Y)Ns&gWv7Qw?ckf6plyfOWKeAZRt!(fKmw7cRVJN`QZc5O^sZElO6dxO`c z)*nsAh^}7?dEvScVaFSwgn>uKwxoM zvs44F8q?xgDVB_kojN=TAisiKIYc6?r@Wb0OP^B_(1h4P@7iZ2|L}<1%9nt+Rj*@JQ#J>+YKmMYm z_i$UoBVccOQrA)wQ$Kysy|P+5Xj8RESer1?-v_d_3?^>dXe!W7=$$~#$Rp15+z}q| z^pVB0wBnEv8YhUQOYamB9BSM>^-c@z+HIg)62^S|CC#$eD%k>i*Cplsl@AOfd#%39 zsu9OztF5N{pjA&!o}VU;dv3RD6ugk6 z7)#)?iXs$UAs2E$u4h z>x%sV!v2CGl#b#X;WD(Q63PtMq-2a;wN7U-T>(2QhxzSDwTDaXvn35bH?M1&K^Ccr z8uO~7O!+wPu6e>&JGx(6gLY}qC98k?7>`v_@519I}QMF@b 
zQ9b&hl9~>7{r#zOCiPl=4W{N3(ATrFHGLw5;6e5uTWa*L{I|0{XTI{AU`72ged^!z z)*0%fNkFqgX_7$@H-VSsn#u8%;42IKNT7c*j=e?e5C#*lo2csY5Dz1*HgHh))h#`u z+Nig&$xaTvLtvl%k+ITMvaLT;Y(308vd?w2@XBADx#sjb5JJuRf9mG%VYJlKl-ZU* z-yNw%IRjTF*J|`_6%sfMlc`MmHurUMebZ21%@W+wm^0EkChMIqmbCq0nf-38mOqWv zKHZtNge228Xj`zcP&ed%ww>VQA2rGF4QdT zst$0Hx0|3#^+9H4MJZ1K-;z-EA@2|}a@8u28xI#suNu+h0Y5E29Cbxg=ty61h3Abp z_G#DyM@I{E^cZuqQmSK!)_Xxj#qG4hJewHwqc1l-^tL5b_05yh44X%h*U=?#VXq3R zw_iF~K*#+OFgv|8u2UB(fp97q))$7XK2z|Q984#MR0tE@?c&N5uRV+EOGrcZVi@{0 zub9??SKz_*7zbU{6g&0tXguPYXi_*XS&k~5x|pC>%s})*+*!5F4M`|B`BjbXXft)n zod!8ci#NLgT0*AeQyQI;yQXU0OscrC zW%t2AhK_p8PJ^b{A3$IPK~2C6C^HeesTtlff!2n8`j=L5yovg4p{)yPnif zUbRP`466peDp4nER_*H7G#>l((z``hOr9KGvLO|@%;HQerbe|S`%cswh0KfN2A%t#X^>6%CIdRI6pM^7usQ_oXUWsKWpqmcFd9ZdClv2ueET^C=Rw zlk0p}zjWkw#IF4CmglqilKoK}JJs?tV5TGK{Ped0La+u?d9I5#2DaE;o;_O)(u-$b z_k_r)p*9`_b#2nx7sy}luiKQW#Mbs*lQDjf+eR$AWx#V$SG2*V{IKDLyyAws~ z$Vv*`S1(stf10?*!r`0Mglf;COTaD#2-@3h919Px7}YEza@-cKAm09D-&A4R2w^=x zPW9KEGdw!VsZuFY{YIJ=a3^c8%b^-h9Ryd7lG%$|G*q~b^n|#$UW`(Br7ppp z#Or;$T(kZxd-v7xGbh`T=n2Mp(X72Mj@$LlLZRw&xjQm`4?XVK~eIjcdEOei+8 zxXP*1?T#EI@5@vTw$(;EWp9I8oo?S`EtK8CZKJ?v9hY^we*P~|!37)wNl{q*b2xA0 zwoD&{LR;0Ix?CVA)c`igwiS730tsqWgq)~3$X8Px>LsMqk%=$!~v#=F@>n`a$JI7A}@r ziYSdkJC9cg1`y;pgI3_lyd=m+=3YLx%NdSGD&dkRGP_5!B~bH0OG1^=SM2Wa2rtpW z>~56hW7W6>4)Ab7g!StqT|y*mNr!xHaJyjS_~eXqoFyD_1sCKH4b0UKTR4Y^Z|HoU z3eA=G@u*pX1)WsxpdrJ;NRj*hpp-Uo3vWzm$Xri-tE{Y}vpbdyc00q%OR@#-XQ4Dg z{7x@W?KdB|=X_{BO3uQH?7@+geU`)i<)~6I{h+&(AkC`JX@k(n-bV)hl|6z$(25$D zpq*jU#WrPh0G5s%muj8d z9WBa&+@M;dW+17L9$H|ih}Ts_o%NK2IPH<_j(etbdC-I-DmB+}hulsm&tQnZ)|e$e zme9aQ^-L%Y&HV4lf(+t0>4vONF8K!)IveFvr{KH=nnq+>S~{N}*9ec!<$=m%wlGhK zvaYu7gY#I%?C~>bdrx6 z?^J-ycjU_*b?+g0_Jl_B*>=V9l_6znZS~yzehF0Eo04|nVXYmp@)XNY*1-+7-*2)J zbMF(bva{+7gEe94z_F;8imMshNjr{GMxv)&&a4fmI65Ih|4(N!w$!eQS}^(5CKxiE z#zt57bo1!N4l!mT4|G+!BW+~G?l(k&nGA!p4sVuc3Fg)sZil^#GEiCN+R@6$(*0U8 zy4{trWy)Tq_Fy*4Lg>i5T^4HdtJunXs^RyA- 
z6LtdQiN`a}N~9*S_a}1Tj!Eqzoh;=&$4SF)VR|m$&_OLAr4)qsL{$vND&zAoPy0C?pGwA^KKR*+xTouL>evDxUzuzb$+MaJAf zTdq`2oUL+azhOm-S+PPdt1FRiG@@-03mrfCzqwvShIu}9Gp_S#>oox@>cYsjM%){QmH{b zZzAkbS3`F?xU$Cb9Mk5#v&9Vh~?uu#ZqF;T7$48sCFL%g|eY|*n)v{+t zWM}n4c>mbZe$RZ-qW<`d-5ayXRD~j0*|EZl_l(sQxE(NSubviK6g2jiIW%JD*s;>P zl(=#0va(aiP&YLjsqy~G&`Q$tvLac7Q-L2gX3xf;OYf{f&Eu-dU7ktK6T4e{;(LN- z?fyB>x3k}OJ4Zx-A7tN4@ggNeYr*0tK17+PLF?;+{`pAKCCJILh_KPUm=eaGVJBt2 z^ktABl^rZGl8+>9j<23E*#o7+h>z0xH3exIRC-dSK8Ur=fe>di7rlpSCBPO{sGwTuM`042aH!IaYy6VU`k2{aYX3 zJpe@FrJSY-C1t959juN~@>}z%x!9h5j?D~u)eJ7%8uHUQcRQVxw?FwQuU+^C66#=_ z8=^a`l;*>_k(o`1!PY(SFb{D$p_h)|UFi6Lb|`;ltn1@6qEE>4NW?wzrY)4H(tO>o zcOhxh$5e5vXCV{2#*sMt=RqPV%53m_e99GkbgRTex!FJ31S`wkSH9`t z>MX041(Nt`Tsdx9%mE_a4Vubb$3injclqEo1Ofoy;L{8c;DjIp6!v#*Ak&fbCoN2=xzLlSAm3j0xNwZfJ)! z63oDd!%Qe^J`g)2EAMp7TZS*xkBvxVpG({5w#w#K#SUHc5N=xT$$VmxEfc%#$C!u3 z6yzwNrG9(rh;g~>&L=Pl)|imBX#~l%NZ!oMTu|@#LT3yas#+zrY+UylZTa5O?Qw#_ zHVG7?v6bR*0C&W@e5cK&yc6_&wfFeWwsM4XgzDz;3>7K@DVDp7*Vxmi-!*ZelfO4DsdLWJobgHgOsbNb z`gPONStEhB_WjACCq)zL7;VZbV8+0Rqj7Zi0$J`WlP3R-p{(TRMV*4fGp~~*0k~z2d8~lzPVfS%V zt|9v-I6k1D*W9*~x`31J;hfbol|>hlxqH;pXOKSvy?DE;?sDw|>dWD!Hyh>=ACJr+ z+|c3lFBKspy>qvS#+wgWF!U3kG+mg!qpIhqhrS54(^uq_RAi8GHOc>N$0EO^L$4U>IaEw%%Ez23?YSFLTnj`$-EhFx+mkqcww1IpBV ztlfNOdR1qFcxrZ>>~`nw6DjUDm%F*eqC5SPcQFd@>? zG}$a{B|}%dcx;im``=>d=bxpX9Y35q(B^=ShH(!&gEqB`2y@mfsL~RR`6&k~iiZbt zpKivnBAc^7&S$#F)X1*&@&*{YREH^Jf6Owl<=~d3%Z=PfS5Ol_k*A5n z%zXg#s=_4H7i@HQYI^U}MW*77>}pJIYbX1qv4+vvICJ>z@l%2!W~8g++$;9>tq3OZ zWBov^yzD|sez2N@w|9y;As{2_h?KC=m+)=P%-TP5Dmh_g3YmbJ}-Z+%-|p5J0RIBqt^P5O@D5PDP>IqC9HR8Fy{ zD>01&rNrhM`rmqSy3`3=nL4c!v2R=liN9B-?vF2q$hkQU6x^K=l{CS{<5Q|vqp4iC zU;EgZCpt)<9`nJBRw~9&{6e-K!(>x%IrLtc2?g5-<>}>-0VnsWJ7ZFXt^7%x_@B{6 zahg+>MWGJ@iC<#CiuVWR=+CSE&!QMmcyY9)I|<6k72pjp?`k~+?p!vjAq;wcOVEyE zF|F+D^f3{LFQqh4W3RJ&7jfBt5iz@!30uAUvL!+D zoYQRNv~4p;Le9nEBsKp8jn$TM8br5@v? 
zbGbH(grD=Y>uRgx+qJKn^pya%-x^4%Or<4!eY-iqj&)WcPlKyGN+grfLh5f(}keod}w@$1okpN}9tZ`}P@>la}}L4+#506W%pp)WTV zwi7bmYVbp&|02*Ni=jK9@{Col?5l~z zLW`_=Zx|lzZ)7$v>`y$nyE$%NY|w6NrG*S?NQ)<8RH~RQkz6qBflgm+H_yvUri!J; zih#nh>iI!OrPHix?jjlVC~+Lqt9JM{23~G&ESf~k?m!m`{83lqGnYKp4`AB6H^Bn%jfd2PD^Mhb&4M@`4I#J1G9*A%*JX37ma*k*Q%L%mTD_uB3b9C5F~YI(-y zy=kbG!iDuO?{*F+g<_)b+-!TiIoN%cLSzu(1Evw_0810O4t#=NRSYdY9U&U}h}Rc! z3(5mo?cbl`t#qmR_!#t%n6uT(^R&IxF|gI#4%uC={K3A^=YY&|9#Tj$}}Lt5#|(Y{7HNx9MN516jXkj_K-QlnWddI9on5nnqP{ z_1F~;ClklgYsx>6Gk(zkM=2(laxll#+j3kTB>9)82bUozL&Zq{){|%II~4i%M{;m0 zRpLQk4o7hVxIO=N3n4b}&{b*my#MVV!oB|Aul>J=@W+Dszm@R+RFF%onA{Iljd#0imL0wnk;qF7#A4V3yVZoVTVRaD3Ah zI`F-K|KA^2A3+Rc>gT|GK$4MBF{9Y8FY5> z$B9OtY#^L5uUUB%c$(z}Op!2}eiw;wQCf4mYaFb~%>#w%px?O&J~rig?;=#6T)Yid ze@s?8Uye$boUEfP_o7V*It?Av%QXa(0e?SJ4xZ{%=R>-%%mnW7l-Q8kv7QK72qC?- z2a3a|9wWXU!)n@A?j{PGVA=VhD@_0xD!@Y0CcA1JMqHin9DNM<8l^zC7_72cFa=A_ z?%g{9C9$2AUA|f=!zZwN{76G0x!HiK`wS>h5lriN%O?ph z=EMQ1?>}stxnn8p9y{PQC$UVYI+g|NP^rvRbq8F}2$r^h9aM@mX2B_pj$~@gC_Q$B z?hAo5Z)abg=0aIN9m0gE>>Lo+%yT(wJ8;)bXcL#`(;bP3OZSc1h{#V82U0^Oy!d2D z)PiT}cT!F!C|`EK#5~CHVboO<&T>}c%82f$cP+}R6~3tA9eHIt5Fe*;4!9t=Vc*^9ks|kNXh(yd_&%RWU(STQ>hp2v*u$9n z_+2o&DbsrH=(VUm3wwRJLUtfqIlqiSG3(*w{+OXczdl85tJcchQM>WVUbS*F6!ucS zcHP(>&`@3tv9CFoxI84bJbG}i{HoNVy6g^`%fg@ni}yF2Aj!N*lgVj5X6ncknF>yJ z9C~jFzZ0-T>^^ohz=!L?B)bwYgas;jSyw>0aqnA7hbjDSAIrdkKIb81IMqNVz5On5 zy#~>al23>@FQ>oUA+Ubs~C!kVNmegV^qp10JnQ}h-5j^@%&7O zD9z8_Jv#O8MUv^wQ`jqx0Ywc-ywOVga+;t4Wi^*9!)c6+_gI7KzLU9?g7T zt_im5=BGh6c1tJVS2AVfR+fMpKC`^qD)6C3mntT4Bh_}{+fpC~*4J*&Ge#!WfOWlD zn;B-_)wAV(A|61>+vRZmW{*fKjLeqwTce(J-RGVB0#E7?eT`HLt#lvDFL@090!WCxMPU!H!Z)#&u8bR^xtU`ByN+sN05e?by` z%7`K?5Krue8{zaVszOA4`43^>`w!Gr5=^t2l-;7JY_g1Vf`73Ke)``bnS$c%|?*p7wqveOZPBQ3-jszcXL1fqIxAN ziPP+=S zT9DlIgT=1=!f?4cYjn{s$jk+|vGFFxE^6B{k^XnzxxXO!I9Qy%2=iSM2`;ObUCCyK z0t`1+C(Dj?kfT?p@E4Vi%qa})Vy}$z&6X#Ae8M52f>49!XjEF>-2qU>GmwI(@1k^^ zDTE6!)?7621IUw6yS8Q&7Ar!T?iMo-M+jsHgS31P=EImGbkcMwifWhv3Uo?wvske0 zY!C@JeHYLZs~v8@p>wR~dh{*3Rvb5%7DXZjfaBpZ5y5rDQ 
zREc_jVBuu(g#Qqs5Xx z`Z!2_is5z!VQ$MJ{Jab}-P?^uqpn~PW()k&DnYQ-9Y=v}s{h67LOS%_WG@>lg*5$ZVz9S{O*u)ID_H{))M&6e-$bij2`bc4k96`Zo`J@b?IQN1fyj#%9?b?!@*FfrC!QeKLrr4Kvop zk<_Pl?DTCc4}uJMDN`lD#w1h zlhiX88VsJ~3nW&*ieVv1htQS?8&oL%ySC9VzR)B%6oo7CssQtwCvps=MMDkgqr1(O z#aHu7`?MiiA~fB`KIRfy_7}f|c?U2vhXnOOSBK6ij9Mh6b ziN6X`LhuOftV!a&_YwXBmARu6egt?b5LovxD%lv0CW}?|vq1brIJMnAi&C-NgMpl5 zhGd*(B`_`YMG)VHiW5u;GX)=TrbY+A)^fmm-$-*1ka6?vl~hQ6IDi+pe`RtQvW|B! zU|1LCg>wdKodw(1*E_mLf85-EghIhv1ayi$bS0H3nuPtHf?4P=0jLnljkKyW3qOXk zA0O7AzeSJ|Q%p8a)D-uiUhr3UPZd%NFLP~i;M9*V^VdlwRWLe6#i~zh;;(;vAgAae z0YIjfLj5-mm?>F6t|$w+2>;~}fx80}CX9;iavh1kZ-oP&4j1Uo3n93ThQs?8r^3(I zFQ%Pfx*c6~;qMn9V~GhNL?4XwV<1*DE&5*qkxnUUxNigO;Y&6f9{u^q|MMCiz=!U2 zdpP~{*T|)d-2t3<1E5YM&A!o|YLyOi+2C&6b;u6f4V53f5IQ>E1Mf~_ z^5CKe4pRZR4>aHke6uKTtGGY;2|&|Q=$$q3jnz05KL>|*WP6zOWXKlo>hAb%tx41KFztvBwEeS=j_9vyvH~jx@h7N4ABInw3iKL|^4DvE5Tpj9Vz&^XjC;(_=d8ggGXzxvs=))(7N#OR^%(P# zA-=3O<*^TwX2-ECNM7K);QC?bg?J#rvp|LD$Nlz&v7leeX%K?+nau9Mw!!{eaMU}|1#rU_Po5^}@}29_nSFAn#Qfh?#*RHcey1qTG} zC4$`7&0Lsbfv0>1v)n67wjJ_$ZH000Jm;8St#r18yqHOh;@LSGdr8bOI1{xu!`fUx zaDWVB9s;ZU-0Pl48WbxJW@;&yAV<|><@j$u0k)Ylc8+Fs-`j}GCNL0|-gW?bR~2rz z;`v=(M9}Lk!_zTCFaf{@?wbt)NBJ(|X$~hmZFrIf%{dSlTty$b>jAKYyO_Iz$H*YI znP}Y2smW%->4s^5Zi*zBpZD;s1Fj$KssIz;?;?Vo>V2r>s={UjcGsTl1SqCc2VUEx z@LbzMrgsg)Icq9D#|H)T4(v5e?<9MgrqQ;;bzyRv(=Zeq2ih%beFn=An3q|NKNhQ) zHBma{gfl8Lm8?UjYC*)!R+dLOXP6HK+)TBy6Ox^_e0+d_^&{|1#KKj_j{MM%gtgX26O4j^QxD)yIGt&dB?Ut^%@j(#T|{@viUG- zERGdUde!)$5*biIqUCN-1g@RggSPj;Qx+YK0`&%?aA>l=uuVF==ufjZ=z zh5~aVvQ&thdKq}44KP)Gq?V5k_bYOwa}zKfxYEsyu(ff@7%TESXAdZ0>5e0h3&bA^ zLk78HRav~c*&{HyBaiySX1e&}E^VVAzHznzW-3#Xq^hN$ zlT2+N#GV#Jm2I&+!{84*Z--yC*q0ma0yFfM3LSAx_Ub%wxtmk3=0Nx{C2Vm8Mn(>_#t==FR~f1&Bh-YTGsF1y=7a>2A{rX*U+c`B8B^Nv zN1StyI_<9a-(C$h5nzal+yTR)BJg8xW!Ekjhb=v7P?8qeVNlf9>xj+0BT4ScSAP9S z-P(R4$Y;$?ZlA>~=`6HaB7Kv$FTj9ZUvAX>dUW;xuJy-~eHN4F_*K7J0rZRPNjHU0 zXdy5ZP7-5a*m7u&f;@H$V}i@pbY%6KXO;#qG_~rY@|jhjW}Kyzin-PacS%sH`~?n8 zl=$H^zbHon1cFPm){5#5KG2$dhLgcI2fCY=wkdAqA}g7=6Ng7?<3j14hJAAU0}asC 
z6hu?hQ|ic=QW0)Y35>ful|)tEbq_HRPV81_iZVS~UTUS6B18M_j%?Gei-xm&b|ujx4uQ zk0IBova@d%gOk=uNfR?1FWb5bZ4<*`8Pq)iiu%)QrDmNw=~eXrDMIM-}72GUrZ^GEHbM0t+J z``c+7HC@epD00JOYzaF5?WOJ3%VVRcw8;e*WVR4=|99>|y}9JDcyn-b%ykFFX;9Xt z7<-nzylm!en{ekoQLE-2kQJ)dK5lEv)w#Ox?0uai2#RWN+&XA6LWjV3>QcUQ9w>r~$)1P{FMu|%3`lsfe=An4G31jPPu$#ZoOzbPse9sYp z1<;ed`kA#^O}Lw%-LNBJ0RO57*OMfpDa3}xHc??7+uEef+(xbo>pn#tG?MdnFBB!a zaePtTvex#*TT8y=1hSt}J{ai2G~fdJ)}(M)TG!xMZuBi#bvZaUCHHCAhjzo2weC07 z!1NrAw`-Cctz|!+4q$CzZ#UVpSuVVJ<-wk_opWnw%G-c0Zxh!~&121lQgUdh)KNKM z5qDJJ=Z)u4I;iB?@Oh2K_SPxN&yXGbH~Z}(?ywdN6&|k!iQImah}-t^SMkwo_A;0R zcT8Oq4bR3{@k%3!p0-?B`UKq)WGJnAnaJRoU1OlA2~uJZPVrBN$!l;MQ?wl|2Tn$; zcd|K;x6Ef10RSRSRvVT&(e;*hHD)KfPDz&)e>UPb!7L%7Q}Q`_Zt?!b z#JvNkZ$0rTF(c?nH-WIx+oNi)QrBGZ)(TDBlhKP~j{K-_24T;mCvC0tk>Hj}rmROh zh~JAH^Z<%V+cy^?D_$C5c+d2?f@7QpY1RanVI6Rluo!*z0F|#^(==8&U}7OSgC6xj zeY{k?%yf?XaT}cUz&F^h;L^E@8On@p&DgjI!yHc9WiPKF`Zjgt4jvV#UyrjV9kTGN3WuobCjh(5lx9)01xDxRuVxl9N8}0N@3_y;CvsiL_<=ETEnFA zUOMEPUJS|&HV0GAOdP|pUV8boinbJqNG2P1FUYJ_V5r^g>)v;`W}fP39GXJv9~gfW zB{xaJb?(cbUH}^l{q3!jWE%Mh+QP4B6VUrDi}XZ>!@YdytaSK%p4bKzg!>2%UGw7M z(Mo}#G6xJBN*V62h$`7dY2#z(OI+U1f;^y|9qBm%a&QZGeVdtn1zc=OQ3>_9%(x-- zp134iVjEVVQAF|t&CDv%9u3S;5>#De!Pd{Fqsw>5+4b#_X}kLRMVnkZ#Od-W+_xz=q74D~A6Gl=Eia5#_xjTW3fGYD5Y z9tJ)5oY{HNq)DVG$YWhcM$IZchebHb((_U!{8G5tXjP?7#=T^n%n!+0jbXX!f_$&T z2aLTBo0g4rGD+Oub=pr(cu3*+t4HXvvP4^{jFh8EWyb+iwW-`RY*g=YO|8J_rkk zX`rRp^?7`MuUtZ!h<6-DH&;z;0+yyPE}hpo z0Qj|)5w_<7{d8r-(ZeHu)55@_c1KB1z_a1FotUtd`zKNF&&${%5M!*5t?PdGNenO^ z%hin&6x=jS#X}lAMN}PFghn81f7BFo2uJtWr=9<^kb-&lqyIppFjdD|=>Y zjgXoJVaX;hBBl$V`Kzp~Li`T+oHk0Jp@Kl>v~t??vt-!^dU&-~YXH zFu;Mi2mE9;NIXmdOdY;>NICGp6;G)q^gxrDgVw19hIfyFt>4p6^LH1nLgmqhr=P~7EGDpy7MaUxM+s!jBkhFB+^ zpug_^Zx8?byA@1BZeJl}@yFlwGobdLEB!(ZAOLdMGwdS1AG6ed zxB@K!x2_LbE@BEj3rH@P0^o{^3QqOM(fJ0Yme~ zFIUaM%W}X6aFawI_vhGn;4=UCFCm$51(KM9l)v$~m=SpOMa%VnxWXTQ11k|+K_=Bt z-LYR@`jjxht6ES0m9Yr_8P)*+ZbZ6Hzwx+gumE1gVLSRetWyQJf;11)gJ{yhNBW;j 
z4X)~2@V`7m0N(%qELs_kZVJO4sPczjo)j>JUWj_nD8lu?>`NF26W;FzphN?iUw0|^r@R8AomB#BFO2Wk-1*6P=NR2p7`~)x$_Q3 zm#-elGahO7cBM+dXDzrx+t2JI;Kj)Jy)tz^S7;4FyK~^oK!1*^4rEp(?_YX*qu%{! zH}>n_e#rd=VY9efwL+#`Vz$#%sOXJNPdkqVjCkqIJp}s%?3tc;WMc=ZXm>TE`JBoq zT-G`{tUt<-@!00vj^iDKB*6f1$!cNfZ5sE`A-Ed!hFf63txkH3rMRK?$Zzbh0ao-v z?`!E6{0K)JPI#6XV$xgBA@g{p5jT$>Si1+To<+CAxMD`#>SmRVh;=X2c)nb-8vx@Y zO)KEocn<y96ukF?vM}syk{1zh|RSP;_|`> ze}1u!%r7+oIoON!Z`iQ@ZS82f;~4q2!8r4qu`Q4R2B67&+HnNzqdImC?I6w41FFY! zFxcWTy$?26U?k@I`8TfOyH)}4y+No9p76he1dO)S43b4i-<0#UMgb$&5!nA`HL!=I zXxI_?DupkAZ$?lidGbT5Z2uR){N`R8_hh^`+s)Us9c&z*{zHNBKNtEPoMV7G)k2d7 zVQ3`E!x9rk{H+k!*elN8&H&*=a^*=2>{`P%4OLf6E_fHoeAc}9-a7`R97AX+l!FDf<(Yy|p1GW5sIutbh4to(1i_lcqI06BwqV*XY?I+3g7;!NES%fWc zQhftPvJL}Q{UXi@im#i&FasMQGaTcS+GvCBi_y>~!0pUCU;vckvas-C_K9v_2ZKj~WZoU&;ikx2YYrf6spKk$0g8%1X36)bGH_jj3bpiLvp zk{J9<&B3qfvPMM*M9R6LJ|H7hPe-VKdPHVMC#S?HB#7~wU*bXa5B#kBns~wMDJG=F zj7`6#03bXLvl9@~iy-7bd z=NsnbP8JWn(o5*nRKNEX;($)y+7P?-GFt>65AAoq#DWBe@JC=XvF$xB1wds8ng>y) z_rnQ(`#0dZ-@uRyn#hAqpNQ?D%`vF^WJ0-|Jf9cy6pC3cQOU;*>o>m?#L&3_PNox^ zZh_9H2}oi}zkU05qk4L3Y9K=0%n15`3?*^Qzz<;A@GpVwTkS&Kzfg@8#_oN31VY_(hk^$HYQyux3Imhm;k>>d|FZEci%KD2w>3IClpt$P*itdFn0SN-DE>@KqsjHRwUOlxO+AF7E)6eTf$YJme; z`M-5LOurKK9Krt@c}R@;Vh@!%mi>wBlH`hPT^zj9 zA73lgRdmPOon{$yp8k2WwG>G=*DZK+sUmdh`}{Ht_KpO zvd~1(rOCQ|=7Y?a<|8<*U!S%r2K!MIajl%hJ1CT{_))?q% zovxY=bU1uCD&KX%$ymr@8FT}0h?Tj14)Am^%D#G;AJNR^z%wX=n&TqxI0B0yqC<7l zLNA2zdF)-fdID@QC3u%N@JHVC31e`&h(5#e5p+feudip*v$JIF?steEes#J~el^yh z@lhFVtd0mzG)*vX7m_<0MxV-~@ld~re&JSv+$~DUrc>WTA6+yCLLy%1Nc3FzTx!_) z0^z$a0AxHpJsm!9Y#nfBprh+MzZFWLK9!;Myb3PU6)_tP+qWHaFyO?J$FH1=5k7d# z7J1e~kdJ*DkkC?ei5m^WdfQ@dZTBNvmtB~z;C%wRg-te{0I26m85H+?(I~()(}{mY zH5BoRY`b-_clP9m4gQ@^@}Zq`BNFaz)D;qFRk-xXO4ReMhtBIF9PSocf!0O9c%|I| zlKvtj#s%MpdsC}KwB15oc0m_9H>t`b5qM~<5d^E^sC1dRR?hK}vJuO7VVm8!f320j zzPTVh0sgV#*~{hN^cCT(VQkk`F@hqTm&U*q7#y|B(O z14o9*X?-9Eia1_I{AQJk^>0@LWdb!(?`{j6DK%K(xiEll1JSnJZ=#s(vOoy55CjY$ z3(iMa5w>6sIs~%TkMs7>B?_#&d6KUO+|{|trS^3N(Bh5f5Gn%_3dEj`=Bjg6gOosX 
za%X*EHZK-zd3zyUy=iy(RaE&bB8@%C|Fs@Tbn~9P#N}xbOB9Oj{FLZTS%gq-gSci+ zBZ)F_!`_vR+NxJW3r3SP>w-kYHSZHg@RahkP!N<#k+!uI&m#M$3u}9gsC$svcP2xO z_>_;`qTcZCH$Vc;pzg(lnuM*qkYK8O#W7|-S1`xXiCkeV|qV4`$Kd@aEcHIj!zp7>59OPj*SiG9~wvs{nc_&bAgZKy-A(NgK8 zy&~TFAqy6h#?2>CFc4wj-Mt>Y>@!evr;~*riiZI9nU*I36QU347l0LUv$MeAJ#!89 zz4t&&zDn&h_mEnstFsa5K7rM5s`|_-csN_$OI1&N@RraW%qT`RX;M6})sjqJM(Wjn zsO&g|<4J?)c>B*MeFaX>l>e)5DJ^hr=tQH+o*|n<!i5}mwy{-=aDqXGl3WCz67 zYpW2coci~-pc52Z%$50Q&U><>jeA@4^b6calMYF{nhg*38_u1%??YIQ#X5E!X{Mee z(Rnu4j+Zp4TI6zNTL;m}!6gk_@V|yZdnlwu`wsqGy&%B^1;7$h-Ics@eDWbi4Ib~y0h|WRfX1*X2P#slV8nh}m=*hR zZV`C6EP2m9F(7E;3b48dB0#%%-Ci1dZ-eLuZ51bOePgp*(wM#Uu=|9LynLEuA?Wt9 zn&Wi4rq0~%yP1?B8gTmkTf+Wp@}Wl_Dy6J`yJZk>*wn|3FXrWjv7}&_nS&g93Rlpr zkF#)Bs-sF3dx{?*G++ScY+)r;i<#Ea9HN$?IdvqEq~89KcS-O}+6eSxV(WtRKPQ-vA>Uyl0Ig12<-hb>_27ei9KndKso{mHyNICj%|kCkcd9VM zeX29t3qlvSU3quU&(lgoa7N6vzjq^Vf4u1F0+h}?()pSR51bZJADX<$1j$zy9?=QM zhZ%lRX?yu*Lt6gs2i&+90&_mXbDy5vc%s1Wk9EFkqiD`mzXeanH1rUfkPhoM3$gs; z*@kZ&;4~2Xj=c~v7sBnUzF}h!okzL(9fCr*P8pm|bJhuXGCPY52U^9rUW4#r=Ec^$ ztY#c+fxe1}x?4{ly_B%B&FgcsVA%b-gXH%cez#~edkWQZI?%Aa=Pz( zr8&^4NoqoI8MfG=xyVX5vW zo$r!JaI>Ppr$+=&pOlr{5x-hhRDki>u1jjD3-h@2mtpxW$M04`Fv zbV(~$`!$~QSY42x4K?It7-9}A#&JKPd+61z*8=b4Vi)3OJAg_$6PFvRbK7}SN3x_r zAh~SJ(WE~mRU)!VVSbM@_$noF?(STkgu!w8SeGtT{00GoheUb`KCbkr=IVgLF3*W>7+{Ur2o1xq}3d~A`NM#+E|PG_uY>~N2u z-Pr%S(Dh(5-gjv3UFzzy`2@^aGDg;Ov6Cie4`!L}MWXdQ1vF71gA9iJx36{j0f@>* zUG5TP`Rc+YctNqDyJ?0CbJY$v>(6--?;0mHdJ?ND*YKad!Pd5gSc?D)NZX8oetrlJ zzfp(6fPp}kGQ7EKl4prlXX7OI!@jIME#jk)C>?KN=^CVsEi;Pmq77-;eR_G5ZS#^U z0T$~WUhlbMXFTt2dq9!U*AQTLQg5EuV^X%$_4?aQNdLT1p?fzXNKO@;uFIZgb(T4;`{o7Z%`PuwqVuqqPj-le{Kp!D_Ik zo>QRaf86Gcdk;ufu^Fu~L)H;4j?N+hKV@zhLvB-F^Y?ZM+)*(Qhb!O$EE0e4T zR!vLg?Rb)xT*RWA2$>B^qxa-JXAajt9vmkMSUvdy&xM_u7%Zc>XnCK!CGYfiB}e%Y zR!k}=8+O0g|1cX(0=Yk@adMVbeHn#F@&jv{j9*`=-973seEn>w<4U-zD{Fei=O8V^EB zilyRfP0vQq(DzduT|Z^bN*_ufmIx3`l_dAQu16^cu2OzGI?rra|9GoK(i7mB9=~wD zOLgjk>4#UoODRm1Q>Xd|sTuTc1TuY_7n@K$F86IkMk5LUsA6U|E=*U%ALb(B 
zZdnQJKR?#zllTnp+!HSTxxST{00ZkTU;W5bDYq?ev2#sS==~&~xGMpbQEdYI&i(ZF z#!xd31{M!-MXGE+_|jGd5#t}Wp9Yn@3}cY(HpkY^+XvEX&!n2p%f=2d{q*+AuqK?P z#P4itw9xqb_`7+06iT~l&VMg@*%cQR@nkfJ;8Jap(0J2)OI!KR2z2$M-pAahlUCraPqhl&{Ky=e?r$m9LnCLRv6&ypcOwUH^X&ccQgs7ixvrvEP;R+83qsZNTXu$WN$7+_8QHu!0S~8p?Ov-&XbqfsH`$w;gu&11FB=gk&cNBZ6a{AE!sV&WMT|#D8g% zomKvZ@pf(0r|Ec{>FG?Gr|ow?b|jkRg+sGUa_*l0{&pumf|4Y>!23*H9y}FMp?TMJ zJBO!Jf#*bKM0*v1lIPE`Qv&)au~Ozp<1K6-h4f44^aS=WZUF_8Gng_$=$C4C!MkAt zx>;ZI-?ziCi3YHA-~PN=R3QT_63)wwphA3XRvRa9D_O4L_$j(>bWYA8;42Zo?o7K) zRt+-BQD+8Tp{Ej$w&?!zXsAPup=(XmA~t!vTD~)rZ(p$}dSeNl60^bfS9m8%DLwuZ zU;q~^9w(UPQVFm@q%#dte9vN-RZd4_7z{w+SPf!9KT}3#N5b}aB>!&SYE%oIUu96@ zQ)5QY#A_Dw`=WrWGNM;La1Uqp+{BzES(hz`jg*S{R`66p>n%!PLzGFlaCZ?gj=-fhr@ zHUb@J3~-^e+RjY?7*yQoPePI@@t+>WDFVSM%4-%0P8%1Qa!*l1QvjJ1go5e3w-hCh z>c9(=&dR~|{Tn8)dlD^e3IUGfP9z13Y0JWHkYUAWW0)D-}e)!indj5wdUqEeSysh;sP=Nf~c7xa+Jk7+?(ya zE0~|zZ{A_bL{q{rr9@bF*b2VU*yMe1Vw&xjA`W~`Vw#x}q*v^5I=4lPp( z`Am)l@oyW}W&Dx#B5{gUT=4K|y)|$7;-9xE)h+aZ^vKAtrdx4Eey|pGkDZhIiDRHpD{QOyoZ{y91P z;C<`o^Iq5Pl?3Np^oTaJl8dK#y(&7tip(NfJgO}hLG$|PWfkTHu5`o=1aUy58FB`q zV8aJBVz|5C`EqByNtKIb))r)V@1bhfy(Tv5czX56kG@J+SH>^985+m;@eJVhIW#<7 zPto`a00s(H3}S$?FjSf?k^dREaFy)SKHV*&6zmUI61J?5Yh~b?={&&r9~Lkw5Bk-+LBkXrP$$v@H?dURh(MK|m#^vmY@b{-&fmRZ9qK*NZPaCvf@qYw_v zbRn8~7xlI8Na$ZH_J4dsc7qD#9_@KbQ&Mdira%dy4zJ!26(JP8{PcY|LUq1(A2b>o ztv>ZBq`~ZRPy0b)QbX##1A3%_V+0o~RuSY;Gin_%nh?HDuuFcXfntp74JLDymFYth zb7$J=!<`d83qlqGu*CWjt{>JuA9E^>NNYe}YB53BHN6dosiJ_=RRb5 zxy15qYzuRL5@y>QwlW3!&w6Gc8z~_u@_ju9=hO%)TeGo#Vdo9`SW7f3 zNcC=1<6UU`Hql}{zu6X@Uf6;_uSGirX$vrY*n;H5E*b&YX|8SokCt4u=h&;zxk`URaZ614 z=Pqm4R$XY&Pr?vd-yVcwK=3%zZ{rFHm`G@&!22*2nF{4QfYl0=C#|oBDa#`4`fZCQ zd6lnoY0;w`D!AGpVW(t@UV@Sl(ShL$$3{lZVyq#a*;|EYUDjlkQ9zf-1yvC6C=M-v z^dG@=5tD&F%wP%9RZwcaOjVlYq_T{y^00+ZQG<1TA~c@+S#b2n&j7P>sz|>3AM5SF zk3!Zl3!=>T3{E9`qP9wI$cS&IzN(wOim z7rIDu1M#{gj`1fAjVePdhj*uEW=QAW`M$-CNWPpx5Au_$oi!9q5t%#B>BYtJ)Kv$B z86!f5(uKN)Mb3{C0uXpDk_BB8HAK7`bD?tIfbly6O6n**V7U~5NF=x8JwULNGiyuW 
zb|InN#)V*@BD-UFW!@*q^pS`fT~`ggeOoZ==RS&|EfPO?i|U$yvu&A7?jLQF{~bm$ z=rB0I|0w5LZ;Z^8)%BvwmEe%1Lwq5YgT4X30#G0mpjQN|ZUD08TX~yID1jXd?}GI9 z*Dj8wvons`&mBvngP)fSCr|qS?YRGY*U#q=M#qC=`ub6`&@Ptqd@P4ySEFQk1KJ*b zst=zC)jauo&hU$0^2Y}Wa$_*07Rwjy#DLKFd!0i#0uzL;7gcA*{M4WW~nYs<(RC69P>AAj`TNO>e5(PY2)3Q-&9oX7r6>8%s;Q@ zAHSh0hK{d6M7lA7`>BF;jt-0|kkJnhLDXe=t)R;a9Lzx!r>v0g_^GCy=dhmdc>`WYK^5NI zV4i^jSMmGr43mF&P=Xt$#Aafdoz(Lqd<6&3C+y^z?wJ{v!j;WniA}VTOZ1*cp9V{V zb6P72gI(FJeXeWcTT{DuY7goLA4}Xw+WfHJ7uh8@esX3wDcq}Z<4v*hunB=g9V+!< zipohIvyp2^OB6vSq%QehxPj=Ukx5s>04kaylvALL4S=ZrCF&;m>WirTDLoA(7A$b# zNo`(kw?XJZgV5?Aw27{h`by4nPe?(=o7~ce4>)4NWqfd4B9v8ih-H4J(a_R}g~NSG z4FzUr6!%}@=LM}V;0P#F+XdLTL_yMJYpC~JyP08 z(tY8dA^r@AgoKoIHwY+F(hbrbN;lFi-QWGV&pGdT|8MPY z42NTnJ%+GYJnN2Y{^p#t=N7E>%#cq-eOjQa!l!@(+cU zbs}Pc?s~=+c?oRw^5-P`nAd=haD<`_fNH;#nE{#MY4ODe1KCAD5u!Pi3NbVX(k@-B zzrhq{!6`HAD!F^!532xLYemy47VapzXh7jBy3*bhls3T@NXHiLI|%gJHW}M4EnAkOb@I*;aPVq z<}1v0FsiS{C`S0O)JMU&8 zQwLN8`LY>Xk?PZXFD}DZbYS?It9rP`iH8 z5iDwWJ*q2Hf9WGKaRAI1q0hZSq}RdJPaM`lM(Leim~|vR7l2onlCmC691?Q7PIA69 zNC{<`__oS}A!)QSuG3@tb>yRl<<(LeTk*m1)Q|h4UlN;XzkEiZ2JT3(B9xOsET{z- z{3w2;))Zi5WURY@`Yrei!62i0vsc?`#^Db%RB0xL$|?4)Q6aM;pQ!XkqUwSHpMkWNI1cmDc5=t2%?dM zVjn|maL;jtg1_Tx=!tHa`t^X%NS}>Z;NAQ1Q?R70-p<7(1W}<F{D#8sp}CO?4pI+D1DgdSETXXp>E18`*Pxn}GlZWoiW$$ewXd8? z9hLIr@ZL5I)#V`y-JZC)_km=T7C@~5O2 zJs?(U3W_NKw}EdUrK63{wbcv@`3XvZVc$E7#_x=2?u(w^JFj$=Mv?stl5df;ioP?( zrDal+-XY!=P-J?2hnJV#xog*V-;LwrZ$KXT4?L(6=||_avknF6sl9=x8CTONVzs{_ z<;Z;*Q=MDDN%k4f32zt^q8kL@4)VEMD?!(p9m?PG23oYuHUCb!62^#To(vgQ(;f78 zxG{$X)fK_h!A@tT*P%2U4zfx&lEX-G;(>At&T@UBw1aca)o~{hoM=Oj_WdO+>aN`R zJU)m@(u;bfdJ{$53vx8@}U85%u~cWB#htyz_X3A5ar0uaB=y=}sn zjQ&?(2Qr6&Gg5`;qw*K1AHqeiFMnU~@Sgfj3RuDSnf2Lnm<;HBP|nCmLh52Q}zVAOLBYwI>}>rFsZ$m z{ddwOaDc_M466wVB(dnXLTFndxDQrC-4?-hwhWpK&7cH!VgH&Z@VV75C<7D#>n9YbLG5g8LvpN0OK~IK2sQBy3`erQ{j*N66TbQ?TD&t84aOvuwOa!xOP! 
zGeC{j?t%FA7`ee1Hhlx~CLG4jKVnMmiVXpOrS))o_;M+;y+(iO>o#Q4aC+<0-Y%a#@bK{*uIik!vt( zu*7%xsaEGyR1??RR{mD58F}OS_b3fmR--gkh*Kd(?)N?hR7WYR`PpU5VnMTXJVv%$F^jcLy_Ob&omWqW0K1}+SDg&%fx zi+G#ZSwpjzEXFWgc{R3<7802S*Y6R?5v(SU>JKC3?0CQ|m6%>sBl+%4^sA9lBe}*kVLrw*?t(#o zuf}Be-(75riAB9HDdjCFzPejeoIG;Byz1fJQONXw284_)7r!G~IOh0X^0#-X*V!>{ zQ~Nxj*pdl;GQf4gE)%y#iuWt%qg*Toyl{jg)yVLZ=yV&+ExiO2J9y!Och$B9ShXCN ztxTppK^4$TT^?-dxb`*;g^DV!pS>FE4oWInFvK)W@dHwo(te9IWaKc<~+ zlVS-bVG&=JJUcj0vEHoDQ+}Ygd=`5{th?K0F}gp6dXkZX-ETc7rD?4jy%|H0gkZv^ z;D4-F=4PmM{%?vKVd$-0UGQ8)Ek~@S;FR3IGw-}xYPiwdMZ~BiVx(Ah(%8wJQ>$Yr z1pd)-Xj6g4x9R#{9TdDG=WhWz^|C6wlRMd$6ouv)`J7E8Ll1HLDY*f`AKj7Z0qQlG z_k#xyUkHE!)`tL57L^IM$t3UX8&xG@rL60Ghlxb@%_HrFy#1fmXtBhJ$4>}4EqWxT zXo1VaR`9HG&3=P?QaFBW6GRn91JEY&y*(SLd;|D$S zr1FThK=!=1vnYtw`lc0;DOXQ3A6db#I{!vdFT^auWj?T1kfP$DH*5&N!7dvs!>tAuwBgVcRT&a~y8mywvf4c->p^Rn!bm zsWz%bA!%lLPy(mOgJ^O{Y9{@jy&j_4~Zd5*$QVOuvB>clB3+uvJ1k0)DO>|D<+&U*!s1jS*8 zKK?+3(z=0DOt*8cgLbCCm8c+52K0Gv`L|0TIifmx7GZbLk=!1r7jf|VPIwS87qU%e zbNsw;Ni684SyM$sX_DKJ=_OU5-9@?xqz$u99Y(Jy!?9Yo56!bcb-UJ=6zKSzr1mQt z`LOPiF~4Afs0`@EXpQ&hU@oN5i{Z^|$ryDHHA=GwoklzOos#wAM-uIKx)SFC&T{0s zbrl|CsvI@1k|`4I%~!A7jUbXv{p79o3wx2n_z)1aDYUoi>S1>!x~-FG`GJOe`{uI3 zB&~T4h4Jo+WPt2r+Hbc_e{<;}wxS|aWbALtMn0L8Dm#U|inZ+V;-e^5Wl?5*^7# zi*VYb-w-h26}>(8Wg@oMvzfn)6`3&TmWS;5l9;q!J5QCB57Mo`NyB6POK+p&g@kt_ zg7TWBuD_{(Tpm@{_lPg`^3UQ>DF5hq?4O#R*mjNZncy3dG=NKTRk ze?Ci(&w7GlFlyXFTtgYgp5#{ukCBp?=h(>T*4LW9(@Jg&4b%9L1oKLLc!(-oj-TrhxfcS5U5UrE+SkX3-$IuP@g_49wh%w{8Jtf22REVX$2K*Da!xWpF1VT3N2Rivz3yN}a=4V7CJ_1qMl3Ds@f zcIR>y@r`!RHP~r~7X=!fI23eUH|b8|h+NM5sjXliNY%z0Qy5T%-GFNkFGnhX^q~@P zow`=xDPZmdlXDQkTT`tz-AmecIb0UUH`h4;=52mUBiaQn!oER8DE_`z!5JKs5? 
zO*$}L-Rxda1|$$qwT#Kie%PB{w0@3+FNx<1a?#k0D)6Q1ekyZV1ypw)rWyy^sdH{+9gvySDN_?LewwRj*{-Kt%NiCxMV_JdIFi zr*`Mc@ML|AT-8Z$T6Pbj)*ZuRJHibrSl&BS+|Q4&`Q)PLLxhE|Dxo|Tl5m51o|T19 zX#?t1ON=BZtV_-ayF1^^&OH7STPB{0GIxJFic_gYq-UcO_#xt!g`SB_Ze(Pz*Ih}t zNZuqo<37TSoLVZ3uzToqC34^{wPSN0mBFV#_OndMO9NKj<&oCNIzV~m>^ z&dG;t&jQk!so17-m8h0*hWyp)Ne-Ie_u-s0&QHKS6%yf#n-t!@Rqf5fva;u0ro4mBu0C90F(tm*R^FUkyMCYf0JkHs>5~Kz!7E>fQ~+Enj?+qV<>$cG z*VbrExSV}>WAlIXp$ER+46H{lPUeazoDEbJEtX{ZG{ft92(oDIj-PVUA9cMWJkfnD zjgOGnF(SVMVqq2&TRpH^!6l_3`n)GRMI^uV8OIJ!vTR_@n+Bfa0B zMm5ek?n8UKMFh5!jMXU6PJPc}@g}W@t+w~;h{(TBhTmh*xl*-p#GgF&GbMk~^`l)t z=QEsV*RC#(Q(II7gcTAN4!r+P-+nO%@t*GUhms^pO{UjTgO7!0aep~Gz3JbBy!0T) zG3|$^rx$dyp?ep_-cRkh6(|+bV<$&tv0n9hlPIlkS&JbsqSwgSlum5>;Pbd8@e-nM9 zS><+a!Z2qJ)1!yK`3unvvAkIX0uI+hCB9BDwKd+)ShG-_AQ(Vl75U|A*AZCF!EEt7 z_cMMabFov@_<>hp--F^>>9#_~6{IpS2Lrkv?p;O1E#{_WqvT7awqV9*81p|QUF{R9 zxA69;OUK=cgCTO{)o+zL`4Hqq(XfY5E!0~YXg8$S=dt3MB>$r%>wW&*sfjv&&K%WjL_i@}Z zUR4xQ4kuh$3f;W3ZpP>r!B6@BSnK|qZwNeTAgKkD0Ft2c-oDrz#`X6a34b}mNM}i< zoT;uj{sdIZ`G=g@a>4Rtmex6ON#?kjaO!0^x zF_l>570xS@Vec2BXErB=L!C+|S@8d&qbL)B znLHa-W8@?ga*kxW>eXPx*#inQ^`g)FjQdm>Mx_*|M+zM=cg`P zB3+eV;30@T0v2FXfK)VsTgR+l+*2Lq2RB!9H+&p! 
zm#6z|HEux3VQWcZ+68rj6Hue^7GGMMZ;EL5ci;BYK+=3Bnz6z5*NBAioFfuSf9z z{M&n&;bUYI$jkjvwOAoSiaHEw7=K(zKspH)WY};6Vr~UM#3n&L)pD@q-YOuc44%CG zQ4B^HWJ5pbA6iq{cG9%#d>(D|x>0kI{VaG7jm)AZ8zs}G66Ov z3$X1v80jvA5-juHdhPJ@xh0{>KIBUS=d6AiCr}cE631`}hW9+(*Wg=#ywmV%5l3fG z(mGvD4rb|WES?~vK?+qM;uj$5NHtAI9o}oHE;xVh%C>~8GAfRSGPAujP;Qr1#3~9h30Q89n{G5 zqVLS-CUn6Yjd+@C5LkHaH}aKs(ni+p8hqLWV6H&mvToso%^-r@B;M@+=OQ4#`Xx1i zLa{muvep`_2N_!qq2vT8Z44?*23(c7@Y^e(BiW0e0?Fj9z*ezDMA>Zf2gqLbYW$83 znfGO)Sz!qTSA#+pGS>UrP*1{xU?#|Q4jDDg!RBu%aKXjMZE;{{K+EX{6?3H6b~Cp# z!Ug@Q!`PwzO~!aG9R3SVC;t2)zS&Zvo-KfU*dJtn!&x8AngAiwx)5iU$-M}*U0~k> zD2}b-EzdOj{;AzB|6;NJuMdX|0;uD);AI7E1lOdLO$27BGf0fVzQK%e_}8ex*GvpH zc{2k55{gv(3n0@%omT=SiAz*qf?EL!MY3LJmwW}mg_ci-Mgu5a^E^OCtv@f+4N>U{ zQE2mId{z#{g+PUoKtIkO4??8^W=)#HG;qLd&a_PEbX*0M{Ok-P1iDQ zfzWf_=Ezq52G-4b zdSHQTPu|onQ#z_!q5v28KWo+h{Wmb`ik#)pjCDnT1ky^iTMh>k`rg z@TIaj#Sg%6avPz!L6^eYA@0|X`%`vEfn_fpqK=!37MAB3z@wSPnXQf30WzSl`&Hhb=q~BI=nU>lz&MBq+`}z2P`|pn+6*#a1Kz5z)Zz@Y!~ zwipy&ZrAfrvrNXd5rI}8=mB(7LS}x~Llffqt@qpM=yD64yOJzS?+L*c^bPE4{4jR_ z_aB2HaJ5TqR*tID55dgOLGy2Rc0f<5U+@y@$ImYQy$+O*Z-j=CsMV$ZKAa>Ap;>nG zkZDy?mT@W&z&_P#3y723BaV!WT3x@Wi zpj8g&87G+AJx-a+P9Xk9eDg^1?{3{6fCWYEtX@k` zy9SCuWB5`F@kYWwhkc6py{t_ja+F@1QP-- z0K!=bc|;@?pc0`4M@T-9LU6CzLfPgc4FOoFL?9gn-#{mG6^J#uw4o3qxwe5#@a>r* zUmFw{YcOlI;SR#ZeUrZTK)Lm1BRq5N2Eb@tUccW?R+z%t)6L_}Vn$igy{TQ9T*s{8 zl=;Y`yjA<$HKgyOzlN8yA3t-I?v_3|b3B#cG9T(bS~zz! 
ztBRRAh#*r2+jj#syc!m2Z7b8 zP79-DHvqqctY=sUD*S}1lBXP}Ebcb^W$yudp7(DB>V%X0-wL9}jL7s#q9F4lFb z+W;jDG{jAT0o;en2#pppQZ5oy#s{s?iU!=w6@bin<>}e*D02W)@m2=yq=P-M1>JuZ zj+i2P%>&}G@=&W+-1$Bo^MX8~>1e9vme*-@NstqM=iJaW3iw9KWVi`FVP+JnxAT>O zDxSeNq8~>p)Vq8CYv;lRW*Mnt_HIkmMUhi=6I7WE}>=7OXXl+%rtb zufT-&+G(M30!Z6;hxWiJuo7xMAbQxn!_2a%MHSJw1X|*z&p2ijKbeEW+)m;f%w$6g zkXB%s2GT(2YvqEXr@&2Y3mkjH-B=5GKCNNgKfxaB2RX04U+y;7fP<+e#mU2gaCx$m zr-NNQ33f6+{O7;f1J1|hW-hWisGt5AbeoQYV@YyeVs-_X&|eS^^rZKtiOgZl22eQ0 zb3DOI1Cb(0CBi0xjq#2_#u@+0V@Y?%?>xL9*rgJ3J!G02{I~cIfKzt+Z}m|xL0aVP z$b?N&g9bD6tWa*-#p5u6owbHdV2D=qTQgFiuc%?Vh<>&9av$v`6 zzg-)0|ACe~TO#u$cW-nvQi^-p{{vcj>Q|MH`%SkQ8B)o&z^VCenijaHZ2`o{u4NQF z{Z{C7(BbZenA)-naSJ(+!_XDu{sc<}@Tc%xz1In+t^?OY@u6rSxF043yF(6Z#k@r= zL%=XuvP1#}b`r$SEq{8taQ_k*FJ~T;q00vr%l9;Uh70}fa$G$Txo!5dy>DjUy$ z>J7LKS8kWzhHh&a0oWyYuwYg`dQ%9VUit}=fv3PmHDlEZRa5Xxhp=hYjDuV17C1MT zfmhFml*p_Ie_ynBkD1k(F+lm4Mgm*Pe6?C)l=@R)7q{HXIWHjhzW1%X#;t@Xi6j8- z?z2AJY*&+{cS+$ahAbfb9k>HKK=ZW?tDfd*zNusipk;Fe=k|+5(kpq!4Zeii)GQDK zY;@IJO_Ga;x&v+&dOy%EdoeiYOwBKP4ZH6sXRs_Y~Qxx0JT2q<7R}u{wDi zCJ;h6R)?^bArE=Iiw${A%V;&Ik|pFn0dMJ#AmRwG0rfA~7#+PgDDj z2UQc*hMYqfl%U4Bj$6qcN7X>deT>DRn3?o$l)+aRHS%bR}R?a?+=Q#UtE1 z@J3;uf!O*&0BodC3)q4yhwwye zj}}gvGf-BsGZ(7a_=psd+w@*PLQL6)yMv3{j>i?Kd$l7)=H)4T6e53zBmt%B9)3v< zD=_>#;~_=2-pKPfHv8vj)VSQ7!U6%;?1W$ zBWsq7G~&lQWS&LD+Rn{y#|pQ(7ebKS3JH_rol~8c>bhE}y{GVpa{u|5vmu=y@b)d< z>b=0b36BcB8=!xkW{fG4Y*Qc6X9V~!s2!~OdBfa0E{-YdcgBLezdbN>)n-f9z2-Je&P>cBm*GStcb#zD{Q0ajNQALZ~b1ov83h1BE z-@xw`T6=FS1KuskfXx`;iq`b>m% zEq#Ie@&bps(I$G~z9`A6aC0-Q33}JG)%3I1(%C)XtoW={o8(niun$mHqf;Me=dbrm z^Vj>aS6ny&IOH#@!sc74PS6(x#)?I}HuQ1Lz+~w?xt>o4H5bZi=*UN&9j<=g25mz! zn*uSWRo>}mv(~K89#QJak2I(K&jno6h2hqX{_6bmPeUbeu`! 
z@5`z6X#_PX^0YMX=#pp);}yk@Q$HO)ehdUcqhL`*G5cotq{c4-f>Z+z%>?++vp)Jjnjf0lWW zjTL){d(Don5ULLh-NYPh9wm?>+bi#{9h+)-d_@G~b_()e#M{<*dTdW-2!z@ErLr*~uLRjD* zkrUj&yk&X%bn)#{Mohy94taS}@zFyAb zT{)aM6-cm%!}&lb!7sQ5uu2{YGE*>IguKB~AEOJzx3Xac?u%q#`cJFAC z=FuQ~FCBPAQB~;)gfV-5{JA^8xJ`3EXfuVcUbb9G&3Q0CxbwCr7uDV7Ct}(5*=uA4 zJfoapbeAhX#0>Gn^bF%=+5=lwoM^?riyUNbOM6V82>RCT7tn2DDl!j+IO=7?PufMf zPm;nZPd2Y|8>w8B_Sy*u;)@1~#{Rje28wp!H&qiGi=JcMz5m#Hm#WUUH2K5+y|!Ae z-H$`FUe05SSBckmcDW6ox5$nedmCsnl3TkFcQi-ZpeFymj7F49M(%i)Y>c?Vn3Pbf zDoL%Xz_D${O?Y=Jq;gPNUr1^$&<)=h)=pt9-$u$k?gj68C9BBwJk=8=1;}0CyXUF? z4)_7xgGwVsuf2x2F{a|4PWZ*pznsr0iX9I>81u&}0yJ82GL`lly-q;MwL z80qX=v+d63()@a@UqpTeqUjKK$c>WJ=~)NZyC=vT5l*~;bNl+^BQf`IpuTCnG07x_ z7xTpWQfMR-`NGn$Iq%OkLdvEoD>Z0{z0zu+NN@+B|9d*;{Aj^5r{q+mJ+l!9uk)#=M=oh+%C?l6Z>qJtYBS3ZKV6_rX=EGp=_~857jtX5wEW?bcvKyovqNk&WuZ1z9-1!XVyEvJVqLE7^nC*nwhy{ zBkBY4Js0ao=9!+(`Gj!Px#=~Zd{uYIt<@VzHeONj&t*Z;X7bz=hmkq~ z$~(g6j9>Fa<~OF1d$86gGej+4QBG2tI@Mprfs4J33{&8A=I%Nk^%aY0FbD+ehd=-L z`2^UOv9Lt#4Pk!qwQ|T#u-Al+Xe!a`=%PXIU>qMhM8q*oQ+?qUQ6DQycY7sAm&WiX z;=|g$2xxi$+l8ZDur#v3$bbF0SSCHatrK2^{zN2|@C#%HQ=!(;hURv{U z1QAk{NEPjQHTzWY|}p-Xp)V2|1* z3w>V=x>wKFIQMjEQw4^R2g@YN&~7}@MBMd_$o4ywIzLrootT>(Ti2lb&Yehof7dzx z$MzKdEB$(y?O5?liJUb{EQ?~NEQ`(%ap!dpJf z;rRte_wcM22A|-+CfiR_Z|#1QKWh=dv$I*sQ*5VS8E=men!G6V zdWluRJ$a#R?Uw08KkL=?(a)Fho-e{@scdWY?A|EhYelCWVS+ONqgs@ z-rtXUJwf5v5dU}2T471*XQ=M>w^V8(G6|4b^FNWc20bQcA14l9wl4r~{=yxT{1jMx z+{0I~isfvPK8})dUJ8%7eN_;rw=F=5Z*!5N^|7hndJ`K67ybG`jR{2uw~k%pj$;`M ztag5ZmMb$x)|g`b2b7gg>>)0la~{67dRxk%D_* ze4Yv}G?kekqBGe>4g(?gOFQrC)%7`9?vEVkl3q()!^Vr26L@C{}NJi#8jm!6>=6T z6}dQ@qnULvP5RgEvkO;LjbZ98sqd*snoBXqIW=#^ox4L1o@d>7OX%%+u&Cd;VuW`B zMJIjF4P`_gEz~J-{(@;La^jJCK&)gs9JY5AKYxmPh1`x=HBdjKBRyM<=`2soNZdTXmH?>;u{4L^jb|sm|rcKsO#*EgRZSvFzTGl6wpH9tf zZk=JsWxgnP{^>fE{l@53X^nMs$|LuiJ6PL(THFd6 z+}B^hp)a+A=0o>J)P@mvHhvRZyjE%z>P?mzDAGgjzcPz$}sz#I(f zu~>M#i0m}Dl-NuggPIIySx3=A#h6u_XctT517eub*!jOYzj0b0ZYvLBa=l$>BCr`n zc)B3n5nmk~M8c4w3mVyH$m^}!hThA#`f-IJ1^;m#Vr!$NQ4AHLA*MRj7Mtzp9-y{2 
z2pT{ElLl;tD>vV9&rd1V;-3-wz9|d3C$ydo!yS1toXVv{9U}V#M`uMBSc#2$S)!_i zd5M#8oL@*uRYg7}LrOD?Gb_#x;Va;y9J{l=UPTFG3J$g?Z6xa_Fr=A3H)!G-ogTUr zL1?tTfM?a)+{3OYO*Pq3pFnk{{Fw4?jRBr;ss(w;Xdm*OP)a48^#wZXQ^zyC&HRY# zu@uxk)bCxu#2dyz-S#c0>>V#bwi&taq2ILIW$ZN8r9X)U!xFM@+ce`ow$0SQP{+;w zY}H&p|0b)G2nTz=5EfY~8ZY%Ua2++|U0eb;fYydX>d}A9V2A17&C5qWzNw6gP0rT` zBcEl}*b&ZiG^kc{(`k>g^=1ho#(Pf+)r}=?e4V(@aUi|Vu6yaq&xyXYX+B$8=lzN9 zYiIs+z0qLZy5Sw1aE{(2IkBb?71)+;m9%bD`Dm3if-q@dy$?h3#m7Wos< zlY0YtsBw@v#SIK|4<^lu94vsrRUmm@p5+Zy#)o++<8qxw&mBsmLZg*x>hQq7`$%SmahWZj z5wCX4qnduvd#2hxPh+~y%dO9_-BglUHEyfj^#ii$PC-5mc&G{OL2U=;j!?30N> z%xqX&@-a4Qt{E@Ab&)p7Q;&X+ZZ7ZD+fo-Ky(^@I505;4aquzjSUEc{P$E$T@C*k= zVy504RIgS^<5pMm)WLoV1I^IjKK{Q>kPSvb!7Xh^-0 zWGDAirsM|XA@JtLtDQXmD<<#%p$xpY=tSEQKC#x(`}g*9hEyf3<8C`pJVPxF6!pwW zDNyZK|K>AI@G8dOEasKpF*Bu&07Uhj2w>?~n&!~dRO^IoJ*Cs=M1d+rd+hfK&P>2gT* zVC?fliNothp9P9mgfjRlaYD4~NJh1|Ela7J_1*jiHoT`Be?Q8D$CDG4 zpn*)1)rBa3gLVAtDfi|S1CFkQ(}W)~fBWBnmsoTAuLJwv`MVnxx_&JhtJ41Kod19R zv(M<>V1IMOiw8}aj@=&|9%Mn^)dYT9`*4ZC!%Ynw~_xm*Zxy; z`LDnAfBYX&6%e2v%sKRTNY#J*_E_n_2OZ0c;EC+tWhM~mOyJicnP3w7_g@zg-p8ht z_aYw>{|?>yk56MX2wcvTFOxz=%C?FC=eks{&bs9)j;CZboD?M(SW9Vi*h;JA?7nsg9Bh4= zdugOa_LKT={HDEop&#x~6G%6jce#$2QLt5g8|I5E+WU{l_VT{ozxJOvKhm)A>>2&_ zs_0~e@NLhw)s-n)MxNzg`>p6c%w(YZ})y~hqHC9~0j1VHte_-;%LrqE6eHF|jo zY?qC2mrd%=HG(XG<9>nNswG6K#HV|ppv{hq>y3Qx#)r)+4xD&NvXy}}D=5(o>dghP ziG-}>@985!&&yNm2fmFe&PMmKK#^K0;7^4@g}xcYnb#@;zRb{R+D7^{FG!|Jze^=7 zXqgZ>8NcQtU_CDiGK`iYE$@wOK*S%Yij#4rA_SN_gcW-mV$dDjn3p<0SvI1!z)SK- zRgT{y3USr^OEXs$de%WN37s{uhyjHdYWF?wkK%QQ-m}Li&tHyjgbSlr3Y-L(R%AOV zy&7DA_vpN?@j(sUxM+5NRaRO&F6?sr*3DvZ(K@O8BOmhS=vS`W6VTj?CmpJN|5K=U zc6OE^5crnm1QqgCAgKNN=Ba!SAl*L0p?TZW1)w=9q&8ZrZ$R9mWJMaF2`#4p)uU}V z1wcnD@D9|c*tC;MR`jI`O>Gks6fiwD?8Kciiqi^lYa#1_(gGptxo6A;$SnBu#bCP1 zX5nZ*OqRxrEg8pw5`@k9zk@xV;~tL850O7Edf_bT=suAVWxtBu4+uubr>4GfeG};U zbaQdBtr+n1%3ew7d3}b@y6;pJqf!MR$wr~r)rKA>{=(WF{v=)-ef9~4xm3U#8I*&t z6y(iW+>2134#*60O71-Gtw?hPf^%CBgf6zeId(JWww_>3<^fNAio>V|)O_I+Nw}Wu zwR48u1E7Q5!V735mG)Wr0=$V4930#HR 
zM*cDIyE7OOTna~o+h)z;%VJ^DI|FbeS=H@uZRoi1=4ycD`Da6b=+;<#>*LOdmYhm? zVixPRS_UF&OweLeH<)^NRtmYXbnk=ybb8EB|BRQlL zGLbR$#sO|c*MJ8NR^#LXU+ass|>b6~LFn+x8RC6%~=J5D=mlC3936KQurjF{qT-uG<3OkoFhAi9Ty>$NFH=gq|uk0azTL zT9*na71|7d(pR9?+@3O|cB?cPI3FP~UGK;KV(_CCS)Kb%%B;d5#iVvezm8aOC{%NjC;rTJD-%&b{eEX{y}Kkq7&zck60f~0J(m%E2oyUOkh1Hx4ClQEBg855us9oQa`=ZvTjnh<`j& zAD%XyWN_{ay!uhW)Cd+iPhuL+6k5WZaKLdCAisM zm+Z|iLMdY&YuV7Roj04msukuZI-AbfEEvc;YkThS{^1Ewx*aLSoiQL|TJd!&KUrHU z0(F>1IZNv9s!Om_>CJZ(QnZq})hG`F?`8ug7kmuL6v1$31veKE8k*d};7_6_<`P!A z34&&w7PJ7fa%3IZc?E$>%t?Ebhb_k-mwG3C31Rr5n1S|}y&JT-XaKBq#5=SfP>x!`W< zrpy#x+yxHujn6*fF3^w+A-$(d9ZHsN4%es1F^Zm#2s?S;bLY{31ei2sMcz+sm^Q<{ zWkThSLAYI?wcjtfA1+;UVlFKksGB?jcCJ;cDkxS$~0M zr=DA-@OLsjejV!>nV_?^;Ch})R&vBgp6ETsVZGG@KM{_trlt3r+3wNSAh9TnQLg+R zflHjWYrcU8D7>aWN>qGdRfptdVV&lD?9A=rFZdEpEO>P|QfL{u$lPPsX@xuX{aZlB z?RL_xRz2rDFzA})AfccC`ZGt4_~afxz#~&=Fy|UGpYqzX>{4wk)dVTxKQ4Q!M(qEx zc;TYg3Vp1vHV;gEA+Gex>*~^;Znwx27>rBV=Q|I{kT0T3-EZpF%h@j^9n=fB%lUO# zrxc%X;+_)tSzk^5RmKJ!X_)6)t32_ZhRSP7BT5I0aYrst=?QP(oEP1tK&|-%=a|)Z z-S9b0Y;00r8WO5m>+g5>nQW4=j;q(^MphRq`%lW(l<0d_F~>w;dAg{h9kEe{g75eB z)#ehe-?C4V-LCcQqCamsG|P%zr+EwWc-^ohtc51=rH2q0;!set=h;wrWEBX!6~uIp z;&fWesJ)cl5UH(p+XRg*voh(Z40v!FCEUF+H9((A{K+zr^m6-+Rprb~YJ>Hv^N><# ziWL`eQRuE&)*7lZ6FYNo0E>A1GJtZ~2B<67%JWcROoB+e5kX^&KKkBI)UsN_<#Aao z{+R_}m)cB``ksjbRF%u;vNj!16YBXefw97KA^^KH370 z%PK*NhK5Fi?7q^jLj$1Fa`W`@g1T~3h1@1VW!J&`+pW~P5F>7?JdaJz%dW)aK(Gjr zJ}hN*kDv$%>7G1I{^&kny!n<;2o^!cmv@q%pI3CY zsueHQ0Lg7809)Qmv%R>k4&m=|B42i>5%&;lvp7u<^&SVcA}7=71%{ci=yyChiQdz7 zd!|y|gg|-LXxv%s=Ik<}XZOQ~m31XC6rpNK1$kIa+AdeO%1*8q@t!9*XZgBWR=oi; zBCG)i+OFSoAO^CZDaiIr8+YOTi9~evdDw!RzxUl;wON|WeeyS|%D3?glZ=CQF?Uk{ zo<0fcEAU>RU}0OZUj}m4EG8Vjh615qvfaKfe?Jp-RpX>xIKOl+bU~;K4}Y4GxRdGQ_kK>p^JL9fm$ze=S1N1vG|rQ` z{X0pDzPn6g;+$f)L||#F?NgGWGht$>rmo-br!qWXz!)7!AWao5{8%cJWQk!z;9v$} zs^GdJ&#vBFMfVw}*Zo%e!^0R-Io#5`T4w*!Kf6oN3DNg;*O>Xtd=5O2i?}lrC<;8|4mJ~3sa#30^ zJylkzn$=ri`#!Y>{Ub6U zk?3K@x~`rRy5|cQA0qFEFQyMkoF-6X3rpSglar2jUZ%`K50KW&W;d^MdeXx~@Lato 
zc{Og%8ru!Gu%`!H4t5ACNTjF*MV!0v-$XlUm0p$+ayRt)wCv=bhtaV3dnuk38mKj0 zJdANFYb-QOV;V?EHh$>PSclTR=Ci|ve<=l|pjd4V#JXACGMKpGP)m&}-?0l|_@tXfH`R?Y@Na+)eJ>Dw+hx z`H?oeYfhS!*Vpv9i~ffS?{+XtvXwl zj2M#Epy7u{SXLI%#Lg_~@7fJ;-VZ_*R(|J+P({(8Ug@12c%)(q)AZ@9I_HvSbpIb^ zUjbFswzjQEgCGr3g2W~yr8@)(fsH8LAktk@k`kLxP(Zpx=`KmBjj|Px?v#{}2Kndm z1ZGK*0IRy3a^DASsVy$AK2P{5ayB24*1w3{d4;iQXR!g&S_XBrdS;ZdGbWu@G zo5an%T&aqU;A%&NSpu<~+OfWdf0sAn@W^48?vV@UmqYQdp7?ZnGIJ6sFc&!k$wb7<*BR=hBQH?WEG`c+~*{6J7>&G$TQ089$h*!~}FCvYw zkM{eg3Wm+YQLTIU+QuaZIQJvnt22IB#UVfN7#V9iCBD-)+@M$(ndOR!q;#6IS56Wm zeHYRWmfHiE9sGmWjxru;8C+R0BSxLYbz9>Db(*i&)0fl>)(u%S4&H73r= z3~brC5Klf538VTAT*SFtA@WH>VfbN@eAc`~63LQEZmWu0s*AW(OEjyHFODvv;D+r0 zv7q=@p6!V7<=C8rMM7?mX_cX8Ut}w6Rqp8aWYS{Xo*UP|J_&3lET#J)yR)gZPm+Uo zGVV(VSyA|o&FW}*RFTMCZN`GXh!D+2-h1e%MVGFEuen{K))|$;gYsgz)=V5~%RYZq zA?c|lad!Z#-!x?RY&Er_vQo)o=UWv5LIXc!w7IR}=Py0+N<;vDrZ=g0*Y85@-1&acZFe>w*2F|2O9c+({B8{B;^I^66pX>FCyd?v2pKg4Uy zt$Z2(saInDEyZz7R6NU~o!#;5C!i@3|c*#?gbn%GlX0_)~M(zS~=K^x!_2Q@-= z#Ir*AnKS#dj&Uur7t{-f$A~pK3=~#3R@;Ib*pi>x{07G-I@K00abNU7g>06o;ti=VgiwSkvunFntc=Bn{LuR)y41Yv6MK4u^H z;|U*QF8!L1%sEBbO(_~7!~{v6bdh4iZ1QC`hglm_fwE@{lAk4qh4xINf;&mW40)s` zbjB)cxTb%=U#QW}ovIE6$!8_Uf2ICPjv#@80@^1O(+*M0D@W5%u%ZL;ZL-d6ZWJ}b zBxyc_KY(j3etjXC5ckxJ^jQE_ur=;D7d~}!lq${MRBr;0_s8q~l#Uvb-=)y=tQk>f zCQ}i+@tDmaw^>63*W>w*X_!GjoxS_$g!1q@p?ku6BOVt$J?R8Sd?OxFv$Xa%ZoakN z-R;4r6uz&7V;BhV(Ssq{Vxutb5KF=sSWJW%lhu6UzKX7)Rmh{A7ZbydwILPubSa3JEFP|U~I98~1 zTB*P*QS^shgf_oIev#OLbwMcy1K!&K8#%4pw2^^Vu*N|;*7C50`BU0d@l;{w?7alD z_9FmgI+LU<65^#_Q5|>@Q>|CFn+Oo}1o1$DnNHH{)+O)Wn{9VRe3^GR{~iBfH*R;o zWzg)rxp{}<=ff`a!AT*zm|~rH@7N3z+9kh~najg<%=na9rU6l*o-Fum@x^f49|@jx z4b9m^(#f44?rd{^$yGG9ku7Y^Rm`sTRs^t6LR1K>OGWgkyP*+g8FWtF{s3zNDQNl@ zZnMCw*3#wUG-y<_dXqPKfoyVhn5x;K=|-VY(bGs9eGLXmPOLk9R|v&tNxv6W_Pw~0 z0Qm%t0Y_c?i}UXRhAvHp@Xw!T%;Wk*zx33G-o?rs;|iHO01jm*CMI`<>wW$aiRT(%^p{5ii zhftnn5wGT*dQ7}6em_T2@71BUMmlca_FE)qbX)%ScHP#m7FcCqqZheOS6Znz0>g)? 
z^ANTcfwD0E_QPEuE_8k_A6_=w5`RW#srTj(V3nQ<1PQ34XG?e>fAp=a_REcQc`^hA zrtK~Bvin+dv{9ZzAvh$dvWY8!-?`%Tu@9e`7u8-3NVjh)@DjSwyL(!l2PcT9zd~Utw4V7~HT{^{H)r9N#PF~vE%~88_gn~iqmcG6KH>F%}+Y@`ri#_V-^gAs59b_I{EqC$Tq>7z9(4u9X z(^57gu$-XX5%avw4fG{6dEZ)M=_JPYm2^px%C7|N+-S){NL)MV@jsg-`0&$|Q$-B& zbQ&pL5fXgqD+vbY(&)P+Ch0+sA5#+UNt#T4Jj(cKYkKv`-bnUMsKP5-#kMHWBzyH! zr*N;`d|O?ZnsbAal0PDnY3#PKXkCBXxfM#DOzKAruQ{iC~W0k<5N<8w{w%4VnceoXLJl!Qv6>DChNnZ z&nB90|QI;^WRk}lbv6BEDc)lE?MvdMM>-rsWbs-nQS5j}}h<~a>% zyFewTU4Cw+z1-Su^Q5Po`poNs6T{Yx?TwMF%AsU4;~{C4)7q^l(@ADIYn zolfpfi*bDw)uk3vK5Cv@MZWF;kvFld5jND_00AXYCz;GdDLgil)h3Ba@~1`0COkGW z4caC7ZrQvy6p>BAtX9WGIt?q)ueMoAD5S*q!Vrq2$H(_FzUFa_yon>JRhbF)0dA6w zFH5A7R+L6V-jtqfBKJk^6sH`|l{6P*_qg@es|{pn)KJ zhz^l24dK0OS8E5qn;QgXQ^$@1@U)-p`mtIT><7|~k<-LW_WaDdEfXEXjb$mxJfAsH2bm^UbdBHPy5D7+y zqMh&pf`5{kwJ-KE_Kg1U@!o=57XtobO^k)zF+a8~;gA6()aSG#85ouESzU{Mh7}>z z6QxN_Na=rnTPv7>;UiJH70bN0|7^eTF_1#J#_y-9Ct@f&bPY729*dc8mgVlom@$&% zkOc&ESUxuXtt#*(xqHy4W*j@Cu*~l z%q>63We`8?u<>e5hH5L+U)YawfT!yONbl|=SN0$l$PKAL6Z$0PddlzHw4Fpm%(cIo zZshgAA|2M7nyw#AQVFnvotw-lc}{uabhf{&&SHEk9tcjqs%ld~z!Kl6n$5?1*GNi6 zz8izXH3B<<98L8HkCNd)5Ce9+sgX z^|w9hS1A{QeQlV&v><4>lshZGaGX#1(oH=^rm~R0KOpg6KV?STs{7nBG`uw=J*-Dg zm`%CfkT(O%uo^qT9Zg9tAt#j80Dqm57>Q|`;`9PLqlkl?v|lk4+p;(TSnxDNTsO)O z(KY`h5dk3eUZOY7CsbX=*6}0FdKM%rMarX`!^{4UCedum9q;+rY@CIx3h#jCb7L*% zq259osYtf8hUlNp-5NI7JYPQ0+X~Tx5$5wv*~>8u<%H3+Y9GcAfTjSOo-6)zUZZLv z%u<5E>UW6f_pUqfQs2roKToK+3g~EEOUMXZKwG!Z z5eP}U`UuB>$NE%#1PSXeXPn{Lt_2@3t8!a8m)b2~rWlrnebjZ0m#G1lDwC8r{NAg6 z(Vvu2x;Y=HwF?y0-+3&;ch2XhDFsAWt;sw)hgX)l$*2xhVn`D4;e1HyR>n4I-MY3GoF{=V6>%TW5ck@phWils)agW)M~C8AZ!_Jasd z(wWL+@5XA%bf(MU0&%O zZ26E*=uKc4E`02?-HaVIhBI-z@{ZkntCw~?k`hiDgZ#HR&p$a6f4uR94p9o#iU*Dl`Hg@CCDm2)T9J5eGw|abx5T>pyc%!qy_j{0Cfs-v;C0w%|da zH=d`G{a-u7AK&{w9Jz?%uxiu)+t2*nltW=Cl>D#p*&meszc!!$?JLR*m)Yu6=I+7c|MSoN{kyv)aY15IB+$0{ z*9H5JuVJCk{R$PjbMK!JNq+mKJ?hf9TW6|nf8QAYw@>ibI|G|STu>wF^#2dp=7tpb z{CoUgh``cq!Pe3fn`AG2B3@HlGQ`_EWiq@vRqyc_Rd}#i7n)b%XA}2N9>-;zyKQOS z`Rs6XFlSXy)-UI&)qZlszh#i 
zEG$X;x1$_fr5oV9ml`Ee7cW;b1q6Zq29M}-fAXA3V9W;GENaR0ukwfigRiJ!U$Va& z)oJ|1wu|(4I?l=GAP&qX`g~aO_$&eRiJ2QDJzS@WnH=DD_0R-f4IA;u6ZpQ!#%FuZ z)E9GZuOl`(JY0w3w0$SOBDAme9gb%=x7&m~_-<8FAv1HUypnokeCQL~;eHzM_y)@C zD&G-rFnfk98eV;`BM6sfL<7cT6;KMXCUOWAyPt6-hU9#lj2_>YA~0-%7(DB(cZb!EuR@g{HEz7&lkCQBeG~;O8+HU?Zo&epKgLg)l1>l0VU;^Gq?!^ zIhxOBdoYGwT5c70Jz^fL@sdN1VJh1tI2b`BDv0Nj<~1MjGY+V6*aCqZVFJpViK;4V zlaPW&9a-{eU~mm(JkYiP--`Jq1E)3&u5;u|jR6$zUEi}j+X~;W*7%vL^es1j9u z8`vULn*-Y?%oTZA>Ysq(F$#D&j&k)zdCFu~O}l_8u-q3UOLr&W83FD5%5=bm-^8O7 z`}r=c9g^~Bw^D&5p*q9Qeu`P2yhCtG-ye+kNeE>G{H%vUfnu)W9)QU}r{8j7BXeh)L4J8!?QOb#FD}*>ASP)PB=C@Ui+a(-IyIFCclRuk zO@g}_WqbuW3VdLwl}F@(>0{|Acv!8$wRsIOXb`M&fzjEo%7(mJa_qW;>w&k6cT@Gw z8?L)YTiJEZK<~TI`&eu#B-AH}j~=z7{8I4x)hyVum)7WaaJ3CGX1KpKvpxx{+X5k0 ztXovEiD$pa9JAX@qOG8OTY49M_TlJ~c@*$}WcT-ntOvk&R!rT4z%1!0s}zb?;WFjp zRKV}@0B&IQ_5-c&fEBfK&NJ{fsEp3#30ie7U%?(o1>`Lz&oDx;8D#o!g+F#0P+}Fy z!4N+rS_2M!DW}tRAk^x4RtN9(Rltb#ao|C_!H#C1XCDz_H3z|GU8D((AU|0LxD*?n z`ldtn3{-GVAT}cq+u#`?pg+HK6RpIyJp`w}F6cWu5dp;T%9uI;j4i9XZHKSiv<;j? 
zqfDepFXI=$t_0&`hqwXH6^W6ZkAcxzYeAR4T;joGU`IiI5Mpvss0zmCEL;lQ91fx;gV zRCu2~+qaW`@?mZxoCj91N_EQHL0Bx;h@x?sNgxRF#^1aNH$|w>V#D8E>(WGs;38Lu z*D|oROwfc2c={oqvB{%&Z|p7>|J1I!dO!>AU%jNt8F1%E9WXo-3HD#6eGNicx*p0u ziH9m9X=_$+CR(@1*<@hbF`~URTX#q~-^|n3sD3%@ug8eHr5<4DK(D5^{2F-SF#DX$ z?3?38bEafe_K&|8?4u1h7z{o5&Qe|EZ|@yJ=0=F;L%`e)Vu&|@w~+c91k7#>sqK%G zxhTgFHBUsi4BIhn%;|T=52Z&oXJcQf2Rp+!9biMQgJdmuq%sHhOv=te_rzjvd>S7& z{1N6Wuj^PZCnRst_2DaAfDS;Ua}1obD=aSn1;Wa%fHBt`Z51F2u|+p^x`-5M=9j<8N zwB&1~Z(#g8;~ApvZ}-Bw7o^y;F*r+_Pi!b2riEVuj^XdJ@H^M(=ZpZ4t!wE{#Jy2} z;o}qD0Zci`U{>hryrMDcwcJP z7AGm&4U(laCtX|d1rbt3Agj`O0UJ4c`oRJR*Cm_hT5~{89D_GPG5q#tK;ENxl;P8{ z7bSCPiKvSh(}077t?e#$Gp%pFCWZaYp$o`7g2h6Ipp817XB8R3HuDaWRlE<@sOz9o z8qT+9;t`)~+y_E0G4lKQsuA3^v+SRx{wg_P%wV2ot7*@2evj1ZhfJ{F-3%#RsU&}$ zV9cxdrH-!-vm6zSbW>6j??=CR40k0ads$cl6+CXB?rn6Np|4g$7o-X-y1J)X z!eQGnnK1Z>-PGZub>qb6T?fYhJV=Nw zo)6xB1Lfm!vgg&2J*uh*y3Wm}jO5l{kkbY%YbMyniC+fpk`S)K+B(Q(cCa~`EH6%H zE*k9n=Wqf5&uRj&J*i(#(dPJMBf$oeH(gQ0v$?_Eo@Z9Wv=?ZxeP z=we@hZSpN*wtU-9{RckAURm^^M6mM~8D~%*N5~-gBYJWp-53fU+ZQ=EqBWgJL}`O@ zi&k)YV|kQTFf2vrzNkv_M6~*S&=2*AB2MyY4?$ngF?V`;w7zSZ$*E`^^)tWx)}Oc#pQlLYiWuBytzpaXC0&3jdt;wHR&cRxh^NNyOGKcxMBs1>>{v#OH9i``m@j!~rj zHeXLos{xov-9nibP0f)os}9%$qiLL(M6VNKqqLO?Jful8UKRBcAMTUVH_TUY^<)ox z+M;Nfg>dJ~&|j{$xx!j^n!9E%=Ly5FB;EaB4mh<|rIX8)S(`gG2SJC3L#_-lPlvP9 zzC#We~v;i+k_-%FF4`iMGO=ZW=%sbhif}L8)UM*&u0V?81ZKM_rflt z+wD_Rvvg2&z z059Z(;eT=Nd1$zc*=0bzhlXIK@?k`b95oXOT+VrXfMe_rDHr!(b;;b%f1Odf4BLkY zJzeW^PFE#1+FQ3Lc{53l=y7x$8?Paxc zejsx(cuilzCyAfmP{!2@7Gw9zHm{m6zKP4-9em))K{oMOZeN-zaRew&bkSC~kMiTcX* zobh7wzZ#o3YqTG{cxxl*r6k-qYGX|r`2F4keR8l+W(}-ROUH0NzpqJ9A%Rb0n~l6rW*LSN=cW5Yp-cJ z9GdC}Uj~&3z;z?G#8B55s&NX)_wk9=ByAX@eT!ODj~vAT4|?D10|_bS(H$Zd0_-ct zpjT8RmrKz}p;a^5{=lj#)P>>IWr9ug5hY+|{T<^9?sQ)Wrn)xvQorbANJhae$}73- zUKb?rK%NU&Ezs?z6c|Pz1C<)=?>$Vkit8~64acYSn_Z%1F03iMVboL*&ewLButb>T z`|{5n85DKQac_*{3niT^{CWKN8F9)DUc_Gi@Ip(*6rXZ~)s^d|ZyR6LEfBTylwN9A zVyFFR2cqIFNCY6<>muIX(GsemQr}fG;mp~um0*U9m=eg)0FULRSe{3uG%s 
z(0li4j$*2Zh+8L(-+pgcf1XO4*nWwORu1gs*z<9U-)MV|XV>}qn`@w1RWjq{gd1MI z+4%9{(hcZ3rx8lH;sv_eNir0}Z6WU!v#6K8q!tm#&R|>&;FwQk$zc@;;}iV!^@I5Y zFICWL@twH!N`kw#*)$BlO8|N$D3gYCD56;o;*a9xA+!YydY-kD;H^O>zWa$gj}@^M zV-7n(_r5kTC!zdp2Y}5i>UY;os55+bm1^lmfNASu$+HUGTFND-?CQpPW3N2ou=*QH zhkAJI9A89+@fWDth1;ZrU{W}qpBf`@coK%ZY;!&;WJS!s{QM=PoC~(d5OziCY&-bA z@cj$W_gDhLuS0fzu3Ks^nyk5NX} zA57mWZQ70GSO(56t|+v_K+mfy@MV(MG{1_(aGQ2?A|pZr5=;h3m*98OzfXiASTHl; z+TG#OUabsaP#6BBHJ3SQ?*SI@2Dejhuw?U?;w#T2HuLzMYwcq6eXhaQVnTzx*EbJM1K_M0c)cuFt)e|n0UblV*C zmVQZp=9*Yi$=bzLMIAfCqI63%4RHxcM=Bqp{VH7A6dT0R67;`&E-(m!SZ5PtLVTe7 zgf!w(o;hD&um4f}o{SRR(s?TD7h|!Ip-0=#21Gbv&Fz*s@*TS(v@&yu+2<-cPVJOA z7Aj0t^cXDmj0SGC4pXTw;++;?>t$~b27tV+;3;#JFx@9Fvm8}Ri9MiyI*t2nMG z(Qw1cF5hG!g$M0zY}@h8J@3DMxZMQ$RYMERW@;!A#U4+Kq`o(oZ4L%6%V}CUZr6Vg z)P2uaMUs>ai);z$z07By9zN%G1z&0y zTQGBkougNn#oK>*oii}wQLTZ_r*H|C=XWs1YQ98PbA!b&8DU)Sl9!UnZ6~t2*k|;0 zkiA$*g3~&^qS9vU^{tsmS|rj{_`X=i&xT2^jf>g>y|T%*2NiY}-G;^fo9quY8s3iS z9_&<84`S@ug7yY_UVKSf<&p*RJ8Yv8zrP#)`j^i9k9zs{Z5l`_Z`d#r5K7 zsOf|i0SHXWucWsg6^y?g1tU+PW?i%RJ>?Si|)awht-ICE{f zW@IQoH!Q9Hw@;ctk5*J~__<+XX+`-@7VV7V^jU#zuD9+R-DA)4la?sODbcV?^@04x)L-g*uabKV)zdfh^dM0g-m{z@0wjQO?OUH-CSMw(RZT41q?33u3RGJTKy;W< z{rC%`(FT|Ukk1T<0hDJAeb~{XrWhs3SJQsLH=$u&tJ5{FYbyqi(i0dTAQ-n6N~yOn z%w}SvE%@5#*qHpa5H6DUL;0U*p*5c1_ zwkZ?~bCphfbhyNjI;{{J9J@c@KC5|&ML=N*DLxn3BCaigA~*<`8uOx@#ot5cGq9&k zrvRRZWN!W!XDr(36K)40n!pZAXU_9bJ_o=c{h%s5rv*f-k&=YwafNp*qkGshPqzlx7 zcg(9!OVctNgqM1Fv@up`nB+0OK(@9xWfpZS)y22(RxNl=@~P~@;??5|q&NS=JN>tB z$rJay2@+GTk1pUt+K23y9rq<@&@=P^0j)1!gYRi_k*lu(Ac<=$v>5>RkO=dU+%p3A z3{v@?y-Y~8%k@J9cMXX71pFhLAb;^wFRO(w5_Y3yb-PbMd;;&!rdgaAMW0fm_w&|g zAmRCcT)KaILx28}i6xE~LkPJH`JhAoLpE{|Q7(|aRNcUb2&MJz;U@^8^#N;q6T#nK z24)-iT8wjFgBgZ#?ll9rcNCE7=5ZZlBc=8}@(a4JY3Wy3C^Z>~e-6go0@C1aR5`rG z->>6T3;TXJUiYJX82fIzkIzQwFMl#_7Efv38!4&X_xlL z3l(Lud^iSW!@M9bOuC`4}*~E zb!XE}5L??HJexWo!FztJE0&%f+DDie<5u_ANWSJQ{G)3Whj?oIN>sODUecHeLns|N zSGEYN)r}hOgOYK8jI#oWh;@ZiYt`=$sgsU}kU%4<)D?GN)^)YhlaXOVIKU`N0%UNf 
z@L5KF@j%Zz2QELg+}$W>i0`e?EWW>r#Jb$R{Es$w`OMqbdU|`=u6`h`$Y$O!}2X8NlAZU|U_F zW#IoT1pddPVaKGwgy9K76|Uy-&<(+noA<8PgAvd$K!c&!jw!&It^w1x9u~-aez?Ki z)(1e)km-31NGWOHS%JKaR|&z8qY+FRHUhEe%D~Wi5=yB8qZAVh-ChD>!SkM*v2MP= zz`+!FsOJEX$-cK@wdpTV@6YG)e}5qzF8z=*OM9|D~)h~IFnSQO<(W0rloUvdcGAmTzXomKG6rkW~fJw7!NwFf$j|NUS1``26Z znWU@M0G&f0FmY~iaM<2|m{w52= zgGt>En&#LIavxxMp{extHh3d>;jNJj^rPd({^fd`qDhto`wg&zcRf=k9)0@!n+v@n z9>=Eo`lseKw+=)f01KJFU#kE0wRA7>T@~|AvpJA^$2~^=&I4=`_Y_QeJ0$EoBFP?Z zZr?1jiO)|dn$}`}a=aIMuuFkwINE;t}FIhv9H`;ALK0bdcke@(pEy@WAFVVNIY|ux76X+ zk()q)2Jye3$?cuyROk>;6J5<^OuV0j2BJS%0mov>ZmvBVQz?{9&RZEP5UP1-JtyJ0 zU1tmQ7iFOJCoM$GfAj@|#W4WLUN4=`PjRT2e(&>Jz4+($eeK?j`{s$?2Hdp(aWk^D zlfu}JP<&f@sPL%#3W0EI7y<3|8FkB?s@Mt5dQ9lUzo7*5n-a=HU2QhBLZWc%@I>(+ zPtV87(~8f$EW}ac5mICGSX-6H+C~obQOZV2Uu+i*^y|b+EBwyrIX0sm$vY>CqCXOO zZIpMX2H`TlyvPaWBnouH&V=ov)VE1G*THz2#+xf?3yRh#asXxu2N@S<-2~u?odEoe zjW;}IqNwXkZl4xxoWWe)VqNSDK+ckYv8nz?zRDqr$DG1;pt+$`fl3Z z$PO49FN++4IIw!#BoKd?zR*USk%%gr1ao_?3*aO|F69o~&Gi<#q8Cm>r)KrQo8&YxQ{d`l-b=Y z3`7B>`L1f1{aiP`KzjP#r-gl^n$WTbZX!VomB9Za_d)+_fj-F86I6eO;+vo^w4VDe zb7mnj_RC>rb7BO<+n`)r?lj>4wc=oOXvxsQW4khrES!%v7nN$ZU!~Zk6r>Bh)8aee9sFrv zel8i6{`g;AGZ^YzoXo%!wFVUTU8T8zqOxOeA1?hC9X#t6ke^5TBCyG?1PgIk5=i5Z zoCk{Zs*zj3z5S^C&1EX(5m3E-KA3b>_gQ?dXb1c*Y9Lw$z*X&c<~w&}Xd-P$BO&H( zn&J;o)|#oj;&jFxfLIfN0@LXwvA6sQ;IF42!G?+p8Fy@eVDRvaJ!+UO{0aOJ=noeN z3x3o?ejMwoP>!)680REf0W*;UP;#v3W3s&2h+(H$`T_V6+zNq`L*V?O%I4>-to8Z5(h?PiJ*S2P6r%VL zz#Rj_Rc7{t-y;DufC8X`yX{1cefe-+`(I{PnViI#C}Y6aP!aTCiyFxn1j?x!pFu9) zt`k+mFJ59e(~VmiOysnrfsu+ggz`6fsXj}shL#?i1{GhIV7G3VSN^;oJXYi3=f=5P zuQH;W0grgk8ujiTS(ZUUoR{-S3m|s9V>GBK;q5>NZ3R(4*cnj%-a_7QL9w2~0)o2% z?IgKW07PuQpW}^|Jp;H8e|n#Jj7XOT-NIZ{=Hn))S8&+^k3uzYj1dhbTUB~yCJqB9 zeg!0ixc3=BBQgN8aOkPf9GyvxLvaidLIME*e2CE&vl)Uxt|@!DG4u%gkd8AVe?;7p z*He18&oVnoxlnt7!cE`d^g2!lSs7ti zzQ8P~7*y_IS?yrDw3@TmX8ng30RH75Dr|F*S{YDq#QF&^%}gQBgoF4xJ!!Bx}xMUiMgbt&q>m^mi0JF9Mj>0D;t*lTgk4Nr!nNV2ac)+4H=}CA^oh2ACGE zZ@%@-085CHjAhh&z!GytAUwl&?-=(h?w>$uI+U52zB_1D3}|HGttX={FF0A<0k^E7 
z$D^&BpOO*}LoPu*Lvkv5?0AbepnVd3@8(>O6(@h#b8gHQ;1bdPRt0j2xCs$3Zwe`Y zA`P5pDLd)oHhZ1f!n%(4)^Vxsg|5_IJX@dLkvg?p;c(Hz-svVAA)m(0t%Dz-V%;gH zL!-xnt~=vL&4PS#m-4W)Uf_I3RJ3s@@!fAwCJJmPYTctY-RR_IWj_&5ndf74E zo7=fQfoGY?B){`)h4)I^_Kn!81Xu77Q{(P|wR60|7LYC8X+DnU4%}kL{A*j)*W`Q8 z0C5V%Cai?$MvsSwZ1{t%eFF$B?=}!X}CG2?>14c=SLtK;Zv5Q=Ua*s>t z#-gG0x3x^jfJBWdYDY!~N2x)p4~o^9bkBAxQ2QB1NWb+KKryMNoI6AJ)yDw&duktZ zB5q62-fR|X6etz0dJP%_cG=EKsMQmNClIw2B0bA|K53_(qxXHqD_t`a~HV*ri z(=D-X-sf$Ya3YOx^Qt&i+y+NUZWL^WcZ)SOIrl>xS|H&e+5#Gjh$(Urh9V{rTE*@n zqjYF}7GaS7U@MJ+#h>Sr7g%Ofm1=3G{kfgOv!K8j7Tu*w{mY#j$r)&IKCQ*Q0nTGL z%*ibM&7ky?XtpCFDx$P9xpoSOPYul*pupZZ87Ebcie}D( z;L8#9JQR4ljrtY7$Jev3Flt=JzUCbxg4<e97GMw`zz5n!4mSX4QmC;}Gje0S+kgg!tR%#jezv@4f*ZsT#jI zHl*lRVhR+El~8w_xwrrnaM*r(W_6yb3jP=<;IqX$_({}thiy9-_=`r_-7t_krr5sV z?l|N5I!2)MdP2!aD`Bs_xprDDh%rhZlDZf{9-Xxjp3ZzS$;yvizvDz=!IYU5CY6Lnd&xN3U$)Jp6GvX(z-E0A)a9);uV~UZYhGk#oq)! zA%9lZ%*U_;r4->)C)st#(cZ*D$AHmw!|HY>S57oI_v{vzm%CC(-5uvyFUId4Am-kG zLdQS}Jp54=8t0;KSAM4nHjZ@dcTWGB<}u!@)0d7TP1-J#MbjQ>Wo0E6d!ZE1G8Tk^ z7o_yU!AIT0QA1NBOlyl8WMmdYDahV)@mP1n+r`YFfaD4^1qv@G63f8v&I!BqnKdTp zUw{t@1#K2U1h;e#P}lHxPP)Xf2_2^uRht!x$yz`|Rc|ByENE>=j^2~E6NwQ0gtK8pb935XD+{_lO!;&Y%@ayEBnJf7)`l` z+5-(8zWVu*Y6a`Ncb$-T#>mOr?~>HK-dn{ckx|{6?ffKYdfLP%peq9N=?I!9Wab2a z40?S#xof0!k;`WnH*Mp+UewQ&`yB)gHkhp{CDzA7f=C^)rdxfup zpDAbn_wfbso#1Z1>gb@P(?D5TOV&usVcJ7nLj+M0_6>Y<9TRw|k%XtP*QP453F)FG z@O^WL-nT$eX4Ua>VM{u~3UJc4LQfHlGF8L$@D4J`D<%4cq0@` zdHwPP!~&}eduzX3f`3Dxk!Zhmn9@LhaurTyV#d|aGn|jD`RR+XZ_3V~%pzV}XpZ{! 
zBENbQ!QP>t?b?2PQJrm8pC=x9+D=ua$9WLEIm4cQe z9bXgI{hIhzFD<}Xp{4}f;Iy}9wV6*S5vFc|Z5Zo{bH$$;hOp_%dVp2Ryd=rF+)gCc zUTfeLLw}_7PM8a!c??X3DomCJg>u8NeVnipl6hb>P?$jUkdL?|wmK9pPx6+QIn$Aw z;Y^dPd8Fv;Mn^(Ucxa*a?lkcGQh>DsYn|(J-Gvl)w#Tcz6GO0TxeWr|F3r}{zRIk1 zJ2DuO48yH@=0i;$V`}hp);?zUb(}+yT$djMQ?`&nrqQs#%Il7Rwur#lYICo)y~T?p z{JTq3DxEhvTuo@JoqVwCX%kePCT-po8$55@e;4eIUds=sKfI}Y=6pe=x{!<>%Zo$u zif1MhEwyUSFNWyr88uhM2YNQTtH>I4e6{^o90E5(X&*OiQ1;+5@V;(RjkDM6D~@^kj3%PC!u=7{)Am z?kCHj6-|UzeCBB8)2WIi4rC;eE_?t`%@sdYQz+5d=b^4XyA6**l4OX}WKnl?&{;5{ zWcWpSKVSEDSPZeOyC1+))j-_0T z(6cmD_wYE)ib(6^xA{Au#gahaQvo04+wL8?QK zL&i+N2@c-(=W{ThfG1dA~fy!%0^Nv6#H_8&6i33Giff zn`~_=u`QBXUw?0|b{qL>#Ot;2As{T}MQI(xfbh?-*OCrZ=Q3#iBIf)h@(k%XF#Vef zf2L8)Am#v%rBzR|XeCM$jTr@*rHg_R`>+MC|4k+1HO8kek|LsJjkA?vHHLc(hX>yS z+IHH!6Cfz7Su4G9XnJ&h;s7hB^P0U}Tf=P&gCbwQ#-dR;&O^VW#7_Jbj*=SX`&oKh zjGWsFy|m1*_prm`m5f-?v~5bH_BbDCMZE6*2#LTG4n!kkmKcd`jo;n~B@!QoKgzD^ zej4h&+oXX4B;iyu>QGxC`JPWNmb}NFk<9*VJ9080A#1ur@U4G3;k2MlO zCg!>y30JxmCc`Jti*1%zgBezdL{*eP-YHglHmfZ)SWO1zpIiCmY2iWbX-*eKIY~IC z_MNpe{u9_FKcVsyv;*_Qgavl(`}}i}ScF~Vll;v&Kuqamw4cl1atYNagqCTTkQiff z15~6Gb^Gt(uW}|?MB5%WnO4oR{c>~=X>II@Ad6+kInJ1 zZ=;$LlpF(|^Z@$J=}5YCQw!lo)OBa>u6)s_djYXOsm=uwrV1BbF#rQQT$<@J{-&

4&+bd!HA6N2dyG@){CfI8<Ds zqELhVi4I{U^dD=g*M;OCiJc}F4xe2xb|W( zf|gZP)HaZWn3|bp)Eyjq`p<*^#V`wrlQ_T9V&%dfS0*O-ac7JbN~(0!nWySp!UB%LZ2(89uU>+r2&v0zLAT(fUt_Q z+N3$FzxjkTr>KkXghYjToU9f!@_uDbG?+)c310ZrRA2RrDUp{b{qUpyO+8nwClf`l zBBZ-;X77ApvQok$>DI~1c4K=xaPzCJuCKAD{?5v zg=wc7RXy|nRT>_ssrpo7gOZGA#|gw*C*D=DmIHF1)WA!&)!L+ONqFYrfID27ZBSA2 z=SBGK`N>2hN&^1F{6?%chCnP{D*es9kWnKa(zgmPP^J+#i;ZgA8m^|> zs~aXY6d1O*yUG532O^U%rOy|!`L$lg5)Kw>GS=xRVtj&dAbQ2$6L$qxD7ka zy++^r91eViRRfpqzdi2YHLlVuzpK`5NcjNr zLNU<0FprC~NF2SpD|`3J{}?s{6kH{dtGdLnaU6_Lios6g;LZ6;^pArm^V*W-PD$Y> zDprl>atVs<2ya)E=+7i^qbc_%KdNjL>By3sgb9rH2k?Jsp~?K#BixG@oF^=c#L51_ zM4v1|+8PILRLCeZQVj;Txp!|Y^FFM!Z}d9a`CVz9Znpf9$#(3`!$-K0FWY}pT9@x? z{Ud2-?=?`O_Bv@7=OLbo*X20&oaofOzAB<}%jZyH9=Y``q0`lEdA|BUaibLWf~>Ep z+v7p8S~T(wn}YXWXyd=$$iMDurYs5U7Tu&?aHFhLSc4Z4EJ@mO_>{9vKx%!Y#OzGz zub=$CegpXWB{W=k$;yBDfq(l}rs_4oOjn&`5zzeiCH8;+d$WWA{Ehuo#&;chf{r^K8{RWH|A#pSku!YoL z-|l_IW%#;a7=#Vn!`%{>ueyo$1(I7sIbHw#CV|UmLP7%M*840aybTRivI#58%i{o1 zy4vY}cpCGkS zW-x)Wh##C7Skc5nqOvgnE7?a=3)KL>#AyehUOWXT;6kUM<1{n}rJmtNVlKJRzrJm4 z25BR$oHPIp(F!CvUT^ zH3JOE9w2v~k@HXy^9Yr04>HVqv>s5gS#8g@LDJzdVBl*F={dg^>yPl@Q}S7aSA$Uw zknJuYhDbOeQdF2}`=Gj%J(xbYB7#<`Z~aB2`_GHQGE`a*cdIv^wQ>EeW?rPFrR7q+ z0_m8HOreBH>!pI$t8}QLgYCJFG?!B_7;vMTY;!3E(+6O7Vz8|dVPC3W+yC{G-XcJ* z3uxVk;9&#x&`?Cs5YP$2b{mC5;QMPRdz?xrkJAx}<_{~u* zbMj6h#DQ5<8Ubu!eW2}v=9~Vh+jF3#sRX!6Cy2^$gz~9qy%(SF?Abxqw_&Vebo1bP zr9Ss4B&)HXbHD6T_&t@(@eb&#;i6$D6L?^BA}NP zxo=I1sP`PM4i<=6g6cY83+VvH4(@A1y&fQ+fI_+X|1owJP*Jw;x>rO6L0|;w927+9 zW@s3?1OpMIOUa>;5~)GDy9Oi-q=ca*q(ee-Xkq9MNzXIi_uqB)K4*Vxv0OS1F!Rp) z)O}yq?*eVH;to(e#QbLEgk}9j!1!Mqr{D?q!te)m91EQMLBAh#xN03S`VRG9dz1NC z6HITYm%sXXAJ_YzJElLpLu!RPcxIqdwpTndSwV7Lfe#qjZlE{S9{0tlaeDijl4sQ0 z-#{Etj>GX!gQB7h(5I=5*19`*fx6$#_b?l`pn3l60 z+j>y*tOQ}-G=`fvb2w0;HFKk9@u*OBZ|=LQ{?h@bD&!x2ADtUN8Azl=7?xeK_@(ge zTiT#~(BaCexJS_+C3%<}K_kGn`STp~tj0jAYl)(<;Zj}R%QZ1<`T_|9@Z^n@S*T&> zrU3b>fI_Kys?tus%2zmadvhr@3zU~6ZrDqF)wa+5am4SwX@G06p4ks-jdZt7*66%f 
z<>q2sU{wr9K0xnC%#@e}fPw7%wA@l7DIZuU-GB|XTBv?!x{Zjz0nu0fmviACG{=Fv zLESj_Q1FWG8x+-5M_x{`8w-!)e*}G&N;wiA$zk|Jz>{V`LO1(DhDU;J%53*w|AQIMFHC1CPJ{b@7C>-7kLU z-M9z{Y>)7E#ZKgZzgq9XDW3)ebm}wr~>}=f7eR9A+WuVr*JqMsbgQh z>5O=7Pu@@qlIn%+F``uY;xwOfBVk<}K7<;PN5Uq9q@uHLB*uY?)o!l2&M-SruKf!A z&J8QMw~e6HxYGzevLP^r>hp3&)4);#KnnaLeSLvH80$I%>`YEUnYk1Uav}03h2b~U znb-QY6D2R2lbyU$a-$^|-9GLs%_OrQ)#%7ttb8!=T3)#7IWg$kQ8#wV+|Tlt)=wsg zkGTBkA+vo?{tF(X7rBJlfO=?xa;&S|1KG0l2Ef|sBwttHicC9ZDPw5BXRrlD z+O}>%P9S%yjA2!3BPF*_|BA-7I{-Yt1ebBL7oO;1=8E^)5?qJl1h=|t!gY|m9K{=SJ#nCo?f{n5CqPM$-i~(1Oa`nY?b^7Q3qTB$spP@A4wL&bX5gkC~_l%Reb4Qm97Z0j#eQG=8gWTxN1BA`J( z7Mtt_`g8J(C|%>iAvD5_^?qA4i#-1$v}zGAK5v5@gz~~nMi6wLL9D~d@AJr8iBvl; z{~Y)GP2kj~4B~DTK!F0kTSZ9D_6)ShH)aD!-P)XRf_zD^kb9!?q7k^#F@55d91O59 z*IM&}_!cGeYIrGijT?c3yo8jdDgWXLJ=K$TIJBdVI4{g3G*)&Gn05)Y^y1MtT^DbFn9;dcS z%X^13JAoBY+!u&g)iWOzHLUrJU#)N1rJyg3Td(bPXaUk0`hFFB-nJ6p_W!T}Dq3x) zY1jp@QkN}uCt*ExkGIsf0dQn1Jn1%u;LkOL9d30_Pfs^4<1g*yH!*N_q$z0@q`wAc z^=A?v8)u57)TAWsLQh_(x@|4ozAjA3`OFwckKk*3lLHbWG6oxzK>NHL$TMp0c6$Wl zj@G!{-IcG&u7IOJ(|T&P4y2XgJdKI$Ic~TOII}!Hza*o|*QkV?rH|BL_bW(P0)Mb~ z=WjZd3ZB9ZZOz}CZ{sHo#z2)Zqb#LlQJu|FRa0UIehNIPQ{OgmSr}^;kJ^E_CY?&) zN*mZ!N*OYArQoX8UG{A1Epi=uV1r%lTIoLVk{x%#%cv5%;f1fYiCfA~o>`@bBI+8n z%LM#mZEw8{VQ?z}18-8p7R&&i_Vd;_^MoteEBbzWHZh&s*9u!gNUMNGbC|nsTdrVv z$(L8Gi@cq?(66_KZlwa&I1O}VD+VdhM61sE5%{PXIz zYu*iff}Wx?0jyNdx`F1LHZ4JYvU!7p=M>(H1}aNiY=*mAQfn z)I@5?TzbzFY$#jw{OgC)2;2x>2w?&hN5CU|lDP;6`za=ArfD<~Bx4*{+Fo*AZ{B6N zSDLb24>q_9oqPrWq8PBolsybiu9dhQ1*7LL$kA!2>2))~_{+b}0U2h__eifS&}qle zpv*iJC*9fMZ=s`ZJ6IlQp(!`PwBrlBd%#u__ULzHV!ZLMBQSt!3i*Mw_Bgfaj>Hjp z3c#79jfD(=-SSH0)d>9a`a5!DZGJ%K?WXN=V|DbmMCYb-!W0lU^_BR0y*=W4x=g(> zyOH^U>ZNujse9AyZ6==?9KOYOQM;dzUGG)MR(9St{-vFQYsT{|HO?z1Xt@twsby%ZX=&~v1M}v=- zyOsxuBlYs&`>-`u{M$RByQd4FVo?ch`Q8J*WhPv8)xH?-%Ht(C*%HsQ{D_X%)Hn9G zW@eHnv!mdDl%Tj{KnisB)ZwleW9RVKLV9qA4-?|R=52q2XFxb*Ooa?_K0#arN_f4x zo`d^c6LZ`w@mTV+?+@OpT%s5=Aq{=uHvYYYbN;)US4;CRQVU2keb_5DW14$7rNB-e 
zv0{q#`TC!6aZ+B651(!tMc=v4eC=`1yy-LNK2O(P&zp@kY`oYyMdD=MFQ|Kpt@IFW z$Ys9TYwFb6_?NW@qg%F*ymkbuY(CU}^m=WXnzAL)ukNmkesVDK`GfwEI2PkR<7$=R znmBV!+Y0V}w-m>4@mgZdJ_5JJ3y-;=3x#qZDTvfOkPA1%b?|-eh-H-J;i1YiOIts; zprdyyJ`tex{Av_@Ygl-YisUm|3hs^3?$xQ!XKQ>HFzeMj)gA4cnG2hY>0-k&8XHRT z_o=XS>4C!I=H!3ceWKMNqEwymY%)BTnqu&~Y5dGt^h`tV^5^e(0bWvfGUaXF<_*9F z9Fbn|yug8l4B-U~Zx$xN(exZekXk|KVYv{mI81>jJm3fB)-UdQ_N_IAQq8{IW!q&mG#74!*-) z;+QK~$&p1-vM)XJI(TK0>1)6zS14nxxZhz(PzArHBOLkGWtF}2n|vZID!cr>cmbCM zc532DMYk<&UC+7!bdW5fW4En8G1PYg=9Wq3g2K*>$c`C%!O^#xZa!*tj-f`sN6MNW+JT)4I5t<68TOB2(26y)JcUc#VrZ?b9`U>`V=mb39$A>X{-FIE-wss- zs-i5`cWKhH*a>aOuAV%5RWN-B#qk|di6UuV=Q-^~urjxtfPIYylNQj+52fYVt}?}Z za>Uj@sJL@Pwt5P74%qHD?gl=j-4$B~Uoia$b-wbo_|sxNmZR7D>@$)*i4T6VZ$;6Q z(sUY=_Tz-o831Z?@q)YVsRxL8xRXw4sTQ^wCmG<;Fh|yRa0V8#JSutP#d`7(#$u*o zE79P@t&=X@s864~N2w0TL#}SxVE!1tVHKOip0qpO4}r*WCE77a3(Pg6 zzpF2Dat!2mzd3EqeP$cV0aNSb;%Zqxg!;{nX8(E0++a^3T?IRO=25#R8)9o-Vvsw> zPPX=LPYI}zup3>U?G|ze1zNA`4a+`Ll{q*iWUxH*Xnp)C`BBmjYofr&?2)HAQJZeg_R!Uu4ld`a|L6(kt*!tbnOt2%jYdDy9zC#M1;)|qx zvTAu41ZC!Gco_N=e zXJRMbW=8Of3Awd|R068eNfztNO&j6oH~yqjpG-E+W?ZMw3)^0_8Da9sJLdCqLAN8u zX{p;O!yOSHlNU67c15J?+r<~A=F%$NHYV@keTrZI%t_mc$?c%_pXDO=ce*Q6aW7^Z zboy$x1U&(y$_L966QP~!>;YD_BL;4`J!_i@fv&kqC#4-N7yG6NG>*_&v=7&U@cm>P zs1FMR@U!(0t)}A$iduO5kX{9-9-MNDnYD%Qe1~%0DpjDv%fUgb4CA9F^EJ#oF2i57 z65&5E5eBEUo&VWh0m zC?)@lCz`?Z5M)?jCYI-kb(%(4W)IyQh+h|Vp(fi2rheRYB0J2M@j7o7d!bs%+$S(8 z!pZ=9OWhZP-0oR0n0D?z3x9CDnvf9pD^Bx9rMzTQ(*iL1s)e$Ci_62F6>mV_<(jZ#K1^&B*ujD zW2c)}gR^$e#nOXEd*Fmc%kBS4!I6h}%=+wyp89qA>CGUQT~6Zm0uZ{U1F;rd7;RM$ zO67y@l)Zmm!hgHM=iuYQ;CCU1!7;n9uhpuK?}yd&>iAg-V0)Zj80nX!Ym8bQ5Rhf4 zwA08DPY>tSJbt~q%4dhP5vU-Dc{XRX+^et3W^S3o8l=n{PI5c^69=Nrg?^3~I)hAv zLf^gC#1dzAn3!7`(98)AS_}<@UkXrG!k&XJ%4(1}+&J)RWCjUsz8So@l*z@Lm73*u z3OQ5cYh>R#sVOmoYF+CRKioN(Ji8^mkSNeVC%%ma8+>@nlw%<9ll(r_z&zzkNL8jr z3*wD(k9XwTO78}()(5b?kehT%$BX(>FzMG9xqB@$=?=sf)L7b0QSpZ%WZj|L@ZaB6 zwWYmfi~P)mWbWKqy)|%Esf+hR)*_kX$}jnN=37z9)c6joF0rpICRKM;d~$qQkSrIs 
zRzk?a5%w!CaN~k$ov0Q>kaI#*A*JC_P5_(tig%7PMa)gv5GR_r4X2@WEh9z`C?4ElNRF)Ls2OC!jDkFZfc_Hw{T@kTTe4iRyC;!mPDy zB%Ux*CNiA&?OkQZN4*r)(lzva-#?#p;)Ix;Ox;e}{V7>H8n-w`DdA+W7jpuPyTqTINWF6FFOy0&=#(H`8` zg#FDGiIf=Y+&z-8a%LJs1jd54&$-UV7wqLO9@^wiWrn@XIZgY>*^5io_CL-cBox~& zQwZVWkR}qc|Kw_dsi^K8N|yUYB008Z>Q|uwxu=g;PK5MMeRBHpo0p&9z)d=Ffe44L zp6aHfp7>gy2K9)n+Mg~}D_ul^Tl>u?Iuw^-sFlZTz0?_9E^WKecbC}7{qyjb9it+f zdc&S-(8OFpK(3BgQgMf&)%FE={NZYlUS)HEfuGg*G~`rc*Pz5uJUkr9aP=zsVYrDG zT>2Ja7|SwCK6$TVFg+}QQ;rDohQML)_kbAuLf`3c$=>=^xGW{|w{Z0i>|lsmeYPmP@z3%qiBJ-~3IA!p}j7s^aBU z4m_{1e9|hLweLQP?X#6-dL#72wvwyR4Ak&ZAr7m|Bm(um7dU_jxMzSYWq`6lrgPg4 zUX5zSI#ax8tZ8(%i(8{Apb;n*nMRO(aSSi*c({6#f4Ii!`miQEHQlwPnN$M{~ zxeSFLHzVBehvKM@B#R$GD?8QwmG#2MzcLozyX{>=6^1=NodbUNX2SO$m!awCz2wZ`vk zsfJm|mu0Orp`}7@Rfi)>ZTv7~WzMs}jCKxrcx8hCo^^*Zv1wP-X2+m_F*%N*Px4lE z+>c>?=tF73_*Fwyu{kmp?dRsXIp?Z$TxoL>U3+Bgk23X>znYbOZrL{-?S7KK6#A`M zo!K_mnZBZcET-3*DKOIU>wtZgUAqruO(Vj>Iu+N@rS^Y|Zx72~`Nh??Y+OWSX7GJE zIl#4)X(FE>Uff>}RYnI8Q80RZf5op(&*H2e*VtcKQi>kGR?we`UCMLWc+6b&QMotj zc~V1TEtU9}*j3JVeFIyj1hYAIJOwU_tS-?{DOpt6@KgwyWrBE~tBgLd6bqDw9xn^F zKh;o3Hyxf5)s9>dbqZ7z#AE0_i&0EaezYpFAZ#T-PDN(bNpHp=ohT(XajY&T9HD7F z7!sqCIBc3{`hFp+<2t_VU>AP|K$lxwh} z(svqW11{-@Hzh}U2YUSuns;DXROt6Bb`?8%mK;3Qr&4_Iu83)1SFUtyX%VJ1o)|i5 zlxCS#S?uG~mrLnB-MomxvYv=P&peNGD;sl>0uo-vi~UHJaD^-$dD%AA7$%j-lm+NJ zWc+sZr!i*=uDFx8q6|X(Oxxj${a{-Wy8p}2*b>AzqRn#%#KQ~KFkb4jkq<;98lPHL z_Aeg?m;co5QgI>;O@uJIS8hzW95Tr=DY5cv!Wr_P6(@VuCm6l+N=``lMUEx8KyS@G zmUp=c*+KLd-dQXq?x(l;vLn%~9d=0T`mIkWMZq>DZ!x(0Zjq8oF;Aw+KG$|nOK2>X zwx5*#<$UeBFYf$@9&v2$J_23+jMoVz4*2>UUoX~ zcge<1ID}SC*e~4yh3>?=vgTKSsx=3@XwUR1ykP*ZwrAY6g zyNR^)gddnDQ}0H{2FKDt1oNtlCEDaJG$jv)@5k_VR(-e&_71NCWEMiV?#}e2cNP!C ze~INW>b<+=u|_K5yZRPs_n_Fc?d;`kS;4AaI@qgVufuYc!$(WGW7MK|qmbWaT|*tLXB|`Yc}ngJ0^% zh@zHzhW48~yE8K`-KNMk6s6$GrpIH@29-pzg*W^P?p{1)l>AejSfIK6)*bS z59-PKVZ|4B9w`eiphJHt?(>;7Qpb&OcJeKt!`@J^!}P^eq>2j6(Op)VkM|!s9@xC*Uf|X=n#b?_7#V+dE?_uK9%nBMGtrO4e5FIGsv9}UOu?{ z?+XvV&a8}LF!3gzIrQ851yj9Ya*`dx(rwe@)!2k5AF#I;=k9b#vb%h1N8DunFh%Si 
zGAD~G7aOsYz3HJ&y&NK|AGLxRq9GO0wY>Xmx8SfgX1IVr&=zle^F3y-S(r86kro`^ zsJ7QbrH($+Pm4MJTJ*HvVk4F%e{Mkcp!2l}%?USf%_Ycae4VWJ`@u%Yby5uJ8*;}< z*zaBaYwj~##=H;6kCuiy;%@9kwd{ews*JP?HCgd7k73rUTt@57Eq~G%884X2{mm^j zl7$=PJ?Hm7Xj^kSKl&q$snFZm`$X)s#QyDB1gcJvH^H^15HLc+sIu5MDag1N7%}()y!!VjpEjamkGU`?hzx2$Z7vnQ$&K>^n!4Q|P?er=Oy%i+lqwK&!XGD3PL9 zn9ZFr6QlhhuwPm4Df!hxlL)?Pxjn zt1Xr9hBoo{nY1SI9Fn(>fk5~fgy!;c-lIU9ew1s`M>s3Ln;4$>=)F;id2{RI$Q1R< zyfOyzyzl!SjUt#?KER50>{~r$mGimV2%X{;TzJi}Wiz(@n-2(HV?KT`GjK3(pG`I~ z^TYf>j#ca=K-xO44FHRIqgXmVnY6sTb`zWg;vI@eG$**(sz600^60V z`VR={@NWhF@m{0oVmEqmKd&wi%XpcVW+R8ryr=zc}d%Drd(bm=^43pIZ=$3_kxH&o! z%+VYh*EV}A?0BbBs6P}vT<~m`jIx>r`V#NSx59!)T;WoSK!yO_a8&VnHQpBU`*xcb3K>Icf@z?W1vl+Q@ zdn|;7qbHwmACQVTth^vHtct!}ye87uo2drd|KRpJpt0truI*g#8JhXk1A|xVzr;2- zn--=#Yc2E7h>`}5&hW`}mz5QJn1$|VM7i`(KGL7G zBBfXF8@3=}dADZxZg0@jF6gqZGe0H&srdXMOmi7oFqCz`2h*gUN$NAhXC4$Tr*Ec! zx|S-s2xN4-7-(fmjI-Qgex?755s!i4!ezIdhyMB=f*1a4=_;ftb@?Oc*7k-ivR!N4 zAYX`|m-YD}d)+hVjk?76U~JhUdJSPcI*)B^dm;DTx%EkgtEc6y;LjSF8lk}lMWf1#Rd7N~4qd{yU)^Eu1X z19nd-nNxXkT*RHpPzqy$8ESV!`mhnLu@PRQX;u}5g{_YoW&I`-!H-0dGOs?+(@#^ z-3Q{|;~Ib_xw6S)pe9jJg6lGY7F)kjR=9$OeDsEkMnXhOn{MaUYu0A0 zCD}5hI|sVbSE9E%!2Jx$5#C2e)6yQ;IjI1%JN@hv)Isksm@SW}9G|vxBBi_2o{r|N zXe_JufbYC#r{snp4)-d}Fo>>hL$?{s8-xBDq*Z6-9@pz$clrg}+(w)(PFpHcBEj?}+8C19vS zA2JclCcnA#l%W(Y<@kdSDWgI52=xdY+IbdER+P z#CE;sQ|-at@9|B4cXo7!IQP<~md{d|l+jZ(d1cDnPzv_B<{oYW`u8v9J2LzH3()p) zAi2-b{Kz0;H1r?;`R~sHyT;%*I`N~#x(PMW5bF+(E;Fqsi=3mjGOsYJU03n;(jzim z6S{iaJ>~WZT+w(Zc-Q2U=JE2}5Q0=4A!P z(VOmeUwa7dy%p~!Ou6`IBWQ(6t7@HjL^RyY!_e>!JFbTDzkd<* z^hMd9vj6Eu_)nkpfB8uMe%v^Rnc3ef zM^s}%<)6HVzn1CWF+Wjm*TEvIIHn;iZJU~J8i z{~7upozwP9R#}Ntd)4{J8z0{ZsW)s{M~_ zS+VY)>bR%hyN)Mx-;orEk#U$f8b1JG(-fnxIs_w^IZ{TIC3AQ~@d!&(P_uI7q#!Bz zym!=oKH|j`nmp1q0VE6;jQ&j0KaFx-D6o9DkrkD`nR#I@_hLh*etPqfmgFK3@Gw<1 zU86$-I>44a5DmHlA!pHO`=@{hlKwyqF+-Gr%$S>D^je<-l+!y5a0G`Zk}xVgLa5Y#$d&#PE7KCo*XqM6mX60PM;pU_AFeV?VBAvbhHM< z+x427-2k>X7v;74tCMDO1{g&#igb4Ie4jznVSjlJyzeio6xu&(RJKH}-hPe>!sZ3X 
zt&Eo!_!&BLIRLK6CJ>-I;pkdzt}jr%T>IZ`0n4u;azda@s=M=YZe?+9(1rQxrN1YS zuD3Eplb$%>VeQH4$L{&D3UX)(FL^ep!*^f`OeU2*1*dRkJUv3eP8hqTqJ_o#tzlwu zX}eO8@Pr1<;y&LKEttiMb&8bF>$ZKJGc+!Y78kWEUItVqo8izEvV8fCoDjyYWWy;Y zkf-E|I{^VpRlh+T+tr-z+Ly5D8Sg!f8I>$|6E0>vA$azDPNw~8dA~WA&tX*y<~LEl zyPEsfoWTO^K~!fADegr78lcM8&x+66(DkD>8_$J5rul?T6}{#y1qmaYGk-3s^eqye zoDIw#hdvy`iEY7a8Vz6_W*Mfu906J?X?%59aRE z%v2}7{Bjd0QSEA0@_naq^6$iFri3DZxqJlv@w%bMc#?O_JWhkZ>s}I5xmEvRy8-zr zd1hGZy~c*5&T?~;uX#slHKJ0jb})a$8!>>8I}^fy467p`U^_ix*^HUAE!TLl{#?&t z4{(1R&w>;u^D%ZN4Ut_LpAWVETE(*+@kS0u_KFN9ye=#M91=C07q*FJSPy8NE;KiDtm$^vRChrC2 zuPKn)GrOF}GFi@I>|?sl8-L zkTPFQ1#MPX8ehgDAHHuoiI@~W&o>tUcXGp-8Mq7=oxlEk>I~4X&fqb_*Niie?~dv+ zG9qUB@HwbcznaAb^Si`l3+Qqvg&*+e*$wPt!IZUZ+|Lgr*o`=G;Lsk~2&f6nyHH5Q zBmkkU)@!L|=m6Hy$_T0c2Ozix_qaBM*Gd}UUk14?JOdkl^ug9Rc`haep;O~bhhZDI zJDX-@7%_4O6}Rk#f4=I5(aV#b47!fRzPUo;C<;s6ImhK>q}f%bNE4D+%gGdR2JemLf5XO{c$GtX|DB>qZ|EsHGl^LTh|bn3yEy7@3> zuV#Stz&6IozS&stey8wAw~Q;@#C_a?D$D;3tVfJDx9#nyn{vHzwI^tc2;<|dS(okPPck{)Nuc-tOqQj%U{e^1^S;< zMmcMiwt0;MS-%9MN>ax8pokozmRfn5m`a`=MA>$$OHrKk0PE ze}J8+H_M^x{buk%f3d9djrj|&0R<{CSRI0SzUEh^EOr88jHXMsw>Ekhf^Kkx6hZx+rjho6|!| zyA8lR{n>a_!nsk6!#hkCfRvM)p_ew+=DjB|uWRN}zTE@d1l=yv@NT(A*xSdor#3x?LC`3{t-ywPUA%$vqNOI~7CIUi4u!sC(VLYAm09rdjfi9VJ zg>-$BpxfRdTKjjSEI2~Kx$~~F*Hpt474a*B#sbNLw~_Y(KLZ_vVWIFq${MLjQj!|} zoj}X*<@Hjt_WY~%fvbQ!$tq8MM6`4qGG=8_c5f!7P0b18lF0Hz+>}2T@rl?iL-pPuhv_oU!n-2}NEBiN#4pPW%J>X%2!;MM-Gs zN!LZ)%JZ=CWjLl|);K}?WqK9sqd2?E+P7KPAd}ro#LaHwjM!x7ZLms?8j)7=)H(kc zP@TeMm@SCfhF1eN!e_;62J64BrS|f_v05FSZS$r){8xj`0Up!G%A`r z%Nx+*;Ne>>T;yyp1NbQEE&jL*P zxc>05rM^J`atsqimIZMWYYd<1lPcdzKizInD-bv`Ew*Yk*|bZ)-bXXaoncQfyF}3B z<~Z9#7;s+DuprptP!=4Nxb~W3$spLm>NIlUdZaWkO63>@E?DZ9%rS^|diLlxmfNMR z1Q{r)^xJSpRv#+-tMaf)dU+y+;AuqyVrfxNOE?aFlxLvCVCSWj^gcp{F5pnujyrwA zF&?WIHLx@%rj||GuREbC(Qi#^O5jp)42o=HF5(UmLL(iunMQhl;Mx9=?1)~W9xt)T zIrF;S#QF%EIIm0HL!6nz?Mg z$C1==H+=V)s2!6xbbU*;ZIJa{kS0`|>XST{W|BQMwoH$^SU%Ij0va9h4O7~gp}jPc zy`Wlo{!#sfM#v7F1KYR$QNr7FMLb!@m-EKnzB|-iVR4VN|xHbXm{#z_;w92ZoH0( 
zJU}|K$-Q+N*J|Ym^dgV{yuQpnP;PsLg+WPdg2y&QntU8mYORYnXVq*Pw0TOG)ile3VBh@sgjX1bX|!OAJHc{&(G=f*AR@l z_m1_(y!aOW-0}N`P`kn7R-aI57^1ood5fnF-M?7dj?h@}?zxy1Z2GF~6C%E4mjmfk zFc)%-UaVfK&h%h1p&b=CrGxPg=_$4gj`AH{*}Q6=m2DR8PB(3mtf^E*gMH&;!eo5) z`UD*gVaPQv?fio0d%D^Kdh87^%JG7F`MDoGI}Z!0tzM*bF@B3Cb!^$qXuoqXd6)~! z3Q8X}p#NA-`uuMbtMMF*jODEfuZj>vnS%LJhW}R3vx*Id7fDAHC-+`D46!vgB~;@3 ze4!q%))e0moUzZ&2=P#?<+Pnq>i*RC8e#D=m0*|(ukOKM-$L9W%;(afFO{U?^cwiq z&HNWy;tbah&@y7vgzNS3;Y9mSD0UmDrYe1LEMHJcwbogc)4){j3nM38M2A9^;)jtC zR@E96xCO1cOUW%7GAqH^<@LOP;64%5XC%zTh|2;R!6|VyRFN0L*slmRPNuYSAsbv7 z1O6MPjTZLl5IFGwp^f5W{0t;K^#?)TUNV2EW41s_8zY0sdZXvFQhG%zwhRsz{?b1# z-iSIl%RsfcVg(h1n?Oq_L2;_`egBC{cA2TKxl3&BNA;gO6P1Qc;qEixDKXRQ@hQ$j zGY>2|fA_T}1#3FBJBat%RjPLH^PlKQ;<-qXd#a@JZK@HdAoU2e`60@xm*%eU!30rs zAI%7i!;Lhq-;ldE{T&_#ea-wV2oii;8Bn5veJ2?Ju~yd7sD^teMp%h7Gwy})!8xEF z5Ix=rCITtsv@Kn3#v6j~MC=R-NN?))HfJU?*eGg4Bn$o!nmzaU&BIh)EiX~4mB9dRAq1-43Vec_u#gq~0u1oAhqwN7g(j&XiX zQC6&WlR^>%32i9%Q4OrGhlrUc-nY4S z7VcyQb{K)JW52fWsLrz}G}dve#Acw9ZnIILIPT>)+i{De10&D&vbDh1w_$He7+qV7 zMV=bh^FGJGM$sX$cmt6EwpU%yDM7AWuj?tixH-h_i8l{7CMPW!W?pV>`zlbRSP&Td zdt+lx9UD$ErXLD50G^#Q;!_*9^^?D=l|jf$Tig47yM3~WsuL#rA1C&tR&rXu*0;De zUYyv>6yMCk&UrVG*9DMspSM?Nm!O3kvmj>=-0HIld~W-{R$#WRbvCZ^+umffs?+70 znb_tGhuZUDAnC+zP~Db7_mBhbR}~WC-Mx)oA!Eg3rl`UNEc4ix@40wy>#DZY zX5O<$g&<=|#KrBzT~NDLir2X_OyOUWziEW9znmnCUa9zg4IF`4!rESf$Ek}ezL~xy1rjD37f&A0!I!f>z?+S_X8~MM^8S< zTTf^tnF$xs@nS;#VO!y#C6B3@H-J(BG*;$76;>ok2c_ z%hTZTm^I!?c*8QwY-}L_SD>GAq$bLZf>1%y7x3-zz3>sJQ%AW6!(_u8S*1a}a{eL8 zHzo){lxqOEhJhQ1 zu#LUzN;*pV@d8E2jSDhedyJsC<`N4Umo8CNyDi9WLAyZ{s8Q*kozVYCf?~kdi$JG> zT*XUyGOR4rSSZ&P#ovN7Nu%;@OJL~3in~U`D1_1|Z**~zi(n#l@_IuA*amtlcpzBB ze97>^5|U;r@iS8f<9Tm2QN-@L_cI!mK8_4}?Q$p7(1I^kKQVqmGivgm;Hs^tm>cTC|j{d(-Gki80b^s#;*MD5z^?nVnzr@xV)S zO5So$#89&{b)VIXk+3w&we3(dq9f_ST&KqQn%Rur)tU|YV$fxNCz<53g!N*JfxOvZ zt%>t&?z3yyqmI*Oxt)35r_qm1S90MOQ#Ozzsr8zAmmT&ycvs-;D^E0yudW45aE5*;9uT}{K>Zx$Zn7A6z7$v@j1v5vGO;s0D+1MLC?wj-kq>xizSV; 
z)upq2v-!o3wX>hk+iP|n3FKCA3_+_NytTHU9Ko^{)D}pm7)u}Mnc`srmX{MkWvU@E zE(>}+&A)}wZkQxsdR(_=mm?WB}i5%J-}P(`7< zm3BLwmC9U-wO3g!02owe0Ahg>fYRAf(NA0VJEm6?H<4byVsm7!pXh{qwL}^sBT(5b z*y=DznK?ZWzgp?NPp)WLa>qhoEp2XD3C_h}E9}bysU=v0yWLtbEF9QT47_2-J*Gn% z&SatORy624#AuG;hfc{aqz^!hBPr+VY-d6@6a%0N4wnH$xdmq0nwhE*H^Lu zTJpk}^e=HVlhSzGMM`uB#Daiqw3*}s92S~C= z!%n!B?kPL;d6{ARGR`FZ0@h(CR0@QPossN+@l z*fr5k*T?o)p~&3)e^uO>F2gP8187nM+%DN!gkSVqr`>ArmWw!~-nut%n3y1c8gPm6 z#JU#}U%2(dgG6yMR%L{!`v;IA`K#kqXuk{zX{pJP{I$m3!Ku)QE2(CC6U4)3g%Nc9 zZs8=4QDHXn7)vj~*B2SIjnT@hj+~-PCLY)LGx5!OqATN(9D{DANI^^ZBeDbyE7A;2 z_z5$cl>n^`JPzKggB^E4b-&~+i$ZR%lbT@yCo3&lwA9$;3Jk3ey+HMGrPJlvz&Nm% zn1Z`-{gLi6dSb{h-mbU;s>mFGtHU7LlQy5~7kWFWM zPSP%b@BK6;~W}i2f8}km*rd*Iti9ap-CcHQ^Xq^X<5k6P2 zqKTLAg-fN6!Z6zl$9wtZoRcUn@^>r9FUUu>QRmrvYarfz$MlDM44+SDYKs{2{Uk*E z%UYH$6L<{s9Tt*>vv&81XnLyC7ACz{$(l>_hf$@7a>Cq(AB`7t2Ffm?XJd@m!EjEg zcv;%lhiT^po6kn*^|?FQ$FC@hX`}!O_pT`igfCoLUC|$XXj862R&ml#`ve=T9 z$g@H-)UR;1xPF&X$`w$N?G%#p;;-?2_Vjmsv@>ln)wyPu_~G?-(sbpXxjP1tb~_C} zfUa^z7<jktK}kf5jnw(OWRy|;mpr$cQ)B1X zhF(_Mtk=pl&czysS+9}hYGajEi*epMY#fT6if;l4QYej^#jlTEBCe*|<$g;}STv)e z)gj*1UzBqz*>FmTXzQ_NW;#Ea^#|b=NgWlD%VK5OT88y(i;1h5}9`2U>mGCTZSUTN%JPLU2Puv(y z-TzI0@%XOH44%9rA3o{Pm1&ygyo{_bCpAnnQQ+uL`Z z@bNTG)w+L)eSvxd{c3&Xu8bAoyq&e^_mmC_O%Q!RLW24Vd4?#Hf0)aPj}W1-Rql-# zQ&u(RN0ap`pE%I9r*7<-w$~NLY=%`{df7z^x=+itf9SO1BD1{v-6n1)mQf)hBC|y2 z;&L>}7FY10Pei&|9&Z3UEX|~n%jQ6C2ov2%m&Ikn=a6)WBqZ-;99c?JS@mE=Irk(~ z{7SPb7($G8QczAgzKjl1`YmOfj^C@cVH7PUX<<%~EoC8%>$FfQxw}}#0KOD^va0GC z-b2Q{jjL(riUxAw3m(>fe42<`>~xVKhZHMm2q)qQ5()eVuw!c_9Y16R$)wHPZgqn* zF+n-OgsAr5(_DN0HXb=kmf+dQlHlJ#%56gA3~z&-yQ#N_FRzll#1`@7G^N8dUgY*7 zk!h{5nL`E^rILrFd_!%+t$<8dR^HY;+?h zxw}!7{dMeRYNxu8Gqb+3O4_1H=A&5u4SijQYK1tDTndz&o-}d@%($lS!|oUCbs;+c z)mKZpw6!Nn5t|WMc}YHy-noZwdL^+wpP{doqFFF9-aI>xOS`Z`Lp)RXn!MP~dh2-1 zVen1zPT^46?;I&^`=H_XYtrJ%BU3cZmh<|9?rp~A5_y%s%eg=lduf#I9BP0SZAQ&F zM(lF8od*2dxQWn-2=`dLx1`LunnLA+dc1te!uuPqQ(7=-2Fg;<6sb9THRGCEQFx># z%n=#OmunW1Cdg3Wk}9#UyHA!8mN%0V*Aq@cQFkSDm5{YKbTfw>8Se>q8j>|vw7Qnz 
z;z2eT)AKtpUga?r5!wHTxwnq0vTOUb1yMl|DM6$|Fz8$~NO!1| zgmibebT`r^Qc8CtCEc~?ly2#C&&&J1pZ)A_yzle6zdye5jlpm@L~+Hn<~8Se9_R6+ zLrM2skPB^;M|WGc>v}Z}CB(>lK$}3)!=TYdc+mx?n~g&K$$~3SWi)FYIE^EoiM~ug zeivRIxr%KCdy*3RzVAf50l~2zx%FVJ<(fQ*pd`VHinhTB#&;Da7FrytEEB`##XOJM zOWQyk`54sRKZRqEC$51?vOP>G4v<0g#4K+7^l^Zi7jHfqFsjKm0OEV;H(6y`lb z>9t6S1!aXMF+qt&F<axiV&G4y<~5e zhGGU3qAbbWrRZFH$T+(U|eT0tB+oB39kMuIz)Mwp`qQ(gK#Cz8$Z9_CXh2S8sa zjrrz|5gv#x-1*!P2ov3=BHDlwB!r#XA3r6U16_WFr^nROk%9b-NUFP4-U?833GoZ2pjxm^YCp*mo9+f_AfkS-wZPu;4ZOK9qIoUO~B{i=AXN$@8y z*fSmou2--gNa2DXgPgwwo)X3{s2U}`O7U@6zr+G%R3Dz1LYM&v)PSE&=(*38yPTuY zxKCi352e^!9loHdqcXA0Eh(ui+v&O?D7Q~4D2*lHuoA#=s?@WQwunib)S6r^H0u$z zrptOhwe?>(Ak7ySp<-$R`yF9m56@;J#sTR#Bac<^*CiDQkp>QNzBRH6p-|U>K zGTJ_P`%*_S%4Ow9q5X=3Tzo_{jSjb&*&WV*N{|0SpI1$D9=iJe@GD&rnWgY!fg#0zehvPQ@5)I-pcIN+9(0NR+1Dt#rx#!; z`{|5cf**weRojsMk(d7GhYAQ0U=Qli<^#OnccVcWh%bj;qW=px?mb|c?25;}CcO#z z`BjQV_|IP)G(fu1wMJ*C{|UwiEqtKTB>}**w^V;f?m@4soFBw8E{YG){n2&v`vrgV zl+?5C1-A5`M3MdVxSk1uH?3zs(=hHozuy1;-LF^?P3nK)gjd4vMZPtfcdI+V*bQVR z8NVd2&3va1vwJst6I-S4%{!hdzb+@t=?akH>>0VK)mb$9VF{a0eo^* zTt|a~Bj1)Ap%jKfV4<}tW06L(#u8KbW{sPk@RVX7^11=hVv+93n4$pSh(dqUS!V~V z(FZx%J>knoGd2S?Aa;q$JofJce*k|9hMdbcnPQXA50aYzn6d?;Qe&fAfVfZ5lE57T zwLr>Jze=G#bhqH=zyMDQ-9X?HfYz@_voK^Eu5sDVXUb-JJ#P=Yuo_ITn|IT)*91~K zSbxMe&bDD_C_&QP{XN-coISy7JBoI?Z4ix>Um$${=|1qC)kMp1c9{XVsL}fjXsKS5 zBh%6&?q&qj{XD)GNp>ap%nit;nX-KkcP;@bfhB1LFqANLc-tswRo8+{&>65KGwWOf z)@ZH(l!yzV^EaoqrWjd^!V~-!Uc8m3%{-2T<6Lh0aX16@Jg*GN4WDZE=D2 zf$Qz6?{P+V@2F34;cL+vYT({G2MM3JFxSZgxBcdOZ-dgky=qwj*!JS^<{;cd*EYmw z`u^5ub)~oW#iSXCX}&=e9f&aLn*}Tm1Vvf}!_Qf`1^{?v(k(zYB4`c*9#bEkA~VM} z*XTev4S{K~=QIeVt=H)QV^I3RXP4hW+T#usMAyM_G2n3%oob+2oh_JslEN7~py9Z9 zNAm>OAl6c(?xHCVD(cK;4s5xuwC&u3cK`*~EI{>A8IxR|A4gmgUseF0WDO((Z2)Se z!qQSEoyppZArO061t8EmKzrd;pxUcX)|AR};%s#TMvd>h-76= z<{RBET#iuXeSscKx%~$afe-&OhZm;MuSH4HSwRsXkX$Q?$EC6kC`uZ{>OelPe!hQ1 zSOlwf8!{ZQ)bysj;A30}Y=!te!XBhPWh6i%Rz5%XA}@c*{rXtx6ao;4T=$!IfqcgH zWq$E1TUG~PrM=YAyE_djMP~t=x^Qz+_3d0QiPc0=FU9gz$t6Lo{JMkB+nddnukZY+ 
zKmxVHCBQXLWRMpbg)}evzAQl-?63#6r40aPG>;U<6)$Q(Z+7y!=%^Xci}AiCKDxp@ zz`cyok6J+y2Kx>BHHO`Q=e!G`N;{Z5SS@&baX&hotHIw^eze+7zv-9Ob3H#Ak-fel zvjm!f?{5_sIZc62{o_Uj$0v~5qf!2y>^(pnq%58sByF+U5<|xCS>RIJfLxcL%$ElBg9z<_|OOd!dl=f zolF6i%$qqx2b!)!PH_$oGp1$lNBm?YADN;wXrsHBsL&ra~f>#;cV@dbgx$uO=J z^-3z->cV*#VDa=bKbjf*@A0rzTzpd}H!2GLOnr4B6RK%0+6o3tel*grjQuSek~Aeg zc$lq5R$CJ+NLgwWPWscsMf`#HPIh)Am+UMcxx@cs{hTkEw302u@saz8*_Ck21 zArx#hfN^twp@-4M-$vEK>m@s?_|B~2h!R@{Gtiny*4cM7&h#>P!WpcF987dl60`GM zzz`d*mse0JQFH@I+%y`T&yf#7UQ&%T+hp4;fd1Th$sce10&p8TW}J>dNXO8JXNpLw zNR@-c9#>WlU{$FN#HMyO@Pe9J6=u_HYLwSRiu-G>fCFwXsQ=j=W++BJWus!Z6@fBi zN>8Gr(?i|z6p>v975oEZXFTy!C`;Q})X$aZ9?WV%SKx>jvk{w0%5pUzl8#{j&vDA# zN~RHX{7%88wx*I-J$YW3SFL~tw8lp_iigj`b0I{PrpWY`z z*T9hT(;YL91jI+i@lp9$cMH6sLL`v1o+lMVTv6Bq?phS7AhpNV3vf?TKKJI`B73+#aqv%E3X&|$+43ioZu&q&UMQLHR6MSTW02S zV@~vKo^cMw$=ZF49~~5@QtG|6VG`I<9|W1;GznXlcUP{p0opDdz3leLe+u$!a~+hb zRifE!d_4NS{WVVb&_ZZ}U(H61xFYf1-gw50{iVv2p@hA9b!z{E{_xkc1g+U;W>v;R z6UV&vPftftUV=FT6M;9n;STL}^4JFOt{bDz;4{1;dFvqZ&0^-Tu#d2%`AD{OKau%R zhHqMUM0C%3J=t3ZM8Cl4N^UQjR}YC;kl9#`7H{SNdl|;kW_#-(&~XH0htUs~J`}>D z(ARX{$kMnHH5IXJ$(Bjk)YNryda8Z?B`5VKX7`ELHeS#bg*G-qF~HRuv4i4PtB-ms zpR`~tv1ya0ysd{FDwr9ynAKRH32`$qrlETezJDcpD+FZq5%+hWg)xY}VIXpbNk%Ny z*0%CQu)YWL2Iikb*}5kbIj+-X{NNA0*tMT?2PXQVt`Td6bBfhk6jCeH_%9hYUI@Eo zW8aI6D8*F3>u_0-5@;A97O1f&5y4IVZBg{#@ zWJSK1%5MO(n@KiTezxJ}ZRnCrFtJz7vIM(ZJP%`SN(-}T^tYpHcrEO@7;ovLHIIMS z+ifxR3fw`mBtM5KSYYN_%{7&Hx#X%8x|Gv;FJq}-U=07g!zGXK;b+{rs$4Ie^Sg?yJo+DT-*&c}my{oRB41xY^?OS>eq(c-7Q z@{d_Rurd32^Zh5RV0od7>#?@|sCmP&;@*47%alfh(uKujI_Sdpv?h<3lvI*&$##Px zgWn>4{1z@<-_YIZSQ@C5-|qGCOZrZpraD8a(IHjntYY4P?1OWc?_T{w2{x-Wg+-w@ z4tFvfSlRO4g2SwY7?e)&b7Qxa{D7{~u)@-rY#x*63^i1&b?`D?OoclP^9^YIiPH({ z3gkbPAjPp;8W$+0_{s7l!KeqzsK+&fOsqs58+VspV**($vrykv3#}xfQ#`x%)*><$ zvOcm&zPGX$**dud7Lj4(mR4qs=ChySqdvAmDmY|A)8PJAeF+5T4TIQpG8gCfh#i~K zm?iCG%IS2@e_ETTt}Jq%G`z73U|EzGR4X-9Sj9vMnuN8~kBW}OGp8L)9R%gvCdFBf zH}H#>)U6xiYQIhOlg*sZG^JXWTt6UIFKvB6r&mWA?(?*!u+$9i(>@qOIVE?G4@!}d 
z-b@qjYVm#cj_|qS^-HGI_1olLmQS<@Eod~a$-9ve9(fW7ie>euS+=0e1$v9^n6@8_ z&x!_6(sG3%3yEWE5j;5!FYD**NfR8O1bZwu|A%n#5|JGGQ(r-J4oU;efSc`bb_b&)V%%n*4~%yMlKYGC$A)h58Nil_>7R-O%LM%yqve_o@fhk0m&))<_I)DO4p{ z&GXlbRvVz%^gli2^lN6wxszNRkjo4f&PqMY>Q6G3?vP0V`uabw(*sMER;xijjr;Ro ze)7EhyfV3`4gZZ614qJ+a&jS~OHs2*l)b^ICPtN%)ALv~j5CdwHrjGMoL9m<}ST{lhip!q~z08{!FqIGc9^2t;bs5ai^7tFoelg*+h|rQA zu3(J7Ge||_Hf1U#hD35k%0@x+lPUO?v@QjGM`nJ%zOAzF()7hv(Oykt?1YcxyHk)G z`cwPSlFn#LSkXGSd)!y_$c(;r+R7cFjzOxQM4w{g92IJo86x_CrjeUofqb(af9?SJ z2X4hH&P_UX5C{@)xSQ!`X`o|?E#4bHnCUEp)cbUaik44}uFLKb-GBojMhjAt-h4v7naq#hY5({!kC0F! zf49BBWW)Fp{M7&O6WH;KJ(h`xdNDPa`-Fcn{0~&Y?qIJ+t+7tKn>Y_cM2&R^#N? zxeajnyL*YSdi|H|wM5sTaF5|RMGk5)m0~7bv$S*n8`Y#Y7Ul(nV}L9w zoc_SaRLSag!p%;dWs-wfqb_XhK3aQpJ=-wh^l@tH`}*qfJ22el$6t65t%EDe{k%)L zS*QoxCaZWK;I+IMstnn|Wo^UPm|Kq!=j3G~zqdt7+!6Y@$98oD^Nn%vv?g}RGSbT= zkss7wlJTQ)_jVz%QE(P=Nr-2dC73yrBa!c9iUAem%0 zbdrfsxn_p?v;JC5#HC2#q3F4yzU{kncj_7oxx4*Xx?j?H$+T@`pFXMyRZrBtJl`Fv zEK0_U{rGqBjUNlKya?>qmZvm0Tf6l^>-I+Gl+jo!>4u%+YA7x=`tw2=bOQ8(`oExUz515a@u;79Gbc2 zE?Ps=YDu-HyYu21JyeA;`pgdf!V(u#uW8Dd$5%H%s8qTZCMgz=A+kHFa=rr5MSO5a)GWhG%Uw@5f~ij{|8fT$X^bk$g^ z>7~FM6q&~`B^;CeXJc;O7hXED()gzurJ51=t-F^YM8@qriRgm6(fY6^j2&FnMi&-1 z`tnne&-TCHy}!zvOUSw=Ya{yKJ?U5oVkwhj_qYaB=N^E8!MX|IL!Or^fd)?}V_r#? 
zYE;)Zf`W)HR=RZGC9atZGofPMp^Wj$U(siqULVM-x4ddApCjstyaz|Dni`#UoN^^* zjh!uAE<1tyeO`)m?-v(6`mG;&FfiJOqKvH8K7B{GL?u)7q`B`t`|+>Votj;&LOtg5 zpKXXzFe?xZ;2t9PF8Qd#wk1lHGx6?J>`)GJ8|FgR^C?f+m^9(5?*-AiPjm)FdW4H# z3GuVMms0YX0j`%0JpcWs_^Oa0$*G@)F-C=E?PkHqlI@SEvJOG~&yKJb`87s}xO&K- zq^*$|J~_svz$oi09wTq40k)p3jb?zR^+-OtQxfU1kc!X?Avw;B02Uv7`T9&o!T03{ zRZC&s=+DTP0u)TaswB-1>m7b-a zBE{Ki9JI5b$>9s+H(@XP7kVEL>Y^ft<~p{G81nc(z?@G;#eTaS_E2P$Is{#mkPW63 zo004m7L;t&(Q$$fTezi3U%iV#yD?J@LOU8riFgXDYt7+r9bL!HWkxxc1DF+=(Vq$J zGqEvWJ_$2RE^?2|hUUXgjpjM-sofsc5gN;c6Qkc7T{P{d&7|lU@-C_R@-j1Z^+M!F z1e-au!UYu(4#1>x9e8=ZlvIjPpP%#|b=--M$HLDGtQFK;Z*atJdw-)=Z;yotL@ z?$KC{#e~%aHR1U(aSa$rz376WS`sOA5-vuIH2FNj^*Gy0_R+L2)xPO+ zkuDMF!^qy(><+nm0(Qk*nNNzu=BC^k3+M3Qe_Q~gOO6Y#g(svPNr)aNaz4UDu`v$C5leEBXLCoQwrE)AZJ$anme=Gg>46qx1ME$m;YF^+Nt47pZq5?TrDQw zf8XwYw=0*B_j`NB`a2FV*53OV5y~2E4T^kz@FsvP=HN#7-954gT1lrEsV>S<22Xp6 zi@0UG6pui>1*K|H#Pw(?`QRY3rP)vPW*4#@v5V*H1L+SbE_f#fC)ORo5fWDh@h>*T zaFLsMrve#A_=8xEtBw`!TT9QEn32Au0{(G!mXDN$nuBF)Htw=7e~d%b2!He>hud(v zanRpWIY^anUSjVGHb!(l*g5h2zj5o(Rgy~M{4TctRdVkX|G?rGFk@>e+F?0Rlc7&V z&Y%5ocnteNctpg2*j6}ccxUM6px^t3e>L8M$UZDH_t&F+@)@c5{hcTbQWpXNNtha3 z?=G^iB{j!8RS~33Mo%h}f}JN1h}RW%YkZ0HBu33k`)gUL%$2g$EDGK2)W+S6tAwxt zXx~JYrz^Y1VbjkIKd!LaE%YdesG#}HY5em@J7sRkUnZIqTA{rr_vGTr$+Qup=L3`6 zkSM{iV;lr2cZQ3S5JmI6bJ9@|M8zDUx8foolLqzLzn&)eHGqNvB&ekcgwmM9N}>V- z$t)<%JBEgV-pA7#h*#=n1|q=JwsAavu-l2<)&E;}&k~BRWFN`5^6XV|{x-Ia)xb9W z5PQx?Bre;Ge3U|k$EL(zuKuZY{B@F)d*&Gwbf1rMbfQE@J&DbXa7V%qD+1c=HMNNG zKkvqCFUxkL5{t@A=`Y0or&e;h049V{gc9J`5#@t^9uwjhv8eByDKRp9bEYHU{6bqLQE46+ zI|b=|-bC4iz#Cq7e3w*Az5gd2=Uf8BpoKz$-6`V)OgSWnE0lyJ38m%iH`T(5niRD5 z9rP;9uSKPkcSNKUUl+6xWQ}X+B?7Qqh`#|#4R~CvwdQg$a(Y6f&H%+`@j437DCoDC7%D`zx%fbqx=k6Y(e9hOtk&~ zMT{h3)#jhU2oST-^h$sq@${8dVtMr6C5Qj+vH#njOZ$LjDxDi8Y3kwSqnO1C4eaxu;|FY-* zhiu3HpA|y?(gt~8#*bHpC)r*W^!FvawwHRb#^G>N27<8R4{RJB5GvVU<`DhKNA4L9 z@Fis#e8mz@pTmf^?ddb$jBc3i9pI&{)7d<3c7$)W9+)3xPVUw!bySDDCn(xq=Kk3a zriFg+%9mlGbPbI7^8-=ymaMpHr;*j*_UOIyqNJ0S!~VXMceowwP9j-#i^q)km)7T! 
z-)fw`AVL5`9_AF4>M9y`B;rtbl5ZZLKS4|H^0x79k3D3|-V|ykeMU56E z-!athLMF5w6o6XzPhS?Pp$5$@|J+$iev|zfv=1kt=J+}8nCstbL~a$*=v+}%j^aJV z_J33Ov_c9WsM*O87uc_6)5kgs43QbpP&I=esXGj~k4m|o0(>J^5b?RMqe2zIY??vx zX7@f4lP$_XLYxlieJj??tomlIq%%q-H@dk9itoDg3LB` zyFS=5mXKNJ9WWiuqSDvP6@@F^Q({Ky=lkWV>5(hANb+jq1H$dU;03U?BCOK^`(yR( zTB__Y;Q2Ny9}u>s{@Ab`jQq(N40jpT%<-GIrQ%pMh;P}Ui+aom84RUn%9TNYgB z9q605TsRz|PS=9Ci`nsa7CTVZBOiUu53Jw#!r7w#r8p?kXgb%~=P#~-fWIe&i8rab z9wVr6XOjNtL^I}fJBmvRhj>asoGjKqI`ivyviQ2~q4ZPg6x*oFjhr+l`{5I6RcerJ zs`D+>YWXXAniX`gI(vZ6MERM<-RJ*+7eE>dfERAW=*>G$!Bfe}nZ)CKmiz9rXn3Xg z#z2bw)br0elrxITBs;YdMUPz>iD`aSeY@_1qNR4BBz9(leze#ZX+`#_4ij4bG2Uv~ z{!p~$ii%Y@gATsW00@tpEdb?WbKqw>2_ph3*#O$5Jv@VCtKT37;To8Nrjr;bqgNXt zdwnTG)MEgR-qX7jRE+|7 z%5GoKTpjE+elVC4Hq zF`#f2Txo3VV2jNM$)7bSH-J$AuQOqy-s$kgmJc?FsVNS5^^Jo6KnYKAmQ(i?o?S@k zt9M3OA6wEI=@=01-4WV`;(?DrmKJSkC;7$-j1MMD2xLU&Kpi9_8-Do{ym?$moseFL z2Rwaq@X-o=N3+JleH6}nVW^~{vXT2)jRH)qmuwAD9IMfltki;DhA{{xaTwJkSLHkZ zf$c#{YPo!d$y(S7R6-)u@J)-#fn$HcTPdabfa58Ls1LuxCgAc|D^hZ_0LP&l;$vVn zF@QB&=Fi*)Lhm>5G6UI{bjybTWa`7Xw(@}isD{~RIpom|uuve%AYCm+G`R&D{45*b zO)Bj9>tr*{+abtB>P-Km(XReQPu#-uu_h>6d73L z?f1r#-wmSk8dFt>;*fE~(yfOnl@9g=0l9Fzf@j{|RHYW2;?PxRDoyjZMd)ATLVs0z z4XT5MLG+OdB4WUY$qX?`x%wbOek9dO(+vueW%Psqv9hPJ$}PbGi!4car-A7)CMw*q z;Bv47?84p1pO1%_Lh8${18ds?N`-02gOUQ^FsrHY#ppN@a&D;B1F|Zt_`uk-m}Mb} z&qJirT<|F}-VmosE(C%Sj&SORSDTWR*TSa4hLp=KnWNV!0RyOX)lH%wr!O9I?|(43 z75p1pV4oeG1#gr)8^9K@ttRtTnD-ukc;>q_{Q5f1eCwi`n<)_1NZ}&)P2CPtt zb9|+bT|x5Toct}%q^&U12SUGID`D7oW%6Hp&q695Ul*TM==3d2gbt8}j6y3RezmNd zJ>Xc`1!}PV4a#BIO1=Z20$@mH*wr23Bzw<-b3ZX0-X0o;wJp4VFJd1sSe*)SYDQmL#>}+ z1*`)&8i$*inhPc=H${PqiIa z@@%UNv}t~jY5DV;6R!5;lx^lSP4k+SVVUmN*-{4sYICiQB#S&=y|nd72dTnI8xTW* z?%Vr0RBwld@WPN?yWEa}&;`8O=gC{=caCL|o;*gFDrTRt^!A{qEW_9vg&ieDKQq%J ztf$4shQkt84d<~jnvUD+xc2aLwV0M0ko~8cz3;hDYs4-SNm4;O=M^D-t*{kawsLxM zIe#R5_oGiXWl>p}DK{tSoRcGDd{S0LZajQ_x_P*vv&<=q4g+cRes!mvA4e`n-1cGY z#!K5r7Ep5;0|9wZ#XBNs!8hF&EI4(*4fn&xTiJg_vP5d_!4e)36P5Y9<^W>kL|bIc 
zX60zm2Y!VkzYH+6P?wdDO0Kp1*oKq$+ET!+a13?N)|%{uqFo1sydTq-*4JZ|TmeMw z64}W`-~?6p#tlT3q#_W>1&jyC1V~MykwvXwFl`(y)$c?6L0N$k-UwzfW&r~y+AD7q zA_S=ONWkmr2z$BA<;9yp;ziJpWy|!&q559wU5snhe(fjtPg=I_H4{)HBvY)*d7`FJ zLGC3xj4(CXfF9e?_?0}(Q3IszR&=i3IO$mtwFbZ=<_F}b+1`RYY=1!r{(;4nOAv)1 z<|Iw&{v~ADWAjT+eP`;+cei`U7R*7d4nK(s^%h~YYRQT#&tEX`_u_HBkNZ6o!@_BZFM{X8lPOk{Z5rWMN!V1q2zMUYgvHy)e0UZV6kiy0 zKf?=C7z2ZnR!b{xC9SHweQGW>A$4{#WpWmz8SeJlDk&*_Q|B2`pXbQQ=zkF~{@8o0 z{Igv9DVmJDtL%aLD^R9S87#!OZP*bDv=p+S|y`J1bb5^q!YXt*eH=8az4W(!FeE#8^}HF-g7S z=zf4+E@e{&%Eomx>{8fm0A;AD46YPR6He#AXgW_`Q%EhcqG^vzF`?_PW^=m9;2z+C zkU2OO$p+rDu+5ZunI} z=hN&(h%~nG^w%u2MumIRw&y368~2HZdkmEN%ZQ6Wc3#6P3-BX?WEQ~vwUF`DbcV3v zoDHXhCAsM1sr*62Z+OAwbjpPOG(FagFTk>wDEKix^`_6X0xn}%?jDRHD&p8t0v_kP z^BpxQK!TV*FjkKNnat_@&5r{}gq8Rq9T|HSHHRB>j#nE|AP(n12;b%kjTdtzkv1r0 z)Q9^Pc4VMquyW{n_#hGMCRG-je4S7xmX-L?3!_9#SeeSF3ykLxpWUc9*;&^@`G)0B zcfoX_hlsH3R5y2vkTo+#T$h+n>s^@=(Stvt=dZ(TQx0!O@Thhn4_>@hms=n1Vm$r6I9 zR|0N?I3vfoSa>`7j)`MY=HZpZjr162%=q<>&%D5s82yp#Jt!uPE|?*z+>y>ce|u;v z%q+u=KIt=}nGUaWV@|*gIeD@P8z8dUEchR5g=6%elEJN$pYCY7#`zrvc8q2HQ$v!I zLaeA62sg1fN~KfvbI~OHarR)PDq-z86aEhP#1%f9{0z0!*!%9E!UGJX&RcmL*z$Jl zCpSkqF%7qoTr1f$x+0o*c7Re5!$q0fBSJXXKq>XP)6J3-ldZ%FfpxeC*pt**18O>K zv7Xy;|NS@BBB+ochlTXj|5J=m^e8f@plM^|zPMy&;_Pb7%YI6ql-WqBmwM(H^?*bv zm5$TxWIj?|Z^h$V4*wo~&Q!^}{_@Z`lQg;_cJPC~Q)94uSQkFqq$~*Qhj+6f6MZ79 z$Iuc3+6Zf>4~LjYS{z8yXr5vBcr)(1ZtfSWnaxp%;7%<~1uwK7_>w=ooU?3w5GtmO zc91A$KYYxz?xS1_uTU2 z_Vv_vAVX$wb zCY6%XCw-5t{Qkv>1_f%|@uq z@@V4OrU>vk5*Qz%E>XJdAKJ#4*3~no8e#@+1qA9wDx4jF|kQs|x zNo>rRKlm_9nH5^}6BzZM7aoXEGRi-i6JrnfEJ2mm=f1qzt@u#pxz&7JBk`W8K)3CM zbF%j>J@F#Y=JBsXuqb>aWR>wXkf~X`?Opkv?>uc|h=-nxOQCds=r3Yarwi-Fm*{t3 z2^gW_pzzDL@ZmO-JDhq)lfmobKh<7|kNjr4hs$A4on`T8!I^Nr+NIv~TNjj>dimgF zfNrz|2oish077_cDo05?aZh?X^Rnlv;`Q9}>jDBs{#_F`2< z@5Qs1k2=ltz8uTf<)2!N@0EWf_!>AgyHy5GPiUT|htwT7vh~lpTnjS$i5azhunWZS zWy%jg*tMDtNkAfZJz4G36p{o_av{q$9g>e2ioMq3%ouMBgH4L?ATHrsNKLXhLVy9g zhodD$ELNA8E$u6^$co#qpBH0(QvL<@iCJr<($<6l$yTcr#^R!>W`i%yr(Yd^qO`HR 
ztYlPTC*J@7eM;De@X7~^L6h`!P#%L0^d~*l-5#Io zU|!$OjWUcgCUMP#qy*cW-ae^OK{YNnbs_RYe`HBYhR9B#JW+~Rw{xkYUL#QnnG=F1 zn0vfD)IIoOOEW{KfwlKT2jn|KEZvUW%(gzIMS7A(AEX4n4-v#@VTB7&eSVbRMnNUM`jsKo?_^XWWU++h5Vi7g7eD7YTbi-zKgB?2FWf-Y+zAR z6D^MVhfer{wQ%!d8r%i1?9 z{E8}O>GB2lgwwxZ?#qncR9A;B7rq-esAXG@J(R+Ga@_tAwP(Enn&M(%@oe#PX0hF> z03-LFUYPOBriM$kt9{8@ANj81t6kMm=eXb3ODD?nNF;H({jgWT=-WAEwLPM7**#3O z={!4jegsUItrEv^SKbk~DGbxM08ihtwX+xo3I#^5!bE}Dz*xfwWy%^m1`jIkc9$v~6 z-c+n6n$&W{ET2T`;=>u_k26Plaoh-%9`@5JAJvAxBvALO?zWStJsgCb&e@ON8zbDD z%`MbpZV*Yc2Baqq5N=l#+@pTD3I^ztk;l|1gygY()7miFyDB3K<|vQ%Q~Z~QuTSUq zRxJ$n2@bujUGaoN&!?V?wsFYZnIw#eI-$?FY!!=J=RH>WyXGO`%b$JeO1Ng(f@%hY z(~BKKd*?fp!-wEN6G}T^gCe6p!+vH!nb9b??7)3Nkg8i(jNSkt^)ep}XjX^Nb5O`_ z#sM+@6>pRpS|bc8k#L%4#bjayl)j1pR`cCqI+J&IBXuB5nDbS5Gw8in{TXk zBU@#dr^gHtvLnBbO%@{7p;pR!F#wmJFAC5P;1N>CmacYvAq-mleCB*PtE~F{@6fb9 z8VY8}B=n%mKygcQ(f)>Kjc_Q$6yXzD zI$5g7B}cwh<${`{JnQZmhGxTA`v;0OZ=03ZG0Yf&XZWf!2PJ%Ap6<4fA^Dw{XxQg_a5VUx4VIe5KsIz?{a@;BH9ww!_8{e__p&YlbJVKIo!gXt z(RYTrGX>Yw7GVO4L6+zzl;7aun}L=7H^O|natY_m%OSko&J!K@OWg3g@_R6T(n?@C zuG_8i+gqP{GT#70DfV!*>E|&iMIMBoyHA5jt`tFp4$lLZrZ;zV-;!GMC4prK`ReNK z@9i+OBYuPOqjtc+ID^2Vo{=XM{hJx2qIWqNSc|XjSWXSRq)s-nnrhX;%wc2FI7s-S z3Qf!GHe4KUtr3c=?1t9VO!CQ8&(PDB555YlJe=No3w|aQ0wGtIh#d&VnF6zEo9&Xd z4tu-1(KUQ=(CWvpLjkHPB`J&*N=Wym(qBBPU_Jjz>;&h$t})2p(N8JZp-Nh9Fyke# z-Qya6vDzOz`=d#NZ}M(WWtG6ZQh5B4Z-;DN`Sg6k`?b9&ny5~T9QY=Z7`t;Drf4P} z7D^9^wo)Za=Ej2~5u_V(2Ga=!ibs})Xo?KqjMO1Ef#v3vAR$F!IF2h!kDRY6LK{ty~Aw|JlDlzVtR$+g>$IJno0H;>!8UhD#{s>E2BMr)`IaO zkVbR@O#6mmCmV8kOQ4Zsu3Q3upxO-6J%OGe=Yy2rzW)ayjto!Cf74~sh zr_XxZRR<`YxMoYw`~+8PwNR+u17K9wm#5*M`c6b*GpK3x{SloV41NcZ*3J}|y!$!G z5~t`2i!Qfb%qXePkKj((fl@KYVk(0C#nYC|DzLk1R)&$nD3;1-y?75Zs96aG&w6xw zz58l>QQr8y@;@+~nG znOZXoardI=(dDhfB1zO2%5;${!KUpL%tfo~g4rS4>^^Hc z(a|-o$Np%IaKp4Tcdso(QL1WrKieDE0j-$t2S^88=Ei}R9pV>wUI@2O&yQ*>Nu25b z?$bRGxV1KHdU`I!-fF?z!ZNaDTD|Dk&ckrZfByIt{(xo(9%&|->0#YK15-QmZTZhv zcWoX9F%yk6qDe`I{|LRjJtdI<&dW7l)T2z-s^EFxqLfBdOX3!^Oj+LVg8AarmGPjC 
z<%>)HJ~Xl*my6Bnw!IY18se>Zh4jSd)@=o}e7xy^&Q}o&Ktx&PSNxo(s5HS%GZ0_Y|C9c^|4ru>I%J=@XEKSF282@dcG@W`u=;j zQ3WNU9V3U7JU_#x+F-WWM``Je=ONOF(&!k*VBo632f5$nmVf<=P~Tf&1G+U7Wy;S( zLfLW6jX^S=1EQXu9vuZ$|JL{3Tc7G1`WmP=&ysjN*-Y|{Xce@bgWpJW)!!&Q*PqV+ z81&?84i4K};DRuBYuD%Ile9P8X*0WTTJGu}vZDX{;HzIqz3it-_V?=!{m%=?q{i63 z-)|}Fu$M|jSb5v7iV{2NraZj2_9o*6nlcsGRjGPg^voXP)~f&DRM3ONkR?@mv3FJ=Veve2y*E(vfpXX?LemL=YH{VNk-$p>%oJMQJx7q>2RAE+ccxFtl_Mb zFub;*y{=rYj7_wC-cUPI!LD3aP$}b4xW`V-&D(u}o}^kls}_;yU)OUIjF->*mh#_T ztN*5{+!qM)h}d(=3UnTMwu_|OnQS>)zrb24I$AbkpKF^kYZUe-{=REM4?OdXny2V_ z4m8ScU;jr$0b0#rU?-qX2&NDN|2Id#Tx6P9p=z{JK0%~e>K+@GprG~nwTE2^?w3#{ zjrsyRV?IswuS1ppx~l%$-wfuX#7H1jtuC04&&u7SN1R0It!l&4zk1XKUDkgb5mb(I z_wQ!ppKt_*XniZvmlWv6pn2TkYtZ~+#S`b)V z5DOA{5D@}CKgSsMjMDtUlk!{@NeA`Fr&gU<)sjmrxtQc~(M=#6;;qf6*#Gc+ z{`a@|F_A&HsSeqtphhz5Sy7kJ?-lBQe2TySf&`S^gT?*a`2QkF2NFb>Fb!e-!E^hI z`tZb}1UGji*`UNf_#FIwrO8Eu2bL&RF7$6}#(#cF=}3^zp*cE(>hI&!A6yip&;z5w zrUiB8vta)7t!vW@qN;?qim`;zU!C;v8ky!e=l7#$ujewOOwykG$)lHZ1g{S2z#G;e z{%A6W<;r*YSLX(1{exsr9i(L4IKQVp;r`w(Q&4O&AOGH4wC_a?+gE}A_QUmWONB4g zbt>k5n}p1Qf@s4_V5%3Vseh>7Z`;9q*yvJFfBI72W-YeuK>B4-DZzZIasln^<+b^t zg8b}X1LB^;qzr)hf^crr;Y?i>HmK#c1rjujSTqU@S&)`4Cc)^r7Wn?hEf1(01dYVo zgY6SbqRv-I!QUmo89+A{O0qt!FoPGW?|=?w|3o%e=i5N7x+r9e!1?)I;*V%3-u*e@NG1B>cwRmQW^Pm2dKCIu&l}O@`aw!9$e-ltNL_K;Y#%Y<; zj-2mrxlSzje8aJl*|0sS#DN%Lp!%39$-X~<&1GSFLolC^aVC4-wn3WX94Rj`St?h| zLhYf2xr;#tIKZl#{<4;;X<*Pb=Gm5h>kbOy_QT@TlTi2nZXalp(LN)OVE2UDUdJRz z1N#rFwQ{+eYc>&y$5qLEgG*Keura)=(EIph zgN)eiNS9(2o1GZuatvCU?!a9J&Zvzw|Pm%3H3p6KBpwV?0dgUw_O;(@&ys~+C z_zIO)7wqSYpwZwVbGBLA*PxYgjPo;6g>-sR5X5i~vT~4)U~`4e%m5RqSm3{1mbFBF+A2XBrNoj48dN$7dJ^jjz@T_xIG$H4IJla*!VhOr3>s~UYF3|If|K2SdAEYCCV8DSx09|K zo^S7z)a^cA?krv`&p{MJ*+af7h6b}4yBH08r`KYYkzbGHe}DSZ12LZ+HMsJAQ<6r@ zLKj84FY%$|gU9uj=ADAqzb8BRzhD@?eepn^3o6FTzF*Y|pU98X=$(k@-fOHVm82{6 zHUHL=uV;0oBXYyoL458gVMPwTqv(w^a-SPkcmqe~DRakLD= zJWarPK_hgwkMGyj*wiKXWK0S^`uYEs!E_coC5C# zzEb^M>^1mf+ZMTDBB-M;9z5<+Q_Odf()^84Sw$s*2xLT5LR0}SX#5AmI?$83F}^*X 
z5mU%!>$qsXM=}8pKc)~aqi)^xv=Tg>S~v8^3{8a~$=V@hG(hRDkT0NqJEsJxRKn%xiFzIRS=*Y3S4sKok*m2l>6}G?(3)6QIbO z1XGz7P$F4Ry1<)XX9vrNQ>XPYBYEG#?l-d)rQ{X=zBBWGCSTaQEwQ1|D39<)M>std z#c}P@c`o!T#IJg0K#CQd?Wr%wF~puer;CrAK?g zv@6Oj_zJl}0xf$`Iwn9=HAI%wa>0Cv@wHV?>wNvv8=bQ=)#Jt~j*8|<#ZFI@HhxKj z5_xe0wA=Ml_TP`_!eGMG$7rq}s)PU?4_j^arE5T1L~5LX7i9`cDkI;FQ#F1L&8VtV zE<}(ChIr=b#j3OeNS+Wn%!lgmZWp(z{ooo}gQotqSAoV$3&!+5GfdpM(b8;IMMn>Oo(>~G#fdQ_4MO7e+aNnE=_SDp z0h?*ObTVux74*Byb8dj_#bO#LbB4c1#fam{ocSI4PDmWd6lpYk<*=~qZ$VbRcp^i5 zbURrMreB#guXXgi6k~t-5XAM=+}xp#)zW2a>fCN}cjE)@9?hvheJ}}bt#`#oZe5ej z*v6$m-)h(!&v+8U-vf+LCJ)Lwc>g>U4+&Pb5ZVnG3IGPFIne2tk{Rp@kqJRjn zn%@BVa(P_gpyq1bfgBf6FwJl#s;+CeaD}avnzx6Pv{~@ihbt0!KmWrr;i=Bmcp*?x z>^hM6YnLwU6EwN`v+sVlTy+C5*$nwFE`qrnH_)AD-CfC%P21hosi9xeNWG|;r%uG7 zzJOp1jzjDDZq8KNt39La`Iozo%FNcL^OZ0SWsn@{e#{ZwbKY%z2&RJK8hW@!4hh@b ziXASl!I13?GrJA~w@0*FaES0sRdhq=^pCFS9U!u(0-cnB*#QN*ku%?Uk>6dl!9gUP z)rrBj|Ha;0M@6}|eZz_fs0fUxbPW=UfOLm2l$1152HgzZh}3{|Bc&q}f^?@K0@B^x zAwxWh9 zsb6BsAtqbz7wZY(SyJ0pA-gAlr<4?=OYaTw`?2wB5m8~&oXe(DlKUY6wy#85PicMq zX6vP91#H>%tO7T9s=bkjxOm14v0J$8+6q;-WBzEk=8H>ZAAu16pU|WM0@S_%O@L z0cq@Kq#pD_R|%+6i1QhMNcnuLW6Ayd{nuO9D<2hhmyxaz&2P*JRRFFXn@AOSuP5gn zP63G?!1l4)koJskGa@rYhX3n*za>u^B9*Q(6ss=Hp7AM5I4A#;*~JC4qxxj#L+I5p zNq$_T$H66fBM>Ctm^|sWp39We!e?3b1xik$b~j+n6tkb|c-5W$cirAQi=Ak3tubWA zI^{=Y&k7$aYMNDd0eN`2uXxhWe(Se8m4LyH2SBkKG)NCU!FaDlTesv8neus~(I9|* z*z}~Xy)1P?8-)8LLAI0TDkByIZ&0ZsnJamZ31;7|9LIQQrmaCrKDO*JEA@LSZ>Kh% z{j7v9AiwYb1_(l)%-SBFAbBN)z^=y3>-%{oCW|evovZ65UHF#=Jkm1@W!Kg|kC$7R zr)pVkiC!2SRPb}w*r)yaDb|R>gKh0gW8TVBbu0u-^rVvyd+SwmV>PM79UqmwH!w%H z{vNz)ggKr%-i?4#u20Orq3f>S(gB&?h1mco7Iee1l^%MV#{aP-Z26 zW&aE+m&v|6k7FfIjgP^`a=YSLm@&c-_KD~?9Acf+j691~pAfYO*bLr2SPKabH-7rM z%^Ri@+U6J^^=kU9$3vObCO8%_>fO{c0wgQ3pZ+ctk9H#vFOg4!XN~e*@l}Em3xN0b zK=q_2;wQzHJJO|!jsF5B>u_F&NX}5OT6%W(*0tA-Ldktwb3bO^^5JjNzw=}AMYihev-NS%K_Nz!LP!(TkQ@Nb<;00iB zb0e#~Ov0=tio>@EF7(s8qC(nS>!0&y!LGiPLx;2E`TS9MO3{f+-$IofTmO3Y`Lxbk z^kzs6AzsCb3!$kbCkMPB6n?St#jrKJo1@of+55%{H|0Rn!+YL!K3_JSy*=te#MSQ2 
za;3tpYFo{*Tl*_5uVoQu@-5~Hx+qMB}Xm!1?uKQuI=pLa`J>uu_^tIsp|UE^tk z8js{{?EwoGgY^5)Ryy-{H9kQd$;Z=997DoLFI@bO_s1Lt6ca^j9-O7|c{M!g5*v4m zw=T7^r_0j0dIDwB)zkh{z2(4e$vPR`#eHZ+-}DQ-u27Fo)?u zT`_bG`Q^OlH7 zg!6t?Nw6})6m|eDB>r&$G;fvJuTEZ*e2k9WX-!zi_wx}(Y%Kaj(Q@H*UP)!GRN-t-;j#P?>);J{Yu+965mW1 z?RuMROQphLo$yTI^xFx$uaC)aPqG6J-S{2Q3h+MrlZTk)`#Yw`lek}I3t^_i(pcEV zkR^(V@_sQd#7#4)zf8?{QZrtMrVMrFU7@9n!m)wKIbrO<`cB%vl%$=UtQB22p#|`GX3X+T?CK=lk zZog6~ibkliOCO(|FyBBX#*h-`yS~~BdZcuZ8;kG0k(+p!j)umsEmi34BoERe|7`W; z3Ho*3P<}$SCu-?5DIvpMD;Zd-m0w8S&c`zd;519a7?#NwNr{NbI_X1%0fw9P!A@GF zl*{H>ta+@~zJp#e>8hb!B=;uF8k1N2OpO&SxH)!Ivy;Y@HcNF zoNu6vtU}nGP^k{S^zOP0RS*Dx7VbTDa4dmS2k8J`nWr*XanA|m^}f|6aap0-(r+ac zST;^fCz-{VoKh8SZm_UiI6T8JCq}#kGA9j4Ifr}(F(?uj(`(npD`fX0B_&BEz;g92 z!i*RCAgQLRm(W2N0nLbF6Ig#4#vGO%UZ{yjZ$W{31^Sc&`T$XUFM3Fq`#VR690P(` zf}5q!2VXj%Mfl5f;y{FYU7uUjnY(a@K$=~;xBh-yHqnuPE1}Q9irNb%5uD`=21WiH zk6^3Dkt8J6gP?f6{N-k%m#SCS)i$ zCU0}SVhv|7VnEbrdU6Y$z3#*+6Tp2GvOru;KjPua#hm=ZJisk_O}7)?$)eXLN~AMc zC9!IVsxIsaoM^6NQhjr9B*rP!Oy)2RuWR`<%J_-z;YahU5ZXHU)B@=on!JNcf1*r) zpn<0H)*b0#TvhscPuOQG+d;)ed&a#Hks12wRe6J>gO2ruxQB#~2&lxH&W_G+NUG)s zwyc24w&)!*(Qekmk@}VNjEI0=dugI1F8Wd(-@O7^y2++5=j4w-8WISzGBsx@W1PO~ z>Ys!cNdB%4Xt8ceUQ!uTW^b5_K4QvahrRFdL#5P_f9w z8)Whg`5SkZKLdv5YIDK$RGhXe$2b_D8uhVYXjFXMmTV zx$?MU5bva&_@k56UtR!mOsR`dKS=+qe7g9kjAt|05q}K~M_$>2V0~;6ko<{EC;ET} zJ*1jVgjqf4(&>j7l|SZR<|kACWE&ly!fAy2b?ja;T|ZaPuhqVfQ?r(iy<8LJ-c&gy z!7mt*aU0?Fz6%{7lXfj++v}3g=u16GgxiPjsVtO)L=IKMs}7VT)(pDhqAF8!-lrZZ zSm9#lt}Y_rpgP;_HhY5U;7uKeXEJ6`uDmgOnXd>_^szRnDc^9X+#kYJr-_!SXYl;G zRNyb%UGyIGo>4+qv&c^v&aME-Xle(yxDlD(23|G)C3yYDMBBJHdX;2*UU1PP;y$*v zQu)o$GdUyD{$1>w5WjN|3@d|Tu zG1zTq%Hk~F)^}`Conc>Y%o<^DcJe31x}xnGRg>?<LwzzdjMftJxM)q{ zuLfSD%W{*mD54^{$MMI5+k6by0XA8PPQy9Guvsx&-aKl#ID^L zVOdrLnzsWSpHe}8qYBOTbqsrf(t(<2mLuP1oXoz>F~72fD84Gc@_=7+*}&wTUp4s* zu^zkLgy<%p5;bTBa>JIgRnjb3P~)A>)(+N#OZ=q0jP}X0MBQ*R{C5M+`Eshu1AIU7 z=f>3TX3>v#dA{HGK-R3HZ@%Q`;?NS9so{U1uC87w>vGUzd#M~_pntG)7V2=ho50i7 
zedY3u(h2E2=NY5>7p67Cdg_bzvNE8c812j1Qp#t^XG)QhSP&v$V)Vy5p&P;5{OHpg zRCi}xa2LwgBytw$+h4s;H6!|`>;RlSQ3F*8&@1>2O#I%vHFmv^ajR18pSO$9H*q)k zAqG8rR#@!!z*M>05O*p%TlqsoSjmtS-Rv7Tql_AQoVxcyB?F^4)5&+e4(FneML(v z7zT;sv&O$MNYJ5wXOOrN(+X|_@W-K#>gF$xI2U?(t1GHJP(gb2p%zj-*wgC)!{dV= zt^bRb@h^z=5*Gi(f^4t@V|Utb08v)rHU2B?wAsq=J%ys5TPg7G7QUc#!}JusXzEVs zWI&B{GLV_OC-PptWjcmk?!*T(p$Th_)2|> zcjMB4;4q3Ei>w_r6-Sf!LW#{PMy6Yy=Zra|E0;kQOiitZdtx5^^d)4PILLJ_M5`5y zc z1dtevCcZ-CVE+exh~lIO&&<#5mTmP=E{%9fmZ;xF`;yExoO9IsLj-h`ME!T#PD=REu0uG-(f-WB%smi$AN zTR{(fYwjuek<(%ET+0KUcpegq;D7Y?Zu^Qqd-e=+pyQAL7*#RB|BO@en>!Ip3v>ny zuBwCg{?UEHTz}tp806jv$?*60@SmSE$b#E-E$uds+&`y!FoGAxlVtYKt^j6{5x<7< z8-K$jrT9;LApRIh*>d28DKhFnv7p-|zDZ{%pWM}7|$9#+&ud_vf{@FM`dOsnFVMLneA5pvtF}<|- zEDOMwc>LmER@r)&fn=;U$tR>`098L=QhypfHd)00_Z(=?{W;FpqG8!#T<25rU+xk> zAz+G?n^zoC2f(>5vd4W9XF%CrxRGCzue5ozoNR0L{f<^CrhVg%Oy5wi;{7jw8DA`7 zeh``mP-&a1`5Hrjdt*c&xmaZg;D{37JjSZa!!x{=RE%?r6_E%y+C6yrhP&k8Erc(AlA*_5X0l0n*jt43&1;dE;F8U zzo=JE7cH_Lx5)i6Sq_xPo?*W*tO{Kh;BqjieF(JZ6QK2Gg$b+(a{{Id&J$-_J{P&= zs9>hFLSRZd0OBEH47$-g!`k04VHo?I(-`e&K0!W>?bv}Fna@K?E+>F-cOL*7{^PEx zT-)T8TlFR$X1|<}uA3Rk&+_+A_cUfcY=RV(&J#Ai#uCx;M&9&(29gGSxdZgie zXp&>~2po9cG5cyN?pHc$gQ;Fd`}APjk9Q&99W<)o^ZW#ackR@{y3Yf}W%-QqA~DLR zvj|u0^c!E!xaEK83~pyx50MY}i*_nV?Q&^{5xMUEVB-5gKkxx4SAcMP!u{aqGwX`Y z@v@TdcXc~Y4mOhwl#(zE43KQm-%%_QiD5x-`|JAi*dkcP&W}D~xaZy~Wh16(ZY>02 zr*HxnHw@4_#y8d{X*K+uwq}im|$1uGefWD2txxr>eFB4u0e)HSiXGV|;N_e*Q zL^;N=GBa1PSXsCb*k#CKGAX=HcUql+`dqg)oNDv+6$06jZxp1BT%`b!XFSzj@UrF~ z%Fg(DgXqReX0czXMcf6exs+5u86XIKWo_5fr#lQnOaX@kav?(+KzT0RhyiBz<#cJl z?QST|b5~C2Xx48NRkKwN9P090oPX8Pjug!RkzP4a29E<+D$Ls((3zeA6}}a)hREK^ zG|m$vUI?YQr`MOO#a;t|Jq*dD6ho`>(t_xp0TvEJ-UsiHxVX5nmqAn}7w3l!`sgDz zav|qDOrthaA!#0`EIKwvaRY-D3!NV=SYu*pqI5y-M9M}5#hPtPGe zprEq`)@Ip|$LE;t!icelpEh8o%8!D}9t%&8dU{w?@N#o@Q8|VO`tgu zwU3zIQGbi_#UmUKUT6en`0M^6!*fTkxh|<>h>oYqdOn=sC>9+!*Cr_g1fouX%kWM_ zT88OjipMv&udxy5*EPC;)_@qaLt=#sE-FA#`!Nm%1lezVIsD&W|Rv ze9BqZ0}NX)wMk35h}7%wwD&VmdyFZ+IquDd0jrf&;5co+f|C{7o94cLzcu8s+CyEc 
zyq@MGUtDUtpCAN-XCyt?j$jk8`-lvc3nIpl?Oq_O^1Mv77u5gLp1T~t>AT} zO!V4K{#EAQO_j3kr4KT{X4D67>|eZaIWspx%une7>M7-@=IBKE~8vh z26}JF?%pb>qA_-f2LR-++0s9uvVJkcf5o-KiC`gLpfY;NFWb%Mrdq^bI!oAlXY9oG zK!j2nO=UuBloz0O^x6ALG+$FY+)Xpa(}s6=c^#ulii`VYZO_5VKk}e@Y>UscD`?;vQ_2glYvfLO zY}K(y1K7&w~S9q~_1EXImrq_{SWSvm=nA_h0`A#EDpn)it+H?Cc zChBJLEBQq9!70cw;KPQ6r#|Mup6Zp|Q>r0qgG@3hrL6kTg1a?s;JG6ud7FVe#Y~m- z){t@rE8$jYj99ZQ7^){;(uXSvK?S9kO|hH#a5fPp)Q?_>hsCxdd=NwYQnW8x$tJie zUq7Yf@%K2mnrzkj-MQ4)S2i&+jq0*J2zOe00E&dQ>lf~lfme`S95iw18t&L97lpy)ndJX(~jO?5j(M$K1kCU z@ZzavJ5{*n0qlDy2~(tq#sL(c&KA9|BWD}Aa5L%AqvjXQd;IdMj5ak^9WUCP^6R74WaIM(cycWzuP<6gg=KZ+OC+i&;&J8s^3l1L8^appIdRNn!^RwuEGt`_S#j)MP(MirB?JV_8EuJiDdzn`ovt z1N`pU1mn!$s!H?{C)sZ+&xndb?c}d>H*2V764OOI3fLwkS0TeBH({uB;bI%IV_~FW z@2kFI-KfN~@0KS`QYOP`MeJtbzk0AKDeh0ubK;kkh+s`>Ok~&RL)8xlA*S8}(C2Im!X@lT*WmCE5ybZ+?(B|w39aUq zMzrbkKYAgzFB-o{83lO{&W7eM;~i(xy-#x9<|*mmE+IqVZAYzQ=X3c|#q6_#w+xi` zcRq#-wqKjvr?2O->zCG4gzZZi(kO}iriPu7Av?%~KEKTLBV?CBW zcP=l+@$|E(qSp&Ao+fQ@oEpfgGOC>=#iKU{4to@qqW7M4qPY=$N}b)$4Z$$>1c`)X4g4J5wItXLYxKGM=m<{Cq#i^eg72^pQlG|I(u3+GCQz>8pV-vr}DVEXdE zc@cd4%ZmV)Pvv_+A#25Ce{f^Qo^;Cm%ZJ@WhO$hG`}YE0hgJq&3L{PKK%6hm5k^sL znW~1+hq6|$BBejGt73D#m$Y!C2}te{B^#ZK5O4@)G$vve9O1PNP4-LXT`azrg7~~l z3Mu{AGONxgsm}O@r16o(qw6<6uv!dKU2niMK}>Z<)q6gWp!lee=$uw=&qj3ok=J67 zIe}WRI;BT0f}^^jvKmornr}r@q(Fu(t@@o#8tpc^5H65k4>F>VMjt1RVh11Ejun4` zI4NMWYPK1=+{rwLBuR=bk<+psg1Ebt6r$5}`_zxXoTWobk&7rqwriI0=iIwef_5n~ zE?4;{9{tZbE1z6ohW>!kox&H9L7XZSV&1hF^Qpe?`TC_1zH})#NA&Jwm(gh+DEQ2M ztJ`T;M1kjAGz#r|2!>0nvIReK*6NZ>in`rNqj}&eyz-S?`@JceB~GcgG8?k)Ul^;F zkxm%({vYxNU^>eGe%G^ckMK~2|0g&#+ANpU-pl>8EaK)^1D2f@5gNMp#+;l|9B~kW zU<19k9_I*~=M$UAU#lf}+;_0X(u9z$Z4P)n408_MpaA-r()!W(oBPL}*uLUF@pDW9 zg7#wBa|kmBmP6|@q%oCzUop%KiO}7>{Z84PQ6)M0*zPS?v#r03Kbx(=dpZklt$nQd z8&R#Wk0n%56QoTK`*INzr*wAE?pMb@V;t+fY4Q5P25a&6U84py5>J9&bk@2Z>)cX; ztLPN^6fV*i42o4G zm1n|RgXtNVyFCygC!(~-?E^dHV&X>A-MI8Cx?VVRJu~fIU}87T*lnWK;KUZUKua3> z;``j)m(kx&Eu$?N^5}nfa8g7*_HE$m=KuDo1e9VEn;<4q-Zm{mq1rB-58(3WYY`$g 
zG2?09DyvKXwef&MP9@D8nc-^h2VT2b@fG~mGsxk!&H;+)niG*D^xcc3kyR0`%J9SU zdamk8AL&ulP;P>QV9WhPG$%@{(ze3{SOw^&f@Wt}s(ATI_-c_c#wEbiBQtb3w+GXo zdHN9RzPapgDPhi9MbJ&f(3jJlWSYkV5y2fJWwTvZS|&2chNKAA_oF6^A9GjCjP&-E z{H*G+?50~7`7Q8WgS;?!1tozL$jMOhEL$0-+4LWQvpe6}Avjx9b2njXZpWC>o{alU z>oE;>qR-PaDR+`Nwe=6=ER35=fCC$6IaQf{;#*>gvkbYI6zv3an)8=@x8Luab~8nC(Vq!ju^3GLvHgH)$r*IEGNIjlw1STk7D>4@NuNE=5U{@aY?e~|#EJb} ziucD6I|o+ycYOJv$yIB?kyi-jp( zPFn6#5|OK|E?R;U#q*2JikTLh5H;E{+e%y5WDDYi0AOumf5X~(=oVB5lmZ7xqd2TV zqTgk(E)SpGSgB^EufgIO^ zDdZ0>%aED8)#DTXWPvObN0(A+uWqH+6#CS>XIGe1@@rQ#7_p9t5(OMgs@ac4M z)7`zEA#=(0#m$0CfUjX|SFmRrT~NkHMX$j%u$HZ7xn3<(1WJ$WnDMq`UH{b4)FP-BO#zr$@95558UqDnZ{@y zJU@x5zN4GvJbZ+f5~p`M0u7ke<#9|}T4-Y-aL%A`PzUmsZ+#|%N1;SNJp1;q9kfoi zzzW$fwA^>eDKhRxhLib*mv$i9OYiuSG6m+SWmPK@(L6f`J)WA&LaMZk0xgwi-&yHD z2|HM0au?ZBPk^&&iW-)~i-nBH2)Hn;5k&Lt*i74}<0Lygj=j0o0Ed2^4`=yNf8Fh8 z(gCPZTdQPgRS%d1WCkVI?Uu_MX5ZYNqjfY;q z@bdr?AKSH3WFA4^Z)ppBycP&|7}dyE9beW#d|zMkW5E0IA*wsE>e&tBvE_Y64SqjX zIC25BQcy5*9D~{;Cs1V#o85)X4*C)WwNZ4lcF_`G5vkz8SYF8;{-AV)OWzYzsq1X* z@@$%(A8+CG@4FWtMod@^4o>M4rocBV^@TDw?mU(GY*D~noi>ayZNe@Yha2eO**Tou zx+d|?sh^TlnLj5|3#de3n^1S`$LQ6M5zY>g#6xgUdYg(+j!S)(z~&9FtF4{tHT;Dyn=!XTd*S(Oze#d$ zbjnI$txr!G!r|(fpJja2cv8%}MwQUVdahi(@+MbkoRqoU7(a&L??Y3RlX<&7?X8?{ z*T_CO$k0r%WU!&3B<>qWjPt*TKg7p>?${@VdiN?BFv+IiX9-&kU|P+P$TjqnByA<{ zDYm;*KAO6+wp=w`IG!e1z9cjU`k0OqA~Qu83)vIOVuOF_)iGmI_cU|=~L zVeV2W2hXiT0=xkQnr3dfR!RqjX(-=eGDeU{!7eWQjVvC0E9C~qf!rXolI!G!y-%Yf zJ7R8n-uoiv@1p(55{FbShTD5^hp>6QG|P40cV*_k!GhcA;%^5PrEBfgPs?+zLVI6e z0~6LIoLLI1ATno|Iz;8Z0qu{cdGFt5?bo)O9JqbbbShW4Mk#;b@on7_xpC-|XoEY$ z$60Q@S7GzguR7mCo_%t>IL>n7b3mOBDt+k{OTWY)N=GCy?RuJ-9gOq8Ys~*Tww)1^ za+!qA*(o2eqzo8icHl_=OKMl6QwdhwQ%pmQ!R&dsJ6-_F_CHnn5G7Vs$Sb$APxW8N z^U9p-f+zmc=x3A~wGJyyW`33KaB0)Fab6PM*s)l4=d{Vb^PiBHUKk!mfp6nZml^YF zoG0@e^h#>;CZqiuCsJr{Cmv9|a|z9XmIvaNSwl}f22$nnW1858FOemGpPa0lPBs(z z($|L~!Ges(s4=rz?1(37@37&C#Jp5X={m~u~pD-shtFEH90k5 zbtcQbc&Gt&*!} z>@OO?bY= z5ebMs3o~TFtwSoU}>i)Nn;&43XH#Pi|Wh1xf-{YZW$7GQgMB1lFm9`f5oawQBdouyD{ipU#p8d 
z<<)#3Fu*P*PP7eX=saSHX05ZcTu}bktO7&nfBzsdyN~}LzWqPH)k_LG4>tIwa@K#( zz4!wj``;d)Vpp8}+w1dhzbL*y3$9fQJZQX_VHfNc*+OKC#Xb> zgg}JHH6$!m=jBK}M0qwQ=Boxmw= zE!=e3>rlsSORICan>BbL8My56)r%DA=vE)1r>Bsz?0_H8C_r`+%T|G?-m0MC+XiI%XAl zzldoTR;eLzf`OfB#_f5sifN;PZh-+4LQkQo$acs#>l4M1iP#wB!p}dx(~#D0rUw6p zSI;^)mJXUCbJln_6zA|TRI-=3yplGz;(Fh0I)mh^{fCylJ^DlW;6{9Y*@aOMq^a(L&Ga4+W@PX0IGgd3hUA+ z47OShB;L9JLi=oe04T7dJ{Rcc3y(c85>;z7P$TEY?a%JtT|mg1<#-mh)CJCh zOX0>K(>?gzDR3sQ+3OU@dTv*TNmDoghEMm#>xsZ=(u{5b1XO zDmWiL%O|iYuC_Tc-&DNxcpG$v^2&9aGco8Zkh_1{-v!)&?rV7o`p(bX$NJ^jQ-Q9% zWKdO}Y@W_*5c6(U{J()@h7+kF1EA*?V6tfd{M-W|*ct_YO3&JBGN_ApqO;5r#BpO# z)@mqT2}V^NMk&xA?DY0wF+%qoNYk}JrjHeXxn;HDjMDKMf~cGmiTiREfU2G+{Bj>Z zxBnWDQM2g9?tF-I=HmA!RZf27KaUw`Eus<&T=O8hVKYVTMmXy+=>!!}$Nv_%cbyz= z*K9V*#Tz@%zhpK#T|2Q7OSu~ z08iB^cz+NaM;oZ@HvuG82DYs+O#C|rh$mk>TGd6Y|D6ow+XTtZ&MqAOqFZD7x@qY1 zJFs$HmwFF476G51{K5+1Gdu$#Ah=ZUi42@aWvo@;lfYI&Z;b&>7cbld;Z zm|Y)X(*763s_(}*G?JfeT?exR`o5%c@S^y1aRj%Uh|Ff{>mXI+=U*!4LzHL<66i=> zK%+^gNf^`Q(=EAoE({fMXCS2&|OV6^l-Rj)#I zUj;LS?)Oat#ke^puwm+8&;f8V$ilf_mI@iqxNop(F`_7oy-)VnoB?xX6yTS}7$XeG zW|!M9Ob3lVB;5)23V7@P8tT{jwiqqX2H#wyoCcyV?}5C6(x6r66evQL@j4oG=St`# z14n`I?wymaW-+VJ&pohuRj7QF7HAx?)lPN}${7m&+;Tsdd83#A`AeMe;$lu0wrAn= zINf(Zb3w|T_ylKjfpo3INcX)pY~b4+daQJ>CRsLbxu`R^)V$O}S%aaqjfUhWL!CF@^AZNu`jDCJP+lnEwP^?J9NuF>o%og z(9Ph^dav!rZIdARBP`q9M;N9+tU*~mQ8Cj1Rf_RG1=~{z2n-*^P&GV&^!;?*qTpvx z&=LT(Gw7#t?;LITDQ_yqx|rcjCaGr7f2KE>w-VR9pPw=Hq0;ms66!vcyvc zW(}e;Fdjgozzb+49Kv)JxtcR@_+yp#Pa(nYIwLIUE3m$q6uA@rVKR$L1akP?NTaDfy%M7x>9Mp~YD6WLdbsNJ9#)=J2;SWX}p;J?7P3s~!g(8ygSjNt$H1s1T-whd@%6L)sZ`;P4Z z9fp7BmM_JEHpB{|6g)2N$wVH2XV>t2ylBdKqH4G77&qe46HzrP*plIPt$fmz!hh`6l|n za37X*a+fbfa&opCkG{9p`p0YM(-~7j||}WJDyy*QnY_3l=&(pZKZQC^LF5@ zvbu=hdj%Kq_D+6}X? 
zQEM=@slAxe7E=_Io}?QEqB*KOY~IEX{V{y*0y^n;Xu(;CcrYaUL2`Vh zlt#{e)=g`SVV87hdg}D%{+N%9m16o?mh7z7!P)1|aFlQduTHs%#jEGP%_nXu)7lWA zD%;w}OYw^c*^T@~RjGpZ;6cBloRflzfsbk*s|f|RZf!!z&CDY~B7ZMzZmd$05E6Yy z70FJ?QRz@gX2vCw_#V;V_q2+$vG>*VU{{*-9rLZ%f8(DO;i# zucb4VD=+f)=F6X>o`Z9+rIsx)RXIiOvtTh>F9-)h8P^sUw6pj+cLLAFecFu+>53D* zWkJJ|Y&yDp;*ho6k77hqw8fj>yW3}wD1#$~dDRqenxD6qgli{!cuwrwz2Ldq#jVsH z>MS9C*GCwf3e)!LPM-tjKm5UmFL^hv+CaTlE%9bqbxo8suU?^4M=J3RDz5Jp+7>GO z?e2%AUOH5oTl~R=)gulL)!GI@(jrOC)(_g93Y5qw$uJvh!iONV>cby(uGSR} zLcL-Tvp3kto;SiwbC0M^jjRppNGk4s8`M>Rknn6JcG;)pCg!uM)%5|9JEqe@9`YI+ z6$t%uh7b=X&L&R~eo*ruu8Egt-YO^R6i48*`I3h7!o-kmw~0n)NqcO5>Yuo#)7D{4 zo&CK1zr{7n0H>4Op%IewWPF`p@|4k@mrXSRp+WP5sDiZvaVrxaQix}3z`X1mi7O6! zbxyS6xo9Se#+RA^2h6FP{FvHBsqn_c;>s*Rg0YA4I2paY^;NA%>(6)^*P!EBsU33GAGM$1_AaXQR;#RL)d%U#_@RsL$@uncFt zeIch?#^J{fi=xe*2OTlB_9=466cLJLMJ5K}J;Ekj`Eiuh=8t>DK`X(B{7kcB=|2#e z%ar&Ep9q=ylRL3sLZ+|CwFp=4WD%bjtbQfZ;#I5h8dKQ#*db>M>L6QkKR*0nBTmvs z>GyIt{w#ujmn4*Ub~DXfIM0F--%_;7XKvDc;&_&VJk)q}ZHrEXo>H>p8Q2-pBHCvC z1~|f#F~|Ro$=Lf}if6Q}D}K8Mzk~X&I^6x8#$NQ>)?6k%E{88)PtEAFA*gfAgt0k; zc(~IHpUQ)R=(_m(-Hn&QmPvdLfn8L`YV*5JtgaJ6#Mb?x4fN$+UVym3#&QE$bym&Z z8ar`AGV>(jx2ri0HYm)*63XA1+0;gVY)P^1ke- z8LN|x@xFVz=^q4Nl7m%56e{(XD;Ue7gO1w8?_SXX(^ARUU$fsSrudOUZdy*hX96(~ z>Lcf9e2_IVp6si{WO$}jihx5Vu{u{*gCZ3_aj!wYb}QLNFm;a+EcFo)kxkFHYLa>` z>jZNFl?R>j;V<4raPa+_ZS+e;bUMpTP-RL4vG%o1lhQ7ZGAh1XB&iC$G*@f!GpGj^ zWy(c)-_D)ZNzg%uD;sg#7+!f?@a+WAp2lMtPr-dN0ezSv8R|HnkwO^OV}$>LHsBZR zMkGTcg%TM|r-Y3g=6WEHEvST>6e^2LsR5KOoOk-{|2jZ|OC60(6qnQ=U?sqh9oR6@LUZ%i4}8h?)u zV5kb(ilL^8)^`DYJeyRoc{!XSLF>y>!P)Vp*b(V6X5rlkfrGYIwO17>!h6cT9_@MW zAd^;hXRm{K9h6S1N3WMXipLx~^g=kWDMOjHruQBY`+DMS_rhkbT}b$Hq*u?kLt7wG z?tsSH{KXjxMNU7)rCNlBLdwo&FrZL#P47Tb+j8NTTA4h_TE-{Bw?oG0kQ{!JAD#+7 zx^wofNA%-OF^sPk1;UJgHQ(CcA$~`|mO0;^$#LnrH&v7H{ia}vh)ljcHA1X=dm9|KG{Pc=>FcL}spk^4+kp#G)X*#12m&!s^!)@?rjrDd zN{i^aUsVg7_l36wPKR_jr8)3>R+c%4k)U3=4AmxWmYnnkTq0`#KlkYm9VsNsz3mde zG|#=~PmdL&iXrJ|tB6j#!RV1b4IHX8%S|YrScfMpym50Be-k_3i8cTUXv0x`v_g^8arUv61E 
zOV|nWvTGNU>t)?Cxw;>WF?_s<Bc_+cdOkwioBxB*C7rD=jYTEu5w**GA3 z1+?HT>X#n9v?Jl5!r9k2SsBc+k9=#G`CrRJSn{PF1JF|m0(}!LrN#N_pq1-B5hGO& zrWN66iBOLzEdw`(Ex&H3f^cH`L&xdMF?mXpOo4$8Y@4&^DQKr=)V+xSCrrG7xDytC z>B3+W7vT)TO#-sFe7j!Lu3*Ds1s37a@7b0)_oKSjQt!F?@hde*q?lgFjd$%d zg`81&Za4D43{G(0aJIsHKoVfgKogJRn;9^?H&5>5%m;^?5V$O-P6L{|UM}25g1Keq zk|@SyR3G#aZKztqzA8MCZ?`*}1f{o){{9R|%|tC%nbgBim`4b@nJIIXgBw7nsM4V^ zB_u^HpH;PD3k>45^;MbEWul}oNvyM^^43pXru3?VYT>(hD=G`FfPX0Gg1>#Ao!w=C zaF+7*75{(nXn<0I{BmZfgf^qcK&knF-Y^R#H~dnI9kVcoE=_#@(276So;|LhEp@{n z)ob3rt&Tb=$nG{n2_!ssnpsl!{x>i3?nt@+^0d!aY`JR}ZK4pd!j@(XSBS_IET}5` zEwK^@gD#4k_N`XPuRt>u+<1$SsGHEA`{->(+M0{X?yFUNvfB zK*zw2vYtOc$1$HbQ}8x1uK2#|zc&ty z;hTCe!v6F1cWk?lF73GX2SXP(#9X1{}A~XQBrq{fSKl}%CO$) ze*?O`zjlk6g~dTlB#cIEI&nTMCq41tk374uD2zWh$P?!!NfCEYQlY-Vb*D=Newdmo z<>XSkPHtHubxK)OuqB}jZ&+4wzzfG{V%EM|F|*#?bFCa@th21 z+oa0x7zs|VCtj(IHI)+o{Z#MTE@=wg)K>ZN-41o#o-~ROPl}p#7t|WU?!;u!aU4!@-du_DF73H!lx@Y!_ z)SM!Si2iS1{o{bQ5apD%-T%ws|Mf?=Ui%@q*6_-4EC2hc{Of0-bH%R|LjH^2|KkMH zb+Mn%*%1W)kd*lkm-+9<7Inn|<8kyX9mt}NCfKxT|NSHXeChq`D2Jf+F3Yi|e+>)f zn~1lf#t49Oa$8L7jsE9P{)e#;CBY`-b21^ZDchrySNfR{;{1QSDooTz4rB9Ai=O@4 z%>Bpn?N0#XYfSflI3wtk{rMlJH|ho>x6%O{=KtXbz!l${j!5MF-1{{!jnwRY!nplz~OsbrWh zl|tgO=qft#xu3m~QO))H?#oSS1gdge1(B=6N%c)pYl!HZKWVt}4%-<35+90D(CM#m z+$by%m=E(?H|)ROg8aVSyBiZN(cGhL2iqK zT%~&#z_qoJpM{Y$q&GQHIO6li-RnY*0O%J~;D6LvoiIF6MMw#61PXFoACT|7dQu(d zqv1m<0zDlp48a65qYwXj*k6yjguhU6f;NAKAx7wCZKqzZ9v)mr*p%cgwpJmDf>&>M zpeuM$^xbf6?FYu>UYlRhe7SmqHCrDmv-lh+AJBZyy7ZfXER|gUH4uKzFsl@mxjaSy z^b+XehpkrZi(&y<2)n&;pIBZ$0RON4evE%3KStj*(KHS<$+ldx5-^x<@9dt~W@Eed}{EC0Q8!Upzp9unhA2I!0nFZj^Mj#Z~h zV(yvJl)r|c}s7$F#> zKIc3wyZo6od%pR8wq5xc@P7dy3wUQMud*RN*$_+{23UwT>Gd}k z4L4}OyxFaO0a)n3JD9wb*X0WVu#`Zx9%1}~MOSEbr$je?ur45SQ?qASBx?bR(sAVx z%_zi&{Y{A3>J52;NwzO>--;sB^w+)FimIWxjmjC^7)&3yJJBFJ#&#KttvC5NK>xTa z){^8VL9rnPyTEIED#KQA`QuZ=15Cl2pT^~()4$CNmhM)$bM@LMyJ zqthGl+~p<$+ST==D`V5=zWXt00YDc2scNM3*Et@&0{Td4N!Ip+%{Qqi@~_p3WonTe z%Ff%aBbTGYli60CkObHewD`gj6n9cw~9vcdf#>h}{gAtF(&06uWZz3T7X 
z-2^^iK-7(cDRkJcaRXYE;(^`=!;kb9p9eUyF1kjU-|^Wofcr%(4uh_Tq+N}H=Gc>d zG#cz*%qT*?t_uEMK7pd=GfX2C>rAB6il{E!2q|A@hbJPxT`>9|i;3RPts`ZaV(=fO zW22%c_H}bw{_1rytK)K#65Ca#9D=t^K}e@?EnHk{K=MXP?%t{hd!|8wev<61=v_eJ z{b+#O*m)Psx}$c3Ci8|si)*(lRXS=@(lcs6J_|yNMv)G%O=TyNoqLIfL}=3K+0O^0 zD41W=em<*3p|`RIOi~nR_WF8E!#JW4q^q}Dw10k_mw}B_2kiH@l%e_Wac+0Zx&`>B zyqaVP9R@mkC%GK&v*q}9_=@tzJMyF}1CmX&==-n%DsF5EDHp>hupYogGKY4-(r7%W zupchcibT%>5vP~I1qwE_uhk+2%@9ZeJw|C4QZRQwi0gZOg<;ZY52jTOs!6;N9l(A~ zbj&B3r}B~OXKZK?P`!p9GnIf`A`zR~y|%q%O%Qg}yw^@aArYbKDkCpH%)dqbZs(it zmG!5!Gu2efo9ioM69%In00u7(+fPHrA}5`CgM!t?gqLu$?b;A#s@Yqm$K=8F0txMS z!`}Bo8{Zf1)}u9vtlV4_WrI}|6dwv6YPv3}lvY9ccSyTTNX3;u;mvnAK2@y-4w=D) zwbG|k`_v2JtrU+k`m{Pc9xDv#BX)pgrp8?xT-)wYEMpm@P*jRw*uUcJA#1RgM0 zy@~al#{{4g?-0Exjw^n?E0(z71i%+GNFY-#trKkA%l--TSC5wAuN|x7_#<#%4tlAw zjG6Ga7r*2=;-MMdNQfd=+xRku=^E%6W#V4>C>qL69qT$N+ zli^+XaSyqA0c(I#u{9I$6z!3R^@qkz>Tw+{oId@a-lDNx@r<)^{ay}jr9;8@`e|=k z?uRGeKFksmE*MC*ksq6W`C8tY<~)6e$jU#TO7j9ZaA{-_SB#FqLxE!(`NU-sGJ+#* z2TwdY2T$y8-*<#C?KX!fZcf{cUbMMi`Z(x0d~HUi=ea&jkvRr0sFqnmpRq^HI}}sq zQ@n6PAnTCsF8uBtVIE}!J)5=r+@ZqmSFC82IW2YeS;`M$qHo2PA+lF?53(Ooa9OF= z?hFPm@CBUQ*Re$IYL;+iYb#1-kZJM1Z4r z5-MeTySX0rv!i+)XrQRHsa4p&As^to4Aym~dF2 z>?R^7{AycOIbon5Aj)uTi?;%rGP4OjY_U7BK~eHzHHU`q*)&dKR_gi(Y<*JC~5uN-5!8VqTHTr;`DEyAZXwjR{5SS1MQfLN)LXIi8 z+ekR@0kkFCPJ4;X#Ha3nDVqPqB=$JInir`yp^g3ZISz^Tpuvx-b8xlX9s_zd0wdEU zj>q2z?wKVc>+t;G{Z=VbB+^Q1uUyr{Kw8;W*-*3%)g_m8dDF-DHW-dmJnvy*PUG>N zJgbOUtJ!Tr3kEM44yb>J{{?S*f(_Yn{-8a^#=ZcoE}2HhnYVkc1%Y7OAKm$TSsGXU z;@h{$2*q78-YbEOk<3})o`eVj3M6G3hIJ^@mv#&2Z<$P)@|Fp6UX~0s*_y_mX@cF5 zs1RQ6ie}!2WA*cyCBDR2?BoMCg$zaiAq!$$(5*N*+|8$vJ#p3xM6WWpI+SL8D+CpI z`>c&mh2yKQrFvYp72$~d#J7w6qM5_ZAEll+zFnOtb=~>tNPb0yaJ%>lF5~T7AX}iD zyyRFa^=Or^f;OLF%Qj?7D;Sha?5Hj~2{p@lU_-)%M>qwFvo?h=k6fR?mH6a$Xw-t+ z_5Np}W}82`^2^5a_b$e0eBJVRdZY3HJXn02f_IKR0V5C@KI~O)I@Ftl7 zyNNUTvu-r=7R44K>YL)AG2gF}_;iae_ur+#Ich)p9wg0j!acGTS|T>bXDkIke;n6y zjaM>DtC#|t*b=0AzsxZV{R#NO?PIy9u|kep;klF_iW9*4HfOgg882>fw@JEcJ(Zhu 
zg9)@fYgguUx_o!h9!6j31=@BvcH0E#QP0FA_@ShrQ=#6DR9$Cy!Lx7*WGiG*n#9+B zJGGly4&NzA<2B+tFqyJqBsPC!Z)6piWR}o3y(2J%Inj%c^Y3@ieDVv2%b2h#Wdur+ ztncFG{g5qFZacdKa!nW&-gi`Ebd9zEiRp(KwOWg&G_07|5$x2q?(;k*9d8qac}AMM z#PqJC=Wi{J@9y8e9ZnDgd+98^`y{$UG8xw(FkLDDJ!t5*QZ3v(x$g)3Jyk55TDRqE z3o@8mCv8{iw-M4erFun{c^d?`$#B>u)E74W3)Q=&4f}-g4Ecw3?=VPpB$Zvls-okidAAamGGeqJrw4&QyZ{0_& z#qk)4Hy1siV5Crg<9J;8LR-DaX?hjUcry5)A2c??Cwr^xzTJ%SofkoM(ynTjc>62N z+_@kVotU>3f@JsHnuBI> zvd*eH#IsrzW8QG6cQ;sO6!Q2OrSzPsTYDyzFptIhA@U3RZ zrPqVV@AB_moFh6E^y2WI$>B3(nBbBq&rGn_57ml&=k8HdQKqKZrS8T}l;b2<3WO6) z412r52qGy$=UUNHtin-1ouSQo&m^nu7IQwbKh}Iw{29aR>O%Bc9N3pKn`)=gr|G?+ zw{9+GZ!&T*u&7m4X53y6Mbj0(mBt9rh3N&1;xh;D2Kv1VsI*BcX05@tM*CF3XFo_d z9bOe$DT)l9DLcJVFq+GGC4~SEglA6%38_a7ZGsPIh;TqJ46}&RGWg3(WyO@U&HYVt z{u5sIhaZDY-G0zemgGP1PddQ+`Ge1|yeSm)7;)$>FE*lBpdDahAP(Zb1jhT`oXB8g zYEo*8k5unXBM2y#!{Z}SOtSJn7(cg}kr`vXNN%wm4OW?Vls#%nm3~oRi|CDL4)fxr z{gPE*s!-*OOpo8UTINyK7W*`|BM0V*c{1Ue$` zFV$kFi>~TqbzsMme`AHMsjWO$;3CXDetM$+xz3zGJKnoMVmcdyjXsYiB?%pwN_G!K zpOam3WDjO0C3uWFz3gMHk>=@gd`W$9dqRXaimlgjGT_wj4tB%cX%5HiytamKd{lSP>>E3f!ON`E2_;1e7l0tH*~k_Io;7gH5zP@qUPtp|`}0%Rh}MZ;8T} zupD3G_iN&C*nY~JlE}@VX{X3|j38vhxcIRcU0jecUxYC?i~D^N?pH}IQ)znuQ(C^O^qW^kPUg5wL(ykR=qXH)2K9jRwTJ9coHdE* zy_1Sv&(HJ%UscUjj`?(DQBDH$&WZY1H(ErsAE!i39Gi(a3#nF{n|I~(wU(=gi#u@| z)MYyu)X5wvBQe_Gjd7e*u4KMpJ<{f|4IA3NSa<$lwqrg`K-7%mpLDo1eWJ1wtXebL%(Od5hy2c(U=0t^!F zhTiL*Dr2%605F$8bAE-gCtAhd;22E= zK1*o`0DMcsb~y2iU9L0YjZpFO;B&Rf-H9j+OmQim@IkW_{3@X*cs(hSfq+woQC4uk!ViAgAL%>UP@*Y+Q&uGO^Zjn8p)2S9@&(R)w%vtTatjshd{FyYjn@KDQe3+m5%gOd5oqmiX7 z41Er-rIorZeexK@?n+we_1+Fp&UVQsA}C}Cf_G>PyA(r}C$e&I{FA{pym!>F)YA&7=aocG8fd90a$o68XHFw^TVLf>~(q5Gq^jg}~ zkzYElfOWelD}Vg>@rd?kmSP)+v~IJ!M=#2UFO?g(9K`ZF_^I}^TZ9BQ+}^yEYvI(C z$M!;_@eH+%m%~T5^@A%ZO#6U1xrMqU8_E&F6ZfE#(`Jh6e(7m5?~J~)h)+LF*2&cv zCWT@Zp+ywy`ui#N6ZO4^TGMT~`EkCf??v%Jm-k9lbhtoZAC)DUkABB#z=4gE6QkFw z1s=`~jkfBM{P^;DRRr8e3h5u}`TD8?$LzCwU@B>jVHJZ_&_?ky4PXSw=w+X!8{-k4 
zyP%Z89K;vHzT}|A{0)+`(;`l3!oVaGVt%qy!yeIU-?txRlUy+Ov%>zW!+Pp`9qvk(q$=7Wa}aEdxAq4ZBFSJ^F$Dk zH?rB~JVzAXu3XGWms6br%^R`xHz{#()`N0Ydt*Mp6$e+}y(0OZxVMXa7w#jP+fjeY zTESYo`2m!l#?>aBRMOE_+#6Z)OPjy|L3&qzaArTzWe|P{tUHpI#yU1DGzc_raeCrg zs0L#=UO9b?HcC=$yez_0@_;{pHg-%hE<8#emioME;Y6dVGq?TFi~UmLBLRqN%RQ3t|gZK~Os6eYX30AE1k2 zs{;Tl)m15j{fJ2=SiPG;ch*egXVDQSjKsyoq>^CV$JJToS8{vx0m5Te3#~4LaBK{M z^59b`?%S1=Yih+Vta3w#3nVSa@X29XD7W4g>ir|pi^3lB(m9SlgL>f-oAV`<;q zJrUog(dmM9oPb_zo7cFsVp`6;MJyL*pjlh1w88OxsnivXvJ;zPBTA=*WaSY0F_YPP z@5QUTO3BuANpaD}Q8eh9LY0wxW0eFtK&*eJ%TNxUgDdJRr;S(1o-CSVr@F6&R!Nm6 zVBgiPTYaptEBFdXDM*bfXP?9gu5uj2u$K$r?4vLG_4n>5^DUAZTHI;VG@WrtRk8o* z_-#=q{aU7NhfqO2Tt(qHMwNBQ1Z5g!0-dpG=P{A;IDJr52j;-r(Pg5$kzRe|t6IlY zwo`c!H|0V5d|fldTru_2I~vf#V$ntO%U*K#RWiHZ50FsxprPUL4%_z0q47H!qJ|3e zu6JC?R+h+^Y4C0M3|Qq~oBKe8XN)j%*yG-|e8!FOG$4j{%#zRg7l&OHzb*(jl}^XK zt@2)-ddUgZ#RUP+X)&t4UTVwpZ2hdNwl-H=SW;Yi2}vAoEtwA2c;Zd-Nrx=e(}^QE=_=38+f6_mqS>51XiAEflj>phVM`U^ zKI(3<2|(2CpJRUHeffcy$zqWehEA!xFBZHf7V?7jUXN51v~cQAWPFr zXSQBn?975b;UBL6l!*$TdM}kOVWB`hYZ|ZnKvNkRhYY>~$AT3Y14q3EF932#Y~oo_ zBuQ*Jwv5hdKel&s48J!t!u`3j8y)7}q8*8x;z?-MUa#<_DModW z6dBP`??E!~VC|h|K3UE-L71y7j4%pv3wQ&ej`}u^FAm@)ZAs)f@9-}+N%EGTRq2P} zm^K%gciTiVjx*TpDctJXbK}5yNT7^so&`49Vmz^VtpvvfzL|^e(2qaSwsLf|Ioz}+j z2;ry0LujX*2^-`OCUugQ%aNblg$SH&74FYf{THY+dV8^!#ULpqN7x@C4y{cUNPteMDGea^hWWSA%Qb-^hf%GKFuA0Fc z1KxGn>)7zQ&Ea~Em_F9lkY77UuJLqh-W4wxZ~IQ>x7E`s8yAMlM zYq0VZa()AOiK1ENw5hWoE3@N~+@eWv3AT5TmW18*_sgK&dOs#|-s?TjCTs%2lVwgs zygmic+tbKP@+rDvn=^0U%S+6IfjAZh(&DahSd5yKn{NRv9I$$ zivhYx^3Ic4p__ylLDvb3s5SPJ)o3{YG*E8)l)6t$jka|;>M`x@rVetJc_jVpuAAHT zbsys9Xr89BxqN9i(}^P^KOx!>B^kKIazS<9q&zaw(*;$Lq8gUapdR(SU^;xJCcr0H zo-tl`7Tl;93le&Kq&i+Fx92-=fI_7QV-Xus@K5RPE!V^&qkv91AZreYCaJ3}VxMmxR^@h=>| zPu}QpJi%a^$aeQUh6CZWnx@<6yX7{;55x*yl=1JJbMDH#)rzkhYYkL&!+@8{zve zr^_aU^2k9EtJ6*#;YiNlyAC3c?@P0a+DlzG`~J#zUyW?GWz){+Y)W1F9QKC9W#Wv# z*V$uYdHZm2=T|m%n|4(_|2+beLAQ)G4|1NR3*k~4CE;I(Gls_?8Gi=CydHK556|f| 
ztI2M+P4s7e<8`1TZHr?r@DDXxsg;HQ^Vosug*abs@EGJF`FP(25g~JNE=aYbb&n}Akiv66rf*p!&Uu(B8+vS}q$4V@Xn|5ZkwEKU-nfv#`()E6QIA2& z^`9sDZzucb@f5A0GeC3&!I#|iStx|xbzd)yvx+60>Y@n6_uRKgDJqw>;p@G28gF5v zJQ*YXG!k~>*2cEVH1k0vV&g9~BK`{Uf2d+q(t@^Yfhs1!-CyU_dHY+0&9$Bog706R zoF5{kL8w#To!>+J=d=Eo_4~&h5CEydRI6ce^uI0ef4^>Ug!INOzW;r2{{A!nUllji zVPH+;hPyX+x7uG!?`>2Uegx-UK6Bm85(HOWQX~>8|29N`^47O;qyUZ=T4Ddo z<@<9}viV$|a*tar%74hHWyf3ni!c0fL{T!_=W_+kZ;WF8Vv+nY4(aSbx6vk-{MTpn z`v+c1i~84KVui}T`};WluUF9qrjLZfG4ijL?B9+yOa)GcU+@w4v;TE${yuobctF|I z-NFaNc_)a~J}-6Gj;{@=#BWJm&Eq%UtOAL7nl({ z&D2pkf6S-pT@{J}+xDCIO-o9SzSX`ia%=o^`#KL#GONcMa2B%zO2}`rpK2?tUA#>A z5cX^I_avrs`U4#ZPqIT3Y8F~$<_xyma;$n2pk9c8Ia9yFRuA+KZ3cz4cEwhS;h(01 zS-jClvdf|L0qQWLKk#`nLk#HIiZ1Yf8v8dK<}0N`DNoB zEPRP_AQo92(*~D-KS3Xz=f!HaAa8f=e51ZmO?gC&+-mRIv zDp)ISN_>Nig$XHzM3=5wS$%MFpnxC)pRa8~r%N%41uwa}KzPI7N8g|tJDmdNo14|W zIvYoADFi`ake6uO;0=aWj*~TjY9BtQ_1}IGSCRl|4OA4Di>2ZIvKtB76A&JzE*>>j zfq|#)Nv)o3duc3u^-8RACD2e}%B{_KHlQaik-7Vc_*Cgvi%c@>(igaM=$f`9@N8=p2JbM%954#i5qC+{EN1hhwx5J0l-%UYn!5V@(^Z3bEP zgs&zobJ$*OjynKOKbR&;@JTn&Q5BVNIWDy9#y4EjdV%oqd5G}VaBRKbygT3A45Cv> zHFiM20T!4TJ;T@+-cr*mtzCevCk6QceTBeuADk-W83Yl0I)HYchvZ85w9r`v14?qt zaO8!0#1S-8^MD(Sq&@*!52cav585c0LLP?}c3fY}uZMN+MgEAP58j>$6ZvqxDsqFG ze5a&`TU)SAV6#yCOIa4}<7-guXMAb~zev`%2m%cr0V_DcJXngZ|zj_bo5kupt^Y0$)g?Ftneu{rJc4u}~w7om*SyMo!@gPLuAs(&kH z=y7>&SK+Gjz>KRp)0oy>1s@CP1l}q)mi_NEbb)ATE(07o9N0BOwYfsKRtC7;Zt|LNYe3Hd72R*fiyPFeC! 
zr0bJj`zHjAM0=MYJp5VM!h2`OA$gvNG353Q(7VmPuy*j6q1(Nueu1g!D2C9Skr;$V zkAtV}L3=vLR+wn@iTlTkF82;t0UYsF&o0oF<)u& zku(h5ce)}o1K0ue%r@si-`gK+@=rQr?LK7jy|JKzvNaK?1GWcxIgKmRp z440_iEv=EO*E6_@$u;)8t?-k6_XWyNT5P7b=dB^u;E-15vGTU|li4az-4KWv8vFx4 zZodXRIOb7Z$j;p$$v|0}ZbLn*-1^nU=gxAIkLDueWaQqyla+IjY=C9L@Vfu2c08NO zQfA=}vwo|*?(t@SVe{jX;4{w=`%EL*Cq*ov2xa$AH2c87s)aWY(a{|iBeuBQ1F6ZR zn-z1usR6V2h0zQ=D^T*`6Q!kbpfDi~+y#1e+R(G`#BSLnGH}RC z(H{rN5&2mt%jv{-mzT%EOMwJ_{m87=!4urt#-C3hc@HT_No1EH&p|=g1Clo1#(~>= zNgg1wF5&tLQu8DLX_yf{SM&jV12*OynTdWIHtSsQ7B?*(0SHN?rWKXL4yfPqXSfu3FN8fx~RX2E@Rf~bhkgL%ZL|2Cks+=uh`>jQO zLK;|bSe^ckilBzFSeilr&y?{6F@FnPQF?VA678>5)wza%NRTNRXbY7dt&Wp}J7i$s zwQ)OpBaxr&PoT=#Bit3s+9gyiA?x~6aaW4z52Tju=ELB*$a;BP(GcOC4Kk`rR_evF zd?d53(Gv?F=(){{4)gS7p_54*vpn&%E&f6Garj^dw2tg77~>z#e}Ql$?S#;eV7b3;Vq9raap>$@tiU&Pzyy;gC0Iz=zc`%r%dY*>T12vTT$ZusdP z=t)E@t$3H`spemA$zOd);Effn!=@Z8bqKf4NZI4ILlu7u%l86r7~_WsFR9V-jLDtRRFIIzSo6&IW;>}Ili zm`{�i>=YcF2}u6rjBc-ho&Y-iJz?m3?5C9my9SD=q%uJ^AUj7%@Jtm~j9e zPWR7&W~7e@W{7^9cs|Z$+hOtY;k}v%H1FIy-!mwUvzC*ul68TAcZyG!VX=9piv^mR@l! 
zKk)r)-gCXIQ$FI;MD$e4UhU2woM6$?g4?-NqJN=Z+(X5m2R62=a86 zX1~mx_MA`185Ql*U4AL6lOGTG0v2Nm94OT3`Ny|EBX;6~t>Z*1#sh_fYs*G^4@(U< z-`!I$4#|kLCdi+7K8eDLN`E?3yV&284Xl>G(0q+5JcEnZ(O@1#w3Aa=5-80BRKDeDcsH6 zrF%@|n6gDxNbi{R8s4Evk1+UZ@zzt1EwMK$PlV0eA4|2|fL++&!h;m@QvZ3x;-C{Bqvlue${)o`9;;scf7(+0dULDKiZ|>@ zK8Eos?m$R-x3dnjq|ov?(a52>LuE^Jtc|>2j`3mQV@;K@FRI_VX#4e0*^*U9D^pd< zIaY>N7q1X7Sv0u3jn7@-^O`iyfQkcrDbEy=2vkKrg6s#aZ800Zw_3mTk^tn)rT>2L@s5Sil>~ zv_kF71c^NC>=o%UN!wt19G0AIjrOjBHAd-fQzPiznxh_kP=S3$)}r&`fQaGn$e^ zAL1{QLz~im)>825qP5esBDQW@*)yz1wk!EhV1%4Lf*`?uw}O^a+d@5fn=CqCLO~hr zODxCJ8k<#|7wGynSjBzt*0@;!m9Y=?gBt68FtX7&d2*b4J*zoLw$({ti4pare?Gpt zz|X?Xs@pYk9D%k$=?pX_qxy1F-396z_F2bfV@D;>u1E|aV)pHWxLxQa%YfoSrgoj> zdj};(GJxgNPfNBhTn))5Ej&QuPeENiR4y5r#BFav_d$T!^N$Tt&Nl@x0hn@>5(0Q+ zI^&wu9IT>0Bc74E@4^MzD^uu=!%G9+L{!X!ZrL)2+WX^2KA7p7#e|2GInPZ_POY zfDWl`v6tAEdYP|l=yZxyv2DCpYktq9CI-kU$xKo}Xp~UH<0D^S298GMFpO#Yr4V?k z!1>CGyOV#V9&K-y0Hsppg%$M_uUb=L$hWcR}#0T9`|L| z6e{0Cah}hyNVdA;u9+ZKd!5Lk7>j(f{8r=RZY#f>q;)!EPaj~dXK}h9GIBJNV99zB z9AQgZC7sAYenA(W_}okLbF-x>0%)=oY57LwmjMh-m}BJObF|wnJiRHK`i41qap#{I zYCuR0lCmZH^)MtOZ}*p+qai*8J#s>g9}r|K^_EBVW$`-=%WE}=+?@5XFZdO$`~*d# z-y_*-5Tor=^MQ{0akE=zX`*AP#Ug>e7Yy|&gP;PNAM^7WVASKW2GN-_v1_st2r(~?hPzBa-5Ay+*(BX3z zD+8kNdnyg=3Vd6wA%0tCt=k~Li?x{Y#RX&vND&-7oy-g|XKJ=CsG{3-+6O!Nki~TK zp?39>D=%YNFF)3HKgTN2#)YtoZQF~T^&0mDul7H-V(GD{yZK(AwrcUYhnXRWe6lku zvP1gAnaZ0mRe-&1x(tJ{MWO+M?^RNpU}tlGgqGXRja&+8;R zKr20PJIG~)aPgIM%D=1`HVJq3$GtJ4=3qaU)PJ=l%(dfKaZM1!;A~5p-CJkavoTuS z^aBe66_1{PV)a$+kVD`P;7QL4vFYYYrH6zf-5K+aw zVlyL;p2=h|pJk^O!|pQl0_aEkemF)-U3|-H)9bw_5nEpY1`;8|+;F+i9?0K|2;YI% zmL^>cLS^?V87Q;Qj++j_?lp9Iu5Ek(5JtKe}d zw&;d~BmP-p@+nMMkT5tUKD3m50;)sXaire2O&Ec_d)Q)P&a#{<*iW9~zWwb($#|*d z1M=Jh@DzBdLa%slJ8ZL&-fBD6Xxm%zGO7vJO+|F*R4wuDjO94ZHZBCUYO8nF&qJru z>1vig*)S7?5#1zV;7jk#CqPZuzA9HtV+h%Fc!68v(CmsYV zq&{>132_!pKuSiQ;)xex)YkwQ(osl2fKUHie%9?%1b1lU46ulWD0K019Q4iu7LirY z(#}rykWp4`8v)vl(W1EgsN-ZVAdS`dK7qRiN8HuWwaUwy^csU7Q$G$HE{Sd9w90FH z(+WMRR7g`a!qMJ2@%9DwB|t}k``Qp@_=N6)P< 
zl|kU^(I|53RWfUniv`%(a=DHb)d37bAqqBRj-E2TM=LGJ!S8KUb|$K&9Fq_jSvi@N zziQ0y#bgJmkdx!Gj9=5YJ`hm+eb@5ex;^NJ_d?+zpRr>Mc~Vg;euY5e_m>2Js*nEs z=W|g28sCEJ)AmoG$epc|8;Wgz`?*=J9vpmv9K|}3-xs8St}b|@tKl1>*}Pn3$yal; z6%7nMqy$5W@rTw^47xo!TZ z>r9nazA)oop~Wd7qIH>%b|w?kYrX+SJr=RL7n|;8Gp(v=$PPzkb&^dk(R1jrx?Q4C z5(|fRm+Jd3fqT`ybuCf1*QN99ld3f4C(&UEB=-OE#6bp%|$ z#%{ELJVSqOV|L$fMaz|5!Yw-yK{v{#6jcE&Y$OY*x3PR;Q1I_ zJP`t4pxbbR7~ypVcALm`^X0Rh<&`v?rouX>j1yOpZu?J)<|5p@=wvg`ZG8VGW3-(u z=N23MoaDV-wc4bAy&qo)u!mq^qvM&qDauMFrJ(O>+r|!{A8el6S@nKe1wQ3_NjAmLGyrbi3^|hT4qAV!D}P$m z#HuK`2OGDm*+O871E*2x^Xf)riU3%bcY)oKQ-kakDbMi+DAmHcl+R=?Cet%^8cZ}H zf+A|Q8Fa+OhtM-NOXcQ|?BmCv%^@}~kHwvnPY{|T2r!k_&yffB`eF`K%8Pv=Io;{h z?DYeHtb9Rw32Jy`N8u?0ZAe1LyO#c@$#ZAf2koE559v7mpt&zczpLdx8-xGGV3WNS zJ;AJ0+y=K!zbb-p!4CipIEAgvd0 zvVH_;cNIFi$|r-w$)Md!fGIIJTtf{V=WnieZp6SFw<(CkE+KSSkW9qKs}i_pnsKB^ zm0sxv=m(tU_izr$8G>M6RFE0z>%(o@1{fy5H25y9UIBgugGMqOJ`23Z-G!hG4i3Si z4}$WQ>eCZ}M6nsDl%iSFu0;7@Q&Ga_k4VADDV0i&*X^~D(A0#nR6n{rA8UyGq66l3 z9%#2hE?$4SwdDqu3`t1Y#JOcNgwJ6|NAds4?FXB>UC6i%Qc`)fnS4?~267W*0ETQ> zm&E{wrSAs4TA`jG-F>nYRx@LzKS8`F0a(fTY^I&>{qD2?d~O!1xm%1QHK3%dwhWYR z3J{fS!-H@HA_R<=4%44vl(=VlbjbtEaKNqJaeHsj26(11H%V5FL9BNZXh%e3L4flJ zjk)x>ODN<&Zvv-83c5j8YjAZt!2I+961h-S1h}|1=kn?DoRcTL43Q;&u4Md2Dc`2@ zthZbI{fTDa0XXE;)Y6$a#9xVx!#b*q3H#B$MQ1TTe*_W=-)}-6g2k=Z$TS+KkqrQ&4s-x53MCB%W1luku0fvZW{y5VJc(K8 z1~Y_Yf0Vgup$SmC^!(R$2MK^(*fSPQDHruq69 z?sb&JdCTAL28+pEvKxvsXaWW&QlFEW+22I)Tc?QJSH~p52-NE_IQ}#EvRgWU4x~}f zsB~-;trYswKx38ZP=U&SEdX1d&uZwS8#S3wNQjWoWq0c>nS z{Gz0QVKDT+`=H~SVhS&-!&mGh#U-?h_9JKT&_&7^n&_LoKCWPYEX0Ss#CUprXBncY zHIRGp3aJ;!F@J!jF!#GCuNUFpeHu+cgj~1;gpYT?oj<_6G7ceA;~JZUzl?1)cnl&a zV6v^G7Ii-U0z=6oyTDAyDqJx%Cf(bxoO*wK3UILO^Wfo#4n$M(UXd+Ti6Y^v3g!OMW%m}(9?(xa zZM43=juEA&6P+bOc6!1(D77er_#GjSq5^_4nCy7njd|ZKZpx=&1YZ{!x3^t0j|p9| zLT^9OIy|=SqMuQ3w_+L(soDJ5Vf3mMWqW<9>IH$aM;8{VZl^Pr(b50ra&5>8OC!gv zC*@|pnZW{wnZlb}Mq+)09apmOs@xRzJ&q&bIpY2b;d<>ecZJWp>z1&bn86Fkmz80X zXN#Ao&>oY!BL>C7FLqG`p*Q+mE>Z-8CB^7WH0hX6N51*o 
zmv~0~xd<3o>9d(`dhC5-Lh)17YQ9ORU;EHmexJAoU^D(IB@$kpBEM71XdGuRW4JR~ z`ECH$z;qz@n2vL+CZIzN@vm^^`Rs9$aO}sl?dzIe?9V>?uDF5_V45t5T@1DHLYkr? zz633fQNUfIXJBKW06AjM_{UH1ZF{?5Etd6oSE*&PEL9KdbEOe@F3LdXfMAHgjb?bc zz$OawVE9z0!)k-vj;?2bJCO?WisVQ{$tC$nv6m7b@r-R%fJ~ z)H*c915&bmHzqDd3F#nSO~_1cfscrOL}r7_3eNGc{|AZ#**x0~!YQi+;}#^b>J%_1yx2bGO8f70=n_3w&G zp3+`%=anT{!=7?%b47o3;~?PRchCIZOKe0YrpFwVE_KLp5!qh>Xcc7TZ}Cs4^+J+a z%wQ`4ADhn{d}4HR4yYZ(K;#9Ae(UC#G6u(yytS9$Q>h0YVXu?tbe&ckSE=v(%S{WzmjRJ zpzc$W&U)8Utr}>8FWN!tEwJ8zv&2X=FpDxAE|OM^ysOM=olFC-HbH7M@BobUau{W< zc?5xPp{N7>vhS0Em?c{g5Go%8y|9W{5beTCH()+Hak4beh>!6@G*0Fc^({74F)|HVq7?s)2Acy#yj^syeKA08r`>ybg@9e?b;#m(hvyj3_?YWy#IX+!loYV?ed*Bm`bJQMu&FEbl5) zblX;CY@2ZWj+;U^?n|L7k1ZM~VRSWZo$3B#H$+)F?u_ppt-QdU%qYaD9As{pn&)UE zmsstVU0?#(73DgXc)+goH~8MTF=q*rT!^QA@F7wdAnZb+rko zYY7!LlW1UXcI=dClY^+0B+9Hb!9GbsmF{?NY}8@}?x@ma8O0e+Od;TCmGHi+^8?xv zCXI6!+Sa&d!#(d4ZNU>Z^-92xy=^?C^P`mbzzEX=X&07EOB8^;h?=2E25W7 z*;tl|%pTncqscj(n%LT}nkJkMH0|>4i~Jse4S1`J#%BZ(<2n|w!|X`&`C?!Oyemu8 zB6ltA8qvR`0tIi;aA}xuwC}>5QIy%Wk{;o z>4OJcw8p+6OC7|k*cYu7>%}-Dj)auBiKZjO>%}2jlIgTEyqcl8W>d?j zO61YWxlYO<&3I9+|gynO~x?J(nHrGi~j^OT2199cdA zdV@(N@-X*|c6tRHUM8uJx#2M#dwi_doY{s}Dpd@|^zW4X_8x?suJBKTsGNf-nXSh! zq_UPrN<;8tGqYB))Ig!9KuUp0?!+-A@ehe#`e{U>_{+raI>CVj4rc*ZxBa_6?xA&hli z4C;z1aX39a`t0KAW}EXy#wIbph@Qr=SIZJbA`%*>s$0WsY1TN%_1S4clX_W)w3xRT zQ!J8+2KBjRsx(qyUf4vsEJ9Qpj&_vW3;udxj(Sx8ueNKChBE!*k~5`?oe>eK7?&8@ zh|Ca1#x0FxT^ntf63e(W6frV{agA7)3_pqFtovn#aa}D%?&Fe6+aembYD|li+UJ#R zw?EqU_dDk|f6ke6o_C)2J@51Ver{iji!G!eaj6iG=4KP7STN~RY0`_{xqG_7iY-saR(rwmSS4Re4&rn|VSzGx75w`RPz!re z&SDl5{T`McS{}hB7TJKq`8iJQ)OcO`D(v;9@>ZT_yG-)5ZN>LWb0Ebmj&F@fKlSic zN^G#o5Wd~HH3&zdugws+>3-D;ueyHbGIwEsYXTc6Z9%Cv3mis{0`#ok+;L(~x?c^Z zNe~~>yl%f-LLq1rb7z>lnt$vT6%&n!&k~tV%Ok9Ko+NTJI_bdPR{EyABGTTaCpF(_ zerGf?hytqPHv#^a``*Z2AWN7XZS46*_@I7BS@3u5?tRusI=3&BEU2FgtUfNp6KtxJ)!HO4g~_y%iHoAiSM5i@w^k09B~^^xzJCIky#HB#yx0KKSILiVRcLE;A+=68k{? 
z`C+AFseKGYXp{+6?m-MM^sUlljxDjygATd!+P(XJXUkjuDkiB{TMGOo=mSPxfw$B(|x8?(L%4qXPG}k-`pz+}YEGNbt^iyDJ+nS=M&MW`6JOS9r z=pc9_s%i$*ku-;4m;=}`F2@&}Od;FfrFcVD$d5Rd7G$bDjb`7Jj*|8P6LZ2}0l{F) zyndC?kQG$v8Atq-vpYeoly&u&mQu0yPH39BGfLUkoU^NoezV|&d zFn!sI($4<@@NN)w6co_6xEOiZfOP@SKLBsq6Y4`pxFHTBaELfC*Pu5ox-R8)n_D0x zP+S$y_vQQwpbQxA1VwrQlc|S$e%yeDD$MBGpW~u(nR7d`bz)vYF%L3>gm|BAr`dsQ zICo+O$9qw2i>h$q%Rzz{={JGWUL(ntRDAAkV}bn5W|-nmOJ{XNJFYh=_!fsCGlyuK znJ@QLy|WNbB#WVJ=Nj&6nNV9BN~OL(GmcxQU*DR|+8r?zm)BSZi91pdM)Dxv<(Ru= zAu~6zcny$bv7s7n^-hm!YQc;)L;Z9Tw>(buQGh*mB%p4rZCg`Kri{h5QJjeO+h~JL zewTC)WZP;NAKO7w)&q%u&RWKdFmDItkw)*)x_i&+nn8iE$qp&vRW)D}ZpeFzXt;r% zpm7rP1vG~?cL}t?>q~&Rc}22`d;D?4_GXO;+BGPydT=#gDUEW2* ztT6T~>(^9o&kN{%^s7k=DRVz@J0f|q=4EKQO~uC}1W64O(mJT+#7@2Q)Rd2JjWPe~ zTx@NpMtgFDbVMosT1>&ZC|3u;xfv*J?ST2=RGaa7?3_H87rk=FC>&uYU{^U_a|v`9 z!mCn8iyV5R=^G4!tIQ_)W`AkhcKz(A0oIocEweZI?4<>1O{Zb`=?pdA5<@hAiK1SW z?xD=kb#(~E8b=0JG|7jqW>_69B5%&PNv_9$mPSsobF{)(gsE8C-dvHQypc?kH>X&W zv;FUs*`M$Izr?4YVw#N)QEZ=kk?{C{;K_^pM@Z>x2KnFHq_F16LmNw|;2eRPz~lC< zLZiP5ywBn8dnrHwR+X!)Ks7gXbl&>ZgFZSrrf%Qupv2oVX#VsJW%ZXWNR;Q~%Gk=- zJ8NQh5ZaPjD`AoHwZvDylT9L1enH+Iw**Gwu{Yo@PqdkDUb1g2+i56xmSE0iR1BBb zaO(*V#Y+Oi@~$#0NH$-!ru5hVip&$W=xGZEIyp`+7^L~s!|zVZ6x6DuxRd5$tIlq_ zZ}X^opUqj;nchX5^jol5$`<)>0QK zy^&D{5w-8uE1Q45c_HA&>3s9gzu9QCO#a)v-VlD~^UofWFE8_drQxyzYhCl=lCcW1 zP~hX0=K9O2pURgnUEgeC6M!7;#X3RcNz8pmBvAb{fn=V3|GWPp2Dk?XF~Y+z0;$dv z81>fkaX){E|J>5gzy04isZWRLm$%p?TS)Mo-bjVZ!l=bwUq0|LH8jT+A9oD>1CiKb A#{d8T 
diff --git a/assets/images/screenshots/cases-comments.png b/assets/images/screenshots/cases-comments.png deleted file mode 100644 index 23bc00f9547cb4dcdac63ddefa2f61937f2a02d4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 206057 zcma&O1yodD+dfQp=^!9&5z^fyA`$~ANH@~m%@6`25{iUF42qOA1JYe0&CuNg(j5cL z|L{C-JnQ?``tiEf!10{3&)NIV>%Q(iL}{ogk`mDpVPIg8D!qLE8Uq8r0s{m40|6dz zhR(@(9|MDE$yQ!oLrGqqS;NiQ%GSXW1LI{>Vluv#rXFqZu0K!uI}E}*@pt_|KR~j| z>zI^3!t&ldj@NjmN4Kw(d*_bU3m2{DEkk$W%b2MO37(oW#mmX*;S&pMonWe@ ze3h#6KY<_{QR(QbQ=Zcq|9&(^<~x@spFMPOgGpSI1SOkO@6%Baw98=AWMZ>nUL3o+~>hwrShm>Qu?8X!L0bI zVR4wVTXbITE4KpZxvy!OCd+w`C@Yxvg=H%X{|vt6BMgGK+&WM!j7hvv0k|)F9+Ml* zA7S&xmmd#kzexE!<7ToHB%D_>3eNB3~#>)^3tc@U%#GJ=^@cB6}2^9r;I)Woq#yM;J*O# zsjq=#Is%HFOU)fG>f_nfsLtIfgUUreX>!J&E2x$U3K-tu(EHn#VP5PZUM$I_{EeDO zln7nZ`a6ZapGsjM)m%^i`Cdg#+%ulUNR9*Q_t^Eh%NHDW1Mye+#&;CUgjHzn=jEkK zq&La-W}L7`zgg*|KDz)1qBr+J_wx~NcmuPP?6+h~MYb`kZ;|ePjw$Bknl*A} znj`@sOayXFEbprNp!!Ri(!f^gj><$Jd=C;9y=O?oInmQJ~Z1DSC{xe?!g4nuP`?a z!k;a2E;#hqF$>_b#rKMa(TdROo)svE-kkyw zToYUqv(Z6f(P+l5>sa_?>|Rexr@3aSO4<3u>#d+I!Yu^{>R(JK#>h54mmE=RLuPKW zeHGv>B5Gn}qd>s0v#>4eHTLjnd zd_q%7V>OgTpNq;@EBL6|@d-##>E~n3&l2pPzbNag zJbg6!iTg9-r@5!>?DyGf*!pztvKPI2sww`{LoZ)v1Ed$@Ab0YBHGXxaZv}gW>LBpI zfGFJj+5Y!-&2qL>cA+naUs%7y{SmaZw~XaC@vU?VcMChYEqYK)SMf`3M8mE@7-Esm;=T#lUC`Pz-z zAxAH42>RmJe#_$J+Z3cE*+5UL2yVTX}` z!tkN;L1;;(mVMlqLeaOcM_-);d>BfEyl8qY|8x;i_`9D|GVU<<<4%bB1 z_s4U~kE@8hsd|3;aVL`zJRq zKJO^+YRVdP3@Xi^mEsHK;w#{!?cI>l6v)Iec!$5Dqc zhw(|_>Bcg6>GI^8iP^H;3Dk7SFXwW|w&@15%fzzFz^66Qan~@5f@K|6Yu0?tbVMfn zll%8WZln`c`n}Gn_S&sb&wVewZMQ$G2?YuENt=A*GBbrU!!u+xq`iFUk5b^yYOuNx ziSfV^|2TZaqoHNRI7anA^nVyCl~@&1HG+C~iqE72OO)nn zeD56W9O7IDgPMFXshI~su+fxgee@zmSMVw(SI9*3Li6`#r&zMcuKYz3d@=kYl3EH? 
zvRDFc@*rCCI}b^1Gl&OBp>>WsS-zcz?T57Ta%`*~2J6ebh|(u!P5oVcR-pk+Febn%%>bdks{^-w&l`k~2K;P}Z%e0?$Qg$7+_s1ID_vcdMP@^2D zjEjqlooA9MZ+31u!M!4kB|IneriOAG{@VNVut;GeT8$@%dyQK<<30GJlH`}OaJoN5 zOR65XQVVEWvzm!qVWvQ{w&Uue4D&YC*_woFY z{KR~w;b#c4A2HcoKgO*o`0om+eHd-GT_XNk`?ZH(;z`oy0HuMu<4>lONmRnJQI_!z z-wN5IV}+H+SFH|qR~jZ6C+|%%CBNX2YEN9yvADtE>HsF5c4$+U*>o=IIeFo{6 zy4S!l$#Gg7s{N$M&d9M^+}RTi4Hm*5|2&pc)KJ!MWwc-Gy=gHfg4|ds>fS_gFVsy1 ztOnQyo#IuICeB+lQU}gA4h1du$IKI*;pz}O5~&b3IV?HWUW9FvTgrTNRGXV=?6B?0 zD5@@6D)Nq&j3%Qhph8leI;PeYeS4?(TI0Y8wY06H%%IHS9q;wq`{+yf7olyzsTxmY zvYVN&PPn(i75BCgop<0w-+Z8b+;~Q_~S)u z)+OTU&D*%D5X*7wWiTi z(c`q8ME`#t=iMScV-4SD@616~dse3V%+l-kyPw&i6oi`D#5fG!Du{9%LS9hoV0` zKVKi_IpeW3>1z^(5MQ6za9TL1wkEo<>SN+CxVZ6SIFn^wxzb})kYT(eWp)6&|-GxhiHI7|Nhd3&2B@RQWg z*vkIIgnKfmRo~ z4#Zo&FB;r5fX49%q^FL3nBoC|UTsTVB`Yu(<0)`VfPooli-7|iVFDjo-~(Xe&k-2- z!0)@j=Xoa9e_zF~$i)8dW9$z%H_Bn_F`GIJ(>n!I1P32M!%AJOx_wRXH`q=*Oo1EPLYgxbod2X)o@Nx6<{Liz2p^`Ue#WiewEFJWo+d2Z` z0p1}k#w#rOulxUhSN`{n|1nbce@F6(iSYmD(Eqsf{~h|q-O^3o*%5fBhxGrd=D!C2 z=f(dTD9LlP^#2gWzvcX|vw)zbi6nXcM`_YT^>1|YF)(B?l%C6J`Cx9%;-?tCnLXQ2 zcm^UMsILz`dP?ylAHqz?ko|#;i!z(-G3N6Rk8xg65_UvTFh6}y^!R-V8<$r06G6FV zjL=}&hu^=6d`h}R`Y+$_pKB115Ria>?F$+>bg)_*bC;=FyH?w%YLBE&XHX?#%M8Z4 zF&wdt#t2}rDUe# zTyX6#Dp*%(M)XEw2@!Lay-0D6F8hXlZEpqd^=qK44?@NaLb`?iMEjh^3bYkQs)RTu z+$PNMY9u`U7lqUntE%R(tWva^Ow;P zr;K$h^^oc61JS12v?aSs!J9cNagtD@ieoiU^-|aLtORa);txrupKCh)@^%Z~?TFgXW>?{-ToV-@jpp)4wo%vsl*pK~B zWA^&rMB+mqGF5NfdB9ojkgdc}e4AN0vYE=(k$Qj7`^z~9iD7`Vbjq{mNxAefzzOG? 
zcCAA)JuBPKPL(U+w$L<|-{9NSKj@D`Vsn}iIGXFO?7j$}_jOm(KsDX16n>yKKXn9` zGR^)LI5ilf^Uvm+Sw%=QxZ~(wNRAXK_+<3c7VL*+I`xj%b?vy<=C>JG*j9Sf<$r1v zkK2yof}4p??A|)BPAu$cQD-Y~2pQI{OrSvuPg*=_>Q$#ZLuU-5lyIR2ksZV;S*-7q zH;vu}AL{FLTV1xy?MB3iY5%X)BHfiC6M_uVsPyr+Ekjbr&`E(D_1(i4ShrXTFAt%v zyua~OYM`mXT*KlSgao(g-j0=&JpT7qRsBPA09JI3po2zDH?67ikM#bk;R#m9~g$datWq zwd~+aTeIi362pQGTK@ijzf8AfC##WYD#MDDm(`@WNSGR(f1S;(jXwn?7yPq@%6bC^ zMZNwC;dQnb*cvObO+RMf-0)gpEIM)n0V71@fP1jA5?H`nZz_|Ch09zhLgrJ3cU>oD zE`PAQLMfTV-|Fg?jhJ{rCwMe-<`|391HcpJhY$4N%kmLq#G9nXJkyb3Dlm>6xHFCM z#iP=|R>H32lT{c(L2wl%pB?aS(Vc44DF{3%Oa1+yXW9(GO)_-rb~#&AjQG|T5spi3 z$SZlafNgep25-%RoU3TYIJil6DeWD8k7i8@&EZ(>4A?sy)iEIy?3S_}e!@hOrr5Zx zOGKN%k{sG*OUwV(hDu{+yu`$Iy6Z=l{zdx2v1=Ct3^%Jz|4yK_dWwtFnd=76wqmNK zhWkbJQ1*3|N|Y;W8ZXPBpf4P>xp?*)CFC!~t$vGEYo3%&*%d@`6xXwG)@_wDl<%EP zJ4c3*Uzk^)Om#Cvcq0|tFt=x=PtQxcSyF{7c97QnB=e}b`=ou-f4*w#nsvBrI%<~F zP98ByE!MlkS$+}*zm`u4g4*^&H(pwQfv)U;``o;{oIKcRRAqhsj<7EZ)NM_qD~w9= z2>nzSTdnAoPLGn*po2E^q29V|IEUZUW>bH*z5a-dX)@o}6>FN>NRnN{Cd9+X7OIU? 
z*>itC`j$X>nAv<|=}R68sV8fx&JpTC=52cekZZV&$7~xdnT?6>=!$I7>$JmiXgv;Ggh}{uZ_2(LXl6rsBiGj^Uuo0GYtA*p!B28_?5rUddkP2M6(_?} z+*rZ0j_^0^!0^zXFm2B(_0G>fOZk8`Mya|m5hLe#G3#X6G{wgg^z@%|FfR{*L&Z?% zVrQyTaV`7&cz|6OuB z22F`HTl2jJHpqyy745b8hrfwXDf4G?ON_GKef=#g-A$-}`QXqus_jba zmdyPXiUjQc`k|da z7PEs=I7U;7zQ6=cm9|Z>pg0NVk7$%YYaGSZuiv-Kc!=p3N!8E;N@qZ3>$wLZDtw!Q zuKt7|Jm&nGm~?)A?fX@x3RSZr zNhi>5*17`^&q{A2*o?ef`*j!GoXM%g_4iabi{5cQ4{8_XdpeKjK$%?$WInFqc6kKzq+y2 zaIz1DW)Pl~xP`f@H4PQB?ia&zwq3D-j&S27#lh4Csm-V;Gm!m^@tPQNhH$bhgb&4k z%(A<6N@K|ClJ5K`%~GpJh4cMTqErtb`#%TEL8B0k;xnTO`;yr<6Gq=3^?8u1O%uKF zsS=omVF+B(EZqbM?m7j}=H4*Y3OMWZ?DYF!#o}aHxFplUtLB7-Hpx*ExoP@jlE`s6 zS@E%TM*qw8R_F*$qy@#%;GIW3(KLK+Y9IuTAfX4SV>M)mNrjcaITP-1+(y&O>qSmj+~xTp;8*2 z4{MsYQ}!fOJWaB5s=3dQw?%i0U`La#mQ9q&UP+*sO;#pPt4BPC#wNCDnYD5{KPCnu zn5s>rtcma|du_6EE?8O7M8JmN^kv(w3NW8zD3?WLUglARjitXB;bY!Dtc6N2;+%^~ zi*nnLNrOiZo-NG%_-BYETY$R;gIw>`3~VzB&)8(~W}<`lB4uW@KHQO}obyF)mu}>w zhHqERKj5rg&)ho$#YN6v&Rd#UftFfH@hhCG7i*j6>!CKWsWMm5EB# zDfh*I0$3DKTZ$Vn0E$ML&|RpWD##P(@oJJR<)Ru}e=L4OpIE4265UouY(FktgW5+# zC2$iL6qehG8Q?Q|xSac6_oVPywB>z@{9@qOA6Ihh4d5_+ox$ncM}w++P#HV?IEmwm z!bu0LDx6pOj;b+c!V@XzJDsSN7& zwz-u<9Jr$vvdPDHX1Iy$x|$E|YxKKus-x{ZyB1t(w>a zh|HK%8_)em^$gbGP#Jj)?QNn_j=DkT_w4%59!7KC?QdE@nni9`5tB>0K>7|>Ssg?( z8%DJaB4dQ7M4RfNK?4CnR@LjtO?kFcUeNa}S%jT)UZ|16Unj0val3;R!YyMoE=5n~ zk5vtN4%SWt1yjKksSBQsll!`wHLu;5SENYSUvCEbvCA6UKmB?cPGL$VTRHLHuBDPp(5nqKSF8W4X8 zqo?ZFk=LyK?U9(?p1eC8qm%e7Zi>NQ0U6whn z^e~)W+gORQSeS58_1f{bM=z`pyyW2|A7aOcvby-iRWx%|qfC%f)(+QcBoi}dhSQ|Q zy8l>gFte8aei*$LF>>ubm?<_ZGA^yy#g6j6)I*hEH&&bIx`tcQT^P8>kc$(Q1jcNO zJqa0}Nb_h2*_coiY?-gf@%DGJb*%Z&7c1cDU?o|QZg^o-1kBtcbf8RTQ&UZhi;Np` zcQ2s)~vOtRdWo)kxgdJdcuQfMvZ? 
z=9r#NKB7Or$eFi}ZlV9@KU=v+$myJa$)cr~wXyb;i>&`xq26Mj$h^aPN!?c`-Gb=* z_M}g{WVu=lLgUIdHg!2_qDQ|dYNm?i1fEQa1Ql(#hrf28OnlvIlD%KV$cTdHSPADR zt#u+KJ1_*N`D#bheW7f!E)!;t%H;%E)fO%~l8uRVl0v5g?ykg6tD6R(uOf2c$w*W` zySv>mh(2y}Q_u{A*B&@CS|->1W&K`UE=%E@!Y#zZpkqiuaqag-%gY__WD!Xofg7tC z)1P)(TWmWeC6_$Y5Z$Tfd*iM+-*?of`l01dzGm(hyL;*b5$XIp6&m?dl5ONtM`5%b zIPI)pC;}-g6l1Gg$9BgiuH|H6#y7jMYBDyZ>AR(;_XH4>Y7KFw+kf3@f5Hr&J7;L9 z)yKeewF4*E=%+Oa@&)y9MI_m~32={L#UavP*?@`zr>PQH8ru*rybzHCjIm%mS^YRv_76dOKsjoQ$4nTC_16$=5Mv!TT z1_c_|_2jz5xCqpLExl#4kB}vfQ9zi4XEcc=@1?+q_Y9v9u?8YdwCx7fah~GXbTOjk z_E4p-9)- z*e;jn)DVW=UC0^RdH*S^yqQzZFti4zNN-?rd4Lq4X&UQe7qeL^x*=&I26744QD8R^ z0Sg;?nF*GR`*X6mgW9CNUdq)Ir=;7Oh>`XO? zKo{ZRLpuXAeySV%>J@BK)!!>0vNN$OCU@v}Az31{d%ht`HBq$%H*ijUJ%!Bb>B95P z-Ec2_iL+#}`2N!EvgjYpKeKt}uFpX?D;7j5ox}#MbNQ~!qFi=e45{`TD{fgW9f9vY zME1Z`HJ+bz@U;qRukA&IF5+ZKg_{dnDGypzZRYoy^zCZ)BQyoYukpaFdQ(8UxlDF; zvLK8n)r{C%u6_rd2N`~TFX%_UsE_ps-wp0yIrcps)hVAEw`CT_n_K>KZshzhFR)(> zRGul^_kP}l=p{nZr?8>#z$T-vfTh-gA_I$%uk7Q5hcEruPxTWeNnrvz9dTi{l|c~Z ziMC^I&zoCnm`Q*W2ff1jl}b+cn&|E>U0xZOSo8ZQ;IrSuFA?@=7_- zR8u|`IyW-G(k$h7G~pnl`qj_B`j=_VNV9R3mZ<4^yxCXl!cTn{CLG6K11~m~e+q9h zklIy#n10h&GF;Zu2<5j_W|u*J*_u7?yRuxBjo*#H@jUbK|r@Fv~># z5STZaIl%jFIPrRzxTCS85hJEQ)KNWbe8Z=4z}7s#FgK|35OHqsk2wGk{gixju$TW< zq%Su$P6naPze`x!nHVQtp?O=Ubm&$X9_e2U zKygUgtNJ=~sA|*tQk0&_N?%^Ok&?&qhbh!P0J;!#KDVUa zf0c)WH;tPjxM%nOVY;(7Z5UEX>suWDCLGwL2V-uJP1e4>&B!!lL!1bJ?gU;2{1$TW zX1Wz>fV?&xjLQEJ!u>1a%8CF?w>S2H-v2>f`mBJwJb!WP{U6jo2dJSg1X=ihkXI3C z-MizSPH${9Oseiui0nW!#Mjt#t@o=La5fEDg&@6+{;483+8pOO+MSmnG4vQxkSBRN z02L~zTA2@cIw%-I9=I-V_DO-tcIv<|{x*pSvdA*0KIcu{#YV_7h5&_^lf!<0w(Ks* zXE{a$3s>USrYY|!jyZ2CefuspwXx5lnizlHY*ahuVJQX@P_?fQex2<783A9*eaaENo(~+|*?j^pv-Rc<`Gfe>wcE&N{m;4wuFArwfasCy-9%UN z&xq*8%}W52I++z&yEUd$t|I_{L>=vTFW>6tAt(2M88o6g({5qLfF%d&1AzuMcjZ)n zi%k--4K@NZnD(Ae5x6zhWvUYcp$<_ue_O})CavoLGeGUox#!#}t|Qx!kiMx4@A*KH z8Nbb<#maGGVgrXV1zor9Cvb&%;QZnzMMlCa)G2x0POZJ}+fNG6O6BCNTOZ8EOHM5K zB=hQTK}kduh&93*7ATzMcQmBfmf^p1U)v<`c&}Gr;9VD^KPO$|@tA=KSEiKz$(GCc 
zYI39r`eJ-BiZz1(8=s71v$)Pl6rio!2EWNqJ0%CArsv7xWUhUx*S|+kaXVYRyfyIJ zD26zRh)D-t9Jv6@lx2&9of%JQGuGlf`r7+!l?QTvr+PUy$?*_)BaNE)#*flYTKjjd z%bnpR0IR8|;otuLj-E?{C5MwsiwaMJ2SBK-(xpvL-VQk$SqFDxMCMXv*R9YS>JTCw zV_!?3-G?*rQ^o_;plT1nh@xj5(!xK{-#n1Mgfdjez| z&!CT$*s13AJ6bPAU!#&E4_D8YJ%(? zOIzQR@t#dy#7UtZycHOcDs&FkNM=6y7Rd<3E#9p`W)x2Dk_t~SKZt<)S8$>8-nM*@9$2v@%#QwQ}$0}P1hjOVz~q$!ks0DnHerE#|r zWpz#??4Wzr@7)NxK7^s)B9>oB7uT#o56lN74|^THR?T`D_|jA&4tu!bj&AEg0&W(K z`N%uU*^jK#AmzWeMkQ4|kl+=TL~z%8zz9zna_X)x zHrqa{aNn2Sk5c!bVT7oD<$v;#UW}g;-pfDf7bpHV&!Hwa%}rUDP-uDsl%~JOR|Y1D zo9^5Lq%T4o&}Dmh3myQ%!rHwM^6z~@4nv0nGE702%S`xoObHPr_dg2>s12Uxq&gA7 ztp{uyE^j;!#G*>TbhWMsr~OULU2Q5XRhdJ`?akV7wiLa1bvi$Q)smPbuYrQ0FRg|B z62QWQ(OkcDnVabmP1naIF2MIstSbxeck=Vp@3nF^Uyhap327MkjpV)3>$Cp#2n?v$ ziK>@nqJCJJ!&0b2WZD5<`1R03+^!VzR})4AB*&Nd$xUd0Q0@(##Tfz=)B`Zhf!qb( zz@VK0X_SL7gV1k_Jt*xoxy+@Dun~!yCI`KJj==4~`4B4Ghq-+-$wgL~b0wd}aO!gC z5RNI~%Jr7D4Dm>RKWk{asygYmJek;I&a(Eqi|O8TggBMX_4}P}dlE7xMNO#VO&!l+ z(V)ijHR5TfI>*Rh0ii-_0EZMt2opb$Rn3H2bt0adrb1_J-IofAe(7r;il@h(?=+%z z_J&n>EW^+T$xZL9GkkLp2TPJXO_y#yTV-9qhKd~;d`pSx`g`G<$?nT{x~k>?a1+ z@}fhbeXZNpFW@G&@uHj|D1+*&lW90JXQ1 za^q34dUf3%sB^%sIAhP$Co0(KixTeKP3FRm(RQ&$y0mLI>bkTzUel=WFeVa{^sZUQYhu z_u~!>iNp9Rnd|*Hy@X{Z;4SbDiuMd~Pdln=>-yU(-V|zFac$?FPO8_-P-d>EpkKBR z>)u3}?lXAL-02rx{#dwn0OWG`bxld*#a|bo!x~X$(S-+HQUhUHU+gvldA(J5+5t4o zEaWQ#gv_?n#?ywqE%*SQorfkoZEa|S=`vF0(yTVGb@v9U{OWZM+%yQGo!u;|GG6p> zUEu4Y2fc`)y%!5a%|f2-n^H$F{+b+eCVzHP)nruMqDJAr)E*VG50L#{!V;K{ztZ2z zN?7bM-3G!^@NuD3gE>t|fMk|@=jNxH3y722+&oGdFx!B*`vN&_yb!iQGAu-{I?s5JbL1tk z;#*)&$|DVTrm4_>N8Ujl+>?0-x^OfW$ZkTYA42g~xk6*QS#9DwP3UW@lJ9K?etv-r z+H+wtJAkc{6_=r68GD~;YLDui=t$}IO;lBKW^tf0s-;JkhpBTIWP$=B4=;kT$<~Qe zrN*nu?sxg=po){+%SS0Z(iN&S+9F7aD?Z-ay$X;%Ur8u34jf$-v0&0N3V9^2)0Ou; zP$#nh8PdqH{GX-Bpa2%BkeJ%x)Op21C~*@0kj!x~CUz@ox5J$c&48ZqO>ib}rzs&jrwVZdiHF;Y}S&*0w}`;g<_JPgxfT0*o(K2DN2f zS6!hZeX$iX_?;AqD>19z{=5oga@I<{G$4KK3+OsL@N`zBH)FQ!(^r7Vx0;PSVkZ&# zwT=6?q3hQb-q#jx+9|r-kFJfP&_t7y~`P@psATCif6? 
zmdgHXXW~t$&^BiX3)GL(B-yLeBQ4u3Xt09_`i=m zJkJltiXpB??bMkataOJHpUv(DQO8Q1OtiX^TmlJ$;b0aA@K80qP( zw@LL@c~2{lYZ+q2)>2A=^y86{|0jO4q)8gUBg7$_Cel{`?q?^lLgpS;{YRD7M`g1P zS-~k~ztZE{hXtbBOu)Zgi3D{Pk_?;(Z!-1bvyIaX^l!HvC}1Q~xHkOWK+kElcOUD| zh~C18raCErx5lHd=Fy}h2k*PB6WA76vHC=%f6WJ>Zko$Uaxy1nafwZ+Y#}T< zhf=x7LnzcH$5%e{KJu;i<6)}zx@6%M2>+MfNwXh)8|DP%hb-9!Q)Hb3v|(cIR@xLt zA^400^XL8Ec0o+CE|wY^Ye3eQXT&u{I}1ollNyANI$zyOB2#*=_(Y}J0~o?{CU zN1JfT{5yO7_!UgPE1#Mn!O_EL6a-z;wveDE&ORu!4U}XPW}-4SL6VN4 zX^nxlYnHIaAQt;@%&QlDAw^0V|J~2veOKeb1Jtn{+2mxdK;*fB356 zl-aCp0cec?$Xv#mCGvKLP5?MuEHJsU)3r|bELX~J@ddWzMgpjatN!9|K?wB^7-|Mt zF5Pt?BuIF2Q(n2=(`(el@5$gbd!|i;VUe^yIS?dl@M5a36)3@`;)w$tjDebKF%EKR zadHqsO%ABmrr8;Qf@Jm2XFU*L`5==o0#MYjjkGSw=JgFi+e6Kxr4Ktu?Cq3YXG+P( zjJ#)OXg5)lzxia*yN_OcWGi_uIaG1|w4m@c;|WkcMjCldJ}JFS;jUf?Z5ETAf}pS9 z79uxw=5nhXJ_BV+1T{ZUYpLqmd<$>w0-!)4)iZBnWA8547@@KC!8cvbL5HcOKs6IV z%u~;s7I4tbhguzIy4rRQvFbv6IWb5k+wDKS*%dVDs?2+zqd)uxFcnq|E9=SH0u^CT zY=ZJ80AH>@2_^Q|{PrE-JI+@RdPBkM*{n8(i?m}wtdKX zFke4dAasubX>xs#j9qCXnj~txejPs5rbzGlJQpQbn?Y?7z&DMonh)~#`J12n2NeMH zxX6z>L<7$Dw$hZ4i>R~xW$bAN(D(^Z?jS>~IL=pUFQ)8EaE*Vu87)sNJz+V;>9^3o zzewYIQ``ex*79Y4c%N|3n2vfh?#y(*)ai^10H@#jmUwKlz-Gmym%OMZ-DiKEGWMM0 z&O%&N%NWj&ju7hJ>uX`lpDc*r`gg~D9ey(*S=Z7`Zptq&Lo%RD4pz<3&tUVD+v0-mZTZTlzjGQP_) z*+_WWs-JyFZl&SP_~v(1+d&TxObWSIs3;q}i96dwQOI2SNgYVWJsCnvF0n!f={c8z z$TWAg3A0FsVI}cEWWW_*;Z#2TZ%w>TgY<3ZJ@s8}F$Vl_40nJuwRPQoy(qaL-6j;V zT$)4$BEWi6dzw2CS<&tSEX-2RcFb36S6Hid?m0{uiPuGliaPv^d{T_W>Du6_e{DB* zRcCWvxBbh&XRignCri|On7i+$?6yMMr3Ei@%qClO#rB;9(htCmF6w{pz1X#M{dzud zWc*^>?q3z|rvA0$p8=h15iSSUIIAW}fSj1TirbmK*+SmzJK)+~DT=P|;-~X1wrW&H z(u`a5`)0V8N^F(3m2WbkS>JDrH(h(4K#I>Kf&ibG@6Cy65_3Knu!-4;Q||Jpl^M1s zJ{V*euO?N1DU6$Ej9NSum!S)!itZ^~P0)Tk9N?nfwS9Rwusf(g-X?nL!~OG#E9ruM zm%G0zeM#8@`Dw!>+`8*ky0lnq!Esn0UoZO6a61~&&ALnQpS=4DE{P3N;j&1Uhm!ey z;+WRTDn4ekU?!L%KAF^(`B$#+@sJ`@pRzZIL^nfx}uvu zdl8A2od<%8-r(m$Eqwgo9#Jg0s#2~dS!8>*F&tJ%^JoKF*wdXHQ*T$?4-tG?pkKI2O_9%9u;HK8g~6k-ei%b-^Emc!IZj5phn(k?&G*#nFWvU4IMe355@aeelPty+ 
zWwU%&NEviD(Gv~c6(HONQT0YG+g)uDcIh7u7j6*fx)v`cpcE+Z?t%5k zOM$Pii1&E=IqVre`-X`nDQWQIRD>v`RGok-mtFkM`yZwlwp|R~TSLW3Y!r%SnH2^1 zdnfR)iUV@`7IM$y=2Kl6mgZ!6ABvZ5Sp{L{Ja79)`ACtjV6UKsf}ivAo!y?_SAVO z{Ja&`*Ovj)j< zv4+v=Zc;xM1jZ9mT(T)#q1CMIp^UC)fPI{w385TLuJcYDh8V`lzB;wWy?}Mp*4Yug zbPv+h;0VNv#*O!3)nG51XYcKWKa9G9;Z-1(Ly-I#9CYCMi?OP5l(RS*@af~Ni+Hlb zy8nQOubN|RzrTYK9hrv&xG#@TWRJE7lGBHckPzT-(28T^<2-ef&CaKe=sdnjH%zA>ERo9f?{h5Ube-)%{`~AhEN=lAw zE1b_yxg^ML$ZTlC+qfo#da;yY+pzTXeRVU2&=z3fLI^~A<8tjCVwxYz!@D@DH?*jS z#!18aMIQmtqajI4TCKODT@>L?PZ?BH<(Hq5{#jJbNAa(xRYRRJ?c1NB*5oG{P z1K%&xX@{*21T19c@hbT)(KhZa)#Z8dbG@Y;rO55nxvqI+M2f1PvuCU9CH#XNAPxP4 zGf5*FkKCsOe0n}S4D0{?MmWjw`_T&<9HCNdU|g68|3!n9ZPgQ zqwQ5g+8+f$xwD47i8AhJ^y9-h!1JKCO~8`v=<*se$gOf2D|BW1E(C=RuhY3juC8zR zp{uV#pXl*jxYX^P1=60e^1aIArV_NE8RyY||2}{6ls|Or9LU<#FaTS)o&oe{BH7;q ziPNqC-c*0)A{oj`tOV}Tx`EM+^0R&c%+r3sls=c8(Q|8NBCS;zLp7d8og|ALdid`v z)xJ5V(G0HIW!l5(-hmex9nhK}D6xrMezrL0=T>v0Cw9=Tc692pP-y7b4PQu~SQ+}} z`W2EIYk42-?y5~hpIcPZzWATtexU#|1<*jfx1NnP@>|J-LYyJ zz+JztZt@&aC|W6TLk{%5(`UztBWD|Z-{17^93uoZ>Z8nI zuK+@?_Hs^H(e9DE@v6P1hUpWj-818n$Ck-oc~XK~AK<7Cx0eBo|{LR#+?&IMYEm}y!>9D;XFBaqhep8ixnLGc|slMD*^qH*7xrHqlv7Ij(|)y2zbLO zxa|IPr{|Zz=XGQbE{ziw9my43O>zK_ONv zK5@&{+8rb5hk5s=DGn3SE5^-b{hps%SR<45 zLvq502Zag`Rs*VtX9J6^0&QElR#v5@6k;7!=3u?X<%R)PoDq#DIBy?-uEW5LxBz-1nkD`c~LVbz~DneS|C{1|b{9hDp*Xa;V~TU1`M zlmaJF35BPEH7+8h(FFDJ>pHQS_7``fs1uIpdQ`mb%0cW_J1Mb;_PvK#uhL&h2(cJ$ z81M%wsiS*vAR9~{wF*=kBWS#A6Us+49?QORj{iOvu=o0@i9Ia&@XK0Ulojrzld(rf zyUKySiKyTvO*1U8RmJXZ7hedhB1z(04HXxC-Uo4;xuX?hT(7lyrex21XMIs2P^ZN; zY1U5B7_4Xk2^A9Px~F|2kbV7< zjnwY&ZYuTW{u~7oEVF?~Mrn`;|5*0vhC+t^_=IZE48IlM{1`=jMR}B;^tZ-K$3RV> zbJRc1GX3l>bBs_XLBO4r_gAPjY;{WUmtoH;S5kvrUoAmjZa%KBj%|5NWb!FlH!s>f zZ7S8)9NjsUBuLo1-|Y7D$%*ExrHfwA@J+=jC=n{-+O95v4MVXhjc@<6w4)p|+97_f zpoXW!&<^u43zq7P^I2AOa*E$yzdqk+|N0~sqsJOwsl1x^qD?N%d-Zb%M4fZ*c#_zh zTva5!aYw7c{Kc*b1wp27wtLV}y^1f*S5a2iH6p9nKR2YR z-kkCi9d+zD_)vXUh^d&SJb3ANrVpD%Y!Y)z>SUvtvSg{zaXsE0BZbJn9wvL~7HOte 
z085q5lxSoyjP+v%wJZcP6*UU{5fvKD_x~9C>bNSqtZhILq>+{e0hMl$ZY5Pp8blhT zyBj1G>26fI8|iMOySol`$Zwx#X5M*b-g)Nzen0*YICAcD-+Qlht+lS}+LdNr%C1%2 zlY7O#xi+e&)3g+KTnNn1uhexkcv+d#+}tXSc~Wn;Y-zaF6yTXtTcG!E)yXr<);y?sKWK&9;zQIQvAf~)#Myusf-{`Efh>=d_h^+9XDK^U zQs=RnOan?d)2lbwfX2%fLua{djUdUEKJeM3h4NtqG?gxQ09j)6Snw=G#0K4{TtP?c zUEd2!eX2%+cbata4HkJ)x-d;t%hN&JB0tk8{*+YH=kCgQ{Sjk0?=!f$EA_u~Nx;2e z;>F8b<-n-PYa2T(Y;ermHC=Z?fNnQ_b(6^Pc5F%;)i~+6Th-~LfPboG8bft3dBaXb z0WkhGx#$AXR4@eRW1eIP5nf~)Bn`39WFsjtp@K+6grTu0Z>&p(+w3TbRWBSi1$KHYe^K7g4V9*CP+{Eg?A~dI@=r#b z#;+%eEQ}gsCsIVTD0f0Ek{>pxD?SwVPfa;8dsZP z*#90Bd}<3V69N&ZB8<7m09oIt&XMX4mgxYao_H;Hk9FMBdV zW1`ItzVCG;afCkVfa=RTGxegef0ATR$pH7#!&tXI2a*ow(?~RD0C^@)=ErDb2OTnU z$7yHv6^9aP+RPYvZTMj!KF^>3ts-+Dt;uOQb4s=fsWgEMFheNTIXgsbUozef%6>3Y z-%y&N=Uc7oHTJx_Op1dWXI4lmS~C>#GR@2-kvDlKTZjLA|1e@*Y3y^H9rRmq!nZUQ zVUMf&gf6(8bC(P$Z$XTPqq5Xo@}EcpqXO&IK{k>B$Y%4+E|IFdxzNLqL#XA8laNoP zbkCbt?*=CiBF0VqEB-N5ZeFYf#4}k^)a-9tKfl0L8Z1YhU2KB_tHq>CTFuFj%AKce>Drld0JW>%n)y|k=xbEE z9+SB~Ci$=>Nkd8C!Yrl9q^?1w65<1u4u2AJ+hKStb`KQ!Lw75zsrV>}>u7uJ$Awpn zwnJE1Z%{?A+(il!T+Co$xM96mcD}Gyx9=rn%>Dwl_LhW_tjb<`?R8P&&n5_W5yuKw z5l#HQO){;MLChQ@_+}!LtcrB`)aE{YSmMSD-NyoTAP32OiaRyV!0dM;BeSq)=e4{m zmRxh!_6v_sr5yz7qG9j5!#3eiiH-?zhpH`vhbSt(ihUkZw@Ea*UHqZ3%cHgV%pLoX z#Dad&v@tio_BftLNV8J-1#I~xZqz0$LN3T+Q-tqFjZ2M+_?bhWj6jw9Jbd6dx^x-) z<>S=Z-o{7R6)$*m7fQDKey~x;Tk3PN!S8~Ne*Q7R7SRDTGoAKD)KhABGwz%a!gt!g zpXFo=+?O($c`|CNay0Qg$?oB4i`xiT;)HMG%&GiFlxme&tImQtN@-SiC)K26{soTj zHu@by>9gb3h{Wd&uey=PLUW6q-WOie3u`ab&$vP$s!7~rYTHEV&s%Oh_3q!bu}o0P z#VMUOjtJm0h3Z!_vj}So{;kBV+^8J2hc3sQO#ik&mL$Gzi1mJJ(Ukb4=+u0npuJDp zccv7}7$N*LM}9eh(?q)POol~$tYNMA^(pf7-Z!fN?{y{C^mjXEy2^>gqqV)Kh+GV` zzJB(*Q4^h=2{Q|L1ysf3pXJS+xDvZ=xU$}*&KUA?y)ZT6KKGHMyavRcZnIZ855w_N z(_aq}eG8tI6|vs0oMc|qG}YjoXW4!^c4%{#Ib=3A^37Q&UfwQid@ocxlU07^M5b~b zzff2>%s9v$^5gd)^2TN|{gf0%Zw0B+H)IW>^mUX}*---9lU=Lx!^{RejGt8toWaC- zKQAX!H&@-*F7CyAMZ$^{L}gz`)ifa{FmLw#Hh(~r>1{Aw3iMuUrcyCE z$QTLLb7Td>$KYHuYqy}vgE7wBx>5p;qtPjf;#_xTj(2i;YF|!EmElBle>(H+Wc;F$ 
z*TgmB#NJu?;ut~Td!c~0Cl_rpyE)(jh9kzT8#DDB8$&*2ZM|TUhYcTt4njw5JpV*l zOMeAc)|bz1cw0ya4L2DRs*NFpXg9{}`}DO7hT|_inzmWZ=pgJre#UiIGB>M?>9?bC zCF05Bwv8$)C-IT#?(?%mUMdQBHB{u?i^VE_chJG?NOW;O$=vOxi7cq93G7_Iz}n56 zko2r~)=$g5xwO~1bMqtvx%ucjUUs&kRiYo$52n~5B~M{?A&lhqZS(oT8}6!BwvF$3 zLXcVIHF2GjLe$~OXOH-GoO4*%6Sx;GTyk1Tr^ROWD13upa>V?E6f2C(XTRR#@uqj0 zSA0;1-pLYAj6H82`W}OOU0}t@Vj4x&90nT_nI{Ti=D9u4nae9Q7;d(C0&bD&)n16X zQ;q|V8!t;JpqLnr?Kx{;`^KF^n^equ#P2#dE2&Iha?|-HpJr)1&*@?sTPub~Uq!mI z8xriAZ2dO$V8FTDWBXW4HzlTsKLE{gL?n@TBT|HA{*CoOW;)Wvc10|c2ld5Ak@{{r zFRL~V0&MRf13G!A#-W9#`}wQ9pXY+j3b{<(B= zTON2iZ9?P2mu|9Y=`@z~W^1af@35y7tD|k^&|C%wtaP1Hf6_di3@o~{l7go=z(0P{ z0w@HN+o629iXJ;kREzyyLd}JqRg^5@HJz66lS0qkqpkS7HTEj$B5EtH**CJd?|W4= z7N2Wy54l%Ve4|5UjUeOaCR=m*6OEw`FJDU~uTMP%Mv2RX^N76#6hn(=Xr+oXymoiA z^ld-SJQC8HMk~I}DdMtFx=^VwjTnF8&jyUg3UO{{;;1IA4L*7Gc@=X}NXjSRD!;<@sXkq&Uad1jqD*O4?}F1gWqGw2 z!ItC0638Ls5I(jpYz0)K3i4(f)g#_i=t8~c zu%gx`mSQt&Lt1D`ws43O=d>3~wyS#9NoOaANzyE5>P4|FZ zV4vd@48t&Bq^i|5yM2y>`gkAy!-jJ4U(A@1X{25a=@y*pNmT1E<5S19=$=V^NFUgF}uB-7K?*w)96;4y3{*4b5^Ckn7B*C8AZUeEpUk8 z6o&rt{8>CXS3Y`8wg^GO;SC%`;4-yNYRH?U^4v5Z;3)VxzISb^wrk)nFtoj=O;SwH}+>qtG?b2a-8xM^#LJmTju;}8l}P~ zyRW=>b`qHlbS?)g55qVHQ2>kCF=$}f#lLm@?CF7<>5pp1bKnR=)^rk6Y+qwM5)SVo zd-!(y<)1}eBD6jcl4lI^>()Tq!tdk$CNb_=%$?tBCQ?v3NMOKSS*#k;hj^p0=sqfF zZ%3oOnu!>2!|e{qxqu81j&eS0!7}T5=jIbf9?H_>tQx8}Ygvuaa2gUqXS9tL5l4O6 z*wObLuvMscqrb+Ljw@%IHrA$io|mT?&dLrj>J*JV)w@ITXyR5aWN!GFPGORGNb^ke z-mFxZO9y-1k5>}D)J&*y!|(2Ls)_TBBE|2gCz3jsDOL|{09WKk)fMJye!@tY!4ixu z8I+hfPC#jW2Afv@oF0^cjk5P>m*T)E3Dc$fo-(SvRKC#3jJos|&|~z2dh#8_!bddT zDe``eyz$K0g)>8kWX2IHC%0*H5v%u|vtnF_>8a1e(G|XY6B-;>l$-~hIT@dW@zDEz zrk|S#q!PVK--|bh=!tL}%z+VD);-ixpI-zdlEff*9XH4sFJHAn#c*>56twOg!Km;L zdUvQ1$>@waDF@UW2iI2c>6;`4*>FbGr}}bCb22UQMpojL>o)R66rCa%0TO`Q$70A; zhEi}c`bC7k@YS26;8v8152etJBsEQo4jbqlNiB=b{wyHLl?xHO;K-^WoaIUt&7T!z zEo|>Lc6F{p9w+1$y*54ix;Q8NRe{a!O^Ex1O^Kwh4FT`?S$ zd*ku4Ieef=2lq&LElRu$jvtyH=-i|`dc%P_*})kM+^Vwo_`)n#`IsrN6|0L!FN_uy 
z84Bsiguw8cG5>W2;bSJkVa9{yAd1xAdh0r`EFn`8knOy*)WL;shX69n=#%^qtuAD51I4+AOvc zP~1R6ap-=3fIO5cpr|MB^c;95$kggFUbLNR8BREdn@-p{F!OWWX5%MT^lY8po5y33 za2Jf(x?aIhf&%fO;e)N#&#i)5(Y2B9w!Vq=Ksn9E^Y?U;D0KFDkno)Y*Ax5BxI89` zxhYni7nXD+7L;b67ykdyGY@lx+ zM83uqf;U+{giqOUup@zvM&Di054k~0MwgY1`Jp+irCbxg7agZ)x@{@riCaQ7qQ-gu zJwkqT#9~ve`RX_0kvxaXjWiFFeA)nK+&z_bhb%k7ryG1)9TA)NW9kfPb3qKG&|V?a}GL>56`|0+T;5 z7C)rdc>@tkP>g6aIrpQup+qZr`zrk%wYB)b2QxH0TAc~&u!-mu?yAu*arxsP!Yb*f zjm&bo+ArNLuV5or)c3;`AI&7-pnxUuLJP0!sJiK_kdgN>{nC4??yuZ^vIFvWA3g{| zjjUFAg?=LKPX*y|zQ%>$H1lA{9pgSpiK~s#`GwELLp~`APk?IJ-fm+HC=i`#Was8C zdRSf=-XlHqX~_=KI79TPLL*Lm7bvLCYsHGtPsBSt>?}>SgSNsnHv1Vds1t2$qU6us z;3x4E8cvf2AujATI!>1D9mpvi3UU{PKDl4*4DU;xfr4`4);_ukB2%7YP zQo=)i8`4SIz-Z^9^_Pjl+{A;G4Dy9FaW=_zg1pb4lO`8M9|};|>=$sAHr_10xLXW$ zBi!VgjmMI(otHPy>@psdO8aR(VBq-@;SeubE^T*(Q@{)Vca>$wUGOgB)n0`8$cbxT zNkzJ7j=*7Q7deK5zNG$V_g(#%i7yliP0wml74Za?iZwE^W8wGB#3GdbvE;9Efw1&q z;PycE!WQ1FE2lDRid3gaMHYH|+MF_R`4UJMehw_?lMa09)N>BPK@v8Rij8X-7kGus zLYfav^5Ro5FPyShAGjMtdyZfTjr(XLIBrCJ6s>qxlMVUMa+f{vXmL!UIZTp^eAM)0 zakmHgI^f-{sZuX=y<>4L;7Q$C?g8loM62(=N&IRGlG4=*zKC-SoAx0hcI8V(E2Iq_ zwjfg^|6b_@){!i$DC5d#!Gr^oxDgF+GF8$m#b zipJZME&`#5fMY76M0Y7ALt1qZ-5&kQ3rTnT!ar7W z2%|+!&i5i;jAfdC&@!UA7~>p@X;O+0RaO0rU=p)ox^ZNbEN$mT^26nH?KWw(GG8U8 zLX{g{8x?*{>B*XW7uU5;XStDvHIFvoq6>G{dfLI$B8E9*NQ*^L3Z8csrIOsdOHo9h z$r?wMvJ$6NWh)IB8%pjLa~65j@`hZrQuY;%3%ZB>g{;Q*QzP zndd6c;iqEF++PAzQ7i$CU~Fqo9F;AF*OC*TuOgq8j41pXmVnDOEXOA@RLS8d+^x9= z`_S3}Gwm7L)xx_U^Jjo{pn^g9E;_+zxCjut3yk>s^0+bJ9n3t&A_-d1WbUf_WGxbj za_GkRHj|^d9Kw<1e<(fhp(_mab+4?$X8aYIxI5mT9%*4#q_i8Fh(7L_KJmyW%r%k4 z!v6kZ^00rb-xc4KL{_lcqeJ{`7W_=$q@TMah+lYTeid&+9+kzX>HZ{r1 zRrfqfq`Xox#6uc8%^+o_l~evRKZ~Mi8K-VrqY1HO8^G8ae4M)SXlSR}nu`0sGX z1gA<2(-yMa{ZDZIaaGVe57W|&ci1rwwkZahHkUvVl%{>}-15phMlsGKxqP9RL1!|Hwjua{_0 z%rnAChlGW)H4jK4>QNOx&7B%|O+H?^9+YmM085Ot0;|%3P-_3s9W`4 zV|APfmM)(@3*}2gto%tEfuzy4#9IqAJmnL*D0S8t*`{w(8AfNy85sntT`~r*YBB9} zteIBp_~bM#C6v=qW%IWyPb74wNgvE{JeTNpk&AnbhbNnc8@e%sMRVi= 
z^lgUo9!D0vx8FouoeuM$XKP+|=%p!m1?ki7b&VMb+NhG&0(NN`#mh2CEGK@Q|PR}=8z)rUs0F>`op1@oi)1q-sC!}YrZ7$L+5%KxU z<0`C73Yxq0qWr#GY$H!yTm@h=`{4+L)1cRS%o8&-?-g6J92M~VdDF+&MG{eXRbO0w zRoJ}v0FQucD$j#D_qL=x`_~-y*7xg+xhd|+KXvI~{W_pCof!VK=wUGUH?Xwz8==Bl z#FFOfQx5mr0L^wj|!mbzFll17Cg7IL;Di@avFTWOk~zNz>$#CqY3Jsm@RbN zj=Sj?tKAGH#m`x*4;CGa#(Mtw!2Yh&CjA?+z1|wZati`I1csb-RK4 zRkO^yX5NXjKq0>6fv|6Vf8b%Z@oz3t=`jem3qbTgU8v>LrehyzzhWyEL!z~tNGSqv)3iyBa=TwCmNoYd2M761mBjSank{Lgy> z6ovhPxJ#cLT$g;1TY>Z7D$q%uSRSuE4-{ zAG>={{GHu35Qg?*eY!dXgHdkAiea&31B&bS>D-P#N4I1TJ-^uBeL8L=%EYG4l2VhPz zCs_eP4XWEgt#J*|gTL&r9^jt!2fa?7q)&kE4~#7qT{ctN!iYJ_mN{((7lCFoVLcH0b|+wjv$~4|bCT{DCbhW3)F%3rxmcv!F80c?&Wj znU4E$2grW>{un%StZ3ly1GmD;i66Ye1L=`ZxLydHjVtK`MZ+=;1@u)7P<)i>!vJ8L z3`3!EYFzG^@b&bNk$iqLWRPDUOmfhG^2lonJlAqXIxWEKDr>3-mp#SE>emV?9X}J{Q90_*Q@9|kYnZ>=Tzd8G=@1LjUe0@wOG()<(`AZ zN7^_a#uIHF+JyoI)a~=p0E+0~KU%@5wRJ$sL>GHwuVIg&zvsng{ zIIO~%4Vhi1|8B|$+fl5=s1+4~=P(QR$2Vrgp0yZWlOpCMZ zstd&ZM?m-gQ;B1XGqMSoR&koJ$*Q-__;kPc%*#60NMX5=9eH0TTyY5skCJ*kb;u(R?=BRWFpYD-~E z+w1mB|8#3aons05<rP^0|3e^qAWLK| zX8q~+|8WT~P{#3xizbqtMoxgE$$$vO7)%B^vK1IuD(Bk?1Rw@5y%;~^DvU4g+XIVG z6M2q7UvemtEXrR0p{%MuY$5?7vcj7!X0IWzMVEnVK@l&RhbxfL45|yy!|WM4wn+gN z_)}o{kFjUC5+=vq9?OHNWeRs`H*#x$Vx|rB+X(Z?=ELm4=0?6cUI5el)-Iv*Qq0gf zpcZaZ^gM|!m_C;0nXhQ$^@Iftb-UFdQrlO&Fu5pjoFIoKsiUJdEaQO~uqA(t32b}A zXloo(AQY6*^{RmsZJ~{L6@*UwI9A7X+Z(sC9W1Ovd)4OuZd&rkhZukU#!hpo89HE9 zmN?+REIb_PXhGeu;1ZhK43gmkpEbbpH2p5x2n5wZV8cBJH-$gNh=Ns5gcsb+He(O~ ztih5A0uh8U*>&gpGU&1FjTbxSCCEP5qDj)2f>ooyTeq>b!gQ<^kPV2pl9G%%fy>`8 zW4Z!s{m&)mkrT52+uP&Wk&j68JB;;dikpI)eW2MGGGiY~)gD`0M;h^R+%u>X7-m7O z_ySkClQhlfNn)9({+|yt@o~}eX6F9B1pE`M0$}^EKatCveDMR%ABOhn_z3Ox$e5%= zFe@HbAf7PB578`5m5Noj6RH0a0Qhf>qF|b5H6^?8_J2ywf9!`p_Q+>M*r=!=XFSse z^KadabR77)uRviLK$1{N3mKmaavYgS19u8YunE6Op8;Q^WT1@I2j4MbLH?WnLxq%g z;`HA=ZxWyXYRpMNnBls}(Dp9@qmm$CJ5eoQ288VF@!Atd|K;x#;-@Fr{M|ct0MDe_ zO}5(1M2W`j@@QEfcrvLc?Z`5gN^lfv#r~HSuZ&YNwD*EH;*XxC$*c7F1EzUY;7yVf zr}NVDOzA)0n|}!+KDj9NKYNaI*M0^3$K3?t?VmT?8%khJ1=k_^=b!!COaAe#o$fF1 
z^SMRjjemJC|MKSlbA9O|;Bmr#_WRGj{g*$m(F8;M%~<_D|8imfc-McqFcBZ{S_C}g zKMDN)z2=Ab{5*J;QvLUX2P9yX&WUoIgstS)*?Q z%yitUsSlyR;4>%yz>)I_`4^jRz`6oU_i8k*x7lr_Z|=Qu<7_2B9Dy*gqV{0yVk}HF zUr@L6Lw}~ibln9q26HLD0TOCd7^rqhyfg&*I27UAZN*hZVYk{}FwHxiT>P*p!{>-- z1zbM8qDNsA!b0f4_qFeg2jX7nkfLq$qw^6tkSdDY)#}`WhQT4L8b|fdHeXmV^)I*R z@84R|g6CT37?kif-Nxq+ubgy0Oqh2ECUB0hzdQgwNr6}t z8%zzNG9P=x31q7IM8i6E16*xDO27Q0&+g+PP7R1tXy7OwW3+x#E}sS0rolumhA=Qc zWvpHM8jv)pS^d-6fHeO29c1U&4PnFRw)z8Tf7~*LT zP3qpP5H16JjRBOW6#!WAxETq$j5Z5Rd5tO{&d_NR;=6HU$uEoRnOy|9XIh&c9!w zbVIxV)R6^7o4}MHnkm#U)wcIJEaNdNLcqPF(j@2Vz~WnrDgnxTb6O2soQSO<~4b4tqo+{J%0MIhRkgl+LY!{GJ zmW&@ z;8?OZX|JwLw%OlqBZ7O&S=$IQxuGX%bGF9D5MBQ*Ze(=kYGdpwb_ z@#{V`#7={i8(86z47EN0GA8mr1i(`Z|9)U^`7;Fx-mX?(j91!8j4yRAj5?F`c)^hD!gAF{Aa+HK8f~Tyngaf zj7P+W4}s)UjXos`%x=OMeiOV)Rn!J3N4gPE5#u6wSAt=w3>mQg4Hp4!V+@w@b{kF? zU3O}|)+XXGl5^n$9z0?b6c^yc8Z~l9aH9i3JYz;vzV|vGd?5EZ(>yCK*$%JgEjAl< ze)=;aFMRa)j$}zmWr=>`Q;tx+519ExY`(;7eliMQ?FPGb^U?zsrW589=8wh5+$?h`+@*=Uv4^yf6fI zK?OrRLMFqMEDMIul2;JAHk^TVD{I3&PDBX+GIRy-Y}m{whNldO3Wz-IyOBay-4J~d zc>Uw=BvhdgYDFGPMI#9klli(z!Wm{Dj@3m!PVl(DT*X?9l!;^BznQ9W5+9OnKm!4gIrhgLay9i-1?qVDzIqP3}d0{4L`bA*i7>}2>AFg|5q5h z79rv#yJ0U3?rk7bvDWys5VYh+Ho+{YG_$0__x!MgO2DrFy?BjIx$H{SfJw?btjlm7 zD&>N5#@eAoz?STGx0MwcVd)AommtR|=~Iq)_Thll-}!Ib(kOgii1BX{P^i9)xehZh zREyw52R1@Qx4^ovNf@{1!`5)dM75P}8U;BsU+G?iY|5N)iCDYQ8-&fFbj*iK)=cmA zjh&yvke6zunF`CvC^B}h%izX%)7_Q1*ZolglUh+StRH>HC-kv9N^X++r$Kga++9E4 z5xNU#M7aB7rmDCbKV^R?ObRyA9mqQI5|ZqNG+o?7uGG;I&3WwjPaMqhVV4i76sF}Z5c<7 zSi+|@fCte|q(ZC#MQozD`OYl3BiOJdDX#8^%1Bsrtc@=r3OxostRIZF2-K zwGe&up=U&3XcZvuK>sL$QlME~#1i;ECB^1o%^yp@-s|RAdMLRC4H)&56P6q?GHF!g z6E=TmiSZ5{jEvr*(z3Z8wSX@-vCv;x1vp6V>Wzy{YfptN~a3nz= z1O+`J3zRD&G4czH$>e;*7GB}hM}-=dCqHWlP6@9VeYqdJ#^$UYDz6*dn@bmcF!YG( z%G-X{_5gVc zhnzR(ozo9@KIBw<)=hqdRdvbc@M_StycT6dAC>8HX13K0JS?z3S5g0ql>t_a&yB2} zpG=I`Y+h`LH%j&^xMH4$kBqHs2q#sc<+`o1w&?whdz)(Mdh)k|kaai)#H&l<^(M&)?8jL>4nY`*}0Dkc6nQ!>)DPWDl$ctAy0=aNvY#pjZM=QXt%95rj?%z 
zVmdsIz5Ax5aJ<6fkqBwG;~8m8o%bNv=`SL+T<4Q~wV!`H*UFLN8H3w*P(!unVq5=-2upz|t^+i_Q%ZV9+A!B~Np zA;y$C<<6liBOyF2eCFZ_Z{SlWiB=v5ZZa+;indENJmItb_z+8L=Yz0Vco#{nHlOGC zia2U{cuBLfla9yPZ=Dj+sBDa2k>L1kqE<3$iqt}9wy}o|Z;nY7V*R*MuEf<_L!~i9 z@$@bBXDS!?S*x}3L$Q1OiKWJ=IN7MG9wCvYr6oH)UHR<9r5|1^^w#RYq#k0H3hC%h zAoF5;$cVTc>4OcN6TV_eDmq&=aP`c~;(1HxBxZP=s$4NsGw&TM=O{?Ld1z@J5j?lH zfe~vaoF_oudrY3Py+;v2EF9j<{QVs5APHNavPmJf#{ol4Kzo^(>k2b1AL)y5U4&55 z!7cu|w1i;^>>R?K#>iT)Z7cN5?%ty+T0G9wDgW(at=h6p1)?hn%RlyNZxQJQ4*Axc z_**m_lvWOwI;I#X2=I;Qxv$%W$J5M&lQ@hcxGZNl_Xv^#TO>>IP5axc)3ohIS>CND z?UA-Rpvcp!!1og=OX_xs-7hWB>pH2*i3=uv_C^W*i!VG)kQ+Hx;+mu?nsP)4+@)A<%`km-3P# zh!TJCg(?IeK+1AC`QErD1si4AYgI9hboBj^ZyRoG@+iu%^IfM`<_e7%>j!kG98Tep zXT&FI3)&mDvyRC&_Es&`Kw~DII%hVi@RDslE-`7EFzR2BmOcR?MGk#add1Y_Wo+Q_ zIaHFI6fkE?HN;6Uv<@g=GE-&guX00YA3RvX7c;%1ejG>{wlL4yet0MRpa;t)XLz$Gw~63bb>)>o~$$=b#3J zx@PX4xTdyX3z&BclU1@})1M|`R|(%uV^g#WYDlX>sG83JmWr)-|Km2yde#5DOPr4g z=NV}K*O%1%&IR}0rF{ukpwjQSAQMYsAK18@z2!f;!J>F*r8l>`Rv!nF$zQE-3tdF^ zdgV{Lo5kh$J_zF8tW79EYg$rkV!?Dl49nGzkmLrn(5+1T$q@7H2Kl;zN+qLOX)r~< zx=*w`;WSxlTn0_|O+l$u!4#aQ>OpWm))CfW7aO3-w+E=5C18LxvNKss@uQEk143|& z*^&p0OPX$jr-2J@zcTl4eE*1px!Q6#P|#zukEI0T%0on;130W+#fI0Tuad{Oovr255S{ThoNnH#s?JG%smVdYFw@4e51s8qQTZhTq{&M<)=JicCb!w zMxDQsghi`GbTMJ%r?9G#P3+o7ZWL!t@_A|WFZDiMC@LF+RAoR@wQ?4QdN&da3kh7`XA?^=>;HA0fZKCA@oQmT*DFI2&&6*x`E6r2}^fCZY{U~_9 z7FfKGbPgpHM%Vz)aTiIWp_0ex(&UOFlcB3sJYGmn$gcfeDi)Om&jSu3xHiZ^QT@Tm zP&goQ%#@K>;0&^O$}Fy_xA8@@q}t_TL6T{$IKd9*=!I3@LR=4qR1QSjwW;4&Sjxt* zyyXQA3v4vLA-{;jXj=YafM@u#K`t31_lsc)7bz{^quBG=wDB*ON$@XjDG}du zZpW5!Eu2?Ua6V{?X0|)jPpMZXoIbGEW)FcfXX?|Mya%Y^_du;5i{VD9E8|`|>GrnS+ zTWl+w9a}T)I{VTt3a`1tLH7n5#=)eUdH;G^barZjOmiLePc=(Oitj%O;NXPT7zGEd zr5u17DwnPmz4Qp&R7flF0j+C5CvL@J|3!m$9Pf#5rB(cd%WNuIQD_^P zmvU~z82j;YcIOkGPkVW5_Cfr&n8)9QNDjjf(4_7-O-I`==uaL?3m)JgW$Dc7$Jt-I zOtHw>)qCaBdnU>>Q)csC;3i`$^BF&6qTC58nOeh_K9w5Jrr_Z94n~;^<$ENqpkwi{ zR^X(Y=FVBG51=NYCMa?2qx-P*l+RAw{II6Q0)LzjmVfU?;sWTbG~E)v7+gh44Vc67 
z&yy~ZzT714XvFj2X4mtxJ#~3#Xies<%31=)#z)^N*i#AmDAf(|vMB%tmw{u7I@IFK zglV({FCH~GSJ^gG#?m~dLA8>Xjj=i#_|9U`x<=&8T92*xRQiq70 zO3aD>ur0e>_={xl-Y>munEy?RwuZmD1lIc(Dz59rC{>A5L8T$@c_DL_`gwMQra)jS|!CTC!SNND*~`KArx*`X$gZu z$Q{D-fkX(wwCufuvot zM!@k_Xp)|smsU2mf0DkqGXxG1&sOX9FY+xc59?{tme7htG=o0NIhZNANdQB^0&RdQ ziLKd!6D|rco^S>iHiL=g9!Qoaee?BB)v&cSMB_^V=9;Cp0Lc_a!U12xMdIg!tfO*g z2lKPQt5%3&KD17GiLPjt5^gXPN4do``!#4A8Ki+03s>8D z$q{JWP60>V*33v{)f^c>XSPbkAmQ$pra)Wan~}jT2WN3ov++yGb5NIf;E41a!Ql)w z=mD*9Qrf&mrlU#ML@L4H>jy;mN1!J&0|*Mnpz#=f3qO!f%1gTay-^d#*3v zd(oO+P_JJNG1u>XxZW#|OmSWbIR{PWslDlPyEg_C^>V2K(-aINE>agygSr8J#nz6o z+CWAp(nBV-7HKk#d_w)#kq8!TEU{q?T!RR6X9gPb)eLuFXXScmoV-}Z{!TH+Ap0k{ zqFik-0+^_C*qthB*ko494LjSL9t#r0BEkM1O`O;Q%#J@f$0CboZ#3S6{;L7#TY2_F zaF$JgeQpLgAa$Z2SRYEQ);PO*T`mXRxtmWG?f1C@^F!j^E=PNg;A!5QdC%+pK*u+E z3S|5{`C0BbVo_ee|G9KUJP_r13Nruw=X&+D z-t=s(dtf57EEopw6UV8b=MI=0lKk7*(GAwggi+YPfS`r^=i98nd(tWp_rXwthl!1! zbuAPlgZM3f7#+&2?aOsErX8DpB;bHaDCR_7=*%?znKUOO1g2?e@a9U=5yz|UE-`zR54 z4H}-BlSSGd#7%D$1kaSwY_`SunuxAXw^yaT*kpFVud$NYw;b3}N`y`U?!&IM@v)*9tah1-HW9)?4Z_}h8no%`&SuAW5(t|y z-lYYB{4*5!5$%K1DJ8IF%EsygwH~R6!egm2*oyyeUzDjL;D&}d4aR9ZCI|v9(K#R{ zsDojWL5J^D>*stsO=Y!L>ty!OlXU}!l}geAEI^Ju7Xp1N?dIA^*Z zwbH#{?5thNh&TXAOLz*{#u8!fO6E?9eWX)wpE238llYMz+v4U4R>QAzamp|8;X)x% zWMRSMyk~)%ghT4o0#DsG0&Y=fI1SZwq);W>Ox6$)Go-sc8u>8T5<`2DXoHZYn!*8p zXV%Hv1+oD>qL0&Y{XXQ@;wZ5Mjx_95;9W*!2`<)YoC!S~`SSkTDjJ#%6hQMb{kFhq zP_XRUnNYq&7LQNmwoJq-6yqm%-J)W_qp@A(8z3~mj=;$#7VRXwS2s>sm#z*__{<|f zr9>1GNOTL>Vs1W33QumS{h#mWF!?L#pQ-|vVs|JwXQ6dxqR<>=!Cxoji7ymaQ9%FO zv}s;S!>@aQtU6l@CHl-jLi;ZdK<}E?TjEzV_F3nE@1;d&7;#{hHb9y; zMhk}k$li@)CKAHqJX=D9nN_3fcjA`ZuKg zhNB{>?D@Gsk^b%%{=0e}*XJ1Jo}cMCK3uei;Cg%t1%}BaSq-ii2V^8%v0I@JN^bz; z58`mNF8MwN3_beYG=d%+b=&}%QM*(QELH(=`}Ou4Oa9v|Dd_M%Ob5D%!D1=U z)YE1Icw<)%0K8zSTss9#)=GYBRtG-Nz*RY5j_0WQGWnj5Zh4#oE8d1EFJ~= z;Savgrl(chtI`7(8^#rVanO*o>2c3c+^~`|^MPb6SzknCb1-EeB-4xK(XI%xU2{qa z=y|LZm%RN8W(1@NI2`8T-C^$Nkm==Y%}TR%W1PwmWt@j?{`*KCiDl`6U@l{!4j1)S 
zqNe~Hui+`7RQBa{&$+CV2N4(k`85#5g&oa=J=Ux+dHa69*`I{dL{C1E^H^tiQp+x! z3=D;JwsIitnho6pp3Yv<;e&)2rLBZ+K-c8KjP7qKRdy^%e*0lFH2JOi2=-?1eWbui zFl^8w6>K{gGGckW+(*J?_N~Pr$%_)Z7N^_KM*EWeW41JFL)oLa6M)99j-FM}KdGbr zHm3YvSEvXgr8kYbJLj;-Lo6}Ua$hpgeAcO;t>)5q0F&#t%^???Em{2E1|pT-B|k1b zo3&~_JKO{#5Z6Vyh3d&--9Nr)h76b37=_g4nS~oe9|v>IjvsNerzn?J zjeR`#P)7a|b-vm1PaE)L>Z*y-B*iXni6c#uL+02&Z6;PKtFFoJr|Jp0*e50UH%gDs zZ7w>i%=h1wvTGV__^=qww&@O39amc|aH49i&e_`b58bJMFcuK*X*!r5f1<|nCHlq5 zy3mMFZB8+?dz)duB&hSr#YTy_Q`yTH?)9J_9{VV}cFywkTi#(q=Uca<1yYaPpn1^q z?Zr^b{sNVv)U$~Ssn^Xz%luZo;xTGVvy1$l5sO)w+MdI?H_R?77aIk}Q`zeYsSL%K zx_UXE39FdvRl9#@C^fQt6^yfUu&%btwCl4>nbG}UD@gD9sdpP50xC4?9=b`vVzDZq zTK4fZg>CYF_G#El`Q;m_A9AC%D*<78el!G!8OLuH2=)N+_eAUl)P}2#-$BOTSxrE2O+MO|j>^lGNb;v>L$kU41$kWra!1oZ7(tca6tHlDTkS%29a(^bKie=+HqMYE8*u zM~x(ptDzOS4^#ABOl2<&KTqkL$;=-0^g#v!zH3zF6Cy+8{l=pN=%Wf0H=sU`m4kyl ze$Og}dvd$=%*fF?{!kx%5!Z8rPu{5OnOxGpxGP=3Xw|i^(}OmH?#j2>(c>t+so^-$ zq{99?X$*hWsJQIdP8GT-qp&-raUJ8>>Yzk_7ssf|JK;YWICSA|$6(U+qTh&a+Kw-2 zzC!(fJxYKQiQpGDowkNsyhiz+Q8OLZu43p5EC52RFiU(_an~}#TbJJBJK=@kro;k) z?U%U3t!~uf-wuEOjJubp&JvyjT!;}BPx9hjWeh=Tlo{Ckh>^_f$Mw%-7%;R@MC5L4 z9M~xE>$1!Iuscx*abdx(?4c6H#1ONgzoJb2R3w1yOiv>QK_YDRqp9LJVK4*7d8yd5 zwFwx4sP~FSnwzg`j7uy>qAh310R!Ne=?*nXUT=^luHr8<4v^3Y0K2#C!@|CEg29L* z#}0<$G;v1zBNwswv;4PS?0%Dg%xxTo5K<+m?ovqTGa$MY_q?ys+Q}q&a|=A8Dsjzk z)vW>CU2pAlHcc&GxG5edPo@i2KlM>DPZ3MbrQMA-RgKPC8FJ^DBw*4tHa>`cZ-005 zna*)VCqcYd;xNug;q(q#m$H|EyF0aQ$uLV?R8-Akvehvw9b^&w_q!K^i5*S)a!+fI9<HjhJ z*I`kw`~E+!f`}qgD%~n73MkSkX#pbL-Q7b=cS*N^N_R7K_el593^6ne4c~j#+Gp>5 z&S#yq&+otAb$P98)?5lR@Av(_?^isZkJmM926%(}Rh%LGmjt;pNU7?^IO#Z=w*ZAA zYMup*@bN`wmF?I?>m#{m)00crxj-88I_jgI$LCpe1IpJAm*>IR+bJk0dOE8|RFV<+Hnyb{WyFJkRB1;R%-qYDse+>0GsLp(riCb34V|%``<*z4P7O%TKuf0B`-9}5NX71y zE3Fjb6mkVdEspcqd!uPaN`X#iRtv8;cpxzstU5mVRzlJtdu_;_mVp^KI|mN?$eUvYUHkG%ZG)o8v4)PI&t|c&xu47l zX>lH^Bj#M-q&ta#$`-L|#3j*sbEOm?xv}@CTcsrs7b+S+p*tIpQhO&&Q(t`8?tG@O z;k*LOOq02$;w~k0c;}pV+OY%fqWh9j&NPxP)mTMnDno|T3imRlcrYek*}#sGxKd`C 
zjoW!PM_zXk|EFH=W$6=+OT96kEh0ogMVJ^<$#U*hsViAbF;5NB5I1Ru(gdWg}V zV}aq@SGlb=LCN^Av@ppq{@$60>uU=7Pg<^H46K{N9T50nxjgiXl{-uoDda&MnAEMY z<)n610A;>Xo9A^8;`FEvJga~0Z2NAd=x~TQfA?rWCUc}*nw3ag?EQUf-b**ylDD-F z7{7EXk1^^La^o%K1us%v?r^3i%*ABb`#)G#rM_}1aJ4kjVaD{sRkhfHYBE=!A>u6% zllNnVzGw01Q+6z;U*t|$F+Fl*Nf8gLD!RDhWRK$dZp7tKh@2~wd)g9Z9R|I8ZGC#@ z2%|837g^n`X0tUPP{6!3W>HpWsqe~Db@HppWHwAgze9kl3Akkf%56Q_9;WCxk1*@N zs;^_nJj|=;kjyq2nYMYI(EZgp`3xs_#Kb$53hFF+CU8_ccXAT&(Xp}gxiJGT+rUF; zJ*+|`X2dlDS$#gk)^}b@UF zaq8@;GR>TF@%?VuLBiE$aTkw6212(L4lKIQxzcr zlm5L;_|X04PBquA$FavcG@W$QR6r|Y-~B8TBF#ae1LR-jDSXbS_zO#|=AZ~M1IkYz zde`f8ex=)qui^W7#(Pt&7mVf$5{`(klMp#!78(T)$YYOyG~au4&ma6~*<0S5R#hOk%{%Yvh9~6l!W0ymEqDGJ{1VPC5w?p|_BMbK7 zJs~qqx5e;MWjksbP=&ahxo$6X?Ijp^-M3pKU6Wb7KigVw;8xEu@}#{QH(;XR^z2jV zZy`!Uy^R&FnX(}=D72cJdBJ38=1W$hnMnY7%&5WSW7bcNCYMEGPto@k$ zQWLym>NC9oedNQVvK!E)k!R{ z9~hnx4LZf(_)+%7yT)&*BqzjH`Xwu{q(Ak-Sb$yaaa@+;U8?F5J7npbkw@*O<(%D1 zS@WsMlq!s!r%1=~hHp)~CvCes*uw|9q1SQz&+dNE{4MOFzREb8WXy+GFn@OQ2rK4~ zjbW0iep1ri{96N-0`-@npbd=>b!`V1-XXkGY@wYS9C7IzL`0^yI21D)h&~7LprqVb z$5I{2>RH^AH)5v?mw>g&(63~`==l+j*`?#&>)FxO`rZAz_p7=BddilsaTxlbTo57) z;zIz6gtkuzA>X7`g2Yy`)F(l`rqb@;^VnKDgzVRb(-Y}7W_@I0@lxazI7)Xy@ zx49(7H$m2>TkiZ}3QPgja`{q@HWVILQL{c+D8 zxW~LFKFMJ2>vC}kX?ZW>TR+MRf|*hBse^sf#oB$;mSNSFaA==F)U?i3sFfE&#AqfZKz`;$(!yZewYR-M8R6u2hOw1n6}+O-*8$jmr|9 ziMCz)i88Lrt;Xo!{MHyR4G|m)Y$3Bzo7VP6I1hN&CWY?%sM3|Q#hF)N0c#v{s#M)*+braW z^WyHd1J{*`TU&uLp9yRRR0AS~ zgRl&P>#vk6G*<-gVrF@+%4J^?{vq2F*38(}HpUeSM-NvmeMuo=wkJ;1oDfbLLe5bE zRbcYzR8Nik+J&3ac zp{u{x5TZA=raMbhU}bp6-d*%e`cln$YGIQMS0_n}p;GWz-p1;?_b?c%re@K;wocwb-HrL+Dx8!RkX$lgBY;da zB!gA?Y`72XBNDVbHY0Wu=0_w_PrGincHIrznOTnt4VZ|c@8uSvyYWVST{K3jt>oA@W6zAS*Hn*KB=tBDY`qum z@kGtHuj6^5(sQX4EeCHxAdy=3pv>7WH2(hkw>y zL02`r#Lu3y3AH&zPFs8nmrS=O)`C#98O8Fr6*XCIa=Qiq)42*l_u{5%T27dZ4pnW&W%vT zlqSSXt(KE^)8x^c7g)ImR$={^j45)r{jg;uq{?jFe8|RB3t3z@$M+x-Yp|r-eM#MG zsnuBBpD0oo7!kgkmhwR_u)TIrCf~wiQL#W*i+GExT9bG^%s1PB(y=T9Au#6S+^#%x zTA3<#^*d}q^kmh(z#($|aeD5#OI2tYYXV124$oND&lY~^)Zo!JUbC0mRU-QtrTh>r 
z=4sAG&6o`ZNKc2#NR^vd=Vl4h57cgdZt5xq2?l%7W2Wh=5;@Ut>R!k#VywribG&n5 zc3uLVGRZksd;}6*0ey`g$Ii6;795AKv3+*tm@heDK5Z#WH+Mi_vR|FNo5#R+-B;W# ziG6FE$huA^jX9is6zSFRMBSS?NojVJv#?Dg`RD+HiTW@e zCRMVXtiTSB4S2zSW&U(O0H-dv(ncO0^>!(K5z{2d&=$KKvO%YuvtRp3X3Mp* z#j+c@NKQIc!W-NVq6+*{|*hDObdx-cN!*y3;0(Ja4(EST)Eal+h1CAy+AoQY36OJXGXOlQt%G- z>>6n7Q#ZYrg_D1~%{szSyt2p23R$JYVp52?h)>F2VJOpj8E}L-k=H)UIHOUl zu%eAA>*BF8-@~ukJ#omsB{d_J{4PA&7IWP``R zIbZv!b2-a()!J0tjDa{bv8V~6Cic>etLEj*iR{$3EVv%IC^zqJM*GQ=61?ftESpRJ zHO4yskZXQFl{Gq*f@96iL&A?$6W#R-Y^hcrzjpQXk6-0fh0R{6rKC}(>wKf9f^FuZ ze%8xQFsw%gOqJ5so;$n0=q)%X;h_g5qdCdB5SO(~!y8j| zPSsyVA=Yg!+#X#_3eLmWQmN#OTPcjYu+GmKQ&@VctCxh5KT_9P`VA1tl&Bu#1Y~v6 z2>;~Yh?r<@OyPLs%}fk_|NP^fn8)J~H963c(8M96`NY=Dmg0l0Z$9S~HGwG-62D`1R=yItx8o@)nix)PScXxX;=w6mS9vI748IaTpsY0FE z#`Kh{cHcH4x7MmOQ60rkbE@YWaWo$*JB<#4RxsHwtlrUZ-C+^eg<4+a*f-=B2IE}x zy3uDA79ko^5p~Kq3_DNzb6f)|eoj6_)tyDgqdLR6*lUj@`7^EeDL**cNu7jNtV~Mht7ad^;mUgh`3-^H7k)~ z@D>L%B9@3!V1OHon*zb>Q2mfTxv}3`dhFI!a>FF9wxV{WLxCP{&i$jb3UW1pLB!^k z!!#D{k!tMO$;kZvW^3k?V>fV45Kx~w=Jljrm{vLk+>6yx%Rv$ycHMnorpo!f%hzoL zF=OPbAaJtYMQ}M-biyyirgi+vT7Jk+(#bIU0XN5plU_R*w^L*(WEVBkELpQs^$mJ9kP3 z3%HcT7Z_h2+}elRI?s7esz)JQ7JX2O@YH#%FL@lNxbtJx70fjV38s*-)|ie%;p(=L$fe0_{EDb!Z3{uw8V97cCHmloczKSYlsnHD zHJ+GiL*>l=Qx36$lgjBvOsu9IWD9vifwMU#k51}y`x)qvD>Q7^}DSb-RIBP;W{J(JJJkM^=p{qBAeR30R zZ!V)8ha8i{T72nkeRdiH_O_cz-v;7$bTvnb7q+qa4ew|Zc}_6)dsU_5@Pv?zB6bqs zHmp&gwCc1q{cEC6(o{HB?7V)fC}DKQ@q3Izvtbb<&j^c9jLg`gWZ7(A`Qm)!`uKq4 zj<8@K&d2hXlB_7L!I@TaIyjEOXeBw8MCGW%<>D<$ih7%y%=b{X3!1gGC@Hm~N&F|f zIikZ2Lyjj{7Qb!Rom&IqUmEunbGW5gz+45!Sf|P*jc}-1cRTuxPu?efjF z7QNqLs$)sb-KMa9W77}OD9rFOf73c}#AI&jP_;9{qPU!nNkb>#F2*MiP8S6>5Xv)M z*Vod?cfBFId8cl3O)^`&E70?~@)^h9N1D`kUqzkoaa3LU`LQ~NNtwt@;1|tav1W8q zpx)~#8!o;J);;P$=kRujNsZIVhWH!`N1dSYuMgZc2Itu)OC`Tv_2RNX4yUn-YnKjZ z1ihe89wLuAsBAnBS^>Y!L>mJW!ekty+^bwg3!V{JnI{*DJ{FMuM1&##h3nm9ZC|h zDpYUzDTOuLh>kA{$~Q%byPZGIFz=ex>d(EQA3oYZu=&r*&c$k+IeMtArQdbgwDu%o 
zSNp4zLM5{CU~Q;!W!}#8kEhV%#)t1fZh5lOyOfq}!Q=y!X5Z)b|f1N~x0|c4~;e%jccI5^BOXmYAtt>j&^{@P;^ZhncpT_6J#e zTU-7~ z8kd!7^Bjk@H15uv`W$aHfrxmOC5nTx+N+Q~+C+rUz2=g$6Bo0|-p2JleXpB3oVkAR z&E=0l)SH~1F;PG6>(1YR0s}W?t!0y5-+~b_>o|4?71z`D7h>3dMYbMhA!wuGW?*(5 zUHDf)Is(?W#k@-8kHexFaN&yYyR>~=;R{_%soP`>hGRA-mKK&Lj$JK5KKpb6oSy7l zp|J(Z2w_bJdoF8d=+07;&_q$v)|-)vA1W3ld(~zZB~F!XhbjrKng^*iT~Aa69Mee! zi*541u+Qb4R!FtHu78&^mKD1n_@v>yPZHZgUdPM8GUv>C3Mq$E9hze z(6a3PUzOqinUwzf3(XCJ@b7hp;~Sm-;R^t*<$wKA!VmwRe3QZqUFrD0{TX+{d}L_B zhvF{z*Ju6T{3ri-U+^LLCkEHW6aP-ggsz|n5It2@EIirYKa`$A|6NU$N8z*eDhHt2 zhoUS0tIqPj|3nH8pq&l$`p3swdggJCnxT8kBgI_!{Qnh(|F>`J@lyP|=|qXjmL~VN zKmK{6{acy_*UERl;Y>Bjl3)Jz7JR26e5zFPLoWME8xSs=6sB0l1~>2sLhhM`@eoSpb+T5 z+-ntf?oZ-k*KWnW(o+AcGvc4m#Q%6v{rI!t+ThO(n=f6!4z&p+#T8)YdXqjZB{?k+ zG_zHvD$MfjHb&*MKBwKC+S8r~a=%KT=xzf{la%ZlDn6%iK*c};07rk>%SuMEFe)<* zmt7w0jod*jw0hEeqv91 zVd3uSJyrQ^3dH%Npcn6H&CQMXe|@ey$1n#UmMIjfo1xXd5^oY4AFd|TV`77p`$jMgclEd-;WpJy^#UsrB2)^A=lkEK$q?K67>tP3UZ zI_I+!ph+i71v3r!Wa^Y@|FyIIZ`bZ0?}u|>2L6)4oo^9_uY29&?hL9y{=sP&%9QfW z!FK_=Jrf}Cs-Ddh_PZw!qy~5Otf57a-Gxtbd1_Ghp&D6*ISDt=$s7kRI4!^lC<3y- zLBQ~M21Sw%kKzbzUGw`^$#vzi;6Gd`%;9!^qJvQkblXgw_G@ zf4WegqtafS1yk{HPwlPUZ?tg&z0s2$ormF>Y7Z_>E3t*R2pO81{#B>IYc9Qa1XdkQqm~W5A&2tU*`>Z{)c_eGz=50 z2@9~?yDis&u`e_k03S$4jo$uapWgc>*zIXAJKnbFG~euVDXfFuJ^-6yPl$aV?V>44 zehrcJa~Xbt8101hW#vJffo$65g<*%E2s5bS<*V0mU*ao2{QL9JV>7f7T>%73x5pCB zS%H3Hz-|z$<*Lp!4W#bseuB>7f40a?-7&x1<8lKw0+n3(d|ujS3u-V2ySQla=ZEN$ zeVD*3a2WD3>&y6CE`r3U5l!fR9aq(LFQ;(bi}Q=4S^fo6pu=;SvMkb>eINNm?|IK9B-^GSsRL-c4IO6e z6rLcU!1DZjH1v1Hr)VReKkhs5Vn4%~bcrZ4n;KOpayhY16-ZDWY7$akE9zyp{v`8I zc|*-@b8mZ2Z0h@HKWbRe)z^ zV+LCJfLVQ-xdUg?zy5916KjAW9jTLVgq{FHPJ8$ake{J|WON)zqD}OAV%XBNfPQcU z2orG5zyjA^ChP+s&vvx)A@wxM0R;&?+8BeS0C}iLo6ZK{>9Ee)cb8Hhs#-)*!`X{t z7Hb0jJ1*J$JB=8?uf%%>gyne_v-R>n-bIup4i;$%H^2aw1nrq%w_0c|+xUI&KWv>v z`2>Qx>a~z!3wC%Pb|qk3rE09GodCr+70=`5@LL^4N3-s;JEQH3Xrf0MdXT&P7O;69 z?4vc>7eF})XLJUQU=;8cO#yj58Dp%Wufrv6-!u3CnjwOAxmJMAGWzOSHgC)}G+4lZ 
zt7B{I3jAF4Sxt|qT!4^DCe8#*3nL)pizdz;5b&4(cmeQH&{+%QcrgmNqK;3%0-ObB zusN_I>^E~Wz8?wHWd1V{?4xDI%tH2BeA9lzbM@t$_+M$;^62{|O zYWPf0`4`5(|8`kFhu;=y2_gDLt`j&HL?DzHK1CvA`Ntswz`(;<5$>6x#}vWV5Ca); zu(Rh|Ew=OXauH|{^p=)@3k|mr^J-K{I>-d{htiBt?rt<9E46og_CgTXf6dat=N8<-+b^r$+$hq2XX ziiN6^Xr*qZiiknNAd5ZBkRU&^;HW^djGl!MW`2I@MVx0Y&qT-24!wV#bbs~Y4xNV& z4)G*7O*W*ekW z;Kfv_cd4HBRZNOj1K|!FO1^C>qR&qfYM&NL!)_oabMDZNt^tYT zZL}QMkETO~Y%z}ORr4=AK>5l-0Ds`#W@a*g5Jn1Ag7}VGeiINd%+Tg_;I!&;PK=C+ zUR*GO7pU>z(2ncy7>fPz0MVG;@QGnktKr|QEAzs>Pje%fHkQX0VuFqn0} zs>3spgd1DCfJAo7ekI=E^!Hq~fT!`Fm55F};OgcTP`z2Ml}q@!b2mRwKV;!!VPM`>)6J|9x=($2&z2ZiC83;EtW)e+Vl7RV49P!i*B;;UYI9_~RG96Ve1W zXB0S#ffnOTV1C32*ZkN}y$RDHnV0 zDA67X>D37WFXJc8?x<(*DI*o#BFM5ks*$)9IWmu9IuK|VFPUalPH1oCXKcTa68$Mu zHGaoX^d7cl!yjI#UM7IEE4P@1?~Go8N`Q+Qplg(a4~zJ&ze#t)QA!g8He#u2RhDV_ zN~P@|VqO@@<;s_XB1RAS>usytcHT!U?w2mk3jqwZ#10qG=L(-BD=6zoV5i2tc&T(O1?Ukmi&I(#aesywd*+ zQUAF_|9s)Gner7LWqPD0c&$S227R(PY7Hh)rWC|chZ!OeYh@!p5p5w^{?`3PS*B#J zf!>Es8}^il7#RjZ|6y>S+Jhz@Fv=eYeOT^}cD)JGs1h*lq6N)>xILLoFW1#4_|>w$ z;qo-s6@)1Kc^2uy_@duI&SC%i?Jd&u@1HRDh&&*#5)q~#0WwAB$+wA~j03m1K~F3* zN4nn5^b9zY_hj}*VmNO=i~$QROJMFRhAE&v7J*pj*v>l|p-lHR4B)`PPEX8iooY9# z6bMCM-ERi_p{3pVb;~K*c7?d`yt&#!745bG@wn9lwqVY8eH^?G|I@BaGa(in`1F8yoW?mm=(Y z?GNRvdwnT>r>TM#z3H3}F6;e5U=DL$TB;dsOFk-*yHbiIzv?dHbDJ+?kItVh<~beF zF(@p7-h!3QN5)Kji{8jnu1>EIPaYga_*3Rd{?y)ut|TslXJkS~icgPGK5vIh)sZ&L zpYjFv)BwwpmWsTLNC!GY;qqcR?*=fAi~+1at(X}CS7zA6Tsd!S`PBWP*C+4 zw=P+1yHgd9E=YhKmWMfTVLm8U73?IYAYCX27<`5phNPkfv=s$S^8)&@+btO}wbd+W<_s$&h`v*XK`VfOeRr-kH_6_bsi~O_uV=t0y`G?=#lwUG z*DUzEJ;>2ifd4xW#2IOZrl-K@NOH7rn_55i2JIH|MD8j!?r+_)Be2t0?ZOYf^;p2&*F>Y z*3hkhd*9Yw3HiqI`CtyfETFp3AZ3WdH88ITwKp@Ft}4F5|CY2Zk|G6hxSGAX(D=|N zd35$v=>)lz2(s*sOp2}?X;4SVxvB?cy3?ekiH@s>W|L*RuqW$_?!joxsxpYI0&r*L zz^0J_kP$Lz#~3burS|)N4fIgdzB2ui)H|cKoJEw%JS@d{AhKE5{-W3`AsQ!lFo90r z!G>zSiN4z|9=P_oTWwnB>h#~oLR>>uE`HUZ%vp@0*Ba`5nysQK5y~;*)N#Cby z)JavUT=MIV7hN{a$05!YDtsGNGAs7OIiGv+zZLTT5X&>eUhuES9t#L|Rkt}4xw$FL 
zszBCkb#ts<7qzw=-&S?JCt`J>*KG~l0E8P+-|L1$K2zu8SR6Cd$D2^APjcF?(tIPL zyF6xiqF9>nIRC24F3)%(oqYyZ^0;}Vp>emX(33r#=>`t-EWtd!9f(I<8P#j6)U4Vb zsLw4gbNY_QhZ5vaydn=P6TZjw=!qq59NpYa`U55{MFKA`xg6OpYJnH@vUEjiPHR84 zq6r4sjJraKyJ=h^s3|O}G4ObQ0~Xk}=rkxaIYtx%7E3juHNnW``M%T!Frj}ET#ic; zKt%R-HU+K{l(YEL)Pxq5`$LohXwX0zyoNqEP+}^*j)64}$kV$1#foowUoPwbvPj)( zAa>w5yV2kyz+ot6PE5T71EH&DjL@@OH+(*|GPgPwP@fpBsQ}KHYx+@karA?&t;~?Nmn0 z%*Fj~Umf}cNf20I;gT)gWcc!MskMa1AhhXlS;=l#TKvS|KCC!`UVLTAQpFbF9PjEj zdIClbhw&2ZUQB;o=e5LD8uE2)SZ5N-16d$y$guDT!vVtIaa8#ENi@RE(4yw(J!ku9 z(w@t&?LVBNTpv&GrSL(t(b*P9NRu{iE+o_)Jm>1YdV)PMMY3DuDeqmjZwb2qzSMVr z&4KNbXOUvxZ<+b+idOJzA4PeDlLFM`6SilBo> zoVSr(Iw6Ve!shfov_I-X8Tq+8ra;+XX-u*M?S-QaY;drm-!`H|&HR*qzp-v@D`UXY zeaWH~Pi*H9=BN`}#NI#Uc(Q&~>vtek=THKSUyin=%!jqRJvTNSEpZuZt%h<1`i?fJ zkG1Wy_*=^M%^%c_9k)8>=D&@`O_^D`FOVa5lYAZXTz7P^oQH>Th0Md@kdnG@2jjX> zV)|Jzlk%8UWFVT4m! zhiV7~)APuYT_G-B>5gDh9Wmz!xct_tBC>hWT!a|L>B(V4~Ag~2*(=K`mcK9rNL#<8?7(|YzdbH?n07yEpK zYQ$u5#IX14Z9%C9oU=_NFoya?h#Tuuzb2Ai);Y7xWcxdQe->;0ksoNX;%nl+!MJ;p z%3jMrqbv`c`N7u{OZvoV2+sN(-i-W_Q=ddO`f^O1l$sewWBUsd-uOtjVD*jewgM5A z^E5KL;;K#uc^>^S{gtTt`-#5Ii>`o8zx<31*VteQT% z^ey1IF;}j(+7d+Y)uS2?i_Pd&Q+B$TRDoU7w39X7=vJlYBGq7e?GaL+C#`GNo_0XW zSdB}1w`}atl6EkYd)v|*HLVQ1qAm|oFG|O6H&y4G?Qe&PKhJwuif4W{;x3#Wt=qjSOvjLn7u)0!AB?THCO|xbvr4 zYIM8wGded39u!thlclqaxdH~-tFW!<(P}PK2hR=|cyIt8O>=90O<#7i1&0d2BqHh# z20y|-l7uZ8x{D4|aawAQKkj*^P2`1-FSmeOsCjx@ujKU>V{86#y>FJ^cw#8ROui#v z7K^!gPg_e6V;>udjTor!a@r!t;+=~pMXxAB#}(3Rta{z|snhu`YZrS~^hte1h_KTT zHZo%|!!tSEK^*^~&~4FpuC_ucZXZjtI%7 zW#}_xOj+kjz0@}<&JbMQv6GZXH^dHzwjWb#Jf01pHMat1PrcUW& z377=M^sTFHn)D`c+-Tozq;vK9_xgh7KH*%YIcVkR5Fj|o29^kMEqjAvSl;b{kpab^ zkTHp8sr&tf*A@ZHD(}CVIvSWuX?3n@7RhGUX@5^U9$qe4vt*j|IXpEYS~1_zJlAZc zBVQKsY;b)moVy|fT-`)7ZXMeZSGEGZG|9Bqg?fi@`K zh{lb@tnYR89JFODtt zi90qQ{j!l**wBjqJmCGi9$>I8!em7x#I!n`sTd|5KIWf+PNp_(Ldz?!<3P(GLp1)# zPlCVZ8oUcTCkkgi`PtWN!u6wBe%7WPop&!Vn|R4m_)NthZ?CPKwv(&Rlo4wYOXFSV z;?HCq3uD;L3sF)e>}d<}yfSFd+CiugxH^cXbh?LF7UCT#?UII3q!mj=>= 
z{S03*=l!y|+AHz6PEL`C*Ad|K-5`tC#|POTzj_OjAaK6Z;`aMS5`i13V9Q+Mx$Xf` zzh6DcAu7{-?mdhzIF=WKW)%j35*1J_Dg_%R5V3iWuCg+Z@Z+y{ZYg_Pe>$O> zhc8AZZb+%E!5NUHKSMt6zKxSS8mDc;^r9RrwrvPYw?iDdMh+n!!Aw%3c^OVvAW!QX zc96?wYhbL^VP@kMA>`(NBQdcvdw{8NTtmUWZ@&%YS%y3dUl z>$t8nVO^kyfm|Lf>l=N2{wL(H(*d(Yp?FU%a)btyJa8rzY&=m*WrDKSblb&Hg%Z}( z)caEwNjSS8gM5HMr$y?MqrLlQzymcDfP`7k#($NTL z;%Pk>J|yq{ zGF@`o*+P!)g|6`YN|8Mig z31}^|YCoj3EqT4l9Ti$FEZ~oKubyM55;UC%#9b`{6kq$N1{o@6(L78U2on+ z&AvFlmv#x_cbK?okQ8&GMvR70-kare45T#vISHqRc|5U5de4sh3)EuZo_aBPnZd1TZYB!akQ5Uc5L_cgc z=2l%jv)iOcL|+6E0b-x{{(-1T$sxY^sV$|NdujBe=yqMzHgx5tEj~sqa!*M93?fE3)@`3d ze3MHYP}+_qPR*w!kMDpHalFHY)+fzjPPR!i2$4;WeiQsa(~)NaOxPnm0;S#`T|w)= zHp}O0qrm2QBsa*KnM2O z>0D)927PtSc7ZSz0J56hd;7Ju^cXZM554XPO$pCrqj0@H^17Y;-aeLwgPBrywGIdd zIxTwf3`2YFH$CMy7Rou2G1PhE$KD~{_>+2ez|9%rIoTY9xJxCii{F`}@(j_8tI|K5>(QbC> z0K_B_2+Z~?3Q+al$IvGH`D~8oselV!8|(0YQ&f@;ctK`&(RfWzDzdnHZt$Cq?v>}$ zD`vvofa`ET>6Ab^Ai$KW^Y7|kJYN;@#M8dmcYo7h;wVnwrm|P?(_tIVPpFPo1px&C z3eD?!BM5j~5m%IMpnZL6sEdsRBYzTz4G5~Oxc!}ySQ~4Bz{8E@6^5-5dBZ$`1DE-* ze_*?2FBp&1CzNG7*|dEDhBoy!Xk;W)Bx0LlBcwBs=n@ir$g8Sa@i3}OH5K`LfIMt+ zKr-N%&ScG7K#MuCRsZVH`WvUm&cT2V1UaN|2F8og~`V*ZX~A>zC^cU z1liFdQH*zqqBH`8BrDA!na}l!QqDnr(iO4`Fa{qX+}=bmrlrGIOfOIp+pwbf$XJ8! 
zjJnaEnQAM0P7333;?N)*BDeiptjJ1tg{q=SQk#49+zNKI{ZrL0(_MF&H_?~?4vOM= zAN>;RfkTFJIE|r$EuB^0p5v9FaHrc|A{Q#$#9f_C+hy}Z+ve;|r681}V=r=jVVPTO zRSEN_2Z8=KnVm!lM3J~n zfj3QQo~M5&t{U^yzG;db_=Tyi@|xqmfDHrr6UmM% zNkmD^_KK+tl;W4agpmg#4GNl{Q+-58S1MelDlNizP1E)>9kwRRbJuNJg89Lkvr;}|IKJSu>zIH1=T4X)x&r{(paqS_+3%0S z+C#_@HJbZs#%msCH)S6@-2}9+p4`a^D|q*~WBT%6a^ zeZ6)=3zLxg@OG*E9?e(50?grqa$}=Zr+0E2QK+NsRQ9Q0YW7L$jW4Dx6=jXqC*MZ% z+-`0R=LKe09L#Lz7j?~^E8)C=2eurfebADA z_;48NSznIwNW+aKQr#f3eEuQ?9#3m`>}>@dTX>0pN#HGFYrzCLvE}E<731VX70WrX z?v;F8rmkud>0uI64(qH?qsf{VA#)kj91}c7Y>0BC?)&=D9M6I~Wlz_{pvL~sS+b~+ zIZD~o73*ViZ|T^~@+bARz8O2LKdJLHF3tx1pkHeNcMS~;Tx&Q7M8Bov$qC95E8Nk{ z6|3=#y~Ezd=zz4>JyiE~YL>g+H%?Z+yCPRa&mLYd*&06rm-+pU_~{3yJuc|`GgS|X zktYhj6+1jB4&IdC{YD$NS^1t=%jva>#3K6mJH`Jnx6WTk}ISml|OFdcp z-W4hxP*eyNR_7{7U?tz3(-Zxr@?MCeXX>p@jOw)~0iH=UbMk%2TBonA76$g}a{TV+ zYqgmPV;@eF)>eX*6+TCHHznd+{*tmECF;$Mc_S-B6IaGhjg49?<;HU1uhTDQ_H?`` zIz^855tLuUpIWMhMUI%*3ot0XETs9hQJb+}MrHhEZZuWqkTOph|3gkls>ZW{)WoC| z2A#@Eux)KYq*?tPcdscTPa$E~ZeY`ZRf|m%PICQbxYzr!ug3X|5Vb{WltQfihjmG@ z>l!0l@`G%_3D3tYgl=}&@nr}W7PQ#8X3zew3>h~CkK`l&vjQ5m>@47SU8uzi0)zF z`<<^3M&O?AI>|9Yntqtrn`KlyL)ECBl$7Q-EuT8-O=XCOjlYjLszHsh1wFrmITUY@ zvUcOD=8DiokROgRC~xrU(IWx-3^u)>AWtx%BmTSB9_5u1gG#Oopo2 zWtYua^?mrMEpBk4e&OvWk;!{(Q)d;P=bY=DbN@LX<+S&Ac;EG|^{nT4)_sjc!5nPj8F}1G9qtqt$BHb>dYa{8if-W~ z+0pY_>XvbP_sfdT@&y^ER2C z!%6=HV{&cl?_|vbLzJR?g%iz7To+UOv%e)Wty9Eul_mK3U0q0-ta<+~yctPFB6;VM z`d!SY`l~-@k)T)XzsL9M-wZl!AI(LEe&SFbw+rWe>uZxiW*?u9!I-Z;TF+q?=O<2Z zQK4CKk-aUc6-le8dSiFVFfKrUQTb?`bhhr}JK5R-eiIQ2trvApP9%;$fBo@P^wx1HG0cKbLw{Plz#8rGS)H9Dm7pTN#g-yA=sml>=Uq_u&_EOQ#XwcUdpU5#=0wvXs{pCN*7Z1o`1-orl{*t9@~&t8clOF^7}dJ z+L#~7OH$_U#cd<1LgFf-C*rvZBZJ@KPe}|nmn_K$4YwTg6gP9B=8CcNZHTOHD_ZFu z9K6I(C@*51ut@7hHFlpcd*$-Kk2~t??j&1{_%n(4Vuwh!H}?Jsu8Jk>yl8*Av#nQh zWJ|bg#FA527uRmLeHHIdx#Y4-SErL}%u9Y5X#Bmjd5Q_)DQFn7YM8nXy><`A zeYNPJRPNU*4Rx?soyl@N4Pc9LY^~)Z)2+L?@Pv)09GS5WC`KUCjlnZ(sj9Mm^ zfS6yUPz3!kds}u%4#AJ}K!{Amyhw+x{r3w^Bx%FaMqxtf@>3zmoG!>X|d(Q6l 
zTBmK4XIy+Y?9<_*SDwop)j8R4Xkc7`@I#H;tvEAG;kX){RLND+@AgoiSZ@6QSRXzAIqoQ<#Z4%yrC zAu?Q`tze-)eV9e2{)7V&RgMS0ZoYj_N7FpSvyyOf5fIA3Jqok&92uaLyJE0Bq_yZjKIMbTTkp!&cwro;pxr$4=-lNb?%lW%{+D`dMiHS_V}8D zM-qGL{EP6xRv&!|#|g=!J>AXn0&b;AV-nsSkKA)JN&a>4!0FRLtH@4)eyR#P;d0Xc zqg|Jr(wNwFMtGuufBPi(b96@PDT}pR}|H1RAh~*2?ZMjNL400Cqt& zTT9XhyvF+Oj+cA)A;;hn<+DMoX2QP z6ERbbrJmxx!us8mo=c{Q*%sPg$JKd)BP$JbWKKshwqe!Q0k^i@kijX8={4=YFZPuo zl`2wC{P97~>mHL| zt>$^96bp7834|aTho5+`)f~Px9AT9M1LnUvNPL7%K%t#-+zmt#)6sVY&g02$!tfDE zri<256Ke7`&BT^hd0455JKodIW6Swiwiic*n;a}a4fG;kbMRZ_Xsl&b%d=2Cje~!J z1<-u89xwNPvc!E$)LaA>S~kp{DZHzmeEU0r8JTd|BM|SsrTKn(E0N7p^IpsDb_y&N z49O7FV|@V(l>DgDrAOx1VJ%?XDXAOlt!!GKV8qE)xYe78St&!CSp^PSPKDWDmd?4| z8*wq+u$W2zX1XdvPKs9H(Nd^LYWN05P|_TUU*5Q{ldY{kmowOozN}fESX10bN0{y#^42zz`@TZ5Dm;5DMmk>)N6ajN(YV^pKe5k{5xTcjD0-8uM#1(! zZ?%O;0LW&@I}>V5YpQSrzTpcL(<}3=F3Rn;^}}_z)d{pA#)xD1%9f%$?^=p!kPmc- zIE)*76N1sG)en3b8aXjG+B!qa1xCA%_^|&=W0Q?jutdgWFRSP6wQ; z37v^sShh{T@Eto^$ntZxpmk$cho5j!O_4M0TI?6t3rP_tx!2L<=oFgh@K1_$LHA|K z4=fr-GhIAM8l(}$xfuPfw*FO$HAQS(TsYBA_54kccRU?mj<>cv_)!`jXOJ>R;J!n! 
zqgP2{>_hH>JW0@b&YNXu@4>eaKg~|=MVV-$g$M5weD}J<#9g}sJA+w4z?{X&QYcZiuFUul;QsZ$=W!2*O_igTLK~ac_^CJ34bw z9r(xyAFA8Fk{#I_yHJ(aSnY!cu$G_*Ds>Quu8iqVfB#e|lLh8>1RPp}lhy*rfUU7I zG|GLH2u&{&v=A+e4hKVo$*kh!BZi4pidzSW{QEfwEnxeJ;DF~YhU=5^(?)%r-Dmpd z{}=opf1-U;R{u`a0@Q1G-&ugto1~PzruM2mhY&=Yj2ZP@LI`9q(MAg|+m&$Z!~|Hz z<6lRIxxzeACLv4vI==*lpxU5t&M*P9*Ao+38>Km>&0lEAsRU)jfpqE$0mx$ZXCJcxvIaNbc#<>Ezcx=4Znnph&ZVts)iKenS*~ zw-Wz@GHn0dN$P^HHs}r82wNuVHlnKXI;cwQB&U+SJHDls6rIT*Jk(bDBwP~Un31U@ z96kg32a>@$fp8w@=tfFUf-BgcfM!MP|4 z=60N^G0a2HQvGNB{U`VPs`b77*t@CFX(p$5sgtLdyUCvk zW|Fq#K^y)Pgn>a+OOh|bqb?YhwJaFpm?xQoKZx@;Tw`%F0Ajg=mvtR3c8uZ|LWu;| z)PU2W2Q`lD{_}GCt+4yU3ynt0KCTZlU~u~-jJsPGcD_o$4w1%nA#-a$dt#Tl!Z-r= zoDF4S2ZApWdwUBU%v#taKuAS@X}R27VivwG6EstKxf;9`4HZ29t{?yKHGjAg%zdv$ zfh?H8)B5X1UBz4A1ZDtRw`*>wCR4ixQSl*SjCYQmrhExHnMU%;ytAbnQ&u_mstyR1 zVoi}2AU-EMoUJWG)N#@zDIJ;e0>f(FndNAg|I$<9o&6TV^F&kH8cx?gKlA^78K3q( zJYb^m_TsteLogNGIR34zY)clRm_mESNN+C20dPAj{e)S)QQ)kr&JA0y#3scI?Vh}v>n1U31x4Va2j zkI!pKpQQQU-p*yREJB-o(V&?KS$v}K3@|PQE^Oc)!d5sis0!Uk!(8G$ca1D_U%|K!ToU%jFg9gXtg4;SDU@8xHsVfg1~ zL`}|1EfV$a`yq8083sJ+XDzSPf_oW5Lla@?EkSn}c6yBVuhq{q3R%zScshSp`dKu^ z%EWEr3Fa$^kPF^vR^pdDtRhZga(1BV8l8OkxK+vO7qICY!P@a0k$|aT6W?Q=)HpTC zoXRiBg$Qa}2)u_BfQWLO=ZzvHJW3GV1k6_KNA-sBp1?jTlKk&?`RBb)&aTMDdohBM zW27CSJ45jj@MX@v@r;xEHH5N!+PUEG;T z;N5+0kz0ji-2|WpNBNH);9@LjRC@$r#+%s|0jV6{V1Z5|MCJrxT_k2d(?D&bf`~>Y zv7X61S%f*-j;q$X^i?GcIC@M zw$_B*EY?Yt*}1*C!eO{K1vCJv|-I^{$$W{NwWrtVIqY=NU!8e>jM!F;Pb# zvE}{SSbVRX(URXQpgnp%EXhwMl zo#L)6gs=aOS9g9bDkb&N`gGBL$044Y`RsjPGcu}NTXOm8aMGw;{?!JL&3gzgltFt= zx5lQ1H@6)mQ1pq#cuzsesRupi$J36L|lD6yp_2YS#wM!t&Z(-VS;Mp_J zRR847OuC|O?aynq_2#9fT~5>8V_0^aQO09Gm&lGVXOk`mxs?)vL-Ow$QGY%my z`t@#R4@T0X=D9Rb z9lL^ny89^7192E@VrQ}ohS7ZxpAyI+K5@GSO>xel!~-XE{nqywXL#}dIg4wH}`I;jY`of$}e2_SeDa4o?SxRG37?cj|1 z_YyZ(QQ*AFOH5nk4;_{WSKr}kNJuF{$^g(hxYx*Os*~WdG-(RwV)n-yp`9@Ka}wNR z_*A;C=x@JJiqKsoQ=hU+IeDR!N%IUBEC4Y%VkI*cz6jPPxyU#(LC4A42q_aWb#QFg ze?n*Nt0A^yG|Hy|a|Q`E$~>5voebH)^u~5ZUFh^et}FfC6L>+V=kDx=k>$^dKq52K 
zBbJS%bHJ`K;ZetD!F#+7L;?Bb9=^POl)B{A^WBi?EkS~Hb=VDB-tr!@+!c_H>jBo` zI71~o7+8J5|JQ(4jyXdj7hd+1=I|31cM}LTX^>bKe&g1hF$~o)f?^>{s}(8GKx=AU z0a;BBVg$c`e!E(U>PO=6TQM^jIenR<5$N@WgF!ct`G7Vz@UvA%?VeLQO2A-9NXUls zR*(4ZbRJ>!54D4an60vSJPD^As7@ygQV&Dy*R!Hr?Ch1jNS$;8WGmW=8eUWRb|VE6 z=sd!VqoWcKgEMN~!5X6j{0SH}Qm2Qw6t_SrQYc>Lh7qknza&A{C2Jpq_7PEGo~ygO zK5;hYTJ=>^jUj~z%s}sMeoOq0V<{!x>WjWYHUVZet{$KpMRHNffjA|j9T&$3(t6>M zqpsl2qC+zPMQg;WdkWokHP+h#_!ltk4&KCDv;1EyTPxRMjTR8W6EZs0z&YF)Fr536C=3_VVP34<0H&MNYnr3rM`iHKqWcGA!7ct0 zQ(4WEuoP@6lCn3xo{BUOc!%91D~%{UL# zlWFDh6!XmtiyT*l&6Hf$wpf;-&BR7vyLUl)+q_7*PzuAY#3YFzqUeADNy(Ny1&B0GMs`x>#N{|>-CpLQagCCzQ4(7tj zvH6u{Y=>A|PHH044}@LzgS*zvH!tzZtG-)TIg)Q+RkPdZ`zX2dk59mqYV z{cdg8By1g6G{tGY8sD7@%ju<|Nk39+!^~a6LTnqP^2Y?^t&pvaOiE@-Weh`v(gOja z^(~)e0jFplGA2by-RdvKMda0qOa{zY5QcT6Y-nO~WF%r!i{@m7ECI5dHf`36loZb- zQYNV+25~jOgkKY6a^E9o{+5P@or~J9r=wi^LDS;sk<=X>UiU(rn1J|cO!pQNbJe0Q z;$nB@O*eopPOKuiAT+YsGspYKY!G+iz9VPL2>i?P?|CAzArK9V`S_xi3zkzQ4k2#| zGe-^;=}26)i!9G~8C`y)_V80>p$D;;0J=_9Gy}x$mg~QMRLFbXN2d`k`FhI}ZB_eS zK*}pe6=@h8ZI%nSPBjp|j)<>`7}sc3bRRjOWzkmZ@Zz<|KpgQGf}s5Q*NNNDmI5B{tGy)A6x!c7ahT4X473Ox3g4;U4Lj{^xUfHBvojxplA zae&$QRX5X7zZ9rjZ#gf-fmO@PMQ%lWtR4~SR&pcZ{hP-Xvq)(h)jBhcUzpwGib-jv z>UpkY)XX3LWaljLq+gj?YOxW`shjqaeSmxyPA}Oj=xpe$wdC2{lQ=?nn5(HkxWF=~ zM)^d1jJediiGm-uI@_)S1$=b^*dOJ!9)vJ`gdzU02K|{klf)@CiEfvfwdDW(-bXJU!tZU2}40}pw zXIOx@2RSX57cyZCov|1@0{9+(x1fWVV)UoT4ZkX*rlLP$tN&gg6q%lyVs7J!@!h(U zj+}wW2(_auy9w-@I*^uu-0R$w_EuSx3*HFio%bn+x<*>m}^*bn4VQV02E=f zTj%+=??2EUxqlh;xi=^z2l7wUDao1v!%hu#DN^hP(G04fm zo+21r0@-zX`^nvWc}$B>l0FMBtIk}?>9zQooA#?NrS5~^^1B(qcEf?ttNuI`R7l+ULfQI0=AC8<5$?~o{-JI2jw%qP|4v2m`!O4$&}lwx>GhUJ6UV&JAu@Ruy1m9 zcOpmIgontfN|nCW&Amx)Ygt5JY|SZ6jRIM{re(wd0=B&TyM!EvcE)Ck#}j@{%Zt$^ zA}vBoVACqEYg-;Wge@kb)EXavT%{GfGP>Z5_wG0Xi2@s2RQx3v^GWMuwou^)I(?gX z)7bD6O;mHKB}8tWEeVGD&!jt^y+LwOknuP|QdL-bR!TWETB!Ga%$i?aDr3{uN|i*n zu66iyP1Oy6!V?l59g1Ryzo|}WdXz&j`_Qi?)LrOg)vT)~!<#q$;b*^f?Q8@4sH@$TT7`Bf`=dkkJwy>vHtV+3`~+V-}_P&%vUUQo_iy!))BI 
z95>&N=A4O9V|9V<0C1gcoW<9FT~Tfx+&Rkp`!c;IDGfxUpbKUku^A-B6?MU+krgRq z5DEIN${xtBDIJ}F*4)yaht=9fi>apdqy_ZxW96QX)*=-UE!RmAS|~CxCjDMjCm6-4 zPWNv7+Y2COSBvInFw?L+CSq?r09H$8;5%?zg}HYJ`22Tu?n8QbPNM4{Cs;oxP4{(!Iwy7KMfC(H_6m#167VFf9* zprc_W2%XA2oG@gr<_n|W@vj|WT=vgl{gbFl`Ka>1nP*)bg;T119qKv`A^X9322fpN ztou4-zYZShtS(QbM~>G0jsx?@)%Dv;tMgAl-*z*XXO_t31Q&^6~;3WApLhWssj{s4Z`tvF!bMR_U;=j(S^mUepx9 zM-Wkfytg2N8(eorl|Pg5nc{^YCh@_*E7}%QU{hJZ*hOKP3dOU^Jy%diE%i99GA($3 zPhyH}2)9~+y{Y;YZ8ulrmQttplIec~K0sYUMGA;zz3Evk!}_`+=d`-hhv1Qu^PUBJ zQ=DS7H)O`@FP#sczO6?*@%NbHU<#7vgz+1mW@l%=_K^z;x`5$(91uXGqR=V>;oG6^ zukb%s#k0sE2nlJv zlpfZWp>VG&7ymGucHN`nHtl-4%-(Gejhjjk8=M#uPnZj}Rq)F#=F>pryAPVmm$^(feM&?uP6k8)&AVOzKhs1k#Sl_mdh zn~SZo^sp2}_-B5AApFdT@2J1b+i%uCo(;9Lqdt!Rk&COX@_h?e!~hf=)TR|Gz#ai> zc~~Q1gpf1whMf7tBNrdeOFP|2(_ZlKT7Q1NJ`KzdJ7IdO0V2>pW?OyS5z^f*_(PE4 z>P*1|pD1xOW(qha8DLwc2|b!*=n4T^(VpP!RsyI(d%eiS>ChRlwzPM4-&j;H1ldjs z_|I6b18ve298;f$>slf8Ig)eL#JGZQfP5yP9$K)~*_zxa z;f@;s!}4}~;$)B*xv%o~}!iT=rcwab=xGi*?Fi@PX6H z{QwWwq$p^)@x@noBp;oV`J|a0nw=k>W2f3-jlx!^ZY<76I1Air$)ksb%-hdKTrdqv z{4x)w5D{bCv~SeS106NFV z!s@qkdCV}xhx5z&+$fpj)XB~`jvUBr2T=t889I2~5pWF-4Ja+h#s=GiX-ZSUh9KaFKgxRmHrz8J*f;mnhDLZ8? 
zJZY*2)Ec7TY?JK1L3HO&-Oge(0Q9X#J^f04($AAhW&BAP_Vk)Mp_cDix%tfW?rfr0 z0*e=s1gAd}t$t~9;TK15z|M&4oKh4(6k~@|*PO~XKQgnf&aR%3+z|Wp_~@!UP~wQqh9$<&zzLh-S2gh=qHz5&HO(hYA3b==zA(3ziX zX?481eg&?9pB6fm$M@4vU%%<4$Eu#4Md|uWB-z%w@I2#}6UiK_JD$Xx_q|{*h$f{@ zfdgd?!KfFCHGbZ=;gihgjh-Vo{LAp}q;n~ZP1s(oI)9!-u3r%BJHQ$6m_{#xKl{<2 zsZZ;ez5XSOWU(fNu`N6v(y?+Gh66JI%i&opQEcS|`B6Sb81%mpHnV&Q>I$Ls+Trfd+iN z6=0ZFq>w<;(04%N!TbJ#-O(o?KRt6on!k!cv40huF*A^Wi=<-Ed~no}1fRne!lzA$ z>i|q4t&zGQoP zq<~732^^7*qNaSfN}~2u=uDSX)rl^H+8q-$Ovzr(sFcnIBwlSmRK%+-0-9+KUCP>w zed9c?KR^2dj(5Ef08H)39i1o4ecL+NfH~8{TmZ~=pw->4{D`x-H(WrBjJ02pxRZ=H&%OEw^ z-ap|u)u{oUf=O7BX9@Lqz+}y2FXi7*7~B4+qFp2wXUca*Wq4fe z*QI=Z1gSCQ-|>_I_z4@F^C;?q@STfGG#_iPkc1y?xT1~pIDc2s{dtjkV)#g9hwt7o zLXy25_ulVn8`cJBr;IT0QtlW`{`dja{*X9!kDfd8x8MHT8TB6aSN(a-!wBQu@yF}@?H8;&L zz0sRv5dp<^eJfsv$>|otDmidWtW zIXq_b`5@viB?@^}rnY>pWzXa*<(uh{f*ZY2uMuDFwwp@H?actOqVby-d;f>W;7eES zfDyg@782!)E3L4?4=;+pw1NcrK*U*n?{^Tt1OdbVAH{H92uN`^-(evZHB8hRkX zW86#vSOdsuzg?iB*{M4D(;K6ZW{oD9f&^2_q7wWiV|q`G`+K)i7*R1_YKKafCi`}= z2lz5VE%IDT8Mvo~A!l@ZnVkn;COA9${Ba5G6v6^8q4E!ygmT_u%MgH`mc7Bni`2Cs zmudb1+%BzP4*4c@=EfXSa7dUS$fE;vULlV(gg#KZu-$MwVs;DFUSuUyHo&e*gY&6X z(7as_iEx0LNMxMe^QRly>5p>?tOMBE<28z@cf@c2v^>sNRVIQ!yVlyp@l=B2Vv+Ma z%!Y962zLN4bw@}j+Xue}pPxLxhH$^Y`b!hY#8cpWp9Vlu6^z!%F;96?`@g)(gUDin z1fW1X+0BObEO@FlSb#qTknZRtMD$Y;!aGtM0m+*#yB64XfT+eCpTM!M@Yr7lg|-?+B9O z%LE&_o*`%G52wh5@oNlQ^%P`-Jlb7jc%A_|dp&yQ=ZCS=>p)#x>X?KaG8ds$zFdaZ zuAITe-ZJQ3SO5hYnN^bT6}A~i)G_u?O#d7XJV*gMC_3mFglTBvg9Acg=t& zN(ZOL3pw;FUfq&Q*j0EeLg*^6NHgEPXW!HCIH52BKl~W1`X)a@qH_6Q9U<`t1`3v=$fRW-e+9{}F)8QX?IJD`|GlX`OA*h?1itha%k6NJ*6RMh>45wp6 zhxu3>veq@TO!T)lW;`rFc>Hn<&O@P%M47p_Ct0d{0Sj)KOrMG2nA`JTapb?2A;fsu z$2u8UDcsCB!1e?fEn*Iw)HFEE^Ys0@U}q)vjrT`-6X473oLiGM2Gp|eR#Ggx10TEN zfYDmU5)390phA|=+O2$dRo#9h@c|a@DXd1MJJGbo^&c?D?E_%&1!k17le>OpcEI9m z5c@6m=8GSbRB@fa51e<>n%20*qiebcSc(zaGec z9~X1CS+z)}Aov&je8s2JDf@ao)7A-#P5Kxc`zG@6=@|&V-C9G0OX6Im!+t_9K)DJ! 
zo!)U`?fZ*1A9}zn2md&a*d~tTC;b~~6$fgt2gl+NE(dHC3xvjCXhuj1L54y&0zEUn zriT0<7c3$ZSlQyV6KriRc6Fk^*m@eNw;`z&Y0hU7G&g~=#BY#60Q(9je~jT}g%=Pe z2n(SaoiM?}9B^2h%pw3q$G$8>Yi)sEP9x>Sn^67#;Y&Z0Kb*cIdJcDw>mSzk_Dg+8 zQ+;dy6!b(Y7U%_$tR0bjq;-7#oz~|sBeka??y(~b%{YG&35*4%VMFS}$#L;otSA2F zg|V`w88^JIKKn0P^2y7r9VJ?_aKpj^laHs`(<`8xY?;n<>%-N(01@E9f|9G}0|HQl zpAl3Au}U3{==){z!Q6kNw5!FMt$%f~gPMB4EkB(4Ndr$`i`u@ZXDOHrw_F3<*I6hY zHK41Tkv)&VZRSI#&i_q@@Q|h*`gpLIZbNT4#eU4ZXO1ctWxJim(lU7=2LQm)7HdmW zGK*=neU_EO)CO1n@(6tvj(J2uCnq_j>%LlvEHF{0X}Pv<*jrsjIb=vUK=92Qud|?X z*94pa{4HG&uJva;Yv_#=QSWYGjQ*O?85Kp^LYF{w6&$*&9A|nhfcQV18ujh7%WveP z7oG*LTXkUuQ}Tn=xj3?q3!!qpK>VEA|IPa^-!qtWw5TR{Q@cPpPgOo?-u`l%zSXZl z!qU>ZTM2BTWeWIClbhJZB0dB=uR6u+XxfLr%E<_|0o(QPk8L^=W|pRL`I`Bh*Hrr~ zdgHyPqvQ-p>kG_v5&^oaTSCXvt9N9hVn`@fILcJ*L{fvPu8)TFJKQnLd;m`^%7k)d z=9NL0EUNQs&NWUdlnp6uZ7=Y*-f}(Pxuozipiyk@D~OCQxjrwFaBQFWiax6AtK(Hg zX5=O0qt};aLkJMf_6&ba0XVid7Zcvn*XPaun*@9xH zbQt5hgsQxXQLqo%d1FLb@3q!VwVpa7>xVqQz_$qT)vi>L`yaP^R69cPU3#)>*Updq zckcsZOF`Xuvwq|9?^RSgr{G?9&j2~Dodvb)A2NUV_^(`wBEo)BfA^uRr% z>{_4x)spkXTqb=$eL2R9o6Y9UE_VQT7qONMqsP8I()|!1vgnDo#kC!@FR5>Mv^1s9(4228l4RjMJ{|-gF)nNL)X?}YTT=K~Wt&_rj2uE~FDrNzeEETZ|Ag z3(-`#GY(L|PROQ%`5J&MG1;Q5kbUCCr6#dm)}Y7hL_~>0_elTwU6`Y!xTAQxq5aUR z;)=`;b8H=N(30#%ItsK85izehq=E=T0xvIhLd8-w;t&(CX9y`L7^M%c?#N ztEUjEmO7;M&IFQTqzQ%2^C2-KU|580V-asQboFwFF$d0A~w7Y_|h4OWW88j-V!|s)Ck5f zht2g>yipF;buD(+#T{vje~2H@1Ma{_rL= znFAEkxS1(ECDu!CTIBMBsN~4vP1}V`nYEbVkuL-O9p*hdeqL)xy|fR?=3L0t^YugI zWx8T%wJ3{#aBNuwR*xFS`DB!Ue+ak&B`_I6F+R~wp!|Iw6~hYu?6aNj;SYcJkggiI z)RgK|`U1^jcEh!K6C!|=eZaC+)x9D+0W$;c(I2&hyU{A}E-8_i>K|`mae!*)L=0`C zI}A{R`KID_T@Em5B;Tlc1{{afYc#SW?wOffGddvL?=z{Hiz0}R6%$9)bUP^GaF3S& z(MRUTiQkCzb@Kn^H3@COt8r$mOU17{fCRIg3qucG0aKX*+{94;;?fMWz?uJLuhAfT zt$e>COFdxmO4hHK#6crS2_3-j8VU^0?a8$m@rA}KI(9wSrmlDh1NmhRXE7=IgaBqy z$7D)vT+Sjgm=Vz{AQM-X0NlwFDBj?&C`zKThUDN^SWM(5JNeq*HDYSptWV zGN$tsVIMLrMcdz2;$|uWBmA;xNt08l(60Lc12s9ZjQ`8U(~|34(aL_hNFULeYc+$t z-~ly)r4lqknp@X@YlRsr2b~!+irl-U)k2s;$=me3Qk8=a@g(you{BbVf 
z%owt<@de}DIDqgeHF?syfj(T_*>W`3`}6quwNA5ChXK_JjSUksv5~iSH&0sKBvZ*G z0*%rkI~L0PA=EIyhBg~oNcYz=9ggKRpmcOWhtCqm;bik_WPG*+^@k8&-W`D(;?Q|+ zQz=;T!p50tl-t8Q12rZ=PSTB6dBYU9v<%+8$7;X)t$J*GuLZtBcr+AgmO$O^kxm#+ zMO9GH;vQ#W1#qwJ(xlTP6QQ8syExG|GOW6xf&fWQZjwB=ap6@IBFmE<&E9S@Je(;R zh)KoL6b%4s&!Oix?k#nB}uHh{Tz{FX;W?9B- z5}2;qb3=*p%40aN?Rt;m+*Xor3CY5y^i3l-*AW-a*#JW+sUnFCi= z`LQ#Io!|esz`?3WjY>kN4)+HOTXbZwH~*}3Z9mz}@a8Y_eGnO-<7$JreTED*bIdjF z@Vz(O?f}v%djUpxvhMX0NQg9i>B`(8$n)1K0lq*#S$}r-Kd=&iJJOyWmX=$s?gl? z&u0mw%iD~r-DC%{055&4Vf5G;#$`ny59#lMwlD4d$@Hp8z`m{hCSly^eh>ugH@+bL za>7VsJKXyoB<~r_BbLKNDQ)~_);rwY76E{8466vUCKtyk6 z?upTzf(?O?_Z<-mH1LPlM-$Yu_r%$?LUKVbaL0)b2L-9gq@+cz`b(l+9uwL{5v(mc9DJ5XXK!SD@qyW4@xI0+^s*7UU$)}M1$lz@%Ceb7Kc z>#rGHuK@s#FIGPe82{63qTB}pID9k^7Ad{Yr1Z@Lb*AgUW&%4-Fpe@^-pGs{JwDtgW9AZj?NSEo( zgITFjCukOX z1FW*Pk#V6!RHw@>`7uaias@3q2eD>|01PmC+nUC++dC@i7c?;W9;`h-bRsYnl|XLF`wA<^od}) zmV@TCPAl^DPQ*zHkx&{b#B?8GU_x!f=yJ^ zF3Vlp<@MC_W_Z%Z2cvZ0R#7vsh^B!SYpqIR^9Ocitm=dJRT#Ugsv;;r2Pn8u7u03b z?uz4&KZbM6Nw~WiiM@30FbvH%OkDkuSuaupqoE}wI*K1_=(gJM$2^k)^U1mTqjIW`|If}62QXp-|hnWb}*@HD$K4Zez;gzM~yUr*C|;i5vjzQAs751qi3SjJ3joHNY5bARP}NWJdyp5>Svb$Nxa(+_EG zB5bxi&D@t^sNDsl-^CkCU~4~lWU401yC*?9HM~MCSRFeqD<5nLXH13x1ENR6?@68G z3|#oaWCi(InGj8~8;@0pOz;Krz^>eDhTx5oO=&egEmVx8)HK7~5JV zH^EQNG^yu}M$>G{JfUxMNoXYMiJN_`>AUj5xm#w3=R0j^+v`beMx(i%lPaN0S(5U}516yI%!h)x3P(dT{tnWBweZt=4_ZBGXy+`7 zwEAj&rTQgn8FtK6^KJ(hzL{Tqo;ytC{&?|NTpS%jfO2y8)!BpvCPDwX)ydl2j85F@ z4M)}d&r65918VD~O5T>Y=>-oEEmmL>T)~Wu2XoUZm*ALP)aolpmgt0yK}*2JZKhTg z$Zxz@{Bb@wpr?O^wJyHlUCBL%=fNIKW{hhO1zot?@I!MTsrmE;0fyV8ndBO6Bi9Nca zS~M+UVPD3q`pdldW?+=5{4&qNt|GjJ1B+Bmv)J{GP2b`tF=Ub({6EEL8M(@IcNfIR z_Qe)li|KRaPDQO0u*?BrsLE&r!RP}ONzj=Nym4!i1?nkl6a|eM0=A79~xx;IT2G8)sxsI2o)xz>a2J94LW`vA!zx%$?q| zakIme=Wmi+=}A^)2|;F&M;LLuv1Ps#F>Zp3{wE9prick1V@@u`#p^F zK*}{CD>^yC$hE2>Z1#Aba_`%d!e(9e&6<*QI-^{_SZ2KTmp&l4x8~r+)ZE-d78sUf z))boQstJ#9;DO9m-O^=HRenZj5{EJ?FfGw5_pY`{a9&LF=hGuh=9R9dvbaFph!lV+ z@HLePtx;??fl|4{IK=)m(r$YvvG6JuE6bgbM0R{3>gq4Mq>cDpAL?N& 
z|2~VOG*}&fqpT-cRR*ZRTT>g_#xWStZsu}3QUINo)i5Ad6cs;!@VA}#nn!L+Jaagn zYWKvFo3kv@=($7k=xs&k5I8bN?qr7d84@QVy=}&~w5y`st=Afez@X@MaS&HbvFKrK z6r3oEKD7p(O=`+@av?Y5-%n`2)Mzr+srndjCFM#@&Dg52qnNPRjH$4`I8XXSv#Z;5 z){6zq3vYRm+%b+uK$h52K5|AbJrbwt93j>RWs2iAhXdw5-w=r(pO3kxGm?k&mBmiR zm4$YD%T#$YTQ>@;jTnhNJX{!Xw(8-MZwaM}pu>x(h8N6&-_s*hDdsnrh6@!&#?Fq+ zPCn2zP<5228c3OcB3?n<|6yjA+vCOJWpGBT)OqARFVZ*eMdo&G@B%yW((8A2x6}+< zXUc%9(glo=6XmxBQkf$bw60XWW~OZtmKr(wQLlMOKOp*SpH|ZT)QG*r-sWY0h4IeI zufwum1syZvRWGH=7IW!ul1Ml-oH<-Gs7tu(>mE6_ra1CSuj!&&AG$QvyE#+zZNmH` zU8_qzXCoaXJZ`!xa}eieYCipovsNjEDJ@?(hVPRqC{a{W?CQJHw490Gu=n_MswepS zV!$RJ7?LeBRV&ntt1dU)Wg%@_&c{2gM}7-#jx|%(vDyGk(tMcEtBP|=bJrkLpi+JhU)d}#8CO-hw zGw%)?*CdhcJn5bbsVFDJp*1#{LhmyNy469M&?l$b{}Hl>IM29JXU4drwk^tUlbmt8 zLKPU$je}9)&KZhnTt{v%%5}Rh z89?^&Y?Wuto24_oF0?AD9*Y#CYlAGbzh*M$T>y%g!ggWB(Q@{)E0FMB6<0{FQMOhq zr$rwgASkt-OJ9J6KM}_%!?ts&_asc>?iJnAY&(!dGV1Ya z{5T1^I+Ma=f(&2Z;6j*d@N2J}1KXdpuJH-T{xduvgh6n7?$ z@)~dTe0*}m{&~_KA8e6X=~}E^jECN}Dqn2fp0Rb@SH{$u1FD154|&+5Lp$634lI)G)0zJqLcr%UQ=`1@Pm0Y@83Peh*B=zBl2by*ta;d%{)930!Elst`&doml;71LOS=6k)_=NlB+x0lP z!I8dDpMMeCpGA1$8|?j~pVWoW+N(AB6ckv+Oq^uT){9#cbD`E6SlpG$oj4|!yuyDb(}15o04%F8 z<&+7|7Cooi>O=|c%4O0*Uw*QSX(W2aqk6^jq8^BpV;Ni+n@^$HRCmi{bJ6`$Y1EQ1 z2~jaqlo80!Ix2um+Vv>BV_)24@|lZ~k2jQ~0JsR?HZvD5Zu7Thscm&d`!8Hk6OelK z>Gc(%MOCfy_m%s2S?fy?f;xe_)!!NYD3ij-?4Z8fKr(j==hPK3RUFfptP4TPXXzd4 z8%08*+DDYX_>tt!?xb`&rrXW_I%qGSDxcSheut5d*C9{TIK_J^CbkttORlV^DG>jY z07r`P&@E>lnVMFAOOGPc@YnHrdge-s*W~p~MMG3#ZkAK9Sd+W%TN(PI^#Xfn;_l6I z4uSlz=I{>pVc z_rCY{y#K%d%@1bHTI*Wpy3RVzu9kqYtLbwB%4Yf|1(`_@J5`U-&pK)8>$r)xTRlDj! 
z>$&tg*0gflE>ogDP*pq0?nqj8Ilo}?D)kYE)Y;+a$XZXyCGFb0odO~&yD$6carB%J z_Q+@{)Rp`bvrP4X>Dv;wSFM5%y1NBa<9D+7AL(Y_$mTy>aZEvY5VN>ltejT9SWp|W z@OYluWOli$Li2d)8oQ6yAZ>QNdjQuyZ7CQ?QZ8ay6MQ{qQql8p)fnaD^C(DD-{<0~ zxLLzVsYJA${@79d-Se*ddX7Hr%UG;n-G%nf@_VfWmL=tgstSf{pE`3evu(r3_YD(5 zUszjH>C-8Ui7Rv3d_4OwEvfcJ?&FSo%CxIlQN`rwj`e77+G3>Uv1ajfjAu#$)K{nO zf+k@uJ!GU#hV4vx*d^PgyV&V?hxc$79TW-?3D~_!haC#RucN@?x=9y6;>p?1M11U?jZB}L>gMv=kWzi- zF*Ut8^{Y%$Qut(TElX-A`+yEllr-q7V7k9U$5P4DFu^_#f*93j4W+ies>6%Z{2zmB>-y%g^M*YwH;6wkDMBh zXk;xUdLz2Z#s8RMSUl<2!X#$Lw%@unwif*&eMP^V9szADrGI|pJz(8>-#BTRRq2%H ziBbxANB(_kgz=A=T4*`67;0wLl+1RXhy5X zYld4Xn!P~@kIp4NW!lB2peN^2UZ5V#>o+mR?FLFGb_iuN9I!ZK$*Fpn=Um!*Z?#8n zvf<1Al3B_kazAjPiUq=PXKeRqkL(BRYo@i;7s4Wk_&w=^`%+JTadR2Db;weUo7ITM zYqon<#)tMkpO?Je6k`2CJn-^ffWvUVUy(P>_p%_n%7|QtfK87dmK!e26`y*96W5P~ zO81`B4Il8^hWj22c}B%QlA5N-E3s1Yc=RP?z*W_9OG-I}u2+1!tzW9yIjVu#fn#Ch zJBrdnS0ehfj5ATDCaGflu2e6iKHsC=^eKKl&SCwcR8T1XP$B*Be0;;c(q_dASJPV; zpiW4?Df8|E>7ku>8IM)hQ#YYAf4K6rZn7Vxbd#gkZ(V8AwLj^E@WY*#{MBu~*BM@6#tHX$&YK5}&p?7A8?{3e_s0rw~=QV|xUA z-36Z$I-(6W{dl=X%rS?nGlq>7Y{pL?h+zxmWXc@VK}(M`lQUXN<=w5B9%-;G^W1`I zu@k5sRt(b)2gZ*ce-p4Lr%R!U8hto$xo zYq$~dh`Kxi#fZSI!II>5pAa>uO zW+6#1tqW9nGDL?AMYqN8m?>o|iExXik`C@fG^&U6r63+zM=4KTHtjvJ5V7N3%{?%9 zE78}{bilm%Z1RF&e%6S^ZZeWkvnslR|Uf$58x?wm>)Gz&&f!Me4{HW@%RN}XZW~S zF)>xeQdwEWp8d6UnisXahL=|v{R!p$D3leY7nkzpD4Adv$y$jqQZCOdBV(fzBPfiG z$)KLg5iN6-S=-x3LLW$ov|tV%Tn>>pimqT&(&fW<2Zef)JZwv7Bvzg$M44UNjO9j`410^c%g z;!&FX)(B~CmF`r#A3B$t<2dg$)X%Sq zB~a-8=wW%u_c&`j2T41`&4qfKFzB*hOsW2y@%Iq^-VNC9?G9mUX z@>n?cDX*JsNUJ;nCFRa4|J?TWz=^(w;mQurY_B45S7sqog3&axI}ZrP@0@=nzZbQc zu{-zPW{lUC^ptXre(@v&^@61^YqS1ouhUBZ`^{_HH-Du2dwJ(uTxspQ*EUG1KLPqH z=6S@qL3s_g;4z${A+#@4L_NCq?#Q%3JG2U`-EdcBMr{>x91}Q{ zs8pkeOP_VrB`w6@%`ia*j+!JTHXHR>aytOrChOM&>b+@u^J_BY`?Q>uSzdK)n+cJ% z7mq_bT38veFy44Q?b7s+GM(##vI7IWOmo0Kr@cH0ndm+pUO1=B$>QPen-8*O#@(L4 zo4buSHF&zuk~;{H87ZYULvg2DQF)s)#a}nVdq@#9?VRbpmoe5X%K{<($tV5`nHrg5 z#P@;cOcXL|tA=|_5?AHMvhtID`@M8VtyG4;Yl0u{IGI0&(c80#SRx}zS5du|V4zk6 
zPHPT`47~})s(;-4*m~s_f2m8UWn_prQ~5ew0fe$u`~Q901#Yt0^xF zaFU2F=V`w6)?qo0(6jgkHf=8VolM9{q-9H}^Ro;N7E83m{1v=F$}IxM|cLkz_T$!$3%IrpP6RY3#;o`v2v7?(OoA$j+`3$dS*I5BPx~G7RMA+jC}K0o(pSx{+uhbtW4a) zSbY|-dh2nPUZHXF^(?MsalewD-2bLU7yn~!kZ9UcqD%YjO8(P0|uFE;6nU4rY8 z-&rT!A({mJPy7sizX}Gu=sP|p&yAHlgq7MvMhrrp4sC&FhcY%&`ywQs+R zhRy<-h3?JbqnpL2V2KO{ayYSmZ4lXjlT(==TaU2T`Jo0_8%Ks;iP* ze|i=5*Ys0$ose&m)mlGqKt);;Im-#n1bKy5x&k(s`S^-MXS-hifYq9j$J<)^yXUBy zu8Q`@3`7Ed?#8M35wzk$^)Cg*;<1*-xPHMeRD2XqE0G6y4LTmZV#|5)vyHO351iJ( z=)#SY7mx+bJSiSYR{|dug7J4Hq3(5sfw&E54~kZr3>AscUy%aG`G<6O5MsyIpqo?L*iYmo{F!IRF=!ua$9cr{AKRfF{M4gw(S1ZPS9VA`O?) zHtY)jlmbGX-H<7lnBT7>K2!tp%NevMgE7L$!IyI1yy}G@JK!lSHWhp>M@B%=ugthr6TLiC=m^Z{aaeRFD1(2F7>Gp9Yo8<#q_tx^`$@y== zsH4RfQ<@hllW;BzF5$G0N?tcb9yR8K4pZak_8T^FJ@Bc4c?3VCmTiu<_YGwsB;822 zz7c2|P8jt)x&5qFd|=-;|5VS46%Lh4_lmY=ro(nA9;mb(3AG4)qJILKqYRsp&D+lW zjJg9HK}fn+WE5pFl$ir3B&F2f z20Kz9s{qmV=1oWsd$CO5*HHUD67GI>;+0f|6f9ea-0A3(OUmkm4{ zNa%Y|-1IaN4RDS1DjGi$$_aDV=3#i2;ZR#5II{&%MA0~Tl(dbq1utfAFF$@#Bo*Sh zv6ob7{>CzVcJ2da>e5FCf=&rA2UfSD@!T#s$+{li2FtO3x~ukN;i9g<9Hvz z-4LcVXV2m>q4;kHMPkE%yOe<8M49yyz?&ShqwSQX!Bs6n<5I?`utFE#_IUohUC-(a zoXH<|A_aYaOGH;9l*7czAO{MHGQ^Kd4+S zW<=;m#Dr#A{Rgf@(JP9n#h&$l)<|tOwPUV++hn2I*XF<2CEQCu1gd%wODc+-cs<4d zRw1ay;2|(0c)icul%G(HGC=IeG_g{LZ^sf$>2*5Yh2d~O(?X+KPuw1Fsz-64WH7Gw zI%8i_ZR3q{n&)!exjv+K`<_jY^p2~`{t*B&`tNJ_ab8oTX)@1(kift63AXQ(z5D$A z2x=UwbsGjMtuHUEVx7Wi9n)5Dvpg14#WV?^BBAy%63QPL7K||`!0aay*Zg~c%xjX} zvWFVxFO3(FayGe%n7NCue8sANp6id5O)13P5|yiEpBJWYKxAIbFqL(T zFui>&QI&?TJLBdj~nO2k}98A3i@n- zxspGh-@kmcxq`df_v{Kq$Iai@Ci@F_JTAm-2ffes3vfH@g3145k^i{yfBC|{e`LqOy1d?TX^i>5|LUIy<@jP>9p4k)`Cnd4 z3IQ%zIR}o#t3Qwb_s8*{fAv4ccPY7u35$jU&~-CF^z>Gn1HxTGpq8@P8aB!N|8p;Y z-opDp*;kj>0pwZ;2H-46fN#PFTfA0*3Su4Xqbvl}w>Wt!2Jf2zBq`szv(o==p;+%G z$o^t#zc`t`2nKu)f*CITs%C(*x4U%>0Ok0TUNuSqPNJ0H1t84vxLn%x?Fpb@ZUNf^ z9r4eckaH{rWfbXk_FFM4`5tHj=j!e;<;6Lf-k+P$da=}6+{)#5;M`Fg2`bHfJ4N2LboCXXf00fFB&z%Hcv z_+!#u>|eewz#`r;`ZouN(vJZ|zpdEbpiT>hnD3g}h|*pGf%%8axYwcVPz 
zQ(Fg+3pgIP`j^Tv)92<%fS$yTrHn7((dJZL3-&c0V$iU@&*`H!2nLV^I(f?SqD7K{ z5{wcY&}Z7c`^bS6un$IB1%5ICz=2l^z?HI(Zv^+K`$zr5k|FNx z;fC1<%|LWZ)BpgQEf@h1z(!0B#B<)2_KvIGjr>xUVf!vsp1QTQY1-$&NDLq?S^yii zj=S*?A>&GW<-{|Z2KCC(C$F9ZtX?osqv5Ir08OybyFoxQa3%~-l*132uXQHmDI{jI zz>;3|cCQ_+fjNZNb|cMmQKcbTrLN5PT~>#A?Mpk@(T;I91``C=H)0eB!*Klg09l(r z3xRM#_?uIc^X+70C`%LsfFB7!JZEid5}Vj@?}B+xK+_dlkrSYKl=l=JOgHCkwBvWC z>~K_y0{&{#{k^UDllZH?OJFP{p(c;UjB<;Ut3Z10P#Nb|{c?MJIM(Y+-m+T{^kB@o zQUpmYUjjIjQb{{tG#6b1JnTpeVlfGiDJ*6I;|34+N?y_dR<0V(n@maOi2YNbe?Wh^ zmQ+jZb*lSQ>G?ydo=6qg{UCDGs+{}$JK+~-T5cs3ii=M-06=f0937v4L7$i^f$ZCIq+CD z)fwR3gMp+Tf8m#v4``|_@CzcH@wE`g&bl8`0PVHf+P4D0VMB_`;R&fyp)tJ#8_2Qy zT=Gg1)4;+cy=)AX#d?(eszH(CO~^LjQKsx&2IBODVB2ylGq*z{spKFY@@3YMF-XIY z7F;fp_n5U{=vFwN;YZM}uhtK>>@fo~M(9rf|JYjFk^SO)D@3N1c;%>XnV=DwMyy*G zCun)OcMT+RIjJd{p1FP)bUqTK=nw#!apk%uUzLyb5dMO++2>89=+*Ly!o+J6T}MKh zZ6Ix?5z`*W9f8?#mBW52gT7^>*!!?;0NFg0pV}=KfpsFgrokZ6eb0CKFIKn$?VJvg zA?=%&;H6pP4}O%4myS#6t$(rFvFN)twNtKIyNv$SO*1VAAQvVu>tcLVcTQE|TjIq* ze2grCcQrs%l&Pw%7C0D#MmG{%Wz_Ub?`bC)0pb9!fNe^b$|gJ-4VSZyP#a-I@*@0b=(A5+i|b-;tym5Pn{Q z&RF#5mc^d3E=|h9swD*&rsB8Ovf+!3CpR|r%dh8}&1Yv1tt9idyZ&9!VY&_FTzehK z;i66;$c``0+x^C{CKMk+2O$E4f-YpP(AQ{e?ckXRh~^bZx@63R3)w>d`5MVRN+h*h zq(DR0wY1v)Wk%&gX;6S^k-x@ECh1hxZZ!gR`2NbA`2AAK+xSyJCy}iZquS0?9-pLT zphzt-xE#|imPP2g(ngXFIEv@uUWW39itxl=3b_vu1A(x(xC7vomAnzq#5gLzqN$tQB9Ng3`E!dpR6#AOc~=(*?lPzaDp<0 z_l4FZMu>)qH8nyN`NyT1arfBrUJA7)dZ03ISN;OPkoL;Xy2vU=A((f^wb)oWngaSz z+R*Bb@TAm!;Y}&};ZSwj#~lNn0JIQ&LVW+_-ba%lwq(Q7T;-eCf;*`@lL~tBU6y|M zfx5(HfRXCPtCFhXf}X@ALk_%(yX1km_r3ot-fg;Y6KhD))4|_j}BSvVwqkO#6H8>lJdP6o@9y%xGt$C zLgj`A2O6U{&=lp&SW-ym+$CrRM93m~J@MG+z%ZfNxNUx9V0G#8_A1OBitQmSEbyx7 z0WAK=_cgC|kqQ;ynYvqRO$lo|66C!!&8Ad1jCp(BodRZvF}S1iMIRrfA|8fK;F~qx za>{CkbrV4NGHhNJ6PyX!@9`srt;GwPUi%q`y3(6b@GkA<`pvKN^b7)~vZp;(pRUp( z+kCom__K^Arww1$H`oeO_KKtkZV?!J=l`rP;5fKHJeMuuR1$jyr9yS&+@)JgUS%*@ z)?06IU|eaq(#yz(=Ho zo;m`L@%AaYcBbZ=G&9fOj}X+AgUg%TfD`Ot7YBOAqe&K$1Q{xK$79=?YLkSZvLaT$ 
z)d=?mRCY98k=~L1?nNLkI;{@b4n6+V@^pxQVe|gqMVu+MxL2=@Lr8fAYqys4zQyIc zsc&~M1i~Y8f~&~rrd&!(uSeI-{|v1{rr8x!NeYV7M>8YB=6y1|<9*;0X7fRf!IuIl zGnz9ow(rDe)*7l7Y|T1_C>WsqN#V$dTVI%bPvRU928HhUvDET|7}!ZT%fADV_C--n zQ4s0l#?<~~(o~r$WQwx5uFd;n(R*p~?HrXH*0Y7}E_!viOO&;-2>~C$U0KD(GTxv| z#Rs)zmeo^k_yU{=yYz8B95&)EVit5%vBe}eMj|FxPAwh=KZ;=NVT=HHe`UEChe>xB z3o#xvr`o-fs#ye^?SRU7x`TLPr_Gsr6)WO>gx?v6Oj~Pap`vhlflEPNIB&8DsF5Ci z#O(=qdkL!a0<&3iqjF*eR-xVr+ES^a{&Kt!Z-Qoj!CA_-vV>c9g`e+`t=-Rp%);V{ ziIMjljdY}kk_5hA`!co*a|VO>Gz3RAT7AYrJ)-C#YxepMn z)w-DU8E;{~Gh#k|D6Cjf_;W*C8$N$|-N14NKQg74@dF^aleD^~Q;)N4oIfU{&+kd} z&Mvi~m`es%HW!|^=|0YPAR_NG8*20YfKdJ!^=NQA-$;<$W5~A-_>@3Q-nd_CLK53r z8IE>!RgLjv0|C5=^VO;sr~oI_r=wTyluHA5KIaY)2!vWVt<@ayXhJ`mw3R5%t};Qd zC@$X4rw0o6Hn8rKJH3<-us^|XQ_D=4(J)*R@@ z8h(c0ky=IWhtFt;&%bKQl%pkRZF;)U@|Ca`wsADLKkKh~aej)DX%7{F7qwh|Q@3NU zc$j~>TR2k}znU3yX({QFLAhdU z0qYvMRIm%=I(*4xb4p5}!HtE$Q3DnNb&ES7r+<|Y6chY2RW(#cLZB>3;;d{!PZ_2b ze1)9(D&6Zb=eB_o-F$w!G1U}y8TpbqxlmK^;3k(IPt@axG3EZtXh3AG(!q}cDK_{!Dq0S%1FoFJ7 zQtM9SR)>DCebk%vzF-@5eTCM=tUC!s7Vvp9L`0D#LECp~`ZT>S(dgQ|b@nFdw+kMA z0&()pBRcHJ5@p`WI!C^V!-w6j{}&rzMm7kiB-8Qqr|mp_*b z5Djm)Iew?bZyB2hfKk^_OPaw#sK7NynKlN=~Vir%Ma9N|VPr7}_4U*TDc(FJYxs5*O9G!|rhrm-L17Ez>5t_bjnUa!+AK8AW$ z`TN6K;!`sFoumm0zfUPZhR3j&3Et;qZc8V$+DB=xvt?@Att79^{q1gQ1M_dDA9sNa zh)V#{;xA9-4s{9c@k}@wK4PzFbvd6~P*fIuT_%VylHgjlc{`WT*P=K4CaO14ac|yM zgPP!8(WIzi_0u*dRSWH9u}v~Un1i}{HOUGI`YJm56z$1u@m$o~Q!U%XDhPKUS)h1` zoHq;CBc!Mux;ey@ZGD_U$^6}#*GFr|th8imr)Lr6Il=pdmC1~ws5AwW91<7ve1Ds}s@$6s8!!;;qLa5N)&aM4U1L~Z( zjmwI}xIa%DDWaNmZVkQ35<>Sch`0EqdlHl=B05;Lgi`#hv5`N`REz{`36ZHHiY=^G zLpme&^h3in>_vj(I8T`5DIEOVnw%{vgpBvbUJ$QBDQd{eBVV*N;`dt?8BV<4r(M(= z7aL*ZcKa+PWv=tslqQMjYfla@!m*hW)qvwG#@s4Lk9c6!cx432KKN?W@5K(q$jw0O zTO+}xWl0xPog3<_%iabrh~B~U78^Lm+K%!!)vEiYJ*9D{2ojM^UTa z>asVyRut3KrY*;|Yo;`!V=7KvO&Pid#H|K~4N8FRz_!<=>zv>2ysK+uyEx@+XL?Cr zPFg#T57kz@gjb7>lD~B+mw*-Yi|J=zC7j7vnqy0ZN;|4YmdPMB@d}Y+)K?EQfIQ5O z@DhKSRUYa6Rb`#csB?IbKXLuP8P8(fjL3GodKtZ3dXGl!RY6z=wPlCotqIk%ZT38# 
zsg42#8CUxJv!htdK{L*z(-Do}2U>ged8Tc}FR zUZsMCJfuMM8&*5B3N(m`f9Aml^|$MgDF}7fNqTFx{rH1u&mXMg*vK#_U+O+1Kc&@9 zNo5qrJ|L4YBpJDHnH@(yZeWdu`7SGr27~2j!7)@TnK2GcVlCiHiP|c%vdd#Cz6+wM5NUjAER3 z$IE(xZ`M>j!ur;M{8YGiZ^a^gSMsBE;b!Ioa(RxdV~3{d;qs1Mqog9z5y{UT&m0Fm ze|%-@tsfrt-LF#hf7QWd3Pa-TWyF?NpjtHrRgQA#%MG?H z5kyX}L9BP_@_@vw^vK3{mS~OiG+rvkeu$mz8TGwNkAGBx|E&N0&i{Yc3K#Gb+&#Fn zMf*CE*Oy9S3d>V#NSAB#6@-J*dDiWbS9j>9K+biqu~CQfB&3~&t_%#W*^pg>ICpps z-xr%&tE?;~@bJ)mX;fTEZ%A>HMWDFBfq7H{7^G~JhndO+Wd-Hbk-?N zM0$X5OK4Dn9Se4oinduQ`oQL#sJAv3hmW{?YsE_X*Q2!Nn=HY7ZZ-;tu^wvY$$mck zlgAzX8Sg_mi$oOf|6n0-0d&0_$Lh>hQkKlrg4x^wR6j}X=LM>{vJEN_7QGAL{Ua{h{MtF|}FT=U`*OFn0T(*~qS=3od}J%#>iYAA z4XO9-d4*kyqbzPuqTw&a6)Qj7ubXA1W@mg_TNr;<1f#CYmS~D9P%jOXfOK~=hLNr3 zh%D&N>Lz&E{U~S#nQ?({QOAHe+rL)d|D_1*p9Fp1sX&7jE->wa zJtCx-F=!i}Y~*&{VbHES@e<@Jih>q^=7PI>HNBto15LCFta|xSQG?lnKXah#VR)l7 zsMsddYVxG2y8%K+5HL%epeq&f^2@}o)61rS3f9S+5awA%Xa7%o^XErDT6bDqZ*N{JJD4_k&+yefCNvtch#0q&M zkJ-V(+W4rNpyt0#`tHY2#jt3u=9Y$BIg5sHvj;WVrTC#V`3PYf zvu`&Z*^|rV-mfnwZKiRa0>v(e-7QULGnSMleEKmPvc&BV6`7j^_1s!wNCYLDABt}z zcvW_ccdxuRsnZ=vWt{so0iADUX|FaV{V7H0u+$pV)p)`|LddM^Y<=G<3%R=md)2QPQ4uCu}x z@o;vy-`d1(RnhBpBmh^$DbNjfzTt+(c*kHwD3jDW3}g zVG^qjq-v;#{eb3ehsqKa=}9lh0*i7~#HNQ~{AF@IM*E5(U8kHIy$?53`vt{?GV!rnok#ywpo{5%$i@e1)DaUiFNtZG>2=aYS25AWhH8XT z4Yd}$Xn!;jTtyqehwR-6K2$)>f_eoRr1RBXB|UA#?b;LK5<|wNdVZ_$#i>^`)L1iR%V&dTXR(vtyaM50uyxOWTEXlQcpn@LeCF? 
zYlsMtX~v$Fp)2<=r#Ho=kWZO&2zsxOVhbxPk5c#ZXMn^dF8VJ@v+VL57>Hw~o{(at zH}Qv-l+z%H74s|#g*gK%!>UAPd5}+SH{ml6g~wTqXUjV<1$4quJ&RZ+b`tFm3$go7 zj)H6ef!@4DD;KI{fjZaFbxfTcfsAEv98es{xPeuO0&9W@EsS(7$BK7tu zO1!I#ooXFlPLlt{+p~qFa(?+l;h04*a~M7?Rel4HA#aDr-B7)R(m zsQK8LXy&1|jeGq^n=+l71mc0$DEpc!{B9iJI)rcbk~QTFdkl@6ggw5uQL*jVaXx4) zrj55L015TCoBX)2cvahyvF8uKf*=WDFG1ElZ!0M~f)p01-urk}7DX!3AB(>{t>uT< z_Uy!1)8gDHVAy1?#X)C0k%d^!6?HS_-_eUb78JqDI^+2bFa9elGuL2`k>Qko# z#>M&Euvy+&TzB&CY3DAkW{wH&(SVh1VfVB4>Eh3P%esLx@k9z8{Luo_x~T~qe%0MlVWvji0K%vlmLW?P4Q5L6ikrBVc5Y|>d->hJQYB~jmdX$w z^!BXx(yNhwIOIt7zR;!jksow^(T|gL;m-_(glM>(tID5~6hqP1iPT{wWMwq21zpOR zSL1}W@xkRT9WBIlSk{fQ36yL3@Ot*8W)Ym6tz4_S%&}PTWR`G6yKnZechE9)P8&`( zr}#fw`hU?}^uI%F6Pu&iggCI2R#+6Y+)#}mZlPr9CoaRsFZ|scmPN5Qo_6SHiaaE% zKAh?Uz!NS7zoYkIxjT#Lj(6nJvBC+2#;npE42+msw?Uy8{ZTUN6T{}+@6&oHTirHCXhx&+UCYAocVqeQnrZ(GiDc~{wi;=|G!>$*@NKuC+z?IVY=vH16~VXF<`bWAbg_$yj~O_T7p^uAjYSefNR0o z=ezkB5TgBUl(bD>&K4*(2LYZG1dtcu96kZ6L02)IUPBX`*Fnvoy)f~tr#&2Fs!K}% z5+HeeWB>G@w)t1aTg149Zf6L=G-t1lai#OuA2MT<&oMHu_`osT|4LFmAa0Qi8OO*T zO_l?BPHr1(WHlc!G1IF6X_D1U(K!2G?c5=?5imPHA}PB+Jrx*tg&r;BB=`@mwir0sLendYfZq*0$N)zZb914d3Mmv~}tozYdjIk)-V6 zV*2d@&u1D{P4055QOfvw553{gNV)6UAo+Kf;;*WZlf*d=2#i#9wk*2#z&JV~5Tm%q z;{;^U%m61sk^V6lmM7-}&TtEy3$L~YQ^g!Muq*lmI&2}!@6!3`qd9hglrsgU4agb6 z5@!zg1>lG6doIR+$EX>j!ci5U^a&NZ1b@&AdaanKjQ~7X?WO64ml`b%02>;FK{WW* z1A*mc0RN^1d=5O8o>ntRZ0Vv(}{_!5{;A?X#$d zy83J|&}07%Sb@u#17-)84@JW-+WBNI+fvY8DQNGI9?i z^`fe!x^E3Aem(}pe9UuN2HcmseEEcc&-(ku%_0WCMuG%nCVW0^&fb891|97KP&JNv zphrCG3mZg_w&`hCE+jpE_wYAJleNzjyXW;U(;O>~|9W#OxSj_abl>KH`Q7%E#6ZE& zyIb%(oKqmxX#u5i+8`5HQ9Q>k5LUhc8H@A*Ig?XI0|t*`1|&3oI(q>$MRYqeCkq*A z)+ykb^U`>gf~kK5gV*{dh7;Qf(-fs3l-lj9?rE48*OVfz2P}?!UKo6V+0esBk;~TU z4wd~*d&M(vyK4lcSdEdGEW|=yTIL)b-2$);dOxS6cO?jxS`y$aW zYaal;(%dfY?tN{vdc5@{!I;GEt!u;I`J+Bc>`c{97Fnx6J4)cZ4lJKw#vwo!P+?}I zDd{uBKc+IA0N?)y7nRpxUfp!m8DRKOf--GI7_ zv0;x;C(m0u55RmB1lS;pcWWkp{NOI3#q>D+Zr^4CQ(>P0j!4E+x-6@kv}B#EKf|X2 z!xB{y*LtQ@yr3nyPNtA817I#l%otibl-vgpdUpRXoqA3i^Iga3D;2d2=5?@vVxjt; 
zK}Ct;WG9$oh~5lTKDBoEn+>2(5Z@)qw+0ZGiUzMs16HbLfc2$P@FVp-0TO9EMxz+C zRk84h3rPqNMz4)&jxUS%C;-TTLs{Pr;%@*>Ja-s-cOK~YDjK#sOO7$W;vu>0Dn0Gg zPA9nQJ|1!)>iptSnu6rpj}>6+pi);2wLby(m@J)tL-BMT>l|#rZQWf}ntHp1&;W11 zs$sTXG1BwQ&FFUoW}uRDWI@8))e5Ew{JGTqlBMq)Lv=%9Uj{Q|myWdb|MfO6!H3mq za86vdoV>~td}R-uj^Sb(H3=HlpE}snTe}epR#O-dgJdnbjmBTR)H>63nDTx`%*=0Y zuHlARQesj0^f6%PyTZn82wgE_c!{Wg|J%oZk=w8-kurN$UGu2W7z zj&Y&?6V(07M;9?{NDt&Y{4UF(P>4v62R z0bfkDenRO4%b_rQ-qdI~sLH5y1)xe{W?;zZTE{9CzoX(-p;H$|TVd;%oi1w(aY7GT zyOg(V?jC;Q_l?z@%H7k^5@#c3_W=MMGa!6txibnjl{fEuk979q)cN#9GiiRWc8(M7 z7mPaeG@#mbj*~rMkv*hrZYa0>xVt@=v}*tBZ|scGpBVJf*@6ibXTb9yLQrw2En>+0 zDu2065W2W!VRj1tN>u>#tn@G{O#Hh|;g6Wv0nrG!P)P1XP(oYYvsjT@`GDr29ZN+S zH6~Dy5cTg7Zc=WqkIMRwgy}z*IzF@!Lo(7*^Z)+WK7V{p8~2%4s|Ejoxc%$o!KN1kffGAJWgGuJ3jK%mNeBRt zDxtTN)Zga2|7Ni3sj>(Ah90YbY02z2{BKJivrmd!c~{Q`p^*dl(?O`|qnqR+&!Y#TWjAnlb zUF7!HC540SqPfu@=W%9lUY9Ab+jt?bo&S79{sdTvwSmnO0mFm&{M4evN4ND$-ABEK zQpqa0SzbhAOixQQ2XLun9-m5i{P8}@+Tph{wE{^H*HJLs$GunqykiLP*u}HH?*H~9N1GkOB z#Js_P8t5B;0w(VH#Nc&)glfUakVqfS1oi=en@_+YgaFM!%d+rQz+`MeDdp*M2$YVS zLB*7A7)0cli3ZJtp6h>QYNjtpWkaR&I)uMg+@bF(Dav=VQ}wLHtp7IdGcRB7rQ7BQ zpGGrulC}HdilU`xn?LejJhw>ZW8xWL{ji_iz$WgYLFykwZot`fYe1v)AJ%>=LRPh} zIAIRRZ!#z?VI~%l0MOD>(8Csh&7lDNbOB=8`+&W;84!9^JqLo*!5}P! zX^0Fxc*}#SKR*YtI^wlLNHBoEb9jSWM*^BszIFG%1TAZDVRxnatgUa}E`-Y`@%LLl zMGZcqyeAw7-qkG}f2g|;agWc|8v)k?KI9rNplC#8zq7P?*1&~GHa?yH?EZ^dexN*q z?dy6QaZ-;Wuh9{TiKo)Swu*ZQf6_&V)a1`mAz5shYW+tYm;{XoC@2yF`5_0|hZP`T z4+cbwx9I&x_Q1A9OK#-ybEz)!`!Aq7wKe-HHQE27mnM1xlVM@FSp-YOQ5j`w1sj;l z`}5uU=g0VvM%x3Q(OiMK#HY%KPTTfG`ye#GgF?)E&=13LP%ITUhKBWGn z_z*U`jx^Mv3%O219t>zjrN4jy2>>Q0lD-fXfGj1mOcx)zw{~xSqxPNHRXN`6WXMuC z@!jzmo%>MLlCFspXJA1zN!MKT=HejvMp?&JX4QFBv`eqluiPgRvvP{2Qd^BUE%()V zZ@j4i&#EEP=X}h$JA@W>GM}KMh0k61Ngh-8Y!;ocCk5n{q}yPIdg&S_79FJX-7m`y z0%?-i`ino@Zf1h)Ln4P(6h_d#3%1k61}o&)e3~@o!eTJk#q-iFf! 
z{uV$3PJezp(h!V6XqjP9jUe83FLUwz%iT3T{?gRgOP^Boj&VHd(?jc<^KZLvIRf;m zC4A|1NHZ9bkr~sco2XM3k};vi7!GxROXy9{yZ1) zP!!{r1=Hp+1q2Lsn$mJRU*^nq6ubz{;Juz&Q+an62B7)PnDpS}Cg@m9e;R-KF|i*r ziZ%&y93+?l(5~etMt-*j7Q_G61LSTvd%ggZj$?VSIW4mWhNR3uPQm|{t4e+xgcrh- zz#1^<-DqSg6!P+Pjv-myc>Iph1qMUP#fa&*e*!U92wDoV%fKfx90R_~kMX1dv+QvqxFrem{3_0&uOr z*ER;k4R%gt#!@>_tW>GOq>)B$V{DV2t3{tPonKmR{ycU1V@LIm(#-jggUJe8`;cAH znZC83q(N|~c$3EjBrH~lQB2w?I?;B;mkh16>pEa_+jtlv=lh*0MB{IFOK7!o*Wm{x z%^}t#nDKz*OA=xY(0^t$)E?VfGVKLMXRBQk;9?29m-M0Ip`zGOz9u z>QwYUJZQM^S&KFV8Tt>p`)(7MF2@#dPC-SL<2OBhw~v0$E)13U-Y5n=pngFNW}D}l zzh~k@U3`S{yJx$PNWw_WX-<}U6=%){vd_ur+=zYS8`T*&Rx@bMUSkm9YnuS%Zmnk? zDWbNp@aQ+N)>%<@W2D4{#}54eRV?&5?gtBvD`9;afX4ShDKIgatLTgaFv|D%h1Q1z z>90Ou804OXh3usf+&hL0l%^T{TIvJ=s%PH-bG;_*r2*io>~(<>+M!$}+w7lQ0LNG4 zb^;uZ5tgV8@t=af(zCu+iFT*@^zCg1Z>GgPb6>80enjZgLLl`u7!#6MZT@n|HNWbR z^19&SI4b>G*!VR6EdiHQuPpg7w_rtY>pb5xQ16kdJzn{UK7K?}9){ao{uWem%yS%` zDB>{nb02t2wM8>9Y-%eyN3b32fz;tf`Oc?P9^kQaNTKg<+O+s5tK4BBdG@p!fse!t zL70fGJ$})_HYa^&cl*f?+VO}>hM=Z5Y9th8UOo&0oj0;thuhD7861}0`!V!KjpskM zr9KI4_u4IwA%gnj{gY2!pZQyFz3LegHmq5#ecStx$bMXPssh)c)&kwrwq?))sNOSy z%6(|H){-Nl+-a`ua;@%iHq!&UQX}_YBKsYToJ@*L#Egwld0IK@dxSr2K_TIui+Vef zw+a-)f@@PU_gReTK)FM(c?!cK@d<$Z+l}A@$RRI)Y{OMV*DR)Shm)n-m#R)iFUclI z!%VJRrzWdn3dRt=-n+|c!0_4vN|g;f?&t`D6gQXZwM~4*Zmn4H%XkU~?5jG9KefMk zFzX7@8MA!_F1iI=?~QXXMA^O+2(nf;jOGR=_ApwGS&HrSV0=mvK=GPrU*lIu(-lVx z*d~6}S5PKVhC-}HF%wR3DNyHW=A^9$lPqSSesv8)rDl3|I2Rpl+y?KU2dLZ6#^}bI z7hC&EdPP;!>!8p@1RR9RAs}moN(GBkjO$kxVfbXRdQo8WyB%I2u$V>%lo#1h$uAx% zM5r}Cs5!G&c+YH7e4|Yy&!=yH6_C9+Lf@7Jw-7e-VLODAdvvfRD}GMf5BQmUgkgi+ z36OLHz2A1r-C;rX89 z^(Xzdiwi71TbX80@i)8!i^UD+$Nfi1>W^$Ez+O(_?qt%>2Pec-b=aWUXNv2Jwc50t zq&@09pIa4UCAkyhr>DxiM*8el!Zz>0%HmVH1re0f=+dg@bp;gRFLtf0-pXUtl?{Ak z;$n}%0^w4roX%H6+lm)oB^D~ZCot(FZ3G(l$|RrttuE!f#jm_}-h3Q3JCl}A2Q0i9 zUQ2CBz5hqghwbi;T{birL4f?0>cI#1Fn3{Y3zcp5-3n;!B;&6GGhAL|MLQ}UpUno% z)Reyy|7Fgkp^EM3y&G7ym-oIUpR~Rxm3Jx?QcuZD#%xSdwygfTjG>7J9UjxPrjXY| 
zoqOBocBo5eN9cQq1%k?o#w-|LU8DL5L9{+@6}V<;Uv?KkWF}M#ghx9|v6?FSin!9G zPsFHl`JaepP1q~%D*1ggCpD*kCeJrl*OB02-X0ZsqMF^Rs3?RBh3#X|n985yz3-ph z*Wb%}BtfWc*i4TpGTmdW1xdmO&oUAcni4rYtVSxic)QqQg&()SDvm0%F6fQ+-wt+v zLee-E9oi#~5jjRn5L>1BUk;VlS0D>H00hU>N-u`d;T$r!zd&_`h4{EG4GN95i-sUB zbqVfK;xH4dFQ1s3;*JE$5xGw~DVNz}X74!(oY(Pjx{ja{AhbSn^6Q|+=8~tJG%zQ4 zn!}qP8fQqOh+4aJb-Ud>VLg%H4sCk2uV8l8HW)~Hce>bbz5V+7b6@?rQz}>-0W{Tj z)Wz}bdPP#XSMwWZN2HXxml#M+9=8e(L3_6ff0|_67}U4+?6~vTxQqRw*hrqTa$KW` zqO7BExkmrH=M9ZVoMrpjoYVFBX-_|lzO$WJh)}_&)Je3u?(jNeZ{wF&E|y9{tYgSR zlxzC$Sk%Q3`&VZswTyQhl-YX1p-Pj1!(cn0)kNGp&rHZy1@uM#8L0mAV-7Er^1$hc z@bJzc`pCWh=|fTY#%xpYBhlcQ&?|xy@e~3R=qU9wK6siCk>J#K1X~+9D2*&t9D`TA zz2;R|xw3@fa{?3&j2n6nS_Ksj8x285hM_ovt+|}%g-mV+2nJUPy2>jW+Z9#JiYh)v z7#|01$tqiPhZ}W`b(;vSgrWEsETjTfrAiVQP}`XKFW(HH@{p?+Euc|7@gn%PxQ_{B zoRTTqtogJUf?j}qMW45|Q2(S$(j!^ZZ`aB6NK9=>kuZgK%^mrG^5C7;#nMR5A`df ze4`xA`JLH*Q7To3evijiJ44u6n-m&X3RQ*1pe3{&DzadzuPDUV)AmDDf|+83-?Q** z?1|aU=QK_eC`@gc z*t$k~J59>I8Xkzdm@Dsk5Bc>T$8^(nszc@2ER_>~KID=;9ISxEXsV~g?*}Zvg`aSv zoWs(8k@x?sl>l3~n|^7k`{;Qm#0kfu$}&9=IQ{e6^iuv z`e=5m{XUB!Gg$+0f!(<4YaZ-K4llycjOFo#PSxyqYxr>n%x(b1tX@pYEMz>=K}te| zEOg4OsqfetRLpx?^z+^K5EU$hb$dEBTIPC>jq14~Hl?V&-fj}#&5eAon z$C>Xw5>|AJIEnLQ3P&l7{(p>JcOcg5`z|R&d0#4IWR=R!p4k#nsqCGZEqaYe8LzEn z&z6Rf$jHo0c9N}Zm96aYyB|*H_x*M{ef!Vp@V=k%Joj_o*LB_3?R4Ob0W&3I6J>Pr zh2qw?b(6GrN%j*ohPlMRAv5G zbUu9t809l(AN@xw{f~W`RE`}Llbz>zQkYFtcSe8VDUtC(Z_Zf73x+CPvt4h9ZjzSM zQk|i#-8tYO+frg3jniiHW~Wd5ep0o1Fw)2NkVOA?a4Ds(Rk6g(>O=DzwF0f3MTN$r zY+3O}?KQgg$d3^c8JDdk$2ggip3!`lo2qm3*HCVh%xitYQElD1GB+mj@am#Xz*WJ- zF;OQmN`?gcZ)7JQ4~8U294crKs5GJGb`&qiax_9s93T@KIeUS-j9KSGzB8d~*;hV2 zCjD6a0xp_`f$xe(k)OHXO@hahV6NW7Q7A;fVZ(L&#I;5(^3UfEmGKyr^xdXU3ZKi8 zi$as8@8jbV4TNL4(kMHwNweYt)irjAVakeOHo+04ph&VnDKa%3=}TC-H6}E$rdEksj&ZQ z4|P&{=bNo0=33tWDsi>Z*7wC&?<$ekjlm~zyJdWsQ=LCVnNUqOvU-@!@6|&?c<)DD z%N6Jgo-R9hj;CyYaspQ932E;upBHAk?Shv+rJZ^+W~K1v((u^9%YuE;)4S^f>kuc< z4oy`La?D`gIMfk+=-OuUpfY!ra6%@RMt)FHW>QyC@*}z 
zh;uJD1Mo#Hc7M(TiIs^fB|-WX#2Gc)N-VbWFpmkfu{+%3RIwekanf7y9gF$-MwN`ac3ip`5C~P(dFtFo|6SmEwXXr2^G%B~oAnOWvCQs;8Xi24M=>61K zFd9IDnVZv)6Ykl6W>WL@BQFE5u03XJv+MPIi4|k=%PM=hyvA;u$y^bAR9XAklUUYZ z7AKK?iTUZ>YtrOooq13!lq1IjMlACI`^1Ols%hfg+#9bbJ{ES=Nby=i(LW%XBy~zn zr_$`(V=F40CV`A_*>$>y5mKl_4DJ*X=mPf z-Dg=rQ^l{nHm-oUgSZFvyVsbAKeVi;Xr@jkFtR5_1L_Aj(N(;wVjC_jB;!Tf5QO>MDE3P7)ZfW6{Zqlh!3d9aF z_U1$+53X7U;FW2I7-XbaKAsc&e!`DPjA@dDuQ7?R%qpuchf>aJ7&Ef}tjk+Au|~o1 z>rH*{BbS9AG7(4%n4BiAJ|<-fRphk(NO8N>v$T``4r}lIPmgFRn||u4Uz~~NnXB0W zVuhkCn$t4wk8B29!$x&$#l(irT&yYGlAwr7X%ibw(q2ncSx7%ZKyZ^;ChDa|uKii{ zD2L&?1~+RBvEuZr^0J{+dyBsUxq9%?F5Y+<&(jU4FFn^hMG}?S^h6O4vMNYpm!s!S z#16UN5DdkhXQt6#UleRC2Aq$xm+wft@&+J1>On{*(z}?RZ;pz`{{rBV2?wR7NuR#a zf=%V{7SFjf5~G^?UYMc4Ev%Eweujl8r*M5pl3&;T8u)4aJw9U^nFIH@lOvJm$2G%N z?G1AgF)DJgLNCQoIvRPCvg%vah<+qL4(QeWPk2p#>i;^o{6ILfUf(;QL{VQQ!(;O zfby_gLzzDvH(jL%K$UVes#3gpzSLl5Pc%A93(Ij-F7I^^r_rDE(NHuz$RWf$&s$B$ zhi$pz>ByCzbL7~Tp+nMvu8ml>NKNB_H)NT`FXx~J6rjw(JX#nKr3dLLuX`uW4Pxqr zQUMbwLZ)i0>+L?*dd6+T25jf9ikKwK^O{su=;_v`@(SO$bgg+ff8R)gyKQ0Up#S6e zy&o{&qm|>_4_@ltwqo?)bvb{$`bovr+4*ywkrCZ(_$6El^B%`W)9unbJQ#5UTjPVb zGWtZQ%>l+%CB3K4rr{G+@CxROr8|#dpm*Zxm^o#<;@kTI$~&t0JIyR9GS`dO#f_E{ z^klNvq8zLC9v&&TCmG__~x>$~ZD%;XNidSA1zC#q#?G9c4&C zG5U_*n3s>GhLxix^e*1s70Z}3C*Ql;oMw@Yg-$j@?n5AD{i4e@-mz&VBTF)x+;ck4>;nV(fgvNt z`6rgCNs}PAgh!IBXgJ>QqTBF3C!d!)Mx{G3QO;)f{9T+4>$Wv?=fGrieT2ux_|j*1 zK5#$C==}j>&!})|)HQW8v9A$Q0B0vx_Hgr4l1vF>`XBveIQnzAAa2HKP#!DPAD|9BUzZ*k_jzMw{r|H+ z$M%V?vvo1=CmwDir%;u9>@B+rpm+&DmjSic+W=_ zo98|szGhjzpLBlb&W^N$;~O$>Q9;miUK#uPwPOQeD187AOyV<*jtnh&a#h^nt-r`h z(Je}eA)+;uJK_8W(dsQIowTNu+$r}m&F3Fy?*BiMzxNYJO)rBb5B=&+ch8@0^ru(# z*PnDAf%oF#)|Z;|Cm-(}swyR2aNoeFQSHA;(0|syn>TY1Zbp?muJxz2_z!+(<64`V z5o`R7eQfd1SmPAL8h`f9>WmMPYD@2Z8vixWJ?GbVP49he)s4RIsN3$1|IhP~>iH^EfeCK&4R z3E!aV+##X$kCSg>Rl1zK<|)23JKEOr<0V+odrzc^b>D{#RwI8c@+0`fm^tn>7x}kq z`2Xh{)eja@3H_0!JOAUQ|K>+25m*mHkMn*BS^e|x9tp$E9q}Yd{r_+LQ8fK>x!nQ9 zh+b%5*N+?f?Ju7&45S>Dd}74|bIYbceI{624D+6hdYs#Aa_Y(d_q}g?xVIzWq3EPl 
zpcH-3q*|@$jKZ0~>n?oEzox(b@u}V?33vL_t;5%swP%`alW|^~1i&rf@H&FsRQT%o zDQ)a3{E*lL@rv~?mXL819C}>{IrazULTEwWG>X1;{1WT_=R&tA zAl&J00TaTGi9@Pl+ISI^F}o2k9XlQi0wiE$>M&q}6J*xK*6I)99-^{17{SP#n$u~O z8MU^$>12BHxaZF^K1B3Hs0(0Gd_y+^9Up zrusI3IE}kuh=#4E)su&1SVcN4JgS7VF}KwuMY=)r&=(@qOAPNz9b9bomZ4@Ri3at1 zi0?oiHhsWr?t(ks?IXU9?0pcmdG@jM4Dz}u2R-tBP$(Diz(7zxBq}C@Rw86cWIFV( zEujCsvfsi`HH%0QmwTs%D#j4wRtE_n@3(m*RBPr<>##>eA`+oC#1{d>NcHv$C~1R@ zmq98*`O0N{|44f;khUgyGZQ^trPDyH$ThnHJ4%jJ)_Jhd%0a2H7rbX)n3+Dm3X;Zv z-aeqaE|3+dUcGg#ArpF$^!AjygV<8vb8$#2zVFUE{@SKL+(M_Bn|P!Pz!{nCn6Y4$ z$A=Yxw}->R`;i{39jt;#&4W_DAwBo4$VEil3$`2Hu&?FJtvE=7Efc?lgp?+Sod`dJ zmq~7RkO|0+Cl_cYFNx#O9(qjkH16y~J~WmG*kRl@Dej8-I5@HGTEQ06 zsruNmeOp?X9+1t@FM6S*_eb(3MsG6j^yu&V(o{)!V*_12zdPt=0l-_gcX%HJqm#)? zpmMIGd}y-4OyBxlDx=c2NTxpIaqq@XYsQs@Pp@y3a|47S z)jorSpF5|w?-ux@1`TgjwWP}Hf(dUHc?R$ubqC{NFH4dlqw9sXlC`^n0v-ViD!3__ zH!9co1%+`d8XxQkcL$7J-@i7Sxb6eHMch{A!6fKoI_V=pQmU5KD1V&)SjIim7}Y<@ zJrtRmjHP2SJsl!hv&MqgFhQU!Xh7>&<*Yt{Eaaf7ybzb-mQggfbFt}DN0~WT=OH&a zdjR--!BtO!3})0eTrENtR~M0i6M#%q{gQGsAeiOWg)yFGcqFebQ@<*Gl9I50{jIzc=fTT=0E0=+^X5}?4C z)62q0q5>$0PR>qb^wtg_Od0h0(INRXwbcr!dP%^f5dV3R0Qtk02e2hjU(j`^w1+wJ zKDSjxpIGa^6r|X36;^Ag#|K@f`VH|Fk}tj7?ewp*Xtc|d>M0pdeud6}eRHtl+DCdn zu-EY?D>bdbg6?v2PTOn=S~>2`b;>~aBUSQ-uhvD7&IPc<2GZTQCI*{CnCLsGc`giM zT26o&$PXDEn|uDg!@oS}HojK^Qz}baEolAZVZ_dAIwuuF?RRh*iHQ1Ug6L?X54x{* z%PFN@l+%bu9UOqeQ?sPajdk$xzf)cYPs80v4~@JbgDXx->>#7YEJ1I@vuuDTe4z)C zDIKYXjR5!y`?|J~zI*4KN~&b&v{}wh{U1tB=y`*lj^}TfgXD~86?2d?+P-O60Y1RU z97^XKH{W>%NsavsR=;Q%0sTsb{2#l+o)>;iFF+pENm}1A_riqx@z22#obXnIx3Fb&7E_DHllz=jGZs(i-|RzFp&{^4Qqoxdx}l;b8PdwjpFi%PwZ8A7&{U%+u6Xj0xyris~rU2bd_Uw9s%88DNqPniHF~_&$6!H$?0?i30K%iXU^uj~ymm1+4M7&MTrBMx9YWZ7&>QBFbNcyNM&8YR_nTsTW1ZK@LJ2L$~$5 z{{ncvidEIP?n8gvDS}#fXGtwKkm7JUu660)bZB^6IX#7yp zoBNx**ia6DGzsR9dKrIqx!eeM3$ja)|Dy_khZ(x97;a9cw{5P?|M9$&sNmNpDuo*F z{kl2pzw<*1>YK2&!`@tJyYw$8;U+k9nZSD>RE!H9MbyIfhAKimmmR>k)>$UqY_mIz z;;|aMGD((AH2dEWoh5#6IE&bjwXr6&OfK;gaU=iwYlN>7rAj7_KQ#a0EdT2zog{=s 
z?UyFt+7OzO=qZ{Gg1X*wmuru1yz-(rSdv96JG4E17crzXD5dH?{Pi}=Z(OrW>XYtq z`h8&gQBF$f0l?*qjsEr3{o`N#h`hOCWn)G7QT>0RjUW6yG$B0e*!;QkcZgIZNhbs% zYoupRYgmLHIoO2E{hQr{KfTMJYFxPL_smW9Z>FIEkQa3dN(|H7YHA9D&QlV zkBl5KJBFM3WXM>C>L0*u+>Fn4Prmr0fR&(NS(6i$q_9mrR|j-sS;mvnmHzJQqdq$Bh8c7J%w-IGE!qwuDV1Y%9-2 zJUhtPMKatmVjNA^KoA$E60w{}=&J2&?*(e@+rn$5+sGdjf-mk`JA%0ak32e&+^3;s zdiTx{GROWT8|75|kCvnV+$vI8guvqG;Q(LN*?m7TfqZ`{Tu#S}p6#1)M9Q4fLbJ(s zu%fkM4E2Ecwj~%|C+Uaw@Jp<*f-N5Kf?mJj7LTn>=pWh!o#EeEIVgA2H#&|%LrpLO zagp0|#2^}5{b@WzGmH`Spi~1$h(Uhv2nIgVL&6q^0o?Z^0XAMF_sB*m0D|xf$OxO$ z6|fu=q%N%j-0$`rHgq-FpCJ%7q=1EJs-hy}pT|WdpG< zC~`c&riet&W4NamSp9z3HKE`oaBRx>22Krz5*98KmdWU1wM27BM08FPH z-$A_4fmT=)bf?T%_1Fy;RK>bM{8zP{CN2TFhc=;&c&!)Y^umzZ7{m5fvfQzojvBBR z-I&|7lh%cG(>u(M*Z#Xt%YTF(?_LGN$Htwn&$5g$FYGH1X2A$Ci{{S1|6Z6?LzQ9X zV_q1Ml^HzM1({Ick*kP#<@`$g+Gkgz(OCx1g}yx>Vg~{hdQm-!qBUnM98pUbj9q%0 zPq;dD`cmoV$=8{6A$w$ee+MyN=x9Qvbq-5XBTAQHeUDu9{G$_lw3SeFEIGb%3?3M} zw_$N``kpMTE%ftn9y(ibVl>=EWh8dDt=skVp74*=e6c{J3V}Mi{uBD0mej z>gQO@uzb1lewL3MT^)B;L$+%y*Jze)_RSemae)Uz0SAs603wm%{(!JQh_*lD+OCz#Hot zTkwuA*1j8ZY=YrOD&VsXBfVw2u(Jk&H1K7b3PFe@B|v1$?>7jM7RorVCzaHYpt zLwx293ul+832OccgGmub&@@z|7t0Ve`=PYB)X@;OefV85)ZhK+)B#)mG*bhIK8P?D zTJqu#x)BiCDF|VoNdFyRw<;)=D)*qaY>VI(5~@Dn_=d@HZPHP@V$O_=cNrjoQ`?B% z4%IkC2;EM!beHtL=kM9bop$hF^CU*Yl7#PnWg<-u1mkl}hv=^87z@fHzk}O(D%3OH z+lX8Wv)5}ktnR`1KnyykqELU4Gx_O0Ck-%oG$^@ z)C@uhO`r}8g(HTIWDIBJv|Gl1wg@^T&r9TVRzdMAZVSg_yT$zwV*vM+%LM0d4$UlRZ4jViWY{oF8^3h|CN(_ODdOo7D>8)EwbPE|D$pQcx4Zde^D6^5YQ5kqRpiw544`@wgo-2%UcB0NrsM)S!_7`fuu`A3A6aDgd zP#Q6Sgo|kQLMTviIR|4Q*AUbj08rxqG?`0(gMKhqtAW)Xd>Wk4(jvqAEOcu4BIzYj@-N|%gn&yAK z*uU@oKmWB!jF>-l3IOxeX~52MzdkjClg@>{t@%cTw$&3H81{(8gjD}gKn*XoXKb3H z>jVNrormf>z-KMzc$eoV6U(j&Ifn-vYziR+@hGj4`_W&nyR9VOc#&gCwQXMHro1#> zHOYv4{HDVGBLM6+ecsL^`!9d^Q^X9H5+Eoycl>H~(BUWT(k~yu238=2zN(Cu3qqGf zcqy1sP=k)`Dv!jL1ONJNMm-4R_=Z}*1A^N1;?*kA#OFV79c{`fo30rDOBADb2{BnE zP^Ep+;VsbUg&_&Qyn-fW;->WrV_{zpR^~))E?{qcWvBz&dPPaOyc0=2MW_9%zM==V 
zYyQO0c*n+TO|qkavNd+T=NZFm;?cVj*LzNLBUiS6R+32?nCAxR8r_FTH#=IP?7Qy5 zUE;mZfB-Y)pY?_x!G#FITv8JfR* zKtFxFR0bo!4eYkJegE~)_^*vMkM6X{ePZt)ZJyD+pp0>^w0RN!M|Zl!0C!q^rLoBP zkG4e7b$GWKd8hXM5mher5qXNtPvmR-LKph?I{5oKVIjd1*qd7;^GDVHs5{*0a<9aE z;GZplov;Lo`USQA2Y&h2v%eY!clxnlL_hP7mVmxAEP?;u1ApJsPw)P(n})?c+IBwD z19XQKP>{48UEaEFN5xDn_eZPPO+&H&TwnjS)xW6_c)_r)eyCNg9^0d7DljpJG84>W z9(*I^%sw3lY|HtuB7k;v-tDCfhM8XIkg0&4U@GL$;t*N8acxbCB$q)+gJhv_EPmMe z6)=W-Nj-u1|MB$~381cXMdQ9y6XCSxbpb%3uyzB1q!_(VxPQ0E8rTw40oc5UxOE8G z^6-%r?-FchT$-OeUN_g!&I1*F6g1adziDLJ1uiZo10h0Ob`w)eAjJr8ScGQUE5aF$ zJ5Vpn3d~yKwEN3$=Rdc^e>@x>T@q{X^_|WwSxp<_1G}i4JLXUz+jOYLz=*K|Qv*Iy zn7E^%3z;Hl$~7t=E9`X~MgDCEJQs{=Uy*J;4IvW#vE-{z9allQtbX?$9AU@n4nO%% zc;hKU3k@yIA1g^YhV^{#EQD$r$#qyl_|K*!eu2zG4H9YZ;ubYCzu&!l?;Rv7AUn6c zdn^1?2j(8pZn`Lqu2l&j;1wjvU3;N9avHK!qTOc5zXD-8NA4_w*fXXf6Vioh5W+N1 z%(^CREXi+N1iRcV2IPZ7j=eq1`{nWdoFztGs$E#5oe8x{=&HO-uZ0TZTcsW_p2e9p z)-OyCYzg|24XVLPKh>@Se1#MnrchtsCtM+9o&v<98WP<2;mpNxJ1<%^4!IDT%Fkzn zABYH!0CsrqjqEx*s1D}Oo$At~MHXM@hQW9!wLn!wCf@%rEi66rjQmH)GhiPy{@Jo~ zZ@UQ(y!dJ3_O46yyIO6wfBRX2xp~%5Q7!v62a}$ofEQshoD9nrpz%n&j6)a)m6kXO? zr}j(F#eQ5lgqo4T=s-++?zY{&5aRm{L{%N>KpJV9-aT&&P)sPA7>0yRZ|1M_Bi|#@ z<4%F$LZ30c0wkC3l)_`6L1kNDHV?4V+0pck;LV2j{V*nwEY_9L4@2dEfwMoB>vpnP>WWXO0kIify8!cXT| zh~1)9r$Ahe$-;WDMPIyCdVgsXE%9q%WL_WQ_EI7cVAd8e@!Tbo#CVKSa0RLk)r1Fk z_D<8tHWfoJ^{p+D@>leea8YPrZR?9u*M*tN;KB!m$DWtJ6Ph*jLTIQ=DrTQ407k(d zS7A!`doOtC>ItYpg9FS>G9k&W2H{p?H;p1F1qwbaABf7^2Rc8waw%2dDEuLqZ?7J@z0Vd!n zO(=2x**Tg7t$TWxUplwBzFHD>(_TaNiB@0Rz#)-ePcGj>ocq_XgVX>a=7oa-dlw9L zi_YGjGe8!RB0s+C=DFIo{>=rMohX$;(g}DIO7R0a_SgZ7tCToL<=oEVYRPmD^_bU? 
zx`CK<{~_$`C908jeM9fc2cxSX#u9fea{ow@wtLO-clSk_FvYlzS2K4m!eIyI35ZcIU!LnqoCRwN* zKxd;5UL7~=`_YibQbB*WY7<)T*yp1$grY%G4BcnAkMHn2O+;gOE5w^2mBpe2jt0(g zsoumA5Drv-i{qtc?E+68da}d$00o+SYgSZ?orjJxen#Z|rt~!~EWAOE#n5V7!ggkA z6l*!R$vArY$d0&{KzLLyuKSz?dr$u59P@$ld4%*5M-tBk6UM`Yzq8+b`uS8Z6Yprn z1bEL~&+$99XJi+1f7u>&6)Y~_0IUR#Sc}~-ByN_3z+H7lk^a26O$;RzoPsCMuuxB3 zZ)WJ*x(=n@gBMMq({*a1pC4Er_p*xjce!y4xe88$rhsr3>(INtT(TYn_*?$af;MS4 z(GIX`bBS|T$PTbZkk>1&w^fF;otaSibIJ!NF&L5w_pfx{=s!+NJOM|eN^0TE+b7}= zY$o5xZqoR)?TR`r2cnm2eKy3cflXS%V>$AEH_N7~Eo<+>^?%HzW zq?M}@8n1gIIRv+ce^AO7gsYj23wiM((dF8So!RdAPja?~*Hj!B>yZfVvYwCf5(K2^ z^e}8nwjS8bc&UHG$8on{7@PPOw##O-5o~K*13|~lPM${$hL?{flx7=sJdG!kjugkA z;03Fchc02S#o}@knj7qU?1#n4m>I3Mx3JsOQ{NQIgIP?Jde_gqApS)B=6NYK;k78h z<>zyCsk&&$q(x>Jz0IN=JtSm3*v_@0@rrwj`iqw*g3xs-wKp~k;h&;KR0%*z+=NJ* zJv>+<^^@oLe5@ySjoWcb7kJP)HL`Tt0d=D^$~Adq(yudGfM!2cD|tDz4`o0451&<)-T2{mteX^s-{NmP%MnU8UX!~YBLrmiA~3r zxrS;g9F|WVc4g%BqYg^pPF{jwHJ-gIOmjyf#^u17JLa6U`n_QOt9vnQ7LXHOdjEyE zutv+-d60lb>=>NtHXERmm!*EVOX|)9n9O$izNvY0W=A{tQ1Wut(8%3rN{D`bG( znN&8>qrIh=1}*agHni4g5M$}3c#+twdVur1Q+UgcjnrNk7bh!ztxTISV6DZ``1NHm z_Ms(}Q-R-!5k0+bV=O!kI%z#olglriO>k7>ZU2DNk&v)b++64*@dJ@yA^kUT-0t6pXEBZkUWZS8lphe`iU>0g zciCc87*UTv9N;Y2c<+R_$is-M*Z1R&ac5Rga2gACiI5K+Cf8)zDR-vs5a&26vt+-A zV0wtlL4z)sEpSsjs&)Ug^?B|_Ul@wiyQU5%IDwQvbo5jShq4O73ZbN)n<7$O+9 zRlbg`2<(*(Hk$faijOZ|9Ee#M@qI&0ozRSL&=R(dux!ZvAY>ylf8+I5`SOfnI7n}E=t`S?~{_%spqozl`Hh550(Wv%MDLEBhkM0&G-^>&hSDHz=tVx$*k*Mt8e z>@Dsf@Qh^q%x=C0<$%y-YvL_lm<*=YYO3insHp+W8Jf+FjB6_`^P-{FCeIrrpEasnQoNg=W z6aTMx|7Kx3s*7-8>G^~rXI~13uUezWCbRZY$6jvK; z%^|?A`NJ;F?J)Ifo_c2n6G8c9ZsnTdEqzFP;TV2Llo=5I63-}-%8?w3cnijg1qe7d z<+z3o>X}b89AKiCWlSl=^AOA8W|{Ue;W&Xhl0LC_2Nq*o6w`EP79E93*IotM*XX{j zbj_Y!Da-e4J4$(vgP{oDft#dI+M2v~Ypjh=2$x?igL$08JKcJ5ZXXA(E+|dftkgrT zPIte_G1i>vFD?w;QtLmrg?k#ASdnz9n3VFp%@5e^ZSLqEG7=-Wm3tiA#pkD?-B#k| zLy-~>PRP#eK3VDsc1F4RZK?O@@<3XJ%b}oMN+~Dq>cz6qiO*UiX0e7(Y^1Wg-BkAZ zh(sw}A91HHpN(_qXtS2etSil%iX!&idyEZ2@7?SWq_DX$5Jj4BW&eDtb)grvk3Ez! 
zcdz9C(i2lbm_X%BTSOm+jKN8XOZ<8b{%es6GxeWWHEQVqh(j%vO|CS9!4ra&t&9HOVqV-RP?KIqyhq^e!PA%0@|TZQ|rMNuT~ zW0hm6y9hvY`C08k3|8V%lyRWZ@OY˙v}H{|XJ;iu#>E zG8Z%7GiRY76er%RKTfAb*6{i3)fRo0GQOr^*lMYfg%h5Iw=x~~knK2jp0DgGUlN}D zM%a`~!v`%DCr`3FNemRN_biA%qf*SMs-xk!%$TX;I;YG(_R zo@vc};FySoboDlIWG>b(BLAWjv0e^kC?btSlxnZ!ulRf&QWq4jU3~un#^3NQSWt}a zB*3S(12dUe?3CxR!;vx2nCxBYjhNA`K8@A0i_k4`>K<=G!S`VM#=&{u_A9{Yz5N#5 zYic!P83n3J^M)YITfS3xFY#B{(&*X!G|wx1Lwzk~Sg8<%x2b)atNY?3o^#EdV4m&)H`RYLm2J6|5o|7C{vgG4wT zFXc}-{zYppJ`Gi7F{HH8VXm4aLP724)eOIg`4qnERk`Mx6d-vz8##TZ_1{G_aPC+q zRJ7{U9%T+J4E?8q?E^k_;+e$zm2|#UG}PjbM2<*H0&{m;NT@F)s(L@uRT!kMyv-Vu z6oh6-vr5O9IG%7yXK&OqP>GGiHesJn^DCTCSV4A3W)jXvo&xGEQQCW zh`8tlc%>a314;%R&t*k@>pzGms?O|)_=v(Z{V)zG5-;-wZ4b9(Nm&eECTfjNF87T>Os*q zJ93kh`c-BK_cD5pAh8(ZF#84DlD0Rq_ZfC|>5A1{&n=qk%ha{7;`G`IZDyQw^|5K_61hHaRFwX4F>DO0QI^1UOlIghkEPkXrhyBtP zoM-zvxwq44;+VB)?ncy*%Ej1I;B8-zDgE}*un>DcqY7A9x{p78PCQ$YpSJ)Pbm%e8 zB4hb1p;1kS-qXBl(@n}<0XUBy;x6@nCH>HyxCv~n7}LtZYbNz4_h?wZHevRBsW1Ot z|6Yb}W*d5ZNs5S@JCj>p_9M3a2Lk{9Ke`>>S{AG}(}kxI8cW_jR%TpZXj$Roq$uuU zO_flQx=Hixho@$BuKV}W+0sTr$uu7-^M%ij?+hCYn;@OE#c(=l;9l%>kF_I=H{ci(2keVG=n#a4Da;I|LE2yI(M zmD~#z3t8XG%3v}cTO7Ob)4R+Jk`He435snz=*RMKE&FJ4e@oFViFzk`21A1k)@l3$ z--$veyNV|)@+(u{r`Q`yC621BQB1d}m1mG8Xl*QDW>~=fwmFfTV%mRMz!rg}DclOd zYqfaK)mTw$A64V$AU!#;a#3C zmRG9_HclEa!X8h4z;c3GeY1uw046e*G?wVMt7&PAH#tLSl>Njo_qY3OEVjD5{bK`<)X{;Ep-cKVHBh=_S#>G<38&gvQ}B9d`0~`;zd7 z-nHeXt0`gnHOoTSJ6RSPJv^6}!voD17hB}I4M?K($<#f2-eKo$X&pwYu;!;UMLs6= zH-C>bIxA_udS7Kz1wGCP4{^5z!*A8}qm+b_uzS?ncax7#uF>+2@5i!h$c=qGFCLwu zC(!@su76;wy#0DFxAD?TmJc{a<O=MJ-?pH4uk@!bHD-o(zW&y)?99%U+m=!e_(jl$jo#Z^9v#Np z(IkPd?3l^P=nbNF3M>>bzO~&`e?sH4Se$(WJ}i;p)%dDEbMGs@{+s1qs<$H#D>o2j z>TNdgF{r^r2L`VojwC__aRNjKqNZD3kdw8ou7LheX(e604=y?slE0KMBY*@xbJk3; z@q&IH6EsotVTAV4eW07vL@tbgppR#-Kv`PT4mF?&%GTQ!R%RPD>VYaKaBryS^)}E&G|CoBsOq!Dt(+$d&T*j4ed1``IRTx)9$r&u6?$8|e9IEKpK4WmFP{Egko`*?4cD zKR;7`WC@pXOCxj6Qy;QKj~e`e5}WvzH~05^P~87Yw_EVtdd^;nXQYbR92b^YwS%)s 
z*Ls}mIJ*|1?BlsG1Nrc|}`Y~oB=vI#M)E>}2+lsCO$jN}GjW_kDb373Y zf?fxZKUYB;CIblSom*3}#aw_1Ao1JNi7WRBUj=PQdC-Khr@2{;`Xrk5W}EmN)L(R{+`4)1&bl-VH$0OWz@ z*okod)K8osj|^5STfQ*fF@KorYfoTSjjp?#%4rh5&{fTV4-3=kcfYHC;l|Cc;Vm!F z#LUkdoRgccX7PO4+w?tPI34F_K*`&cBimNcpK;wq$Z5k;f2Ujfd4b`nO% zY*S=Fe;X$TOmh`#t^EG(HkENDl-Mm7a!ySy1ABZUe1v7_Op-6%;TE80s1S#MIQ&yX zoMRK&^5Uh)m5o~XImYZsi=)u}KKX0*%inzp`_2nCvU@i$+k<$q5^409HJVf-Y#>KI zVz=MyDu|NtNag*q(scwn_bA~FyXk_E-5b*r5f7{fr;YGECr+Kq&2Qr@53;NyAq8^c z?rd>$1};+No|uk^f^>nvf&WIKys_7|T%S{p6!2oIvsta;#PaoBJ2U;F*ee&Gaok!m zQCm?w&!EC$K;c^=fB)-MmZ>jmt*>O&8`V3m^t`~%Um&y@Zk}i>Va93Pt0}sArP68H zM_WWNclE|e%~_hYE5*a1{F`|RzY+{-IYq#iPsrNzl5k3)Vb-){Uf)zdPW70aAE+}} z_JMUDvXviz;G@RyNn{xYwjJ{gkN~V};PL&?la?ozfg2xYO)EYCoC^-vfLl%1M=rD6 zbLZXGpos4Ts#fwYi31|*ER`H#mp__ee0l)5Jk z#Pspf7lY=<2JgL%53kXg#gC9k-YM!7n62wqYH)sS8pN4HoEMRX{U9FuJ_~r*XG1YT z#y0L>Op8YLAAF@WdQ?pd8!c8le4M#I;kdl6_VkwZZGt)jO4 z4n6__NI8L~rm$A2DG|jhOyP^XgxUI!@|k;igBEqGf&VFW z!i0U%t{xhQ7D7`xfX0~)tEr7$ERIh3j=XO{Brf9HCeJDpE^BdL<)ye=hZ^-fL}V_E zCvSR*1@1QYi#N=O|7UBaVj`Ekvv(Oz;9Co|^PnSPK%-eHB(Q7KhxEb0A+Vzo8r`Xp zjRGAic2RR}eRQ1!qa1fxCn2Ruc*SX%*Xrq+Rr{Z{PTQnmjwX2TA})2RKOcSniSc`} z9lQ5zcbs#I7uhv`O~e|t2DAgx+VWk`b?C0QMb*{xy)k)W4gO7J%EN1w&k|qtaLh7i z0X@bh;q_kV3%wJiQwVVZ_!b;FbZXnS_F@Q8axk#{hBWQ_<8RdC%Y%P?`xm?QoOk3kx}Qwc)Q_hf*+}k^%0aFt7TiR}+LTLtkvI04 zf}Cu7A)I=h+qX7TZKYMSma`eYSA|(x;5WgU?hDCxM~xV)jss5u4rc-?p2CXPsQVn~ z&wHKzo?#9$OHex9fH=Seta{D1Nj0Abi2Du*s7pajFRh~dn2hO*RR!4O{pGYPpuSPM z&fi85#DVAK=DtB>MPs~AhWW-etB10mI>Bq=>^|bIy6^Rc*;-A&CgdR59{kT38_i=atTj@1l@bTf-O7_AtvT`y~@`VcT zWet7WfOVija(2eJa=+C&tym&*9>!}+J{EyZ{!EW}KW&kwOa`C6>czZVq?!U_jS|Zv z1mCl0hB=8Y?2Bs270%$kae!L0>?Je9KHo3U5`H+K2lvvrTZ3=}nQvm~pLIa4!B8hr z$5$?e2_A^*V#qL*>-0zrsxCj)_S&(?v{Z?&(U|w+9LE9hFi;vD(tI07q;Fr3??Gtf zQ}sofH}g9jURi`ZA9k%Ijh3cbTykRgYkB44=J{~mBV_l}`KEkwQfQUo4Fc-Ox+%ismzviF!Q;DC{NJ(uuh}X(x z_|mr$dt*sFl<-q?VD5YddvD+K=FKHiOVZxyB4Vt@=#359lF%W~o`06EnlOdV2>a<-EZQw9ir*O9%Fb zFhcW!PRf8FNCO6$R^Z6tbM?{?;jrnCBlZFxSgX4}$8L=PS^dGv9pnq3xJ!E>9bC7K 
zq+Pmw0s@)?_03xYl7Q_E#_QB=Ia6qX&@>g0qNIf;K01~na_@Muf2@Gd3+Q@bZYBCc zZ9EFeQC#7BCt?S=3GrM`{Xx79F2tNS)~PJ|#XgBI&+a~a)(EpiN+Mni&kEIwAE*{e z9;K0b4!~qe_#{4h>h;tEu1@Q$`iL^V5gXi+lR=+O?c?(2?EdNg2OBMmiC%_g

$7 zXKFKq*p|~Ckj}FpyI9i}JldEncR4xV)+w$W_3Y^6ZFjT`4)zi?4a!NcpEZI>9)kz=Ul@T%oDfqCT!J_ zd-G$C*WVz-CojUN+e>$!u^a6bEBW}ejn{KM8Q*3X8s(m$uW^}lV}?jB1x%UC?G>rz z^zM_}veo-^Mh8Z^>k{!(Vg}+`4@^Lpn4Mt%ZUU>08M<~{#J*kAM0UM}$0uu<8fV?o z>#Mf!g$($pbsdA*1y6j75 z#FSz;99sydcXvC$^DUq5nuXdNf(%bTHr@Ngo_}cB_7Ic3I@bT{?WZYcgQM1CH-d6g z88Y7%U7ac`x`-0`a*#C7O_@waA8cYLp@RzV$RNjc&U?&X$6s<7nx82c>5GNJMT$HMSs*CG!6;Z+Zo6^a?^zRbf`EcV9Zoa&-^@m?5- zBN}PT0rSpR_Rp%Q9}+)^&CX&IG|E7(U{M!uDc!;x2e-9H#=KHn?CfRYC>e^hzD~@Z zDGudfqdS&7LBg9b4)U#0D=Lw4hvA-G z4%soLeXsJuY!+j(h=ZndvS&n>;Stvb{q>0H*R<|5b}ck?9sAl}tX&(Dqxjt9G=Yt7 z=GEGfxqfwhAYqe32d0(pJ%PzdzXU;a~kD=JCN!`z%XhpYc*1Aw_ zMl@v-YR5w5>6mRP)QO!W0;OxHT@VHNfd6ut~z{6EIt0xHUF{U4VQ2c;3DQw60#X%K0Y z5K$TwknU~}K~hSjVJIo-?vRx38oEmuLO}YzUp@Ey&bjy8`~R-RI%{;zVVw7U_ukL* zd@2P0eN1z;QMcL$DO+OWpwkT&dg0Lp6{PARVaPE+CuJAzz_*uiZP6SntSzaW=Dcps z@VhoG%KV~w1LT#+XRvp9;UqhLxC^vOV1|~T3AaBw=5I=<>gl2_>pHmiiY=ucGbsUE z!Qm$@^C+j_LAFA7q*nfo+=@F!^l$g?jkSje2Ki@;6M;bok2+E8sa6kUzIM}^2C26L zqtmZ9SRs+hg*;wtKmL%*Iw*eF8MhZ%w(6eTN`k`hYO2=VqYnU6g7Si zfh_KTTDfB3@C`xO6?D9sVg{~Fe*_FxhLw_4=X*2{piUA{8oFHX0_yi049KsL0U>5; zchwYCGn&m}XF}`J(__4t7(L=p<)#OQxZ5Vq^l#|spv;|)rxe!Mw876NAYa`$g<6EQ zxj8*<%L5E@ymw?plm&~D*p{=9Lltm$%z1&aC-$v*=p&y)Y(+WOci;&q+cXS%=;$WD zib#fq13>%^-*`%VjJX(s7qEH=c&ZZ{I}nXIrahr>5@zHSNf<|JO(=$C+Esn(MyV6h z=n1jiQ-fIJYDY+ut${XDrB1LmyaH(de*!XIOcNv55x4fFzDKJ!=9c`oHOME%`I}M$ z=1`v<8WgIf2SzBy4?S&nRim;mVc!1ZQ*5bxG{xmdYD-hyj_y#e4icaAK-G%7LEtU& zg;bHca(39T=@q^If_q{CX`k^5^{Vq7n`U6n7ly72U){SBC#h!JGllk(rjcvz?N=ho z?C3JMso;JApa9>rftxP47(I%4bPB?}@_aw9ltT{%E+Wqxho7-bLrIoHqWT(aQ*}i- zZ@OaujpSKlooU-n7&T}rtC2gOwe=UP_g~*CHwVMAY>R!fH_dt!tRz$y!}AH(@Tr}o zZer(u3g65#z9&pm;9>I{b8pvB|>!QQMg)GHX0gG(4W+b#va8KZVx8{ zQ_=Jk_N8feupQ5W76_U;1Ok5OZEVKeD6p$aMETAUK(1#B z?lHRTS>C1w!l&wEwZQJ-wgX7iaEjX`rH!(A-j)jX3l!F2bDt*|Yf$j5HHe|R{k694 zpm@|4+Y@eI8x;x!vcpl&JrG2d4@|)hzq48oxu6-pMO)P^M4!s))6&7Z*#zk6;Xm%d zz4>KNpJ} z(m-)7%)%8GRONG516HW_4OFmE^X=;`rY~lnyvU7bdWRfllIVU(YA4*OI_+}8Dlp-AnfD=I 
zm~P=9P>TEAxvG-=M0WRY1=|K;7Lrco5$?atW60c1mIB82E|aP9@iNWL;^e%^&9();fm?z|gA zN29-+P_s8*vq!2oc$bp`N2bBeaIJQ(8~fsMD}6kYx*;gWe$)SA9U_G<#~9?aLpn#N@lKxCtgVg^~>1zx2` zkb8q1rRjf2-PTgjS0;FL;qG+8?)MhNeCGY=;et9@yk{eTCfI+;q^6mz>-MGyXul z?PA`Fec*?B;{S)D{*RZ*km%9z>dXEAlW>s63kTYf*hRVi__V+8Xn*^cK|sG(KDe;c zL@#=j{<`t~$J>6B_Q0>?hdiO0VLgA_C;$7~t0C#&zh=w-{cZpH`fI;}p6MT;{o6+T zU;a-(Vmhy;Q~Gsf`iZ^R>VMKfP1{c}Lq|M`Iy_&v)!>hLH-@GS@Bpig<^F#!H@hx= zznE)Fb&_^4y318B&{ncTA|ev7r)+vaYVzA2W7UOFkSpZG^CbxkC<;b(C}%FfGHr#@ zihlw$f*P{kgq);zJui)FmgIX)V zp1aEp5$b1_D$sptpXFR&MHB{L2anc4SkK4+7{X-)Oqnv&ftcL|Fc-^DOumNX19lsO zB{OFDH47K^hwj;qa=`fH>dK8s&v*M>Sp3M zpVzQe+sy%c06pL$#bQqBP*!K}IG#Y~giHbs&Ol+P@M3a$v;5(6Px87fb^GFh)8RGe zYC5f0F^#QJDAEs#s8G2{zpNIdXE?f;&*+xcfLXIJ)y&j4Z?9l75!m&z_`J;hTpf-ViS2as)BeUq1gaEmv11ACrQOP+FEu1r zi59lN=}ZPB29kTDCQL%7P;gufNXpx|V`_2s(S#I|q0T(F>K(cfP=7NP{$4*v#bd5B@^R)d3%-5qNQN=K!AT=+;13*8e z1RA_qc2ywpO42DmIKVEab+5ztQNL-q!nfi$yi*9F7(ai!*!*VMG=nhs@xygcX|r>O zRmC#TvN=9}_3x%?h`S(jq5M~Z!JxM1Tx zrcGrH#KQ{#rVpQdOTmcNSblKB_4mZR#1>+{C4ukU@DgFdlz;@_UC3`Rg!b$g81m$s zmgooif51X&n;%GFe4=+)QwomA%J20&8vCSY}lE+*n3a4MLfRxQfAEP=39l&-n{!AKL0GP-^K0 z+==oBof5Nzc2-n*JsFeKQU^9~x)6K~M%kG$Z({V}_%T*y9>jrkoj`j_4e>D- zB;YjOEm)t-@aCqtl!GB3ue zmrAOR)p%~@>9yM2jNU9u|C~PUBd~>L-V1=iqz#JN&Xnb<6){|)2hfom2M_P@AxZD) zKJuzA*(#sRD5rZRX2E0B6)348alBWGbFlGzcRZw&Hh3z@O(=1~_rdduz%l8c$SIGJ zFGHI)b>GgI-9{L`8o!K*QW)E({NzuXZjQ2#qy^Tfhp@C0{7_0)XA|^Agq*HIU`5q=CC?&Of@J@xF2s~qWuP$u9UC_~Pfx6So^ zUS_ha2!%uKA z?0yYZnYZWH+c*!w}X;ND_+ zXJZ;tcRQZ`-L>KcE$F?87%f2Ry9r_PP!i5<{wf%?jNd-6;CgZTmfsb|1{a8cRC0|1 z90@WA=GM!KI?;*dlNOrmEm&$5) zFiY){4XlM$Cr5djC=-qCWQVzYN{4x$Oy7GUL-q$yFrKcct$HX`#OrJOO2V-Mlj~(c z@qG_nxR3rQ1jqBks{iQ(u)rF&7VPC+{M`S;|Kf8xT3+~xk|59W1*i`Ots!DGWPxQ3 zxGM}rK`3~~q`mFzVefDZ5!fxFa3T0hr(w<(rj7feY|DBZC>!4)AuNA~sZcaSf|aPQ z?0E{#>nchSqvU!>(J%8Rx&9-Ay>Ey$#%DWUYjgjHg7j0-kZpQm=*el#>^W=Vy9Y2% zhze0HpQ_lesI~pU(#Kxos36Tgw>xd1{ATz&S2+P5ur%5L9vDmVXCg4F`HDQIWht$T`!*W(_cA+Xx6H-jsvadyLp#FW!EWw%;PIDj 
zo+)qp2){PaoDN=b^(-vzR@@RVMm#6vJ0N6s%vxZur<|Xgh<2Ku9ls&!dk$>^*mR zT-k`l%cp&oTt0G$O~^q#+kIZW3*R$K7Ahti(4Z*>++eEP4k)}88|3=PHl7XejA zZ|`uA$3AE_qgKE;jYM2Ri#ag7r#2|?cr1rr>o}KVnE;J{ZU+#O>Q!?~v8_Kjpj%Lu zxg3;D9KKt7Avk$<*yn8!Z|pd^e_>JnLBgOGjgig!ld(cfb>QBf=W`a*AJfOt4QF@C z*3Y)zkfDX71$Q4|?6Vk>@Do#qROjKkuMvnG-$Jn%U1 zZP0wmd&b97yp*RSxdOfIb?Ir5AwSKA`wU`M7x#Fa2fc2feb{`{+YUy4Rq6CGhJ;07 zA#U5(FbMg*AZ2s1_Jil1gI<@XTphO~S^(KhW9kz|pj9ZJV-;G|{&IEu0hiU)f`{m` z7}TGF`TbOG%rM)P8!X1Q+4`C;sppXPVfWF9Y8;~E zP(=y-A$Y__^$rU@&zE|Z5PvF4-hT8sLOxDDs9*k?=Kz_`^ys+s zE+_83ajVVUuuy(NFTx((u=cRZFi~fz+4a5x5eH~C?(PPEW%0KPR@bo4PLOh)3^UkP zFsz^r9?o-1^yevk=%lJQr64}1o7ii-&qH|xnVP!fb2`r41KR~PmPjWu5FAT|-F+6v z(_==I%quFIte5h0{3J^vr>exIq)t9>gLk!4SQgY+$G~DF>iT;6>E2T(Wk$3%*N?L= zV5?=h+KJ-BV$z+WG)MzF<(t3P;_@7Yzt5S$SEE&e9CE^#S?G4=-uKkpnPsRPh~mu3G17Fc_bBIL4?|(C<-!YcS{+_g?JgLYH9aQT zHV+9C(=vRvz)~?a$mztM$>hP~5+dnIxKb;CFep9J<~d2g0nVJ~I9|97NOp0d(FqmH zD}$f}jm5xS+SCstNxiK^MEi_;pS9C@3F%`0IVb7ig<(n$sK{0HHnKD2TXo-}i!wDN z@^@{Fj2TSc@c6l!zwj?FfW;***QyUar8Qg5o;(_DnymH54PIYwLgtj}7na}5Z8)^7 zs|Fky!ZG}xDC~X2SoD67_R?C5;4>4^=?{Y9e%R4IKtLH(T8g zqSnPlZtIH+QhGAeW6ZxqBvfd;`5E*|)*Ex(v@Q5m_$VB;-|z=u#)&}l z*$lAL=ID|-GcEUekMonVPY;u7)K-ow&wA_)I0P)4$;%nZnoNMM%^bf(rrp+;{XGx! 
zQMr(V%AK2xiS2e%^s3D<{cxx9PuM!uMuM(b&*v_bxyo%Dasq0cCdO)_NA^Bb4G>#x zGaE#N@W)?Mcp;E41iZGkKZ&0`?so_DJEbUpcOY4o3X18G+%`Ps(|6^{m3dVfGFqgo z9bBGnw?HTUso-kgP%*93*FgE%UQUe3ohidKbJ3P}&MN99<}iKZl?yuw@=A8{tMeoCt9{ZI?fZw4_2hZpWqYEU`pH-6a1J8MgB*FhJ$~K{ z_Og@^Ye{B}glg45XO1vmM}6xjxPs-`nS2Y<9PVjd{vDc119($GNFRd@O^&46Za$cE z0(Man%DdX2l9(Q0Rh=#8%S^Nzo_MMFcwOewRq{5lcZ}YfJI_|9(QrKkUN6sb80#fI z>bcMs6JbL@w&drd_qV&cdf@cbD#)5Nb4gdEeOli=)Z!OOX-^`A6 zs1QOT4Z31Dc0JMhs4jzuE-k;EPM%mSO?Mz|G32<6LTB?z_!ONW>vA`7QrDJ37&9f>&n(Gp2UDI!G?%TI;U(bpt-tmX zqLlX!U+&$Z=q;I=c!d-2gsL?x9N-E*I4@gT46vJwi+x`D4xk%vra};0Mgbi&s?*+Jsmg8&}*WPcl6E>z6iJGt%8)cN6u+ z;f#SROYup!GVU}gQPCF0Il5FOnnc+jlkuy!2OcjwWNWtBXmmbQ&Oz!QLg0?ln`=$2 zHlBqPv1n}W<&l%0be&CDqBqIcd3lyMo|u+nr!eW^PL&W**jwt{%^|mDH}ln>*6By|B&(o*SDS08 zW+<7QO79Ie$rgLw0Rws?c6V{952r6IxT-8$9Yv)!u=H~raAq#6g1eRt$(2{)j(GMH zuko$$M~AXh+%sc%@xU9+pQbsPb|zw&TySAhi5QV$;875n**vGEa+Vj_rF~{`NYSb{ zslII#KQQAu-EAAlum>r*FkERf=;ro9y7A=^)%AOp$!9Y?2XzCEiW;j~Wd&sMy>6pB zFC?e#?4c-P8a3=_8iq-Fl$%86#cmyJn3ilw9Fv-tPqR?>l?}T>8*jJYYKURP*C#!y zX-Ihl%?9RC7^5OH*E8=eE5p~Q_L)w|> z`~g=e73`V_PH+^%4-UyFDJ2x+^~>!umgSYvKc^nCucpvfG5_Fp-7dMWleT+Z%8j1F znBG^qS=xsNL9EA|P%kL&sPoGv24(3-r< zj7`|p&VeiJ-B;!j<}ptU|4%~wGPCghVF1aDndmQ7<+OWMD_g{yI1ly91kz|Q8xkWi z^#WjjN6Z!Q!uI~q`Seb^{V*Q7rp;V5CukDMT+eal@)kqWn2tm?UDS!W=C z>{_L5(537)x0uklj@uui3UBmb)FY|}=9bk2z4GUF>;{uKM zY_+G9Evp9jRavNOZFed3JG~YfS?F?JloVUZk<|tV5Ga;{Y9UmIRL8rR{XJ?QN-o|} zHG==SVRf}x*4ov(2RG^sZ~3KyP?KgTS^YSKmGDBgm6! 
zZ*WDcQG{XT<~Ek;53OO+)h|&}Qffm~&@lC0+*NaQbGZTAx||vPR@3#hhYu#Vm0dG} zkVxH$Jsa1qZ?^4kBfbwL?dKd#uhm3wCq7Pc`-v?*O$G4EPGJS>=JTayfv8Kzy{Ro9 z#eZWaZ-6jm?ZhBp_31^1jz=8J5Np-v)1YV3WRS;b^F}c~B<}l5#omIL`r3jSe)y!_ z3A<>$k$-AJs8#b;8RX_|FTEJsna~nUMwQ_&&G$3D56A)viV3E-8+xUi>zwDju01!@#<32(b$cIw_9dosa8_Jb>wywacC^#+ zr>;I1A;8wf)jP()DUp?rVqg)YSQ`bo8>+0jKUDwRC z&~?Hgz_>`xvbwBf7KF^S^m8KL@K`O+u z)Iw2y<8Gh)fKy12J>Zn+i|ftE0ItIpU$42sG4H4|?(V&YA+kL0k-cs-;!bmwC7Ji(6H^K^(-H&R z(KSM|!Sz8V%b;P+ws(_K+mDZ$6@X>!%paj4W6XMLyY@JGJRE z&T!gz&Ue%>N0+EyESvY#3hWnQ&An-4QOx-HD#r|~^G?$kFb@7W!?ld!xcnpkZ=-iM zLNIz~n{_YHLTv_n)QDY}VcLFb6p17mKPAG{4$l&#?^y%rBNJx;nA`GdgZh>Ccqt;H zaYWjG$7D6bJ0ScJ?HZ13qHJr(Oa8mXS2VU%`CqLywlG~~v*tJ56~F!B5cm*A*Yf00 zj*W8fCDVs}#jvZSUs&WA&zdI{%f#8IQ^MFw(<4y^)NaAFL>(}rG$ccZQh7!anQrcq zvB^Os2!MaA-28&8fKf{oSPsaLtzh~eCmOVnE+<7pTLGrT>z_V&T{Bm6OezqFSxoo6 zMnj7;FERZYK2Q1d^Lw+NVQQcI8)$Ug-7))d)tWe$vHJ$kP-)$v_`4-@&(3?9w|9MQ zmAUrjwFv_8L-m_1=$^5!y+4(gmRz|~pbtB+yI8;$^J8lt#FvfH;f2D&JA#t9{T#du z-*cz3(3^4E2hgH)etwNan13&I7Y)%LljN7@uhHl+T@Bnkt1&pWD4_yH(Lt&YzcQLL{DTj6Wd>Lsl85S~= z6hbj;G`&EUJ=BdBxGI!VP5R6SPcwH&pBNO#<9ihJ81xj4aL{CNXCIlrfB9ah4`+eo z;GL^KY-Z+&4=IK~6K&u$yw~s;f?a-uFhwWYx0ub4vaeJ_e&y))cgE7(WYgAdP8N9V zKRH~{05h(j8WUC?4TdgK`_H|f_BYmCK=YNrhRg$wkjcxA6y|7(?{;)Q%kOqbo_5oC zK`{#wHaa3iNN+$IDq;f1eAgi5>bKSJA*ZuzHFVJd4(}ens^u|e*lR4PZK(UbJZAs3 zJo1++aA>pfd5_JtOAWxjycnmp{cC3)b@fzXa+T_oCT{?Me>*^hJ|Re&Lb=AV2l!kS zqx&Yn7X55@*f2wOfwIk#<{}9J4Ys4sSXb)zJZ~#9I`P;PWLIEWv^gQ!S#F?xGnIJw z1oNE!Pb3szr^4a@48@%`V|xkImRBw-SDooMBLh4)Fd4@1#lF#@(Dk!fT%s13%ct#ZxG^uF|X0M5B8W0zh64<2gk;U!@{m#Hwc_%^sJNQvwdb|)u^~-iXIO4ba5+5#~w;nJX;XB0Pn18?# z=J&^g;r9ees+u-U4&Hk*E-d;}(Gi9}DNVAsEez^_RkbvEJj5a7k3bb_$Nv11SnW+X zv0Kk@5}+6gU>3k$!hG#c26t6V`_WQa?60E)tp@jQy4bc7)Kl-SgZ@^gi80Y**m&ES zZ^^Pt;>=QKG0>6C9;*m@zy%B%Lm|KobHGZ37qT!>qWsJ{ko|3cEJ~3I-9BX11#jXf zt0Q~FwReK3myqjZtx~o(ELY;|^>9j^qz4e@;WFyf3xNf^KnkM~ILNrEepFDhshVcK z4y@uL^RdhAs+GoocSJnR2SNRfCu!K}dOv|bg{=4W%63^yMGBHue*Gyx_fhiWT-MX5 zLaR~M`ttJPuS-EadkAaIC`VpJuSsamxfLyz`>ktZNn2wvg=96t+HBFoN_b|-=}gJd 
zNg131%WeTHk87j^DuG9Ox=STwdrE&G=)ea%6SxqLEv8*q6;$`cLax3Hq#yuP~GouXB0 z!0T{`EYs!NvvExDwzVHS2Pm6<7}<~&-XOJg5mz2PGSy&1x{T8i!_>D#CGuNKrO z5YpVV6!LoGgm&LIJx`ff(D)(d4-8Z%g9b3QlzFp-y{j{B7=!2t}B6t!|>BO>&+0^zl^h`7HDgzQhBmx6UR+>2Z1nCYV3CQDI|PrA=r=$P)k$u{p019M+R^oC4o_S$uXF z8vrkuj<~U+RDcc+59KOHyg#G3RpSjM)A%b&8tm>@;S=3;awM*)op`#M95v<+?#`Bm zbwMYbV&L@r%T)tY76nMi9kK1J9}ZX+?C%J(xTBY09v#|n^b-n{l{*Y}{O=yT<4)m@ zeeM;u(LY%^8;m?;| z+M>xbA`)UDM<2)KNUso)-rEx3jqb7OnzGWwlJKo;{pHvP~ClDaQE@=4};L|8IpBsOaxAAeyCweT$B5G~p*lSU%Hg0x zkWHZq!ZQg^7xaT+!7Q4U{Q(03!C#veT7%5HV>sqtGBHzwgk)AE&~kJ;Oq%mlxUUbU za|7R0qCu1QziwRPhL{L#yGl~^Xl$U!d)j9&Uc3PZLMV%R={FMd*iIPBi%fY+)0x_; z<)x+1Pcjbv$BkeL5UF!HFar_}dnvIgDglSwbAV3!?wo;DKMtrNI*V<=C0B0{S3Uq_ z03SegRFX`h(Vlcu(EovUQah$*NV(ac;{Egl`1Po2Yr{wKwI&1BK*FHoCKSqKI#I0u z<$J02uRD+&h!+OX&1~sJU)YPgsQwcpIVu(9=9B6*4qMMJiW2QU_q`D=9RTt=eE_MI z*l!_5EC8z`{-LRIhE|upYlFwRW>&gQhua;46974kgKJ|5B?&BKfn-I8M=uDNE;K3u zBa`3}XX>PKCemkYW2&me91x-%z!D-eMVVkRcXC41EJWO9|4Bkm?0NW zEC>JLI*c!g!zROFoDSWpTw>@!RDV$-{~Y~3F^VXTIiP41U2lbTfuj7LIRdae$9o1! 
z0OM12w%$F@cqqeyT9lB32X{UMG7&3v{&di$oTsh^qAol6CnMq1RC{?E73Jz>CU-)D zlc%#3=@}4rl`(F}#XTqr=0-5qnv`jH022C#Lr4~j08AS*Y_bPdSU|c>z+eSn+E(Qf z1Gx&1yt2{GxKI+q;M_sv+vIaVW`b1lD(ig`4F9=qpFM=lIiCZT>cq!8Prn1IM{%}N zW;J0mhdvksR{#n87|B$qIcSA?WA(w+=E9hw_ZX_M18qa))_^B(c^HqaEff|U(8Js6 zbDBv&Ui$kp3f1w#lK;FoUTbTevg!1iiuX@}@$?ozY0H5{Kzlw&;1oC7lTYNI03)o| z-8HtrUwr~ZpT&(w-7hHC47E}t0=%PLwL^xRe2~fNB#j3!7w9~r`btQTq#Xv@B41o;i|z^W_(|Y&{vDW4I37q> zL!5kk&aM(nB;?^s?x{mBcmbGLa8(IL8w3*tUQ+;fA>hvNhgyb^>UW1&Z*W+@eQ;w; z%Q4Z^6wn6)cf|(C&7)E16OwRKJ8V?>% zAoYD6u$;HhN^tR~QkngSBPf{}v%g(pmbf9QE=`PgiWmR8$JwrwqqGNdZxW7l(mAav zj)?TTNNEcuuerEYTXl}q9aMgw<=@e(w)y+ud`=jaoER5e4mPvfv^#(XR=G1%>qIyF z%N(QGkD()fI0vsB?+oUZ*p2rEv{%8k$#T_zgEmXdqQ2DG7sR8x5BQ+#qEz^!q>Ia^ zfDdg4Bvz#B9YF&bPHrWyH0eF}$k|`Nz0oCSlmQOd&Xu0{Xzm*;H$|t!KI^~P1S|@3 zkWlZqJPm@4rt1B7V0tq*h^+BaZak)ZOomUDwvC6ZZS9!MJV^5Q@sINvtY1qFn%bzg z-#qD&d8Ff8`C%t;?n7bk6?Ba2P6B`fkvJFdwnqfr$LW#DSfI|y zcR4-z(QY&mXU;UQpL1^cRqNrQFE0r4vaP&LWuaMvx;A+?!%rOZ+jTuL9L+$>?c~@C zlyX6@%wcIdVsp0}s%%%QAETem>AgaCZJB)WX!ObR(D}s^eFVnLPuS7C>3eP|fdg~D z@-CWd!lasCLlqBcMN!Sest?=vIG%Z#2BA=Z1J`zp;`FCpm}8Q#djfCwfh6UiGM;xc z#*Gju5;w%tW?yVAXZ+MET>J0i90^nTl?&Gy9O$2{E-w>JDi5-KA__kS8>r)I^J_u` znztkl(0@j=9NorX{SGknZS{F|aV&;Gai^W@XC!l9>(ZU~SMq1@=P+3=KxI;icVV_z z?FrKV2+ccjxxZylJ#nc=DEvbO^$~xL$9*^mks1HM_#=b|UgT^NO1ojQ^eaTk_GjSE z15d^q>6+Hz7uTp!o>L*1_6EqH3Nj1if&vo_^%1@R5k3MEemf)G7k5O-nnI3fnA@B0 z_K+2QcvPFGM4Bq#d&^-Q?;8FbUOPKFXDt;zvf6Ha0iC@zXP2Pubew$Oj-H)sEc9sV z$K;^<9$jeTvecK4qc>dE55<0BlT+0>+0wZ=KPC?+`ikR~Fz^L7286QHU7Wf|;3lEl z{a9Sx(t7XE_?)4M{2e_i+;FoZ{p5DH!?+mHE`eggab%VNx=3fhvo#4BahDYh!2N1? 
zt{<-&x@tc@9(^M5I^;Scc0(vZ!HLw1Vt@?!nvKx{DEoQ|DMB5a5Q}_4{e7?ncJd^+ z7s33&0JSD;vElNfhOo7{DHFGch*iO<>h=N2%q-hbIeuL1>HR70;}DXqx+UP2Bcmd} za$U-<-2rIj$1sppt5gEOm4X1i3oFNZz4PcnsN%-$3^xcSw zh$4To``c=F-zD^suC1+mdjg!P1qz0>PL<|3UL z^@(lUB*A?tnY6GT@OmZBe6l?MyMGf5LGAt{oOXlL5Fg%4lFFgWs#9DC?FlSBhP=0L z9?y9Ne>@NKSo|N8Q0)x4C)ahLesEqU3wfbKilUUCJ{AC!; z&}G=lF^6c5?9%qip zg3JrpX3tyzsKdVHt&r{OmMch|pKgAz$7-R$s=HO9*6y+7Csk1as)wofONYALo5uq| za|%AFf_v_ESIcROqsy#ojq0&TzLuN=3bmDJjU|(IcLtUwvIApA7A9JL>V;MM^24Fz zu$OF~JpSq%pY`4O>0c1Qqq^yXMS3_FXg4Dw-`CE`e$!bQNv8l3tuH>+l5>ZW$F+vs>-ZNj zVr01HAhBT_U#p`%=%@AmVLM}w;e*>%x8CD#vkSJ9%Hl15ph@b$`-!O(vJzSUmwDybrAyRkwKp;`L<^PTF)j1(r_-+M(m z9^AY@LXrnYVK>qRtQW*@_4*-m26x2UxNdO-?bIp)P;G4LJ~dpRT4=-(Ir3C`F3a!U zDV~i0IlU}TDv_rXJ~UUd0Ag4gO?yuIGd|mgT-U5sN#3v`vuKTGL4>e;cUui{pH2%8 zx*7U52t_GXt=u=;3!%!%ZJ__r6U)_(nX02m9{NMpmxrCI$OjeoMsC6@wOCwwc&?y- zpmsm=)-K+Iw3J=0Wwp_RZ<d-c zZ6faqt>y0Kpf%)wK4>gkU!C4-*Ta+MOq2CF!hLmF-)q$V$qR+3<4`KhkS2(SWU)#P zwqJO>k6G}vTyyjw>^q4%!#_+7;8((jJuZ$7FCVTmDE4rs13I(bhlaxWZ(m<&>hW{N z{?QXl(41o4S7sCD*TBc~f}yOG-w|g;T?g!Pqjo(k-m?qsI_0K znRw9~+I;-OU6F`3CCSM&z$vJNlsPP~!h_EH8>%OdGp8+pKF@M5*Ma)55K@O6ot4ZE1<| z#V7bN8J0H8Z}BdrBJR%Aq4%?<(-yV68|b#te!-i4Y)|I&=WL)pjBkl z`6D_BpROJkghlBzff^0}>-UGZ4vmhSqwIx#x*gp6huiVzG=V7iE&5iVGX4EfSS|)S zo>8+-*H9wodeb|L2P~;OfGneFv;+X3jvl3++JR<2T%Hz-+B?8O2|?7PCbb{nu^I!+ zBz(J&fc|Kud)HP8lA`x=5#ckDZ;lltak$(BM(}7KDEJ27tB8Jjq7O@esU_UdPJ!uu zP?qC9;-*c2)pZMY>v%Q+oU}?P&-*_yx1b{<0kGZm;sPHj8kv`rO7-!NVHl>Fa*vu)3r-ZV~1Ol zW7b<>RFS=RC_v~Ecbsm_1kw`12!$HGEfzbNSI8?6D2pfGlWQL3_N>V!XnM zOTKJ2@+I!R&sq1rxmgCwYTQ$}Ks$gFJv;#dM~>PBG4aI+axPv%-LKy|#!pi2#6h*-_r zLnyaEaa#%mK2r=#2MkRdIz8DzK#lSZ`+lQd%-+Jh2C*csiFiM_SY2g=EiW7UB`$X@O`97jr2R-2I^|NeT3_K_h_z)zb)v&LB_jcr7uqtnRfs(*=&^Lu# zk`VTxrf+)3qsq?c?`8RgnetV=@zOdBEOx=Fn zZ$Zw%tkzMV?%4>8hPVMp`z6 zjP;5^?9o@T%fm%~Ok9(T3BbHhKaVd`1L_~X;6W-`12bq&L`a2eSL=y6%gj-8{bi}V z#6R>GfBcePQ`O?zG>-+IzJ9{`>tTI%hz`q^b247ZzFR6lI{~GA-Eye@9-2Y%59QF` 
zr?U5NpuDFjV1Afx6GaYQvGJ64s{Yr{{vrt8@=Cc?;{AK&2j*XhN1}mwV5;{INO~VwNcO0S3g5I?by1&}E)QGoB+bd2S-!`e(gzQR zYOptMMO-`l#l~5r*RKOmr1dV%;~L$u&?of0zzd>}BJ;zu%$EJm%I-&Xx!d%8 z8uEFF<>$RqA~*ZYt4k(uzRr3om-6=QQB&#!$#3hFu~O?+v5XzY|M-0#JZl9dOujDB zmm&QBjS6_}-7Q=y3NQZ=IiT#?Zy!~ov$-ccb^VwgJ|k;9>QV zCT*hf9~aI8HSTrl-dIZS-*4YvpNZeEmC3v$&=k1idB!$EoJ=D9C*}$BMqTuB1UA%| zuvRv-?RvB4<ARY&PD}KPWa1V zxfvjxH%Fzw0yJo44qJ%yGd+QI>7))Y57Q&(wMvF8d&&VbOJgiwYYR-NOVvsY^buv6 z7(lPCm?6goaeu2);uAGbl{7YKb2SZN6$ zH2<+S!0qsToKvXx%eN1v#x4H%OcW>3m~!<5?EATedAFG|wYnU&c$8(KqRZK zqamTHsF=SGRMkz^C*bI1LM4u*y@84)xfpj2h6N?#OxlAVHD~qOK3JQtgUW!(AuN{5 zu=)Uud@YL(+?;`V*A#dD*cV;vg6zoS5BJy4?~d#nz8o6?4frbjh^dC6BR>eZr48VK zWG2WkcNH$fR3n=+wCjsQX_6@5SPl-OnL5KZp`*&NH&bWI64hUd1=OdKSQQ&JNc}4E^8A}uzLXi8j$Dj=jrvgC@cfg?d(Z`f z@r<;B2o+-e*eC})HGFu;?n(LvzIN);_?a zCxG6}00fFg=Yg4~@jl~baGrWuG1)_tPxj@@A7AO;H|4wnoPG-kRr9Mi?x$@-`Gapd zI_)UiP5P6)rU8*WH+7>2bE_)i-fuPN&=MB zS`=J5B~_V}YvG%$HISspw0Rt1KFwo1*aA65nmIDrpRCyeeIKB+q?5m~2R^~7J#i18 zx?|~wC0s!p`{`~CuoyBV#?;ZjP|?C_LdNSJxJ#iPhz;Srv-@I2KbBX`JJRTLx5fHe zSjB?VTqc^dr*kDk32&Zra6h~Q-5jq#8L&OH=H7~Yg8t=!mz_>qMB>lE^rsPd4x9C7 zdrxb?lmzmKEdn=#d)Ee$t;CR4f&_O5qCoaJZ{>FvE<^r%ot!GA*pb<}9piGboUPoG zW?Yj1k%%y7jkc$-ZG4O3%dS4a{OD1`AXdgVUoAD48LnUyIAYzbKl$DW}2L)M_7I&5KQ-&VZx*Tj& z`77iMITviNcAlr!2Afs_=qq40ciCNVnGLE2^ktHb5HGs2XB%xyMp(Pdx`YZ6`0ZIT z9VnSj_Hnz6%jB!56|VgTuNfbq66F|vIqOy80|TuWil{!YHo_CoeW<4By$0&WGQAMK zHfPfY@T6j*`cHlK1k66IaY>(NwJf_>fe0T=LQNy%K}Z22Pa(C``DVZ>-Y$%$mfjbi zz#TXgltbpx(A1vRT-nECdn6}%Uw3P~C~dP8iqsq0ZkD8GwFEGW0}#0g?1qGOWF|Vq z0iCX8>tSeAWH11;iy>f#GWs0v#*SGK+4_#M#4tUj4m;#>tK0FUGfZ}^JDo7LKh7sq zzrP7U)0!7fKNnJtz>-7&=E`!^@pi>6Ch?s+@|2BRU=ykU^5t2|h<&e=3SepdmC~=5 zF%{KHP|*F@8+Wyn|AK^3L{&cub9ycK8%k~scu3Cgt1#rc0u9PEf73jOt9_qe*BFU+ z;-BTyh!bzwWtEx>RF)BXkK-!sNqR%s&taA9p9Rl2*l(MeiG5EOdd}c|4Y$0uw$_T^ zR8jkT}J&8#J-XSB#76>EK0uun!KpO%VkFW2p&QCunm3;xrF9Co?aZJn> z*J9jP4JO3s`JtI`w$esa;fhb;Eb!)>au!#E(3udPtq)d5r9lvl%GlqXPU$E6x>GdR zayE+smzq0mtRKyiEGqua}kvav)q-QR?LVtU{U=B^fvdSLfA@~Hll38LpFbaJ(@MD 
zceR}>TpIf`Xf8G>9udq~HDd<=Vc9DD>34F!JNDkuJoaMsg4doBUXU9Ahl)s|n>TNF zdie*pbEC)+ga0eelyH1jkdj{ikibe!jTU?kifIrCuG*~@y?sX z(WWD2c#X##1~RwQJ?0MAOfX+VA+IBd{H=C}td3e(r*e2De@@fM3&_5~Q+o{#D%Tpl zA<3$S9gh{3UV*%VX5K#9B+H*%L+3|;Xiy5ZZbD+OTWsMcIJo8M*uX`ca@)PBA<4=@ zHNjzx!1rQT!^b#0b*0(m)UjdBq2BN`By62;4vCB%l;{%GSgd$jDHra0^eCUpWASrw z%nU9>Q#GDfg9w=w@_TJ?#l$%I757o(IVDZMWi5ZRmkzVSF3T~h4xn( z>6rs3$9W#?BbyK9(Ho99AlI)qdXvr!%;Wpe`f`^`D@5_gyEN7f?{x0S^<&s^NS?iyGZK|*sa|bPsy7T`d?5xA0Y}d7~ zh%!oxlr*R)N+aE=B4yDfNJulpzz`AwN~v@W0t!m!(4A64cMUZl&CvPX^SbuC*WTY= zYyC6FGY1~y#QofHUFZ2bL4so%d1idrS{b^rBQ4uWwns#Trpq({BPcbtOe2@S8K9+b zVALK?aD_qB$?N);h@LMr47>g=@)O_slXm76XkLpFjd16FmO4ZaDvvyo7ZOGDJInW5 z%3^*2vC5k0Dmf#WeH-Z(Uj*;;J%-WFORWXMOrqOM@~V{A8F)7U65gIgo4aC(HA}ZN zw^t@8$Q4XX?D&#RI%P8~fuG87Jvk6m}}dRSlHhpc|{w$y2n9Ld1Dh-f!-V&RzU9B1O)28MH8Nv zh-Ng_~sGdo$Xtz_&ExzD_Ps=)_r7~l5c=!yzoM!q0 zXujTH)T{IKBe7pM0a0&$Vgy>u=>ePx$IlB_9wf#XD&CsWnI9=8FYCX^L>1yOCY(Hh z9i=7@6P>9tQp3Q6tp(R;>(RL8o{gUj5s@I;pz-UK5G#E0clHxOx)Zu&2V~nYDpq>f zTr3f@FWtWE*j<}1GB?hqlyszsrS+l*h`k~Dn`p0&tu*Jkj?c>!b}N`pKsARy;nntDckoR-T8WvjLRc^k!f5pw7X&zB8O*2JU zHofIlk4^HC#;Jsc<;IaVNk%uig(~PVUQPTF;+EK|ydzgy1Qw#_5W0e}3OFwCwoP~6 zv!9kTGOdA2y_*9NZs+|=2)m#Wnq4LQ>&a>pF0t92Rp!r<#f8u)&w%M`0KA~Y>Xz>6 zC*NSi(ha?vh*%KbH^i5nk|B$8Go00rKE98ha6>i2P^mfgc3T^=Pc0*C#GK+TpO+Cp zlb&JFmJT#zjg^dk@MpBGA;)247?C=M*>u8~We{L$U+W1&^4x8t>(5tjaUv%w6d_3F zPOb`fs7+5gs;4hDL|6d|M(DA=q8OXw#r{UJxJw<22rAE^+jJHU)xOiJdhAuf$NPoW zWBe#qFMfN}j9crmnc#-xdeiHZV5l0$3dTO<^}P>Z15U}RF1*|--7|G-g}#dXf*)xq-_^+I^Y^|idDKZiGtD?rIcna23y8u?83~(y1aKwEL;3%@TevXzR)MT=na{*jPTZ7AzgA zp4drd|5#Zm7$av+hY61L-SqiPQm_Zm5s$v5Q4H!@()5i6XwHJ?OY#r5=O>oczwyU( z8#fvJjv;w0TI!*HJf|eZKX`HWAwvxyG{#w7T2;$nXZYY`G5a}i2JBr}qW#0;GU=V} zuo?7gtFcqHe(eW50wz~q`ojWGAbe9H`tsGrf1F^7mWV!ugv_czmWuI#)5qu3Q^JA5 z&P)BrYWQ5Dt4s1k$qCcl?5V?mud)7$#Tp1=HdM8U3CH5bICmE?T>+MvChx=P3>0t4 zL*(v4g1gZR_D4&6428d{qL=H^0lb39g!wT?TIT>eW3mC!qbR{icli^Lu=h>t`Z^_S zt4AY5DOYHW6_3m2a+-uaH*1m|H_>aBCcfG9WV4G~5MI9AuPUu2`<-?}*>PAcdGUQ` 
z`hA_P1=W4peVu(b>yp7&S2w(d(4L{{Le9Tm>_3=^d*{kJQ6*gO33B@CFH99yOWm&Q z_Ao%JrPoX6Z|>_O-L~!~awWXMcg$5G+ITCv^V7U4y}I`*N>Hlw;l7){nrN<@nZucQ z7VXSCExClcvQoA?xRmkrvAx6Ip|Y^XeW#7f4AuM1ZyrzDhdP{NZGK_Gr8Tc(X9W-= zkTICJBln`HqP0@cjQ;zTC;`2!3FWzH5&by6YNdR;M2zJ`A@lFeY}~4o7|46rkEEFo zP>=2|L#4YbzUk*mZ4H9gx&hzDWRb5AO{Y?bhD&#nV7mnSB$mDV4E^b#*iGt_p9$~5 zQ<%G&W|Ba%m()XPGl`_IM z=@@n49K$f^`GP)|^@LwpbUF8t`4!Zgsh_DEvP6lqN$mP!B&BlR^jBIO!{wMUaqoFy zq5EY1I_KGY%ZH*7{~ss&_`&3#Zh?{!y@dfLBhLCCm{DCM^Z_ccls=snd<)?eOw%jQWwm-L~9A z+eu;fMVCD@cnmn51P{U_`;460^X-KFcM3U|&)K9|8fJ|G>8SM+1>LOCA9C-Kr2WG7~axvOh&&YN7teyIJjc(EB z78S1vCVCgX5#`!K$U#_i@EF2IX`Fqjm3L6CZ7t=cO^+!`pHkd;YM(R_)Hd*N_~z^- zgsJhI4iE+yq6V&=)ijIdGUP_s6M%EO9l~WM9M$2is6g+3YR?d}Q1WH1gprdD6Yh4U z__AnPnjc*%G~FET{n5Z2@p6YkgOWT-=C(iNJGM-q1=|ulD#^6I5-DXJbT{alv57QE z@9nC-}&8LP@Fh9OF4p$lPf=-I@vTgQ!hBKRGf@j$2oP zZ9%#BF8O;fM*7ViAeV<@2H9KX+Z2}?5Bw#D8U5r8dQzz?~Q)yd94GRm~-C z!T+VnvukmZxn1yx{zUSh#2 zIn^wIfU;f-w3|M$OVeqv~3ODCK6$U43`{T_JapGX_X=`nfz0N}iYgWhV*x*p1QfE-* z5g}duo)_*s6D__Q^m5utD$8rrxC80BVL6DLNS9aN0+J}bJAb+!j5+m@uK%@_CvBMSrF-T*+25 z4_R;J583<*6DfL1!2XwBgG^!b_xFeZ#~w>Hb3s;mmg{p`FCfNDRUVrhDrP}BiA+67gBp8G59B(<;lv6C8bN4f!prBjjxeR9~tX~oBZ^=#G- zD?C+df*q1g`O^gGAmlp;%E+(KqEvFjDcOl@mf?~Ah14tdo->{;6RB}TX3I^Y)4Ak$ zo~KIKdGT_gnM19cCX#C6AzLJ-qL;#yYGCzBE23j@?GEMaJX(N%nyXw>Ydfq;Gu+lYbQEC@6oB`)ZsW3`_Tt!Sz)hS!>WQG z%A(Uh=kh<%PjU~sUeQqqb?$`=J1=SM^VH$1zZ(8)mo4#3 zik{8-`$CLLC4@;R;h30}^^y}AY2zZnl{eR~7fnjJpB|e85O^1anNuz1QSRS9XoYr7 zKR>DX>%JP`#5`&W{lQ{=bZqFPtL>4|h2^T}zlaWZC7NOvF>jK|CFqWj0S08SUAC?{ z>nmxto+eHm*4z<^%%+c9ujOHP65AI|k2d~IGIdzyP3FUK)EUaiHts?*#l#zHaiR0x zRDp@oe#qCVUUNejQ*@D=QV^D&8CACYh)%G*qmrsWW%KErNGsM4``COmQBHtqD$Z>~ zzHO0#fj4^E$e(uqv&%?}6U|g%dB%765cyA^IhGNnjmlA^`MLG(o1I~=;34%}F|b4w@rsg>XB{;5eVApYID=6Rea#5=r> zmc)w5l}v6zbY6JD_)V|vTqL1J$mTc=A{i#x%R-F$L12-1(qLJ|-UUjN*I5!9$1T|> zT+4*&Dg_kv=QN%ijOHJzwr*BD?a&h{o-{S6ciN0bW}h9ram$I^Em?2Y&eg4YP_5v0 zv{IhEzI7(-!Kd{>>bK7dqsE7B?}j@jdK**9s2s@I?JR!e?aII+E)IGY#C1O56YK5g 
zHV4It(8x=zn=2mr`CN3t9eu;ZsFi$$+Q8CgZN;8D+5DfCAVuqqSBkjDW7#L*_Qzxk z4juHEgP(m()zqz=gu9O%iCNio2nSc zYJOr_r@E`HyUvD;Z)QXS?y8NOeY7b!S9A*md&4}r=K^KQox4I$5=z;++;Ze$y*SC|-D{r;-N&Xqg3rftT zCxx%N!Lyg2FEBv-58eofqqmo|+J=_Mezo*{H|G+^Z>#qs5aW)uuYn~WxUDxZXrcvv zMla8&HR5wqiKe7_$B7y~U+8f67sfXcZ@r@uAIW#G;o%g&F)y9QN7baVfPLTnOfx3@ zm!iF!M=EAcRnJ-nxX}!0m@d~4NAm73v>AGg z1K25{mjj7Y{JSgiXXvNaV~oE51mZRh4xIaZlr;A%mU!!pEOUGV#{+qmrwRlX@*NA| zbf+P@fxV|Eu6yBgaf|&*QgcXMnDNh81+2<`QaSNf!1pdwIxlhU8mG4BYOv=TN*ZiW z@L2Wo460KT3eUQC8>{bF!-C)N+uyF@9wsriZB+dB(c)lxbI&?P8J^=Gt~oR;YU2aH z^IY7&3+{O6{JmW2P@K<`Rfoq@E{02g!gJX55kF0cn^xmu1{9KK61Q20u9$O2Pn_tD zqIY`X`1@+|>QdC=`z%d~_Ffa%M}Zh5b#a4RKn!`~LGTpQEN%-$WXkhsBz5g!6=yf! z8abRNb~+k+wFoWJak#w-30w`=T@-Fri@LL3Eo`g(Na+;rFvTR)-k%rl1x`3o>H1C8 z(=!iI$0Td)qwx3MXW!k=n!ps_opmI(fzadjzoY6h6_;Dy7n!_5tmfS0gkU!anVanw-tN(>dxMRSD;ox`)m!}w=t>l-CygqXPys_I(PjH`5DrR*FO2A>g83* zkzI>lVu*V%?&|*(b$0Cj}?$`>=*FHr8Xol?)H& zXQca~n_}*k>y~G+9^32QV3r&MVxqS|iqGw`!D#~yQ0tBSiEvkeo3z7rkF%=~jkoUw z?*T!;k3{@-K5N(Y78%3Y36WO^Ynu0r=W}aQD9`k&P!EnI7C=N^=Xsa-*nbyFO&jAm z_C>OGz!1-hz3}=Hg2m~#IbYxV%aa!FqFDq)G&75}jk>WSd0StxcMaC5IYn9wc&_;^NvqvxjTE9*FH3)XjY$f<^9itQU)w$VIB z3ckN?0~*GOy!jVUTB3SO#VspU0z}K!^NDe6aUQYLUp9R~4HKG_8zeuflP>x-?Tcy= zNHytp^XXsq>yce@ZqQO{#8V6pX9glSZjlYR=vNDFgGZ^CK+KfW;<0KeXp)yBrQr=w zDeD0V76wpJb#0~O4XB#anGk&%&4dZHXsDySB56;Ie#1CCi_{g}N7uWt%Jv$!I#l%} zt-~g$H@okI+&3sAa`z!eZ&$lISDcoIrQxwJ$Au4*_SHw^gJy>!o%w}pth7mmM6+M@ z$)?2P*oAxVe_2q`zau7uPrA4v-;|!j6MoNzXVQ~R68_~}>Qrv~JT)_-8Z<&#SN;OBC9gKmC;sfe`9n{)Sf-&0*LqqP zWwT?I3}KWQQ+ZQ&mOp#e;_(AV%qwin%MUxIck8D`6@_4gQ}q%tw_8_6i!vxif~xAF zk>)JUl%9&%?3=u={po}W{G3`28{*s83k(*Rep^`v4GM25IIStBeL%he=7ro4Odp|VzL z_~Z63F%Bp@Kk>y&*W5_w8Jj$P1l@olKE{H>w+z!NMvPL-)y$O&5p0TNh-D&baGY>? 
zH1@;cTxN65GeIysM&NLZt6L1;=D~WUjKGFAV-PDyNWDmmo_=O!rC z=Y*AyE{iz=`vS><=kpR#aITHSld1VJ^i7UGx3AlF?k_u?Zt5u@ZwSDK?Z4?A4b?&e%wALxJ4%4Uc7tX60t^vTy;ye|LVXrj0!tm64y61b4YT?Kr7*8jdvPYr+57+E)7@NZ!Hq2#3&Wo z0MVdxE2D_xHwu5Udu=f!buU;dBNiG(MOgr@lx-<8MGmj`D*AR53yf7B?fDKvOAn!a z97vC?Xy$FYB&rGwAdc)#JWWbhK9!bBnqX>4Sl<5cCV zK9SX;!52srH~s082SfuUd7MoV^z->*RJx6+mBa6MJexQ(9braLP`H*~Y-BFNLuAP` z?fH$19|X%leX#N(#5w~@NErA-u`Wf@f*P&*rcd9gS3%IUjcnNKs>;(0;b~e^vewxl zBT_a6A7RtrAIsZojnX_ zjn$DDA8O~ja+d3Az0l2RT722lxvf^CyG?{w`0c}{gt<`C4O4vfzS~=I)@QEUaztfd z@|$oXFNTlwPc;U>nxr9PcUZ3vQ#X7`=8rFikn0W8$GBn2&9UMvwLt&DnW*3X2Ejz{ zcg%z0YoMU;735O>9blCtc#SDcjnP<=K2czR#ZP~hW>})LTr+@}_d)XUpE8MJ{*?H(W^xJid$yc^dtj_GP>a`My`<41v7-`s1^jF3-ez2>S5*a|!R+ z_2durnIqlD)EjC~gX_z&XU&zDFYOu`B3dd58rXK{L(K&)t<#h(5{w+$IE<&LF`dmH z{yN;O`KZ+ijT6Z{t?Me=xPlfh((iUUzkU6}KEPxVz5A{YtRC8|RqASS*St#RBe8|6nEk*3h> zTdcnrO=8uV;;Xq$z!6z7DdO@Y6q(BK9y+!p_|wV!sKCrl#xc8l<7KvEmH?}|89qcI zE=O3~j37LYoKbU`h?_bN;(vAK@smJ;S^A`qzt(lFq^msk_`Sa6Qq|O63YdE7o2gfr z&(irthvROt+>{lZ1m4oW3LE*3S9#O}A&-e(v$o4>>r7yzC!ChsTi#txmvRT8;ny|P z`o0f?-81;sk{}0`FPzBDkw3SIy1Vr0O?1rK*qCTdmm2mtw&kMZ5AC@ z{T=@J0;CsiGn1~h>$-B3|C7E=+W&&_cw7-5l$A)0y11C<7 zdl#?V;b$N<=mNc@zy!xsKEySw7R5#Xi!bE4S@8m%{-qi<+GTx5qjx%E8-2b6$#U~Z zegfT&ELDtYylti#fAhHv?zNa7g1*YnQH$Vz{@-u2NejQkU;E4b4Oczr?M@QY1@?B1 z(YPOFf2PN%qzkM(&szk5!m1nSXs$8QKA_yd1)vjOH!*-MQpEhRS7jsc-!j6#aEg`( z;?$IxB~xV$a(817swq9TQwC`TQyXGlUjC!(YI_Qp0sQ>WK60pni!9jXm7PDGpa0|W zEB)0MyPxJ5_0h@RT2mq!+LIcnqnDI>P&BW8_MS>3XKAwzB{GB~_OA~m?Sc1^f-*Vk z*?*9^*1dhqT)HqO1KF@e9<1x$-#O&2f&Lg=atUc#y{50sk%)UWQzamBa;b{c`Ioxf zKkxUIG9J*37B@VW(mA`Ic7Og5Q+p6XdAg^}Y+)52a!p%?BNF#=k+@~%x^KVjpRe^_ zKIT`D|A3w{Aa_c5kq5cD90Nb+;`BGW@v|h#Uc*0W-nHNe!M)sz>%h)-|FOc)*njy- zf9yc&Fg!PoaTJvVeZqcZIkfAym<&vpDNUe1S1Y|Q2 zq&eUhdT74)ge~t9Zj{uuvop)U7x;(C|BUVb-tSZr}58f zNX?=s<) zSPiQtH~>aPpKTroUGT?`*-I!XyaExjByU+K5=r(`3xy)H=%X9ZcmZPkZE1R?2X?_) zH6Ip=Ei6UK<6o8x*#FT-zre$ZvGJq6vHpiqDy?wmQ$&P`NX}5f#0<)1xJ}?J zWv*|eMb=8jC@ox|c+NFD`Q?XzTB+&vQzL|@lcI8|;pc^sd{@j^F5OUJj?UnNXw8jQ 
zbFG};A}&g$>CHptN7p433wH=(Zj7o5ome#x%=C41<*7%5@*){)TSi1IXN zAuZvx?EV(#Ro`m5G0DdC@gBMOF-aRMbLZ@rpJ7w8tnl9*m-iOun*|T2zrUiH;MNh! zGHzW{N9~Qlnzy0316aGFYuVbTdMh=~5@MDaS7dsFuQz+ICn)TVg$J(&)?#gJ4N`I@ zf5baaR^{%F)YJ?@h}BNuUMZ8*^Sf(1-}f4KZX;oqpF@}X8@{WVQt2G9Kbl_duC+D| zUqp6|JzRZnM?HG**llku`EU<2@qOsFaLXWp0LfZ`HLtDPNf@_xZ5tPpSnJe!ZS-Ka znai;lb}h>?c&+klB9w}9BV-AF5&On;?ga(wF#x;rZyxiCfDugBg?~O zz*hpMl?{NQ6yn4}T-7_z#(~Um4P-qO0H(IKfq}sX5?W604}86vl?l)pOp1X5&v2Nikj+vLm3lx^@Q4d zG~H^@$@f$yVW>oRD&ETV$}T;!!yxX>Wtmf^Qn^#<89VDWoq=LH_D=&Rc%ygn9KpJbwdZsZRJwto zZ^d{MoWs2Yr?&~A*2BboF}z$%-t?aTX8L&{fftpAsr>CQO#4ClJv-0afxA}y>7hVF zs~??EsVCpiFCyiwz-#j|ne0u&{UZRgt8zpH zlV}3)yjkOj5gMrRn@A~D4RMsPWz-#hpNud&gowtM8-aE&hYx~H{PuJuKe4GEeT+Bj zt5wc6$k7wC4xUBKq^WVxHokN~*!W%~%GyD}H&liY1%~O?yBIL7SNug9MW0ao~S5hhn;&v#7cB zmcl}{B%GGiHTM8!zwy1|Ik=ZjbJzLxylT+^*piRiwMGS>ULm1hYN$J2^SJ){6dYIc zagdam3UEx+31^g`PqVKu?O2AjV94th`I5kghG!=h8XladJ)P3|E_ z!$_v13{O-yrRlBoH#Yt}L%N3NfgN)d!JbY=RujUB4!axftU27`(~X|i(#d+^+Y%n=u{%*E)N zoE?;2Iktt*CGUAMe@W+;{b6`KMn8UEn6w=>Bhle+){q2e(-Us>I3K?4(gH2={j}m; z4lUmv6p4M`a`5YHm8(;Ls$??^}K)?n4@-A>3i#Vq<~joU~`YPhdX6p;H= zzi+m#wLNx@aT7Y1uybR88INT=-hWJYc(8wa=;zvY{UwL}a9zf*b7SUA%;n5I#+;aB z^TavRM)pa!w+a7xyCA)A2X{8p_vWaEMAG?iB1anTJdHI90?TSqc!@vBP?F5SgX zD4c%S?HjofFc0gn%e(jP1M9LY>pae25EN~dTb@qAMP9D_Iw*zSuWIuaDdBfXDS4Ey zFCH9#OxD0c56#MYnPmnbSq`b9vvw$igr_650RziTjS7vl1%&?x{Q3r9AxdIi$1IW9 zVLLXD0QqSZxP}D$)$Bkewv?itT%Eien0;Qe%LXcVCJ%YDe!YIg@R@!q^0WsiGu}z zbk+~_>)h;f&u@g^5TVotA00V$j}{~ZtC3jBNl0)6J9uRINgt#a0U!a z(q;!bR&1#XGX$6beYhK#5GIW-g;fHm8Ktt<;7iSNvJ*^_E5eEpDF0Iib99HJaPnBnb|TC<3BaXR4Xe8DI^X`M!N}1<#?1_27VJ5bZ{q6u#(kejNhviES3{Aydx|4 zn7rNN>`Q~u*}UvZk+P?5kynY))B-E~1be6|-8vq}(?5DM^+Zud8#SHvxr#?=XDYQTkTq;q|cUTYInUr~IMk(?|D_ zrC;V_GR5cod?4d_x*a$D#fRqR4Rs_P!cqkO&8C(zS$d0c;G>~Ilsecy-zJy7ix7dP zV?A2@V#-rN{tkiIX5FR94DJ>Xp>2ud!$_QLHX^rL=qd+cv~wlyV1qIOVy@9uRdKo% zfM{texgzQuebr%J^O+o^nN38W5m?oVk9Joo=StrWW{#xXrIr;pn34LI;O+30j)ES!f(mHV64ThKgTTsg1T^6t^2zB>ywja zWAXs2k?4vAj@*xP 
z*w^k_!y=!ff>tzS5?uUZq*@MV9!lCylwH3%2AeS$Dlf2^a*U%Hg;u)nO$-z2A1s*q z3Nq$+g;_5u864M=^`i>|V}{?VcX5ULvrMx=IIA%X-j`?H49L3O-9}b6y_TaB@L3NS zCWjzj9$=B(#Pspp?rzA0(zs8)!~oU_Z9gv{6n*=n?a)AfUrT= zb?Tc-JNAceQT)RnNmlc8U}72n!BFn354UT7UAgpK+vU8s%dh;K`4|`7K%v3-uv#Q{ z1?lv3(iijOlbVs-k=hUBNV>ETH|5|}v>Il7ON{S=(c#6bq+Xk59eoe;3_B{WbmZZ) z6c$kyD|zuvlUdkF-tg+Mw&nS8(Mr#Jw4~ZP=W>qwpX+%3#=jMg0cv6E9bZKx09h>@7X6)Ehc zyv>D(oHSMCs$lWK$In*0xXSDm^L*pwGF9uR!!XnLk6KW4K2PB#9fUOpZ$p z?>sveAh3Bge9ce4_8<*LyY+x%yh7z|Sw8x`LPujnU@5zxW@cOGYG#Gq`S z_+|T7`s$PW|K=FAg_D-e4u5`f7cVRFLTcWAm7>M!bZssAVW)Uk(07;vn%hJx>JvG5O^2 zqSglARH?X}^Y86j(!(-0YBX%%+Z~r(q>n3*iXl9|i!SA10(_{24SI~N_6*~$ zb}=Ha$o$yPCr_nAi%A`5W|f&Z3v0hVtTv1u8AYKAFJ1bayt!>$Uu~@J)#+eaD9*pQ z)J-}jlXeR|A6Jxk*msrI8-rFciK=I~waqwje2hl<6-IB@xIn}u28zX(%%wCfZgB#L(mGO5su?yAvyz{L%9tIrU)qA4D4-WgjU zD;U%@pyZ~LSfS$LAzR(J4I1iC{2!BM_%SI8?*OOQ#CsM}yKn@z8w(5@D71rfEy|*c zNLhx#@8>~O8^SJ#{Q{hzyS7}`wTSYz`<2x@o(P-X%yfOS&Qp419AVM^9ny_t+j0%& z8z%g|oU9GI_DwBPI% ze(;vxTX5)y>hhI#f7E>1bo9tFsxx2JW@RKwCJ37!t5PA@6&)3&KCgS(d0{QXDA)FZ zXz89I_S)(Zu4DoKE7^Zt zg!6f#@U?7Q<2y&iHE=%yQdIiWxGw_7A1K%>c47UmJB7q8`);x8+2+?@p*qdduSD{e z^0O4iQPXbmMDcPzgbD_RlJ$S*ZR&Z!*aLgYW<=p~0xZj}jLku9%S0QKj1ul6z@clS z1~|Rf9+OwZ#UzO2lItj&L^9M<`_OY6*%1*jTe}LJluR4EN_O}yI9jkd6eyBXmA2-y zVbGJ#Dep$HD4rDi^sa~a%2ism%EnnnZf$K5sx|&q3AGnK7Q*|c$GIP!2l3R*7h}3R zxYrdDvmX#rQD-y5YEH4Qb#ItVn;tf6mn!fu!E&UnJ(t0(ayY_7EfPMrHmrYV%nZu- zGfWJw@mZgyGr1bRGA5X*#BWvmN=0nry*ASRvAdw8|3NI%M^YWw*7*Aty-D3b|AiN= zVMS*}%*BV6YN-4qp==vJ(zn+K#y>8+9j{X4NrsiY)7&bo+FWDJqJ{aoLaI>JEM@y7 z4Xw}5_vy$r@;F^ z>g|7*F(q-8V-M%_>%nzTSfqu`tFk~_RLulo)TFe?;k6K@nQhV!Kq2av$E2+l6iz*%?a^CZ{}8Ur+3+3^%uTAPlX2yv1W9DFf1 zyOS8C+(IUUzCz}LaxPsVdK9CuYSXE$s!#SisgSjfuT%un3r-~?hmp68Cn`c0yAJu) zXMi`N7zF(G5}VcaCvHx`G{K5KiYs}Fu*C2A1XY8ug*criOj(XJI=-IdLXdLYa&( zNdgY@CNeoY50kKJ%AgUk9K((p1hOgD-Pt8y?J)F>6&Z{uIsf^k%9Y9T7J4)s|203> zdHSqd9K%`jR9gSeYKug8o8|2qgY9c6YhAgbUq8GgRb8%-7La`1B<0d&1@(3ANWF0D zdLWg{=+|hLw}uq?vE^Uu#&WeArw&C>h?Cbo33C;0r+wJC>yYwO1Y%hWZ0?Yu=ReDg 
zCJR(}dRiIM+petlw&AvZTws6bY^&K?6Cce4OF)%IxZ1}47`|N(i=GNUx2i=Myft4N zZL1;r&1bE9<Ak@~+QxWC}UqbzN$dFwDV8YKOljmLgQnhsDIB|t6>ZsSx| z9!g$7PEG!;nuTWyoNZN26=)R6npUXPCN}BY*TzbUz`kg@s}@($!PEyEO@Vz=a+EGe z0KLfWFM_>^{h)5}Y}_PVf+*z(@KBwhLUU;4A69mBwq+?c#l4E%$}w|5X0ZaE*CRal zwBewKyZSpT&jqT;)`xKa{nG^m%~zhx&PUxN_PsAorib&RvKP;;k;sXUb@a~;*%b2W zc^xhc)p)|$H~YCZebcKLM4cXWUIj$}*JGeYO4^hF4oyu`BHK+rW{;Y2>!MKJ>AfEs zX#iR<4e$VOJdgJ{he+n=Q5fp8Z~6uxt~_i56rwD;5`@NmDISAn1#PMQzKFO$VifQTPTnI$?8=dZT~DHjyVo54A9$zoMIF zWV^&(qh+B+fUct({7Kcxq~F>-l9qywTjN}JJJ>;^l%xzTD16n28vXLeRn91|!!~+d zTqF%yhGZ}sw#AL%?%-6kgf>^&kG@*qe*QJ_@@19PDN@Y%{b}xN@)*69T3xx7)7phM^(!8Z zWYP4MUMC-Sg?2urBT?SIE?;HF<4|1>TsrT!cDYP%nbooh?>k|2YUv}558zOWWABsk z*K?%sY)vS2pMV1oq8rgJS@!|Ok zO96EEDhO?Nl{Ne2*lU10QmeZ`oXR(tgz|QOiDe|eP7yHQL7m91IAIJ03zeW4N`v^S z;=KR8*LmTD_q05w+y3UKzo+xaM9_cxQq+%l=?^YAo_*FvTtUnSjrwl@fOIkr8WX+T zsuUfl?nn-)O2LfzF?CU21yWr{R%s`^)EjO8d|bj^8@;^VHjr^k2L5s=ER6GyGlLRx zcOLfghe8q{=tvLYLntM|iCTzSn5B{bbhGW~!k7#`9-g_g_0k!>+<$6oeKiHZczr(G zv8-$4I9h(@)1;68`(yt7eP^5E#nImefcY=?h}F`#COb^pk4O=-*5b%i_HJ? 
zIujo#6kev@biV#?Y8n6IPwKn47Nxs$Cja$+-D3P7ty~`t8PL{``k|QQ|1Uqy-yiGG z1?VvhW=-8&4*8Ftq&>b4z%W(;K)gWH&~p%|n@w>T@`uBE{W!Xb7^te`fLez(lOrfX z?17|$vePh$JuNFxKpS$i_=m_P6GUCO4CWdpCH;pt7#Uv&mS798oFj35ek}uBXZIgnJ7P=9CSD1UzVwA{)b^u$if4rI5D(8 z#VR<2J67Uam`6LyCb&r!2kx8#u?KK~TPXZh_~cu&Ts6?HzMR!_`s)W&|BU0#x0R&* zqiOxWzSjSKTE}sR=XFz%e{3~Sn2Z1f!yD(7A(hCtIF=qr)VNbq3)td&0C_$ddG9$9 zZxzVEz`>$$SR`V4;T|2N^>Ra0sok_>0VyFU*s9HnO-%(gA08g=0nL*rx9#?Q4vs>A z=@|#vL~mN@p&=lR;?~|FxX;(XdVmCafT8$@R%R0JJNXk6dUWEjd}V&H=!ngKlDoc) zOO&Sr+EDBRR7VFC-H+RGiGlQq9Kb&N-~?K^X{TVFLJsLzjRLQq?XVs+R7?@@16M)u z;$hYB)u=PDIB5e6&!pG4X*Wz#&eyMXxDElGq(_-2u%qG10j1zKT>s#Bo8;T&KSHN( zpefGYoEilNI~fdAJZx}K{AMU1m8{?X)EiUvW9zymd8p$qpoqlU5gh+h?>P5qa7QqI z%BO<_fQW+MGXzYWRghaEV4!F<@IxbYPNBmv^=aY6J<2rDD{fT<$T~QH%h>o43%2nM ze~j^Xna`wYly`NV zAAZ+#I>n6cH=T?H9vMuNWh|}j(ZFskc@F?eF|6d=&jj1 zFAhQVby%O;Y z8BE3LI4#0BPL>ie3YwngIJtI#%Bo+T3e64(<7*+?Xl!xoK|M13DO6(!)Xaj=#iyl) zIO9QjjDh>F52GF_wd(&c_BrA;!x@zk;d?*`^W!zXVmPA>*uUGeG1BUbSoAOhP(-8k z-s)&TkG4i=Zyc_LElg&`1e@{U}|7im%VJ^U9rv)TsA>>K7 z3oH(mzbGM(BMH*1JHGC)s=tJI&_Kray#=I}m-PhAkb{{BtH#PavJVsi;{*-S)S_P3h}EWYb&FqK5g*MHt*F+=^G?;mKohT zZ!2xJ?$4BY?05>Rzz#zn2Pcgf@b_eAbl=P8m3mO9SOT@qDv1e=B+c0E7>zU^l@t*) zc0{ZVBEyc4dh>wbdf@huAlclo-Iof3^Vp(+x5I5EjN^kv%3?x=hGn zw(eWly*K^;-x$e$f(OT4e zJpj5X)cFLRgiA~THN!+L$>UZ2V_dfgM}}}i-|Kc=1#Vu|pi!7v5u-G1bORA4nYec z7i)mOpvFLWa1|^|Kb>pA>2B+VV>c5>;`v@L_xFe!RT_JO$Or=?PKyM>L*amvKwP|Z zD|dd4F76V4&B(6E+t~lW$m}tK0)g!=f+d0 zuNTxi9;Tf<)Au6l*{y($MfvUObq1?&FW&y#4=|&BsUPJp3mTmKydNamB!>=)V;IhS zutznp7)8m)?Ch^=;cw9)CrVPumW|%Y5nDa81A#;}NAR%FPb)8M&1GK;KI)cgm;dZns)szbAO62fJU<@c=~@@OCuR^G zAZ!M6PH8z5b2G1=EIUGLfIrc>g1oo@6nWA~*xTnpoJsWc8d^3GkV05ZeF%0aCb)Jd z?tJ!hrwS}pu2pQL8&`E}dKKxmhG>RC7F4T;uv4FDAt<}`>Xh29xnAC|Ye=33KZT&j zf&DQUo1UX7x$>2!M1)q;HQ+Vfn2=ire}3yv31Hhh;ZdxK|4Ivw->fs=c}SaGrIUnb z7G1nGrg*T(5}q%X?IQ0jJ=LQ%*$)gkc~Ga4SZ+?B1YM3_lWVJ0uQh%LX)P(uWq>+MgEez_oje~ zWH)3Cpvde_K6|GrzL$OEBsDb(858$VY+n6j1}Ydkq&=O##ew(Elja-XK+>*297u3^ 
zR-_UF=H2w?U!MxI!Y&67Nm=7o+|!WW&umKWy*1#jmAr8fX7l*tf3X07iG%jb0ojVb z^ej5*7X;7&vBnMB5f-36qV_$w_E$@gbC@r0FeRyHF1OVMhp>6wN*9fhnY#DbGq7`$ z5W_zMo1lj!w(1b$?na3sbCEotrZDZ~j$|;n)QA&T1ZKE{*Yc!cH`r>+uqCZ1iL@ZZ zg;?PNZ!DD1N(yc4XHODoCT;oLKw_X3aG*%BrA{gdJABDF080d%$&@)sYy_OH!2Eo7vSTK$3Z zt$7T9m;@+chDqWDw~osG)qW|=Sn(*K=fM)O?qIRi-dpS4w^Z(ps`s=^OT|bhQ>41~ zSQ0g%jHMDu=9aD)AG(KqlZR+0c#FDIvP?lzwpq+j{ncP-%bHJ(K@KL1z#Oq<^ z%L0|8Hn_{M;t*2%vzGf(BSqrA<3mif?)aIIM+K=vwOP^cA$V&GS1oJ3-RB6AUsgTC z{GO9nwLN=ZvlQhQpPYNgmDT0CK|hAtqiYlXA7gI;7UjCH{~IXGLJ3hi1SAYfq&oyr zQdBwyq`MmghLVzQ5J9@TLAqPI2N+-&y7T|cT6^!a*FNX`&i}gBwJt)PXJF=ipXdI5 z?)$DiJDSLAIGlKLS$7p%G8j;-nB=!ho`4kfEu8hj8#+{^E-Q3cY{h?9jC0w3G9IPg zxvr>jviVLcVM%Cy=ja2R#Td4PL)`&sob7P3p0DvxoHjx=yO=KicxK-lL9nSswB#aR zNSKYp@1w0_c~?L^ux6s(t3SV*OZ2rGo>)Y-Ijgl=<$1HTp6kT}vs~UGXBLK~xs53j zgedpcZ`aOk8ny(ulGXGlvk$ZFHAPDb*gE#MY8A&R+`pVF6w50ulsZ}0i`%ks_273J zQcWxpv7^h#Q@D>pcTm68W8Tls;{Ii2`?teTmMI3Y!yhy+bw5D!m=py_rnx~AP`%ij zj7!sZq_eD%U2MMy5{?zn+eKVdpXw~J?(3m%Ye6fm!8;4Te(2gb`jirK>N*D9UJUCy z`N-Oi?Hx-|vHLai2&7{pDLgHeq4yr(O3mVJLX7FYUfJ##e@7*{%)# z3WWKmp||TESUt9Tc|O|jv$g1SoauG6Aa2r&s)w_1_5C$7aqedx>mVyOsvO>sT5wXE-bV)R}wyv*p? 
z5-wB%{rr}TBpm9b1zQ3!O`9K5f5z06p>#xpUss+dU?a6#`Wj!Sl*Hsd{uxDTJgX%C zn+RMJ%w0=zw*~#^XSkES5Ap#xL1c{o1wu8zV^Crm^uq{}+3$p>Lm?8qcd8&P7~jo7{Fy94x^8tmTw7T-3Hsi;=+^%(C|DG{AiFS&T!(E zM##sqJQ)%lDTFp!(DL9!z= zojd!4lNwag#~t_iOMHl4VZVEQk_% zOIi#y`K9UKHyK`L_@w;DO3LYsI79Ea%`G=KmlmgMO+>3%>$I7=qlsyAuaA9e8az)n z_?i8XY;c~Z+Wtuwi@}u9fb83V0R~=X?4QwS3!Z!<*v` zYksUtTXFKr0)k+RCuwpp^eA@}%KW8sYR z)P$;REbdV$A49?6hG3%eP?U0q%&jJgS_p;+22KZT+=`u$l)AdoEa7zS{-x?`07Yq4U)eK5WFHs4oSLb)Ii6$M#8@5gjYfQ90qQ2m)6FhxM zk!kifF$0KAMP(3H&30v?_9|>>McNOxX{)c=6etieOi!l|KMk_E4Sxh9F_307_ph7G z19zxw4f4jLDU(dWj(Ju>udLvGnGgO~;Dra5QlxI4{B^*z{w$iTy93VZKFjLl+kz zFRnW=!vu*@L5E@Xpv+v15w{(7&s~{%6?5RKh^20r9{((W6ff2cB<%?bX!c9rYg&pR zGGr-|c#Px4iRi@r2|`k7?U>Ru=awVV`RR>W17PwWpv}UDDX`)J14rF`qM*rPfE5-9 zG1OJ!Z?jLjGN^hS52zz+B?+dTk{^Ou#|2J|p2KYOLQ{$Lc`> zheK*or7i)(cfzmZj)x^Ud$~dn(=p8W3o{>9Vcqwuw5G|=jVv{r9;>*0#npd>6t}O- zR!OODASleODN#C1?s)xkTw^m{Hh!(4Ca``!@O`|-*4T%ws|Cl}ov5ew)-iYOD+xB` zW-EXy|F+Mtgl;Z|Zk+DrK#6AnHWyBkF|rnKk}t1~gZW`$W;M$HYSD(9AFEgKkFRyr zEe*}%&+LDbDdtBL*oRt1V87M(L8|%<&eQeKl1J4GHp-}KH`cK3@#T-adcu5!gviO+ zn&q=z@PyqwbFkPL`^0i^#B8t6`*)cU$avjhH+t|MK*EaI+DmF2wztv<3X0oF1$Agc z2)X~*`6?#CN;AOrsa@P{EUEvq;|EM#GbHE-&4`W_d&6MMV-I8-vZ1?H;?%rzK<8Vb zkR%p^_WD~TfsyAd-{gX}$ioJ-sKi$byJ&fCq8j1rY^8|~4adJ9woBAbQM^>(5)8-i z;>3S(+Tv9jdcAO^Kt=OOCn!x%HFJ7!8E${9j98nBVz_$G9$CAUrAj4DJa!+vY1|r=apt|!seya53rmRiKWA( z$J_am!gMV!+n`jSH@YD4#-=$)_d*^@Z-$pGrrK&jPv8nFVW1Hn!8VUK6<;-$wHD)I zttilzah7@j_-lJjpGx5dIuoc!9DD?f|bzA;FXGLYK-TYMdM7*$NHu9sryxC>Y4GErQGC)0|ba^X#__@$Jx4OzQRp` zc&&_M#|IYh)^!@SWr3b+E9iu`+t$W!Xq4(xwgeQ`NhJG}6Rn&*bgZWv&#iE}Ho)x) zK`yof>nTg8|$E6lqH{z3|jbN!QbsT>G4?=Mb%Fl6nQfn5X+mTTU_Kr80 zjFNkwyv}-}{%VQMgkQ4WgMEdp-_y>vL}h|VtC5G&_o@FVb+0_X5KL7ZZfN-Pn{T-* zo={r!(=yIxkJyi-GHQv(Lnxm6LB*!WMt0_f^Bfe^!TAUUo$bSeEI;N2^h;|r2e601(E>~H ziX_h5!9`ImNDr*5(u$ctCn?h|4Aj`QDMKB%SgiTwEH(JYytCJCze%? 
zczut$*sU=Hy|Z(v^Sl0RlSR>_>jwlQNP`{ib`zH^o&31LHRZsw_0w|GZ}m7<(T)!~ z#s%$hnhSy~?N>#!SZt9lEO7?hxJO)8qAn^bl89h%dLj+!;71l4)zfVdv1H~|x9^8~ z_zFR%JjjIxwuH*63C>0a>ca?DAaYuaCPY?=Tl^br^mMH#X2kk+qg=-HBj)!_vL@qS zw`DJQ8Vc-|ZtFt!fBRX&`It2k{Pu=Rp(cK;sN6VIojJucqQT03+GS*OPVB4b23@~2 z8vgm)NacGXWPxA!l`#ECBVbS6O~3BmZD#`@-u7!~j&Q5^k5><5a1AiXHSDL17+63H zy-SONC*AnYLc7#sZiR0|x^n)#;?F({!J$ERtb{EuVcb+0nfUEGlupa|wIEx;%{?fa zZ9QeT3k)p$HZQn;dcd!!mEj_?W&GW^2+=ap_D{{++HX>pAKgsaZ^Jt;*R+3N{FW9y zT04cj;CY#FP5cwgl9WXtk7?jOf#a-m$*@5Q?N$Qffl+DSEV420F2vK`+r|f;Q5RUh z)HU0y@wyX=M)`~03sV2KAt~j;cZArrZjMMFf!EDh-GU;i_jAgAk>#M(Ht|~pl6tKA z)y*MP_e9b|$DT9$OCCoZxpkg{jE-`U{I4CbX*?d{JWGgL^?PKe_x?7!TPX=D@ko|0 zKz8bJkjqRgiL|3T%)MC>KRj{p5;nagDD_@5w(iRp%JLJ$TEm))`v*$rwNxYMn94q1 zK=CJ=lv!*s*TvM!O|H^S-^$E0yATJB$_j$VxvH25r(lFBy~zrHUNOC0?$pG3;P2IY zkb1{Wbq9tT4sST;T);>$VPPP}d<=>m>87g)fuhFha8`x1McqOYU3`+vu^T=YK<%5 zp%EzcdPJ4wfroTl3cdaHGKOWIS#R#?T&TebLLS8#RAd3o+%~v;wa2o~U%F1ZlOdo|*`h;? zxaIr+Oy!PrC`?vcuN@s*(_;MEKx|TGekz>Z|3Ww4aLgb?_0@rmt;_H+|Bn9tmv)y& zHxr8Bc^2M&Y&6!)Vv(DmJt9Se7l3kf;WW0T%v`vLAxnvOPo#@HYuIZadGb5nvmqw9 zjRjBYJLeV|Gm^4qd;2bS<+dnGkcuR)`{gOQIO2t0j4``wm3~=-v|dO3vKTaxojOPG z`oe~G*(pO;ifqjFYbADp6lV)OQCB?;!SGIB!GDj9djuwr+)OUbH4JQH4?`>Y z#u!)%@>l942BwR{@W1lGsJ2V=nZ$xx`Qka;;U4~06Q4{*OSZ4<7Wc0E$T_Q{M-sWL zQ)@9pUliR5Of0FNxQeT2DpadK-H2nLhS~0pmnV+f3RIdON-{rj9`(Ict(yC2t7bH3 zF;47Ztay{BwS1AGVoM~?($AZie$l(|4j0eUr9hT`z9XfQ_kD#veY`X1 zYPbO}Hc4{be{^%`i3!u{>$NCU`!`uje(@7(6&@p&*b$o$`+zQF3@YNIj>Mh&j`bT< zop}*C<1gd=cE7%Kpwjd!_hlO^f)diP(}Z#_VNsPJz~pvM$5A=-uE;5{Ik97KkG20Q zJpc(}jE~edypK89MIpbWW2u_)@3ip66pc&(Cn+%}!gYmwr|D+_3{R&|4`x30S%O%y zm;dr$#AY?jmH}E&O$aNiw0yqz;69=!EXo)Lw%KGhix55# z-tWe3J~2E85qa(ZG>G$^8uiRETDt{am1^94S!Js!hfz@JZPyq=Af(>uXIBJKYHP(E zOX&!Y^h0o`7VX$Gj0zogh$Wg(;$~Aa3DqGQpk8+mAHN`6Y*c>tEG5{=tcYgvx0zqn;`rDd4eWQKgvlg-0iq27|TU!avNRsq3+-R&9lkSNUPySd133DKl`J`PNlR$&D*hHfF=EDpi=+!q=o*J zm7GjbMC~g}gu?H;?i?e27>#Dv%{H0jRd_iULjwk+&=!-Ag-dmL5klrNHcN+hSmcWP zbH_{4c-epHhiNpZ>GC0bq$#sMgmV8;2k*YRc1aHKT3L(X8*sPf4w#_jsQDrhg 
zO=-RoBDN^6x(qvt3BWczXl)L7uuq{&F9JJIE6ZLPR~i5tf=4kG^6FGP6|AASv+0;L zf4nMG>f_B<^#%zn2&R~E9P`T)$E-6c*~qJzS=fkO)k6!bZomeoc;Hvv2RH?;4Wyf0f#yW z@=|aZl+YkS6AIcTaPIkYMl8#=otGp=hd;{dAHAKzllX50n^o=go-qLIM(@iFyKH5Z?sT*-7l-#fLleuQ$ak#fT}n%o9`A{X0x-W%R@aV8UZ0`Y0&BGyWB@ zcoUZFZR68GwxzLbL>V+u1sPqq|^7B8xI`p>f{D^wuD7zMhC@g$~WAfq{x& zxIT(Cr6 z5NKxrt1z)u0oP)t;kNXec6}x*Jo>^&Y=#BQdv~apcGvW8-AVCwa0uV)#2zpg-A0?c z+)-xYcA`1#)zm3N62R+YkT)()Db2aSZeoZi@iiBKb0iKPwGy$T=8g9Aoy(tT#=g#) z{ah|8Qk$&Sa~4L)ZA(#S%t1DYIt5@0}`M0-VJK9*ixV5&GjY54pwn^_<`{Kt7 zw=kySKaB*`64TKA(D$g+-*aM-*;_GN?dGX9p;c>xq_%Nj2xrz$e-z6ABZr8jH_9z% zTSF5e_Df(_Yg4&;OzT%!rZyL6Jl-hK=K@viM`6AyFOZ$M=i3=D;W8k}UiVFo@t8|a z_338+xpUh>w%~_j4j25X`oWQeZ`+urAI8DFAl}Zp*}}Dc{_Z+|AeE{Vzw~btX=||K(oko{qSp#)&)n0 zOwgO-918@^9exknA?H2E7I-x!n3t>)drU+Ks7?6h8!K1X7UO3=SN37TnCfFoEGa26+vZE85nG?S3$$9#o~9WJ@JmrgZ( zw%{!*TQwds8{S3pIuzkriI+-C`m@F0`#<`A|Js@S^?wqGc!$YLddAG)AgW!4zwTHd zIe8|J9!(_hsy@9We z8@z~>Na2Bwc9tmi>4OZm71jRzj=W`>$8XqJlsdcB|9-mo*I`3D?lB0Eh^vy$Ne7Ro zLh$$l_u>E~O}2B#mEEYP#&w0^R+P^Ti>U7R6u{~{*;wUYnsgIKA-PtX6`zxpwrq%YS>@k+8JPg(l6wperAs`+!m7N*Mq*11K0Q9h`zHVBZSB=}%l= z9SfycsEVBZwM2O%$cMr*4#hU`qkopzgxT0%j42ogZIq5RC|zYP(Lc|l& z&NMxmw{xbKBiupOKA|$r_2)HXw&gn3WIia)q{Ce0glB|}ZnB~?XQFhzw+tZx!0?cP zW}m=3nTU-Fx$_$P3Hrl42}mY(8&WI0=FxF1xEdL-1jQO@T?vf0%V=o>M5okjYOErn zq5w^B35H3P5>6dj$dp@LCmFyEUKEi6Luh=T@x)@nSn2F|Zc^nl8^YMx-K$qFD8E~@ zg}*6Uk`u-&Z}W~y@g3!|?VAoNvAgl4G4z*yx}P)ojX>$`JH;WYt;TEjYh8aTowj1o zvel#McK8wPSKmep|#g?iBSg4v}aRQV&MuBqkl9aFB$>4R0ta_PD+}0-EX+n8#a; zWXO~PadHA6HU##W^|HXq3Xn%ixa2ADYUcy8#+`Km?B-?P5nbo=h^89#>xX7pmzj{LZ$&hw$u#_ar0d1 z)$17v=oXg>&`0*1NuY5bU5i)?qCM~ZN;E)%9mX^ON>bh`C0;OBE!^S*M-Nm<4>P;_ zI~{)He!^Z>T1W{nhfe$B(+15Kf!K+?ft75p1BpMc`rn5ieEY6p#1j0B{??;+H&TyE z#_6Z^^Gzm=ra8*)mgh`qDXvcY$u7HZ$4o|j8q}6*48~%9bX52jvr( zGr_|mUBV^#XkrUFUM|K}VDdZZ+xf0VDJmmX(QHkwH2+$pFV7z0JmGj5Bk{Zn>21Vm zvn4t`9}gA?eO3CX7CTnO&Uhx)0y> zq7|ybZ{DAbQqo-a*#_A14DQ`~RDv^dl)`V&op<{bn&#(75L9-j1GpZd)JS%NdNyi0 z_J1RW3AC*-Z&}d4vz~PaRY*c?20%wB1G9$N*um!3KU#I}HsSTyOad{)9Q51$Gy`@s 
zPLC_s>zJo*^9^n>SqNa-HbEP^?be6sMyRvRmIJv%v)n)tE6MQ<0%}?AMGO~E%#v?3 zl965J{HIj+ulsIP)D6l$={Ig`seXBY)oqC9$F=}OvC+pX@Lt^nZ?K(PcCqR2ctaMe ziHAsWx3$wJK|SJSM>Lb#*?fca%llsTR{OdSxSCx?!BM$tO;T4!h@gJE3Xa2)p_Co& zw)q?-?DmhF7wav$Z)(r-3Z8)yXYHpC9M?wHD?aUS*k7mif-?MH_^+3%QjcvGXaD?&D2YJMDCZqSe%r#RSd zY^%{73y`YuW45P zduej{0(dqbtARV8qS4W;gBD9Vy5-*YM04iiJxSDFACMhP(Dm3)ZJy38>et2#p)M`>ss=* zO-J|D26bYBqE(d)vG>ze9bGZs0uwA6s^?{?L=J(jTvZ9PVu$L%`~_VmCPBUfQ&L1mIK zdl8DVndh!OhLdDJ;X9@>0VC4rGx9mxHLiBbOIQ7qwGrETo4iH0%M?k5le%Ur*rvOs zBQzP-++Z;ADnZaC6=df`iWr(~oDOEbcJl4rJ~i|;+c=Vm(|EGv=T^6rblGXZp5O9} z1FY?vKElp;dNp@^Z?QO&x!>CowMc$eFVI)f2-lk4sPI6wdJ>rRe#mTk!!Rls_M>WJDOM)C_v zR+yIwbHoplR|NNlTsIKl4nRLYrva5_b^<~kb97TZTW!qY4`qh{%fSo0uVkWkQVn+- zRzq2PsKBlC83}c+3d0|1((c52#~_CI#B5oLviF1j5$l{EEN{h6X*7I{!TDZtBkZ!- z926>ln1s#U_f@t5#~Mc#tqFB-+Eo$T^3{F2&#T*hkLoOT2kFRT)1aQ#M7w+m?vy8k zBcl*z$F~vYtG#gz?$!N)lM4X0*6-|Ye871>R1apj2Y8;xl2bchLxqChUq^K7SVTZU4-;LvFXCA%jq?j|Mr$4@g8b-;`zBV}6+i$;;_zcwb%&~4yK z-910v1_-witW_B^xtNT;U^&}b}X%jZwa_kU$zQ4qP(8XLS*VtWSO(SuKztahis@kdk!%<#fUxmhau5Pf20imvB zNCFaL_l|w5{_BpPFO@I!9ULw)J$j2-uH$tzXm!l4aWiWV%aPLrl4V74%&(4p`ft}9 zzl%T>w~SC-q@Dg3i-ocJCyTXJRVx^~g|W5ExzkB#J}fe1N3vQ~dR=juaK^d_q?Xx$ zc>>fS!KV^>yO$|)WqE7oXy}Pp^Gxbq;iVJvy^~ktICn!6Q3ID7_3_L6wsT&hVKw@8 z4hl5BnF2=idUIFC7zw!CcK7Y(k^j$(cU7St5pUp?d9`i7`nq7cRY~0%~>%rSdz|*rZjz@ z#4eERMQQ$g(BnQ_sSPp4mt)cT8d}XR@Q*>3KGe(98>P&ILLW}8dc<$KZ~mDzdB+_J?S>J=jX@YVTX*J zcI($`-^CnL)(y^+8dtLrV8OGN&D#&8Zns7`-fwrG5_!{NFYdU}o{k}!WP{5F^{Ua2 zr=!|yeis8F=$&9FW2cUT(Dj`eE9iPbjv>g*A-$J`N5vFJi8nZ1P+;F>=hp||cIV^RY^RSI=_7v#uzF^3%uG#$Ogq2>GmfOdTiFB17u;N{@eFC ze@5ZpnrY=oTa!y?S+(vw@j^Rv6BWv|O!CWJ=U+Egz7pF(a5JI)X0!9m!#GLm-(IO& zyd>vne?y_EqopZP5&N9&Tbd(?3cU^!%E_=NWrsXFn>U z-HlHylL?X-`qUTdQZvtlFxG&4U3SSkTH2>J{wC_;1jvb%Qu~|hnoMRI3@>!mDzc4A zld5={AXR=9-JM20AKkc*vE{1$5$W(bWt}E0XW{; z{)hf^p4)eT=L6tZdfOL?e5Q`vf^|zO{dQU&KS?WERMk^#p>*ki4LHP{EiNsk`M&$T z4Yt6pa(uVC5EU7sZp}2Rjm|+&NXD2&(=8IB>Dw` 
zlJ17Y)nOUcRT%&7&TQ$yvDm7jE_;1HHK0hvzYJ>%3kF?f6}pGd?7gdt9jXPZz=%Ilhqh>v;pd!f%{sUx`n^X5LxO z6*i;o*h|=fRp^VQ77ZQqCgO;o!1Lbi_j^u&jmLorBKYoHq#u4pnbO}Sw;dG8?z$Nl z^3#mf6J$hM<0+{a5QoK=HyZTCue{beD&1n$F=joY=EU43Wr5ZySGz;i-jHeXtb(25 zF=_<>>R1VG3GdvLFMK_NfJ(zrPU4wTAwP__QG{iZYGZ){$UMmH`xg0K;}eSZ<6#_fp#kNi1{)qTSfVKhrBl#^A4#H+b3=SZfpC51nGOL=y`{esY<8QoQjV!Ib)^)Pz$E9nomh|suna{2+uW1?d>qkT9R zLp#Pv)~+c8x!B*CmA3VcE>fn?WaBW@Z%^Ikt{DOt*|g8_3_KBX&Pu*$unux*-P=JNA;1<5B@&gf69pZy~0<8NOWHmBV40 zM98tZ&Jrk^jB5)Wp5_Vte56-;F>G#s>QFkyF;b#YFO~ZJT<*oDMd|S z|H)0YYADBanH|&l=Do9MsBoH+0jokTdy{y! zW!DUNt;L59%8j9BCqJ(JLlocVl6`xY&d68g`GIN{b>#`fmbq#y2?2M|hvk??mLecZ zT@7l}G!JvO7ULE0Mg|jccuDU(d~K+Y8hNZAfkVyC+rvd3*aRbDYvyjIr1sezZlC5! zS+oi&B5tkt<_^faL(Lk0n6lLd!CvR_85(tyGpZ9w1EFCrOqxj%?Cy+9BBa+n3^0OE zB)E?KWSWUA&>*o1D}9H;(th5#+(*T1YL2U}huG)4&JvNqUnikj!%FnrJGUtnD7NQH zN)~3JqIxd1+&IfByVCEB3G1%V6#wV$wiXc9Id0G7*+c3Rb;#_bp zOoh?dvfgcNnk2U9W-V5ChL@+&yLic$0W)nDZuH4OxEcy*7Z=s6i{@+uKA>^58TYk4 zeZam;e5dvb{?liw7WG7b+7TGlZuuC$om|bH0o$@@+FOnqh0{L!#+b(nW2lZ#yv+gW9d{x7)F2;7KA2btw!tz`!i>a@sdlW8@`00j9P`rqra&&Dx zxA9DBRD@Qom>#M-?ebi3(AB;nA8XUhb{}ftKLtr??pGXy&nqH<3ny20bW;Ctc%Rw~ zyHetiggia%7)5UJ=R-H%3gGdIOWJNOU{|c7JD%fwh-5W>u?n`LI z>EZ}b*ywTywb;MnEjw0%Kt^8)VoeOoJ&A?jLW(+Zee>HUZ>hZ&lE}GQImI_-ewlDRX>%c6Bu?cC7$Q^&j5YBa z>_~^XO2n};i1VyGCbtp5VhJJI0x>L`^=)uF+DJF`sx&566QKlrds1xni_)LEF0K-8 zSdf(G*XpOQ>wBa+U;#y+$P&AMxP5*u1l!QnrZcv}fx7XWg>kEmIpO}`KQ_6(y1Wd( z;V3vlPf`VqyG`>Va{97pL1EwEu1%PyTHJLK6B>h-_*yy72bvSPfy-@OOK%Jj|U%Hcf z<;zL5CUm5*8y;Esj~vBEa=?Y(rgi%_c&(D$!kRcYR~~P$(QIkt89)XrWiPgFcfF|kaWTu#~V^L?z7+#zRZ8q3ja zJDMzFJh02K9@ogu;K)|%^Q~c>148^mLH>CAozOdioA#N%jbC#SoeNM;&2m@DB*szJ zBnGt)C@-|m)7{zBAu2ifa$4YDnv(JvXz&ADf?3)5^Ch-gxN~XqR>WLxzaA{krP-N| zq{j43^d^;>evEQl8GyUf^f&nqx6q;oqdbBjO{!@M~wR)vL1= zw@|uS98bU5%29`4>?@UqLZOCu#uH!54%`MwN~h0|uq5~?bpTy{s9fTX7T$aO9*7C$ zJ!%Rorbvp4nBUKZzDxsHPb^1r|6a4!gzpVUAS0cGI#xFTgP|Zf7iF%M#ki$(g_8J` zWpL@wu1X54Kvsm671zAg=@Hy2@QxhH@oeqh$w|Ww3Ck=xthbU*l)q!z^$n3nTQ2EM 
za=8x}C{~`Eg;St@sm0GP)6IT!g3aBqSjg{iqzdO3yk;UUa^xnR5f!zqZQVQsx+VJ2 zdys5fZYibZQi9u^e-loKDkNsD0UEq(ieJZp+wm-dApot6U&XhD%IxtNc?eSl2$LO4 zgv>WOim>$3Gd#47EY z=9ZWt`|jl#C_wqQK~hxkjYcWuug{3#7>>H^aYDuynsnVn9+N=^8$)T5EX4_38@mwX z&#us0C;6=<8dka_Ia&Bda{sW$@<2ZCCgdhYeauH+GATW^81(Fs6g(A!Jq0SW&0A?b z@#UMDyZd$8^%5h-gx9$!+oAaWA^VZv#!~>|pLoHbs$UvK_NiPbGdo*!)p7JyFX2l<(7h2=MyH%<`pQ`YpY*} zV845ioH5zmqDCnvy+PI-3U;v4PDRl?l>1V3tLzj5Q+=?75I^66$cn0Iyfwf()rWkY za;zNId>N21^b+p@e(C9=kap9TM5MlCDE4-Be`Me3FNjzf73hOP&y(EuL_SF0?|5_^ zC3Ua&n}HcPHiFkCR_)AqS#TEq4*_G)DLUjh?-@(Rabl^3r^-KvyTem+A;OI#XH&Nx z@IXWjLVezHwNyus!p&l!go~^ClP+0|Vr5fmeO>qw$h;>-ys4wLMwHgE;w(od0GzR| zeD%QDIowRK%3JW{{OyA<&%q5>+}G1L2)IuK8AFSZbUZ8+e^<$+uvk5#rB?WRUP?4s z$VNY`Kw;#8u}nPBE(Y@P&D6^hcBcXFdY9p<+KuK#+%6JxpR$Y58N7sZ5KZ|M&+|V>aPzpWDDsVhp(pIRfhC zL>Mzg^0WuvuJdwLwS5<}4|US<#PSIGaqdF$EMwevOTo zWT(4*t8@$d`6h}Cw*1ps0AN}6%_9UC^B(H{2LQ`by@rm|E4z-a9=?ro;I7(U=$dvaQamYNAhT~B&JK+?z`K9UDa6`7* z{s+=I>G<-&=4D^2em=K~{Vd$W&rG)b^`#`xbi6lPb^Ee>Oa8R3v7hTQ@LiWAh@TD9 ze4>3wt^TdI0Au3}R_THDa8r95V&c#B z0=n4KT(ylA*vGr*A1;ma(tY^94b=_e}uxGD_mL+nYPjV?s|pekR>D zLjn}wSb^BkVTR})hSmJ*7Wejd?+#aNF2;IE1OYHeDEWtg< z@{3~}g9=kVij54)mnXZckwY+63N_PR$?6W6=-6Mu^WY(eRu7ktTF+=*ERF z#`VrgMsQ1jyJr`ng101IXDD#VCcH8V-?k7V-8cioi<3}Ry0?;RwN=aqr3&a^aT|%x z+FrMiqb;6DFZ^3chqu;iv99G3K<>i%Wj)5U_T*V$kyhcq-9YjCfP zRG1k`+A}|J+~8qBNII7lUCB3N z*GJNiAUPm#n0zobS?DU-A#<`-iHMtJR@MG@axm(fUprCS>bjJJa&86n=+Ysd)7Y)X zkmCe~{K&VX6)GGi2yu%so2?@2m!aBqWoX(;;QW5_EPMX;!c*D7mnI`+HA#!&Gn5Hq zas<|jK2ZyOpUjM>zIe~nWQA-4j;v&Z`Ng?@|McZ%K`?paCXKn(*R!dBfr+LssGZ;~)EwEF^4JWF3)vPm+2B8(=FByBu(Qygu8_g47M!OD z!n7aV@%LzV>I}6@?Lv;{7^_vC{;K9%=y4qv7CSL+@@s&+V|o@!U)#z4 z=bN~NSoY|7e`AKfhktL;>ksc9+>K>jm*(^j)TH)kHFw{Uq{S!-<%B62vG)53!3w~$ zcx-y~?}+4-dkD*S*_&ZKQ+;jk3K`AzV|G=iaKw+ z27$|TJX#pnMfNtnVuAJ9AU`RY@3?yRrmzgZw1l+>PK!I~;#s@tzt@?U5& zm;(}DS}55up~)N_3YXj9j9`k~TP=}`;3aqFW7UoxMwEf*!{ND8-3M=H@G`~3v8#UZ z86O<(Hav6H*AS)`y>kxYp)TDLdd{EB1P)oRWn!J;5}iHU_?1pK#v58d6`S9PwSxTk 
zH&*Rg{EZ0YX~aJUnN7p=@_GQ}Sl?(KF7WIo@ce^bn7E&nSpC<>E>(W-vg&&lG%8(K zcuTH@E*(>PwVcIU6oIXW;VT(w(R#OfS=+r|Qd+yJ2r~Tsv%?(x<2203UfK#w7F4=j zvkOUTvOn?PV*|2!G4_}`K4=o~KW8WSE%T4Hb%%f9FY5`<*n8l)0u%Og_o23oi5Tf} zBy}{R)hB4EHJUZ9IQI3?Ir?h3MdJAaPPY4r%2hNBarx4nH>UxOoxO;_z$=LR?B^h$ z*(sj(c<;vIdLXSnrrerBngmJek>1}fQUA7!e$EMax93NPa8qUZOvbhMwJGU%s8ZsQ>af_(4iW%Y|C^6$_2zc@0_M+sjNtS|950gSPC$Ij#6Fg-2XU?zLEHD zT=MztUrgk`J%#`6se!M*ivei~KYP@E{%vsm&(PQZ5q^8}2E!!@x&Fn7(|mJ z=m??wcQMRp>W&Y@yqKNrEJhJZBKnh1Ai+=S_cj;ruM~fXA5aEq6KD zQ1^jb_hzV%$asNwb=;>vAd|Y7Hnginh`jj(FI~7V?Xq# ztjqP~u}jF$en#kBIl`xUs#EUpQqJrozgv16d?;|WklvgWrTib24&inXy|-C zVg|ude=z*uqbmR{F6<0EE-Xs>I7)@^7wRt$ z&v%iPb;lY`sZalxH`(%Id4Uc=^xR3=6T;dQ+S#>$l43~ue25&cWYcY*D1x?Z0@RK5 zuFmr`bT}a?pz?D_Z?^*4q>KWzJ7t^wbSt%76lK{&!~B|?LLdk+53Emftr4iGo8X6E zJZ;f9YYcuXn?IHgS?ur9aW4Sla(NuP!IY*8N-tlvyaXK8UG&wFfFzjN03HI4@%52R zmqiz_Gb;jH+Q~ou_+t}v7ZqW%)D40hZ5>Q1SIaTo$z8B>BoXcVq-LgvHp7gSf$;xK z^gMs8!b}YbdcnY~ylbll$$SocE%g%wIEg|Y4b)E_8>fJ1q)(Z$6k^}>bnc1*wn;{8 zSZ^!J-T@>5s(IhNp9cm(J?fVc9~?nkv*v~AT%A+RbD=(+H?0FvG&JY!aFv?#LU5%)=s|nA|#?$!&h*)^BpS`6uyBok8#U_2st5<<)3E%pzLi68;gidb~3Q?+>}@ zI$$Mo96$nZd=J2n=F8lMaLN6O$jfiz@(-f@{Q?vFkSWWY_dmZ1kyG<02!M^1AjLYq zEgL;E9@`fPp`)3uzn&xcusOP2s?jVhn6m`DS_WJ;Xsvsmv3PlQ~@c`!K1Oadn6A zpztHQU3m1$0G$!GcrG_kB+*HrJ$u;~!oB zMkzuA4~DT#vIl`M}Asn zG;*?V z0m_7%Xk%H_C)KBP`lU$&>R`g7r_SEbM>!SCI`1fXS4^0JLJz;6oGqzF-KLL2(-nK& z@h1hfDPDB4Nr%gn?hIDoJUAz7;pkC-RH7sBy8Ib#CGG#!5)iIud)c?`a3nt85QV_k z->Uq7jeT`MRonJ8ARPiC(k&n*N=m07jnWO$Eg;RI5tJ09;ebeYcPff>h%_8RO1c}q zb-4Gw_paCXexHA!9QWCKueIiiIp>&Tgj@iJ%6@Fa08Wervy*T;2CU>g!4M_6ce6Lb z;9^UkIDG)HVc&KWXnN_-e@*i~?F7)lM=+PVBT&~S{ArR`UNnSK^g;x1^$7rg+=t|E zGv@Uo85rf$do;a(A#aW`r8VJ4xp znN}QAN=V{DJjqSx7(~d=FQm>Gl$woSlltQ?fe4Ub+Y#PYXG|6cN6^VlnsP0VyD<+D zUke`VN0Py8e}q5P7#g&f3inLis1t_^rY5}iQ=Jj6tszKmMSr*ZZ6>J zXL%P}pb%KUjoraPCu#W}HWzCu@bSlE1|qn!x%YF73x@9g0ha|i@4FkuNCKMz%@to` zWXuPb8$`Jh|`g@8Kq zVZbWj7XoxvL@1nUua&=JKiKsE+;|?i0?3-kgs2h$Xq;;(bT&oR6IR{>(1CJn1angC 
zepN*;vKx8t{1AK@Pp0ae7G%5tmlA6!sAn7xPG&%SZVe#JjkyuWWT+M6L?fT2-Z7lp zFc@#ABATJvRgg3i7hVD6bW@Gx6X`KcH)?+xE1D!~{l||lqIeoPq9S=I{8_|Er+%*rHe!-c(YC+IL8`aVDW8PUe`+M(z~!tL?OteZGWd=P##c^SJt zQSl<&X_CkccC=6mq>m))_y{T(_|yy3i;g#ML7D;k1LSO>K8&1i2n!)aWP^iP|9pLc zl*0jGOLeFty!2y;5^q2gKP$sil>f6*S%YguV$WxmVJi-a~#?EC&kxAQq7JTbm@vG4fx2U`Njhrw44MZH z^I*Z+drDy8D#BoyC0wL^YExfp?(Y~7d(A^wp z996+-Ro0~5-8#KrtmF03V82#(tKvW}%U!>7lpz=QLIj4fKl;GL5@A9JNn|5_@4fB7 z9k=TDupeh{nuDy{?q=oEZy4W;7f##4nmCA}k?<1fIl3Ez{D497DX(~ilf7dver_G* zJ2(zJ=S|;srIGcO|QF-gLgy&w_PdW^ZSWkvMG z9ujOo=d1}MwwFK^f7nii`WjzL(}0xSzWqLG%hgfKmAlyMmxEr%y5th*qS$@0Xg5mG z{oeH(+6?Cs1=P6h2MXdX66Zc9?lFVIcN;Rq9R+Rgv20RI0yyux8j23;!?qK6Ews3g zAeAs@x}sL0D`{XJIJu2sC1dAvwo--pnYXJV3t$i4Y{O}zMNg-(E!IG-uG0snCn(WZ z$1I$)+7Y)J;}FDQEQcyqR=0X5wuLX;Qk595(#a3zZ%!tr`&xXxEWcH`^XyZ>E#r@f zH})!JBvnvnEp_B=TAc(6d%K(b1_)NxfI&Z(87CG&vzO29*Op-y0*K^9bXK?A4J~b9cqWlv$lq?@bf8BMxi3V5NE<(Z>Rti%Cnyh-A=m?U<(&-rtT>kLpLLkJh>VElXmu_J zjX!y!2JL7|5Q~xb-*yzv3~#=*`3U;~o#X5dT7P+ID`yB=-R@o6=$Cc7PwH_2TO0c8 zcOuW*(OXV{b94}cH$NBsL0s$+s;Jj)}BdE`$mP1=6*BdT;bkD`v4FI&I0 zbb>Z9^222Qf#y2O!0nutE;E`&p_$yakn>g{DT848rkiue$0kUpT&K@YK{8t2IwaWm z6U%z7`9h2|UKu`lo%&Pw8Am(v?$%tWFBt(46ncoDZwS^k_UAz2ga+G+`$~_Gv=|q^=%NSl#GcT zKZ_PFxob%v=_jTNsHb+`aEb-Ugi2PK>E^y*y`+e(jC? zXyQ1~du9c0q&&r@Gyjm*VAz-g z01;m~g_J-j6bKG!1f|*BI)ZG)GPBp^Up?vcg{b0TuWq-7Vd)35Mvw(GqU+0qA({w& z*%742c2qs?b`@ME?TbgW=xVQ^>VF~GGeiuv)?`4uqx2EaC7BC7tnEW`f15=^WxV{% zB#nZD!G}dhR>~jSH`gK}sYGTxP+>dy!F09()}mvRUUvdDBf?<> zy5Fc#X@>A12s;TbirRt&bxWV?Mk?j{xHnfR#e+VP(w(~vJF%xoKOqucXp5i@)nIZr zM!&aDcrj zqz%dP*0ZQ;QS=|c{RsRtq<>?r)-6O?>C(vOQ7-LSh;s1V63HTT>njEs1AR-`Z)UrC za^n0>Tlim~S%|glwTy|Pah3fMP+nW#Ei>_lPD&4%Fxa)5D-vyDy77Qs5#amZI(dS! 
zkH1f}<3iXU@LDaTTddveIXdJH&ByMc`HeW?SaZx%jLnw2{WOE8?Pt`R=5bHcaSewk zX-ZdJ@w#@}BMc&scYY{{h^HCot4A-#-nI4jwhreW`Ko0rcx*{fNC;Uv&g#Qk;ZUHLDkUi>FirX{r= zxh8+GA>4T7W-><@qH%L3K7=785FV&~H zq&yQ?XQCXpyQA7|>ZVL9YevR5SgdZeS@8IQQA2!mXD!_u*UA z9YMSIee#qc)sHuE#)A1jN3wJ-mv7QJen-SLVm0tdVTmjs(@5fp+0veWJPkC4U|Uja zq!Y$3b%u^uIa?)ZiwW^*(c{A{6z{D+AYoC_M^AG5NT#^9$!+n93LB)4 zJP_iTB>x~`fBwhe!X<^QolZ}R%O4p)t=%X?6#G8d_n9OX<4LD z0(D=ojOO@HX&uvfl=sa6^ocfvLvcT1T|!#Jqxu6wqqViXmSZbzDE>*S0Yci!)yTIU z8*SW~dGR&v(5X30IT~HdX5R-c6Rmya*#4UCc8>cH2Ukz9PLu56C^e7u}pXOpzi6D9uR(l1UAP}eZ@x|((Gj6CiT;IbN@px)rKa@(3WdhP4$uz@GM zV3Yxsxf47bb0tzPj_%Tx1!q z3XXQFiLtoII14>%=7LB%bkhoj<#}qxy}#>zdzpAsWb=D%Y;|woIftHHGu8r(cRzXO zH7m`>$JwVr=L;qB)O7OPZ>b*LpIBP3{A4aEamujCS4+@D^LmG(tFBaE07Cl~J0r&8 z_~tD6{DoCzq~bHhVlEk|gd+tNRBnDWU~5MHi%HRnE7cLB&*ziPo_F@u&7qa_?)tCe z-WDm8zC@jWdEXCcQH;w8_P3v1S!kK=P~O?Et0Xv`kcZiRX3F7$xqoJow)|~0t1D9U zV7FVF572b6b|a&+y><&&`D{pgqZ!n3y`|Bf<0c72ZFC`SH=|Gv)JNSUIX{O7OQSkS z-w_+B!c*g0-@QO7w441y)LQ&cplHD>4OJ|$DxTyXPC#LZUe?2(pL~U_hd9Qz@3GUDhHHWH=D7Yv1H&T?p4dWw1qngn1937C!$mHK92l$Ixf1=8;n@c zIZBhD(rW$;4H>f-=PBATR-DYs&wIor#>a%CAd2NiG>_7EAsJ$heDi0|4~jU-ujZ9# zk3M2Y>^zu7SClE1sCKNStQ43~PUf){q}!z5Y>>CUjK)1evwbD(w`&=?-xLUyGK}=- zGGpQGJj{e3``?2YfDoflK@=~9?kxsLgD&vWK%W|%Dl{u)NF~FycOZ`zRt{IrhW6

zN^@`sg}l_fRz@M~s?(F|-Pum(<%W5nOnsDsG2Pent}{Wky{XTY!>Fqcwh|gDaKZp} zt!`$?WZB%4jpjiVm=K1=d-czo_BkQY?7-FBVM@CckIz2X&aEo7v_D+5eUPmf$g@0U zIXcWHY1BEY7~{2!|8@z8m~v!@2d*$LLiD=~{+2TS%j+;fjw5Gd*AnKJ1(nErbgdrI z*bxM8h>frxqKQR_DItG046(vSqRXYmru#xu{s2Al0YMm|GinIQv1!y>L?cwj2Ebkv zeSGvTD18i|$=N4%NQokzq1|=+MEVB3Dp3EivQg`;tro+=*w+buk9?mbwBr%sabPUS zqCZEL3q(ad#NWabn}045?Zug8L`^~&l8SwwPLLMi;{&(b=KRHvCh?v<2;{%afU{~G zJEx9+;hWDRIk+Po(q^58aRZx+;FK^suw3dqf|S;9xF8&YUHi@3pT-NN-=sYO;EP~e z{%rGnb1y;J$v*y?Mb6UzTyb76JSL_X3{-SSF^ll*$mV6uUGt2OpqOfX@*!o<1N0cm zj8)5I8%8d6+vjk_z2`WGAfSJuJnts^5!WahgIu@UaEc7wS9bvvIj3C17eaY1k+vLO??*rCCM`=Ft3gX>M;CiYXK#+pL z-Q%3Y_No(=hFwyunB-v5>%a=iFY_pR=qs`#vZoIY-W2NCOU1FypjAfO zbQj(eP8(Fms{$c>_et|K$S%Foq>`sZnDlxN7eyPXr-~w?Eutcd-lf#y9|<*d%i4_uZ#=a0gUFN53MB3^Z5(-n8KIh9+s`61flT1( z#`7U{JGI;C)&_L#>k+HeRqp{j*Xnh)AQ0P+-n(cSvKA@08xl#{%84SU_d;Yl^;K(X zf3(+fkZ|ah`EPU7qJYQmGtSKwBCo|}seC;?0_xl5cwSv~xwp*weJ$_*CHg0A(lG0f zb<6Xb%&4jnPt;eU@iDpC{3}*IM9CY1Z}4G>FO|tZq!~ve6JWeysU^%I&m#0Ae2egr zlJblE`g5eH!d?7x#8|L)=bY~D)z`Ol@!N&{8q6Jd#S~lXnQw3JF6Lc; ztk05AnAT~)gP}kVM)9CR$LojJQ|5>N`{Dma4S?`9V8VDfrS@m^`aj8zSZeE;^^xOb zkOI@BhRv7|M~3uVr=72vQr-`QI*Gf5-I7YgYYiNX1<(YL?1LvXf+Ng|Hk|tSa)zV} znUX8?s~rdTy2_oKRCWFa$Nv+D;I~VY9<{LeNv-a_1UNN%k<@GEgBSTPNCH(3q!V&_ zaJY=td!QzLy}lVH(kVM97L+mn9asGeh~RI(mWqQGH;L<-r2>AZ|MH|?K4= z<+<+d?=z|9QCw7;voMWJk}BKyf= za(jRmFo7c!;0b?_r?7-e{|JHe`XML)JbMY(P!q`pvU-3rX1V4HoCwrG^||#-V_gxb z-g238=+FX~4#+7!os=d(d!3)bsd0)yp7cup&kFH42xvw8g>^3H?>pt+&A_DJ{;pv# z4zI4~wjSB{-y66qf6(mjBk+3C-_^f?Y~~(U;psSk~0jZ zaJfz(fy^1&84x>M?`ChQ{17QTp@C%N2>=?G7w0E?O&!j;6f>ilO<#*KaW%7+O5cx&V#?{a=0KmnCi(%2r+a zULtq`=ud0~tpeStY>eR#(vgP;#6Uh#A>lz=3(O=&p%6gzE-xN-kS|C?1RvB%Wa(5{ zEjE>Po>hKRtbjuTg2`Zj#inZ)Yt#V)Mj-? 
z0@8Tppq;{1m(JOkAm2D?4;6HGv^oO3Oi3R7$!h8+KAuO2RBEw@4(Bqsfdk3!P*9kj zYw6)>I1qlWuOHKE^G~gs2S*0OaYEI0XJ<8=dj-#QCG|`RM~V$^5Z#Wl6IY-XMcTTc znjvHOB=5+`DZ|jY3>F|S`If~%*nRiMP)&Jx z`8r@@s)3U~vB}BEJY@SoW!D>eMHUw>L1{_8cq-%n@#2}pYC>&iO9$;`Xs*=qpN z`eSV6oSd9VH4QyeAjwe0v?2r)$wm!&J&QzZs4~?t9ID`otSGq$-Tkf9-@x|V#hd}rQknuzj5P$n4Uo{;76%T8AKvx6OlSYi$L9Wd0B&s0?OvJZcB#@GVDRJCdMowezP8m4c_*CX%i zi+qo-5As+4{=?qDe|%>sHR-%10F>eMcwE7}vH^Og#qVnQ(`~kr?dtO;PCxox_gb`p zZ}dW^Px#7pYkp(9;9kyBqKls*0RV(|tGc`@G&EH2WCxI6Cv#MBGxFm6(ev=zG$Z#P zsHfk5M-HoX_`uSwV$V*?81cJXisGPK6fYMR7CJ`CckVd4yAfR9#19kY>p*c-2qE4R zZ^VmFiGQ^9A2;~U(h6J5A5H#q{wX0MO&sjiJB>KYQws?-MWo{A1pMPWa8upI+IFq` z(IT~v2Y*`nAr{_1@x^Eqr)VqaY`6gkaWcOnL;9U1`Q;M~z+mE6lp4;`&-?%EZ)(IL z{yJQ|Tsovnk&Lykt1n1@HxU2v88OMk6!L%k{@;JHK>hxZr z|78b%J}&AVQqTL;ckw}r|6`SEK$$tUD^f_R`m)5zULG4nKl5Si&6^taZW->cPs*0~ zR!16*lANt$Y&$l`+i${(9ID8Z1Fjo!SDiX5Jw4sS+w*QUY#qlh5Q9~>b^soNDZNnp z9D#|2Rq(uK{f|-pNB`z)QZq8 z`vRF&+_q71s*n$y*KHa^LAQ{unM?Jc6%}oO>RKrN_U?Y9c)9F|8w&I~8>=KIhoi0< zW2Ef4sXaxniF%sn2S#{IuI|Jo#zpt&W!Ycf7K%XMQHS#%9sKLkl0JmA_C|I+#hhqt z-@WR?P$tr5jiR;{r#EZq(;Sz|DVy>t7Rb&x+{SWI{f4a`p$7kYi~kr^KmL0Uj^e{z z_H*m17!oKvFtWXC`XandpuKueZ`UWJ;lsZhE${2=60L_<|69AhwslckJWVZ48*?Ec z*wUhHKF)ObSckj5sP|V+EY_CvNAqW_lJKYIy2CfCbMADsU(N7tcx%S@&xd^};+~!^ z?~7O_p2OH-hiE^cwj524DS0lMk>q3pLLK~Ei%OU>PJ=7xe=PUh)TQIeoM(kTtfgtY z*7gr3&Cdq0z809A77%SdC+W%CsMrnzFL*Z`;p!-nE8aiiSDROMLc%nOOsej>SKR-GvZk>7((+2( zc`4-)K72|SqboZ$7VFCN-T1}G{A4lZ56a8Xgv;((JrEeOBRn4AnTY#qeL0X5U96M7 z^n9Euu=;eXs8mokaO@KbQGj5u_spJ-eXf=T|in` zTG}Ck8v*hgwIt(+*INvNUrjT6rG1Brt5mAl>g;i?XCAO^Z+>xK&UVVYp8j_u5u7X-`>WC! 
ze>DTuWZ$KpW=|{cj}fk^M8h*hws)MY80FtlTz@YROK^KrmW&fpWtx>UwxTjQ;ipF$ zSaNIqV7Sw4&wH$Svq7bY$A0GWv`EIx^9cOiD$(Ntvp!q%xcs(Hg=Op1Ig9M4{pVLr%d>47lquRmS_+* zfb>!Pz0cBTFvC)oOsUi|dfd1kY{;EqPc&a$dcxt9wu@b{b}`$dVn-@79wJxg71KZ; z)n)jp^tiqE9+?0D6|aNnUk#jqs7mi#>KioS9Ysvk>X{`J6h zOWEbnnv>wF!(wBvJRk|BYshY*G7qk|4$iJqk1>2GwqlbWIb;C1EyQI=hH)H}9@zlr zq4MKL@nm60Jsiw(O`QvlWQ1ErW5O6HH$~2004BwSbx^#TzdO?eAcZ`pUAL2kJgXa8 zX55!4tN|r@;=-NVx5t1FV+DtLGPRC_v!&}6oWjL)q+sPUz;&CzvE5`*Z{y?50ijVf z{0Q9#;{M$|J*?BZTLAK;x2dlrCs!eXD>PhOw?x|A+v~iRD+0&B1HHRmt`&)HfWGqK z9g{fQPwv|QdHYJ>tZ2*1zJc><*rf^`j(swqpRe#w!xh?(f&j_oYKH|WmDvNpVmR4G z@3lbPaRwss>)`ZV0Y|&PgaSt@k^;!%&NWQT9pLaz8QM4QywZU}p>_cL8bjgGj(?aV za?uGvW7BUOYZ`ICTr;>T2MN)4n-XHW5Q7z6cxAz)b;+z&J#d(KrX%_FGbXout~`N? zE@aj2Y=6}lPI%QYlZ8dF|Ea|LfJI=|_r?^2)9ZK}dBb_qj_cra!3>?Yb=2GEJ_1EW zO*_th;a)zmLQY>4vjr!KM0BhZ_2XQmv}G$5x(&P+70j%S(Fba*R4y-njyJ&Wk4Hsu zUK($ixyW3Nj0|??>(`rAgr89NL!o6&9`ZR$iHEH+6osxiuc~b}%o@%Ny4OdHT^#!t zT6Fa$g2f<7T4&iLE_>}+E*6otFz3r;X1>eAQa#(F$!1QRbo7Z^&Jkjf9Uj-K!y-5* z-G>FcUT;PJu`%X4A#L?AVS6b~PnwJ$zt@|h@(-}dgy61DW`0y7oP9dbYd=?Vu^8(P zeQ5j&a29nz-Iqw#z-(H*Ps(L6>%RhA;RHP(aDM-qvi4nbKQ4MZv$CqH2^ytay65>p ziBEX#30x@{#51ac0MX5 zx%D`J(yqBwIIpRb@z^938MMrREQB#gU~o`eeIc`dc|)Lb2(aot2hp*-i=9ZHN)SZ* z-lPuWMwkV$0=A8a)4cWPC=kMxi!<2OrvEaKD%KuGD2gcPk2^gA4v~(PRld;fS2{Z? zIMXRp0(lV%-wY6ahkME{=Q|w@dtucjPrB9c=K+YgdVc?@fdptg+aH*8E)Uzh72nUR}YU@4kvS?NsP&x9$G6d%aOc zrJ@FgeS3Ijq9`Zp<+`fb-s$D@&-JoqUxHgHhJ;4nsX@+uWF2mV0bW-XbLaAN|K|c$!@AwuR=qRArA^%3OlLwvRcdj1P9{2J$76!lQ|Zx15>Hyr zsR$e*E}Pw?;D?M5xG%6nR*v?o&tnzaI$1HQq2&{>DbU#Nc5LmeoEU`(W%3_rOXRNe$#?e1;ku<6-ev| zd^J;O+XQtvT|Sd2E2`DHTGievaYvwnWgRJ4I~#i%xGIx?Y|$L<%*oxaYrn&${i9?P z%HpIyp*#s^J#|@1G_Oa<=a6Sq*j;jG%VBEGE7WgUuP>h`d{UI#nljsau(GRH^PF=`XBsD*3-Lc%oD-gB9 zSw5CnWUVfXXMJ|5TI0-?P?&i-9=CDr>I(~@@G~Ig(qM~Q>0Xpt}Yu^uR zaQD_b8WngB7h(?^k7~!d$J7BM^jl~97~6Qy#gFFfEafHfx5w2Mh_tHX6Sr#Q?OQ(? 
z2Y8zvxg}2S?eU(366~ggILQO(_H|&xmjF0g;r}=U3K3}j=w;MWv(Ii$FFvPh- zS<9SFBZ`SjG~3o#h~4%>Hmep26`^W$K)JV?H=p)5hcDq|%hgYPOkaSqvUq|1Y7RF- zE{*h)*No5?cQ6&t{LEuLDEVLJ0)dtB)ExiuW(ffeF+renxopTHE4rM19mu*wtgXX!rRk24M`DX=lD3o@^? zQV#NO+2JuYWU=_kyP-ngPAGqvjH;0vbhB?8wwG2#WolHg?^BuWG`K9ER$`&BmKy{u zLF()phSU1U@_u`VfC&!rb>%O$j&a2zh?*5xOSq@~I4UKQyR6n~f$fy(6#DVhUvb@| z8_AAddq3I+YtGmrfn4tMeW%7l`F7Cs0rAmdRh~)?zmq}<9O?JYyJWS3A8^VIA>JmP z%3yWhfVHTLMdn!N?hP*2)F*X?oh6Q6K2&MaTrx%Dt*DedS8I4m=ToyNvW%=-a^AFU zmmtc^u6ePeWXkfzi=$6`s;g0*#8K#+$Mv%m%kh=_aMk+hhlz=gvB~RM{pu$L z*Uk^MvNX!Aor0E#p%>b}p0|e;{OGOc*$GJ%md+Mm_eMRlG>WZPQ_n*BgxP#=PiuTa zJA0@#NyqJEcd=Lw#1I|FGd%nF5t#=TgDttlJ@5^{3Eb|2CR5&FM=eQ}3WGTmv= z{iKbr2?m1W8eR23i2nYX$_<>`ULZQ`sVvr}WNK(FKw;1kS2o2(Rk7qU;wa)qJcD~x zRX%jV>S`Lz{De{t%R}Mz@%Q@rKIYFwv)K_uO4dJ6dfqV=t)+J%VcM;E4?*%h`Jh0W zft;6m76kFwr^AsF<`B(M-Z?osPNjUyVtI9*9%h6yKd{`BW-jn!V~EOmYfWGIi%Vtp z+2gYTYSdn>5>I6jYti7-C0>-d*zd(>tlC(PjTVz}HM*msem-iv+i14l65Uep(UOnP7Yyvxr3;G=jd${>16-W`W$5p`{vJTcXLf%&w*r50cc#QQ&H+;MDS*ezv z4R`Fc`bZJ%UF<}ygYnTWU}|?7Px9sgmI)PbS=T&$=5&MQQ6_a6QWx_i`GhK|rdBkj zWJXSD||sMIfbgGB`g8l&s1LM zi(L(zL=jf1r7LH3U4$9wp`kpx$X?4?!>@-?BbE=?7;Lb-^z?x(3ZXSIkj~;w+$N6T zT`9a^$}K7Mjtx?eEAU^$TslMiJYbA^;ojztQXE#d)OJ(*rVh#2oPv|SwW6IKr|G%0 zHEHV(*yYDWE_Wh_tdQT1#3std6ufK@mg6@-F#(2P-eRfzhH_AQVBztk@Q@=)j5F*f zXC6X>a0_V&{tVaHk9Gp3m!tXtxKfdn6wR{fqg|JWEWF2L$S2UjWx2LXWp=fjV2F3# zC6@T{%_#)9@AE}2x?!#}&U50=#BYxhWSE$-BtTw_w)es|AYwsO{JU%Eep_F4Mmw{L zntTuE9~Cs6mo|PqoaXEJ;$7bK>{D~9lf2fL)zu!<)hc?9(mT#&bVRF|t0~fBrUHvq z!1&BHS@xZX@Ue!=G)l8k@*?69s*C$^P;1lqsT4iwAOtEt7gMDiqJ2%(wE z11tC%g!=5l)O%Jl@l%0D2@nu9eJ5w&CUU%HoyZXYWJ*wvs*!Xtf1)H(sb>X#XE!xu zzPE{1G>m2%W^Jd_O8}T!tZSfMsloA`5eJRBj7?X8Ta4#bEl}tM$8r}34o-G(F~O=i zjAO|2vRql(ClM+UAFR)K)ikho7_auS5v1|DaqyHaopBWJvE$`KUR8JL6ZlXyzrU*I z=L()BmCqK>ChtI^%ID$67vn zy#e7PwE-TlS>Kj&jx4nyZLOtCL;S0zC;gZvE#S|JTD()23xSE$#+^FX&Z-XRHmd5+IoL#)I^XuL5 zpTSKVYO{mZ4mVnkY()5N6y>@VoYZt6l}x!=ba##MyjaR<46nAaby(4Pcvbi>8)!Xz z|F-iRqlf=LBHU{C2HsolbF}PGRy!OXBD`!o%kMd4wl9)@#%+qzpUm4I>!!|-&yg5g 
zRU``aH^a2Dq~JD%uzb+oiXW}SMOovDcNP;9OB8+E1+{L5!v#9vI<83OT{rKuujtN{ z(KZnYg%5Yw>js`60 z1;OPh-*YZ6&f*)q8#`EBmuHesSuG5MId(pvR9ryr$(;da0B#|T>Q#Zq0Dq(t1&#{M z`%U;0APpNl5RdOOQuWTr;+wfv;_7bX$a6kuA7iDsR3+p~g_l#OdbdH#MZ;%Yvm>iy zOJfl|9fkpleut^*aL0fRf9ws4lv7t+i<(bylSGZY=Bau@-fwZnTe6x&8k6;gT4JY# zE%Ta$ofKAOmpw?v^7NfwGsQbswWJPqLX)88WIVQI8NH@k2SYfwjz2xsXL9-@t+tDf zH=qc$7E}5UhxtdUhbkeql8n>hZE~xtn7t117E}doi*8#0^M4eYW@Wf2npd25nZ!vsfX4dMF1tuBkk_}?PR10 zOx=R^x`-TRWYWg>>lVFPh1rEh8`3v8;Pecx2FGVl8ERmv>IMP4`-ua-cs{9bWEI!+ zzqR7_a+mb%gZS4ct|L#2#0$V7&`>ueaid5qBIoktLRmzOUaaIGh+Q5?v31fey9Vg!>Smf0Yon$=gfpjx5P+};gXmQl&AXN_{$Hs z2Gcu0`qlMFmX+`p^G~PDqtQFIJ6#_OCIYm&Q@9#n-8~~IkdPwO&)=mfXpZS`QYb$Q-- z%@UG&-7J7#48`W$#BIGzL=>NRrFEf}w+;v@+l6i;sBTNODFe>K7jjtzRR*SvAWW3F zd7HbW$Ug@2W;pPxQJlDsN~$%a3S`-EK}iBi5P@k%>u{z_jBb?jMZ;Qg18raA8kJI3 zQS4k{Yr|P|uh8HHzIU;GkunGOQ=eD@n=8YaA8a z_h?_e1B>JlmX!E zWU$OqYBy1T-T9H}xaLg;cnVkFx7}uDgyv?SNv9>dC86HAN2WU}ccD_S;wiOuFVtW; za|=Hfb97n3^hhl=y)k<&)ALCH}==oq@*At zIQXEa%6W!5*uBN3^01c!1Q{pB3qO;sH)K8byE!`5kQOo1^g55LPBs?JHpgQ*E{}Bi zIz{4_iT`9r${6*EK`F`Z8$R+a#`L#KYI^sXW@cVRL`Aq7*hKzqgL^Xjlh?a!)J%$9 zqQF^S(B9m7^3kVaw?*?a=2qRrj;&a0I@Ic+Y(gHCY=Aua(KUDK7mLaJ#s~!^f$;XT zSr?%AcE2!(`>HqOIs^U2BwwblMu_dD7UG2ub_H1I}Vg11F2tlO$Fih&bzY0Q&tr>67qR_lU&i2}(C!H|715i=;8< z;P_Nr;ja#~#e1(c^cITA=$h5c=0XX2=ToG00$%^r)+w{AIB0T>unnV8CNF4vea2N) zaMRk@HrZq>|KqK*7y5qF{0^@dJw?zgOLR*^owt$ZMw_a~X0F~-e`SbUG=1sgp@(Zd z9-`YSYFHQuI!HAJ0oL^$x!33)vy#ED`=*r{h|j)ER2n>Wo`?~7>}egmSf|gEdPtJV zbf)D8ji3;SGs8d~zaQtUD7YiZn^ww^6-$v6AHQ6FM=e?_F{O$vfug%^bkv#KejmuD zDUcj9QyC;DE%B+BMyb~zb0wJV%zw^a#RSwMD%MJhrv2OqOpOzdX%$!64VEW(<#;B# z4hZ7|)JG0MWp>J_Ta8dpy$i2SCG~DzrW;B9*+Hm40)_i>m5=4x6t=(zdnZpvkJ2~n zv3v_V28BFA%#(_TU9lY#eQTr9hAxE`g>aKl4L~57`0m?76Aedy{Ad>5zxkgTp?pQd zpX=fcZd1E~ZWq235p;rM$56J{uUvpevh=!qHR8^cuZdmnK=tq&t?_4-r7MU*6%56+?e41 zMsLkCSr*w-m1Q03D!8LvnduZNpZwB+$Qml~bW;1}_zFnz4AUXLBK`g$v^S6Tm*^AT 
z{dCdF@&Yvu!I5m+O18Fj%|%VB>(212ry1x=hMm?q@#}mj9J``;%Zk)XnmxWZ!-vx^}K9Qn7i2m201hp~-Vk~Cb3o$eSZ;;^_(bkwmX5-XoWx=)~$C`LZK$60|IQzSi$=F}>oxwytdJh|^z zuj?qN>d~!U5ihJ`dZegj=8n>-=im5PG3h!mJ)BdQl^qC05rGdA`rQv8-)hpxyq~8H zAOjjKylC(Z?bjJ2ny!yA9PeB0^AwB6t}OVf=_3^S)_#rGc87@Zb49ispHs^nmlK*I zYv;uM%+^c-xV>;=0tAVa&CS>pB;?ANz4`%`f8G{6>ZiXb1j`~=zakG-RQ0-IWDK`E z)MoMYmJUeRlks@wO?@9I|E4n4IM&-_v%YCtzL6l5Jci%EUHpp92_1e%KS?ZQD%Qb_ zb==>)_g`&Uf5Glsi1r5>$IlJ<*}`~&?XM}D-vJSFnE`%AjlSFa|KsBMTh!?kL{wzg z{rYPr|L^9h8Vh)>~Bz`z@b2#pNK&!zMmRu#_wPS^YNAL9dW=aUo! zpHaCKde3V^$ZbKA?EJY^wcKO?AL#E zJ)R7>_AX)Ebu#~dkKb@D7(db$0iK#F?vj& ze&c^U`>%d~3$_92XGVZ}{{L)PI2?MmBPWXX-^VvMr4RptqO+mh9_6ox3)?YEx)j%N!RPPqprV>ApZ5Xf4hM%d#T+tzfRfn zAVMOdv(P`%c%tdgkWTe7U`(ge(ei9UiTn}<|NV7EscS{SJkXsr0@P-4AkPnyt>q>x zgk&^8MqDXEL;xiHwk~k<-m*&ThpE$fY|E;URJ0jmv#`}mXd@q4w zhL#P>Ab9k;5eG`5Eg~P2sm5*^=zlB0uo&GZoIU>U%~O5Wiu+_Gan_k0fBf1cTQQDX zRHDNJd|k@*@K65-aUBe_2=l_%;0& nQYU3XZadQ-`?;vlonw*6Mw7`WwWW&);E&8>Mag1uL;wE=qY(Zq 
diff --git a/assets/images/screenshots/dashboards.png b/assets/images/screenshots/dashboards.png deleted file mode 100644 index 9f07adedce4121b5934c7d12f196af45a8c2c438..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 395029 zcma&O2|Sc-8$K+QMkNuYLMnueqR75g_9bHwgC1_b|uZ}L#H#ta>K8@(O1zv%IpJkV^lkQ>XhLXW4ufcKR)gre^ag@ znd|(Sj<1RgXEPYC(jAhtNYnnpa_rclTk+F9PC2Ot8yz zM<0SslIZFBj}Rov{DpFPJu>C-cJS03%dzUhXk_Gm`2Obg3#nYwyTe-e z7LFFy-9Y(Z$U+fPY>X<+BZVFoSUAfgG+C}gcx%BI#UwWh5Jy)v3;I=+z$EC-a-e-?DnGmwiP| zSo4(qjsEFK_UqCQ(pIl!r$(l7(~YnDE~(d^NUuV%j<=SBJ$VCSM?d;zKQc!d(kt01 z(49M(?R_thE@SdgXJ^YhtujIHgvB$QZ|FEWLj^hyKWjK{`hHXTkkqfI_7@mcl&?Hz zctv;esPd6FPqJ(dn;u(I=Idjw4D-+jp+76TFaj7WS zx}81u>_y3!DqH#+_s{a!gX}r%*|RTrvi3a2KE_7Qd^>JeXDeh1FW~Rxz<+Lf0Qsa< zve{=a8$1h|z3XzOl6Q+IqVa}X_H74?i(nSiOK8+!_+VsybHy(icVyKmIiBJdn6EYC zs*4suoC>`4>>+1EI75z&M(?TXUz$EOdvrJ4?@7X^D1FV_cW$dz-SyKw%a3M_d{OjO z|5AE_>X6Einv1~5l{I!X4fGXAjI2;htfsk^@MXeVa177e5n&-AuB+IqZ6<6&h4+Oa zGH5TeJd+uAvq%@^H9o;Nq=~i(h6&CkwI;4__grSCfTq#V*GR#zwc?ggL{a z#I5}+Jf3=lEs2s$3@;H9TC%|(CJnUmn)9UcRE6(wuygQo6txJ)F~_|V9u~fgzG(y{ z=o5|;bkGro#knlGV+8G=+dns){GA9+Qv}+hqit^{RmZz}d)B(Z-L#q8)k3MNdRb?> zqdNy@8p%#%7IGIE|5N0rUjF)Z)@PuwMs)`l+Y5F>u%NW}5@GVH*X_n%S94+PgE|xP z#uTa-NN^YD~YZW{u0ORd6GAk z&i7V!vJkC`EDMpAfp^qQ1eMf2ltHFy+uwjyiCR)dm^9Obq(Qr-}wg?-W&S1u+O;PxWX9Mdz`{b@$QZ6 zEw(@37L{&!vj)B9Xlb0PLi4%U^FeH!mK>KiV}>DwACu0)iE%-PIb zbn6>;>v%hPo9G^9mp^VI=pdK}N$trfd+YgO89e36naa^L@U?pOiT9$9*_=lU>0SOi z=XlBuqT*1&Q1=iE_C)KA)XNEF2;KCWP+20fI53*2=W^G$S~QOyQm@D%ZVDo%Dpp4f zE}nAn^by{=z7>aw#QfX}UuWVqNsm(yt$U7mj0i>4q$gR&T4P7qLm2i>@0st7(KSCN z9TE-gYxvdhp}{qZC89ZR>^PG&Q{nMyR&AE3qu`Ul=N_E8biy(1SjUN^8uNV72chBr7M;Vo&+nTJ=b}yAs4&x^n6R<@2D&8F+Th!mV^9c{lqq{w%K+w8Z7m% z`K8UKS)|Cl`JGlO3e%q!y2iosBIpk312Hc&FD{R_Tcw93Gcv0=ljy)I&L*MzlJM2> z_p!w4M7+2xe|$`kMh6>_e-L$CD=cdZ_QvIXfzYccNlhZjeu+AP>*wj`=;uY<6O*sg z_D=NcU%l`uB~rS>bH_8pJj$#cI#R6?@@;?vC(z_pd=1wf8LIo{h)*l5D*RpO`%3N=3uiv(6z4iTxu)=axS4_e 
zlIzy*ITKB8O%dNWKHq&;VxPv|n!7oG^`1g`*!r71^}V|Tp0hmfi|lI~MLI_l)2cO7 zTfVe(D83A?#Yov8RO2*^9B&oL)X@6trjc;Pl3;XyaYen`9+BZUgFI8?NvmA*_|VXQ8u|$<%Oe&3ZL^b>RFW^~8`~ z{T@wuEvzfTna7rwL(bUWf_7(1gMgTIIO_^Vv!|mSuJ=3UQHHsgF)rZV<1m5#E zrdd$^+a3=$HJjE)KT%LaVzWYGV07c`T>@YgkC?tVdK zh^mGL@E2m|0fV`EK0BQ z^Rm6@2X}Gxl<||l^hXI9;ClaSu}c^KDB|TTf5}uw|Dr0w19njod>wrKk^=L^ix=fQ z9@@(o+`0Fk>cIcxFFo?|a+47g^Y!%w`$~Wj9u8tRq@|_Bu8WI_i;Ds!L_Pgoy=?tN zT|F=V*~nk*+<|%8c{sXxIU-yy?ze0E0O9Q=f9cZxgZ}&P&wj%E9RGfjtLJ})1q@JZ z|Bl!V@O82OwhdI3+y7QZ-_Z}|Vs^(74ona5422svq{Zd_sPKQ?`umapsA~FmRqZlhtvU++}j2^T+)?99|qxvzBP@rMtrO7~+~KIC3` z%<=T`gUw^_YkjJ(a%%eB|I~Ts{vD+tBgW$wFMfBvbV&zvH}6MCJwsXh$WUASZ1$|e z)G`+9>Cm2%=s!Q~;aR^Wd)YW>x3uily~lKi=oyc)UR3&@7ssm_z8~W4dVH|b`z*+@{l++P#Y))wX&%XRsBYdUy$bmY)U!mb5=;+J|wgOwwU)BFt)rLom zjGW$~Z=H3nUM7yzy$<*xlCPDx+As&}l_#PcTxqUC(IaKK)@jRv2O6c#DbBMczn4*| zxTERy5Z-orks>3`z@AufkA9RPa~aRf(Fys@M_ilM&PLG=ii>Xkv;p>(0!2&llsF67 zgRRpseP9j`{gz#kJL<)_!a2H_5Bti7k8{}dL8_gliezn%>!mV81&{(;a@}jl1ncsQwTv8mZ`fz)8QZPJfxn(V~&@2z;@oAzVt_0X zPRk;Xe6PSz*B9s14`$h+yGM`Ctg5vsEL&dWSWLstzeZoOVo{(Vq`agfZrC-&x{pgv zmlkdQ>PH7&))ZcJJm8*8u%`bwMGUaRaU2BST8Ma0IfXl;K1+;W* zTgZ(bdCG6;OPE%69UOkrmvN=?Y(31(%CtDH$?jlS#hKBNn-y>VTjJQl1`CcAbPY4K zL|V4qFi5;^8{yGLFhL2X`90v1sd3PQeJv0iOzT0e51R<+%6+Pxo1n0KB*|@S!by>C*?X@<|RYX;^SS!8DyJRUWR&TWiG z2{n5Uab^LN1daQca{=1q6F!jyr>)Fzzi-TMam-0I$ky3X_3U{JPWS5;f({WhU6CMXY1{0sWmv8 zbF3xFtfrtb)xBsk^hRAj%m=$U zncOluUl-T_evom*92R$j)M9OAY1AILF_vhgvP6z*aRzy3#SB(OkzLpYxlOyp;P+G5 zD(j6Es~2L#gSX?2HfBX-b*8D;kpp6J)F=g7UrQa&FsD)HE-r5>A*PbO{Xn1}%6H9;Kp@7O)IQj$G}+h~k4EW8 z_2+KSAwryMkXFWPvYEcL8HZR5btx*Cdut?+Dq3ucC=8yHO_1eph|_!onug;D8{&5N zwuJ6Sr+K*amtMY5*%QV7Y@!@9_j<}#o%*SfMJ&Q+h%9N>^x9*{9a4RQV05VE1(T04 z9v?iX;s=6Gnv*j|C{{J33$}H%g!u#R!gKWJ5!)>un;pS7h_5z(<|vry$}Hx4&h?~6 zUfwE$tYOER&bM6VhNLU3_1Ph-^&&!!-a$xN8_!+EW8`Bi1>GkF0oXIQH!7v&cMp;7@`2O#98-8#;LXevxBn+cG(m zCHz46ko~|&IW@(<{X!fqX-Aa(fIIkDL0!{1d8@DI^4EuQnw1BQ&@FoaIe$T*ESA#UY$#w*BFucOoL~ZlvAmLBo9!F9e@JYuJIZ}6 
z7_4nl_-IoQ!ous;kcnm+S#0KovUTP|uX&2%MKKl_g`c(8R4x8=fVyL+4X?>G^_J7zAZw6aeBeO6(QU9mPl~kkf~l-%4(tLR7_srt%J?s zYyMaT}dW_V=u#7xSW z$m$&!ZL|eb@98sm%(7F2{kE3dwYUWXm?$Jkz=n_dNzp%CL*8L47zoH; zB=muNvXU%@*_O}@4?u`487mcAM=p`*GU}-a#q-DW*C|xw6Dw@f>qKEcX=C3|>E-Hiej%BL|HG+m^~aCkE8DIoeV5t;;$RZshwY)NaH$}P298+im-L7UJxw&LG#aiZ&Gb|zkwyVkOf;YFVPvz z-kzUdd19guyVl1a8!z-|@GwhY61kEqwkEp~Yngm|F$3*nB|N8t1g|7aU4h3OTXbCrg{fqfHotHK11#~rF(&+){=v>1lSLL z)U0@)M28$?ccU5Ff}PS89o?W2Ti)p@^uxAl6@Z`sVRf=LcQ&2u2AUwn3p+rfq$|`ps*1&rY#!EVVL+^jQ7xzwAp`vy?6PMS4K0>g zAtb+>E2@Sf)-2C%wZdBls|Reh*?u|`la#BqHv3Edh=jp?+dr)oz%rvWpfH zO!Ly@_>R9>u)C*5=Mh)h7|uPoR)~qF z=C%?cB%n{H;TCJdzV#kWT-H=d5qxVM@NQGwzOiOy_Hl17t5tIQxr!htxtW-&82fJ+ z_wikbkm&oG@hI7BA}U@;Ur@X6J#*G-K+e+wfI`yN8+A%BY?K&P6E%&SFg}D0w+4KP6fFQM5Q-K@Q(9AL>On|ngWH)t7|M4|WRw%*TjxnUbZll--gbRRVtuoN z*V;JXGc&2)*rKQd<2zfrd}(J}N+gXx!MBajVQhO|*2g8iNaRpaxpv^-pp!FFrh$HX z==g5}WTB7ZqNK&}-p@Zt6-UZ^M|t)haJi&H_X%3?$xrhE3{nu6 zdewj(g{`N4%_B!hO}>n^-E8Xk(-;%QGu_bOO%8O69}f4`{t>)m3SGDAGiuc2rTEkd zfWbLa+zb(w=T8xWLzKk|r69w-Q*XvExPP@JG+H!&)nMvPMsG2mr_6!Ksb1ZAq|YI8 z7QyZ$0s;9XaCQ0JlzlpGeY!M+=V3j-LbA-$m28C9P8jDiq<|ho@z%pI5gJ*a2lCe_ zm1QRmCS0vtbpy`njM$~m%M69=?F_@o%K?12sqX+`EB0uNl=9a8DC1xB9AvJOvf<)Z zz|x_Rw2#K4lC?+1eH6#XdEAi6G$3q3L(wyYp5ERq z*cNoOR5fDrb%2p$s_@!Ilw*W-&FY49Hnvb?A<`c_k?`2cn*Mnz(=16Pdws6Wc|7x- zUg5phknH0JU(rUEEz^DgT=BZHuA@1FQL-*3mB?|*)ZDK~oSIa8#Om)p_l_eIEXhH4 zIGANuW8Z0I3-1t$i}F-_6N_%zmdLLU)p%$wke@g1u}{lRH@qOJov|{|u?%dC?9t@0 z_H4UlRDolhWkbulER7M?PF=nit4&FYzhU4A4z1+1^mCV<@3WIxtEonJqB^b6`9Lfx z{2e!60gX2_(_$5i>({-#II;BNG7D9%>3xJwQM(w&MD?+4Bc{1##nqp+pho^jeglp< zhMzyDST6^NdvSlyZ^!X>_6@4$m|La2vuJ+7ZA5KCl)yH>3JUlhAsgV_KAs?oC015) znWl^^)_%>kTmT~>%Ec_x{6`a}{69f=2A*4{jbCO_EEwO!<$1JVc?0^!2;LKNO99W* z52o5S)Pm%8R(b%Uzd7oE{vq8OXLlgWBDozw;xk<6UD-1m%}X>Th^Xt{&b{Tb{;UfXNMt)qRpCBBB7sUZkqC5 z8+WL!*`+EPO_Jfu9_cSbKthvM(#@0p?J1l3MmvQwZ!;|9k9bZe%3q~)#H>7y{{!&@zsG7TgH>guIpW^eJfxOxgNJQUxPuju75dG zG~{2-I8nDm5{px1*>r1O+may?kAc2hy6tYlHaX(OL<&BssF@-*10Wm)_|pab7%qFQ 
zh}UuB3Y%Zqxwne+$##=L;*+1bZA*)TNLr*9QFD$UkI3mN-ZC;ewOO5Yb|`95fhFBY57gE$+y(8I#lAAFk1p1r2?24Q9X#VL`qQn~`}S*xv+A{0i+b4ea7O>whQ@yPp1bQK=z-8~>z zP_ntm7`}2urR%Kc(JR{PACHOU^&-m0`YJi7lYMz-MA&+Pc)g)?C!9N=t0q=UR(QuU z=*L}xSIrlH+@+ou2OGEc=elgkAgmN&=?&5W8U<8xLmKScTfAMFR5gyV>@v`CQteMGngaKR5 zOZ%3rrypI_0S*0V`O(*|{zl|T~dD-OUl&@qR@i_F5lQyAkT9l zeO0+?GEu@Io{PJu)&6DwzB--xGVNfnLkEyvo9e-_U1qnPgSkG|i`O3k88P@nhJz7B zK(7w91p^&zwWb57A80KBvVKGl$QmxVL~0*|o$Qxsv;Zn3)YDlg9E9rcmpPsWB;S7Z zpG!PwpPpfX3fDspRRtXk&W^I4l{>_T`&@SGpb4j=$31}xw!8Fhn+IMDKYEpbFbC&{ z2kz4(P@!@A@UNu2}+KD8bWUwO89tbue;6KVJbdc84rGURp*Pw?7o z`?r9&KzdcHUv*paB7peLwM3kuKUiS$3qb5|jOqHQhT6~ByteY`hiP%QC*N}J z{goEl1-cea-w`;n+#-&@R>qo^2)T5SoQjgoeOC3`Vxos|*QVm%Sa~}?d&kzB&k*?P z%TsAJdIr9Q>5tLz;YJ5kHIJ?sWw1=c>I0;0aRBu+!gOhg;Z`o#F_YVrAADow{7wXH zjWzg*<$Uv}Ksz7rc_w7}9S;Qk7>1LX;>Kc@Fyt)(g0;>zWCaD5M6dGoZ~ z#H60)eD+qU?g*!K(4wu^H*nm6wqEFGR`sjJb%b$W!=Ce&VrTepy3EHK)op&}-ZwJ) zVe9qdpzSELK02~enj$H4D61MYLtvYacn5SQ$(pHgX24S9Ke%BNeAF-fhGHyt*uOeA zc{gMCmy1=?C$WFx%caiaGlWYYlMymWcyFe4#%I+^lOaV@k9o*MGVL#l6eikve1d=< zaX4OCz4)(1u*qOdqS_|o8E)0N|5X~;WM|XpQ~7W-hVro=ztI1vkYEy8o0B_gaubz2 z-aD8~x%Thv6?&Mj6Uc6Ox2?934!cK1Y5a|y4IlVBhXbE?t-`#B??>j-8uU57JC9OA zausTdUi~>vAQj)XU>WZKXjJ^4r0Uxn|Jfs8&6PqJ$sHh%^nPD*Ggm%#D7|D(_3sDJ zg|@%pVg4rut*B)bC7CcSFO7Zs{Yq>k{r&7eivyF$S=G>^r)aseXvW=#2Z6|<3pwBZ zF<8^g!}q}54%CT%ewRV-tyEm6R}tFvaYwY19%*nP<=?BMagpl0yjvMu3?1$0$?y^Q zduQ929s>^BP;y4U{XJ`E&xQusywwc&crWr?!l6i&e~f3pgBeOAqrDvCXMQ=}zWI+; zSG@zcn&)zF!GBvw!xOe#h5$YJ)t^sf4mb1v{nY&y8NhGWu}=aR+MSgCo}fkppb=Ar zIdIZ{2hh-P^e1F@!b%-sqy2yMDoUm#q{*ydtxsI=TiPTNgIqy zpP&98?*G}#$Lm;CQlc04e?UC6?pQ6^s91P!drC2I$bGJY2v*!(j1HVdv7jt{%&@Dy z(EPfs*)lyd_ir4571qugRX^^GQ8IQq&U(rHQ0A*y!Yv? 
zUek{j!JDMQ{4>?fIqAUxKPs}3i?6J&$x>@Q>)RJ=Mt58{ch~E!cY&v(B6tFFUjwRL z?F7G=5ENcvB)!nUfInuv@ul5;s~h8)gS~cirtNUEz~8gR7$ErOBv}0LoBw-wd9D#H z5;HP?O%5<)UxE~YbbbE2e)neXE$(jU?IQawxmQ3E>BBaSSU>Nv4Ip* zPXoeQ-O8M}jnv8TmFm!vqy{&(+lyb>^E2I%ZBPWxdlSeO87a;Zc9dRsb?T7K)%v#cW1V1 zQv4Kofl{2XFX145PCU5AWfRDJLld{RM)$xH_N`azH`@>`&emH4PAkB;+GdWMs#Euq zLR0A>!T!HOnOdMDOYx;Na{l_{28|WiZ03z7*o1u*bl+{l;?1%(<%@w#JuK{mWNsbU z7+9aXw18B(|LlW|R3+}-eCpt8Nz{Ms_m7KfPV}o=L$u)gvLRFdJvP@F63SRk2E>tQ z!YkOs_qVBhMFFI{XDkidWhezp&5FAvR}|xfAeespWRFf|rnop0E9{jC%t!!*Fr2>y z#|&34yRYGS!!CGy=OY1zC$c{5YyIO!`g-kDoOVtPko1cM66ABKJ6kmifMtb5c_N}# zC*JAB7l-Un_=(FQd+QRZ6j5d#3NMX4FYHp4v(`oeE8EXr;W&(JuJbabS6fgQ7hg|E=87{(Etpg7)vjFzHB`q2_ zfg}7i{;^e)9t>-*_2@drdUpwBBw4^hzO}Ui+uWgsg#0M!P79{ZIMGJK57lpz#7roz zxYb^=9Gj2!D-vLe)>bPY&KN~AEu~+$Obi^4lrnD2t{%xwb{$w_Ma~TRJdTRHTr=1? zxC)vieKTfSDYa(p0B}TjwQta!HXx>_FT6en1cwX8|wc;jekYB*E{J!#RSNx!1MJm z-t7$LpsZ>ObNkEkfF0x6w65L%1H@W;O)>jML8vb1STl6n0?f~PE?s{F5DK8dYh~$i zfN>NJkX}o)=lagABZYf#Tf@|OkF9y%dT8Xj;@+}i>LDB>p$I#fw3KhXgO(_dzYZ<6 zDHM%6yw%MXj$eh%GM?%IV<%$JXN}__bongPSx>C8({)O!)Oh@_Br|1_{GoP{x6nd} z(bXbfBfEMUAhkV-YtsynHnpa$d3hk;IdRQJ$os>a;%9-#+567$4pq-P;*09Sz=!15m@-a&1Oy6f9fm-$|Wu-QS`n z{7e#sQ$ywpY`+7iWJk>owHG1~7=Go%l^NjdO>dTr<)qU71mpM72Gu4xSWpXCJ$3HQ z4jFYu!`$kud__1@#e1<&lS$6;jOxjvc_X!8YBi;(ov=9>!|2tLCJ8m@oJn6<8r@yP zEOn}$GH#dpeq@_Ea7C4`$V!a217cSU&CSD@JI@jBBUCRl)$+TC-Gq?EK5TyuY!XCR^~NaQLukx z4d3=OeA=}LcsA*Z%Cu6i{Kfz$I{-$7@tFQ@O-CP`qWs-zd% zq(&_cTbTDe8%{OUqp*kncx3~eoJ{ygVN%@q>@>XZ7>0S>zn&t*RuytX;8dgH0Ha$D zp18S!vUYR~3Xmv8@IHfZ6OR;ot*Z-<8Cb6FJEK8FJyN5dF~P&SUY)$_&&HlhTP+T; zEOe3@hHFX*EW|FWlb3TpMv=E4;LjL06;36$UrY>{C zS)AA_-BiD~Lp90LNp_$CJE|lFz-%M+Ywzn?nbJP>0?9k`r`zD#g)hPzah(p6ml2h< z_Di?kqGL>~k=}9Q?bSm|k&2_*F;(qrK{{(c>j3mI9`$4UnJn#TzdE2z2M%o%3mQ8n zKW7Ek>+j9X0M_67a^huqn3m$o`;&2cNHPT8?6>flDL>r5u6K#nvHg3KFBTeK1|D3h zcvn{_S|k*b)ct8wM*G{Bvk&)fUpamzEIfccd^Yc!;tz_2)}#VrC-k;+Z^2Smba45V zR+N9sG7@a%j+dIRE}t8UTE=!Di)8Kk0{hESNOs9u!8f|IBEcTkQ`6O0zg$fWh0R3CE(9=^lrF?#BY8K+f}cnfQsHFQ6^ 
zuCA1~xmhlq_0}4BpCgG;vb3xK+g?z99OO4bB{#Yz}_gzvCtJE>KiYNlA zu5fG8JzXUL`{@|CD&tBfkr*#{Y3w8IZXa=nvg^+$c(oje$}u_-0*U4w)+tD~Y^^;m z3HzU_hUosov^f8y!HV!)HmiWHS5}7HQhBYf16R7#Oorc~EkkxzwS+l)MaQxWI*`M`>oucB zzzN5at*4NSJ=_>$i1vm^aTvBDR=G`Twl|*G@kZ%Mp6~1ak*z$PYX>kxPxs?XuJYlQ#Ess@~}Kq*P5o$8y}1 z=v2`G@FKlIa?qtG@veHwr-wmo0$REmEX7%R!^WnzPXkJX`yf*+rKM&YvlYcixCSej zFg#y19@UOK;yDKFFXYq$;QCN4)_XJ}`i+5vtbsLt-x;>o{cz1>z5ntWEdHB6yx70Z z8O`_GQ)NZ z=Vt1r{LRzP^Nm#*G9*L$GIPR6zu5+Uc*V2{7Ub+C4K8O2TuX3+`id&!0;*eDi77&t z*^{&~1Vtf{0LHaHeWNZR2kiDXgBHC0=ISafm4<8k`^up;4V^$S7sNygR5I|TzwOT%bHv1+z zGtOuU4U1@V7r*z#J<(Zy^ti;{`hKLSGYVbDQxtpJCruqeUt!fmdpwZ#AH~T`h10}S z5yNarI=64|TT|kxC-TZsLP&_fE$cnU&46~PIm52}Fysv_T9E6H<-VM(Qkd)J=LE;v zu&nR!aGoPtUUC zdd2@%qg#1Hfyl3>g)58M%DyGAS$3q0)bQgF|7l}Pq~t)Z)ioyGAh!xR*P$x(b$yRZ z-oZAQVIL7L+5YeeAp=IIPlH7@^X3KxvjCle$K6*SE3?;Xnn|SwIaD~2;!MCl?D#$3 zaTl7>v#!?aeywF8F9z~ft(h65Ot%Pl00jaUDj4;2?cVgvgwU=D{v{} z8gCrSOcvS5;K}lUINZVDH50d&{;fTakY8jT! zHkI0`uMz-a+>0mLsFZl)rPlV{oTcy} zzx43&8Gzhwd+BH=hH+kA`5tKz_6 z3i_gz2b;In+9f30Gp*2)$&~`353vu__ZfQJEA^%^fG&$B4pX0ABTfW6O+b*}< zO7=Tr>2*IZ2WbhfAZWJBn!UC^D(3%Y-;WxVbe#E zeJ(M+eC@6+z+1gfT9Z6fNE;&G7!s?d-yBfqXc}T$s|BJ|G_zY9qO~m_zb2E3A~uPI zY~r0fX@V)$pO2i6-PfJS?;JCh&!I)iZ#6qwwo9cN7CTp#*fslrW-6ZbBq7UE5T<~3 zI1-O=(s(JDVuGoSXYbbfR!vI|!WHV;5~DrSGn^zIq6~c|FBOYSX6Zfg&D%!t8VY?* z()1bT$5V!rSdC24h6oFk~cZEh&p?n<~XApIC)CTTwSA9u4_ES;Tw3yOnR^Z7BoK1)9YF-2$| zL0|XJhtIT@h#np@hkgkg=J0fyOCGxGtX$EnusXi)tY&8F0OPnK2@wJt)B`^9+EGanj! 
z7O@|GF(X|eNaD`$AL?J|*u@0^Z;H`3Q|K&r4MeD7Y!e;4UovS_kYI}b&Sx!z=n~Pu zdb7m@tz@53@;S1z3Kqqwym|W4i`#qdWHZ}=t9p8U7FvxUgpH~1xmBW%o*jXN1 zp2f@{69lz9zf0C{iT6P7V) z8vlnb-k{I=ojM4}B@cg4f9-pHhqGeQ&5`F#b`B53LtUlSV83=P0(WySDMtMNrtfw* zrU4VpVYs5b7K5tIB*(LM8JSoTd;*%WPmKa(?&0JQRRJ5K+B402}}gv3{3!J<+#?5 zLlCW71+O>zJAx~dctm(v+6%K{%rx(0Yr~2J_?15)T#D>x~;I4fzthX%lFrit&_11^J~FugfT*>ikoROYHG07)Q_{OlA0tI1Et+ zqYd;LM|U|T6gL{4aS6r=P7EHO0eB3}&-LD_I|VtAItbB|H)=a$z3%9nPG_4Itrzs0 zowPQH5KH_bHI;A?L67prSBCpYjRr06Cw%usqwCiWF9jllo9vS|CaLE>tHUVaYx`2R z&$E>!SwJq^>>&FVBajrR(bI)(-Bd+$(|tE6OzW*j%>mvlHG8u^dB;4brmf@;$??#Z z;rWi6HN3kE5n5%5h?)j~w-M??+BOnQbD+T~_WH=HO%S>m(FCd!jy zA!r-jUf8+L*KZwNDaH{Cl7NoWE+hr96z%cPLaU*}9Rcx<3NSfz%LDmBXJqAmO2*-= z1jRfjusTP4;G4)Pd8nq>e{lKMsEc!9g|V6KQx3EdHrrn7 zdj(e~-t)~&5fhp)WfhH5dYDGNfN@Q{v<(FL#k}qAqd_C$dqH(|0Fu^8Spu*9tTuLo zkM?1^{(L3ytN?vtyHDFKVnMJq0yh!9Cax0{+|eEwQ?23_d~XV;9*j~?*9%^HM*>K? zp3!?5TZMdU+ch^R64oK`5Wl!qpE7lW7Jv-!$)ayq^|Mfx%ko9HePx0*U&*oHtoTF(c(Eb~Q8ilDF1wjsUqU;;cfmhwvh)w+IOG(v$4GpU8p8ZG~A$ zO*&G;KeM#5x#6jt6OtMGB5ES_Z@O?zA*Jp^TldJ*=kcbSb`fq zY``a=jMMH&Ir#y?=iw?!;D8|ETXUG=Y~QwRWTZ@J(!d!o%tTduLs^Wyn!$L`Qk&rcDsR z$fVFkycZ~Hj7Xc>BG&J&5|(>{Mg(+IOm~{~(dS0?g~pXePg#9o691ircuZ{;GgTnh zG-OZvF0S@jQX$uGcoF7L%JuAB!ziHYNeeqj71tLnAOR)-AcDaTxIUlAk-xW9zX$v# zPO{U`=J<;#x+(ZLQd|5zn_TA17PJ3{w6~6{vfJ8)m5^>JX=$WE z5NQzUMna@PKJ04NVUy`!Y|u5(kEL(R$gDr>R(nqd+I<2q{2_$^oap3%CC zK|b&H=MwP@9}>}>$X~m0nA`K;*mcTuq>Kp}G1le#BUb%jaqF_IXQ53{Kp0P6oKc`Bx`)p1}X7(i|b1z?xqEK0JD> zIjhEVoj*Zf|jjB`;zth?#@N10T<866W`Jcw8?Fs7$zi%!o zaN!Ur!CV}0QIw&uG?Y}xMSnuMX+aQR?LsI=nxi(1zl)UcYid$ymZoF;dGs3A<-+Q@ z0h+_K+fiRV+{WvOYCs*T{51Tu&0+75<2P+q-uEegnwhpBPAaBv(`^1Yhr9A~e;uG) zlw@;aNWY&poi!HkfLWhKPc+>f(=h&QQC)5E-B!SMt(OPJ@HU0S)lx-aq1i+R6PEw`g&2UeAW6Z{d&a1t+C5` zO@SBhZY@rs=l)k8w_!=z*z0dEEuifD_Uu1W%72ouy6T8jS@D{$8Mdgu#NW}HS6!!? 
zGHmdlFMRkZLj^Xq&Pjk;pTIwIpntNoC9EjNwIAm|O{vZfZ}62bo7ySn>zhLJor%)b z%k5&82*F#Y^&Gfp-{a>zjHrse{>ltAD>3Nr5I5x{V_K$R4k2*3n?80gdu%WgmymCiN%GsxYx?s7uXkH3_;$ZO( zzf*dF8TS%Yt)rT1+u_E+Rw6&Ao z1h&j9AB&tydEC0UR(B0Y{ZFE4<%<{wbAm0V#04Nx5J0n)ym8sg{)}s}4`5Nq8h3Lo zI2Lri6{v=Z}d^Z*0zGDCtGh413?SYi% z6?Nl2Ak===F;z`uT(0{@)IrW3@&j5*+~}zYgiKiqs15eGwqCQT3ZV2b?F%OD3kP(SFERY~Rsuxt z)6F{4mqqiT$Ag7msY=_irH@DZ9DWbn$FFr`U#ZgPO}I|z1;hfbH?v`xWS{OYz2MXF zH_F(B?A~ zwNm1<#ir{;B{06{dtmd?K~ZGQ`hgScem1=}C}Q|L7o--|U!9VJ8~%{|`DY51XUu_v zUgZ_ZfNL>4)*w;%ZP9OR3!DAj59d9m5bBpP7vOd(audh^HJU&s8VgnLJh#XxmN#l{sz`3TSWneaB4j0dM*T2>EotQV)QHdhx1lFz zeF*nSnE!rb`ax*jgWm@H@nG?$#Sj*O6iiM%iPS*O`+qjLSj%nk`LtJ6Jf5&=0kVEi z)%!I~d-;O@jC}uK?->cab*`82p@FNIAuSi?!p9`1UJG;UH|3kI3G$aLZq8ISHL?Gd z@mDv5|0^KP{9BjvSM-MWjuKsb{08=qul#R~n$!v4RfaVQQgPQ`{Q9mIFC@23X`M$U zrKrFC_fO3X_|UXs7>3Q0S2CWz4b6Wm{xQi1rGZpfTV(S;lu-ZWO_vPhS>tMKH@{EI zzqtATBgQ1e0(87CNZCYxdk8l2y&|=BI*xy@n*PVV{u&(cR3nh>Z&Sxu{0eISwp$H6# z6S@(oZqljfpPT$mPg}wY`hhXY4EWpr>he;8h;$yQkL6O9%<#u7^p<;_eLIpdx%X?q zw5b9~;e@~m^Dj+gOAFG<2V^o;)a2Z#KgLz}8;VnL{X#0N@vjx2`vo+4LW?yXw*R%t z)e+%t{CvM@k|c4$L_B)>7210V z!*yHgkLicQlk;w9?z@^A=%0V1()c5ePwvZv2;44!D{%WUyAA{wWYesTXQ>3Snt-a{h**t)Qw6>iM0r z9@TwY_+z|NrI^#DCqIR)_-XHnr(GD_)lc2p``qEjDU@M73=L*QVIaPSmPAu z9H^_fjwuFzA?wdcn?PA{VuCVCrjoVQ0#!1(e~G$M8N?aXtVq=~{@oA`iXVl5 zL&zLg>=OL3e-Fq0^IyROP+iXGo3g0_0CL)`{7HmI(Rgu`#e@9s8T9s(O+(*WZP>!# zz#e>WzB^WVdYJHQwLo9ji{ZWII(g}2ug(&Y)N|r+_V0-X4>lr%fL|1dYE=LL$Ho-mvQhA|KpL}rQgS#l?wj#{51NH5Ie=+ zF0I$m+r#ge)Z=`SArh+dbKqGNyxEkeu2yS;#I8a!&lCKYTF+4rKKSlq4@&pM)FTjE zwcI01-?lPNb$6Hq{j`9}w9M((iIAq8HXA_L3IvvTzkj`uE(NYhQ>vDP{E+FdjejT z8CW^!=NCkg|DJ~yE6fAoE-R-vEy{n--2ZqW})aTGVD=12%lu!gl>Kzo_o( z^|sF4mK)z7$^hSyOf6Xd-GE|OezjW({&}OU*Kn6_B#XI)Ygh$NMwO|*)mkriq6Kf=-R|GT z0aCWatoi2D2&fQ?VC?e>s(~=o&b2}1J|9$)41`jzpu#e3!2idA4PW#63DQ$*v~4zLv~W1Q08oG=e@` zJs@}u^TfgbT7&=nMt~*29etA@Ea=9#E$Mk}jLSD&a1dyl3D9@zyzG1_B!0YM?J4!P z08~}8moriaYLRX**lO_mN@6Tbv5*}3RPCnQlj8UR_dVNzFzs%J`~oFF7|mQfLjn4C 
z254U&+`W8ms)~e@05T7!b!(2C|BKv$Z*~```Dfo(s-zKx##wW8>=4bLcQT~K8)Rk7 z0j^%lqT#U90wZzDl?CWcq(}zyd7-&I^~gEbG*t8HHn9tN{l4&(KIjS+5ce%*sd_rP zBvi>I&xaGr!Kvb1l&r>IWJznhkzZG_h*!h@q@LR} z415XQE>Mf9W4*@jVe)_Mmw)dr@Ssg7O`f9hYQMRe-|;-RFMm8Ty%x8y0A>5b z1#izGek^Y3J;$}PJMW(U*9-VmX{V2kvYHs<02OkEvX zTh#4Vf$bkh;y6?K22|p!@}8H<)i-AUkv9BxF@Nq???sBi?Z`Rsc16E|%Wj)RKm0f- zeFQi0AVUjqM^MQy3n<1NCxLLZ4z>2MlPJE}efRy(nCe{-7XaPJKK;21xQyGfyW6Yy zcmV&e4vCX70dm3i>8m}^o@2tOVGQAYQSI9cupu?7fG6pl%MA3ecs>RIdG*c+phyNF zP2A>4ZoJCTG=PFN9nb#by!!K!e;;-K#Fp=K+WYYMZxos~E<{veZ!8juy2-}cA|QrvU5)U(Hb~^JSDWPxAm(?ma~?^WQ{kF4jPAF`Lu8bJ z$@8cIa(pJ4+?6-~?NfgZ5W!;@AUHvb+O{WzTf@X0PWsUPhd=1oEB|waJdn^mZV0uV zHm{Ba4Q9%116BI2R%it^Y>Iz70{>@(|NTF})yit4eQ!+Lb+>GM8bXzFqP@|IaJ_kCpcCaY5AsB`d}CO5GoY_P?M0KRi$`0Tl(x*!x@Yfm>RR{NtC|Jw<2j%zQrUtJ7R5Cs% zj&^_hxNn8Y+y{Ing_|>Tn9u+W6ff4WY&>z<`-1Q{NBfd4?V~o?H@m;P06-}Y24cG~ z#^b-;$sc<^EdpAK!;So{);50~iN|2c6jv+#&F)2Dw7mt8L-!0kXaDZ}r-|yG?o1N< z2ekxZQC_-di@4n6l>e8+_K$;FERFE{duELIZL+;_4Z-!k5^c~^UO>dfcBJ(0O|`ck zOQe@7$?!X7ZoRGDKKnR)b8iQVhJyD+mduWhl_D;Gx8IgmO9?)3^q$-lXq4B%o%-_+ zvflsF=2S}tD&JHe7hvFC5nK9up$Bs#N$5T6ey*omRx+dqp=bAuUy;;V-(mj2h-(zS zxxBaA@VKpPo<0TiOQe|6FHFdsdeEk)e4r#1M4KK)}&{SiCbw8`%mfFlkP zi-GEja_IrOaRt>s)8nVkd8LyaISKUM)g=%E2L%RN9`pwk&f#JwI>_zOb$ z{b2YXo2NyDQ32r?n$SSj5mH|V4vgmYS$a2+Lh8PAR-Y8s+a|0>&Q+L>bc0Oc6{*|7 zH=C6x@i#UY@a zwy0V3XEz}Lzb2m+l;OlAvtk6~2blNfKR^;&tDxYzF#Cyk6*ZJsujEZXEG_cN$ zK>$xt;!z{C4^=xsfG@pZ9g@CbYVQ z*q#C|$JIVvidhO$5jK=_|K9vU6!^2*AcTQn*2#-Q<{A)o zkL;=wTTgLP&tF`eHQ&v;^pcXT%i892%JN(~n^TI1GeWI>>#TWSs<(^kRbxT-u*rcq zpuo*%pq`l2BVYuQSdO2s!XG_-NAPAh!!d~7GBIrs3K8+h3EbWP9JvW9Dg~}tyAhr$ zO|}D=3+=eH86dFHRDErl?Jd~y=4C+}po^;COgb%xtqn^pC1N7v3c6Uxy zhQ*5;#8egNK7XV5ZvJfQ6_a@f^Q+*m?|v%D=1n2JRul_HmfGc2lxAqhei2C?CGoiI zqIrI?cI|Vr>p-&We*M~+o4~$nKfiH5WAkL{MIXl=D0d-a5=jD_e&le&n7ZH0(*5ut zaW*4OCIV`OdAD3TUvZVB$xA@3S~Xd^ldK?*r(uXy-HQCA;>D0cf`|}eg+3f-l|@Hl z=9fx(xMw+K@~Hwv@5hT|@%G2~)=kP@^elhHOyDyAR1b#i`hjL=ZF^R{dS>@&M-3SdscfDTg9s?30|7bYeQ_)f(8 
z6rhO@^bbkIEX?AMd>=Cb)YmOL7FF#h>4LBAr1uJrUzDil*$Me(qUU04M;WjVO#!h* zvkhGrvjQ5iEj)*LW+-hR)hoHW%hVzoi?-MPc1}H2zNT$ z9xVXn$Qt?h4ya302-G1f(?sPTJBR9_m=iD9&Lk*>G&@DtfY)6D!IX#FpcB>754Oiw zeSq~F-(4hy=*;&hN|G$zm}o(;V&3e}HTDHnKYnJt^r9M6j#rcclfr>URp5SSpz-V$ zQU7}=RH?2BHmvmgB${dz;)ip){khoy@1Ml1A4l=;OBAX<$u}hNgZO)L52|FD5!m!-PoD}#&Le$Hf-d-F+oazTYs{;V2Dq}2-g81J@U?gI{l?}q!CMz&E`~hCS4c$bO+E@>^In5Yp z3ZMe}Js<~jNX{56HLdJ~yP0O;E@t5pi22 zcg5f&v!Y`m`#+wrBI}tnPTk%1yym;^b8L@_P6I{x{&>Qex&fLaSP0LH(z7~guRHhd zz-f7YLUCoTHWs8F&rYv&xr))6#*Z&_eEl*W&=Je;Y3>-ROdB^#F=j)9j1krD&EuI2av3)6zpP-e(V;r42q%t*rN!ZHG;cm z)B<_VW{aUDyko_bO7SM#Cbr}W$~wU3DOwFkRGu*p14(;)Pvd6g;nu@db)0ZNw3*R6 zzI54kq27(5O!s<;&jh1@v$lIil%OTxE{MB|iAa6GDTgC&0X;}LAJLc$=lP5mD5E!w~$pxcEo*L_JfVQYDd z=>i&!ULoy*lN`%qjrOIC&Do5tygZ*_D^e|nQEJvLqE%KQ)-j!^dM__vs@-ly7`1>I zLE2jYxLLAiQ?dih&;3a{M(Y8L-DAD8A#k-b^8FLJQT%1+3)+X>kD(5*W_tdY!Xlqr zg5S+9(7ayfEx(5xHAdqB5SDV1+&tm_v@2#JYSRWmly0Uy@^_-pd; zVYklIQ`X1Hg;i7CH^6aaxk7{C+8Qt@oypy!q}LSP+@NP2U!Padv^cw_pWgVVyK{ zZPt*rzr*npUlWL*8;wA!=WT5S@-C}6H}cE5bUJt)oNfYjWjRqWg~r!M2Q{Y|oBk`( zJmj}*0=hCa$NZ%V_$_?$1PTh;E&dI;5yBT((xeY+#F1oX({_~nO>uT5^!F5BE5#SQ zQR;`lC10KG@85)MH@KtRMlKcdKb|F)eTZzj^yO`j=CCv`zv(blYJBWg@#-Wnw(cBd zyr~^{Ps=Edcoo^9O-EzSW=-M9@z^kTT?daBgY9DYLhbE{#l^vF0Hu9hy<-?(M zbzF5!7tmphS5w4JNewF%j!x-dsWC>B4+Ydo%nOqd$q_4GJ&|^lN~}6o-6}R2PZ;R1 z#qP9P&_HpH6+^nb*Xgg${xAN_41vQbrgPcNOz+s`^zd`(7W>cJyfs z5A5F8*eU_^FQd#4e^fs{UtN{lavSWHnycY>ViAc!FftrZ(ff)5bufwzM+h(mvM{%XfmWOhiB$2}ksRVUQ ztrQ5*QqOP5Z}JYYL{?Xt=lJOreWn|^=1%C1FUTn@4H@#av2PX`=Hng zAB6i|yhuRbd!lDP&(YZ-#rXW*TG+<(G6XZ^m)TMxi{PNV%=OT?}l4y5SECZOGxC6gt5WUT z6ux_QMlU9OK8v9rTin(vZY{BA`A0SbQ8a%BVBZIu*{XUri0PC) zWtxQ^NBq266WKV-pZtCKW=dE;CQ9={~ zuZn{wPuOb^grNcY0NrH4bv%MK$HSWk(6QiRxt|9fbHcT7mcc;;F(6NG-`y#EEQ=H( z1-t?C>4dyL1rOWB3xbmL34{B=LHr`u2`0X+EwSGiLT+eejTQ&5Q6vb8C6GL?xHbxN~3_QZb1RUCOL`Xt#qS4D>ELP5 z4=hNKvMT1Hbz=w4RyB&jIFC@5(E#%tJVkcPNE0g4h?SK+AGc}kq%q9?yMmunA?T@M@+u%59t?R zzhU2*y3$3DvMJvxbrR+a&E;Mnk+_38eAq1eQu_^Sp77*81mU8T5| 
zPnSWSbiF^sw**2gLZ8sRZ;!7+r=NQJ+DWW9#u;1(QdD?V@Og(h<*g5zImN0kmzT>+ zUOCs!X9&$L;SHJQS@MSX4vOjfX#;u)tVVIxSgUajxhYAQcr{9M8vzvN3TwS2*1o;M zjY#;}c}JM}&c^1|7l|%nrmpHAhClheUFyj}yL^fFxP@B!U7xaq+zO6CKUCqay(zNR{Qjm~R zlpAEY1O=t()`O&jTL3iFlBKdS>lfUU%ZlzG*V|D!`6vYK@d}PPm$P4rR~S?KlZsCfo?>f{+9~jclb%*FPo-vs z-YIon(%bq!Llg5i)#@Pcz3GhN~w0=QHP!-^}SESO%v75H`YTu;_sTWsxB&I zD+qf>OnL|@IXo&yxEM(s`nGJ9AYpEB+-v(A{2ONkltbd=^t+`UdU6dSAA^JB>7N~- z&HLL%#Oy20D#(4gJ06IOck9VPTC45tNqDc8`9UH~)V4me@7+Kv-@_*c=|T%e%KS$f zBP1EH2B=;Zp=jKQzC?BuRi>TS3pF~ZgskH0^^ECSy5YDfUq$Cz5)!RRm)8^qV--#l z#24qSt_s=yC77q;i}WyrC0Znc3LO#e#jO&gWR}kG4gx zDSD&7`P2>rxBO=6q~KaGy(!z7gHdR&4xO(zdR$*VmjKhF)Iq`efSFJDU87~j9&feG zm+|)rY%@8$SAzDEPtbg8VU0dHv%`twbdxPpa=}ilX}PNPR7y;~W$gJxZUCE)vf)C9 za2##+PE@H>%HDWWl*L!Oa|~H|x$TVJnb^OrrcKUAPqux}T&rcqe_X|Jk=sFsiplLm zcFnuvYwj7V5Ad7C6$UHx?rb+y?vzTL0=JnPI@-LdSvz9d@g5oY6*gU>dxY;rn{u?+ z7YSWn*u63nViQ)w2wy!8S(8)y7cgK819RlCyD_HWLR#JK^LaLY!?%Vtpj7_fWKAT{Mm&g*-y3C@t|KMvgYdD;M!jHiqL*5v{t9gC|SAY286pk5*?5 zODglYZB~iyUZM>9;oA(6PvnU0?YMZxt?>GI5J~ATShG2Ch@KrmR7zK_cjTj>)D_brz z8y1G7iwx*%@sdv8W&nl?nVjYX(I_6C3lB}v!yk_0q2x=I)da*6V{iOb&J&{5dp=6k z`xCGaCuJlw2-aNTvT3pRH-e`HW8TUnOnUzi;Xmn>pdGz=X2yzW?Zw)=g3(J(%JwaT zL@z1^Ug5oENe-?Q@~Q8D4}*2^vbRnJNxBmLDqg*s#(|KxZzKXHcArv~=lQN6o^ayB zM`J70=2$2ZbOfa~_dF`X(ogWaB^WEbFhN=1 z5tT4ZvlOO~O5`x2p8x0|p&aSi`h(pgOX6MKCT&Teo>54Ra`+db1<_euYhvmr^@SSb z;^cicmKPfIa-&9paWCKIg4_U3IL0O+_hgpB5LE+rX!#b)Uf%wKMZ1WD)o_zW zZI`SzuO7j2To@YN2XkB4+sw2al8RG=j;98Qm-dvKxaJ&4`CkUP*u%XJV37#Z`!Z*} z$VpIwU*oyR@^rdB+|iY~Rd;R6LF{H({kf&Qqn16-NIdv50mz1l&m&ndSs96^6k~E< z!ewX~dvn?$=mqYZ-kD*+iQpJWOl7_EvrhYYzY{)Ex5`YRqBQUki?2FCbr;djn?ReOU1Ll1mKl0-aZNHQDLu(`Sh=aUp@DcCeL zO$YKD$EI`?JxYB$MWUHbOUZpJ@h^p@Xr~r4KEBR5x_r{#Z^0+jfL4N(0$W3$6!xX8p;5X#N}2UqmsHH+Tu8MIQ;1hl`S?lN4sj zOPN=_a_9-n`H^j8|a&d z-1OJI-Tbntsh+DlgNL##yoNRw{xB%wq9cc3Z6zIjd~PzfqC`M+Dl(?xq4hd{*ll{b zu(4iJhqEkkVsx5odcTI-j`Eo9d5-F1RCnftgd&)`{Gf=ACk;vtKgtU#nP;-&8V3g& zTrYJy#|jJxB_k{c6U!2@8-4ZsZ&NS6Y=$3Q%em`hnTc9u$PfufunuDBo85yUIU=CK 
z%~x@p8}aw_^_Cj}Wx|>OON4b70X)CZ7f;J@msgxj?XgvHwJz_jesF8(cM`N#<$O9f zywJ)cd7^Y$cHQsNS%a&k-oPb8m|dV0VK(axX_-jr%Y2JT)g#Z3^B1&qpJEXFmKK{Q zt>czMNIn19>p}b7(R4){!Oxs+v&Uv_uNOoOX4N>F9D10he%hN^m92<;P72E!FI5b+ z@$enn?B+2NCRvrQ6@0Lq2isz!r{dC2j_wo9^tK$9KnabC1kXs}Xe3w`PKmjGTdZ2MB0R%w` z9*NA{qpqRA!A@le2lG@429Fp5=c6+* z$EGMAB$~WMasC1O2cpY)Q0w=HY}N!6d7+MUEvEI$vn7}<2MA&kPd|RL=>8Pdg&4r9 zc;I{P#bMOuaAz|RF0w>CHe_>{Rpf_^ogWgHnn#dkvP#s=A|>7}#NUqhsE;LF7-^fY zJ`ahP%1I%GzF9pZ^Daw=R_nMPmWYu@IFyNDMI(?_N}#)F(brRK3TaDmB0%{LOF8(8 z4DHT|v${+%5-e^35*1tzl)gi)>{tc@|HisIa@EPMEwKYi*CH<`|OB)%3yBju7L@s?zj3jWe;! z=!QeGRdS;gv6NSzI1D?=zn4QJXW?Iw6Q%SCH@d`+=$LH{?Md%J-@HK&N}jCwK5<@)>?_a+Aw|pSy*ZIyJ*dwoz8V* zEaTx!5ng^&w`$8F@0KVOA?ir}z+=g{VPUFcuC2oQ!tzNPhB^Eo zjLUGR>oBs=9@BMbv(>IOi{qcYi4dy%omF?7rht{u_HE@2O_S)}NH`bl&Z9#Ds^k2W zGYuo68w}f`-z{B%C~Rkt?y@;QkZd# zDQPG2mN9>-6i_W{;GoHtNuSR~`(}btXEnAG`S?)SQDU~TZ)om=FYDQw+8{co@aYCfJ0q$dI zk9*vsjOi2=gxC{AQ`{hu^4Lg@Ge%4wg*O%>yoq56zq@69D?rHV^cHq!VgWxhLY;3ljda1p9ck$WwyM_+_qvj2Cg(icKfiMIR+UN|01kObL)OEV6Ny%^s z0X5pQ4|FL1>IH!J{G2OUhII()#>n&&ZmM*kDRR}j=pu=J-)b0d5C?h4z3MB8i9IIn zA$p4j59(c!npH#|nxl#&;6V$dy?sk>)Vg2W_5A*rzKJWjIeQe9IiuUenJ-FCg)(Ny z59x=Z6}F5Y@xKY6HxFA*A$QY7Un=Oo+0jxZlE1RtWF6M8-R~nSq7WWPISPHI_yDpM z=dQdbMcRc-IO9*%b};RvmK@t0xf0;o{V0JDiT9XtRp9BYwc9}w06Y$o#NHvkRKHDc zQY?lP+|%G&u8E8fTs3BRK$o&HPq(hFNV%_2Vzpxph{MLzpVuKhM29Hbe1~n%jTz&N zSFoOyMGCvVxM>Y0x_R7HYQtv|+-{CBKX^+ZCpH~qQ!}0LZONB?vUNdYh->7U-lnpO zjoCBr#J?(-O*+msCH2b^w@ftS85v&8u~JsFMfaHp>KZZ^T*tXH?u9qF<|IZGDdQTG)m05|&R0`% z<2Gv=TLfFtub$vFnY!k29HSlM*OdB&*jTqL;dGngKn4mzAdKiq&&6*O>_28WlU*4v z`j3x7%;#5rDsSDt3Dkfu*)J=~GuIod=Ii+?YAvA5-6|07fUJk3&c|h7W|?H7)CmJ> zd?^pblss1rXCtFI@tQ@QLi2(P<;_o1sqGWXv;zexS>Y!~YpAhHpCJ9+j-i&Jg%`N> zPo|2J1f9np8wrLh&oE=EzH9P3WcYU=#XaNU!`RNM6%~Xth0}+BQKCS1)tjrYL}Wpb zJDD6dANeJ5ei`3|a>{gSr)HqDP%_G)r|CysP8G|kd8lk5xS}TY&)A(Xw`Z3+$m8*O8G9E)d@1ONX;$y`Xgr7 zZgMbSrw5nt<`)Dv4U&yNJ|gS%!;Jnx)QJ>XGm$34L;B1rP0+sW+7O4!p4M{5a&Oxn z-gfG{6YBeAow=m6;*MZWqE_c{zxQ&Ax}r3fx;UNPqvI3ubI}fzu$l4tS`YZkB%{s; 
zyEFui=S45q)a~EXe&IM?ERY`ZH0}tpMB>ihNo>|oJEjVK8k#UbPkd~h&IZ%;VMdZr zcjVrsb+^Wnk$Kc=|yd z0WUW%r8y+aj}6HlhMj)<6(;@C+U=Ux*h?zc;Jj(6{IX7~56CS)(a9`bS95nWz%CKS({vD{klTYA^7 z+t6B$w3#<|U+=jd+1ubWC2wk9nS8Ck9+IC~wsemtZS5G)&h@}2J8~R#&aWTYC*HMi zd7I2HRmWUyg6}x8*i&~=Z*RAp+iMpuz&CcYTWh@+@<1j^td2XGullxi&$kfI_6g(I z&sm$5GU~@VO84w-R06XQhI$zv8Tt)G>7l9;m~nWmI(0D$N9pkrl+CGKp;F_vKYw8E zz{%7dta^hgl|yb%X~q;_wn*^i`+BBI65f^m0g>oEH&y> z9s(Vns1abe>2xQ4`Y*9nVaKh`rKC^jvWrfNBgcW29 zNu^GoE;y^?Ly_c57aW~cP@o!eNK;2D#1+<+!yWbjy0Z((Soi4cFAEc_F{F%6Whi&U z(kv&w08>|p3~uy`vdJz)?D^tu5dG%rvkP?!V#uKQ`x0odOi z;58F|YBPm76D$aZz+De<4daz=!0QdfO#bXlA9idX!0Q)rJndbIz=rjs^3nf9sa;Zp zqDNI#g?$($JaJJA-=wob>@J(_F zr2THbL|L`^$u|Ww=$&9UGcl+0b{b>u(V^6c=OtDTig^;gp31yKrhYFYPW*(#cAnUI z3j3tJTX810vpFOt9&orQEe%d#-(WHYu6YRw)uQW49gdc<7qIK#%>+d1E_ zMj=|kcKv84UbQJ2Mfodyl}rUI;zN$A9wm>%{EF3E9Y7)&IZl?lf^YuFh$sJ6iL|w< zmS<{W^p?uvM-t)JGZU>jWjr3)dO9%3UAoc5=W`lp&D7U~Av`cI<*V9uuHn#6sd!k3(GSN7PpBu;?^Y)r!YS#3>k2qQy)}H5x7{Epp8>P0J zN32`6p^f&X8fR<{<})Y-V#d_7)U+OsM%W{Iyj4-*W*;I%RtdpKJOqSfZRq*~9- zv8b5Wwl`vX%aWsx^|?53D!yiqmlp3f>2#x~csFasQA1&EGK7N8JN1kd1$nESeX&?4xOT0(M zWTjX>ozpyJdhuc86JQLDn_BB0CRLkM-E05A!S9F(@8 z!kLe$y%FFCcm*%RWYg!Sn(|dndu7LBD-MiX-7aTr2h2I=D;(9Y4f_3=6Pse$G5e+a zw8n6;$*nol-((lD#XXr`2z^+nmZuJWrM01)%fPVY@u6g&ft3MA(#e&-jl9Kw{ z!8wadhd`!K#bzlcV6Rk|ao6;8DZX%k`J7(=@^@N1vw!|!l zPs>*lB#nK%KL&X714Pgy8wyMF4u(PnDrD@2 z66cBXusC0ynOVI=!uRwX;6LNM6u1_izK`YGfp_g%?fvi#oU2vfGS(&8+(^n29?(hh{qvNLbp=y` zLEeW_#W}_5_QWzn`|$UCap7Icx-I&leV(5l?<@CkAIf80ich_q;+)pd*{pw-T0Ye( zHIMI(5LXdVF`%)0@=X4qc}ATal{X&%1}u>Hjz^uL>8!bd+$%rx!wNb5C3oc^ot_l| zVrv>%{O|iQ^_BYEHOUYn*BTt|bAudMGrGb0-d-6b>l45$5*@R5y{>y_!fG?a>NT>A z_k!T76 zWF`)Dm@5-R95k6U9WvEPaw!grPtDLAb7b?Q&sLwgt_5p|xFh|5M3OnjQ6JJ|GIHk) zXnWq+3wox_lm&6gTYb=6YN_588#E{x+6VsMBT1i$+jbmz&aG_&5SDpe?tRDNDmLi9 zlK8MU@9Ua`u>7D}qutn6XHQC__3PQeVq2pCS=np4US<6ymVM`!(;vCz(QbnGH8Q>6 zU=~sNB^cG0^xxoqynY{qaf7m4tk>p$;V{-J8vk=f^%#)|!m(mHb*+GEITw#pg1`-7 zscce|+ejLED#U8kfMp?5Of9gwB&jY@bE|7{)SXh>Q%4GZDoIxoc%@yw)c4Gvtskt!O*w%J!{#*?pyiEY 
zR2_SiTEN;A|y7I9_>n)iYgka`EZS%cOASM|qy#IKW~JWc9ounZbL~KduXJRd9wPnCf9% zb~OTkWI_LMZev*+twuHO>Ph7J1^e#ZOk>Iotc{!=N5|rnN-5a;HiYAa$^kS%;=#Fo zjGO6hZDkT;{T3*p!d|=GoWmLo%I`p5P4@LyI)p3wOx}{1G?9wu?xE4gje#pT|qXlduf$!~j9pn;1U^9dEMxNeKVl0WEk7%H;4e!oz# z6RYl01pI3nCc0-#b23(?bHZ+B6!2mu4d0cREg0W=UjV7i%Hg*R(if;S5;W~09h}$V zJUtmt4TTS&3Sqn%#Uk>AW?Ih#r><7rq;H(9=Uqm!CeSIYhjB{8&5$B;R#D8?1!L%e4*@a(o}@x# zT02$K&ZoDzIIUC>tQ1uu8QF4d!tF5k%_EWK%fHCZ`m2XDk1jKc@n(@fbfUwf!;pEN zI5E^O0;h*h;#6v7*G1x}j(IE9xT-mGKoadTEI(}|6{)iG4Qq)6g)8P2-i-uh>k7&H zdoqYvfm4i#83jbFx?bC}X^d3zOMdeE&lbtdxp@~&q7^p=JwCvn__1T|J;>eHQ`-a` zz!s1aSKzy`@e;Nud^`GI@ySy4dq2h~eKqYWY{~u>>9Z+SLwtWlINOzZ% zl!}0WbR(f4-6bO3-6_bXk&^C^?vh48O1idmclWpUJ#)V^-#qi)Gtc{ve<--Gy{@&+ zb*}R~*6$#VW-p_In$2qXJPSlOfy}o*BnufyILO=Pa{JqE=2G!Ca`#!6O zdV=qOf}U7&(U)w)?^c>uf}@I;hR;H?9x>~Ui3MDVq)AX9JdDMQ^wj9hB)8GFav^t; zCH){)7SO%-zF6i>DJl`IP^Xje$;Jq!m=iUOPbRou;C~X6Y}H`KoM3layOQ26ALW$k z$5UUrHUIuSB1#aGMEQ!$JUx~M>*CA3u?GL>PjyPjn~WbO&9uxO61OG}Tfen3v+qU6 zzXbg4sAemN9L!P4XSqh&-7diu;?tFf#8kgAg{IoV`L}4TjGXJ}t*UUO1$s-y;L5UI z;R+t63-I*!3#M=A*{?7gyl@ntDN!d*7pzoIndyO-`sn&8o#iAZkTzrh`&fO>m=k^Z zsJL8S!i#&_7eWX;?D$Dk(;FjR_VVHfSOQKdF!tBQk zW4JF@;oem$CnHsC`aUlt7KoUk1)GL9a$0TL$xZ=*O1<~2C_xiAN;B=6SL4MON{Yn( zso?sLmq(vV>LJpVKd@|@iOAS&1yye5TicIb&$u%&Oz*I)1|)jj`_x}TO4Z1;%q%e8 zGvCVeU2vEbr#(0A?duscwe%zx<~yE2?4YHG4p`=x>!!Y8P+s$oYtKKy^u#*GzQPS5 z{=DeY-A-wVZb@h4aP?q|Ci#rm``JEchGp*EQ)H=N{0TaHJU!*vl8eRz=a1L8UNO#T zeCyIbztCC=9^>>8G(7C~Klw2bo*0oQ{jtS%hb(Mv<4XvY>IKc4$a`sB_Y~YOXIn^3 z6|9TTg5Q7cMIt*v8t_f%AQoZi%pz=mw}I6l{wpiP`5xfcR!Y_)OK;xWbNeayxDxXb za8n&(F5b-t$wyc~%(vU8QiSlh*@kO^a2rvf<90*ZxS!j|3^|wInLn(TB34^sNO8^$ z`m_MYGHO9h|LE6#Ae3{km$q2AX>~(oZDbr}n>O-cd329xZy*?84Av3#_;|m?# z>9G0W)=jbY3d)xLhP>AFdy!Uo0TCid)t9iwOV4jOvg(5QPi*QI)v^!%=waA&Fc-umH>LnwyS86nQnSCjIx z5Gsi|LRt{eh3lRAnDb&OJg{BpGbuX}W4)?Tj4|(&x}-%jt`9C`ke)eJ>1=fGY2c&H z&mQ01UeA`a2I2L>Oq@m<50J%4@xR6eh!8&xd-Hk4V5t3IheVCRX$8kSBmKb(8n3ve z4|@(J6mU)?6&Ji8$C$iRFhgw^T$p|(goq#+4G+Tmq8b-`Bw$&S$}uli7flSIweAm+ 
zc)b$ExBGxTJTl@9wWy}Q91>2rjFLJfYRo5EDGA|7{X=%aP=9D-7qxYIv0-_HHTA4W zKJ$|?F~a<}Xu^J3^O>nxAqMcoie+yMmytwC8mAL3((C*VjQzNToZu^j`@jX1_c;Cy zeejY@00dLRBLF#qeB!snMh}imajgZ|kc)#4=+svuki_&l5q15}8{U_1-cxr^1@IHN zc(wvE>|=wg zenw8neZVt2{~Ir|2of z4IqA@VrJxyjBO9VRwNYJ6T-lehxOxlVSgVUwJmh_^PDFLfVr^l}GvdReavj2zr# zRoJA+2F(dsnX_T#HrBk7=ng+IT`_1nNF62A^eoQRV zPrWs+0b5(LTK+YLmfRYxL+8W&*faXO+|hknd&roFjODRe^04J_d<-%+0ktksVp`4$ znLROg(NvVRg@>WhV*?tXz@WdGx#lkmm2vw_HSAk9Vy^#ikwAbnTkS;XH~F^WR{4(y zDdi0qIM_6g*2E$aHqnWZi9dz7uO&Bigrh>2q&|MF-q&1?JH%K<7&UbfYtrWw;$wT< zFW)?hyR9r1R=hz}NWT$9$gPnXQ7K=gVJqp}CaFR$ei zbFi#Q@i6#RnTND(no`YSu$|nrn3S2DBe!j45o*836V-w}6g(ZPV&o^dX?40?uAdhI z<%x*HKcE)Svqch*JX|}~(Qpi{IudBtjF9>0G2rR)vrt)Mmlz84;=}iv`y`W@La394 zA5WE`e^0@W=?)^Y;?33Ft*3;chsk9$;TR;`G@P`xRLyf1L%>jAdoK(17ny+2C2|<= zo!mE<9cAZ10jg<5?|GN{Ju6UI=K1_HWqax%_{Q*H!`dqIzV7zmW}Hl*`SSAc?n1}i zWruCQ5$>9ORrmU|@J@QcR7%0=yy>Xk{j_7cwmSdQF52fRE&J$KAoCOhaNxCg>2*J^C%_ncWmFC*9&8k~yiD~nPl4JkOy#mASxE|D`3SCkO*CBHH5 z?Ol4&M~xDNOA{Fg+zBI}P}30+^bx8alucnjNesJE4!?%p?m2r6XzZbEe!N*BbNZDv z;Gaz%a~pc`DF>ObjV4sqRu!TCY@aZ!FETI9=vx)#c(dMX)|VC2^t!zt z@98sZ@VQmA)U}E=hbGm{4Bldgom(V*Q24Q}nDp^R?L{~#@(W2;4k&4(6|_|y#YC<% z7ZIflmu6TO=X(+n*`=Yzhm62iQT`1+>8<`76kFFjWGJiefAplP*av1m_yLb@i#@!- zqN-sMhg*Ob)_@}JfKWjh|7-+Wxfy;X+ic=BsftK}1mA|gZE0~3=;Qkh3CVM?D&wDKXM{GSj68RC>}3!4U{*_cwyJ@b)s+-FD!L_^xP!!^xo8O|lx67d zDh&`=r+gm1#iD4A;y`7g7pybVHYeM=kiUG~qF(%v%*H?=@LLcU_NY;`<{4O0CIY_U z-(9aTSjGJ!qH;xrc2Y0V^Kt_w5O#IACdVqmq3W7O51A~{162CRl4qv0+st?*AIo(; z>7wW~3^|E4+HzoG1~t!RB0Z0hn7N9RN7zj?zi9`WH(5R~Vxw$Y2udlzZd#X+~kl;)rg@=Z1jtbL^q?DMP_wMtEBSVuL(q zK=cfRfZ3g}^g!0r6(EgdEp;#0n@pE6cHhu9vzdf>wf813o;MKvEzMd&d78TvQBUnn z%%FLk84>0ld)O6??&vghn_0?#NCk?alJd6w>@(wE%Z(JB+e@YOAA#MU-TC{isWPXI;V1vBS-Fb*$v=3>L^q2&p)i{*{Ed-In;XFM1y z-&v^ct;D8b-LVen`|rsa&Ube$%c>4}P~MsOlYzSFh3YkAj%^X3tCBwZ-(;{ht2Kw&MZ2StpJ%E~Fbj2~psV4=Fbd&fY@ z1Wov0@B?)f0k1O`m+m3y+o4|90JS2&f`TPh??7Q?n(q*U*jlFPH^!Nd#iHJaF65%s z*563T_#9DoA%?2roFt)No>5?S(z3Q?4j4_obVOotBA*9T3BnET^K{ 
z|AlYRr$`eSEbP8ts_xT`#?a?N_>!3Jb%1a+ityvE8T?z^PBcPMjk(p0fi;U?v*zBJ zw!+o)mAjt7TqK0cBP2Gm4fWrnSla{$4 zaU4PRna9Q4pz2VA(fB~%Sid+lkg#iDXzU`L<9h|Zsz3opX zVsv}|DcpqHZg{@VCjnhb?p9tlv}o|Y$hhkCZP726B~ThtJp30vUl5B#SdWkx(&K%l zF=juaFvRIRy~rl&W3V;E_-+imZ;p@2QS8UwZZR0M^?Dw@zm2{4&9RH^%|JXzJs7#f zq}b`}1aFvUU}B}*pIUFt0+y(}o7?%`?lE~Lb)JW?W?--EG#b%6<#Jiu;BmPbP88Gf z>`q3m2xilcac^#owJ=VjF6xWrcT;vhTikd5#0k?e0M#9y5rEb$V1Q(U*EzQuOETcCp{Lw!h}c zj9QMom2-dEsZmvZo?XJSHr8|@yPSS;-WpNC_AAj_yGJ1@Y8z69Lgc#Y&oM9L-O$AU zK5V~UNa*O3H{o6K+;49BxkQZl4f}nCLvQtce*2!T`GQ%Fy>G5Z$~}#5ly1=HzcfM( zsxRkh=gEfp8RWli?s+-3TNor!sUyw3U%j07x&Qp5b9!$4dgf(3qKE0x_iSuLim*!7 zJ5HMSYS^GzW~J}f$4>bPJoq4$|BpjWrkd%fuuLoyv`|zhiOdwA0jXxu%kTWX_Q6~` zkC$A&=He=|lDv(u5g#^xQnhMrF8Lsbpc9$lgo%Hu;4?hOT-Qv}avBj&EZ)wmH71-{ z+m!S01$5t62yeW~>COR--5#4p{gL5~DZl)2i}mjQw1i@#4=q*>e~*+*fbeU&;e~4! zNbP%D5_keKRj>*O5fZj-9^u4GtK;WF+e06rE3vk7f2o?h6JPdOdm_R{g~^9T$fv=S zBRJh|+214g3>#kF{{bHy>jxO-`An*S5EXI$B{XOSLJKvmm#{|p;U|b;hb{h?Zmaw) zTDiQ^#(KGMfbfA4`>%;Wd9u&GM%zKZ+j1dq40);}*G0XT-ET_1h`?9g5e7${CiC*x zkG(2?{^kdT>hKZk7lRxufiswQm|UsS(nB2Pu+R8zy(6`echqs9`Q7Algy9;!#C`_# z!V?tdz5~+5O+W)=I&T=U=MFs}LL)p?F4@ZKL~f-5D9xuRrN5d01D{lYVUCvTZuAIX%?b!RtK zSlNOr8+*&FYi9LkvU3uWk0Zu(2Bl z#@p^a!95IlR>#ApHayl-9ruIhi3^UzFZwXNHjk$l9Jj~XZcXlUbRsVK>+d};avE=2 zD;pDcv-kw^x9Vo?3@Y7!$~k|r&srBvucjF$@0ll*;cWE%oZsUt*UKAJP*9?aW7X{B zLkPYans2UT`pmLbGN0~|9!k}F1nQ8=tj5uD)Dqsi&}8fn<|t!!bCz1KiB9lWROrgbB6*(eFsCUIZ23E<8_tqC244b{r;`xjAafnKDj#wRmA*#?ysW5V4k^Y) z`Ub1u@&t~zC1#Z2x3__ZsTbU~TdcL3rB-{zU)>tiq`WsVoA&0Ty`APP zOO^H51S*r?u9xU;)Xh?m6>sR^MV{nxiErH^nfvQ`aP^;(owRfu>9aCgG$&kN)(Fg< zAk}WCoi~tOcR5cK!1xBqC*Yk$VT+WKKX+qC7{w9JaPFlEzMw-1!lK$^+se>4s&!MA z6>#?9HhHyLi_H}J;8dCxGyAYqcL?>wvr(1COY1Q^XDH+G&altf?q6RM zplz5T>``#Hd5+r1u}+)}Hf?uEj?{nHrzg8z>)}23Sb3>gLut3VoYruBrrxe|H^pc* z(7E4hZqCYE>;5~Sn^D+Kdk@Xj%V?3pZqC1>)yBQFGIAR#?6W;lpLOlh?qHo`_1(LB zg6^Y?m&4vv8-~Xfr}Mn>^zjANw@K_)OE;I+Z>~$f8n92IY0pZs8Z<{)aLd4CpYRhl zugo^Bn|g*xu2l~1v+_au;{L%*`BNwQPm^xg14Um3#(1*_s9vyu{jp@@Pp1yhqLML) 
zwo6-EgsdtHjJOOtQFvSqeph6RNSl#cPvt45gD zok1a6W0XwDB-ec-oMTScoMS`GV{7+^)iC<<+(ATc115&z)yc*h=9Ioc?dH+^?KKfJ zZK(vsiz`b|>YyfszL}w06~upDG+$sz->)@hD5C8Kg_{K}7x0N;VFHXGOJ4UKlSWISJ;x?mRKKw#|?|O@V{wo>kd`i1v68Lsc zBhQZGL>mRgH(n|o1W9=(Im!M!1+cgLn~|sf+uFB8hLd(hXDt&BlT28)pjj!YTMA9h zmof(YBA&^5`*p(bFYy0!puyK3RzlIovR-3dk3eoYULBgxAmdo7(Qx(R@vemk%IYcH z&j|3_RWxQSGR*9r&OrnM4rTe1Z+NgZmW!?o$b<4@Lqu_mCehu#&}qDuA6{9TJ{om@llaWnqOisXNs86fc0q6DDZ?s7-T zCj9GKQK5Tq7}~n0lal z_P-sB|Nj&KyCZ9}Ffz{#p2lPm#gDVahpRLye7StF{C^wkd@OhvLYsdngw9Uj`Z(== zM^($RTHD#~&q@2|Hv1n&P#9&53JzeN905Vj4!LArpHH3^p+&;yNVp!QUxwGlVa}4* z7`Dv+Wpw|mkMZRtg+o!N;CDJPE-q2qS$i*c-8cWzp^!|VJ|>y(^;i*aiH*bd%MP{? z&mex|c`L}#1DS{;5#EBwPnhF|M_^x7lMNoQckOi=UI>Ua*S8lCet?+QAhl`=oqYY@ zj_Mmq@GxKbotxXC)71#FC?r-v7-Qq^@+4Ep_?*VUa zy>oyNY``b7YPncKcOH=-y0j4j%p{oAV?D6Z`E|QQ)N0eu-e^HrD;D(Va1*xw&A}KR z3a<`3CHHrGfMCP(B}eN`g_cbl;yjl3MaMMh;g1+b_ZzRve!YgbS(3arcRQ6sbH_tM z`-JNHaL%XWYK<^1Bj((p5r7oh=B3z$ZqHN~Aue0hgL}Ol7(8|7P;V#}b-cPEsxzQC zHUKR7e4{IHL7oE~u$^C+aAi^vlvV(?aB9Zlno0Jzx&3cq&A*?0_7C7`F41&F&-dn= z$6thK!U&9W1BsmT0J64wzxLqe+Qwrg!i$bbrCO``S0Y%W46E%6fvfaL+x)7pZzNj- zVT*%{)@I;YkITdbaH?A7&jY4Zoxp?02=j;tpb;MfAD(O1(OG~*+lHN)Q(cx&6^lE5 z0;>Ed6H?@FK+k{a3_K3%nU!;2N}B`hqTc*+gwS3K0CRnr6W#L1|Ik@UyD0pyKr5g=uL!A!)gq9h0p+0(qP%=X^{e4`UUhXwgZ zUd%%8CVnQ2d@t0qtd6b)z;GL6N|$s~O|i%<&eo$o7J=z+D@=9uC!??DL7KSR5fFv7 zi1VB>peqZ)*N2A>bzP@W3<@Ya2Z-)2@7se8tZRo`;7aNUK!5c^!N4=c<;M2G;y(BX z=lgT-`*jq51;po62%>*K@%*=I-vZ}5^m&0!%MTPeBXDN;Ee!5RY zuwunWlPmi|l~@pxFyN$}N?Wc9uL0G6zXpu4Qr+S$uv}VM@I2RXp44%!2MDw2#%YIN z^7CKxyf)eES8x@zv+OzB8pw@n-jrzvpEgEjgFH5!4(=j&hUInw|j4{ZjLPojwyYE8^Mn~X? 
z$1T6ud{Ybu$K79f2^e1y-`c)hd6UMIaEIH6Vwl6lWlvO{fCMki#;D<3)_|+4am+y# z?~J9iX-RRe?Yl_HXzXDzmzDgfKoDUNCdJm(>9*R-ka%{rI9l!34M~;c0lOkOCmVkR z&~z>ueQ|*$;}upEw{l~Fu=x$=SyAc%_pth?(+i4)+3RBSp5kCP1_ZD@OwG@AyN*hRh>#UQO* zAZOX95%fA4kycdDX_~b9n)%(K`b`=s(bf z0EAuI$~(pTpQZ5%d0lkdq?3ucPmnc;tJVb{qnpF70jJ+m>l?FvQ&;N0>cEb=n;}Bd zxE!b~dzBq)r!o3kM8*m>>}bA#q2FyF4_Q_%R|qEHfhgY|MtJYs8c7WT;^J%76IN`a zcriEhE=Uwc+AauHf{!3>t0?NlBL-d8U@funvfvK-p|ekgyi+@RTnF>lnFF4!c-GJM zfo-xg%*OFPsLJ3I7R}xq2cYz~eSyx|iCZy|Kb!-npM$8@p{sbJXPDVo1Kd;k{?j+# zoA!WB`mMcFRfTzcmg}^LOmN#s4a`Mnd){X3>7uR2)5|W~R`nO!CUGirFw;KoS9=zz z+rEFXV}FoBd3ATOyayPV$8M6`t4^DvUA9*Us-J+;uHGqj^y+a=Gw#WjzrwF8Kfwec zLL@DvVIeiLV5|9tI05-w`d=>?1HQ&t+Z%eZg8dKDTEn1msaE>pg(>eFDy35G7$J~z zRUyC^S0+z2+mi3pf7>O3>p%Xe#1yT|mA?twc%rfO?d%s^*IjGXN3X$Fz36p43w5iY zBwQoZ{6GWSMlb1zDqhJw6KVyx;CkTIFr?+>pB;?&(g_*>ouEs3>J?DFmSo-l^E+KM zLe>~WsGu?(R!n(0LK*iB`(h1{lVF|r{+2e zCTPw}b?f`;eRr8!<_r*)?u@{6phl?XVJ2Pt18`_nx~J@Sk7T9)iv%)VfYwKF2kc8g zY0X`eWCM@H$BB31`4H)mO$vO)!1Mk(I>^iRj5M*b&Q2ta;^~ZgBf3LSbKHi?f8`sW z2i~B2AelK;M53?~bF#9Cml9F!NGmqO13@nB2Au$5OGL(*EZ|?%)z)GC7CSHK$PU@;? 
z$v=l+2o*+YT&$Bkb*{&{2v}HgPNXaHHQ|b>EKD{@I$Ou!|VKBM-V#+4Pm0&%Cy^ob<|F!(MN(C z^FN;xi&OS>RSpSm!}265%)EkZ6jvEfYVxCmCM{sHe47V!)6qk*sF33Dz@L|^OD0x_ z{IB*1n|aMq=p;YeWK&VxWCT-w9K4NtF%K}gRsgx(;$fQ^AyeuwdWtN%RuoH3% zrZP`{kNWGbbU2f4NMkdwyOFgdzcWgQ^GA=Y;?*#ltFvt>$=hLVy*Uy@i|dQ)DyQ76 zvV)6{Rhwa(sRiq}Ym#V7aHvATwD28!#nu4KL#psg3b`ZLkFOmc(=CtIj99}=ol9!4 zp6xgiz=LW2f(O1DyEcjc8(QfqcEZ=6BX+iLdtqzY2mzo_=}YS_L2|Ulh{1%;4T!fw z-=$>yo@Z(>kIkF+_pBWw}~= zAR5MA;%_Q|%f9RNb%uJXJ#Lou+4{d9N`#XoA1pn*YCZ+IX^lewx)nCJ*VV5yw=v)vD_08Yo(?-VM6z%iRuOgISOnBvU;=qamO!H_?Bj3K_K6Vt z$uJGAMb&CHt~6hhH%JvPOT06|8~AfWY&eS#Jw?@7?N2j}}`#R8fy7tNXQSSLla6#xB6`$0hTztFQ~o3In$m zmHoi8mPfaMsbvc;rN=Gj8zMBlEDwCn^I@1;vEBExsVJrJOF!b!G{8U3U}U!ILt711 z){^UufDvEs1QJB|mO7JPT>^hPiU4})_>`(6kfU5>K`tjyQec4H2;@sV^ux?K(bR!Z zwVhO`J`zbt#Wk=|?Ow+VsC$!7ma-s5nQ0%Br4 zKp66*tV!BA3>vzcoTW~)6L^XA2?w4oc|ZKAg*lo>vYOYERWfL>C~wZUuXcURsSdBn zP}i7O{VSw+O(@`_%d2BD?pJ5xWGziD1kP7y6r{t)2(~z~6+>FIHD1F#>}@t^gy_XG z&&bTM;LW`2Ev&j+K^B)hn#tC#uQ=DgvAX zIokETg`C+V2=_E3m1kApWN_V+J+0u_$I`#1$opugS!a7ZIKjK&&r->UaFnWIik*p& zkfq0pW5{#sUDAHwTugWM%vJ4PR|0{6<9+2nfw!W zvJPk=avw!$yqI#|ux30p!VT~Xq0nK5PsF4r2_<*($(RzkM4-V9#9XA6dwO^dP}7Hv zMv2-LG0{4WzhOs%%lR+h!x|%adaj<27!j=l$o1Cku+U$e9fv7#zCR~&<39}2K1QaINOI=IYQiBgosh$=kiVp$cINOfvvzn{Q! 
zc7shZ>b*lmq&T%klw`Kj)Nfxwf@m6X(vI1sQ*iKsF2ga*`Q!QJa6Dadm$tyBrddfi z@BoYXOvp9Dy`z0DwsCFM`i8=`!}eOKUo0i#=J|2ws<`1Eq*5faqKo( z9#KS*i@gy~?*ibyy|2f~Bq3~O3eFC<`Q8^`hp-vz3_$mZ9hpQ|JFg7rUImc%3VOWu z_(Ucplsr|Lu+e$lAEXI4kQv&t zjN(&e)^RoA_-vk25y6jQJVuYu{L0dQmF%z!o^jO(6du?#Ogk-QFAHL=FL3%`RNzS$ z>JzZrG4{Qey-X+f=Mv?8-XwP4Kd<(YW!ahuS;LZX_kknwbFxX8dmS0;Z+EX_L5c4^ ze6swHkn}MZhyIxQao;3HKMBR6hVg7$tK(!_=6RZ61lK$*x>aB%id&K)6V=8kCKt`- zeD1ER@omL=qS5V?M#F16@$X3|tY47lCLSOH@>qllxry{9%EewRFllBm;pJQs>-60y zmq_ps8OE^>EFKI6B;kG_x%o*?x1BaCzf59pke^bZPWDBcc<4#GkHME^aDpJ> zV{^w!g#2K4@uQD%fY5vwVt}BaJ(qTcm1WSx7-E=mraS|mUP^^uL6i<>}%Z=ZwVsLAzbkCmSom(3Rw7a|G%$=Ok- zG)2zyXmJFRHU}CGui8eINP@(?h#>%J_l&hHV~Czj-R60s`(8cSYD8Dhf?9)WAM}EM z>C-9yNm(cI(j2TV@lprzIVItbcI9_WoEKQGF?K$PPi@+%iVqCBhWb?0@2FoT?eRb! zwu;rp!rgp_stZwgqo-n5iqepGB(7&bGx+z8mk1iydFmp)P$V?q->)z>xUwK??DYw7 z8q)2{v_?sUjg`x8_OSr*Pplge>B9$Dqpw@u=F+ePxl%4DD}=^Ug(*+Oxr|x`2E4HU zq9oW3ZtRA5hptq|l~aL8yd=**7}cguZL*uh*F%a=c&g4LgLCu>{o!>DEcUK`llb*X z$lz<%oT%G-`5yt$NN*z*4-aDNe|aaT*)L1$zsEWFvg6*Qd7T8| z)l8zSUv-0QH0~g9-QK%E4@7k*=f*RFr2giJE&fCiBXlQf@Ei}l2k8cclL#vJe)qG; zPnP6F?!kVmWk_KjH*t8e?%pch@(l9M|KQz9?kZ$oIz};88as7$RRJpC#P$z_3l$xdLX&dy5wR))MeNl5L;t= z+f@8R{-M&QGMdvJU=MnSW$yMx*R6oD!5|#V!2g*zPQcGG$=JmNxg%^PI zdI3HaJ6RO9pJm9%L$r3h6J3cqfGI>$LtKEn@3;ra{-FF7R>#jUwVilqCs#E@MON+O zbU(|rhHaH;tYye+Z1_Xuwx#SJ%8CMUT42XczU&xZlDQ2Hr_GLy7%r7PxAi!h>6_vJ zIGo+=yEnRJS5k?zgX$T}0gppUHH^9G+Jg*!d%FZUTzu>GEZO|rk=f!i4gk_RecXw;Ry25fB{0l(I_ z5p?Wc>)8)+E-dCU2Z+>ZEQQ|o(2jv5jX>yIzcqstZP^&2tSjgk|A(r6`Z)E2g0L(- znpxra_6ibXOleAgB#gdr#_VSyH0p{SOXI+KVHed~@`JwoGVrE2nkb;An+J*A-GKyS+t)XG-c18j!rLF@oyfk%>U&H&bm1bR z#li2;l8sbkkh3LFMD=kft*=1k+oh?j8)U}kmqvk~@Foh%QlxYZZ9jVys~WN%AMrdw zMpsr(p~dV(w2SLXbHFoY?T8XwvXFXbhm{yo76r`CnNFN)-20GMKhwoAQ^l&?$Vau_ z?pm8D+AcZ}^m@l49$mvM7R-DH;%Ub_!;BJs@NWT`U2$>nVtFE!-7>7gylr|hxVP+4 zxegXDEP(^Uz_>oIdY2h{$S{Ktwhfw0zC?e-rN$mwV(d-2XL>Q1vyFlSn*CD5x~h%v zgR3)r2U>gm)nA+ZW06%OPuro`A1YB?tGLw7vv+ym{O>`%Xn~KBSXedivG%)<@}}gJ 
zr-&?};8YMigtx`as2L?yz7iJ}%O@rz=`McXak$MO(Pu}9w5G^4No%0C+}iSI|84jk z$~zO8h)<+FR2BZruM^~+%PeVM`D60s??B>?Pjlp zv>7%WO^ALuM*kb^#z;`1T);CqAUe_oWS)6AWODsB?goHZz!ZEmXE^ZSxh(xO*wyA? z?iB0|8?-#2YTg>(@wO89hHP1+*`gtLlav`s&JBVh_w*dT>l8HgadAEo&&X=`cK_ur zlIR%BCY4rQqYijphBH1E9peX1k^%~65OdX*!2MbkUF0Cy74Yl(VJW~KPbr%$~L>j_aCN$*d?|ICSU zMbpJPI=8oJQ#sS?!EvG4RSyY{%&IOUZ9~71%)q97klktTX~^BedCR(dIp;|J7k!xs znKe*25K8_cmjI4}oST9Z7cCHl<&!D^sU(qGl6{_IVH3$W?l_jjo; zkqxAkDB#uSuV6mM;0`yRW(}X-Y23fo3tdt01^419jKSIb6LixN)G-?XFi$Ae{ND$i6Njx zojj$uTMFZFBc`rC-JP9;a;68DbyJB{v)8beZ_ zi5G{e_eXQWgx0wGkBJA_i>#5 znWO(>0Mkuyq!~6bC|^xApUs#H)>OX#X$LffdUL>A>UYWJ;WhA^O7`x-sZ;;uetSCk zNAPh8wz&ssWk|8D61 zOyfWTMNQyq9K8Vgr4$p}*pS#;SW^^K;ss>(i%MJUfZtQRcaMNn_Yo!!gGU(EDea~R z!WZChFZ{Zg_( zUe7CssC`nJOsZWRxMEqDuhPFw6#saoA2bkPcDeE4KBE6ttpmFDX4P#xR{+`HMJ*MQeUHUgM_U=elaI5v8cL1-|+)Haj?B_J1q=rknvMGGddplnZ z*q+L{_tgSLS`rx?^L-MTZ6M?S(@T3VmAUsBb!?fU39%=5okHvi+JW?sRoXpC0A zGm_Z{X^Bl~>spUvMcqxQ)vgMn9gAH#<woxdA2|i1mT>Q(zK7m?nftAUVcLLFm>21oi!D^=K`= z8^YHYf-Mu48SR75A+-?CY}=f4=L1NkGXG+kFb3FNjrkm?hMyWfjd|% znsD%-Jpq9=d*|}sX5AeA5^z6rXxwjU-2RoP7}I5y70zup-{^dPr3xni&C)ng& ztw3wevf`;$We?2G9cCI=6uJarmw*>IDSjpcg}QT7&^d>BSbyCf&Jc@Es}4vb`VQ-H z?6ux|odYlPMj-v1Edd%!D-a1CKodxDAy59!3xs4VSc?kiVXThIG>smBPs^j*7yHpy z3bvB0cY3z`K;{E|-vpNY9xT8EXPYBJyGeDU@MyKxyVKHn;AyqbJ!jJ~%4r2uSX}pP zpmYNUE_`A0e;L?)c}aX5qE6O~vE!U*hDmV}1U(x7N}+!aSe-6|HvT%bM>sj}=ue>M zktdx8lQRD19z+8Hxcp}96X2z3-a{qjnTM9$^${j%aL$s7a0;gKs?#$3L{Gkw2g|8} zQ|llFXc5RPOyGLuJfL*nc?MHaP+|3Itek?NvWE1C__x>HaayCo*R9#+fh4XX?7g_9 zg$1Z5=%w$0a=tyww>m@Sg1Dn?AW}NL?IQ8+(L$j{M=(ec=Y35TW#uVBIhnoa@p#_`ar_7jukdM zl?NvewHmmAdu}=C+17g&ew>A=>Z(VV3r+gtCmI~ho#*Zj^PgmWi=Y$&sbA>qyyfFK zZ(uWQ>UOi`A{+N)^;@l;&hz*@$_UUdE#oquP!A{NDwd9--E%9X)hRw6UtWRjN^pDv zNcicN3r+R>vVlS>w|^|()>0S<0Q`I(OdOM&r4g8x8}xPDsIRn!c-!qqCg@0mM{^)r z8#fxj%G`QZ;d$-ke!W{O-|BzI-EqFD2olR=8f(u-Rye{B;1IC?`i~1O>N~qPku*Nv zpV7a`6h~!IElxoH`7@bk2r;@{QUC7daw1a#y%7Z8U7%#G1Z}N0{1qi-Ve9D%6L#_Q zDWiz`bjVu4&qU51#HAOp`A_nIv#LCM?;7FVtzwRB+?+>X0$8*9K-gF#8BSXN;0si- 
z!!qBpIKH!zE^B}W`7vmXmJ^6|yUBsx3Nmdyou}Ji4L?O}#P19p z8&eGO5+2&mG7u+V{bkq6>@W$OdE5`$kmsLfq4`OCL?e3Ao3|*dA|Ss`U_rWH&io?p z_XN<{kXMi)?!I9CSSBwWoQ|raC$NAYI%d<0X8j}~&;BsECTr2tu?bCq64KZzKmT#c zG*B$fZHw8N&7qmV_*m;>Dw@g@{rsMCN*2qRDq9*=?`HK{*W)!un%B33+933>Z!o>) z!Z0hwPNUpLd%xv8VST86>FIdgL**Ut%F0lO(i5B}31H}t~N5mNB*8t;V1kKZvX5H!9kDYk~Te5?2h|H7+Cv%0VdDc4M; zjRjK-nAd^GvPvzMmTofAG(DZ{DnD zd{3Mh=RUzBk5+mxR4SJzYsiO%cszzLsgxkM*zA&2SgKN_`qOdzSyAZX-h3mLhKdTd z2~`2}MLxK9oT2xr478lB)U~}e4oY?iJOhc{Ig-_-YiL`$|>0*9Y_&xty4s<2kJj1DO?~dECXgJZrv6%pVY(MnL@+BLWA_h+} zb`j&R*i**GyB!NvST0p>-f5H75X>prTQfn{0mOeFqmPR8StZ zaJvw$ z=<));q+J*-zu-tSJ6G0;)KHn=PJtI6gAQjaqR`%rYr*`MZEl9s zt#Ep~L*e6m2A=ztT>t$Zqa4SZT&@iFzWt{no=J03BxK$RpKRLDSkygC~(gYr?+`J z=(S}#ZchXbLCj}LMe~Hy3n!To2nx(Ts0N0=2q?N@QqS4)ic0cR?r+L)z0Ea{@$WDt z4N`%7+KPzPRbXGBoChHb8q=fPR*gqHyag(@y}Ci*ORZj%?OG3!=|E@c%|{FNQs(0M zS)|igBgFDeOGgnAj^N@*>_Y>Ub;2_jMwP;Mwv&=@U7*`SSN35jRltgA1!Om~Kf~6( zVJAUk#2S%;7vRalY#8b0O!A;`D)Gf{GW=%4f)Y-P_$8+-_2Vf`(aH--y$8^W3;9wt ztB%Ky7CV9)`+N&m@=ig01!t>Pz<9YH-!AG14tD_mjF(oy5xbjz;ZOoBPc=Thg)RS5_T>UtbX z5FMPb};qNV^K;r>K3{&DOa!kOl~xC2ic`|wUElyFDRnGdr+B8iTs_aH$PfC zUX>&VGktbW^ZpNcz~8cj-yCpH{#YVmX!){M3tGc@&jqHF`$j8KLd$=y`!4Uw=Q6bMlpz>f>9BK zQARp8K%|4%kRlLzKm%Hr~ z@8Cb*THpHKKW2^2B#=D6a?aUj?|rJnI;TMXfDKURQfrmaQShe%@6u>xCd_w{732=w zDTzj^msDuZmcEJX5zN)a1&=i+2P2uBtlkl(~v-9n?xe(}ncPcp|C zKh&ZQNvikdj<=}erhp2T3q*Ccc{R=ai!z+(wE%Us0}2#|-LfWgB}@Wpce%wRJu3K_ zYgK#G3`#xhe1s}nm1`Vs-iG>M2!BgR{9RDc?87Ea&tPOAJIh(y>#oJ&M$2x?v`xKh3Q{Ns z=DvW6$$&Nim?ye}WQ7j7brV>t#3a?8=bQ=wT-Bu$B`z~JD0x<4ELSvQ&fuIsKVVPv z{nos2=6tH}Yeas)U~#|%w=5QZH&WmY&-resMJ8L0ES&48YCb{QHuq*{=B~d@tEJ)o zJJD(7ME(&jg4*yd1I3LcoO0`Y4SFF$N**vvb#LF!LIzt~b2S*vi=SG_7kWJY%<^@) z`}}D00-%6}eXclqRk^(u2fjVNwX)^{Goi0m4z;A}wgL`Q{J3r0&`PfIhtqi5Oh#V$ zr%mM?&PdKN`E*NdPu7?%NssV%wZXqChqFIWyPVy=KWX3kcd6&k*{QTJGka{XqM&%f zlfO+_e|n$ocQow?tE@=-euBAS7&zgSKfEnl}46uu{%WKryuqA?>AP1 zceT$|*mrE^!T<9|U(~-F*!@i8Cc`hit6lwWpuRA9I$Zcy9)8&~EPJf;|9eZex3S0{ 
z6hy!=aKD+Xk@_hA;g5kDUHB8<$&+105AyLhfBXCA`p+i?=Q)KoR!nBGl0m8sARDuS z+XGqQqH=UUSkKy)1@UR$sCvYl4eW?{t<2uDn<;evwV6MtcscmZsj8}Wdd-cuH+~A@ zXSuDCteKt{Bj*>|bKKZ)yVBK=6Xk%p8PVkP5i3Gf8no)Y&|U6M5iMNM9UzLHYt zI2O2kl|3-D>=83BA2&C5Zq?__WP*SF;s$<3XHIe@{qP8FYl`-Z$*uJIc1?-bG{^); z5an4+TRKZAM~ZXMkU8Xh+knJu2#y+lkeGfxBw{^Y;a*{BkL4-^^A^4R{ei0%X1mi=ch{9*0V~K8GoBs2*a1-dEzC+1zd=bS`Uj!{(~MBA zT&@N9B+rU67<2?SE27Io-GNw2#wDthBN>T^vfP+Pk}Bt*aHsFmj$it0l%0p|IV8{% zP~_PF7WHK82L0i)Ct?l2<7XlzyY_aB81Az!WV)Qkj5=#vTBe!E%qRMO$}I8FD; zASzTV$eXO)agG0wvf{+)?$2q?|RGsbBsk8;K4Rm^_A1Fgc|t^Ja} za@$HT?0Fy-D{}L5$OE23P8yZf+ex6@ZPG~BXBFqQ-2e_Src=2tqS$p-XKiI3-&_RX z_;%mKCpoE5E9#6i#H9k!z^jT^Gi_Jr;?%7roi$5J-j{ggC~F`_Wg$Y87)yU9?i;Uo za9MCot#oZA9s0f1<}2*(Uw?M24X{OI&L1rO4L@BmP!mkaGO6)4H5p#3jS!_9{fB~co+`QnW;;8aGE+m zt7`-D*I2qHA)D^bA47FE3c&)o43bM_hlDMMWeEuWjr2W*U4IyBa@)XGTX@f6bN_HC z$^|al>O z*#`T~KkrE(>nX2aNnir4w%vB|%Dy)fKH9p>AIdsPZO zB`t_5S7}Pp@I~8sh7mUmfe?~eaIX-U{c34?Rr|;GRuE@|>}A-|ua3MW+A~2fI!JL2*#;v!5JDsQBi2O}hMZ zY;3IO3~igx=6AI*&dcarY%op`Gvw%iq-1!T1>em+2Wh9hOBRni&eooFp6s-nd(_Q& zG;fbP1K;NAk-sui_F3dEw)pzS2QIW&>W5tG*}*T3WJ%s%%_VleljuxUvfNl-n>;RY zJSnid@BV5-wsMOMI~yd$PcA-`-27e*Wb=BLlXAXZfL~`$o;|B9c3F3#UsTt!JQSa2 zNA;L8jhg6iK5^T0@VCI-UUv#^Yt5h@YKVJ!H}kw`trd-Vkej4?mR0u#^Iu=`Z!TZ2 zO6E&y5IDOIjvWm=hz_{GN&X_XNI9+6+VNpZxFbMf$El-Rt6x^3F#})BG$VC7t*x~? 
z9t|pN)DLKfKWy9-G)A-SlpZ9RzAv)MjTCz?`OYnjOWjI$&n{n|%FfNJq8t6nxI{uf za-kthre4t{!Hhy@*#J+fZJX5Qwo~8$y5UTxRZwg1wml!Dy{w9MYb`#j86V@MoVHE2 z#CTQiQ_-4>dHQ04(nF%04%Rq@YkSMF$#n6sC{4q`i?u=grbb>>V@|q$G5$M;P5P^) zZ%WNyo+Wj(cN;m(bacI5QxTQi+#~M|*$=7nRRhW0lBY42oh3bmC3&BNTx28;pr_VOYUoIW0UCl zxwg2?er4lg=^O8Dp7Z|}=#JK3xZ;iO~)-_=v zjV%e|*#*f?9mh*8GpB;9J;aGm*@{GRxg49GMzL=4AZgGWE2V&^52A2WY`LAcg*P=Q3@H`>TxW_hdW z+$3BwqDi^3|5%ZG8`hWpr+oi^TWuLs(s42Gb9PvoZ8zw4h3ACc)wleeV0>44y;F3e zSpYX46EN^*`&>?PBau1dBdIB;#StUlW&a2(z*7d6Ye=v;*NIm z7Mkg{okjfNA_-&%9CNaPq)n6Kd%{ygi6FDh-Yo}@OJ5S~=WACL-oHe+{Ai-f(=y<& zyKL2+JoD@BYJp?7a;l!TD5#b3y$u-Y>9D!LT3Q+*@Wh`YdYozIcz?;47a^6tZZc%J zb7Bi?*``jWRG*^%>#O~%{`s$eV(;G;pu}^$KOmT&Baj;%&)*ir{nY>7Cmj@~ZQepx zxa&AB&c%AHCDyoU-j(m-fFZ{wPyS7>cW2VeF;LJwC@aQ^F}%jsJ=XtnMJM<@XNu)B zy}TQhY;Jx2j=~)*x6k-#j$5{LIgS_9wYDesSkhV&2_HKbnptyGzcl(=P7?9f9_Ez# z3bo`x5<{9)?YYvz&yy1>Ej;_bSoya?L%V0W(nFVA!?VA}WSezby28w6I((xfj&o(Is<#?d>D`wK{&Ap-8Q!1(&gslScRC zi4vM`uD>CF!^K-nPB>5Gk-J^f@}3S_?zBvmjtqCQp=Py|=oYVOGq;5CEuU97aj zRUN*bS0%_NdYRMt9A(mIhBPvU1k#ODBXx{DEjuhGBJtzi1V^@TQ(b4)X-(1Zc~)H& z`diXdx`tS%uykrEYcoEn%E_nl45?B>`X`jVpF|Z^tvpqB>dRN^&PX|$o_14lqo_>7 zs@)<%awg2It)1m!dd|byyzL8nEXW&8T({PWx9Hc2Xu1rQG|~|{b^1rqs4>DpHl zP3%qJv!OZ@Q!^s0a3rusAd?U~4-%*Q=vs$}TKC^Bv&Ta9M+a|m3 zs2|_W?I_xJM>7PTa7f@@7j-9JawcigOu+eY#kDLD`tnj28Z^fyKB@T^;Y$|#Z(3-H zmg4xIiP_Q)xy6v3Jv+b0_qY3&elzOVq#P0y&+Dn_CC|+h6n+rDyqZH9o0(x&Mnagj z>y})@ZM0BGr3v>fZ!A1wU1(Vhv-H9q(;LM3y4~zJ7Zz3A*wMm!xIysFZ!H97|G_Lp z{lu#@;t|#9`pjjm-aNay8?ti9tMl94><101h3(sS7xmB$;U~3;Jcj00izQnZ?m2%B zb6RCic`<_1H>sr2XD%G^SJlf;OUGuZ36)F>cZex(=d+37Og8~j!#XXz5sO_?6WfS=Q;wIN)LigQe$uq!B2y8m zA1AZixv+3V# zOMT8)os{|C>w3&ZTxE)1cQcl$kyZNVd?|V`LwAC0Sn^4eS~|`<%?< z@vP(h1U0qaUIFFLVMM)5M;8`X8)Qv20Blx#rcu zbwifS8jo8B-CEmhFe(DmJUrXoR%%u$_rsHp?`CoFQYwA5DElPt?fnz`_Nn#+l!6QL zChwtB7a(PQe>Urtr9iZ8OH_A#;!Iw+XRx!yN#hv0Z*h6uZu-r|3Q7WlvV=pUPQF;S z*~NWR!Z}trb2^)AKlJmYyXTUX*4IEKnSDe{lKqs7g|5iT zi40<>CfS%xWPGCF`2L+q#@H!gZzq 
z^Ff>bV)CrQ+RoRg!FEw(E(UDcIb{+BDdLCD~yhwd=v{<--#zco<5pYDz9cM>avyEMDM3#B~$yq+E(P&eBWunbgC*L}Vl$mklx3Z=fhj46$EYjprET-jD8Y*a$&>EW z(^s|$$DL@tnoj60qvO$vDc-s8HQduT?1?iAXx49=z7kPE&W5W^JWVIucZ-I5eh+yqiT-s~3$ESm zv)D~hVyJ;%KON<5#HXTxmE#Q_jwMI*Ji{RZ^sbmKbw2B{$|$k=q&2hZ$*P-vlM~N= zA|vMPBo})^%w2;*;-lO|{0CjBV6l>gd0DyF5UKkY@Nd=G+(y4WiXXj0j118UJ7MGR z!#r(|_rqUnkDp62!;$+4&1{kh;qG1Oc_W8>NOn>ivj;E+@gq5sK}W6bxo$R}-Jrc6 zZ@T`vPGTG5rF(b1wQN4Oh4>16-tJlW9w|zal?4qM9QaJRyE9T}pF4M)5G=-acCQ&` z(-&qSA-y?|;O?zkOrh03zPcV1K~3FQGA^p7`@R;1WnvLA^~Z0NGN*-x2Q6EDD^Asj zThd_}ppPN;*<(}MO)5)uY%rgfC%PHdbIP%}oc6`v+iN9ujNgkQwZR>?S~clZcE34( zOYcBJQ|6cM1?4+)n*O=nd3fr?q4aZ|vZv+y@KJbHDVWhs7)n0;WvWGK%=q2 zcSsh-_+rnA52Nl(txhZV@;7+Qx=_wFC*Ra8E|c=a99ayQ%ADnC6LD^t@ong`X)GRf z?;o7n|@Jb`((%58HE zZ>|_@F3VxhgPN}G!kjd_fLDp>t4#5S>g@h>{z`tF(S{y%1i~{#gO_{l#VF24GLS6s zVsVV)TOkQ2YA*M_RJxkYAmYf?+`v(0OB#_jdX>T%xTmsf}(>#t;C&8_mV5{x~u&_&J)VwYu~CTB%ze>p6-&g z!hsrj&JQkMhW$1N=)L0&JYZ7|v`|W@kVP>@ab|~9&P2GVy$%4<2v#~X$#b(5F^AH3 z9e5>Osv38t9mW7&Cv_8&f!xP`!od0Wt0C8cag~Xt+usH(zf@TtObZdmTLge@DiC8i z+4k-T zDxBHZx{^CY>-aOj^Sfmq*7kT*e6ztRe9wE7)(q5=MFtg$Y}Q zM%dSi3WH1*TR%o2r2`L+zh2oHG-1}z4Kw*rOwS_R2Fiw1yZ-m!>)F#jH`17DMakoE zKXdKP`G;j5xM#|WH0907n!3Od?mDx#9fC+-!k5pfz(SgwR&Q3a`d0@rIc)d(Mck4O$(mKX#%BfTkO8;; zDZ=%)4(YtaK@NOXyc5@=*66WwL=>~WtSjA@fS?E$>N<>-uj*NisVx}ZD=US;L&>4e zrbSs!Roqqlpl@8WJ-cO-H%$%Q_s=}0`R2_$&OAUNb&zW|=jw=84ATiXJQJsaoB-fa z3A82HM)FL+6XXB=sqYtDqlX#z_;PJ?gx@zF=8-$$I~WIu1K%t!)`NJ}^tP9*t9@a0 zFUh$jvo>LGea-h^|H@5O7G8YEkdEtTms$$R#@R29#|cDZ8PMG50EvP1p+XJZ%(qm_ zgu6Y^sWL`RDn%dqW|rSSJQFtg#3TmF4LKz|rP+hw@Y(AaR0-&BHL`CiCTnHhxFq#E zBkg{!kmCtml#&$cYjMwH_cNyc{Ce3n!jo+_ETpOI2sei9&O?$YKh8jrlYY#Cfx~OZ zv?fluruOfYPl0OQFIQ1x^J%Vhs2qWKVi6?s`HXrxPDziP5Gw|gri=nHXGBdX#&1hY zG+u;T18J&s)@SQ5+Ax!$*-|u-W7E^!Wll@^^oqBL!=_S>VBkKF``|Iwl4^mR*!%al zkpwo_85N?RV1pVMHhY-h#?LB2KGmUa98JMo4)m#GO>-ZNC7L6;%dS)CIi}j#d$<2= zPR{zhd6MrH{rb?ThG7w079Bw2>3R;-JqjXXBK|OQ^RTFo_L?7Qte$`adRwE=!OU|H 
zX|w0zkJsI&jTMb`hI^v}8A|KxM&GXbcqcBG7mURo>(22mjO-G)U1w;|D1jyfop*z_)jdYkvaSFj5U`E|b?BkAwWE^(8gGEb9JBMF7(M!h@ zD1;g%cb4UXPH)|0%>AP{^SXty`v;4}va8S$+RWv*C}PI1iA~(SK@c9~f>=imE_OLb z(e*z$c=|o!DB1y3x)dbpC8-@pT!;~kMUbF@HQ8-3z=aEp#xsEUkZ(=^VYuQu$b!WxTJ*0hF1y-J#)ca8;CuIejTvzT`aD?;&ENGl zn>GI9b*ElIf_l|a^z4Dng_%G1-~WBJKOV$C7xw>F?LW8OhyUA<|M5uvKX%s6enJ5^ zB^Z~k-!)hl<@s_kT+}%jlo;a37za^?z_+shaR&aUzn&dMTF~c2!8gzyRpdP7M03LD zo44m^Q<4#4G}7fd6p?4yo;7DBzAw!YWT)F|?ZGZJiLDP5@<)b6u9w|ar&eWO2Z5xu zF8Ea5L^{2jjUm!kz21dLd>ftyJERUU?YKc*m=KF~e)gOEIPjeFfRMwM_4ptyd!UmS z@E$4hSUi)K9pq;VAdaSh)WB-raitv4Q`CWLaDLg3qpk^>>H3peM2%F!JEs>RA-AAl z%muFs)~u&cS+!q0;%+>;Z)B>DgZFUXLCC;tt95d2eLY%yT=?lGKQeGn4?A75L73R^ z{Syc!2;Fa_F@XZK{nzG4_OsuWUPXbTFBilCekr!SWi;TPL%GU4bm8#8guE`9iM zR4B%_``NDHk$m7t8A1-0iG*Jel*lO!yik@r>BCfaZj6r#Mxb&*Yb^UPD#GSX!#!<6 z)J?|yfXiMWsVwZT4HoP<>AE^|c+QZ)xd@&_nMa|+$c=KT;}H(ebqD3PpSxKfarwpX z+91A7fq%Dv$OYTG9SPaUENo7oDCL+His`8Yx%Ww9mKAFBb-Ydo*d3eiU|@4#9<69q^C1I% zpbeD5N-R2lUSt%;S&+cgK?{WKoll8BkQ$lEdJd?mUE_#v^NVu1Ve?yk-@hA+Y`{Dr z`ynbY((KC&(IfLFU? z#i}#^EAUCbrzNZ}+@hW<1uxCEH}d|dwfs%)^}}N*$SgB~ij{w)tByF4!8?MkYyyT!|j zux`F>3^fA02*yzEYDKeyVKyBw9^e*2qt-~((FWM&Do#jybi^U!h z+jQOIKjM{faJpo@DNCTbr~H-r{c z*?`Nchs|@ZSooR%VB$W`W;H{4q^^KA{WE^1u-`OCNw@1d%~be_A! 
zjs*5MvYzHEEYa~8PsBuMv2x?99oICXn$m^8qx^9)%D}%ahB+rif#E#2)AR}&SZ5Jv zZ79N7KiYGNb&Xz?SqazwI3ej&lpYg%%SmpgVbaT&Oq$#(jfG0*^zoI`9RBl1RBZ=T zJ>56iTk|qfWIr37;H_r@C$tBjI@( z!?tX-{9_=^ycI4sGsJg=uAD37G}ty^GhiW~bb+IrhqET`su!EjGxf^~xYS#;#=q0x zbQ?30`xGl1c*^3pnA^^71e!&9>#y9)1M?wXt&C_P^QI5Dh^FFRKtX~-T!y1|;8Gqp ztII1>5jXYDDKnRi+XJ6`>K=)vp3sBsh(Dn`l-RF%K(lh1_}k6cz(}6O5oi5oVIj*D zBF%P@HEZ73gh$>)>UXky+BQ`;d|dd|CI=bN5AX?Q}MUzn8ai-4Siv zTzylP$5k(OUl@J82w-?Rha(B@z9{gY{OpTuZ1&baFwbDG9V%0 z=)!69p1t$(xN>BmiUPn>of#nxX3c}pV%KacDV13I&G0SfrZBC|uy@fd72jx1`+y}LkHoYVtwjiddCsl+hX0~^EPXWpgy4#L%K(`8!-SA~M3 zKY*sUYe4jF0|7^#xb|p2f9Pmd)BgJmTf=pvz9{?qRXiY0E<&uQzs!>!<%mT>T)G6^sX?2t4}Vcg#8bR+#QuE+a8O0$GCl)d_0P;XBHwOFak_i1hQNxP+fvz9|If!NwR@-9JSK*U) zy&R=Uqg=fVHtq#Ht{~`jV$UBsvQZ;gI^IKHfcTpzO7U%m<`F!D?NCS?^L)KQ;u63^a&$$9@Q|AYr@wO_wg(EGYP~hOxxY(dtmepCZgRQddm|ITgkuBcU?HbeW5+= z%@FLqejbeZf$?6Xm?$dchDh&}y~f@TsfBkDYl}PDU8r;6c+{P5pJC8KdEk|33@ZES3LOeh0;0h$h7M7QTc!qUs01H zCMLufR))!*e#NUP+_j?EJhFQIsgyDao~(lm%PWDa%4)QiXe4m8V-0Z%1Yx@m=P<(D zS7V8~ur3(BR+SfLww-!$mzarWa3uz|LJ+frWLjX=5u6uwy-;YB-yLM)S&W*{om5#1 zLW(EoZWdri78+g$bDuG3gDxa+>g8Uc-;)LImNoXIKoR*qRM={C zT?0vJ@cxK5!S&c6v&2cnC5DH9v`@-wpkOIrH(0XmG%PaQ`%j?fe=2hSghKaWpwHEq znY>qhNhSCYL6y0g%@ysEJe=xEFyDAMm6(R}yF)XgJmEUl;(?a$P74SfQAQ*veasOL!% ztucm%9?N?8wpy-u++!ry#e7GGD{xe|lii#(y^t=I@XgN$u)-GLQIyP=a976#sTlQa zuX>&Hp)eJLeykXAdHqN2#HhP;uCGy3-!+b|gp3&cIm1FpIhMX~9Bq0idev$vZ?|b7 zG(Z<11ck{u!{q5qs(VmWg$-u6`G-z;sYC`H`k5a+%S}YSPlgN8OZo>CZZ29J5^E9! zNF2u@gybSsO6e1f)TqrM^i?e3B66sX9(!YvSZYI*Bw`2{%&5)tw71@{>;3~o`5*r3 zWu)*A8F{%2gDbR2(@?KuWr)7mPNqB8)O^IygNPlgX3`ZIrnPM(0KE&RBYo4v!?W%q z(EyCGI>6G-oG1_KyaTeRfE*ohy$Kg zS79@280rix9TMQQ;rMS|%YWgxO`Y{r@?(Pt$25$o_a=+}yV5O;h|mHgmHF9|O-V24 zDwnrGWdDcy>T+pa`8`jQ4W`FMFyMPNZE^u@f*f#Dt0f$CjVEG08Lm8R0f_tt)WJ{M zjrZSQ zQ3FmqxKtgX(FLssn|;RrcwJd0U*J(r&VlPXO4q-H3gyA-$!UCi#T)!e&_ME72zVvk zq~w^rU==@5NQa|91M4w})TRO_PHgph%bx*pS>ei+a~(w{o|{Y2k>43ezYPQ^sp3p& z{v>98ou)atO|?+}dbHB)VwhO7e9AcOJJDZjPX+3OQhel<5m2E18-wqE`foRYV(m}! 
z?#8dZtAQ7~9pu|7nUB&Vtl{>A8|XQ|K>{h zzn=f4bZC*xead9}wO-^&F#M_7a^vK$y=w$`i>FUjawg7{o1=?HGwco7|{AfwfF(}h&Q%m9{6i9{--_rZyUjD4#U`> zkbZb}s80A^~gW3us|0cS>FeI6SgocV@x$ zosuv8e|sjzA<{Q|tsc_<`IM#e_UFSaP%BVL)`GzeTLy-iC!gxSpFaz7+=ebe&9ra{ zm@_)L-nR-bn`(n{)Z8?}F$nMQRsNdDJk*D6@Q)=Tqee(d;EXd7`$8!T_(0WAuVEeW z`+w%&mSu8GL;JoR41v`o+92`h0`iR&G}N=foguD6@GbWHm$1desnc)kye59y2aJ5v zkbty=oLyC=erC^IzBt>~hDAP!^vbqV$6`s2V;W&+%$|#(IKRWvg_pcFm%kfJlEF@T_96{-E7w+VKOrn zFk=v*Tcv%A(C@Xl#q(vc^l-E}VI>Ll$%sE42c`90$VnqTX=O?=Oq=A_Ow-GAn$Q{R zDJ@+CL|YipY(Ur|bd{^cfldTy<`cS_2$)*e0^cXGCT9(bhwVHoBZt9jslVkQc!W}V zpqns&@`5Kp0^UZLtT$*I+ElMkA;yycfQHGs0fFg6K{23aG*~i+Ex2AG()li@wTYxh zy&z)mT;RbGjU@>|08Jrr@9{K6hjpRPpU#$P>Uj4v_BC2$y8 z((wDEIvLb#YQ!$iN4nWIQfCR)2GPQ2B>V4*-R1}M?|c{5!BX!jX0bjOAER4qqC(@ z!cES;XwnZ}q97b6YO!3D;_xcW-r&*XP#KEqm>JbMU*xN!Nps=J^!Yq?k0CX2YTN)@|OBVg@eAdC*=g5ZP*csFP{8dd9UQ zlOy*e$#*ru=EA9xZp_u|)AZOE+E=5kJ3MuMH@B^9T~de6yeH%9a;D|CXD3RPJ779$r1- z{(JQPiRF|?qcOUELb}dW-Wp_%m*meZ|&qloQGm z4XvFgItEJiBw(9}SNcTIb#vY-f-Y0}{kyTZ-N2;F5-d>!&J1cksNYyzi5^G7C(M9p zn+MO@J~4M`T#=L2;sl>(Q8{U){1p`~PTsk2MKb6L5k~wj`HC~a$xo6{>OpZy~ z+ePIRY|Cf@b_p34QhKFVw>&hF~%%KF4NF>f=&0x0o=~>H91nag~nAMI&4Rs)W*0Zqq>VK|MMc< zGO3?3Nn;rr2~7<&BYC@u2|YQWpwE{@uh|S&)?$HmSBYnsTRqVY_xn_&{g}|h?zie_ zI(Jd7?x4WHUZP!Ms87lHw;1-78QvFTAprGG#?Ny^@#v4`KIF0cw~K5SijdyE@uoQ7 z;#5DcOTsmaHxf~}>sO~-E%5F%_$ZoTcRNoV$`3gLY!>R28SEDxvoUvjsm}O4#$bz* z_NCyf@mz^>?4YMoV8;+GAtJh!_G`CWtK0aY-!zXl3=7>a6-;GWMc*knZ?U4f4z0Z@ zZ;#Q0Jzh-}LsDQUXzh{G%88LjtUo3T6GNj)w!~V*)}d9!y0uzWqRfVi)gMb&#}Oa! 
z8b(!*8(dlY%Aiyl1@Iy?1w=#+S3whWl2|qzmhu-&a<&k)B2@@hmR_H% zG535#N@dT#K4pTU5g`YvHTs|TnVVBQiLOVQ;)7#Vk^1L(VzJ7Nes~YMjl9s3zPNZB z=cMK8x7ZnvM!%cpUxSw2*K~clRV|WUxwiTdJQ@pPTxt zG!u#K?KYMS{4U<<82E=$v z`ubrw@7?<}FDc_@=b#_6T8-{yYHP%5F&QJSDirIKp`M6yj#-Fj5_PI{YQ+MNa|R!~ zS=j*Ij{B0w>rH98+~a?o@KPkL zEn2tOtvH;$ZA0%j*7Q=oT#H1jkD79$E3cNnzZGQSPW;0Z_7c7~gnmT+9H+#d`W+nz z%UPky;=@iMcM3A=#QH4el|i%LIyv~mJ()RsK*MA!!f zj_dNIt3AYK&(DXBuLD=%_Qtaa+lrkFU=~;uGt_xy&-&N(DDXJc{CI)W06fn|OJ1|A zD(XJLZ9t$YwAno@W$k`F&1QB*`NHa#05F8q_gr(-ywY;yN2|eL4^P`P%r+3+Dp6ja zhj?Z8^=zA_+W*1Pl)gZls2a9zFke$RrmJ0^YW(rJHOM3z=_JUu8c8lfJ~MM01^~}= zGLlx}LwpGR}xPwmH>S9lj+OSejiCWc8Tu=?5EL5p$xRIv0jW?kI z7je8znw6i4BVpIi1>CAx#Zm~9(ebu;b46-EllRbAXY-k>sU=VLcVe&ths9ry`n&aL z41E(hn7mwbNXYzq_tJFm7|YX@3wS=~QmLQ$%Ep{D5)2x2X|TWOq?9F0TP>JyDbx4v zjJ_ReN=n^VLa&(6(&|~8W;D`OL~^6=Pd_qJdCv3Tzx{~qUM`V!D^Xv^+zIabX?11u z>&3p0nrTH3WwoUHV#k(A-HV#LrK5!SzyT6~- zbyjM!^TKWWea~%crtU}v7TB8()-Eea4ZXInh4Hh|RI07xPCr(s5b7F;S@H`#o8OM1 z+2;4h#)i;zmAbjoX)dIlL!rxE9d{5-X)U!bIqoDFCPWwBFIzz^_HR%H9qt$kbQgEi zt$Nj+TdA#4@E99&$4bP?C!F&{v}%c>)T1<_jEIBSYTyeHxF^_xi0;WY&0g zdx=EeBu6?<#}{Cf?2xLN5#c=`rv_u)CLrr3twBVdJePXcgZweU&p5ZU6^PU#{@w%g z?}Jg4`MarpH_`pc10}XSNg2|YyQrfRCsXT6juqTuZT`GE-k#k>zT47|B-;vtT9)Ybbx~ zh7aDTxW99b0V9pBU=nT%eFM-W0gJyOnHwhT0}ZeKRm>7 z2$DcI$!pSYTesZ%A^#6@A+4ZF3cCb+P?RQrjjNYQjMUpthB#F6#!S}ZkQRAO<~99& z>A(Q8Eq6*U{_zMlX>5y;LnhAa4{yBUMtL1CmqY2LpMrlRt@kr8C0tpA&hv6%O#N+# zXNXO*JIz*1F;bi3=_H8P85D`zqR!gALFTFm)Qp8{UM_u0vO$`D*@wklGN`pw%XE($l2CcPtIWU&@yA=q1<7BB*136v3Zl*)zu4>U-1} z!_&&mMKu`S7VaOl63u-+BvhK_Hw@jkHpFx>cj2X)(hQy##4=NCZMbVf_Jdck>cIwq zk)aVsz!sX$p>^sO!O_GK%Eo**rYS37{Mfu(p^b`k_#~YJJr1)Np)=H+76i^L=l^x{^&f} zERz*!eG%&g&MIYurO)v7R7fAUMX$t~4;WG9FjPPOg|NWu8vhKkYD;GC<&^!k*c>&X)X8U@ylX)W=+ktx;9kR7~4_Awf$>f#3PugqcVC9mdMQCd<-)T{#=%!8_Jza7;!Kno2nUVSsf;rN2LF(rkM zw5BcvLv*4lJc6bG0rt9&z4S@UZoPd&dkHsMNm39+kBy-2XzOo@;AwX> zyml<#d(h#U=*sY0JnxxM{nW3C%NjNwPt@*u6_(DUP|aV`-n2E}j_OXq^}azZ=SX%} z>CJNA&>u@;q3yb#$SILqd;B85T=`vd)kS37UFzNu{w?z9QZTzJKHiudTZYOFO?c#t 
z=H!}|dA9QDX^Wi9qe4**G+m-RC;IyHpNjUs!%MxM@8{A`Aeeu=keam$Jw1WmtBPd8 zWqdZG5OG((8y3%B6T3w?^=YeSp?4=!99!raCD-Zazx6dgx$oWA_A zPnv0s#m9znTXkvM(?%~o5 zk0UOt<&MT%?|)ewU0i19o?v#yO8a+5|Af0D>Hc_hmMgwzdz#;S*Dp2Z#olvGb16UG zO!hXp-`A-{&?h}QXHiknc!7xpPFJscF=KD*%=ZiP^M7fQPt|FF;W^ZC81duCUz~(1 zE`zSZSsQ>oWs>);Xx9|aH7MX4i_OW(6eA#8PTJQ$zVmm>@UMddf8t{Hx`7@sQ{>S| z8TKw|s&l*5a29>vEHvw?xuH_md*XZn;&d6Mp;?T$l+t<3wwQnrRN#Q%iD9M6QH_Py zrjd5#F6PY2YvsHQ$Uv~QR=>QvL;QjbrK7628h}Q0>iNu5mGNJRRpPnZ5@YX52=eO} zx53po;C?2z7rOg&tv{k{jJwMqnr@ZaPG57LpGMfavu)n-$QNu-#-cdNGc za2z2@=ZSQ?RH8c&WmUj!VjY@sbjkFs0pU&_(`LA8+guXyn49- z*s~EgRf0)~s+T&(FU>#BeMvB*Sz@Z_+bW2?663&V66Q-@AC1fdk|a_|P<7VTGI|k0 zEnrrqWJGTXMvg3CEUy@PhI@Dj;kzNMD8x|S(I z?@T%1+PL1^ODL~3j_4K)v*nflU54OoAFBD67r?)t!YexL-(dRM+B8_Rk0&KWesbRH zSVa^tnu1YicS=o<{S(3ZSN`?C{Aq?q)d7sA(41s;}sr$7?~<+1ubhtpZ?DI=110_KHxQh42Ka_ zWE4Z^T7gC`q}wepgB;vEt?NVWj~sbdzT@X+E?0aR2qCS&i4>tx7ZT(p+#JALxB~?4 zpE*yl{Pc5YIADWzmw9dFKYG+C>NY+>DZ)K8>h&IJ_7yaO(<6e>xpXdzpL+1pC|Y2g zR01c`6bMhkxFALFnMTG_0eiw;WwPKY!?)glb8=@=ldfaEf^N0&jmj3R|en=KAE|_y*=I&R09~Dlau}T&My7) z707EjxiWxgpbNMtptc#?faCB5Yi`G}({K%!3vl3iliNsh};*9fbP!F7d9; z@l+6hKTeZKM*RGl45ER5?Vzi3r{w4fV3|?6?09ti==_N_nDbX)M_AI3?}o996F{sd{jM0AKSSKM%UPBR z80tiz-0m5EQnXj~{#8Rkfi|uB)@xEF8n2A0PUpvDTkWBP1frRHvIz?JcV^Ibe{xy+ z>1&i#*u-#%ud-=v(_NCPS`5?=Z!d8#GBGhJNV7Rw@Ko^sVehS@s#@2$QAL&_s357J zh;*Z((nvSb-6BXMDJ&WTNs*Ke=?3YxKvC&#LAqN??lV1S->vR*JbRCE$Nl3Q-+$<0 zvF3W`e4qD;U+C4k`VKZWmN8d=wwDOusAlwItvFsPPftwyZ&VlYZVEVH0w1|J<_ox( z6xdFz4r}8|nypk(&*BIXla*blSX#E$WG-07!Ne`J{^N5A-`B3JhlOtr#%{c1Z)i>D z&YW17`<#odGcLhA$vR}#BkQ}Mi>X(aR&hQ;_gaoPHL+%WMGIRq&gkHInCb3K5Ycs( zdc;+EjI&|2`%m&ca1f>t!-P}J9ICN=Ys)UpVPvissR>7M?aGNi_Z7?=`>+w1ZQcZS z&0bRdcUFR`91NX|V6ym`zt)1|Sly2UfkB*Uu5k$E>?L6wfNtL!OtN|Z{{8mRxwm{+ zXMZ3%je1~U&J;3Hc-HgdOtWx0Buu1csT>5nIdyKzt??(B7kZw<4sSW#_negGdO(8S zu~qO`AGnAQVc)%==Q!Y{_v5})z=V9s1O}q^eKpX-cI|_JTjsDh*tZq+k6I;9C~~!Z@^Dpdhe%M?*jtP#qx2P14_xkM)Bk~KUQZHcsCQlJ`|jbdhdoV z|9B)EXOL&TXeSHN>i3YvpI@av0dQI1CTsVgGsc 
zsl6!g-KzpX$u8vH3kX=omw@glY8r%VTKX7FtRXeCibmAsugaOG3=V4Zj0do5UqWC8 zlsmp}{Yk23BAGSt+txqRB9Pj_BCv)yZ&g%Ni&&j5fF0_PxvL-*Xugb^XBH%y`fd8) zbvIMwp(w2+$d@s|U;;$gc+BVu?^D?(amK=M_R?p=E5G#!$Wv`R%az1^?R` zGC$y7ev`&SCMQshC2}t1yZH-ee2V^cgul>zhB)SUWG&aae37MOz4TzV+# zSpc~Az1*W_ui%SzPmDvUQH+pUGKgNbE?NN*%A)a{T|nl;I>hvQL|NJaTmFPh($LU1 zc$*^-0JIR6)Dpnmhjc;dhQmK?ABLX`2wZtC(_teb-PLptXc306D)u@DW@$)a@1T)A zVOmo%4=w1oW!SUrn+T2eaF}NNH|L?H$)2HwFb1W0;P;d~f5PA27XU0CK&Xss>85ON zeySH3#Aenkes_KizG#gb7{@Gr4H)|+ql*X!^m!0>6DljysHQ$*hfpNFz7jN`Du|cB99D^p%l5Xrzug*B#$Bj; z^8A~%tSa83&N6r|LKo>eY7IHj9l`e1XQ9>(%5y7?=yaHLvc6k_9tFbduCfwX+qFUA zn)M^j;|PWbpgaybD05BJaWI^D%PKGL5q^qu^w5^t0UzihA!ZR<96US&fok#z-n$^I zV*;G|QiKj+gkYiaVs!T7H94R#OXY)pp%r-vIzlh{vf-m4#{o-6;QLmMGNBCK8^F!p zEUVl9#3607x)2lPResuJsIufFaN7{<7h*mHPuN@8;dfX+mN!2pWPjO4Z%;qwlxQ(O znV)f^2w-6(t*P5t0N?KH!->^B?2OIK^Z5aRjE;F$7iS>ZmD`VLz=(G{9?WZja^lZ0 zdQ&pD2|RzAd!*vYw(AbohhXkkuDylM4E2TbQ{x0;OfQ z)Kp>Z{8zFQjZXyNG#KJfGUQ`t??62{dem-ma4;Ma6&BQLBKYcO@8ib`!Y?YtH1J#mv~;VOwq+S$(Jc<&WLiFAFAlJzuJ z-D4-t;1yRRhMpr7HNXve&!Ge5n(Rv(AQ7^&3CQUI`{ZL!SB~{q@L?1d`laIzBb3A? 
zy6M;jdy3HXiS^fPQ<8QDcpR=716!RlMq{SSa4WSPswcCnDj?v5l784n%H!DB+TFkx zjr**3u+vlD){F)nhwrB+ILt5AGMUxhCw}KsPT1<6p4eNTvQN#&$9Gq`wZL2TwcCgB z_V;Aoz!)9j?nNTwQYS7R9sT%e!oTyb1UvIkAK(R_RjTm=Xm*^|<2L3`Da5ab@Q=sD z7?#LjNIdZ{n1z!(Aeg~rp#O-|&NKFyiZU*@b*5UN8aQw^`KIZzF~$g`g^iQ#Qm_nx zkNdFs;avj}Xk;%yGt|+`6)}6~1H6jk>ysQ`2FCOZveUa4IzxuR3zn=CBNF4Re{}Vs zMnt~g)2!R6lebPpKgK;ymza3dfh*U_s>C`&^gTHrnmYE#*}t8tQ^+Su2%?cg=2I+J z2a?v52VnTz`4nwr)|ZQjFoL2TMmkdy3ADCK;FLvdXN-|9OY{aDWd)FIjDT2)HKJ$* zt=;m^&@J9gLzvIjoc%{TNs+egRAtS17^!7;@t2&+AjZNmf7$ZEU-Pn(l(h7kSRa5l z5fpK43u&u0QFoCpRN%Q_c7+T$=7wvktlizZ(dQj|4Qg#pP}~Kvl4swZ{{7sqo(<3D zURgBFwQF67O?3j#$6!sZ7$C332o1F(u3R5GpL(QH2%^4iERBpH9p&{U;KLRJ-r;Ly zwMtn&c*Z&k8e{9mKs=X?4MzxQ8{tL%`GlPlY+Y*F#IgH7S!Wo1UQ2&Q5P0crri+A?0=n(5FA zFOjHI>nDJ7bO5RR5%CrC{F-i1nqcig4?+9-%kB&e1u7y|!Xgm`4S2lAcUkQd!4WLY zdFo@7;r9-{^e7@D!oq%6(?J*wIaEJ%_Xn>)0y0sb@Af(!temvc0irgDSRf%xFDo6q1o-+ zYVRsQ5sisxvH||nFHJ?N*I^rJ5M?|MV!V1FthfJKSG%CFbtc)tTT>-uVc>Kwjt*a( zI1mQqr|o?&9VULMbr!eo7_s_Sl($bW2XuwLvRr-e?=IZ#b;239z1n?jI|RqyMps{Q zb*J>WIUoy+sOq=#En*4w)ts8KhL3PA!W;EJlVFkG8u{a#q7QK!Pf$|rx3lX$)^bKT z0lHpg`937%2d91C4yI}?R9}|9MZe{eKRefRwQTcK*5bZs{WA&XtIjbVETsWCLx=4e zx<~(P`}jdgM&Xn-~4v9fJzEH;vQX{9OA9AXaA6YqE1Nf7#x2ET*{=8sSv`=?3}l^ zvdWvwDuO&MB08GXpFD^CcPG$acMA<|ft(;(69+ZE0Y1S9*RxC!kxM8HHx&FI+v%5_ z;7w6I|FIe8C_2uT&{4L3b`>7jVMj3j?wRuM-;)xDepS1TQRY9p%rk=MdCY(ImavdR zg6LGt54ZkV|B6E5iQ5lH;otarUW)k8g$mQxVE$*z2TeoVU+%{L_@}%SbQ;6)nf?FK zY)l}L7g;(1Ni0_g-K~aEU z2fKk(az?{WmEh0y@oFc4Wmvb+xPoz<1{qEu8mzfctCoVIEaI@&1w$QhehZdAb^E^? 
zCVGhwXMokT0~CP7%<94KPJB84!$(j+m(ctBB;+m8bl;0~>uw0*eG1~|jbJO$NVKHC z`b$ai=R>o?b{B9-RWj}X0gDI?B{(=s>+|QUSRxeitlp;2kR*vdL;yA@POEuufx**B z!@tjC97DRXP6Nqbj(O4Jf%7s4Geqc{oSz@itCOkzG%@2LTouU4nJiSV zluq`OjVzqtkuCPsYO%AuPe!PC(r7*hxYKHy-DUFZLz61-uPU%3c z-V2`jqU7xlQWGEgXvEc+?TM&1=eK^0=VPEyxYn%h^XwRq2|X0@_pEGk5bn%w<>PO5BpiF%y&r6Yh0OdH!reX z__SnLwfH4gH9SXG^L^M8yV$RC*L-bbE&7WyTe%yYIBzyv>byTCGr`$Lt{c)5`tjrW zZ}(}B`q*V|=mWGt z&kaTYHocsJDH1EJsvMJVS6EVGPcHQpwW(-a8YT{Us1=bm=jR3yD4 z{O|EMl|HfZ@CN?#c$UuBL60)o=tb`m|7q)uM}SeBLP8MZ8!iH4X~ehGjC&ifOk24Y zkY~*Io9A!18UOB37}L@RF~UuNOYdCCBzJ1&96y1;!(GSE{7_|4v|%>ENR78`RmS}^ z7QQ-!QZNB#G&y&{kM$A=iY2$aIrl?6`ZXZqsbK)B1DDHpvJ4JMnz~6hk!8733 zd-!K2S5Sw-Y9AQU@*MfKOP&~piC93xAAAAF^Z8%&W8t!&eZKpesZU8>Ldbzgz<=T4VuFNdFF>Iq@g{;$Jrd&l(AQg@|Iyq6JdWdF4(q z;t>z*t54{bA4QJ@`KsY)hBzM5HIy7&+(84qaNg=Q25FKjQSC zXEs=bqZ`cvCm;Qqc0OkJLI`+p*KnE<1#LuGyCh@ENGW$}W>@$W*PBy(>+(HW@muFT zzQ5HQrF&qewEXzMZRhJ$j%y?Pf0mFr-Wo!_`)?BQpV8wuWpGT4Ie>v-a+2e!^|50M zn7KIZy&wq%jZI1u?P(wANjwZ1LkbT74pkN1n~2GW1meupD_7GqzK1Yu=o4MUegdXI z3fYE<)y@=6qVy}78;>1fnLJEQP1OLMH*I}Hh&>lPm}?K!AiXHfQVUa1Xu0ZeZ?{{^ zx}tj>gFPc+v%Ldn@s$n8r5M!VY7-;4H-Q|Sb*r*&^5{b2d<%Q-6w;|zHOglIzp=sy z@Pa0%Po&#FhdC+PMCJSIz%w@m=5)n1)Ap3kEA`&LuDk$+hu8eP1=$Vv>Ri3LVepWd zPrQE$X$}C}W~B|A^o}=2G~o^{5%d zp#9talE*Hd708$=>Bm=AD=79{M{wj6u?Rtb0SOau+bi;l7OU5q?}o1ZIPU-Bf?i;J zGE*zA6;D$?g0X(fk*sL!FBk18pn?50d5JKCgqwet25t4~VAn9Zt!|jlT7~Ufji#xG4j}Wa>7uiNEfUC(K zKHmea&tm9C4M1}pKPE~)_b+$#za4Y*28Z>6bp=1TLH@0+KZJ0n5uXKcH__76j7CV@ zrB*}SE|XDr=Al1Q20fonrzv2~w|Mdk|^(ARU-ZajkTSGNfim2zIQ6#Gl z!n&|JRT6aX-9?{X1E2Ggnte*6@s$nxP_1ohCTk8OLr%+)+98%~7#z9CzJ^u$%isU; ziTLH!F-ZywX*6~QOlC`ADzm+sW8iQnGo{XJ#8eyZmL)WmNY_&#K2-ty+5*m-?;4)S zlp4qj-Q_lhBUgWd()=9M|2)?I{0ZW$!TohcwY>St+##5!AgS7f&TE)Y-+R5Y3$8Io zqo#MEEr}V};RB7;nK~|CLC-rw8P^aARH~5o=#p&)CS4 z%|6;BULRUL#FG3yIU3{5QJ+_f%w%tt=Npc}Fd=~V$>``}E76lTLTmH|yb&D$Jd?5* zQLp1KWhp-2g^_Rc$aePG^c58(Sm@JFqZh+D&ij82k4$ zY&sWfcB1fU*)ss+==Y3;Au3__=d-vGNODN0oV-VNm85czB z3c&l9QMiBtM@r{W+b$s3ZVka+)+sCdUXtL09Kc=qylW%S$~J+s+;=lU7g;my<< 
zY|8ddi0no}&9!@X8Afw%WjV%qa=7ISqDu#Vv=_Qdu3l( zard^*sba@?NiY|CD#h<~J1#b#M2er)ECSpDp61L8jzmU+Kc5l5>;x(4#8!$LNS68$ zvk<^T+j=>`?k+(P@f%#Do=4^pFdH&gM(|fKnkWNQLAgM6D^dJ4^9Y2-k>=NR1edp! zwR-tgtK?VE9lFe%7!e4Q21{7>G=q}p%<&r6Z6P`K%dzIFKXfmCvpwM&y_PYy#aaRY z9nBG`xiQm|pRi;%EdZys?7^xus57nyl0(5`{S5xf;~QRxC>G2nPwO?nGj$sH?ffX8g*4iRrt6!G) zfBf??ITQlPceDyn(q>)jM+$c_BtEni0e_oV+n+>|#_kfz#{3cmkGMl}NKSa>NUd;{Lseo*}Q z-{;U{c3Ax}i~Awxe-nXzUJT^PoIVYBIdmz?{BMiVeP8`Mu=;QNj?(b_{@(ubY8w^Y z>U9g8?!P^)MD`U$GqU0XRwxfbM1v2*3d7iGv5|FduA*zW$-MgWUM!o1PKt$yT8SLRfFo>cMTxqB}>! zu|t-l4<=mmAh=WnC|kDc?5{O{EdhRbwgn0?0i=98Dk{pcg>S1D1d2^z>{y!M@vTDr z!!6n$zWtaetiMxV$d@Bt`^<*Z^zZ3|5)4oJNxjxm>BPf3~Q%i z?Shcn14Q=`d{SyH#pUZaD*lA%Vj<7enRB&5hrHgQK(Z5&DB1kfnxQ}iAnyX07H&8E zb|ksNRN%gkhTQ2oK>Q_v7%fckL*^g+4jy!x)o!{atgys-m>07E@S*GtV%cR7NcY1p z{;)*fzX6=i^Sy`aZo(e~+Y=ym>wSLbd z);)2asW6sQZNQL7YTCg&HRglHFay1@QlM0YYPRkB+xkPB)B{EAj$46Ws@*90tVig5 z-*8=3w=q)X8Ytv((q?wcioJI#S5Ih4e(27$J5_|zxLJksRBH&A^T>jW_oktkGZjDYpv-&wAuqDUMDgYQ1rQ8oJFg6)^Y`Zdp{Y8j zUcb~xA7F^|gJ;>oQ*rXkOGe*7UAP~4YN2sodtn&b33Gvs9F(^y+IPGsw3_-BLl_vb zHSQN}tFtUcZFpkEYfx##Y&cK2#~79m=DX@v=!N1lZYiCOY^uD)bxmT(kYPfa_SiW( z_eOQL3s2TL6%y?YUbda1`?fD64FCH?gzM%W7pv3baq3>$?kAxp8BFv^(k{!7J`-SI zQOA2?ryhJA#{~}VBS6!Q@2b*vIjm>|mN!`TN$@cmejEaB_%B&~P5^OoH*1YooAbG{xj9QA~`8wF#G>Uq` zSS>k10qbXL%LiB@CSSj*E1@hI(b{ zC`M~>mFiujmpvN+-BD3|7&+XBQJNpL zz=eTDyF7Tu`%UlOmp@w=6aj}=W*)x$%mnF-b|OGwON~E~A_kf)z{Oav0Jh3gHcy7% z)O-|^D8#x0rtH;-M1S6g0nmhNflkBOwQb6ORqy{gS?2vA?CvHvRzpHSeHR?&qJImx zpty`e8U!$Kx%u(qPjGZ>Jo<2o8j#`Y2Zoz&C@8L`s*Sdfj zgGX5_RVv(d{3*#&QCWiF#1T&b;fbw0{RgVZG zDo;S7J&2cS+yupN;FS7^`?|%1nzyl(5 zH;C|M5Zg7uaA*O9kxHODhbgP3c;UNa0MhkEg8qwUZYGn$*+o^IB~WGA5FGCs8=h`^ zZV5%b9-4T0p9=n=2bS(gUE=Vg*>pTBF~do4=%XumKYg ziXsq18$B3~=*W zglP6kwPmYDv)E;`?~dD?Bhvcenu;|moyeYXy$krhODN?7YO_&oH{Nzov*rSDv?T72E{1%dbFv z=UV{rLnG-3=0fOx0L2viMc54hlCcwrFG$`mNw)L&~hGfZzwukHpq*VPN8)glS#1qjRSKr+{?1!zr3?z%t 
z`FNMbLIgsFv}};>KG@8tT?Y$@vYgiKn(eP3gk;179E}^juO8ya>NsA2D1AI`X(ZR3f-&ue2@L?s#4Jo?ud!X0_!jNx#M3T@=5ek@HHpB+GQOd6kS#$(Y+Ikq!WboYXy`iHPg5mILxT7X&?zQ{u(S!rRDQe`%vY=^n4KKj2+- zz793v?v8WPCU$Qo>B^0b(RB4g*UaR>&?-^gOTXmJcFNJG;80-fLyk5XyUk6VZdNRL z3Up!P%-=~CQUZSN);ne2wWo8w9$I#MD_SNJd`Y#N{pO`6ZInt&sbxcsTFaO=UriId z*9nW$4%NVBt;nvEHwXigj0OR9 zSUZCl!;ailII7Ix+^um3r6T4Iwlks{m>ra!0u0#nq`M$-@ZHl4;@uz{68`}jfXLl3 zzSRqA7M)8Q^`(oy>qTgmqS}{Q!?lNBRiAjNBaO@9&$qie`3h_DgbXvn9uX7+;Ua? zFo=-l%}ur04kN@J9XVzB(8q%4SYZOgI=aZ8!jAwm_VUNs5woy`uPpRiYg#6c$KPnn zxtbkHf#eCXHdcBr#(1EtkwJ^l8u3hcFgn0skH+7D*+6cOY z)7YB!3(85IU~Dz2ne?shVD|<|>^>5kR$!(o%92XGWZGe{dqUIia!4GbIs$Md@ zbj?XC)ei4}B+J7AIq*HTxe748FMmX5C6OjcPh^XKAEu6Mn7YqzZj+$99547Pmqdiz=Tw?{m(%n=1Dq|xt) zprBUA>X*h%)t%$`-71k6(!@@H^WNC(St1ww-rX-8=n-#w%d@heCA`G5pI_aL>29<{8J zr`;FCyZSD1NowbQWd%YOk|okZPGva7`$_ciceD^=6Tzd%`9{(X4v3v`6xAp5o8E#B zTyvZZQ6ZQ0FmI2L-n1>{c8<||!Q4v>ikd9;nbNW_pA5_Ov^r#;!=$gyAwG-Nl;r3j z(Xm%(ZJN%-jVl|w%y1X+hp@-R<@T8K67*7=ZQey>S3bS_Ho@k>u)KHHn%0bK17yVR zTJKDYIRhnQ@#G~w^^ENq=H!p1DSQX=Q*NYP(a{g9ocaPhRl$bF7}mb|t3^tl}L`%v@AH zoCk1o+bNAW@y?0dd)7qUdO7Zs@F-2JQ>5+=0u`c1rFs~D!@G9lL}D2Y(O@(dLx`KO zV2f`Erw?sY1Z~34abf;A5*LhhogZOHE9)hW;^*^67R9~E;{nvo1v*kifoSxo(x4~0 zRjJ*7KZ{+VeI;49s?#=_6q9Rj`L)ha6O5P^Yo9b8boM?Z6;vo|oHeomvFgPMw=RNd zQOmO#x}rxRt@jnjh@`U~k*_7nIjeqf?o49(qg>^nJhA+-%gzp{ECP99@b8dv@D=ts z<-kI(s22RpVTD^ft1Xc#i1XDo?_@WHUvYx0>nIrWF{0ZGah7()%6oZ6!DyQ!L57%i(@ z_OPD;5gGSivqIQ#IAH5qgadh_|QKk}c9#HhM4CpFQ8^JcSl5|bl1kYdzcsw%(&!sJ@1{A#>5>uGz7SLR(iR^^TYS=4_hJG zZB=u6N=mt*xV7AD;3FhUKshje-2j|WDdaV8h{DMu>_4d<$_}Y~Qw!y*&fHz!V(SM3 z8T}lcsG>y&dtH@_4|K)KmtW!Ncnt@fWglaeU~6khGIP{^D5FbqbSFE4_5dcnOGJb5 zCOx6AHUmX?tnZ#Wd2jOz&(8^y*FHn=yOtcYv$781y7@xzurzJ0w_EBbThJBG-NfJK zY_mzMS1GwPbDm_@K)mq*dahmiJ-R|K@Qjln+U%o5V6i>C9LGl(sw5=k4 zSL^-NEDEx>f%K}vHIeUcI>_wslY6fh=Mn{E<^^_9ghdi6r?@`CsSWjQYAb2s-Rw1F zwW1zI=QQQ#AzrL$4T=cY=n2!sZ|EM?*|AU8&J}|Y&b*N4{-xbR0b?JF6>A=Yl#p?Y)ga3{=;u zXJD225!|W&?fC1K(dNbuz$IdpcpD?;!B#bYMQNf4!v)buW+exMO3T)_$|UC&WV~j; 
zht7s&$!WY;X@5@dz_x81N+Sm^FJLp4nrisr1Ai>xC{*X~(}MJ7L=)x~h}bg23xL47bvMtzVV9Im@-U6r>HNf$V^}2= z=^Q#?goXJ&h@W~D@jCQb7B-{2C!dt8%yz3;=h3&`?775un{no|q}M%ku|mgMM0#y~nFV=Sg4ttI`^t8Kz!)r(}h{A;_}d=?Dq9^Y9zOyurUFl8}Q!ASMi+C8{I^2`R*kCh# zL9-}5KQ>zGf*_Nk6dW#L8@VlmTH+jU^3^GNnU$& z*?IN03()d(qAIs)zGe9k)lBDgpHUI#0js$B{PA18*-Y}I;gQNyIou^q)$tjN%DZCj z@2g5_rF5!EEtI6AL5s?Hf~Y4ZVJf-XnJ6}EU!d{nz1mKvjfT{euP4uo`>iQv$IhVzEJDs4 zeOBI_J96Y`CMk|S?t3s2#j(}7$xymKcF`#B-rx#)F@v`B+n7iSE#wvJ-!yTilct$PSd=iqLSn$8`f zH(BPgCei$E=+;8Q9XDp=r1jSdboiN1c1umbhyns)8}&lsP}NBM;CDn};!Ic#90T_F!Y{#Ls0)P%d2i^rGOzK*dEnlg;8UNcLK zhz+ae7VdhQ;Vv>ohKi?m&Yf}2Z7_`uN>FFK(8Ena$G|D)fMNEfUYhZkN^8*U@y=!8 zQR(5?73S^`jEBl>DRwi^=+I&EVr1J4nN{t=el|z)??^3ZOvla^C|e}V#_O8%WxZyO`!41KiMZ-wwwG|uORrE+lN+& zFJx98QTy(B95oxS!toW+I_@GkF5)1lu6h@yg~-;hV!ySE1xdW+hx@Bo*2h#Ea7$}){G-MhhHj3gzco4G6NSE7$vQ0&AVSnH@@37l!ifJPnDSBCg|KLEFdT= z4mn*L%75BYs3avlLb>GNoiGOqtar0^=lO2aJBg!+c20_}i5n_LHbBeJ23K73M(!G% z;*-P6ZH_7=jg^;GKL=aL&(R_jksy zaa+fO3!7D4TVUZZCPK$&%IP=~-OQmI625u4L?V;SWWlf!H=rTKGXI!y4Ofmwf6oSS zOtW)kGi;e*wO0J{Z!1oxx;E7e?l<2vYZ$ZZe(6VhS$QTuZsK+D z+Zwjp^&JlB+^*+Ivu|#77R5EdUhUj7i&Dr{H$P|{P;84`zneJ@hG=Mc}kzCVoA(H@c!S z!s#~LlRUBVc?affGGI24cTPOlBlCou5n8t_5SvrMIk?HOQ}LOa9`T$JPuT9m#r>BF z3m6l^|y8PtP zBV+EW6!X9c)!r_QNV=lm#gG{wF+~*j#NJ9#S}Utjsluh0ri&?yh_}l>Gf#eE!mM5> z6Y)>bSK9EAGCL>Y@E$U3#i+uj4_%h!vnt9#%mfqH3Km5=vSPJ+=oaMKG_8|2)+N+$F~yPGp?Wc{!YwuR4B7s?e2BVaatiNy$O4KOsC!ZGj2p zFhQ1=N1-}5roxdkUT!Kd_@L6dn@cWNG^<(Lp)u=5k2C?d+HAZ`7QHob{cg?dJeqn+ASr3o48c)1a^N@|e^ zp%gNR*snQcQH0c|uxy;f|SKUqVU4E1!JUA^ArCt>r8qOCn7X!}iUd?R7+o6@_YgeviNNesRzd)J=vb zNesHpNnYFS8*)>4M6a^Ab`S)A_upt$Bw&aUYTJTlUghf18j4Jkpf1J0)vS0b<;B9=@A1`+=dGT~&+B1o zkzbBiqa9n|DpV|eeuX$(i{X;k%fpQMitRge=!%3gmLms>r34uY%LTLEu!*d=ousF}?StOVp`D{I%XjbsD#7*L_C0epOBD^GC99{izwOxlbwk zkdi()!_*VnT6t$eYvY*NzPt|c2oSyUST&rxO2k>jvfQs-b?)g_&-d>s%-Olvbvm10 z{cst!ez!Cp`nbSufEvldS(AevXTjYkv&!~t$rR#UFHVqNeHZV#D!C>1$n36U2mQ2$ zgCo_N=5AME`dT9x1y_qUOpH9fzpiXbW3SR=dW?nHbV_MLM;}krU~QQX5=nW$bKL+) 
z@6C?a$&AGtqnQLXk@mWZ2@{bMB@fbK4xz#r=mkiyhvcU*^RX;ZN9pzD1ZmL%9Y-=l znr$k*lm+zkFC~=i?Qg4DYtu_;a=2BR%+RXg9%;lfU#hlQ1wZ#kR7%PZhbPnA0tT~_ztrdoGG$)~QdaI2tV zk7-)@0TpZWnMdNX=1fj<9PE|OO-s27Lxgh)-b$VAi6pHV$7E_wCv$ipA|NCMG;Ad@ znck#B)H9Z*=lyjrscB5r(buKBiQ%ea^LK2j9m=nK*v%)Uk3GckC39TH%Pi?|Y&09` z)=55rnLV|zbx15LgqTsrrXI&-Do;boL#(Sv5wXb-7fMu|ndeE=o4r=(9bCQkaLYJ~ zV+5Lo$7oQFbEJtWYl)TmD$A)Mn=X9n(+0v*@^LpD=1n{l{L<|*f*epoW>vGipNF2$ zeJVB2t7x!P;=_9{VSUOhwzNjG>4UlRfQ|R*C4mg?BMgYhs~nc$+)upa)c*x z>@q@{71~1V$yLmsGM;PW^UNc_9#t+w^^+7^XE+Gz5E!M-We2gbooQn_)V-~+g$tg! z?!9x_n+zzH*{^NZACfZ~=e`wmXjySv&+=xNTk<9dZ~3s*0mT2uK9YR7CkEAedt#G~ z%D2=a`Wo$=DYJ03*$QnzO~!nscJ^wu(&sHJ@{8%N510lN`XZaIgek|T4qsC4Ng6%F zm1*Oh=FG;-^jN~k6Mb5XZ9c13Wa0*+l3JXAiQi<=`P^(xOGS-@CR!rpWY0H<^iN`l z2;&yckd+s5PIuDx7of)!Ym#-fRoxypvq+))G`w7jRL&+v61q-=7m7=7mzP3-QeUrEyiQr+iDYyZOZ(t z92>Ejb{Vrf%A45^YHprQ>niDt>|J$p{n`6^yJe+iA+x8ecT~H`rZtl*F}gG!9i1`V zF{z86=2X-1-F#TTBRnD9SlO+|vXvFDGtibz(&qRi9ZkJ(gqwC<&VjZv0__!ZrS-a6 z+>2SRuvP!e*3BNABmMUv9yH)obC)Ba^Uj6b*>VS675VfK@2`Y}j34$QW@!DMA5bnX zsycUjr4vM2S>f!a3mnZ~Weci)Cv^@xqlin>3U4g9td)7@RT>$oXy{brdW}_>eOu2- zFDt@z+E|Qk46Wt%KyS)@2lkY-heQSGWQX~l%?M@2;FMfSBRi$?&LgZxc^0%+)J96x z^u1XbXT7aF=!SafFA40XSq%~nCUy@m)@ z#uBB<)GNY4jJ??LR+b}-`^nrd47m9g2&s>z^P>7ZrMi0Ody-l-VSF}u? 
zw;Gei+&I%9HlQ`2diXY@XDb=1U#&Q(Dbgw{TyI}VK4@^&#ZLKfY<~kfxV1Lv5K)P3 zD(_r%h7aR;b8i0iyJIx6WD7k`HK#Mk_=v`4&a?#oZ1H%QgQk^NS3AvHE z>gO0z6M9qO>ij=vslM(Q`{!^dVnWE|BwQMlEL*vYJi`B;AN9!buU{+|3Z;R zdLGyFjJMp%d?I`H7iSiivSw>LK;Ckn&n3U+(UR@}=k)~j?T63AJ|3IIU!cJl2vTc^ zuO-yK+rlMz?&eD!^xMJPGsz!W;#ODe{)8B}yC;Cl<{r1`IU5VgtqHkmtzq$MwSW%3>-q0k zs(MngCfj0E4hg#|?^Z|HIiA`-B&krX{qk6)IKN_T+o_xO!D~DX6^(coB6&(D@}8BN zv+J4VCm&r!Wlj2Se0cIc$s}^mYmfa(**SYl>l^_;-kfdKQ<{30rkXAW@~L^+OYFEl zawed)HFd1d2C>vd$CmRoS-sdPVa7R4Vy8u#JX5PLZ-kq0ytKJ=wzlTk7q@g;`Q|g@o~OU4KPv39 zW8_nqZnji3^5hzM5xhYX{r;6)V+Uix5vy{(|R5qVeGJ1LpB~_F1}TRD*@1JX3?C?P z^>LgDjK#hQbCGyE+@Y!~Ca6nKLjx~1uoaoj^qI+R;4%eDi+A1$y2q+@p+owernhbh zWlj)m2(BY5ngt;*-i`VkX^*;ok+CweUr0OyzmIHZ{lS(>L?`aF*ll$Ym2pG9+179I z&!mf|U?v516Z+-Xj6y4BlWb@2df7`asVJ`|=Uskl!*g`^KEPjXYmbM8L3Ye5SowN$jf}Ln z0A4RYX7WKPZvMF%UJS;p#|w`KeDACjzBPONu*p?*Ma$n7H-13YXGwQVePG0I|FO|( z&-PMDtB0nH6W`nY2>*r0dg?M7Z_e1*ZXe#h?}z(=V?E{g3VxyE<(HQm*(3ZG$`8gW z^6EtP6mzPu{K@zh)fR4Aqz9|-ixoC^fPxMNCpXuzCLh z{HgrU`e*vbG)i3m?EZqP((w_`_+R^8m7(2aKEWASIOtCfcRX+2~jE=6zz`Ys2XJ^J8zp+0W+-h-K zwEHBsR-?Q4jOhgB9Za^dGCZw7g5-okIal1g7zMa50r&VUbv*?n&^V*LGi+xhW38a~ zltPsJU5=mY2Mfbl9B zj^LA|4_J%Gh5D^9NM!V zZz<3>v5`WE)&R3A;RMNpGub4VQG;byG_|V=>z6r>N);0j_kVnMTb{Du3ZuV__p|YQ zse(DWbNIc12Cn7Siym?rIh$QnbWOAAATn0SCA#A^*CRK$_TEhHuHhxBBFgO@LlLwG z>59yyJA8QS*tlEWHO5!x#8toc(GHrU3l`nZFP*N%a9&QCV%w)2Dh{{WIkd0ws<8Uo&Ky~kQn2oY#A7Nd zBJ#?XPxkc#>QOe)&$(H!I2vjd7GgI|zLltZH@6xK(qqaT77t&W)L$EszCzlBTa=(Pd`vmL>OGmeHJG=eQW3z4^jR) zDT6@W_zS<84N6msmz8GMB~Y%KE4ty>|K`{v@SZ>%qJL_X;Y7x z8v8iri$!y-p?fmYw!6yj&{&k~t8hE@{EF_ z{b|8dI@^8hsdr?I_T%geYtwfAm2W#ILaN!=xEKsS5IvswaIqo}zk))9*ZI)OH~eR3 z#}_?Rj$hsM?XA#G=6$Rkbw2h@+r+Uqopg3L9hxtH%6*q=dw%B<&--UD8-t(RW7{Cu zs>JjV)78+eeDh35{pzD$!k|bkhW7MveJd9&!}OiUHWx?UJ@Vhf^a@^YC%Dds+z=g- zOOlfR4_j{))%F*)e-;Qui%TdT+zFK8?k>f>36vJM;toZFm*Q5S6elh28lV(!aVNN2 zahUwxwcc6tpP9?=T`scEIeS0P^VzeiCs(A_4l)ToIQXk!hAuG!}JM!1T4&nM=AJ_ZeZvQ5ZiA)5mr8*?$(y^ogh*s45dP|xfZn# z3QlouG4@g<4>rjIK5a@s?PhWdmAUgm37YH7aRapK@r}fi7BkbpG 
zz1yZ_%k+NGr_aX>apLp=(LsH>h2Em}e_h_qJ(dJ5w0j*}o~5MMSvLfYd{Ahcn!&?M zctzayTKhn1+m%A90kh0&vi;=sm)|U&QNOZ1%iJy&x1}0)XG^L-Oy}>iRp$q-icAq- zu(fKNUBpk8+(w4r2g*}UNzda@$DjumAZQ0BPjB&iOmm^rhf8@Y=}r8{waL!Sn_raF zK5Ey$&`l$)asg7;hK<;W&lC|X(ZSpg{xK1yEdPUkaRG!f)PjkyRc)b*19c#5K!95cvv_nETkz_=;8T6a1Mz+@9V4eEef#d^|3DGVYS&lqTXT5*llik zHsQ`Gx%@s<@f$>XU36daNcixPxk2znTD`ya;_NkN?oY4I&w?ukfE_>ZLob1N<>u=h zVP;OGOCLxS-15U6k;WxYb0&Fe#q8!wjCalB>b=sR9^;Xj`rBlS%B(t(CEYNC(IMNc zzmB*D`IWdFsX7t^xY2-TbDq6@BxC#LVql&oE+9P^uR(gFHZX@`!dk;XURK2|sL^rF zh<~7^!I1)-zF&__tgNX~3Muk0Ohj}+flkfRnj zCiVV(_QPpu-NZ9SP_3vQTaM4`$T*QL5ADfcuMi+fy7{&FRo$!KlJzh3f{#Dt5e@!P+K3?I%{xX>p?hu9Ew(;TQ(q`Z z6Z%^HMO-q6DbF9|z1&ElAdl{ZI!}b3LU<=T0Y5OA0F+6FOThz12D(i(Mzk$?M|1X8 z75?lp>yIRUYja~kUU+hTBXqKU6ggn5?{x)M3aH02Ho7bWs<8j-V*mT72z_Q1VRf51 z7Vxc~wy&MbWLTPVN)BaW07H5P9qwI&I?hjw`jlC6k^z14eKCE3*XQ>p9ei$D;0bs% z=Ki|aI{y7DFc5F!+DiQ80vy{!EAolAdUW8J>n=JxCNqvULD5fw2$P7eZ;O+)UJ{-g zd-@^!n2Bc@C6>lp!|B$8hL=+NyuQe@=eu|UcDxkC;R_&xOQ$^8%rD>X_$RDQfUIaX*14Sp~{Jo+vwmyJH)?t(NxsGG>5)LNnAiaXGKTT^I(+e?Uff zEQc8f={f%CURgb6=B`ORBB@c~>y|at+QJWBxLIZ;%0&dc%@NGJo*t>KdNd??}E40#qpKU)GN9P8^FoUnBenWz^$e{l)KocvQqg!V+2GPNlJE zboECKU?YeKZMfE0Z)*5(AyuSWfa#@n#)RrIM@6fa@GGi36pDNBU*FnLZCH+})zK2a zk+$QfLv1x1soj)dr~suJw+pJio_xow_K}+t2bLV5X&0k(vz$&? 
zxW*IX;_e2^rUstP{?(S+n7=^QqiiQp#0Q@)W$Wyzzx1uc<{#_9DkHhoB?GNNrWml^~4D<{Mg{I3kFxdlVa55JWA=CXmYJJ-GO$IH=%Rh$gO6C?MrU%9} z;e=z`94X6??WN4)D>$t$+97cq2|ZnmEB$kJ1CsV$` zaqdURxc&faP4`h<%VHw6L#>h~#HR_!unweUC*XeiKAAb2zvyO#l)nd-X;;e}rF0x9 za$5xG1hmyC%+d>1Y#&vrd3l!HmA}|ByeasB(RXu+0eAZswGLiipWkf0|EN9r2GF-y zBom1`U_SPf8~xr+BP-f1fowha|MW@7;duJJ?7mdKzJ|-d)uV_HL~~0iE)6DXDidSZ z)=_kABgDJ@2Zo4pzW#KN>lg!W{?p`$wYh>0IO7Bs^#~oE)sC6a(LPM1BvzZa zpSe5PL5;|neP8bp9}_q4D_ct6;D?4is1CR*=^4(3>?T(+fa_TjAtFUWnM@Q#q|64d zn%1jBS}9WtRTuiSfoQd0xb(5_m;*BoGtDeN9sfD8dh`$xVhWoh0V?6PgLn0>gz7$Z z$KY^yIw#}2njTKXk@^;C8dosWsD5YA577swSclM9e~iS902D^Jg;suhS=i7M)BT%Y z@watlV!UHGGf1Xq(3Sx=i$R4^r`ay-`MkX&|7X96cZWa7(YDbeN%j+1V5&-9@%gvB z;Q<<4is`sbe}%NA_RbNVZ~``F5&+9B8UaoGq<9D30LgPPHbo&(F34@H?|x`O)ZoFR zh0oe2rwYSBicDT9!#zZ`xrNjRM1Ynu-)~Th;q)GT~#5C z=Rq;AC(s_6c-^T6YQyS321rgeqGo+oB-h3H7qk_=znOCUYDCEc$=k&Sxar^a_{w>) zdPbaTMKO$F?{F^hhN$wDM?}IDDa)%r1dNOJl{?;MB(QAJcxW5E39ouo)b1{+`90Uc zUlcsA7ntcRfm%P3WwGkM${6y3&?8nxqEb!xB@@kr>e5bY0$)m&bu$>c+=AMBnLVoe z&iZLhLDst?N>r@s~BzM!mez@Ml%U=J+D_6wUsC+gcy ztw5UzCvc+74?f369YNE(O5H+>B1R8WWjuyVEzRTdMz`$}W&Eh$eOkzFSxT z&1(nly*YPt464tdknSwL*MrmcRry)u`y)F)6FPS1Hbv)}Uc>Lr-SE@gt_2hw^JzSOgNwT49IMworXb>1`6;y- zX$`e`pi*LuIU)ak6&=C{=;8}X$D?|lDUP2tUuUf7vA^R!wVqK#Y92}`A_aecOl_GE zic1_0CpwiJh`wZUV=6GP?2z)vxsk67JPVLw+Ts+=GD&UU#6e2WQZ=|xPNfUW{Yl6B z%tgEsp&jD|vi!xt#2Fj)L%46iAAk0xdj?Q#BJnj#2Dir4QUDFCMO-#ePDnl70k7|^qno!C$3!R>4Nk6HKi57A5s?~9Aezp`b* zqIbn%c8IB0dc=+hR(#7D!YJ>K^W1p-_kVjJ>v^W|uT|IzET|FIdPEnAQUcsBytja` z4BwD^a?f9=VegWg9<`o)`rmo#VPi{gpxp_DXmO|3m4Ucl(Mu}wJWoIm6)5I-3U7H^ zLnKJj$X^atK!`cz7dTL`Wiw7m6ZQce?^cOFZt8<0P6T+gim0d*!R%QqJ)Fe_wGNwaKG+7z4K2swRBgijg0tUMlF*UheSUqASQ ztv7{-y{|Ha=yW5*@VQR7Q@84Q@j?5N%UEnVR@CML#FFCsW+fGq_wOq1@Db)4HTvxO z_o;_~%9P?6{hN&wDm-+w+ovOsG_SSL08^hX9E!l&F7U1TNZI^5i5)(JWx6jxW8Q09 zjfi6DrR{l=XvspC{Z^HwFOX}~i#F0j;N)Dka} zl$(US;ykmz>0YZtZ2c26pVj9T&ZDIPg@@{|U9}!?TLdOx|*TwTL-{Z8{^xrb*G)jV_oZ%YdOE0HizGJ1$1F^S*U zm84d0#EamSJiBsN+cGE~1jnvp9N=6L5S&p%t^?_0B;HtRB%>elx>c6PMlZzT4JFp< 
zT9;%&l7*6chHM^9)(VE&-sSomCc2;a0B~1;)CX*Uhmx(}j6qr|jQZ^C#h+~<;GT{Y zzGV5@{+dOyJ9X(Zs`ZK-haqOI%OEc(`lUaN{9YF_T$n^7nmKsXu^>V}F%Hf}?2*lNS9 z%V<^7)Yd`m+)A$F(_+>0tHuPPy~G?L$sbr0G_O0t|3nu@vFj+=1P0?L;!{UTe#Iw# zzxL|$&jOd4zV~Gf|Ij#A(o~eyIKYu2S1KHcA>%OJkAbO))!O4_5wcO{y`tX@YRO$a z@XzS%hJow)44Gt^*r&;sr_HBp=J*bXqLp2B@D+0Q_RvJa)Rsx7tg3xS82cR}`QLa= zm>Ug-*vu?ZMi{BP;6~=-D);3mC1e!UTfT0)?&ov9^+jbEv#n^qiA@{#waYnA6I@L_ z6l(9PMod|XOy-~wgt%=cZxrs8|2T;D?=xO?v_eHqo$5bZ(_KGA->B<}cS*c%@z>j~s*s%R8WVP5Pc*pzpBR@+4<9F1st;aRw8EAp_!+1oK3|Xlg3DT_vtWSQObXPFJx* zy_K5Yeqj58utn~#rZgV~SpF@yIdal=8`UP@5J>{mh1|IrEm&j%gaspQ|azPdgpqL+Q( zYou4W3=O+%P;J-bCm%+?<@iyS(z`{=`IvA(}thukdep=^)?r3A5p~{ zp>ucQ87gvuSYA-|LNCaJd1x_oCqS2vdTF+%eJo>D=^|!4_x&0HG6k3qHto{b~ zW$y$N?ApQRHNREVOzVF-3xpp*ZSE0Q1lu)()+b$=golY4}-EYPX91m*6X}t zBQ$)(Gxu!Oq>26l1)80B{7BZxdE*FOvs9sVnv@Wdshsy*i%D@3Y|)CpIIkkBhphOO z7Q8bB6V!m3_;}3HJ{Ns2XAL^PcNncu4;O{tx_?ts0LZGu*hao0em~*Nbqn|^LM{ch z#??#fDr9r@%P;&xD%(DgA#gMu$6&*l=?c1VGj4vuW^Ny+#Lj}L7i(w%G(@NyB42wY z`BOzHK3AGP6@E9dVsIl4O_+^iX3oIId+5tpGiRVGPkCoR7$uW0hU)jTd*3hKnCnc= z*0OLbe_rDei5)CXbREp0ob%TB`p~e1)M)bd?C^SDdKY&P|7v|+9p?W4Fu~&(bGwcD zt5pKsn?(fyYj+7lt!$J;h$46l5E3cy=WZ6+X%0uW1~M0UGl(!LLcwl~jb|~MEQS%I zbb>1!6V3|RL-4oDdqx?5Pk;J&#v2AQ8s0M9`WYnWFz?)$OYZnyFO9RDWvt>`+_m% zQ%RrU;s4q!LaYW5(f`v_y{1NA7f&7u55fGtZcMUu|1qdM!Y!GmkB>R%juyS|J@+`} z0MQc}-dVe8^iok&9UB2Ch;wV;iOB5rSnN-u;00_rEpW-T_XSUo_W^u>_hqRGA?jr; z0?@pwRQY&RVVsZo)txC-fNCK$3NsS26rFw4h&gwr6zv^zh?+ysMV7siGb&AtV(nHg-{B3^vz z+`lOKjy-4-T2ayS><1lqa8vg)EqAR{@wh?KT48IZYAGdM?!k}LgxKlsoaJPsafkgk zn+ST)C_-uyl-C^yD35l}qvocm3lY}qCl5n5 ztDM5N{iR$a#aFu>gYPNmY$%#}O5EDg7x@nWur$i%^#et-} zY8K$+T-6zf-z5gCbYZIM765it$nyofL}nZCU)}7pVP~rtl>2u_TnD9@O%tk>*9nAE zgDWVJOa@^HhH`pS+cisYbeuvMeY4Um(A}OD{`=V;-0t{}+8O8Q z?jO3rfk*jwRX@J|fXkn* zY5SOMlq2R$d1iuLG{!9Qy_zl0nQ05O8KkGE!d4OJk`5ijNZzG|#&D)YBChY<-IezB z58$5x%Pz-jL6g4GG5;|OeqzkxT$H*c*nGFjkQN!-veaVB#l}Fx^8r#WM@2P<1?ieh zI5c2dINsmjBc@zYILqM&uge#KJ@!h#iTo{w{11r*J|jQT!3Z>(cD4);1dVJH=k|o) 
zf8+x*=GsMQhbetey@%LDGo8!Dc?ldoWfHnjs=Z7M(fJ3Xe1r z;VHhVP0Do{<0BULY-{#9IGs3KNsl}10=!$7kZdk+rS^AJ4qg>+;aiuWK!SRsTmKNS zVFT7**N)RQ1Fj6KZ3P-I2;)-w{rgnBGl!{8)cZ9ywQ~gFxqV*t0Z2Dgv3f_CEApjW zwQWl}>He5GbGy(?zW6QZ6`1PXP!O!g{mdv(n_Is+i}$7ak%>gkW8-(zYW2;AU!=p0 zQ&9?*ebYPZTkB5qd|Fyhpt|fg?SyzYcX`Fz_r-LZHZ+3olD$jM$z^3n)9t3Ed<{U$ zhxLn@Hvl?!cCXU??TI}mipGj0BXl;!@Br^0d}Pf(6LS9+brb?qFmK$Ww*IsjZpdWM zy^U=fBeg~wkG9+?XtpdH&53OGZ>*O800tCIQ z<{YLHKb$#}m$i<-X0VLU1PZASiYTM>7TN3zV$38KpaRW1()+vRtBwYcT-~+L|FQsL z&lNOiQucn~W&?@pfdro=A7cx%wO?i@h@*9xWAT1r(MF(add$=udO>MO`c5@u(6I{hyD9GzmwHC zS|!I3#wxE!&Yd8nM?`|H7vdDCE;4xp-k6l!k}+G;L&(t%gxJ`KYU9uV3GugsgcJg$ z_LY@r*<>-<(AWce_jH+Y{t{6osJz0rnQdxRj7Ftt5?7ms%?o6$Rds&(Ugm;=#0-1P zpV-55z|-j!)#rx?%7m7t_0{uFJk6O3BfPC(97!2Js0w`G=PwAp2%l$S~=?lcI0fYlrJ`BHJQf^rUcG;z1 zE*}p}&(^w0UJOz%pF~o;M=AGzs-E@;ZxLA1*WDBua9fFiMage*@xOQ^NDbhYq0yRVW_Y) z9`eoYf9jnebf=R5Ch-DQ>~9!}9vV-b8yzQJEY03Y4ARPy@UrVLH28A#s%9c{o|)pnZ&y}KFGnly zuSDf_sGI<#^DIUxH8CyNlK}3#_*_(6WUzUNNrbSSiA{dhmX0=V@TL~8VRSQ}n6zF~ zypLssxY~$Z@}UqichtI=dhDa^JXh_w^~G}0p+DmGzI<$xXvexqW2@rscx(RDF$x0y&sM4Q{EcE#0@MIK zRhQRI+eYDCJ4E~+7^zg38PWN1IZrFrX<3c}&5FxRq3#83cZV*4QK$Ok!5X!eW~!fN zql#aD!67Tx3zk>OVOEQ|kkmLHpWm?{zf8_9FJAMpwz;WZK6&|$4n)^NEp zF92UL;5iEocwtTGwJdWB3O1a*5p6Tr1f3;5TzB+HNCwrFQj$uv(KPB`vJwb|hl8g{ z=YXqFq6azY?*d)bF>V7ga_b5-jGRJXR)>;LcfUlFX1$K70%4{7fHL%k2Tsa?e@au3 zmE8V2&u3q&{b2z8p5$?QeM*IBUEVgr92^ni(X_wPgJ_6&dv}&-^xG-OU*?L+kF?SV z|2 zf6F$Ms^u9S`peO`G@88_Umg*>h!YAQbkbvB7ovZP8wVSNeAW z_N2`YJfz1g7rW&^B^LLd>3P#@>>URb+FN_}c8eTZ*>`V4(17V26C^mzS@kjA7a#q9 zs`P*5U0Le^A|kA+^7jG0s%EEa|CwZh3MJ{6(3>o2h7-wK*UXGXShoaC+7a6Uk08D1 z{Fv-hX(Hm+Stms(W2CVw7M8f9#)7HK0h|`DA;t35nFmR6M|@m0a~sDgRhr|jHq1E0 zWb(UaHWWBvgX(H)RayZiy?gQ{KB8UuSbaW{|FLKL<@6xH88C~e(N zlZF0DV=QO%fq|6LMi*=Bnm- zZuFHi&%t}?>^EoRFD8^MTH}n#S*Lr@7*VYtvJd?zC0{G>%B-!n(z-I=-;qR`;&9O4w&rnDoaJykw%@!#M1EHlHZmNTP@b?f zm*_rlK;K|EM%Xph1^%8>w%D9gc%L1>#Es0lM5*)9k+=QsNU?wEG$jq`*P3a`mm`A* z#Kt+2{C5t+i3%?7eRJ762XWZ54Lo~mKwsn{ zVvn6@__dsK!1`!NR62u;SvS-+ 
zaqoj+@B|l4Dky}>YS)McXPbB8cxNY`bFhkr_xc}F0UC~>tn6DIHlK0Zk9=5l+^0k| zr<~KsKIDxDZ;`cxR{zC0y?MW!yR?dtXy3R^VOkw}Jfo^Wml{KSw7&xLR3I%WKOPaMqir-3WkIPIDi6q&*PBUz5pD?$a89SHMvDFQJh za8&y)eVnP!s8Oq+U>VLGEc_DfABPr~I!WuUYVfQJd}f;#m8Q(#^?nz}^>8HlUhv97 z+DJ2%uJ*d+Ebwe>p3VFF$k`!hd~E7}F(w`<%K>{_l03zQ*j0^`tDF_l-*dI6SjVv? ziGWzl^lnT3#@~l0bL%U3QaS!_EtAz#nX;6=r@k3~w_TPaM00wn_eDeHVo5Js@Aw4J921bbc zvmE?LUs0-dlmwXBE!`(xQIJd+j|J@q@>}gpVf#jV&^Y+@mD58@21}!DZzW1Y$MeHF z5af~v=F8`jXk1!fM1N)Yui;rWh2S6D?>8q_BL6Y6zjS!;TAhEv7Q98_=LM#1Pgyap zg8I>#ZX=)JZZUQ3Ga1UXqz96#K)c$?g7?`RNgrT5pd^P%?7gh~B*ff@E%IXNKt=l6 z*cI;pDGCYP@P4{Wr%;DOu0m~M(veKmZ8^{uTFmBJA@ITA<6q&`$*XuVLReg%>1~75 zFqCN41ly+dXYMD@AXJwb3P-(dg&V|E_W$c@?f!e{{!FsWT}ei+h&Ae1{l=6H=^RZ& z*2LWz&sxD`OfIYUeh{*!bZ-=uBiHj)I3^FqsJ=~=e)vs;96JUn7$&?VILr9? zB`B!AR6OW2Edrz$>k-0w`^%yxA+!Gm~J09n@gxozs>j#hmX1 z>qg7(HZDh3{D}Z{O4FhY&EGasyoHI;sXrAD5c3aZ7Z9DbyRX^_df?j9IZsxuNK)b}0C}W2Y{u(!(Q=-lE9f@5K5( z<3i&e8^kK#jl&!hG;H|%8A%FGO^ptQe9TAViwFq=`0Wg|OBR#M;6wxg{0B2bkhp`2 zo{7pNDP=zNo$#jWRa9Bievj4loz!AX!_8lQt8hlGel*_>^pV?j6f%;J@rSB91N@~Ttu!z zt_B`9MHtp5`Osfnd5c+)hc@ zYk{pYtn|;^k8zZfd)M-=`UD=(Kg6V}KDjR^Td&z*Qa!A}_v?@-1_CB2F_!5}1!LDb2@K zyzbRb*H9U6kJZNWF`P~V0dtx+zs)Dj3@9HtWtms=<1(+}P68rBR&yX`qfxbeHOliT z=GDkHsBj$jR;Q7pHNMEfdq-uM_FuXO?6+@n#vdpb#@YHrl0|64fw65I|H3PoSeq7CczWQCeYewrmKTp_l-TCOcr0LH)2r6#Clb|Uz$BbR6oI(eA5j7K`G~tem^6<_G**e;y4SbJSKVthh+8nE* zV#+E|BRWSWz3GH*i~YIxP*T;K^n0u|D?uMu>a%TVdu(wF&IpCupa4FbjUrM$HT%af zYg3*Zp+hQ1Z!N1xBCDMK?ud9!c%q8=y`u+M9-Ko!Q~0rr9jlM$r z8t%+xWEW<6(0L3EN&Wioiw+T=q_&K=>sx-Pgd~)-?znO#+btO}zuxf)eSTi~csTDk zW?lV<0*cXXvO3@Pew66@Hzq*Y2;ps~XoRF;XsP%XcC9N{p!mOzwPl6Z!sx1#&PR9o z(^#P+FjUm%UB}%Af1=q%R8ltn?(tl)|KetPU7x}>ZvS-u=J@`G#LXJ{Y{+_r^t@5U zh-R2R_)k79m@tJBhy ziX5827COc1k+6@gsKfQJzUl<863JArs$m?^uF$sVYXCt${Ii}cnD4iSvY_2*em z*G?nd6(z;qo9FF(r^Rn&D74=4d_$35cJ{M_7tB1?ywcxUBBSOlS53h~w7&sSpYLyu zEtYfbk(!T>5()IE%MlTr=>Ew8*5${%tBU>~Q+&h~yr#R%$_;4sZr``iEaWqckCC_j z%C{Z!R$(Ih4^UESL&vQ}^PW{KfsAR08S-P*v(hdsj~7!Ifwm6&$5_IE&ydL&!;Z%_ 
z!TVjOM}+J<|1SB)k{y4<0ypN|WFT1p`~}Z;4PW?g@SkNAtkkEw9=Dv|9T)wD1 z#;1N&qgbrGsFh1emPsNa;?PfoS|@b#yC3_3GTeK@lwcw=-=A<_8e3Rb^4|jm@XIU% zo(p$lLS+qxIbfZvAZw9x}}~)dG60s-6F)7LS1cb3EZ(UCNn~& zrt<#P-GIlsraJ*-BIfGJYJS|py&h6K`>H6WRo01eApPDd1_hbES z#*O@w?0u2lMVjSBt7ZBfEd2PT*Si(4@?`3k5&5T)bVM9(T^JleBv;)$Zr&TYs*_C! zC?=+|5TY$Do7v3{H0|HoyW%R2=p=Uqa2>u%Z zIohByv9HgTG#60)s4*_;YAhL_YtD~RJmtGtAP**KZAc;$RXg~mus8!!m->Jctbea| z|K{=~-2GJU)ID)M7?KBhR-a^bpc9~y763mTlmj4EJ8M2VD$|pW5pOH})&;BPCl!?g zne_WySWk_|;Iz;lV>tE{lN^^^3K$e=8~SrGCMQg>oZ@@=KmD6JRc?xZIc>P;8wxT6 zruT131fep)6f5Lhc|o&1i3s(T#bhu+;B2>tAC>GQ9h8Hyd_|x0A%d+m+s5 z8?Q40r~_4`-~VhYx7ht%a@IuQc6H7MbAWqYqMu%Yi7v?AcJb&eA|xrfN}o8jd84A` z85)-2?sx`5e7-LwK!a<={bZL@vptVDaW8P1cJ0>pZ9wo&0ee;9Ayh+DP zP4w2rXO+;P`noHv%F{8- z4-xSt6kjObCX{tz;s|nra2rw?KS%HFQG1@s$VSoqZ4g%bibL)9U4SD5uN?)h+K6xJ zI+5q~)D~@1A%a0ie;7QUihjWf03k)bFs?rKM(`&9m4J7OtkyJ_Tw;g_tnh)?1S;Ww z4QGu5SM&B}B6MRsIdwjT3}P#3?Dt>G49fgi4dCwpv;#lc;=9uTweVHe18!%yON2=* zqU=NFyQ4kYBi!uFr)WK63~B~j_=)uk&44{B2J?n19?sigrB~@pX?64q3Qs#$E!5RH zVA%|J!*?&j{kP}s&70@|Z(0bG8x89wF=%)R-W(H6#nGU5&!=R0!>|a#lmmO=Dw@%L zgVkZ47Zv3JgFiSA{sPNAHr;5jYvV>GuNGf#A9p@II&qQQhFDI~t981)!n|*{tA54T zRJw(SvebHAM1+L-M(4`r|1cBT!QL8m%DF&}l_Y(S=+zsj+_FRG+|nk0aGa5U+P^}i zj3pK9YR3@D*}arkkoodxo0^$EXSrqc4@-|8Uvx)tUdWJ$t{tm%vh~pBh7zEZAcO74 z)G6EChI&a({FZhH}Bp<$8}I&6kXj`!tJh z`1oLqk(cwEDcseK2k&C};+t?iFkK`8_hh|leSP_-97xjLB&=}HTciRv^aqTPuIIYroY`)Xp>DjuSf*^KW2oe`1hjRv^;-L&)hj1C zkqiUX0G%wh#Wa=p#7d~e%r-49&h~*WQ5!lcHqoz8u=2Mk(w=iaO;Ylbde}f$2hsMi zV(@tIqKl}$SL`SBTkSc*b)=ESM}vJV$lC3TY$(jv$LWpC5KWwlioWLOjU?z741Vds z`Z7NwJP>kabNcO{I5oc$TmK=(mwZ0JtrzG_#*BB}<6!ET(utSNF;Ab08)IC8vK~nR z2(`)73rUpweIY_&PVgvZ-=GY^JO+duT!b+|yoWmRs26o^hWn~h1vnj zoFk0kR5?*SNy*U?dZf~4DL905?XWa`$YuH28P=G=PXSfIcR*DbL*KJwMm*z>I>=W0 z^q_(>N_2XGPsa=&z(l~ML9zLE6#0Fca82M{Z{|dzr#_cg-5Z@)G)Kp##uHhwR}G8) z&lCP~!E!S-%Fc;|7n)x>Zgx_P-woYE0LbfgX^U3`^EU+&!uxOuBlz;8^naX;Qp*ntA)-5_R+~=-bFY3$>JuN{ zHajWrqHW064z@usDIeB=Vtsow4`FZC=@wA)D#jQM6vh*`&L{e((dL0avNy!reD!WEpI;FK*+46ukG;ZIwkV$CdI| 
zEB8qqi4)2hwt$EjFU?qZA;~^?fM&|GeE$_?SD!}%MUSvu^99eH=3kZk-e>T!?Rt?O zm+{;Vqt|oB3(_&lmROKdW6Xr&Sz7v`uuqo8+NMKMb=9pLkU$Gvbk)D8*(ziNjo*>h|%annP+erM+I15 zN&r7a#589Eh65%85*J1duU8>5KE|H)BQ5(?BpPCl3KjG+M$t^3m7bxi7+T%U&zM@4 z)#Pj&pC@AuuXk>-HDei^->w6zilJeDToay${&~LGYZJ$

}bpl4q;Ig4ap&fvANMdrIH=;f#!#Kuug0vW}Q8z(i_1 z5kG2|de$0;wy#CYh&D)RR`2COVVCfkO zE`5zH71A8{3U;dJw-Ks~d-#zl9TRaK#VMxA!pYo3KZwSFvG_crUYEU(te4SC^<#*v8fTi-&B-HGaGc@yd}iwY=1nUoctfEB<_eEBOY@njnj zj4%&$``ZwyF;}u;YnpxPumJ3q#~lDyU{c5>mW`$#=G){^2^7TL>~95lgTLYqqZPzD zviFiT*r;UWIAB}c=}wbeaD)ZD{sL1OUH0<7WbqYcXyQh+&w%f${$~-2<|&b#A^$Cg zTRV5h4DCr}-1bu`(C6lrP5k*R18HJ*6I5dDR(92@HlK-ibzLa;$HxSs-`(GgB-3SN z2BG1ffm~3^^BAu`=5PCp_Ry=B^2bIR(T(cQCTO_bAaPb)47(W2iUwS9O*@hvr;xu+ z0}1NYeE*M#JS3>&isP^$+(|)h}Fk{rX&PF#P|IsfG zGxRbvL}Efyc0D+%On)*hDnPmG_=k@P41|#OH_dz-|AxFt?eyW&Nejb!XZ8d6i zLij33)tBRHZN(uS{lhFV9Q&STX;kdi?`~sf8_jij(7P0OhBE(>;r($V?&~IROe#_^ zw6XKyO)QX6>wI6(AwI3_MdBPOk@auGa&|~l965zFK@R^O!o?sy{K=Gj%4`?ews$Gq zaT>pdlJK&&ZGawu%TAR*WQ!q+zH(uRHIQRV%f#=Hl4szYV~b>9abX$KoHbl?trImS zlL~+OSmVFs+DEL6-+J8P|K^cZ@wYvBoEr0Jl?{U;_ZdwyLSZcc#=%^b4gQ+Fc04coiyqmZm@dnxHNo!GZI| zFYw>_J;RwQ|HdYLGZf#Zl5gCsYj$7GzawSD@+uHJhR~AcIf7L(JS6;gS#U(aUnZ%$ zZ58j^)~aYxj3er(Ol;JURRm*;^2+j3P%G*0IC^^y9@m!(Oj(nG>}(>>JGJB>tWa{s z8U?FyzUiXs@2?%Vlv|PlyBZh<_Yt>x%evr^s2{jV=c`0$-jk>voWI>Y%3v(ctkU+niu2W~8x|9}3XVKR&i zhD^M@QTiX07CY}%@K%|p8yN_kG=0*SLSzbN`;dp4atHFBQ)3_wzaC`*rz(L;u?UK@uzv{(n$sPoem9=+<28E zK^)A}4CmRLe1-_W%-YsEsW;_mFZOF;%)Mno38#->DUbCxvXzs->o+c|EZ^!pfrh|a*KtsCS6 zuyi7zyn$0Pt4u!&JH{7f%k z!GA{ICRyJ_YIh{{9G0F-wn8@pe#u0k_>nZ~Hz62<@#WQ+&2n6kL+62o6f-&vmBp7VstE78;|iHsqKVttXg-;fG=_UFepLCm@FabEkn1emN`-bY21NGO{Vg$gD<7U2}-vJ+M?oP zl?I$*+=NoO>ccXwxvwJJd#l_Oo>*-(W8qQejA3JQ=XiUC`#BEGZ1laa!uCN1_271C zDJaM2%$2_84_kaUVaslJ%25RLXqi?t+jnr8lrRmpRh5&)rn8Kxs@yCsKP?a) zeko=6b%$8Uq?TN?jcQ9FrDRBVxuUi#3}oWUHoDKxT`6-3eTlR&H&w@U(#*nH18^AI z^fPq#LzhM%EVp`uJ5hCltvK$2XRS+(waod>-i;kyod(9-=xY!6h5W{88U_Cs0bmu$n3lPK9`y-MY(0zrx&@|$b(JR z=kcn(OD`qbZD;y%@x^=jxlO0NmbGKW#XnWI`Qmt9)0JbMrlV5q3AUs3*h%>6@2W-q zqK=ls1jpd6w8D$x4fVQ2SR@u#H#Nfhvp`GF+w!x#g?ewjs=Yd8>iJ{DYAiqKg-wNA zmz=5|vcu1oBb{-%Kr0J{m$U|R=$(kku*Sz|^;Q{rQ1H&5SFr9WcyaI@r-)7*3Io=uyh z*ac5;xhhjX`@cgg)|TJ9bWF{$nQhcGQe;X!dt2yZykl}8*JjN|Un&M_Vi%4{E0E|1 
zE-c`RoyLlke;vgVnJkhVBk*xxerD-jz_J9^(!&dA9FbvL3l!9KmlS)eLH4i=mi*nay-8 z@D-EYWJyU7=8_!)7TbhA^<|#4+vh7%A_5#}yk2j&3@|p=*%O}V<5%@m&{Wf5(TEvj z+sHq??V2!BcDAotxQ(Yr{@J{#a~(;4FIh-A3C?k>5(z$RYd_vl$7=dpd=gd+j#8Z) zmo9&`zpL9vvQl%+zd&{J^XSKGN9@Ju=(ZoApA{E>p#A0?>a&viA-;w1bd%Ihr{rn7 zh$nkw%8k{`=`|I>0x!iq1A1x-!mA}~7|igaGg>yOXId@FAd7PFvIzuYiYe)58wsgP7iOPERG<1qBWO^O6N zM3No3OhDV1cJ312dxO(g^NS5(ZyuG>)630fwXJw6(I$P{m#}Y%b>tpsG7_Jvd~o|S zJ8`2#)=OHY_o_=_nIN>U%N81jcUpafznI?BS8{IhpL=^Q;l>jVQAsifG{+~hMc+D= z$Fc_L++~W7eM20^Z3)9KV9QSPjE!lZ#~uQQ^SSZ~Wst)yje}lkkAU0P4VH;Wqo$;k zlP_dmI5s6Rc{|N-;pNrvFYeg$re9YA2p_zNjeaZ=Kxp-uv#y}_1=)4Kj;;OnE34#u zoA=YKrM>6tZ8s}NON@KhipP#&E*+@zzcIhsqGn0^vF54%Xr@AFjv+8a- z@2U7F_PBA-lO_2c-u>*QMvI@y&-D!pGks+zhwgV~PmW=i^XpLakYTUkibz!gpJ&=RvZuLyYpkQ` z*^%8Eoo54{#UTU4?)7_mbAU=@KeU#m3ae}K^w=7QT|qmN*xBK4j2}J1BO`sqdV#v= z>s~wHOcV&gsLtQ%f6?L22*g0wA(2MlY zT6F)YeBKeR+mBf-W-IcK4Qvv(T;R@};-r4D`VP&?$&F+El9Zl;##3f*N}Te>gV_ey zp~xErJ1id0UtTA1dQ1}dMLNa&Cm#y@k3aR#t~9dK00%9MOF-`S`9N+P`uyuv+&MQ2 zF{#fRigL#JZc84^JNIU-<8WQ)un?2oj{OMj_%;lgxiO7(OkVm!Fux9FBUNUxU=!CW zMS6duVDU@IOnz;abD!f&?3eCS>~?X>ENUuVuTC+RM_m-vV5WFp zJFfKW)jS7Rks!!+=Ui}l#86I{1O2j`5END3D>n^!yv$^_=<9}D>-}RTj5@N%83^i6 z&@m!Sp>nF-R_Qyr>uj)BCwaBEVeM^tn%?8J@gDE2im_nXzIA%(8*U`4Z#PsV1WRd- zWv>Xk>}I=+vz&;~$2*m{5kP%Zt943l=UO02F*e{;Pcu52HaFUgvq3;CPD*qDhp9y^ z*V)gn{LxR>PpU2SUXxmtzrRYSi*=;zu}-hQ#9^UBmb?2E!6J`g`YLtG+h(twPbeg` z){p9;OjR!kJrj@~CiZ+pm2)P4UHC)PS9GYB$pr|4lo4|6OOUaH8JdlPh9@aT08+Fp`&=_|N4WnaoC6RB=wPrPc98XSK-QBzH7hIZP zYi!cG;xobidYP|j@w(45PJdummX?2j?^#G6v2F#XiWL8?bk3)g31aT?Z zq;jFC+bhT1Y+;jkCuF3c)^vsd+a}cbmhZ}iwL9#-cKdcOCrrQXH?)*5T9^9YoDo@6 zP>IPNofQbFR9-A1u{(rFy!v9cnR8az?wgGQ=xDtbOs!ZQ-;%y3%k!GrWlo=_|Jw^P zo3z(6Jv^9cxy%m_gO7#OPk>9H!Y&$eGFh#j`$_Q;>`(3NFthO`kkN6h_-=z|Hl6Ou z?RUl6_pJ(ZeqIQ*P*g0L)8x;N$zQ+JGqwH}mr9@H3Hg-%vipg3qBPb|r~B{a&yvjD zKVjGNrLgMuZn~Mi$(=02d7@UGOJB+RIoXK&@A^9G37lB2&!FXa=245qGvuJZ8uXdx zQ5$CXild9R1sl$1PRPS-MvF|dUb7GO84Atbm8E&1@VJT|^)5Uy<#I>a(0Z1cigI5} 
zGJDCq{kwr&*AME?aNfg$;(>I>)Wq&a*h|3gGR8nNJsi<%-Ei^))2q)_9AO-bAyH8y zZjFJRi%@*SJ|9;TWo4YvLuolvQPHW3OT zyqw@>l(DZBWvI6H-Z%0h-B28{XPFPpc+x40L)VDOgU@2ra@WvBm`vpv63T*jX|4d` zN`@`=lI;ne%97BSFkgqwvf)AIzSKmXCdEh5As^aGr;{VqJF%5t+p?E9?kqDmcBD6|nc>EDZt5tbPc3qyNPNVqNhb&2l)e7DKwUkBGTKUTH ze51TCC6tS+ou%fXp)t$P4X?UN=?p_p@SP&sSi5LP1opL}Tk<4u(cPMo66r%ZDet@W zk+##xP8W^aw2twq-eJs~D7l!O?;a3tI^wG-Z+7BRQ2e=8NkZk7xhn4{Xiz{y_ze2j zBd^SAn1B5THuy)MszFsJ>B60R>qcL zD;WzO`EY`rGG?oW5g%cG32ea9T#F2)*)u_hO9Y3l=>3wfUMJ4+5xgP5k~LEMX+@?+ zMUVOz(9A+F)c@6O{+{r=)hthJ`;e4h+h8FqAvSVy`cjxl^ zxu?_0`8UeA182)%RG&}3d0A%W2bwz4ab~Zo39+hcya&uHk@w>#hgigzncUHVnTZKz zcX!k0(2vJh(w)3?KM-8fi(0+=IVsOqWO(-@PemJ9;r8=bGnUMiUFaik2Bd*V>5_`L z9g|-4;tp#K=>Z#6JL8G%0kRLF#ng2>f$3`KH<_$w09Lx)tu?twQ+cqSO~9O9H4Rg_ z)iQqWu{hdG6FCWz`WfFdX)V&q9fpGy^n^*2uIbLJjQG`l7G8d)@L8uk8c%68QDKUA zC)jbUuukTyg=I0wMmJ6hJQ}Rfxi;Lkk7Cx7){FfXf;7K>d?uRR;iNTXtn96? z%5-^YRpfBBzvt;1#bLld(5Q?wS!GKD+1Jsf2|H#?&(%i{7ik6=7nM3yrp@^+g-%?m zwL5Jk%6tEDzYsGq&TDax;fqD}cE`mm_zG4We>G#uz^BTOWt!Fg8TNwLJj#g@k96Y9 z;~JSRE&D-R<#bQ0yz`8vZ}OuA*V7cJ*vjVeM#O1$T3u{~Jg@%5oTqinFgziDv0@ip zWY=$2gl47uK=&we_zN03jp8%E+7brSGA^ZOWS!fSKZZvvwg`})1*TJ_KxpMc(dAv(~Ih?F7M{XDk4_m?Rumno|6`B0(buos=o?qoSn z($XHQ;$9&6EHD|i$^ze-T57JSa_mv$6Z3RBqRxebWtziWp~;Y)QS$U;&*xsIw?lhj zoGN>f481QydwQBms3YSRj6xV@wpzNY?15~URKMU9+dCoKNftV_&7dudPakob zuVryX`Ps1Kz#ZvWi>!2QqAi!eVjpi+Wsw3!0j1n;WeY{aZulnP3162k@Jk)0^3#6X zK_Y+~T=drpG8%&up<=Y>qsWUVB^cOP2v-PXss~L7+0V$7^o8&X5(WVJ(`b>*v&YO zv*_@-KOZX9yDCl#AP&1iJbnG!2?ye9oheELZuL6QQI)z4S@O;}{*VT-5a*z7Y~ z*v7pONBmx3XgP2~S4Nk%N@z-qz<7AIC0)z2ta3ZD(&#=f7C%ex`72Jn`aweK4}yoXQ(|Lp@Z*vcrJMR*Z{%PdsKVk+IOvlX*^pOiGlr zY@SY$%`MsGxBWiIOx65rRoFr}7^HZRU+TSQ{wrns)m#5_0PAD{B-|7)|!)Rw{e>GyZGIM%}SBO*RzVxs%8qbm9B?x?Cx_SSo-g#zcVHy~NmJ1XyxsSNAuEE0rHi zaTld8F_9efSMK+ps8~s$*?*YRq^cuLkftE*a67TY&AImgN9G3m1;kvcCy8m`_Acm2 z)vo`1RwVOU%%jckGeCa#5P#`e&){L(55H{Ono+IfN9r~KaiDa&tUZ@cTP<1~Zdmxx z?0v-(SRuJnX%gA*zLVm94xyZz2}@Cy&!hV%hNY-oX70rHp)*}uoQFEl?$L)i&MWT; 
z+$;||3Ea1;@6C2)R>Nf2z9Hwe1R9}K1H=9(AK|sP{d)SKal3k8h33uP9&2SBJ1 z;@wQ7B{UDBopPPH5_@*RzH-;hnl*hx;t#LElpBZoaI4NRqrb_nqhshl-$@m}n63}= zv=9J?G>G{fxd&m<86cC$S<_Aq9_HrtH3o0WHoZO@43!I2}PN2ITdDV6s? zg}_I_Z6%}{$nhL5I~}pqb^zmzfU(`Q+?_8XfZS@CVJ(HY2*lb(CV5w})*5Vx_N^&`m{>fPbP z1ElVJ4xjg{hh$ei*J7Q>!SYDZ!Bo&wM!}I|9Tl%P|L_FCiv3!({`fDtj0`#A=P}Lz zCRT@lW~YTcUy`hVHRTHXE>gpS>tF6roLzjaVSct5;PMRt0*9)jKb;pGE7Yb2x#6LI zYi5*U#*@*9Oflw3wb=~Kc6neK>Oi72|76XoGXBMh2FkF>Jx3C6h5_!FN8>B%I0`fd!0b5j16_Y@pmO}khA4U&NQ2 z*=Le1`Oq0?D7=lb4HiL!p6=UW?ss#PS5fSoVW5tPmMOm6Fv;~S_^Gb4uL-5!$buFm4Q7ZAEu#R_LX|Kwbd!SbWFkF!xBXFZiNbw ztGItf{Ql$`)rhcJE=~*0Cg;#wP%YRMm9aXT z;-mh1aiGm1B7##?7+tiE-7TmLKwaqmV2$ws65-|4Q9EC9U}yLGzYRQoWrIzXaJsw`i)?4RM*4>jHn_tF z-FD~crp+G94E--$S%6{GdpVisL3cALJ({!Zy;6^BXeu13Y*{8-SABFOHW|I%Mn?MUjvm{^E*4~1x7bq*tY zSVr6rCf(6uU)zG**5uQ|H%AEE9k#xaR~9!dX4g_wE}f|45QMN@hh&A0QoLQmzwEU& zY?A!%9>BoA%CD$wzpQe%Y(#6(se7rK=D_kj>0y_}epe2X_Bbp?4)0AYr75@?zjw~q z{{|?`;!mg?868hwtjkhz~i?nAi8eAAmmK3t?5Nlgf(sBFJ1 zL3HJ|g&E$(+&kRgq!ESyui1T}oZWr9vEM{vYe!(I>gc41)N_|lcVaFp*?!2#u5j9d zOTBuy9lPHfTR40;#wgO;JYTF~fw4VU{olmsy>!U2fo2r-E7NBRjnNUjajFe;MDnb? z-O58}hAAOf0YE_w#0h)=@b}e8EAWJuJnvN6s}5g(UbeT=NHM)onC&|MrGpkGcMESC z)$nO_4S|wXBlJa=Mdx7?Z+@L??Yqd;kAUn?@7bY|Jn?A|)STuqMvN+oOQ1HCgoG`8 zld#*ZQC%6webU~|@PGy32RxO6(6k!anECXXpSRoOCzfo=gRcY!x;?I&gFYb&!j6{v zi|&WJ{hKc!#Qz5A-DSbmH!Y^!hsbb`LgbkjJVe!2Di3!nt24CM(?@DZ6g2Z$9cPP> z>d${`T3DoXYtLiG<)3{?_M-NRF?PnIv=n8S+NKVUIBq4fdPO9Ezz98SJ$XlN@m+qi zapw$@Bbcr3O9`*Md|Vk^2Lpqv!7wbMC9=}(?`LB+jK{8>=k1n3n-B849PSR&K+!d5 z!)Ybv@1@pGx1wj8ZK=JTKI}B3rp8 zJO2Vt@GI8-TV$tC7xNOr37y{;*{c?zG<~r9x~TjC?^>(4&*A3bfsV7z1EECBdLGrH zm*j-R@05xbwdcOEa8y2hW`X7qD_8d&?ZyyMf-f#`a)@is$$jx1H`Kd%^=o^jXV{{EGF5H}D6qq4Y#Ff0z4j>&knvCu*|#YL;J$rx z*gf{KYXI5aA>;KY7zN?&#J0I0k%MCMKJQ~B?U>D>$cwC(olkoFTtDXI5`AScgJ*T0?$~o!t|f25Dn+fs2WPy? 
zlL-l3@grrh-26ykk*Js;Ng9$@%aUDwds8rQA8u4O$+Hy2Exc0CVB1*pIQ6G9nFV<| zEippY5+70*RQtX;Qd(5H?aMGa-~7uj@H4!?5JVagDjH^mFf2iU=XijY`~LcLmxhHL zBGNvTc1p|sOMQT{sam*$7~cf^(b;cF^Q1n7c(X9zOY5(hVrpI#5w-hUj!06NDcv+* z*?mf39zGFiQDIYsg*RsGsOZX0U1wP|Sauj@3l&<~{oPFkaxEK0e1Zzt-Zl-A*YY0I z9sn%Mhe);0Y2*ocJGi0HSc0>c&kKR$ng(NjlR$V&mmlaS?c0;Fv39)=!kpe$mgl(t z?pFRl|B>&Bo54{hZTG)5a52&}IR3a+HMiT|mLL;zgYEU*1_ig^YLio&gys>U zxZPs3^!2^b+b3i)S3Yxy=c*xwEoqq-UDIVE4- z(5+;Ag)5y3N3AcNhC-xyqtna)Osh$;O1V8qGe=euG9a{53juwu;yHk48d(CZsRwrfZ z4vx=Xv3#D*?5zo_GDYW$g_V9xNwulgAAi>RdyP64ua|HyLvVDK5N-_D$6}xtJt21 zv;i1+GPdy;$;F#ieyKBOT?5|c{iR3DqPt~xgZ-Lltowl@G7g<3_}MzYiGS6X>6F+Q za6A~n#CZ>_qwPq&_9|3-?7PJ6H1DXmYcIU4<;YUZO%F!*==mqrlIxTQD;pd4Ldld1?$yj_YiVQ}c!f6Sja_3 z$@lc4-b(yz10{bsu%h>jnd8WPFi?z7ek<;id?uo_U_QS^nCWRX6_>G+AM=Yy^HL+~ z3Hu}P+SG1oS=U12`OUe-^8!ZR0bK zN7}M=D)&gMZIE#hCF=Kbb$P+Uw&@l3IQEfv_HSn93EB%{M2@6 z6?x%qz|(s_=jy=6q%XPie(P8i+kNW$X<%t+_6QM+kUJOVEM65h17({$45>YuVp zXVRy47b_Klgm)hDgE#7cC5AEbFtO1z53!#RabNMlvWL{C+$9%t*WgW(LwF^4-u-Fl zNx9j`TBM0j>$dbBZ+(IX!Xw7m#Ay2=J_6P9sd)e7o&y*O8J%(Tsk3(?5?QT*geRdc ze9V>bxa{TB_VM}I5OGhUf#;S5e?i()?L1NArzp5D8FIyED-s$NcB(YK$v0kfPTFS? 
zNF=9-x%c$!ifWQTt{@h6Cb_R)K%0t=>$-~BB`-t8HnV3JUZ?gq7h8?C1D7p=rCrN$ zJe290g@pf%D`T|HZGPwkwYDwMbCRu;Qm()yQ=^rb%0UrJ@^WB1b4G1|_lwD>R?gd} zvLE2whx(<$A^h<@5K|2p_2qup8n*_oI$n3`@ENT(&JbJiSFeJJ2$Qa+gApH^m5uly zBJJldG;y}#kKa?8^tT)Zo!2UIsm6P`6!`YpsM;qZqFXLtl`>6vAv-#Uk{LA5yq602m%uk)h8fp=$c!usG;eN=v%BAAk0bA(_azf={YZ$0-w;ktIyUjf zFeXYf(9g`Q&26`TxC?hp&lwq3)n`$;zmm*wM%BolL(|*WUsqdcvJ4h;TNhTHIVeio zfPg6pA_hJmYW<#`Gm_}79bj`>*OscWr{k;i0WC5*@2C@z`tw^lQQc?ci>}6z?*@!A zyPYN7_hoiIrJ;1fv{(P&zz3!dfB6-_W=kbGX>p#pADa+RJC{oy!E zBDkIuHMXbk&E#g`OX{D{Bit&QR<(j@Q?k|DAx^^kYaJ;~-2Imb94X!wrACp{l}n$B z-W{-RNlFd3hv0C0)Wm!@7bBx_=VOx@!w%7;T~eruOotqgmbL%*bnYPPW{ms6cFBsi zH&%6~PNf@@=3j6|qFg6l{j?Tusp!4xv@!Rlj4}wBLvcC*-wy5PbepPkuk!XV>J{p< z@a~*rYDcbq-RqnCix6oHaA3d#Zc8f-P=J+5c;I&o*ep`ZISbCOP6TwND8!Z;B@y^d zE1G2&n!&BeDXwSU14Zp!NsMPdHL0-Rc+!y~bPZWHx&~o&@*9H)CbRP8k4;${pz33e zk*0al=L8)r^BbEkH(qLLHZhlkw`SD{Zw9l`#Cn@Y=!37K(Gu(_m4>6S7j6zeTUQEH z{P9}`oZgm$GSt7z?f!kS|N5_VQQG4d5WRN=B*gLl`=8~NaMt3TmwA&ze_BUW{PdeQ z>K50W3f+EMuWUqJs@z-Qdqv8wqG6gV;U82sVws-%RxkXE-i^Vh6zs|5jkSBAR|W<5 zNQ>wlx-12j1wU9V>-BS_Zi1#x)XHwQec5S}(*R-VKztff@I1XA@O3bexr1~U&eEbC z+*;RwLBFdL&RjeO9N>d_7Hp3?Dtk>NIkSGa3OSoB((u9$@8WsR{H^o9KzdD-Cyjx3{)l`UD7lN=Pz(53SzoYue!M=9HQVCvkJgL76 zWDe8d$Y-~7a8AX-u5hJ=7iftb4)m}}W&sV+nM*|y!w}QA6+nY$Vn$Xevji>%gdk&} zlU3?hPyHv!;nXe93fJ9a2tWi?8(A{rx^qY*Zn3`(fR`d^pFL^V#%XiR6EU)6juyx4iK9C zI}kQ6TK1j$hhvP1NAY=SRpa{ahsd>SS~rD4GW0%M;vBgC_dlA08qqA0C1?b^Ei1=au+BWLaeZ( zQPer3A zq$>5wYY;1;Pgmm%1DAm*eHV#CS?9ghe{Uat|1W*gqBpXmb^CXS4vqB$ga>8U3a<=CIfAu7`Wdy8IFfD@*?)(@ZG z0TFF%{EDWLKcS9NoBxajrwj5tkw@)RHLWC^cBWGzPfbf~&4Iy?20ENh2e4AY5Jzzp z#>S+e(&7H7dJQ0Bu>lpIY#l@}7;{KXD9=4#>i0Uq7Jk$pNolmgAPRgvXAMV_Y?6)P zF01>Tde9y5LL293HVoRZft>R}Q6qb$U~OyZy>i$!p9nzFrOkT)1IZ!j>grN8XMveg ztACuXHy*@|EmtkSR+Uyb{m)Jmf(9z=LAR6NzR+mo^6w;(eP%y__L%GV_Um z-{nNbLiY4(qyO2Efk`O!65Y(Qd=dEae~wlD`DizfVbNij-kQh$rQZ)X-g*JYd#$v_ z$nM2o{Rxf>I8Ha8MfWjcVQby_3IwS62)u>VWB>9pzn7w4{-yMthm4cf#uow0|5?5N z@x~7=;B_|0(5`>=2d46{ul@ZIe?dd*efF)6(i4Pu`0&-&3Rc(Prv{Guqub-Yy~&J4oV 
zhg~B;G5!wnro=cI=QkGEd>jwciMe<)`~_0tmyGOzi6(clwK3=9*bT2umsUSLB@3~r zX&;~_jdwdQ|A}PAP2hU386TYHKk|dyNPXZ5ahFgg5CUv{S`(yf57H`DKCyJK=eFZz z-Ysf(y&LmquM;V1tG%7gePN&ON7Figo}*LgP7;hlDIMxch!_N#e^d-40apP-|5E9G zconjQt4&us5@G%x3lvf9nV1(O1g7F1-(DQTtgb*Y=Kc=At{o6!L?b-ds}Sl;J{WQs z4X}Z#TM80)TbLjrJ=Bz1RzK}CZWO`4jWN3;8yoM$3cKDm-JCBPmWPJqhk$2e+L3ta zDFIE)ZvMX@CyNR-d!)F~t>f;hb?Ckl5}Sw&A{e)O|LD(-?;>)1D+SY6f5=K~3_MX& z5?k{*)%day44ah#y7>rYQ8tg3MZinyg$<|+W-t^3TGI}Q#T$ISu@_gNWcEGamDtLD zNHnzDWZ@Q4YCHQ{9>#qmI1eQB>S^JF@ry_TcJA{18~C%)(5gMXH5#PQRtcrZNm_01 zWjE-M@9f`zjcG5@y#^H3gI#x)z5n>C_{&5e6gAn~ovQmycEzvuHLsDa5sFG}`|H{6 zP0sF6n|Ks%2ATLLIt<*KplYf~mI)$Z0&_XyGo2Z#_}^FoeR9O;Z3plS@z$aZqO3k@ zN?VN8zpQ;n<{m_63Ysuf9*cGKr$j*WF4S(G$+G`iotkGPt2sr>#rOQjp@Cplvn^|+ z{F@`rlpk5>wlJim-;De#rKYkUa-OuPo`meojI-bV2hsmG3fr0lms`3vZNK!x?QjulZ+5JQyV@^^#0ATk9Qo%_W&oH}ovLu7(-@o_Q zdf}OM{?_3qH&y;ebuvHZxamr|059J}=1XeTmO+W~YQPyz`b};xhtawq1)zM~)mnt= z?79tn*VuT%%uv5YWwg3_!va{I`u-r-nr^6B&TMp$5$M$qg3R#Nx?TOV7bV3}YM(uB z*vm=$>!%czJ7!uk{(2h8bdg<%JJ2(K`=n~w$8#o$Zu>h)sZm93k`ze*6!If5$uy8w zwE6(3Xot~lujF}0yahEE5N$jV0=UZvlS>klH|WmK`oTMrO*J^{6+%jJf4HJQ`voW) zF)T=X--j%`_!E))ovOs?L(tFvu~++#{MoNh>t8<^cj7o|+V<~{_!C+C_tn5btxb8= z&HeFJaMa=;m0cSUtQ4dKU+X#rc19gaZtY5U51U|DSgm4_tY4&*k#gfe(y&lyq&s55jx zQLA$X|Kp;E=TSVB@@OEE@k~Rf!^481YbRJ=xdA~YMF+BbBY@82kkYUA1iIf`)_%ZB z3aKWpu0A7SOx7?jxv)Ol&CUuSUjVwJiv+1i1j4qS(k8pbA)&*AStwEU0T9uCDgX0r zp6mpgs|DLo-|hfCi|A4}$-LTe^NOvF{anz$B<`PfBlR{UfXqUir4m0Fl4zZ;2slXe zMGYzUAUp;DRJzB+D#2nJg=yJIBMy;&Ix(ajfQna@m0($?!Tie(mfD&;5+XtLB#s|< z0=ARv^-#Q-uk%7YU>!aRy|1!Ju|V4ZftI1h;iG+|VY6X+o{#hCk-)gYM6XFA z>gT%71yj2OB6}|ufCh5a_)BU*750e&!%fr3-&_N2D>K}K%JSVeKmJF7X52u!2*{rT zBE&P;PPuhw7Py(IYb~E$b7B?2>jFWmdPVH}LR-nxf8;ZZnIfDqdx5G6?||8~8w^9u zuz`x#q%`6X{IVYcFlwR>wYk+%7~#Q95F`K)=2axXN_wr%Y*x9yk*1oh?RWrGi%5LI zrK$o1xj944{nVX?$6S+txrT)C?tAuZ%@qZ2sssd8v!%nJ7HStiB3PMfOu%p`OJ>3C z@75e*53Qn&oO{)eE>xttkh?}9Q2kOx?b3VBxy9ow?_TU`6}1Nu&?|{R1ShGC(tpFd 
z05@=jUD#%-bx-I3Sf~2!P~MM0x_kgl=1D>#vJx+IoC~9x<`A*jHvSGRvXO@~YUGk*>ZoCTSFYcGfFP*+z3~uV8gAX+9DPi5>p8Q>xgSmekf?2lO!yD^?7V+aj9b;%M6LeZU>~^n z{m$%gr!PN*|A%4}(N!p|c0B4ayNyre_r1*U_5EYULN%Y}NI(eNsh#IuBHXSu$SCCP zhKaoUA^x6K_KuvBX}UxxhTdW}Qyk2KvQbjVIU)SIA&m3nv|>`010@Ol3wu!TWcWGZ zd1%|RokdC)Ou$7L%qrNKMW(@Iw0E-dzQF??#0|wK>=l)8DvrfpNmVsDYwhBZI??oU z9SyRp?~Xbg#%cjz_!Gl#k+C!f(PtY!J|c?h2kP1C zyvx5sO^TaftW$s@%F6r1yq)`7CXZ(`D{W$TNlSJD!@vCwnDcYwzMrnO(Vu>cL}jA- zo~Wm;VBP}^uZ9z6r*xh%4a`wHNxBPj39cZ4%_*mScLn_$T|j4GttCt|YkRGx_pAUO zy}MsYY1%~285R~jvaJ9dzhubZ+nGtAZmfZU={_;7eC~M}q)m5RNLinj1-#I2lYD;W zrMnK9co$hm7zDzabQ~KrbQq-V5aCKNr7xU1!$Ipa9)C^O84c$tAmO_RV+#}@zBI^s zLBaMrIp9JN$&Ze9uYQz+1Z;^jqhQo5Y;cf3G4cu5IkN#A@W@|$Ma$)ZK!!lbesr3V zCLIbQu6=+uM@9-sq(~)|fY4t?*jr5-`anATG?HgPo@yznIEW4>3|+?;-uh|-G2+-;I|fbu zVVBh;FgXT!ohSPB4$)#icsCr>&AVVKm}V^&e>ehB-C%4YGT$Qr@R#4VC_xF-Sh^xa z63lcAVkKCPuPqLX_~gfbQokdHNe$lc*V&^lMBmnQ?)#XNqF)y%2Xqs)gu$Bfr=9S^ zO1LC?Tm26emo1P~{7XXW`R)j$kXZnPg9*8soN}Tr3T{)itefPaJ9>wRRYKDLtf+2F z9ZpTlwhvb-5Ka&j%h;2EX~BlK0R-#=Mt0(Uqb+x)*Jg7591{p%i{+wZ=X+p=aV@Tb zyKSgmL>u&XUHG-+f*nZLh;z2JS6KW_Jn9L4n|%@DcS!}O zK}K9-Suj~u10gQ7gD(rA59a{`nv5!x&_P%!HsF3z5EfMJw(q^C`VJegyppf>MIPca zBdIV6dJ!L{zzH#dnF8XEM(r<8%sYHDPU=HH)|L>yMmSxs8iqLs_(PB`SNm1=NcCRNypD2V~9FV%<${MOAROQn1PfoEeE7GMvoaz92 z%_B=;wCh}MoqS#+QE5NyBegCTe##a|XRXiMPyfXMT>ki{Vj#n~)hw<%y!%0*Ko+7k zAgdG~y*W4FGc|>}sZP6)9#D4gkN6RH)M>rU5N4zn4}Edx&mB5o%oH zE~1ow^ijWj<}Y9TKmUjc%n6)-%>wx4Q-1m4|M|!L@|%D8Lg{>KLVObIZzRl0hmN z3`o}v3)_&tbjF_Q#2f==tkJBlzx6!7@i@O+m}dkrq-kj#N%?>62BGjP3%6cqgI){$ zOOFJfWGn;rD_K6Q`3HpRKm4>P>oL@HXM1nE>R*&A!c->Ez6gFTe%aqB%P$x8+b;?c zX_qyW)%mO99+wR9n(>Uy^rc@8?|=B>OR&ca?Y}SM&qVK6r}y_|{LYI1R$l+1o_}k` z-)8EMCF5V_^lvlux6k;`78e}2ka1f6j!ay}@tZ(U%%CnEz4(tHlV2@PqsW}9T&nDM z(c!P8uC)X~ur{}CZMc{T-28=>PNcsF-gJ{7kqgMW3izPBYyq-*fg?ZsWJM zz*8QadiOK=WbrgtPw2&@@lya~tk7LF@SjmZDxYV(leYKj#~_;6UG`K}>l8(w|KR`A zZ^Sv1u1lz*Y#cr56T8Rhj{Nhflo@U*ZDmH_Pow_R)0`uL&?=WCxhz_P_L>udqTP|> zQl1pP^{+(ki??VwAXeb9ze*&YMoE!X-DE~%*B})^{@7a@OJFwnDaxC 
z2v+##E~G$HlsI+VuIqejGPdH|An`0x>uutwK4}DK%#H7z3LbDm6eUoj1@ZWSr~hbL`DWZ+G6vOZmF zEe_H(z6Q8(GISIPBAq^X8VDMHS_jzhZccz3-Z?zj?*RBNEE)1&16#d)s5*$SQ;Y~B zeG^o4OGsNRluB3#Y^is5pCa1?jx$ zq>>q^FMu1F%r1TQ3-jJsv#Oqj%MIH$_PfiuN(aY{<0p;7?=PwpEC3Yt4!|X&E1-V= zy%h;*DcFaBz0yKXHlKqIA;AxW?l<@GrGB8#4;lBNYNDaLVH$uSR%Z>OnX;MmjP`}H z#i22Ns64yIP`?e6=||Wedf|gG+?Opg=fm;PEOSR}(h~!4ZPU;ydlQ*u&cEOFdlmY4-U(ar?q#>hqA`1* z@U}!D(C}#ymgrmrP@aY!hV;$%YtRAqC9xCQZ#CEx$+>}Id^f^4J&m6sK>r_!ITsUQ zw+Xa^gyva%WfH0{CL>yOjwoZwwdqxNq3kv>$EW}UxilQiO7@Rjt)5xtbi!Uo39Iscv)KM zUw1A>ir}sp9-JP&*i=Z%tDGWh%V%V z?P#+MTBL>E)a?yj4N!CP+@x|?fjtkPfE@k~KY)s|;Oz9r3Qc!ND}(@u0EljfP8H%N zi2xUd5%3%1f%isp9>nG`8uSG~`2&4w3CIV4t+?bxwD4l63s6rl+jd~jqG|w(DIeGf z(5n>hWq^HDzsRGwCIL1}C7DKs7q~K~<=33GpV~TS9^8+?A$(jT)nIq$u;2xm#%1u3 zPzsur9H4^``u6FP%vi?BXO<&&5xOl!Q;$`63n{tG62>}&OUG~q7R$OK;muta<^Wxb zyB}zMNNK!bsO*c1)t}tNVnnMUbzB0?l}LhDIaVkLZ+tT{cHZ%$2FWx1f(kY%D)nis z+sgar4#}*#BnD8oo0;Scb=ix0>SGZbBC0gpc2}OvN?6T-m!Cj9Qfjq-Wuz=#$RkndnhvYn4C->WPAbMJYj;Jz#y6*y(ozXF{VNRg+ z*>0@{VKW~&PsPw&XiVCOb2kxR=TIS&yGmn7=qUm^lBcYh@b6Ecg(A*s4B73ww&y?~@*045`ed5A?qj2})M1`W9*iHUI3=i|A#+ZI!hx+&BRbrK z#_UtJhjQpb{?g$h{(EgniOlfuETZ8sf)rCd$6sIg{%bpP9q7NP5n^E2ap&|cmV!Umcp~NW=sJfId(HA4XtD+YCcHKo+3`2f*0TP z;#*?L4k3jL`J(S__5Db)_Ob2_gK3|NudjQ*SfaA_0Nj~D2at?qn{8ex z{Frp3bN6siOoE;kpw_&eFXom6v#-V3FxL&eNFsU=d7#$$lf+wxvKRnc!}ZL@#`>P?0ZYznk%r?>L9e8ank5|9%N zXLnNcBQ}(QDzE!9nf2%igt=1PW1o2k@()dSXSuu$-QV=i$KHtH19skv>eY*r_h5VB zmb{Hf{L2~avNdy$JNMV)^|!+IBMwCJVsh5)E*FNT$g+$tI_DuJKBo7-WB>Nbdg|A9 z6M+(zC9%~Dh#REWi{5v14u4^Lr|);Pe6yhnJkAv>56A8Y!S@*Vb^sadvx0|g0W-N( z1e#K?1!EtXJF)CGGp*d}GB^VJ85)tr^@1{*cLvLAIBzMVLX52?gkuU=M`r5Cw$!$$jFHcouF&=veR&=A+1+-O0LdupH;^LL4QrmHc3a=mH}(V^j9qKpV4{diBC>P#K<_AaTe_jCgQvOD z2WHg9$TrOho%&b-Zuh6C8|U#@$eL|yhL=u*b%1Ouc>bCS#4JLZs_ zo^vGrFUd5#m>(I_{yJR;Q5c=xNsC_h^mDlKW$i({%i9VGUvK98W;?BI*dPQ^k#@|% zDn-#2=1tjd>_;{Xk7d{X!lsH8L94fZ01SY9OoE`;;nc+qBBNWpLHat3-k>`BwIx;Wd}J8u}!_y 
z10#$r)jvf_Zs%kh`aC09sL*EKB#V5nPGlNEM#{pJOD){*rty?08#${0YCN%{*vQV8I{VjZrlw6PTE`>YJ9c}JFry*0n-~~pCaUOm0-Eok< zO*g|aASETM-;EqudY)sVZW_8Tw?FaR>fkMLZzmhYP5=Pz9x(pp)tZecGH~o0>NaVA zx@=2EddqAEzS%L8V&Xh3&$8^W7zSqk1}i{el?e_8_hRoyaQwZuHg_Cq9Y1l5F_deF?J!L<0&A#yrSB<@l-iXG$l%mEoi}=C?j$BSYiX-1a0F^B+f6y8$YJa#`G~_5u*cCQ7^T^#={He$;-85;XLNI z_e-C0V)zV&Z`-2#T5vwmAqud-ZW?7&3rnr{5H`*kf4 zXLe4eb7KS0YBi6rM2w^28{9hjFLrJ{!C%cb_?=z~(r*K5!E#FVqJ47q70()1(K7E2 ztvn4(y&b<-lhFphX)%aelF&dhP{sPp8mkW%kF^*o&bA{Br`^s~Y<{T|s^5UL()-es z1cDXBktFDFWG&L`Bzy+3A!yrp&){KfI*tcJ(W0A)kPa3qvpLxpe|$fe>aZt-Cl z^L~5;GXU0Lz;$7R*zRxXqtC~61|-9QDA*QM;ZXvsrm&$lKuBe*OdH&lhNis=pt+W11o> zx#(!g{+*OmIOn}l@MESH@>1<)z-(Fr#u)E3zM6*S!CN8rK;3I2=hN%oRr~BcPE<|U z4VM=8>DhKWCCs#Eo`T7XthK5(&JVhYN6{f$DRtP9Y1-kl!aCP*+k2bdid^;857T<~ z+kG%buM?6AF8Rt-L#)qp8#$!V)9h$6ne5A?kUdMYScAKg{rbR0qTxN@>~gTP$&{|M`3WR)JCo9@+1?i!IyNp_cmiD7KjUCrqWNTGw z3g^CC7M}Y-ry;q``8GZp!W#8%(Z2`aPp7xyEge*^MA|+iIx5?TC?_4Nu28P{7 zF)7H3E3IjBAdb6gS8L$OB%=q(Tts)J9ST{u6-TS3*4sUpv0N=|u}rOa zbLzFy3Q_31o_bjXgFRq>9iCs7^hf#MXyZ~n`UaUvRqEqj(}S&qFBF;SR%^3J#I6D2 z?it!DNO}ht=0F>!fa{?UYfa(3H^5ahAEcsukY3~FH2GAdrg}r9$z!v+!=q>uZ!>?C z*s(6`2pkP`Vx4JG%eb6+KF=;^HBg)hN$6YIMx1pKA_>H{rOpP~z7v(pIii@kF4yGO ze8x~v9J5rWD^)aB!09;OUle==-;i^CYpQG6yjWBAYAvrfc2_vCGmkU9d&3;XZzNJ) z*Nr-+%KBn;Y0dM);4~$F+Rvb@s4mMrw8LNd~ zl+~`NBg;xE#HA>uNG^MoX{g@8y2AJ!64D!jM3eenc*F?ri486jwLg8QfhI`c9?oj5 zIeFfqI&lWa-Iuq>>?_*NoM*;SgZI@phTyRmZ+q+ltE+pEr;QgNIX+Mi(0lk?c4zQ4 z(Z{HaxWhA0Vtyf%KS8I{Si!=(5-UVfeu-d<@(b7B$1-c9k9jw5mT#X98h!cCo%2=J4@~xptJs*X?Jqc z#Zv?H*FIjLDb>4XSJivlKgV~!9)=BNUCL<7;Pe^*?j6e0z9YPnq9_fp;zC!@kly<Kb%I4W( zaaAqo!It-IF!j^e!}g&0GhfV8e&0MLbOe(11S~we{q*8B=TuEPB@(L8A$_Pr$oxe> za_#)I`8>hC&)yHm`BxJeVMPQaRJsGfeuVTq@(4KASD-v&eY%zQ(LniSQQRC*2%lrk66%YTWNDRZ_WD#lH4xmzJj9y~vkO0jn4D`m@z*-s%HSNsd zb$qs4N(&_B2Q+MiGIgZwjk0lxg*H?g>)~@#C_j2XdpXG65ud1QsnBDJR2Rm=j@`A)OT+YQ*OMWT`S)>AWJ302Lh`Y*9h5%{S0(nMybe4+AaW{?Z-4y8?{c@^CVs;f ztJeEpB0S^w@XJhum&e^q_i_vyy+&R0K}Fg;lJi))n!EXg&wrHjqdcAZaT5zg!@*ka 
zIVCk2^xIq%0J-Cyr!LK9!~iQ{`v+T4D%Obr!CbO6a0v=MqH5YZ{n`JbSY9)W|t?1%A>K^X#DUJajj zzQCbknV^e_f-Y`lQDzqiy{fqgh3lfaJC`VC-!|$s`1t^R?0{aiy`@=YeKdf@3ie+W20W4zmP_~kN3gc_up0EF$OfrF#SF_^aBieIn6JRBTNOd zq=T@QAL;2K4uL_FJmj1*I|lfZNf5L2#Log~`78k`)blv^EbK!HWa4zvWci@C#to#I z-N-K^x~{)AE+QIWS{uUF-i%V2crZb| zwW2!u1z5S1cpIq-RV85)U~#hqO3LzHiZM%NzJ%Yt%WdetxNqZBE{+nZ0&XpCFPPjZV9Dg6 z3a?QNC?Fr%(OP=}l2fy?LOl^q+6+*O?lX5@ct33NV7))JB3=lf$?T4lD7AW);(OReAe(9dp)i3U9^A_I#D{dfzA(*v9@UM+;d9$2Awdl=U%f z51Uqi!pcg3Q!|>!zy~m5Pu13{ooLCoTumny9UDTzFM1LYr|JWfB&*NCJ^OhsP0zIy z1i^=gu4#36$~fX!S+E?Pkh_PD*;Wj?U$=y`g##i6jsdnxLGk zP5xSOk?1lT7rm>*1-aYv=dhoxPHES=EabV~Zgb4y;yOU4rnBePfXK<4_7(s<99h}4 zx^_MMx54!4`USiEL+3c*f!hSB6CXa>#O1O?%dZG zvXa*W+Ki2hqPIyKA49pwnN<&fM`*^qCl$xseufMwSGda$$9IMA74K-s&Fu$DrNBF8 z-m7}rD!f5@U*8-Hdojbsd~dDF%OH7iL~`9ny{wIEP;15yBhhN)=h%;=xqr!R&h=PF2}ULnmKG0n6JuaL{kq=Co) zDT-eThFe=f%9>0ve~v?< zi?u!d^Zry2LD4aN?==nJDNGWL=l>3j$>fO-0821rBLFirMQm~Ld+yWT=!>bUG;)8? z_mA~pc^-kxB3V2VnRRvcz~yt)wSKoQ++U}CfD}6{yHGBYUhtLq=Q#Pb#NSOXwMhRh(g~ZPaf4vY%0v{ZD zTp_<=-hbzK{8=skf0hI|(jT&XT=@AG2tp*7c0LSdT_!^?=N=GJRmsOf`rA@q?w~xd zu^I-f9NlyQS~>!JyHjRdZ}tkjb?S+<64`uV=lLtg`Rn@s$BQ&|uwq}PYlp~Ys?UQ3 z*t?Jbgem1Nue*W3sjvmiYmIXQNL)2QT=D_j#079ByESm&m53%oI(W$LYc0nA#0(Pb zjR2m2p^*Ip0!W4XQz!{$y)8S;LEim$A^<$uX*rlF{mTFR%ySNsTzYNRtz6+8CnBK* z>fvh0I08t4^C2}nw7I>;G5L%a#W$!MJak0o(m6pB&KWqYww5im$tHUQ9a zYA(wmtdiRSQW`jrPzDmgC;?)ENJ~Xf#H@yA$7i%zE{* zbZlrqKw7q`9D3)|z@{7bC8r`3R4-pTE|T=_47_M6UCD5<&{+0)e{I+_T@>Wo~=B0xR>U$vBYE>Un|Li)pg}voH7*a|?72;|IQDXF$ElYH-$%PSVIz z!dBuefu`TxoS6{zZ_0@zA6D2 zCIX>^&D^|d^gjMzX636YA~NLzp9n{(`+Lx|3^tF~CD4q>0$>9mYzvCAHE2u=MA;Ca zCqR#Fe4wUM{(4#tIEw60upxNMc>}yj#W7)` zpmjW#V?+xyo|8))h=s=|cA?om>AjPt6B{51s3qvhW>T1kwC_|92$^Vtv&GcX;3}-x z7mPg_p%ilm)Q!DDIdQhe!%psd+V%TjrpG8BJh1(BeIkkg@dQ+odS1PHv)MluA6L- zgm>FWL&9Z)ylTAdjmAxD;j_&^0%3A9Ms#BOpI_QHVcUd^P5zGGNY<>4ek9vvfDDhl z8~yvO|8RE+5NJVrv={=K42aRR79ecRZskTwJ;}S01Qu5pK01fS4={;H*d*yAiHex2 
z#m9){hvb~PA2qJqRha2a^2I5Z#vd{H#zZUvHbE`cvU0kZPO$+rWZFmJ|F0bfdaO4~jo9y7Z5mz`VUdsLQJ>wgOQN-V_Li#V!)QR8_s zcx3*oTQhcXAy1#WXmMCZ1W3SCA$Op)0?AWLIYAf|qp&@&6ICwv8Z8$2&L8x9OLbjD zbViVGD7#KS?*1_p59$S9Ut@FvdY(47G%Tc1hu=q zJH~kHKXm_;56}zs$6o~B6$FJm+C{UTAlJ&RK5EWslig602hBn z2D>RNTv&xe>$^9!2BxO#O+LD`R)`xcZJjN%tHiqi2 z4OUE!u#nhI!jV+^>yQ5Pi@^x6KD>q&B#0^UU=A|*!zF*BCX4@8gP)2Xn z0-}dNHeKWN;;>6h4y8)UMt2@y?St&&a1U~;SOYVt%ptmAFZ2HCT^BRWw?Jg7mVmMO z*ce6$qDcmqi5^+!S9g2g4ZRUy`d>Pc_{|{*@5WuonM#KP$a`Ju8|)qeIQx852M*06 zTHks5Tt)HsE-1!C@1y+z){?wItJC*ockU)d)TuwPV9K`~$+z4ViAQAcJyOs`I%Ew{ zM>rGpAw^x+)x}j>4z6N+W1{hxM;w0#gU#>Tnooc7hlsQgD+_ADj6C`>bdTSJYz8tu zxgr%K<(sP3a6DRmkKbb8V|HRC!5W^uN03!(-Ke6`@i3&2-*{28`=x(`GU8yuf=;}- z&7FThXq)h3OG`lQE;I-iO3fzmX~|mJNfP4@l+rArJ*Y4b)U^uWuz8)XCI)6eS#t*Ufy9j67c#zTZbZ$T)xK#g6~S(qTY}mXBhz)x zBQLHg?xBAHj!fF+35#1^Vl5%q=|kh7gN1r)J>=t8g z{32K`Pi5awIVO7sWtfdz!3`j5lK)^o*agP2%5w%C3x{CPr8bMN$*T-oUqN<_#J3cF z6Was=dGBNJILlYOp+sWe2kzy_X$d-C(2Y#kqsCoPfyNEH#9h!QNtW>S!q^fvst1I~ zVbGy`RtDVkt6kO}hzoVpyzqeUfMg+omgKQ_l;GIi#8HYBAK-DJobtAh=~oy5I=~Yk_@55Q5g!;3%DQB5n9t$Rf^5*te1kM4|WB0wRWx4iS`N z4mngTU+4~7u!kXvqZ?q`lnu;hZ$cbio)P9@kVF>nF9@>F-{JEc#O6XSircx#wO#o1 z@}3B*@5vI~IG-vlx$JX?EDG`>=y`5jFxH0wx9#2$$m0X-)6=`X^8^xoWFb1}&!INB z3m_b>|L~xcPlB9yaD-5(?p^=_6*aZdagajM7!2NWXW>Zr0h!OA2HGd06OdOv&&2!2 z$b*I>R)HsR7fGmp*3{|Eu^e%!8_5$L{LQ^#iRL{zdA1{p%HJl728K>=!T}{r`32(N zEU$0`_@Z(y{Ix=hpP|`#WdNY>I4vTj{g76Ub{Nut<2kguahSwxjcE_l2<32tR(fMy zcuONRy?G6w>4Q`)%TaC(-BDK4xwgz41#W<1y%DtpS-zW$P4W*2=V;Lb~d6K(Am; z+3<)tMoz@&xHxhlsFwbYj=lHL{3DjUFVFSBTiWIZmgi0%MIa3k0i3Y-1$%d&Ii`jB zcCDrz(nbj|uo|RP5zde3}_tS+M0@gy~H6QfzvIz!1e8U^nsULb)R3j0J}qt zvg|pKNNHoPRMcM-j>Fk^YzoH4LCv=Uo$~KlEOciT9Gc!SQcbnHNKic7`f%jX6l#6t zuH$U*ZihB0;||fo&`jyW0BiZe5UNoqG(y9E$_ez1m3TIh(SgplzJ}N%xq`6e2=xPY zYe4H%>&MciKe-4T<1o5?-!IjgqkInxYSY{*nDmau7*&(O`PE(4*XmhrDH&NJA`UD(f7jK4P7pVJ0Q``-V4X2&`lF?T?Kfiq^~HVD!>}vmZBe!=20^|jM=4x;m(V} z5zg~Ly8O*E$c zh`!7$6{NK|<6?vO#Iy<=BxTAbZf3a<-i^tQ%EZJt*p|YkeHWSJYX_Prcpuv_DTG6U 
zH1+4&_F41^WVRP~aFef}e)j&IGovA#uqIHqU~_LC1)M$}Z_M5+DRfJSJ6K=retq1( zbCqWn&U4qkAxd~ZS`S0pJOHeAV;jO2lD5OOc!$c@oQ0R9O%GW~?5@bQb@tVIRnn0O zy_0+4@La?^)S5l!Qf;D1fs%G@uF~oIjy|79X|)HZE;;z--&$4lynr8C#Jt2qb9 z#(bM_AXN%_v?|uf@>0mJEd^>kISlQ|YZx02OP8g+h8641Rh||Pi62EZwG5=(YnC|bpLywq+EmEVQ>)lO6 z;1m2Pv-U&&@d7Z>88dIgt-UL(B^|!CE3DOuEBxFceNf4@c0>9E9W zb)Mo_XY(f)36vKX`V&hjq=U}40OFfYpnAKx`gf8`2y;kBEYDV25j7p4(n7XgPVg1m z@Czoq?K~iDiXfDVo-lCa#F$e#oV^o{eF@?o2*_!kx3&j(I1rJL&5IHilP-AU;Z*f7 zG9=Pfb=)AKUGH`mIBpdr@=0i3BrU(2*n*BTcXW6!82@WKM@@h5L>Oe0y1GyOF=99G zIyPtGNA$TRVSlM-lC;Jx?GaEfLP9%WgN5I`Z*Z4vTBY^qLRkVePzMwd>^q#o3Glvx zMDKW>QBx>}hs$d_;w*_SbjH{tG3|p3G)&uQw zHwN(lcO~8UI|sYBAb-+yT~co5{kAN}&E*kLJ)U?1L=PILt8^>+!ey0Sn!6r2l9o`j zCk>Pe@oALSziX+#$}OnkLNXE}9Bs25iKwbF=p6`zjCgnDrwP08v|#xr=HmJ%cj};M zenmgzQuuQJPGOLQ!vZC`2a-NCq7Vs>ROd2#n$q;>meE~pEa$Uxs9!qAL)GjsJ$|WM?c*)SWA7X)hWx(~c z=;8p$vqgQhEywggs=A81Bl*fB&cRCNDbaAe?bVCVl zQdA4t^zR`L3`K*o+@# z9AJs5AVI<%zI6Zhs`bU`*jY!$Bev8y%A>d9>{clIv4~cKbL4rN+gDI`ipZ5(lkD+OCYo7E(_Sq-k@;DTmI|V=KcITlbY}u!dm2sdO zVBMaHpmd56-4y1Gm6Yp1jRC{c7R$oQ&KYrOrp3KHYUeS3jVO zWC>t`NnA2dsrv3Bjl)=;s$!8BJE9YlD^`BxNRK}Qt&u|V1V>&dLX7Sp2O|pF9fQcK zdSY=Ds~6f>xLz#f^KtbtJ|iHPURv9EeR6lU8_z;ty;D|G46pz8pLR^e4tzde$j;6z zpNPXdhH4FIg5T-+@XsIptS!VYNB3t3015IO0 z2{iDzM67Y_=9lut26zX#26QT}+LZ6+0b?;G``RTFc&cQl%q67Gl@&I4VmqEkDxGWq zt$s(pYpSBjjZ}M|B`U8VvG`^@9C%-l(Yx-OWCQ&U15ds|C7)_ZJ2-4*1{o%AKQk-D9?;n@dUrEfTXY{$c?E#%J0S*z9EV zcL@-hkLJmnVjRzconHaF+}m`7p-E@SzKnwe1o$0%I~m6x3##F?0#Z_x$1)DofsKT@ zTD>o3-=$Oi8Kp6!UqZt_j(OMu_Z+^` zXZiPugzi4*8z9H&)@tUBdR>u6m)MUaPcSqiZb0cs%`^D;_FEgOc^Bq=P1phpmG%lc z)|$A0U5V_UmGaO2C_T(U`Z77SBLfM!kRyUhMGHC>wIn<+$W?TgOj)_ymI68AA4w0= zLW!^E3wZq$02~CGeOfQHfui2X-foHUJD5hANA3Mp@mM#VkUzoI_#w=p3Yd5uj4prP_B{cC#K1zl z6%&m~8L1PMk^sJWX>a1K;5qKzoNOg_O?-|ggDFpHpH5GbfqlZzkndULNgx-jX5is7?~l;Yt%&6w zAaFbjb-oQFSUe#RifkqN#z3cdvM5Hh@)!)mwoWl{NcsKg>WM?8xO@t32hd(z@-8t7 zuZJhgNa-b+;!M4Z*pe!_9B^6sL8brI??BY51O|W`?JczOQP3gWd3WiW)KI?R!CSL@ zvXoy5e6I&N2bs6YpfBGfrq#YJa=e;jEsMH;bwJ3$7n^?ta(J(&^E2)-Ox0TOx!^m0 
zf+2Yq>POt-F_{S2eC)Y4>K2J!HY89!VvK95#EWU{AWbfu&{Bj?^f}a8X`6B-@$TuK z6@#Z`E!9!QV=DfY1+hZh<49~}Q?bQQt2YcAy9AD{kB4Fu%XwQL^m`a%tZ0K-=CN)F z=Ub@>3+NY_K^t>fCP3P&H-t%#;ZGy^S34Q{j^LFu1_K3^ptgW@y~E45O325dR38p4 z6}3h1Bxi{2(1h$U%)Y!eZ$`?`H5{Ij=`iLi0aT(!g4FO!+*XRM-(fo)m%DWfz12b|%C8$5T1 z0W9ZiOU}QyAi4t~29!tl$)t6Murx2XxWSUw@IAx$c&WHS{XHJ9!1*cWtl~DOd3?K5 z#dE@s1h$C=TcDNoLINIu%}~LHLF)yf1o?`Giz4`e!-H5Z^p6SnyBB=$6l)k6&~Q0Y zUKveYk8v*CIl=QYsat@@+pJ5|^sSO3T#TQzNcRmyd{ikXdy(+kpznPsHukm@I;~Qt z0?}jgm50JH9YJJ=VZkV=BZ{DkWxs~*LpQ3C>w3qC2H_iT9b5a_8@nC?dt60rbj+nE zjvcro+r9uKjpTyzJX&TbEGY$)-1|>q>7OA=3Zs|_eR{R~s~}*lm(H$sDs>=(!PZ+@>u}g;8$fl0oP1; zmv{oViEs}Nz8g#YLAX+VHul^gAQ4>B;#)L=K;l|+_ad5hqt;8?Q z5>M;5B0Bd<+RHdNxKgHqwkuyr*sX=I3X3U#Xhr$am7c`-<=%r+2@y|5;&+C#}*bP83Yh*nGO)s50y(Mlqkk$)3G|gCewJ|zT~H9#gKFmr+30M|7IVd&~R|l7~$1W%2mRWkffz~ znIxXxY0$Gz+ZM++B6=3GWdd;0VqE&eO`r-L(?PGyWeqH4G>Mn$yA@$9%CQxGoT!YC z_;E_CsoWCjUy$aeE3zD`CUA(~8pZ2PV_qr>(#AMUj9ngYUh|oDOmyvmeK2i%czJ`U z0?SaljZE5Gn~fZ2xxW9#r()Yafk>SIBA2I?GJ|xVqCPL6!CFnaj4IHmI8aw!Wz1e5 z?={VzhdRtxZVP*VxA|7A|AHKm2_FyzYUr9i00)(IOHG(J^K$maZ~bsw6J+Kk^B7zN zE|4Fcg{c)k_-;D)avi3_?#`PKC(^4~;!F13&`yKh5k!Edw`vBX{wU-2L-c$1w=bh} z>zAw#8K3_Jy+|9Mog8^R$01kT4iWhii~cUBS`O(0md|S8T0pueBuY=~nW*{F4g=z+%xXhL;fk{r&&> zy9i=hIzqJ4YW_n?{ulcFzrLs^ns<6L^NuG22GC0?JERHe_kps%-;JIm@usu+?7ZmT z_vr5v?LVAxkC;J?@aRt0#j6#II5w|)nAw|1zW?K+Fws|dpcaW@O^N=GZ)gWLRyA;tfGp$OhP#(?Oc1pGFTi%1P`zw*)Y& zVtaf0S}0TWU5J74lfnV1Aoc(VBMMe{#>kEt?uF&Q*XEzl0{ux#A~TPpQgM#(fB*de zAOV9j0Get!R-$7GW{k^24-gpl*9?P6zFD(|Aa1UK0HMqc@+!gWTNk)Jq#0JZ&JT$L!b_3W#;q85AE&_aUEK}o&!8cy zmOGz&;;F^j+g8B!F&lQLYdF-?=`&KC$sKu{Ix1EUi9YEEzYYQjko$ zrGtYo9$s%uL&CWr`-Ej_&G=oC{Cn~d*lNiF40(bq_XtH(#}av@{oXg^PQ8Pu3)*L} zr^}e2RpD;c4w(?$LYr-AkRQH4OX#CS)Y3l$S)9XPSUoD`CKl*884>&@_ zPv~|NyK^b|&2wL>Na$FMi9(|`fw@ZNvZ$UJ{@+(wk`DXwAtPg(|Am0-`bPoR_qsR) zTuRTHh2kd^SUl1nCvC|36Vx=Fj0#GhaXL2>yrSI;8z9cd}G`wA-UzA#2?KTpAK!yEE zJo|%kPU`-}^D0T2Z!r#H?HSR>7@0Okz5A$~_VPPNVq6njtCBV;bTr>4u~o5o)@zQ) 
z&)$rdk8X5U&JUKR*&R*#mpeWSZ|rKecq=R={$xONs@Q*AJlpNg(Ped$GT#9Iq<4Lb*Ln8t$XB_N6j~u~ zuX<;c!*ORnCR1tr)!Oo8OM5)ujH~o2fqPeZ?348!`9v9%lY~?AnN)%fjIRZ#^eWwT z%6J+E>*7S8epUyJmq+AT(qiM^$$r7R@rk~1U87t<#d~rjw&!-;HmH-DMNdJRI(E%L z2+T^^0|7t|^SFys;37!XejP&;uCOMMHRiiEd+O^tD<8>Z%C&uMRh(_I@H$|k%U~{f zt2zGSiV~yuhGwAcGbaCpt4AqT!hu!EweY|-+-T{9F{=*P=j-fqPb`uf2L$pb(5 zyt$`WCVc_U_tLm(L88^%sYyus3?6Cxw1O;_KI%^UlQepNAH3eaH9WK?&I?r1cqC$p zj4MKuas8>mOC9pWS6S3b-nc)DI2KK$ z>&rx`8csIbu}_!Wn)QbogJmqk8|ufYr0U6TH}YEzxF}I zFqQb^r$x{<4`-HG(6>|i^`NfLcoDJMbsN=i{&4ZPZlZbfSla8k)>K)ri4KgWTbE#L z@oL>&{!gBbazEn8#mm~bU)hD8c-U@7e#pbkC5>%!OVvA?H>|RLx8h1KF@8M+730@e z>t|@aJe^TEZ6oytlYa7Y?KY9Hfc$BoUMKe+>xb}sO*M%JIDHyu4w%POyX7f;5p#D_hkUMlo$7cIjc40%5%qKZ-#*i{y|)O7)oz;Ctg7Q40!@N zch4jkS*~mItwD?r4J>=e#A&Zfs7cj7LF{{Fj51W>4T}Q2e(z25DW@&S#%f+exr*0N zgkkI~DC4ZpE*WlP7~EKN&iJ7ZjjFSH1aTQQq6(pI&{X>X=q9(X2{j)@#RnN_`#}Dd|+0ar{!#eXVF%eijS!m7;2af<}akYmWPV5--#w- z`Ht~gi$lHp*$bBs4V_k7zQ&fxZ!&2!-xxo~UL}?GLT)0()C5=(xDr@<9{O6!yWZp~ zx?^3*skruD;|=^%P#T+7PJU4ueXBS8Q*YH~=U4B-_S+a{X=rC-H@90bz2A4t86J9v z{Xq&re7wVtXk_kxExOxy``sKG3kQu7ru%dnv$CGb`S81i3peSnVX#}F(`ybgvL?G9 z7u$N0w9?>3Sa-v>S*wW9KF->R6Sm&E+}Et1lQ8(6!P4lMG|x&rAZHEx?2P?1{980U z;gf3BqTHt4ZLhYB@T%i+gP8uA^!*%KVPl_pWYo(Gy3!#|ww1i;m=CyP#)W4crq%t>@AKzW+IDll?}>>oSF))WY!bdVuR_gTY1>dr zY57VapZI7@I>goA)JNffP)*Y=g=_oG2Sv+`3wb|o5v2C`C0ggvWfhE!rJ$$#OuIS_ zqB!@^r~&DOdOeTDPo>%sLHCHyc2-qrfE4jOrhJDGJ*jF>cPqb^#*4l$y11Tm>Q$7r zbyX7gNocg`w9VVxL7xno(kN>gm3{&`?h#cwI^3%#1XI>N4oL)!afg6nsA40Z%sdYd0;Zxx_(9WEb&4a(iPUuv%m z$W~ic2v+u1Qa6aghyfQ{B#If#tOb~TrWH+wH!N!gjKEAj2xbvuXauAR1wgbrFUU9r z*`t+2;0)NQeElOY3yPjB|G*M@NqAKYYmI>d2-V6I0Y0{|ihBl`BgX0&VU2(x-H8%E zCO+f?wxu=U0$|ylx&T5>0fFCk5X7NY(k5F6qbOA%)tQ{AEhSvHt7ieQJrX5APrLxM zpe1R5($i}P@=;-9fh_}aAe|y0!RC-)&;lZNbCD#lG;`5=`G=7OwILrd4w5}PXlVna z%pVEbndz{NnGiahk9rfVTo0cb%$`bK*RrP5=S$sukzuZ@7~hu0rsA!#uk)QTz`nhQ zWSA-coebGd(7{G8!P58SJ*4u#)CgwJ0`$B4OcvmZg5;K#X&}+80mi*$u0H#h`k;4N-++np*5DcP;muN9yT@9n`dDpHd`H z+E+8|%Iz07Pn^3MD8J#4fmavmjGNI9nebE2JEaN?Vl)`2yw!-jVKbbIveR87Skm3G 
zwGp~eL&HA%BxqIDzsQkKJRgH?_iaP>>9gc74!#XaMq`)?gD+1*ZRw2Y3a+dugsP8W zwcTpIQAk~4utoRnUGtz>t*XI+g~7=QT=DAiO!WmVn&w(t8m!{75EQ|2)$0u|Fr9(9$r1(g93w1z@FB5w} zY<}RkcN?#x(`EfG)CeQlX$FO+dN^e6u?N`nvp@)H zNx8T+ftu<6@%7eGQLo$oIGq9p0@8{K(kNYnpuzzO=?;-Dkse@3!6V85QqtWiFu>5D zjC9Y?;m}Ak#K7S1J>GlHx%czE>-U!~TuWxb^XzBuSM9v18at;_iVyz4;Y+*9gnEwm zPIP_WW8^z3dkyGcx=2A}cIvEG?wl~b`bLa4TdIXGXRqQU5f;mE&MfgY| zAa=mm0{P)E@DuRF;HAAg)AxP;83YtGiK56yhszJgsxIytiLW&O;Z&gJnwGhfVb|e% zGHAg|=%)r2um0lw1A9-~aK>1w^2-}HuvP(kL(R4J$Sug&z1MEml%rjAM91Q>8yNBA zv}N)T{~KP7a|!5s{{IJAH*_FbUJa5PR3su3t;({J8}1<*`P#&*kSm}?+!PB9PSHpu z&MZr#AA7T@ENWnMLX7LusWmYE)khT~rgCg-%;!d^cTL3#;)UsI5^2+oz?j(9u0O2L zYqJ^7mCaYQc}ghxiWL5$`IX%IcTW@CqS^ixknxdykam?rf?NI#*JSp(R!Tchrg1nZ zE*qgf24_dRm1GS$c3>MAq$W-oAnlsLJ^IYW8*$#oN8=cyKqsVB*R{M}xE=3sW2lF- ze+LAtXkgQke?W)(oZ)=0lE7Me3!Q?H=q}gMRIXV^;nvo;$&63W_VtZOQE#2LB|ljm zpoO7!<4z3DA8Oo67$MDi2tDhxqlRw{Js=tWP9*J(1-E;S{-&C&7T&T``=MmjGR{JB zo67F9(=ZMnUJ{`=Q_XU#(_J<_B(<%XSS6nv40L4IIuf+rs~^B4Y#+4a6X4pp>h8hT z+jS-mO8n^Vut~k-&H7E>fyNUgm(6Dqi$;?;Nk?7bSb%HLKO&sg&@G+9?h^B@1-#I> z%x)@Eka&ip=1^qED5((M6@ExWObi>m02Wn&zEJT4JY1FW4PU_PpT5^956o-hn*ARl z^IumlJAXzRT7Nvs7Yclk4s7*f9zV$jNFS>Q(@8BqZEUJ<9zX!A(8gP#0IRwW+kn#6 z^SCvZjLP~Clm5KOTKs-cprdKSYaD$iTXW3r)_!bX0c=2zZYN*k?i>(xO62cq|C=sW zAmX~s+4qoUs0BomAt6C?vD)Uaq4_JF4D!Z`S#ov3VZAeT>^Y@m(_!nkjn2{?b<_gf zvW{|?<psHUrN3IuYffL##?JE#%GZA6D0W%?;? 
zz`k|;k;G(tGy03>Uk%N_I-8IcH3ipA6Q+>4L{u>Q#$#eIFQ3GYfHtQE>f=^Zf>-^; zm&!!tW`bh_y0^&WKVYO>PC?h7w?i*A^)V@Si`A0;Ta&TWj3@nV=TepVJ;$_P4n34K5ZLz z|B6<+X_!AI>U(vxch~2mXXg~7LD!jX6Y{f20ju@G+u8B7+lZ#+Xx<;vPVBY?{=cm= z>)Sy4?9dzkfb9ot@+Eb;)DEEEwO1UzmDuK50IVwmxd3MSfuE5rAM;(SXLmx#*^@PZ z&2ZuEEr4Ah+pfuQ=NJ!t2e;bEZ5bIKq;6}IzpW1^hK>W={{ehj98&moo zYk=}w4`h4o>lYY4Dzc7Z`qkgMK>Tyd`NFEJzVEqTeSgiZ!@bL6a?jP~+dW<9qC8v8 zs?3Qirgl5BGA_a`ho&x{v8;%MQS81a3h z6JhlH2Qh>Qzv@3tGX7y7d9D!pJCZI3JPthgLpGaxK2}Og=}T>vyM#+JwyrGKlZwNk*2Cl z0oCwDw2lsxO|yUsTgFfZb&4f6QwI%a*hD5gbNrT71FU-FNTFe0N3j(fojfNs_Fq>y zkJJNoxfy!pRuyo2>gk`;{2H#@_zs(o*}y=|3<5H~3~I=+4dhsyWM*bEturAyc^hQq z>(F`LX+6GM;?cQ0ndKktbnSl^MakE9e^;edJNhcN43cj_y7)A1YlJM<3bb>2b`5f%35v85nV;AnTQp{2l$n1Y@}5|${A1}y zs8#&}pZCS-=}TXJld|&>N0ASc7PLjKAFzzTLyoza}n5g_6847c}?~7e6n%j z#2-+R#{`700jXu-Ac+qU*Sz(nd@g(&7{xY##BNQzN@VQAtw+-D@fIu1%(H$w$1@;G z*AJhN>*Uu558;$ao3!#XA))VFbEOOk1%xu`JM7HNqruJ4fMqWD$6z?#HD?B-Xm5m4 z3l3+7(Mt2ktw|02@q2Q_<6&yZXETP!C-^zf89Dt;8*YeY42cGJ8YcVz>^FbSTI)&# zH7j#GH7jO8&`JNXJvM4l6-{Ey)p+jnnbBdJ`g~wbq(dUfhI-ukmyYZP<4OG#Kd##Z z;f8k@K}iMKcim&)R|JWUt7La1J+ypNDwl|0Qclij0zwk2@>Vh`dq^M)sZ7e#2-Hc$E0ah4 z@HHs{#VG%Z4GOs_aNFCA;e_%&ce%}Eam&j|?>V4T^zu<-FJRm@l5wOSQvdTT)?(oH z7z=h24D^cuW|>B7Kft<$FGb~G<+s!$oo1w2>s|(S8ywmHnvj$-V5CRfieHwS4;lYJ ztk~!^!j+$AxS{OKXgaq)d<#ZgpEyRQS6^rH!6O^tDP>Tc16hX@^`OJ$rY)?L3}6NG zrI_(CNSYPv2vjOg;NTy*&-9cbxDFc!**Tn5(=xJUQ;|ESc5Umby?^}L_b=a zE~^072#&2m8fdo(aEw^T0~=_dYbsKz_G|?#oiY*NgdqH*o~pOZ+jLXAQWoXOlc;EL zc&hkuCJh6lyumx46+-SGMQfm5! z4#w3lMX(eU%C0gbCoi+4#-H<=cQW$jZeZFjI_epB=7o_dhWx zz(?ADyL=e*-E(TdWu;dV%8^7WW4eE^NcjvvP4g(%Sg4dI9X5;4mgbU!c)PFykBl+d$x;>D9hIueP3(MYm+eBBA^Oj8tEC$fE&A*NCT;T? 
zpPZuDw^0agsB(>^Qm|Vm7aLjK4)m3-X_#9!x2KUqv5;531j=dmj&gY@b~>DQK)@ZK+6{)- z$~?BAd+ov2lSjkbuyUiHK5SLf77o;M+H>`)Tddgi-=Eq-@de>yx3y@v#+cR4)TyVX zf@HNH z81?VBX1`%1c3xu8!pr8j91EA-2EtWLXAE39c`BXjXHmxxp!XPa?$3!NXvSL&UA~D{ znlughc0U@$=W+p&=M-jSjNDx|a3CdJtg5mf{g=R=GsIm%!S*W)oDlE^i0rnC28`hx z*5Ur6!)gA??8&J1@Ws}TfUR0>{-H`Gp&hBSsFZ_OAZXmJWA?^l zlDgFI$9Xr0B~tH(jHoOIw!t6Z4lE92TF(-*Pm%<(AU4^UkWhqg%u}hei z+f&C7t2!kThIThY0rSZ+gsQ*P>Dz;OtHQTTr!M*n_Qb1D7ZV(qGpe>!x)V7k;FoM( zy9Q}z$Vk1u+xBoZX5%fkjO(b@1Yff&|GQ=nPgw_aflw=RTMTzUoBP{cf6*z!Q}*U? z|6!mJG#=^R5BcidF~LTcZZ#($IqIzC<GjRmF=(d^xrZL4 z6<$vui6zg{z5ZnHTS!W_bQ#K zCY@#9nvOZM#)3B-;pu+K^Rv;ejKF7i&q?ghHV2=cbu@(3d{pDJyHdukOoXDnQvW?k zcEJMHH8f;+dND5lJl8htF*w(@Xq|_WpM{YBnqTjO!aSjXC2EI}oTrq1`gd+Kkv?)2 z0i3rVXo!Hu^lT^yk|ORhO~okcvDzOV+yq4JKet=y>h}lI6#TIO{u_($c`>;Il>B=B zK%!S+9Ww60bM}{=qcDJ+wZX4Q7{k-xu0SG$*(yWZm~hm*k~$vMojN}T_E^*cTE@Hl z)XjjavJg0eLip7M8vr`24q!<~N-i0gzZs-wHwYW;BW;|>E8&l5Ed1+9RtMC88z33t zmw%D%w4?FJd)hSg=zh{vK-+Z+{@CCaC&nuqz*rCHS2C3=#EKsMbh%x#?IJ9-@ZN}0 zu$ub+^a!pbcaw>%_@oANu1r3*jCS*Hk05o;3LPJQZ*{NIo?_){(TJ_bB3a5~&UZ5~ z+iHtT2Pw~BpquI4-&J#8IH-mBqUxur^7=;A zW~N^>YVZ|S&1}&MCta8lz33!8>vEVo%7IDg%s=_r01s8qbDrbqDQbX&;M?Gzl5t>d z1Mq{g2|kb7@MD(CEKu-6N0#G#c1tr~LC#rEtFuw0DW`llc< zHRR>bPnYI&y9%+-p;C#|lfDreW7e+H7P^O4A||L@G~c~`#g7xzW(BrKZ4Xu4j-a=1 z#whTG;3XLjJ#qIofF$;^ZDmd>NHTD+y2%Lnt)dni6B6Wsf8YAxf!A1)^;(@x;`svr zqTN;d#O>3zBnvoaBUgUleNjg<3zy<-fY0MMlW>dBpW+Fmf$%+ELo|kWe^%Yy#k<{I zg2sSl1o*tEK^1HjtDVhXr!8b6vpw{l!+LMi=(ZyV*6Ayt4Vx z05fYmAbr1FRIG<38ORI9e8hwUhxx809nh|df+>(QrV!i8N4Mpkg<|$<1Pf6tTakpA zf4uTQ_P`*?-SzfPil4A%((8-et+;P5^<8JVUJ^*`&D|kTbkapW#d1h9?1e~Dk`RQ~ zVKMDc)~eu8JrBLZgYGQ}VtUUR#jE2B6vFETh=Y6(>KbhPCU%@Imj2%b^aN=wo$rMK zIj>rQM>0I#ddV>no=$v@fwl}^L*ne$sRC`w>xOfsCxphVXT+4dmQtSLT*1Z&JzPJ$ z-(QDO+Om%oqs!(MWbEZo{L=8D!6DrYsezBIXGFPhmk6n&EIisRTewAExEwZ=HR6V>>-`UrAJrt}vP)fSW{ejwhHc{Jc<|A)ogn>*v_MkG8-Qj+cQrkgg zF`t{7ReYuAXO5I?8mpO2pRt;k@}O0ey}wP&ygiEuR*i`3?rUHvGqmb%6uuJdoAF;AXN7>{>PN+g(+n 
z2Y=%;kKL;&a{v}#tDbHo;i<2qy2`+E3z40_M|&ndl8A^;gK<7}{mGG22d@C^fHH@r z)uZFRj_+Y}?M_aA~g z4i$GIq^A&8c=XoAiQ#-DGf|1$zP@&|@k~G_ptM%MRVnG11wQPIFSD1$SLmxGXiQLc z+sXcWGo=&GW}53IWd}kDi-DiNu)hu#tlKdtj2@lU_jKmLVXZa}~|AB}_Zu;#A063AA{W(YG5js`BMmev+PV zZ1^-goYxUQ!3wt915f>^j=j;oV1K8PgB$GyY4vATpRO{(2$;>Be7W%{%GW-cKwn@IWd8*};-=Qrx?(rhY)9YgLm2Ze8!bCU=AdZDh#J{LNYGMMc2(0K`2HXwGEp2mb%z`X>&oxZBr z8@dn%9JtRQ);e2nGnf!5H{~`Xw+?o^)T$YFpL41D{(3usR)N(FfIUsWRsW3KpaeMv zm?1xT2H}NbwH*rEDGOq)k1OQTeHQiH=A-9L(WXFvc2k z{`#wD#Ke^zp)zlKgc(RqTTQhIvL|>XigEbGV?ooN zse47ce>lb(eIQwbz88J2KgeV#7fn*Z#xy|Y)%MXqWYGOW7vPKzw|?Vgj5Jv}7zI-4m+eX?xv;#O&&&#Ub* z_Wr|L_AuM~zkaud*(A#aLE$yY0>s|3SII+eT#tz*7W|sat3XT$noP{>%#kIcns%Ow zu8Ue7c2lcK*~R6OObe8If7pqob9!I`kR&Q|nDL7}S5bDwlCG5bK{l^Io(L-2QpXo& z<%cfo4{=KzqT#@`(LshqKd;}XoL`mb?!&En&iJYkj-|Vp6&`JY$FcXDN368AE{{g6 zFVqv>#KLVqDkIppC0Lb%K08TWG%_98vZB5Yu47#S0FyV zLQqQ3h81i z@%-*RVg8NfO;%;?W^0d*RzYE}7EV1-pTpI`pKI89C15sN2lwgyriAmO$Jq&`Q=OUc z=wUsSHMnKreVDX4eSAf&S^bnf%(+AZLwvDlFb2;UwwX_r{#J6n%{Eo)(vHj8q zrmb85%@-nHA?@|qywoDWfY3LV1Q9c=Dax;Z&R5R(v#@Ysp8@`*&b97LweVyYeIv85 ztVRcF-8+D9{NTC6jGaqD+HW7%SGmYyH#U}8&@Yj!B{a!9Rr^=c3lOtm3zNtZ9%nP? 
zG2gv`l(r(E&OQLZ82*p<>;7Th{-c2Cl0>{(g=ed|X?7V79)FP;&FarddL`bXmr#|r z6Crd9`T0mcf$pczG6~rV^P(7a#L-&l1By|WILnqlzp(B+p_xy8Wk97o&#Cr*bd^Wk zoId*kAKG2}oD@RGL!Un6lQ_Qi`S!go$5-Tz;8w=^cLd{O?e7ZeunaMaA%yG-+1qzG zJK+z?UfD}j&09FsSr>Ev;=g*wGyJLiEN}VwZGT10!UWYKa=^~^jD@$nJ{RJ%DUz;U z|6;IVQ61@m4V93E(bk>(AU&I$F@wG#FhJRfH&tTHpqNaYNV-5;o$SSSMWL7JgeLGG zFNXNJZ7PyGf6mRw;Ue&%1~qL|TlD~F$LUya*FHw3xZRm81b$eeCUGBj^RT5S6|u^FtG(-xh8dTD@%VUpku5_C+mbxUp^Dc_qICpV}1dOES4B4W)*n8pj*9`>Cz3ILkp^1GN!Pd}%nT zJ~-%JZ3x_d4G-M6#G(Sf&{y=A)tB>!ou3weI>H&>P<~4y{l|Y%|G8nov*XH=Pg(_p zBu-Z{Nww%<3<{xC+Dd#83C%gTNzyoDvIbV$iA2MKiRxVjUV<*%OK~||wH97HsU-wR zZJ2&VCZ2m}#&ZvC4~cO;>q;WasW)?7kuJX*2p$E$;^NA5AtO5JhjU(oH;49=$~Ruu zPYlV@4%RDi%nHjn2HudrJyUkhb!$aZ48s(plP{b1#i$fj%`IcR|Kx2yiuwDuJT?yK z4sz2VK$pP$ZX^4R)%JFSw+wigXl&Pa3_`E4ca!6aN_M?`g?qD2U^+OSeECVuK>=%0 zLF-jl#0%#HB*MTG1rf@cdoO|Q@^*L{VI3|O`TmMmRq@bfSQs0~T%e@1e5?8mQsY>Y zN}u@siA^tOfE83zk^O7q-ohMLLo1q@yN;H7NBHpYh_e&;G_^&Jge38){sMMsk6D^qIM&`rG@H~JxgoECH<8oDy`==rDxp{MzF47dU>~~C@0KHuqd>+L z8%Za*oO#xDaR!Dfo9OGAsa0lBU^HeykBkHLg&SXAp4+VtBJ2v;(flhTnNUrKsF1kT zHz9D1QaAKg0I{acw(kfeAmG5=?vjXW{$u`E&X#J?l=1&%dq5`;gdPeeO&wfvsZE)4 zJz6un)8Qwv&;}l1Vp8p@A5^OmHwU>$TC2h_I|*&eJDa4hj{Iu0i1>bSsV$j56v{70 zvc)O1{5df+oo4KIM8hKoME?8@%NpV+RI~_O5o@PpB+o2oTqjbWE(Rx1l!g%TY@C_T zGAjo5C^tWwGnQd^H+)4m=2%W48(Btn*HETBglfl+Hn?gpR9r4wjTp3;c|k3gj*L)U zSt>t&QQv~8B{zK~SRmoqXk^sXpx0KG_%v6O-0xInP8IM0j# znvXQW$)?3v7Zt$5*b^s!+6MoS)IrcRPdHmDNI@X&7LnOipVdBS4oL6HW-+~ec*`CF zNs07dO@YeDTsj2=Dje)mTk&y>ePAPwaAA>@iH;hIrC(k{_)+|M8aV8*olN>ny;o;` z!ns550DWRMC%8KVJ%7}D1-SiF!6Rn>{1E^CX>x{y2KUEEcz#O<23!y3)*lt3ridmYX~WTo_9X7?dJ%WcmYjn$(eeFz zgJt#nca8pAu+I#LFywy_yh(dId%8=JXHQ1(4@?t6M8RWUBlVhifOELr#iVAEE@;-V zZJlD;h;!)dZkt)kxg5mE5{R$MDa-}*y*!4 zOcvLe*_tUJ!Wd7X^)bQqqhtJ%yIv6fONWseV)ZKB{!7h z_n(70=f}R*DX&GNM}R|fljCME;~y1>aKEm_Qbp=5V1}SHOCZhc1s!p-@xH5yE1a=a zw+l2y`|`~^Zqx>p7?ZowmZ?}p$%`i?!s`sMST4wSkPCO&vD2j<&gpOoI)1QYsqPk= z9W4%^^7~q5FUoDVz-4LYFU}s^9Cw?v?FB0)O?PI-u8Zva9(p!rFhv-3-*5n;fxe1I 
z>uzYzYlYzoN?gm$5$vcNxLi5Wm~v5l7Fq}8aGx=ovwx6nVK+nR;Y(HgXU5MxAgWGJ zhZ?v*tNqFMlS>xyt)JuQ^Fx zxpVJ-v<~eJT)~UYr901+9(rT|!Zpd=3er-!hz_S+jYpY>lcG-8_=$M~>B&rjP)r5T zEjZmZ+|{N;`v0iSK3d-R^h#>>&nw6+DD>XnC?WnYS)YQR+%v?B9qJW`!f#HNgKHSt zL#|W29*$!}rotTAeXLTqxtbRv%?il%r*rXZ0MFG%#*fO@dw`&DoFTPijHL!9|2wY-dgZWGx1TR_= zCL}hYz__P>rS7LZ+T1Vi@TS*#A2_delcHjZ!F0}jEcH<4wUd;K zmQ+^2wy(g^k<5HnWG07Jj4qmaMx0ixRek=AF9355AWXJBa<|c^o%?yp;U>V4fM5ZE zG$;e!LfL>d&>-%CA$4b;#fpy}eW$9V=dr9IsIubwWj@ZW-&zr*l5h%1V*=7!lPZ8yr6gh zPdwP#G4`u-%j4C~xM{K|^G_hk?yzpQu$Lc{gE>RyB{!70tm3_tyt?OQVq1dLa z^Ef;~c23+0+!9pDh%osVPo!9RPG>@F;AIbXWU9JdEIU}sHZiw6y9emT2Je)PPBrFM zj7^J3q`NH^18sV=UA9m+X+}Nw@=U{cStzv`4rAXo;rpzmK%StC)xf9f&-n7+eTp8u z1l{kaV)o6*sMHP|B{%JMY7N#J@%8^zJp+KS37By&<3JXJ!@|y=@DxPSG5I{NVVS`@ z_lKBKS0(6n{lU$o_w~f|ZFQhJJz}cwp5QifXeI{-hy(iGsqUluo;$|%-rW?N;q}hUnyRH`Nmo(Rra3H#wY|36LIzD z+=01ou@kc9W4^OISiE-K{c;;gBwxi6a^0#t9lRJxs%?L+UF9hF578eHv{_Hel>EzB z9aq0yrbc{i(IBd#?8c^$+qoA=gWIUgzt8Cz@(YZxVyXl5NqsdTu(bn4Xz*6<}zr*If*^8^(bt=S?CoPe{9*pM&TP*WBFgd9h|ie& z18 zvSQ}nEIN*hd^=HJ=1KkcNPMeN`R`U^&fYX!H&U!6U1k%jb>(Ki{zMLZ8qU6Lz^kiI zpJlF}!}3iHk7f9z*PID#hjTcpN76-MxJhdlI#r*&xcYD1=kI>w$_LGSE|?i~UqY|< zDQ{{Wn9aX-;WaDnGsl!MF#u|KZx(OWc=HPK5&+6eDCHpp`1w9lo;(i49Zf>`EP#@u z6jZ=%;xd0Ryi>h!BM6pKyQ5xADMEc?L@br!HUvCXG$zcm5t2!lMd$Z5 z;pOv1VLQr^@}+LBIUJSxHBWzOE1nCKW4Ukg-t)C6c*Cl0AlBNKRR}R{GyL~)2H2VmxW?(nH?H}AQayUbSuDJ} z;H4W-y?qnAQH|4Y{h@ufhAT21%N^K+{q*>il9@U=C@q7LEO266))&G$~-3*v)t_^y7=|{r}yk zXlrOoX_T;{ z-;s@+wkqZo=;h4jl>0qgJfQQ@He#WOdNXaQ*IH0IoC|pZ@HFV>Up&)>E#)h+B(|sm z)rD8w{Lf+JV z!H-QD_5#ZKzu=ExwjM%;@lJ?62^7d-3yb2v{>i{(<|;migI+r2n+! 
zvR;p|q^17#t|}31`Hu9CU;DfGI)&>?dH?QUc(||88n-$K5Kx9(w=bx&@hGa8*`e#b z4b&5cYd3iejOLEYzcYfCEpF|-#M#P;ftpzkHSzt+vr>HXQYUw+w_%U6UYVuaAHEQM zT99|O?2}w=@c8rIIVmh0`ixGt*yD&X%K6i%@S;Z5sdEZi0>r zo-Io{KVjI-VhFi5`HbX=VPiJ*J3Wa;!^FFr@nx{O2C;B(T%|j`m=i{Tpx~D8?QO2t z?eGWu2jy~ZT73?Lo{JeyS%eolLR^gE0FBAaNz|q_FY~juK-mW^FmF$sk0&p%c=E#Z zxzMx+$Wn$rnd9sxRVsXz4s`>*`7bDP)4R?1%uz~U5mHjThe9;IjXW3v2+LEq2hlYT ze`5u1r4?n$svDAIDCdDpW($-xe54g`J5h}gWqvR{O>B{kV{23`@kva z;+cttw4r^&y*+O7#SV?=|5(R zfA^H_On3I$<3xGXW@ycLAFX$&a?TiPgh?!9+78SMy9fg?(EjmTYa`yex~s`GuX*M! z7PV4p?6rZ)+#ZO9a-UI57pO0nK|9@^K$7%lM z=Q}#10b;lURBx`$7HY=fjmtW*IdkqZ>U$_}#WG`TjUc2dG(YYTr zzx}p(L_60tl{_9Z;Xs|r+N9f)!RKINQMd|XfGKdvRxUZ$cSu*__}8aa@w+u)0%dY6)}Z?psD?!1?nhr^iwBHyf3^Jo{6(0V z^1By5$*O?dG00)@tJ>J8h1tVZ;v?bbUDv}KmX`lCJ@6J~uj%Vq%U61k?z3wty^|Pn zRGLaY+P2G~`a9F$pP~}tuC5Sz^{PcIn&m1}h|6+#9RclZgK}`#w!LxRv7 z<=~)AeHh!f7LLB8H`*OoK46|c=Y+w`R3v6F6pN=$)?!l@dJ-}@IttKJtZU*iagpP80Y|4x zYY1qQM#X+(kplC?i(kE*EiXXf^#AW~Re>lszPkl1K%X?*YpNQ}ATc8b_TcT}C15UK+ z>#R2J$tHO>Tb~Hd@*LC%@*ovDRFlpbA*BgPoh9bmgPv0`kH?&J7mn-OJQdrG92L2P zdeaYN4alX@aV+BjKli}-<$xy!k(WPWx@^+r zg3e{L35HJ{<<6XP0+t0yS~ygb-LNawqR+j0-!Zy|y>gL1A->+2!wzH){|MEM35CoW z6W6_G>)N@6gl-fEMoUL?>-=zC-$(Y3(AJrqba`c^VapjzCTUMzn>Nn(cCXzpL!ID| z!L7Z~RhQl8^_TD64?@p8e&E!+9P}~aPopj_fTMSDK6`DiI)&8 zKzZ8#vLC{{BApMi$!pF7T%(JmvcFxU-HaF~Q)`odJ%x^SFO4+K>OHP$PH>m zXaY2_(gXm|kAJ+2GZs_IKYHNlIsD6=i2jM7?0(u?+NucMaMVTNv_2sy@5TFA-RqJr zD|5ah#ko~kT)M|~@t|xYUi_i>mO*`XpHIBLOuYAs1xPNUr!RZqH!u*&ipm90z0)Nb z)rz;#Sod*H7PO`5^U96U%aM#Nk(l+O&;7R{koQ(spR`2Rz)$gO`}3+eA*}IMce2#n$PTWcr{j| zE^@2Xf3P~&csV!hzQL5B>`4X-83v&CG2ZQ2i>@S{YSb6W_A_HTV2$s zEpcCD*=aG(;L=fSp;vlOaMvBwFERkz7dk&2y|0A%>K^a1yI&nqo<18$s^UG~xapnG z<@w;*08P5p$U_jQqn??EJYstuoy#gyvVt~7DA9d?nRcK6MyOk(`-Y(I`xe9(7pFon z^R|Vfb_`lQ2!wSLkLgEz@(|NmM(k1>%9wXK;!1)*@&kqv`dO#5DrCJvCqtUZkpEu} zzkO3xp`!4L8Q8=aTN*Xi-jkFcvS5}Nu_o652RCV7FlYE%q)7Q`PY0{bSJ2Pr7Jrg@ zm^<%gvoZ5&WsSp!uHfE>2^RG(WsCoeJz}RNY@CA5>@ygW@DY;0KeEnr)0|_UKby2V 
zubKFPjM+)Vjm98L%YbY5hS}2cTwuQa+(~>3_v9BcQ=F$Ixp4g!BvlV>Vgo^veq-h_ z+;{^T(U{1rM_<~vO{c%oMK-<*hHC&4t%B`mV!%7N4^H6tV&?10E^47<=diVH*w&a? zz+qoKut0I~U7tDvz4;FPf>lpu-u$m>t0!3}wx6pcq^d%*c7tuj-FU%wKUCNQc z)bDc3oAu`F{5T1+5r{Kk)IS$<(|hZp+AlXn8!0rTR3{Vus29LgUe-|##C zwjn;35^Rs&&XGS=jeb)xB{^7@?TXGtJCa*gSkgFti?%wsvNd#36c`P}g;WeHpoQIk zrTXVZc!)TGYjr0$U}c8+2Bk}UZs+P%if0X|yv5gC6!@Nn(D$LCUv|4Pi$D1R zh-iu)EG-Zp4lKXSW-JE6qe@hCir*(~>W#F$A$>yf^sWDk*gK&-qc>GJkA|O82*eKq zJMOQKdJj$gl6`cTxGQ7lL#+6Hs=ui%?QCBBPu--fj6YYLttSA$?f2UQB)W;Iha| zG&vip8ybCie$=cT!CR?bKzQL*V4i1iy}K!=ofT3t-|~silaFz8?qTcO`~6)qS@WiZ z2JJUrlm7Kbh(-lL(0eF!W#ura`l6%7NLcwcp*$SL{h2h1^8EZwt>J(G?IGzVRo)LS z!#N?+2im9EXl)fsNKVr%-E42TvZn7q1k!LTl~=EQQF;Hz zw1(UNIXen#y1`Lwdnc9xAA(otcJiUuw$VZSQJS+$H;dNWd+lwc#8t)=DW2zESXL9 zil(^^njZDO6=||^!;gjI&!}LeCIj>9F_*YZ7;w65N@b^%J6aC@2pFj+t-7vtnA<$P znp+xn+4E9)F@gU()4=Q7wDi!uL9c|1iIFA}#>+54uS3TGA|b*TzE+X5F-fq~Q(Rc{ zW4k^l8Q3$|w5{Yd=`;E{KiO&6kjZzQmcx5%g|CP2m8W1^+F?%r2w3V6vL`iDYKv~|l;IHS9Pm1Obpp+DXkZMA zGw;gpCu}03E@%h#zdt2s^StT;*x+mTyIICiZI@nPAQObaxu)_BscFbl{SY8tItlNu zKP5jo1^mt`CksJAG^>E?ZfqBFA~S81WM)6-g-Tc;MX-8YkvsocBj#jcY`hMnj}!tM zkyC*XMY-u$pVZfbiD|R&iQFV0d(deI-Fl1??Sr3zz%C?vU~O0yegVM&<1&y#c>86a z`wuJ-@Z;biSSGh!JI3>x_2H{`KYNG=lSPyoEOGelshT|)z^JVTL{Q(C1I(^s9)u>J zi5V(@G$GHe@_OXY9&%tYP18FL=0G5m^Zsf7Oz3)Y<%!c@r6@~>Ps<^{ml!~D)Q5Bq zX{?J6${5!tmi;^VH>ErTF~)Ei0Yp%9BazDk;hMMWgMZ${BFJwt_h?R}&VQ)aX=(gF zRWet@^*vA1O}c)I zk28|Ah#yt<)RG}4CSSn!NUzD}BVWG?AgX*dpy~OQ@y>HsbvnKeJcs2*(Wm{&h$YGO z&r{4~@3~rdvyKmLTrj$X(phwVVx%v>ve#*8V`XLSe-^8Fb17+~FMuR+U;F5L7_6O( zBR2T@_tzxNq)z8kv8T$WMj125hg|H}W0tQPFjx#Jxj;t!fZ}lvUpy$roZC)mEXO1vX6Fb;ZW9#{*ikt$^Pb!_jm zIy}KEL7t1AwYv{y$M2*}QcUuY^}58j7Z<(*R;wo;52)UPT~?IYzVo?JAO-m$l0GBP z*h7*wdS{4-ESIXyA$PSu#yn(pUtZ%$=W7efidr|306lioo2TEV@6OCaJs4fTYZ_uq ziuWr4JIY$0aHo4-|5aZ?jRUqD=HbKlJ%LSjW4(NprcE8nzzda?O@9ik4^+pW!hsaA zsEU?jW9gj+^g3{uay!DvsiCW@w$eZ_{yLD)1*Aso{z}Y|p>M$Zr?uPtfi*cjyA=G- ztZuzOVGp`+->(5=`6EE!kFroR5SHcs?WU;by4JL9s*B^%Eip&>z>}the87Jl5)CZf 
z>%4e(jf*PKQ{UA6X)i)Kn)MI-a`bgzFW7sh^P>%=n~;<%)2e*sPk{aOT=AF&S{1TzS*q}7iU}}01h}EV$Oh?%ksr~4#UhaLiyz2Zg#)wV=Da|MHPO14<*KDRDbsB<5aSP`x(!RO#j>o zHMyd~WEhn+6ATqdo`m(^mk&uQQwk`n53Up6)8cFY8uDWVaxEy(+-8zh0?pGrt5vM&M#jJ1%o>NY__+hZ}~zkYk7F> zv7_IMcFgHLc`eF-(2AZ-c{ziE%4-yG7Jiz_=!Xaf)Ilz(;IP?QQQgXi$1rM(1~tFV z4`2J7f%-1GXiHRwD6ANaWjwFCC?a*6K|){u z$w1VR^yBO4p?q4JAqQjW5p*1aPo?QVfQTK~4_IFR4S_$1A@mB>0vV!_5qID~jf-IS z|0%*O>s$2!2OQ4?d8$RNe#U7aD^!rw79aGy0mL8YWytwoNB+P9X;HcA5_6*b3EZ38 zfUyr)vCQ$U`gMqJVI~BAAq5o6uGh6)5j0V#v#0Wxz`m#N7PW^WW#2v>4Fev&pa-K$ z)gte=hJ&x68O?pOj}95>kMM>R?X-q54Ve)j%ar12kl)sPiws-99*|&Sfm212wVkCL zSDYXJe{{WfJk{_2Kb~Vo_R7dHDw{$`azv=eAsN{!k*&}<#<7xQoFs&-WMv#=JNDjt zWIM+ej$<7h{GML>{rTO#fA)`#o9kTHbuRZ-W-{I1Z-98Z`;pUv{e{&=N=tvw zk}^L)!>&^oxtGb9dl8v*e^$^`~T)9=78n4fwUHFn>4BljfO5djg9B ziJ@gZOI=hE4lKd)1@;=48+y{}zTSL2zXB+Q@=ShIx9Uxo0DOY_-vg9L8vRz;Mv0u z^4;uNG?5=7EIWgE6(n{A7EvvZ+`-RWjf%;?*5v^JW&m`)D=>NPTIeNz!=gn&1q==2 z)v^pqW+A+cIi?KVy~Ao=Dv6mz(2_PsnlppLhC7iBTCN=h)?iHN*NSKo9(pzsshW}D zW0?4=!H7OhXvb3fUUqgPJ5dZ#+$=w4*UBH*>KX!L6o~L#I!|^TV031$ZpExym$3;pjh6GDlQjI!X&^Vg zcRASXN=;kl+_fB6N8hmE{=0gZ2lD3ZXSk??a=W2(uXSNS!`p-%JAv4do=4|u(e2shAQ0CLPel zh)3Mvp@vPgIC%he<*htjlGxHJm*#D^a_Qo_8#_7v&MiqyY4f~dAgf$a&F^5FPku%e z{>5>QqL7RGM}qSxgVBgh@L)xK82ic%qXzDLQQUo20#F609!N=_0hGFKL{;K^0K8H_ zCF}wu=M4hs*H@rbw}AO|;ba=fftg?r{k1eY9q;gDd#`|Y?NfECXd^J0B zUf2zYOXe9CjiJ#THF`$daXPzJ263{tv-^~}m`b3dh4xRp?!EmoR&c)C;H^j)y<)|toNTm zGdxRqt@!59tHIZgE23$3#!7pJ`1jQ3iwdqATEuAqt*&}A)?PZujT71KhLPGx>|8h| z^Tp%km@UGf7W1N2Q^NlN^?kF{F8!cY&f;sJ7)W_+&4~}Y&tv730=_3=eFx9s7tTQV ztxrDvi{wl~41EWd)?Sm6(_;Aty1|NkT*Jo7%^Z!u7&vUzLlc&+)0o>*;@*;@1%^b=8VVpY)*IUxT1&HPLpGB{NKQk538uc{`2xTxF5Qn-SV*1Kgf> zpBS!4tAv2J{g#0*#=Ia{czzVLdLWG+OPXjG|GB-sPv2u!jvA;4{MdYSZH2?Fn@%hOm5+)76Sj_8 zce2y$*EgR<{+zQQPR+c7rZT&bD;Ug9zV5xE7_vH`DVff5+tUqQZ}9Dp|sY+r&xKsw1=?8(ZJvAug*lnr+aMKqnrf&k?(X2R)egSHZMzEs0 zWbx@y?P=5&(AXRcBvQ#J;M)ZLC?MDJ<-QaMDf=6lE8FO#xQ|y29rkby9Zm;7hMU%w z)=1-wZMlCC)n^ECLvOO3Wa^SL%KDyfYWYtmn53Hs7WYAvY*P!RbGE8ydz$(yfM4=I 
zJ0dalvy;@p_dVjS82jBXLDWLrcUIok)Ls(1dM(Lhz2g;!dJtL6f~@36<+-39N)s3M zsWr9tC|7F%;7%#(1x=Km3(Q-$$;q*z4F*b!TC>vyU7JZzp(8s54fJ74-dHI*OQ|+= zgn)UU^iPggvp*a|=oeQP1PPMkWF~v8cqW%^I*xy?!4jVros|zDgJvVxpoAj7hlVd( zFgYoeJo4o$H~pfWC{TNfK>^&{#fp;Gp%|Ux%NOIY9(dBpZ<5ZEQdq?-_p62D3)FRjS9|b1tRKsYso93!O z`N}@zJql}LmB5X(3>0nMqUDsyI^hSq18?X%J%JB4S?w#kl;*ceGpvJcoCE zEGI1kX_x1tpcy2j6n#Llh!*Ur*|ZW7r^*RnksESygTR?&&J-b*xQ?28iO=OYchbfu zx((caD+qeWUsbSJj*UnI(tYLKULGvOB1dP#AcXjdXanPr$~T)lOG*(Du2B~MoDAB0 z<=x%ZEU7&@J5IE)`;^1A8xNlZioB^EpUq`cBCaM3W^JaN4As7YdOG932GQ3E$f7~g zChuzxOM{dgUZ%HiR}Pf=R7FC*6wVEba)wywCTxT#6ODX>beMsC>cyq6PVo za*HHY%KrW3g%LN)X^fx|p_`D^bCbv5AuLNj>6hO*ar`6Lk5EF6pk4?vU)pT!PMhY_ zI&Et4tw{6(rBHbmIYLRd#)0uUQx~bo7|YPuTgGK-r^N- zBx{EAdr8+Y0*eUQcKeI&W$G|LE+JlscOg2KvIwYmWu9#^ztYU;1$ zZ&&i*EW07yg`C_Ic!hgj91j2hQ6UNhtZKw*x#e||oY-OOz|v@^O#s;kjDpPXz8xQL z`a+M7_A`MFLgSVid^D|iTHamYU^<--f_+hS zowv)$GZ5-)JVE9>;~7Mm{XOEn(@QDoXoi>Rb=IQNVuDdAi;PQ5;*hxbQqFs3!Kg78 zHznt~VZ+S6bBN%KWXS!^ZEZExRus-FhW=q*U)FurN}s1R-9KbxE>Uj&jfVdCrWBNm z)TvP#tEYfF?fFPLsCUvlON{IMS%q9a0@Gt1Fg^Y@8qvr(D(NE)qE`TmDGrsFkc5kJ z!SrAJwKt01{sdy!;}Y{AGjESiUVbkrpL;HBWXBSumb5A?_ZQ=@H>oU7jUows*hWx`5UeFv#GMnPYS|xTrNtg^{%;B&9OsWoBUj7TyXjw zp&P}|BI|Q*L+8HwLnCeQu_XP3if0ihS7|OdnR&n?^|O6U0kDtJ;foOaJm;4wVUA^l zy^Lpamd|pvC-o1OpsEyk^ot$NYIzZ{zzAc-o8Xe&#IYaCF}$~cUDNKi-cM6P+y)bG zr{*#xNt(XW%5V>KJ`~Z9YsI7Cy%Kgo5SYF8^GSy-{pY)$g(%} zSx@y@3VE{^H?$IHiR)elI!2;1JF9`h_Z%1t^N8bccPjf-ZY~9& zNCFL#kNgg0%XEAt256kUZ}8Fvqu&eR_l1e_MW1;kr}3xA=3y zLkykd953oYLHvYeo}fGJPa94)xWtjE%~my*8by-EyMZcX;xYqpqHo+`@C~{CRbURF zc}^<%+@6Hh2Ds_=wiV21?YFx5pMC&itXQyi3o6_=<>HLct@?7pb*|Vr@H!WrtHY51 z-3D+O@8%Nitbl1K`|0Ltill1dAEhxUo1bqZ}?csEGLHzb9w5Dgn4-! 
zSEB{@bxTEC`2wXDRC6j(K4R;B=`oSlj^b`5$Mub}MDVhNt95i`KjNa?SEiKTl&+mB zb_Bo7FYH+7r7i$Vq$Lt<)wKo#+P4Grm)WBnOSzodunZ{7Vbmt(V3N%U&p zOg=n_bQ_@(P8+iv+}##92-}ZbkeiQuGg97-e|COJKgQxV2WKzHga8ac5#MLn<)NO_ z0YRiUHONJs1b8ZD3)JkFMhHT=O;s-{4n|#PMUuSkUVym{$Hn_jIofn&ymlp*BFF7y z!M7Lt-vISN4xi^m1-42e&p5Y~*TMyB`Bfc*Te!#NgHTAK=g#t-vzEkVOsHfAP)`~* z?Xzzt+@U(h^I=>TD9I2ym&Ec0c-aS|4bAVLq3IPM$dsRDCa+>K{%u3~S(TSq@DrRSa)L0J%w){?+o5Jf^5_Y4sT&wws!wLsz2&9^s>pD;k{ugt6WI-l*bm8 z$s(e3=^3>9=^Nnuhux#MRr7u>vX8(rX~|!d>BI{E%-%23)SFrG?EB1-Z^HH900$Dm z^?VhXk}ZrL>tjE<(Ql`DSUYH@yy6}AKNzTPDeoLR-*W5jVIi9B-7MD2`!iUKoh=3T z){sIpNNDUOwv?Oe`%6B?3|%UQ+zm;#2S)WEBCcUsyRjWXo3>q~e5u2ew(W=@$g1*I z*C;GDZ*DfOE^~x}$L@v%H;G2UqK1ngj~aq{aQQwuB^XbO?v^sAv5a|`YE|Q-^o^8K z>}-DJqMvg-D7+gDFjOHL7b%?E1}ILyurH)9`&*dE+Z?>-RpX^{G$5MPe2(pUvC`(s zvNbe(ld1pOeUFFuv0PT0}hs`Xb!_m@1coFh4SCyfXonyl$ zxIOgy&G{&Ik!i^VgaX^AjDY-jaILQkf(v^B_g&Ni#B;s_%$v0u%#g$P(?=)tFPp7n zLdvk6dRGUx1f0@ar+qY9dZ*#+3bxg|K{NJx8GXpjnou6t+Qay%NiCE7B5JdOqa+!J z1Cm!qs})7t4FYef_c#-e>ue)-mGX)vU+rK*1lxT$dQ3FagS4ym%_}i0naisAH#lk< zsNFW@kSXZ|X~Q=79w~iaGgMJqZ>cM?g2rPeuyppz+`jS2Ou{L!0NvW=hAb~+h0A4x z9+=GHCvKlszmmf$g!&+_n_{))?`(wnnTl(BVda3^oXD*}YM7D_lB^*-opJ@c0poOw zfhFrnXwMp|)?5`70Gz-lqOjJ`N=n@YD7G=VbR6hGGL$aiJ|(9M@=3h} zoArMSp&7u= z$8r<DZuVJx-{OH8<%NuV6Q?^<8T9FkCg!|$2ffKg zCUQoCTn;`q3bbR-Z^Gk~*jL<(<`LR%892Qirv#nU3Svpw1ilu|QJTxX>Z6^FEBO1{ z^Cu<)YmnrFW);rmX)<*NDHGGk@5L=Z4|hosMq+pCp-#Y3^fHtJ6SV8Fp+R$Dmdr1f(CJt9oiI^*_G!L3cG`}u$9*`uh z@}IEzA@lVT-)7Es#?2}K!gFtG*~Uf}GL3#VV2E!_#9JM%s+R|+Jh=Bm`eI(Q9}#0wLOa@StBd>q2;33xZ6VXN|)sN-Oks-B zm%F-6H`4dto*`b%t0hvqZK%=@oQ#^QZl3J#%O`toL|x%r>B+18I}4zEvM6j#(@h-W zlI~3`PVV7w@v#S5V?b*zTVJkIwU%E;89r5L53Rj5dY@@U=D*$S;>#qEX)Cy>(XUL{qofP; z^q<{_1LzyA&>g=)^mJJf&BoqTPX3R~RnTu$4_vtc+7y^4HPLhY^rAjoAIlw=D9f)% zYzhM#1Nm?yhW>;>4yhNKmPfRl+yr+Dh*}IqAKf^w_Gmk1iF`$)c3Ch~iRxoLw4jQDy&5%^Tc@*?w zn|XI}D|wx;=G@4Yla zc|zP_9s6>GIz2?mZ?gaQ-gHy=gPZiZ!OHnERa2y(sD>3}>(3wyROeh2Lt01dggi9X zc^eRpPNoi@r3j*Uu~zXXlcYQeFiAWSe_fkt*HW7_G4V4DwU#$O1O-NyADnY>fh?sL 
zJf?59pJ?zXR8s;-^nfV#qP&@F`Dd3>+BIo2X`WK8T^XVycdj%-UU+< zPpr%u4n$0rnRjJLXei&den*wU@;~hBZfJ~z+%d4B_A)kpc> zS2q08V;A+uKQ*(qvMVXDZ+Ceoah{Th_Z~@j60cYOZWmlQ^fGa7gqBZeZ6uJsqfOI1 zSn+yBu!nD5uI^0YRyBFuZ{aM_&=|lEt;53P5ls4XY|jHC>Y|>cbZkBK;f&O7tc69I zH)i(zzqC%t;h+Tlt7P)yOP&Vi);z zt&xPc4Tbn^FQr}cQZDhI&*kE8WLg(~uD|aqOFgTZ36A@Ks&QP9gN2kXsZ{45YA@L^ z_f<=L1PKkO9*vaMsQDc2r30YygG9wVlL9dKrdvwN-`wt!&IUMuf%Wm>+KX3~F(dyn zK@=Ep z5Gm)?pNhOzmg444q)Mf!4By0+6r9!=VtqT%k1TA3=&oFrf3D0e%##}%5G?D+Av==8 zQ+^NKoxC;2%FXKEL5uxDeq#C15X%f>bqtU^;&W??#0f#-gh*p+97MGQmE7GKzJ?)v z8FczZZ`JGCH2JlAK2*MqC=$`sh)_KsQ*?KaxGNJ@-`LVs*j%F6+`u+RavY6ZtS>DT zSQi~^<3bcppE2b_08_qFL9G~&7Z`lZ3NNDXL>ezJ_r&2lnQWVO6-#;raUw}M{HQvp zZ9v3Uf4MAggkO%2Qio=Yb%9<|<4M57kjH$4k};N#GmuwWMa7rR8aFdB6%P(NcJm{- z&O1xiqVH@bSUTPm6i$?!q!5OFxxYk>ML(i5a1!sVd^jQqsPZ9W*(by63dcu-DZs|` zH>LXEDNYa1EIj3O>KSy)YFX+@T~yf?y_hlL z6umzejAyAih!&|nt==3Q#0vIp_#V^HF6;}`$iS}UwUK*UnA?kwf1N2)HgS!!UXDQd z3SiD{e9R1pmUoS7(;pF7j2w-32+-S!j`X`2$yIewr4XJ7(fHr(&_60n??Y`cd{FM#yeFi^hH8nd54a7V_FcDJ{9krdH;Orh6u$+OxE< zA=u3SRLft`=J85?J8LDf_9O=UV`=@hf#vy=(ZyiyS5$d5hpWZEi#i8@Mj**%Pv_cW z50WSQ8&kr>mv(j{UGUa_kEW@=cIG+XHVZK^svw0!lH1hOI7TJvbDtJ8SC(Q>{l8!P zJn4-HEj86i*?u%?bz(Q!;u?-}ZN5%P)5d5(3gBD;E-3oDWxz3oXaS9@A5B_&hu>Q) zpx0y<{agp@k&}>yjLUH|rR0k4OV5K+7O&vC9Q&a+wK*tF7v-6q%+H&~e+b}0XMUjy2M&;AUm^W7qCh$0| z-w%$gOpk?XpCV+Ocrw{EOb+T{B3-&>AZJ3idw&fe7O7Nzi&?2VCq;%Hi|%AT3%c*bI4V?xJ28%XX8f zwW1MO8^PFcAIm!UF4*x;ZfoWaqV6tNZZopRytXl3=WA67QeMfa9ps_ zt@LH_Xd~5qgP@;H4(8TI;+gRjCx?bRX;td|qa!nZ6nMjlA1*&OkH9_O%}(()hjXP9 z{r+oth87WD`-e$!cDWejW`?$ar^K@pxE=UFe(o?@VXZO8tr zXllx zya`p*lGKJF>1Mod9j>2P#5VAHe@22*Z?)c5wVC!1s8+J(&np`c*{P-U4qX4i-+2W& zscLw9bSG}DY)8ti3Glc1`rc2L0tSG`mfy)if~LOYxA85SJBvf@ZoleV2S~V_`B+JX zE|L@o&cLG(iWpM$Tt(gHSJ$?Qm#1>y>TsE5$`3uaT1eP>$(XHUrmZuM7rOrZd^6#6y0LHbkV3mw@J@%>E7K&Dqi=`H)U^&LmQxO zl=RCe@8>3NQFxG&ksz9pey#gM4F}{&1{Y3bZ5*R#XoJ;TOTvB#D|n?_Oah*WAP7NC zTK%6_lV3o8V�Gcm6yb2ZP234Sf6>O>Gc@F+bnXXLWIypbV$Yk{=LlxgqJebsqge zwm$ZFR{YhX0Y!%&jn6LwBZ?Znne}8jvd23e5;(tZjSCl%Pk4U^=97#5e4_A*TkX$B 
zO6&84n{Mm+HlyOg`tSF;+x8t%xOWzf$=jdg$8?#lLIl@WMG?`Glc1(11(cK8@kaRcY$|QQ)x5#8IQbIbP>ox0nSIrx$uj&&;pXP+X`*@w+zm zFP~`^mpR;s|2@tBED`eSGSiiVlJj@xAzAp}>yJ6Mk*8V8lFD{9yABA+g@>y}3+L>{ z5#iT_?n0*B!JgQ#)AVE6v9EL|+o%1L2i^R% zA4Yn{*LXb-gO~cibP693r*(;L-BHNpllTD8H(JVkb#@*Y8SP4K!0*^=-sHEe7B48w zLYD>+jdE$3V>4~er+)7=uk#8llFw8wLS?d?eLW9~Ee6}L+UX`O5vjEdpTxRx zK_OAgscn+E7K#Ws{l*GYA?3NkBPnFep;MR=tZ>g@Pnai4b3Xy{^)f-!=nsRz1nQke zG&Je@c_ESu$b(k4;qwNU>O{0yek^+zWrQZ)5);F*2CoX%w{dS%gvb8+L*xHj-38}; z<}xTczUlIW0h8J&?iOxDg4((lbW^RS==KJ?bDa4H)gWd*m_L8CPh{-6USrxSfMG=D zM+x82V~0$1A)<6J{_(wS=Gf~oDoN?cbJk`R&akwPEdm^kv0EZX{pBsOq_M7bhSw!i zdqv4@3yQ97l>qEe&bqY8i2h;RMiGzXq?UOpa1j`J^IG^3aUye38wq{R5C{|MDjKjv zlx|1$M71~ekZI6b5JZm{>zI^qqMdyPh-*9>$#C&*nb;Y2<-o*=N$#oJhkLhn>bv50 zlzcC(_iln8N@~a7o0+~qKA$JElJ={3kTrG?u|}5`RXX`-ulr?^BqwNnVlZ=XfAgZ+ zu$?}hH1vS&L}T1`JKlt(GHZn5o!FC2Ndo@O$bd{?;2OBZJYJ-4PS_*2dY~C$Af<8-HzKTL(=Z zuGeW{{vtCl4 zF;Kg|utXp|5$UzFBK_@yLMwCSqD9s#lpytqN3EL$TxQn}WjT*mX^M{uXjd|cmv6}s zxC($A1h3Z1zBFqkJgH$OTTlPK6NEQ|fM$vbVUD z)qg}^e!BI&^7Wq5m)ffZf_d#~2n%ETFMtV?hzrH5%+YP>ZFmkwnyf499SD0$^&-CO zkev{yVXvxsDH7T$t1LVtLPd>8LpoI*oMDGE#RqoweKlRQM?GUc5aZ3sQ;p4s$?7>f z8=7mV@(*EY3{UT$P&Xnp#Z{fP62HS>x2dmQ=CK$u($$U>CH0T2J}0=jl-$%y4Gq(n z)i2Hnb}B0e7X6?w_EJZ+cMWcsDE2zP*d1~~EEe2v*!Pdigo^Cli)IV| zk5pJSJk^wB{(UgNy{Ti&J(q)e9h3Z&lPQ_sd5~|}5&e$_`UC7M{X@SMhXY;n5acp% zr6@ARx$ch_Tc9kAG~y~9{5+!R1>i6E)-{Rqw2H!$eP7sSgNzuQpu5$$TZg| z!NKxip6?d;X)Jw9Wq6`>6q~ zfjo}ERqo|b_V>%3Mjd|jqRT`7F4~!x^2n5=rx z3vb>)j$G%!1GyR;$gvXNQQT^5AJStJ!Sm1t^5vS@-h7nXs_aDD=zNV}IZyiQH`8&r znF%j*-$aj!)gSNe+kf_Eh*wzRELyo6pD{4SEpz7`zmZg+{C`^K%0cVG*L>+p6cM-e zlWL=WNKQ{ocR*zf6L&cEdCETnDYk?iYuf%K-$sQt5ua`)sY|l#$nZPh6msys9KCASBTZhYO z**QKJP3fr?af?bP3trO(Mt73&pO6cqdYRhk5lU|@Uc|kDcNTk_G@7EyF(0~|S3I^n zHm4H}7U^l&mKHe~Dk$2%gicp%DAF+zo^D-6CwD-m(@ZAW)jM`*0TU6DJ1<-H62UPzfmrnmuE#U$BR zp&Igx)A5F__+fWV@Ic-4@$>pOrBgxqUaPv}u;}6WH3yB_L;hay)fyI7NonN*a&vCw z!vYSv=FF|vrl5Q51LYy$J_^`3@O~kJmwj>f$tz(F@K_FV`PC6kZ(j&;w^DksCxeGb 
z&z%p!-;ELt?G#{=EDK;}0gbKW$y2sJ119?@J?iNb?{&R*QM(jT3SFi>Afn!Z&G00`EgO!u=Br~dy0o~kO z^kfl=j;b1famO|l`cBnfpa#!W7I&><5Hnu$d8Y1X4AhN%l0SbgI2u;bO<;Mh9L$BI z@h!y&jxm9UZ?-m8iE-!RyC}$P4F!&Bzal!tIBm*o(>t~` zzX8#GflX@?tJw-U{N~Jc_ERdAR++Z0dtjq-@r?VCnRu%GhXu30nody`H@C&6c;*94 zP69nzB5n=F5d~Wr-EKd{K3sVpuG`ejg{AvFFl~^N{~%hr_#DI08y=~*M>hCXCh$&N z>uR;vpxKQ4H(v5fDm9Q7qn3=0rFQ86FOl;b|z5bVt_y=yDVNj)PQ1|O>>#m2y z9rOew3RHbACqNL8)ZKEQdOzbm?kME`BtzrNs|4Y`!x5R)(VwEbSpMpuDICR@vSz6N z{$lAs+j-VXXDQ$2`-OY5fjYX3v0oRo6Bs}>80R& zXfJx7ZR%ja=)~?eLS?IQzwh&}p9K5eMPb_`@FfXcKG3p2o7*k*37`}x(iG!3@KctQ7)ZGJ zCgKq5ev8fw$)k86Q@N5AwOkionxgNuU$`zbq%-Z3LAk_6_Q z(JKDB@^4nP;pCG+1?O~lzbvS=RDj_|JaC%eDBTh((}T~O$t;8o^%6elZD-z!eJy*(LG}|m z_~m?K`Ny}V6Zj0tJ5cYW@oJEX~m;b3)Da4T=y97;O!An&?H6bv4FZigja66hPK>&d;40elgl3 z?AvLs;x3o@({$fGHGh1j3l0A0+#a0BT#e+lxS5(^AIJsxEdvGn&a|HY5zYPs>ynN9 zAN)i#izlV*4;&|tbq6>(RGc!c4)|WX;n;3bFa7$D%}Kienr*25X+b`Im1VVRoq@B@ zYmR+oF8sQ4XeMa0djVCGm?C%%I<&?!O=+gMU}T%C3)=_ONcYfs+BdJX++I!zv=s#Q zecOb_5kM6ZaaH^4#n5eSg_X<3PeZO?jBEedTWx!%k9oU=L%> z?v3P1rDYxSw$w1B(He;MPdTUOA97C7dDZ#$T!3^DKBun8(3Yq0pmP=Q!weq(pv1hA z2F&6r^0GYS_B6ME`!qf|i-wZ!fRTix4rU$jT+!VJ(W8K2p2{}ml?il1 z#4lcR#0m}Bg~mp#A<{$2LFZ74sp=StR);H2PL5W8K3Ez}!LSa&Cp@IQ%=ZqAy(idv zo@`{+2kFTf(zK^Fc4qOYQ~I%q2QR3T6~)J5ExV zDu``guUWXV3r_^-_KT4ea^~MhXV1G467~Gcrag0BGrczW_w4t%Q17hUJKM@~zoPsN zs39+j=r~3SF6*~Wby~dkG7Rp7M3WPTvKCExGm?UdF_lj3&7OmcItw+UO01)a&G+4Z zldaASs2o?^lSI!9KPkV7R5S5^L&$O7{9=^qhXc#G}E=fIS*zH)-clm#3p9uB@Sw3(ZXlL$H@Uy`atx;%(v zFL}l2UJ_EduX&*K6orNk@b5vYeJ?-*IRI@>!P}dY&8q%@^!()(@2c3pWV2=P5dHjHzU$&5yIh=;Ka{p$I*)&&?1vh zG0P)~6k^q4W_!y%_{-JV#ONxaK9gkE)au)g)MmuC>Ybmr_cHU%5-ztWE?!3s@NaJ$ z$KUjz*?q2Er`s|-`Dl)^-|zsMvwSTU?)J=-a5#M|H~AIeGqWyZH)%8;Q<3a5Dqh_9 zu_TC{+C<`b)OP$upRr7VA=vZf0PJw#wt%(yj+zzu={*vy+nx6cwMEV5zwLn1VUSan zT>YoERe+>%n-rKuZ3c4_i@#6I~$ zS)UO#yzuggkCGaq60*uqhHIde>6_Id4T*+LB1hOf0MFxxm}5J>&j5S$z@YI1;19$| zSuP~vzoYFAzG$`o>8jKuf?Q|shDzO|_Zb$z&mwkg%D*MOGdarrwlge};-Kuu1}}Vu 
z&5o(!pl|=s)k@%y>?if9|BDdET|BUc0bvWP7Cjnq79oD_Bx(b^XAV#^^APT(^ybt0~k+cnLB06VVMsi?HvBK@@e^2T^BS*e+D>aTwDB8w3b2XGmR-NfQ z{N|p*^lo;3mbPcOF;Ds1KT+u%fJ&tjj9Yt&kDtjD{an2@m_0+0(>Az+zK4pG{`F-H z2mx8hT-gdvB3@ngI3|!bw0xh-`uFR2HmY;#lbrY(hzs-~7jzk1H_YS)oj18SILvkl zfo^y@uf7!vC1vWHJxiz}pWoev>2;31yRxYk-V2uEpJy+zE4fhm;O5-MF>TbJ?g7@lM#GkeHspsTs-$GUU@9bCXjP8t?95(G^^Q*q%mJS7=8HuA$l0D39`y+Zol`;go!|+o zZuq^b{y2;2WQzSu%CS7&EXTMQdn(t`MV0E%T940E??E5sGPN>hroC=GoNKtFc;BVh zifaJ+W_5od{z9Z8H@;BBN1OdcJ<)g>NI+sGweB#m__-3 zT3hn>@_jB3E;MAglbdsZ7p@3N%guI9SYI~krZM=i!66wU;4}U9#j7lYU%!8ilrtg- zd~~nqrQ(VxI3yDk!o$e`KM%J{fX?bG+1y0c(c@Fe0sE&icS)*qi-x=57hDwn2apq< zxtf13I;5`6oaGCi+zT6CP89GQEm;-EF(&DbzRgshAv2}=T*=u>Wa;6+@g|diO?Y*7 z>hc~QU=+fs9+8Md!1H+|pG2pVZ++G%szd>X`uF9dI5gyS8;O{c6Ne4KXLcXCVt;TR z{;1P9{_ED$J3F*XSB>whdWh*IsUoNidLqd%1qF#|@JREewzQxB9cur>U9#Qt@1S`T zMTD=uK=`IrDtjq~s@3&bH>VC2w@(krycW{W_l+^OInu+XxbKE%%UELdvwcxXJF8Vc zm1qv8GDZ9HLA|}X_$W0(`(-oHVtp{e?p{@n&zYI!-}P@DD}jY|mVSF{zjvn)D41>u za)kWyf$;QFi|ADND^2(Us)HihC;k-uKOu+FyKo<|`97cJ8J8VlhhpT)MD2E3u~@7B z`ef_qFP^gQ9_|Pl&gV@Zr6Rfw%mOzEJ@jyW#|ej$8@A&Wu{g33W=JxLz{dlJ4qevhur{?)%Su#cLX(LPO#B z_vG?ub2mBz7$_3cqF-oby8Wo&9TYB1H>-UN^5&w4-z#m4QVp^A+1_^TO*3+qiqJVi z7?Nz8JC>5{C@AaVOlANpUQ5iCfOdW?Yf^>B9{qJWi?`7RbKc8s3Y?auL)%^gn7eNa z$LGP^LdnnJxys;ewzB81AsvIT;n$(%?<_XJSU%Th$_tGXQGnfDuO=+ew+UKsMTwmI zlb}Cp=WQ%LgtVcy3kp9MLr^6aX}#}+C|I;oE2%|{jB%sVjlv4ZJSoi`vLw>|AP=cX z&@QCcWaNjGpI+hFDRmvb)ah?h#+tWaxOfA4eTFf)IWoLM6JrzcIkUOMXAbc|k%S%H zJ@Psf-binTjQtM@?d8Kx0*i~$#pY%^YDrvfq7a@;aafheSK}d_(A*1a z-VK08VoQF?AR!qQa39B%>wgO587Bn)m)OsZi_A+qszTa|K~sP?*(=i zEZ`vWN0hv5erpa#KAsi~wyC$NaE z7p{)A3iIb(b4&fC-_c(i`=KfvHhamAmh$Mlx1HmAlmX$xwGPdr(&P{pxX5(;!h8Cf z7xk)uXIIrJQuFFo{oQIJ*{Pc7kMj<{4BJ96MQ?E`(=WHlLt*Rl8r05jlkt)N35B6P zDDhig5X7^L9aK=m&&%RuazL19$|08XFW`*alSoC7s9#WJ$g( z2E3fV)Qqdg*9A9PV#yYwU$S%_dK0+G; z?V?#UcGAX<1`MxHoc;At#@rw+vZucN@e?pH7TO<(Z!e_jlXT$97l|Zv=kdm=JY8zaSksdy5 zVKMgH@LsLfdShH462Gu-@$o;NFI?e<{sX$@?(3jT+YJqrIxeI)f8)Q>e{6XdbRh= 
zpH|;5GF;I75pM$`ko?s`tV!56l!3(MulRwQm8aev-u5w}kVd|U&a=!Q;Do4?1iA0x z(_HlcTaUch;*}lv6_=MPTGL^u-+J+(w>1D$I4mN*Z^!{`}S`MB~KZ)axc<3X4 z^E$Nam}2^|*`81z!wUJJ*-u>NKfy$Djr6wV3`Ig(4iMA$LLTAK7?F zXVaGaS&gH2jj*hwJBFnnpvG()0K@-k`4I->&^O$Q=NzNypcd<&VQ#TDt zMW-k4T&Voe?WXa3BIegP;~8}wd=PugCf`htldt(R8}A1VQ)=ZXDND%Kb6vv~u2;f$ zi`Rc^s}CC^e!7<+3jRO7-a0Powfh2}NlFueJ8ttT0oGU-%|icf4nx z;lK#Lna7yz5Gj=$5-`Ft#m+%VKJjeQa3+3<9Qu?b8l_>j!|p#TeAsR>7i2wd8ve zyrDEr?sf?oX+%l`sUO~drO7JB>m4L7-zJ~-zh|p{G%0CkW^jJ> z=~2rMV*&}6j0Gz@oq%jK^Dftn;GtVx_)bykcQ-EHVbh1l%eAc<&f4>G>5B@-OUQIU z$_ZsNisaIPyzot18l0n}(*eiAR>^%xICWb-hzDjEOW-lR+({pq+|gk~2!FV89k$a* zxL_ro35pwD$~eQ5nF2ZE&|rB5tuNUH7~DCh9$Z8to6ex0Hti~4JUp$hZi-!4`9@7`HE$&OQbLKsVWa#QBw4 zb`F|ui3Q1=;D;EEp}TVrr52(99XQ}5uMYxJ`m^c32em;sCAX>=K=2ZXowL_`KjCjm zN9%7&CwGO>ZPh!#VkwIk7}9QCAh-6@Kb*}M76l;TzsC3eWRZW-8*d4!IS~t(oBKR= zGD%6jyl(-3bTj)$my6b@TJ6)Ssi3FvS+xRh>FL$dak*={mO}alqH;1P_k7F@ zD`r|8ZWaJxf^E!mkmTi?Be)$r8c=t9Fc%e`){;+a z$G^jP`|vD@GOE9_Z`@CB5a4ZS@7e;rzJAP&3aZu+fpzMIpi5RENZ8p$zvIZrIn`cZ z9D8Qx_;P#b9;5V!2-N>wpXKJrW(9C-oX2qYM%?n8vSlleJH3z{P884_d|8)gHTqfJ z@WE)ZAc%u#7)q6=;aEn!BFfh;>B-dX37B3q{-pi#jlHsODkdq9!Kib+`+xqDBVOv6 zS43xN>9n*>Z&^R=-TUI@X$)&le|_)sZs#k}D)FCm>&gcT1%U3s_b{VJjx@rCxw7MY zPVKNuoc;Bqem&V4#j=e=a&#~qz3Sw59+>@Fw^k!tqqrwfY&^*XD8gah_>I6vOcV7V zKb$hW-Oj_hYdCrRJ$U^ZG`B1N_ndh8S}Ru2I((4K2iT-4a$>^cJCnW^GUs(W-iv5& zdqV+3)2F?D1bHtiQ>hMk_G#e1p<|xsnBsWpmYH4yy*8eQwy z(bEZlZDFFkOE`T828b*EbK#uVt1X8qNjL?I_jx;CnTG4%?5m!O)HeIOxMpYh5rf9S zTE&2l+Ym5Z@>lW=#)HrSj!2$@@ZIpPpRj}LsFAj#MWS;uiMi3rRwBn*@C2pdJ%}ll z%@`3JDcJFbcov$dd~=AkGMG#u*@@@(@lAxs7ZcjqR(Res#bk)4NU^!LjeA3i0lOue zF5A=N>y*UGZ$I)#5Gfd5=b8z40ijK+vXlucK)WAD$;njs$$SXSgUV}L$Y93zZmelt?yJ)H*S>jJwnp_Pg zZ(!du==6I+)b9m^sSe5GJyA<``%^hmS+%P$D#G&IO zf-w)?Vx3R{f3pwicb$GrL_FBkagix+g(FS22gVq7b`eP1 z%uGH)9aNHG)@k;0%b!k{(-UpCrquiYk$(IF5LdKuEF}oQ=^Y&hXMPR3z7Ijdu3Hki zPtwzV`}!=py}NVz<%P`CqvlgBU*BV6(##WwQ`Hh@brS=}TMQ#pT}eQ@~0 z*m>~gd^rG*s07(4jssn!XU!2Q`l|8i+ne}dw46KHjWj#|J8Ocf}643ODw>KBig90j1mX{|91V{Ss=qX2D~ 
zefL|8g*chdOx8=NwLDdGvsmrQ$TB`t1JE4~Y0m(5yIIWdeqlXDT`vrO1@PDHJ(XO| z%~-~|egdQY0I~JkTu1?eLtS$Y=o#YXO0OJXIzaKKj0%?DHY)Y$NTYIpN|8c8J3%qHG6;$!2l7+QxK zUY%$=1YCeEYBy`w=5zo%qXkBK%_~RU_TDje)w6_LOa^`Dv5z-`f-;m~*;E=*S|Q7t z2|?n$QoCW)zaDmA`Mse!kHe3^Z?iZ}yDjzaj~WRyJVVQ`%zb*M{#hI1rr=4*B9#F6 zutD@@4gWwPGiBQ8C)1A4y*4SV8Cot=ZEgFuGE=sNDx@5UohN4Ht&=4D8;V`-1ANi` zSZLKpg~b&saq- zD5IC_Ti+HSIvFv`VSxR-Qemf!A%5=%&IkA!yhe$KyTg+uGi@xy-x^`n) z^0qQTE-<%M(WbQ1wMIp;K(mcC8JJCQmyMQPjXZVUNycFH^16^u;qdP}$I*_N%>_Zx zg2xgn$kmza(~`xm-Kl}GXXVL8{f4`P*Fmv)p2e%XF?;tu886&kwWiwN>jn(2W0u;S z%vbsbpeou{fdRC$F|oVPt6@JnrnUexf;}XS59?~4^`17s@ckCmrjrx=(6DQ!O4XeF za62B4LOea(5R7GvLu+xXVSw?YjobK5l8){9O6+vq_VWi)4~5GC&%O_uzXJCy0okhP z=Y*~CH;CAr_ub@A>8Pe4~F8HD8HntA|#$dElCUYHq0EH!_z z@R6)}AC#r_1FjW{KzKSZHEh+N&UbnRfxKOrCM+|;=S1N{bmIy4Oy_<2cD@P*y{ZRn zRw3}o-!5%{KWeT<8h9tOp(MNL+%+09-AEvg@o(Ji1@`+E0ru2$Ta9>>)O;}UxsT#O zuau~XA{a&U7gyX&u9IA{xG%FZ-g|{#R5@;K@~h|%+*6`SW0@)nnEq{M0$u1GYxp-! zQ=joBZh=WP!!<2IcJv9q&7_@mXWG=_x$H(~#Y^4i!*GIRzQtgl;eyq1%U)hp; z`@MRHR%Q}*F+T8Oj}I=kp#MN?KF>4#!+c(2%RCq6FF8hi3UTqS`I0D_pjRTo6^t99 z_bWtTr|PKo9$OD|*B`Kdy+i(rTtgojrZHodGuT%KO0@7D`^b40is#UZPHk7>vnL+B z5AS&~$9AF!U*%YB;lE?k#3;vV3Gm=1|CJ7Ar1PK=S(Np(4Om3H*R?79$EUG%BvI4b zWDM7LUkb5>0wf*ay^4`jH*n5gG;*2v%UA0iwdE}3yFSgKIc)R5sEy+(>PES^^2ZB+ zC*shw) zb$j|QzQt`P^>Vu@YZJ3s@?)1oCYO?qPYp zKN`=0GpCa6nm?;+k*ZK;&gZRho|glI{q20oi%*cx_uTEoJYUM=X1~%iI=RMPuzXit zL&j?1Qm)l5WT<>i^Gor`$WIH9+x6h>rYCx@)P?z~oLuzm^2Qs2_-=DDx4+7lC2dfW zbSLrI-^et#-Za>X=g($v9{*>G=Dkg_ecE)iW|r?L`w-{k|=9<2_PLr_zLQwlspYgD`a-t(~ zpp6$_M5TdJC+8%%>u1`5ni27}y`MJZcubNrm*Ep_44=7mCjkh(krIIuHBY`03~sy&Ojvo8}HV-wjyFsyGa?+-;)7P zT4`P5<-*8La#6wlv)heRrGOPC{^Vs^otR%)VJBs6& z{kiw5w4>E`FXc_a-2L>qc6^R6l@=FjS2>#lyrCG+6@ODwv;!yFm;GA<)Yz#B+e)gGH+1Fzf5PIm5-0L=Y9g>;Y5ORybX6J`@Ps{G@#}PMz z3~HWNIZPgWaD9QB|8X=dLjcmnwh2N})*(;8UGm%oc$bU{?syIUQL=(1W@Iz-MOZgO zX}~@kCG??>gz&weRp*sWwAbO3*ypR1jRV1qi!h*!@*h0t(`>A= z854q38F@10Yz=P!R&`H~nu8r(_cqebI@2;wCzrq#B%%11`$m_dsqU+J#2k|q6EbHl 
zGTUFjx_;UW=71-tgOBI^2lqGCAMv}|6v{*#u4wqU0}l1`PU%H9Gq~Nm<~i<7uF0fN zGIA+lSKF=p&l%O%za7nm4$^2FM1g^lDjQhTu)jhibA$uhpU{wLfA42}i~cI`f3WSo zq7Gj(fZDB29AISu?uv{#!lERK<@^T>({0wH%x)-%6TjZVcKB+4+tkW(sW zO26_LstxmZd!pp(K%IH+{r~yGKi}KzOZ~u-!QYz~5x~kBDx2r8N^NJk;{W)`vS-xu zAe@`PI;3a$All3lW4R@Q_s2m_9`TYhm=}J8UuM3y@uNi_&gYA*jRajpi4DJ5S(_`36{G6Q zP25y`uLkLK1foR9y_FpL9jWRJI~(_YoqL_g%TiTXV(i3NY7?a2!2$`e;1E>Jsz7o# z73Y-JfZb$FBpSuCinh#0l(ueuZ9F-+x32r{W}kQn5LT0f`;wxgL2t$$WfpClk8l8i z)_W^IUVDj|M=(Z@dZjyaILzR^p9;Mz;PT)7J{9IU&sJk>abuXC0yrfc<10BUZc!}i z0lP}$BWTW%T@0UEuurEJmk(e9Z+36;ChDl&={sxCo$v4TYn`l`(GD^PUtt)L`U5GJ z(~xJ|J>uxFJs{G=iu9}a>i}28C)k$uxJzEY!3YFPRPaluV*<|-YbXO=p0;4MlC*AV z<~NQwKHs+LJx(SX&L{TzVcz9iE3V93w;So|m*&c4QnC+wFVA{C!?weLDoTSjz)SEN z89rWdK3Q@|D78&uV*DMc$s_SRGLw!l7L1v6_cs1%nW_ zM^>G1%=d{r*N~djjz-b72P?=IR4dUB9z39wm&g9+|Bfi&mjnqi<*y&S4G^HNGFkc3 z5Ax6Q0v`5#-&*)`JA{P4;*EJeM?_v))_A-eajH^X!085HCMc<)K>WOuP<>|jWhP|U zjn(wXkvQ}QYOmW5eVu?UH?BSCj;u#-OXf$g`NuU3AccrT!O47!?E(=|E`zXB`yaTV z>62MoTKZwP0pD9Gu-oJ?GVwHWF7aSCbXGFAY6YFV8plQQz=)ghT8r~=xDMIS^?UOR#pmD2cC04FrsJiOPF0@W+XWxL zQskxop0)czb(d|G1Td+si)-(?gF-ETzQRQTHN$v}bdF?Aa?lz*`Iy0B)Sa`^aX$LA zxSx!2pAVFU7i0Nj{%jHqWq4agT+2#OZlu;jK?+e{N-%!h>Nf2|p((D&s@|>Tu{Uvk; z4mjD_HZGG;rIUlIhHj9DFAhg6`@I0mB7=d8o$ zNHY#7*8#HfwaPf)roBr~Lf`*IS>V|XIv^~u(K+Ggw>ds+H8*FU6--(m{nR25ZtlDr zB7#8=4s3ggWkpfNWqtPG`$h3YT_Zk~rYcimC+JEjonqAVp225X0>U^HILezdz+G%A zpz3P|0XEwI4tne_hrWKS0?+zS2x&t;K2R2k<(!m7-DO|5=;!^+$4A*kuy)%z?|@g? 
zqzQjAT~qdMcbRmZu0dMPmnY9l{e**D=mSCM8$sKEi=s++fuE>G>+TV^ge*}K>>!*{ z#rK_m*6vSIjJ5LtIT2ohVLPkWaZY!Zb6FpBbgc?ZQr2qK5?J8vYRl>mVV6s~N!+LI zN9|1pBP(|smSbu$adUgA5XZC2+dOAs<;s9U(=bUGC8;2Jy$lU1cLGD<+xJTn_qk3x zEpKSIvQil4dmOz%2+xf``+_RVrFiM$l%iIFq}50CWgPh!Mf@|m@TI`xlC`#T(^J|* z`+ECNMktGf<P3`fnMbdMk$b)==z>sGwtVMc1CS0UxhY#yH~D zPY36DTPMa66Qud#gy*6mdxTyDcs_!H#CYP}#5s`9)dU10s`31(^1^{1{EUtJ=w+kE zv(=JskhIbA>3t&o5dl82gbN-5Ug@c@hPuo1t+ZzzJ27b~4y!C7C*$NfGkg%FIJ3_g zW+QLX2XJyti4!n_*8_iU>0X2HhE+~y&|*u=N`Qc;NiDDt+%q4sr?gmX_^oowQ~Ia^ z;T8VNA>ZiS`3F}{W?3)z0pP%1{}T1(4YdUBE(aJB%yOebm{DVCQWCxyg14VNJdU66-&}c>kT3%0xP%4NwTtKZn7TF{c0HbRMw2`i0FrO# z6-S8k?Q)X&LgH3~2yA!-``l;&9-gJj4dCIWBtLP6P)CtM_JqQ$k@Ic1*IVO#;2H=K znK*W|P|9M4*Y6it57MYrP-ZWl5Z{5w#6W~JnHFB)#CrB4))TdvQD_Ez>uEZ~%ePlb zFcUrTM>NEV#QR=*-~2dy~|$c>A{t z$Zy`y#9Cq+CG)`Z3|h^A9Ps2BA+QeR(qFEs*K5=9m|9xau*CRbvy~%#N1l5|Mur5Q zlr^owYXOh3E?4d;09Z@Jx(jEHA{RxmW!Xdb(+LzD@O_UjMAbL0IP`ih3cHa&JSe=V zNxc_^(@d^UkV3ZK?*RZD+}gE#BM7|r84Ft7ZIzEgtw9bY;o^tsMAErw1?}`K&Y>L> zbI%)2*07-%imR3D;xd7B+a1tHos8^dfX+FwHr>47))hA+polyYpD=|<$K?>IFJebP zo)9rP0AstgpG)i!bqBA!g9NLcSdn>IU!B zS0~F~>DQ)K*0(pD+UJ!WM2oy#Zx%UmzmyX%dNsTG@!qU}wKiEFiT_u>j^ zT4`#Ol=!}DAfdL^QPtf?C7nam?RWdHZ~m(|P3-mc)PbS)kdv~c1$`YKRr$!8i4NW0 z)37_$E9V!msdpj8?cj}>2U&f}OIiXm-X4?VzCF*hklNUMTBWt8%JQlWOj@Wpqq*>G zF4>z$dQpWaDIS|n(-U(R2Q%!D%i_4=X|aWop>k>FNBPKc?@6C$(W1?PgWj$c*YJ;n z@49LeDGaEy#ySg0(WLe8WX)tIhmEek_?|m%YW5?nEhvj1$=ZvWo#dqm;x>>=SCO?9 zuFg7FID=Jk^ynf0agdx4e?=>=DoDE{A9XMo@uA-Hb7G2(mmtd_Wt)g=L)H*#sHU#X~P0T8_X! z23(`OI!=8j)DL1h3(Zf}PV3V=4y6yx>g}D3UfHmha}FdE7tl-K<9X3X_6`%y%Gv|`UFo*Oy$XPT5%7IgI#e6Q#@TZdPYJ&-^8_pI4j&luKJ$I8)KXJvD zH-L8jd~*I?igge!8k;oTehNhPnzHOB6nW2Y5ObtNf`R>RWgi&=LXW_~G5he{l%-4! 
z@0}Q{o|I0F#in3Cg!g`dTheE=-z3mxb@Gv9r0o}4+_Oj-cL7#vj95dN|0+1Ik=Y0n zN{SgoOUC=iIP;$Z>ntTUm^*`KO)ct0vyR0wXHBJN*-E(MZw>!bC2A99GWy-0VQl{wm=ga=ni7-=KUZz;-AwC!tPkE+x+j;Na zAQ&1%qxHNIDMH1cClHZT$}cEq;@9&n^QKFD7R1#vT=kI_umoj#uP@4c@wOK>k@8UA zpGT5$tZQ06Qi&RzCur&PjB6()vC&C4J@B^xp7xV{XsgvO_c=+;ZOaD6dTvA|C_sDe zb#)lx;$*gh;JV9`^dDvPjM9nm&DyhrZdueRVQCmWPa2{8;~}2*MzYu9^wT?=W#FW= z*3a&IKseqX4Z7yuJmK3mdY13}!_5_<7$d$bW!UU9Df614^>8!C6SZdqG90Z;#MJ+O z{^u-APIL8?u&fnNa_H?0JYworaB9UeRG_#OT`4K?^}& zyh$bpFe|j^Ta;fQ2xv}wxkOQzY zFpDih{8i2p%)XI|ii(%Mi3`|`@z3snf@~64XJG{pa%yaBY-eWHlEx%tz&YL`v(brZ z_c>Y-Ily!CJSFq_Y1^>RGJRQZwU@_{vzg_Qi9uXQI=>VFJwo-GM|K2)-WuzjYjwq zLk^h(B;H`KPr1WmSN-OuPZZ{juN@+vI$UF#c^Tn#jcI+^egz;^-kx+(`nZHPdmjsc zk|4;53#->Kf|G~!Ie0fkr*QM%<;807`Pp>h<^=(o|+QuR4v z)rt5!V~vf~$iuLXX*dVRs`GY_SNT6{FCZ>wHU)3BadqQf^Yn$uUHkOCdgwhh^-+4` zLyqyMLETUGTd(hz+0a!kBS$)Pkd^wOInWhl+!v*ORIU{?R^Dcch4aHC)U5)f28PoRwxHS-(B5KIGIS=j^0jFLh&=RUgYW#3!*Wbd5$!l z-HzgWwJLt@PDSxJdU#z;GL2lNUZHpA>E802U5tCHZ}9tB!ON09uPedu$Nh8FTN&8* zD@l5)7OysnI37$f2Hf_PAk1SvQ4Wek7h>4?2oX9Q|JRabd%pp&rix|4B5PZ-LmE|Y z7tXm59vrH7x4`qHQSi+7#g28MeM`eEwbK4cqX3aI+0J%7B2=}E13B$gU=9ZFpM2y9 z-0vz`jv4xBwTrCWc%Dd}QF!#)__4*}X38Q9O z@3K8-=-7{M#QxPur1tOjyt;g`;hU z!Bh!Z7|EI2K!@RpgXjIvhV4(1Z(M(s?l^^bx|C#;*)uGYW*A&mnp(Yl(`rr(1#GtN zR$d%kA+ zSHwB=(nnG*RglSbNtFxY6Hsv`I^+eA_sRNwP%qD-NKRZ0HeI#QrBhD#eY9lQ{0QOE z(nQSo@#Wo{;(prtQRV`|ukIou16%I!N+E7{YrMNd=cK8MessffG4H~Ch%X|d^p-8=;jcwyjD}{O_y%_ottoo61ZnGdTM4uxZH9$BI$i2RUGiE6YCZrr5WF^TwjKc+!=ASu?zxv~H zZD?c|f3eoGkJtN3zMjiAb@w1L6ug#kGn%SRmiaoaNsmyg)j`ovrxuH|vgT=;C zl|ve)E`R<6<%vt(aY-up7V2^8A~@p8#wk%XpF^Ci@DU$ykA2A5KKxI*{i|cpZI)e% zw$Bdk>Pf7C)okc4s&j;=9*+#A`gk#d-=zWg<3nj~VY76{{nc{U*PJ1H=0D!|yqDSr z^Rc*{vK=!%;?Vn_{7`b2?0e9~3AB!u*3yIqTt5ope(}W@&ny0Ir#By8!a47_RMXW} zA=a;t{jQVXJ5An|+5?uZzz`%N)V50e?-&qsg7m}Htsi`jgTjJ=8$9I02i#!%v*(4G z7!x-Wxc8HTTzw|yAk(F?|KQjg`+r>u6r)8GA8n;Nciu0-6l?CC~@qelv*fECTh z*5EKiqov^R$-ESC!?gA@1WfX!6c)Z7u5~atk)T9rD8i~)v8lTk=sZ3Uo8D5jRPAbc 
zYjRAT=dB~o{>~d!or%4|#2I+pE1K-wx(kmyL>=h^jdr(@<7-d8DW**ConT8udYK|m z1`Vs+pW#OBzi)3%*1(PSpp|`nP`LhFIdtAr-_`b^KScdkVD61;k23P2&47Pw`+3GG zh5X6I{<*>R+_eIcX5VmkFW?Pp{@Q>AO=JsRcd!YH|YpKIX3Epkx(>!-sH;R)62hgK?8F`E^m{2x*jjnmA? zChtwh4(_oJAVykE?JdRzlxqKEdMsXNBaOFXQU}1u`{a7`?_pb7Npnw0Z>G<3T$Ef3 zAj!8_6*SI(i`)IEmBl5%mE0-e@zi%Immy*22qdwO?>ls`RrZH3f<&?9zxtQVC|+Yt-1Zf3fy9KP`QXv*x9B8>;? zH;Fc`8L?X<7wTu_V>xhj4QQrcc&H!lJcbjnqV*x>5VNrd13D)?S`yXW81Xm_ z07!vJ&hUI3GRKHKEQ==_Uwd{C(|>0Ko}((hUIiu_`uGS)G!cunw={4pPkDhMt_%nr ziUZpSucbEtSZg}Mc!u&1QuePBA49fmYS(ZRR+IWV>%o7jwF|V>p1+xuW#^fS2$Ad2 z_{88DdGY|uuF~L{p(3GplrMOKzWS9dN2-qpM^OZN&wOG)ss3LP!Hl;vE49i4Y&U#L z!u_k`iCTD9nS-LouP7hp_&c)5nMUpW8alPYE&sdmh@8^Q^cH;kPsLCMG8P_K}WhY(Evxu<_6-@iZUcF0OCzS~s=L;J-BTJ0N>10&$^if~t* z$KQI!ko~?^PYirK^pF#lQakS&NBCy4oi0`}dsJ@gMGa{;Q~viEj}f}n#&80a{;ew9 zX{uBCl@4Qo%YVAdE(lTGc$(TGBoMKO&ld0eSNb(;F?@%hV=+PxXb#bEZSa;PN{|5s z)YA%9EUK>Gv7!cpuE_2IZKux67qoM|t{QI1cEEr`WW#;LfEe->j*eH-Z27VGS_V`# zppn;<%CO)Mgk=8{T`wJrHKg2LoEP*W z_o$+=o`R45XOK4lLaj~S%%LMfugb-q-)Zzh?RQlvr5-ahB&Yla4~6wxd^dinRP&5rNa!zn^lO%Y)hB2FlmB!$%&{ z0rk={5B(7Us{iZQet$9-!BTfBsc*cS5Dcly_m%C=F2RwtHw9GLI@V(qK>`8p7j~QX zx22g4oDem9e2Ky-v;rw&%rp3b#>Sxx)m{c9`*vx{@l#`CuaY(YSuO$WT^5;g|NFRy z%LpeR?Ur7Bo=`p1OlWx&EW@k(`Tc5QEp2vVMC>D5Y#qEUw`6#KvPS<1>LdHZ8>oZL zlEy1UJQDk*fOG7eGs0LJG3&a9s}ju#sG?g)WCS5gsl%AH%o4-IlIz zS)0;;M1Js0a-;PLFTvO0_%%-xwR-ygEJW>DoR^{tS>FMhu(Z6Kz8-}D-IIp6)sEer z)Arw#PKB!@n8yl76=I(AMWY^i$=SPK`^)>sVK|28{o48f_Ij5Ik5${Bc}LTvyFoaT zbSWp=XpyXZ^>()yKb

uWjUP&t2eXi3*In)ZdywuKv*MJ=!uPFN=2@hW8w5G@Sdd z6E-MBP0t`qUjL_={pZCIe8!MKubSHB6Uojm>5*+-ZM(aQrS)?%%TM>M=9d9lA5A%4 zdEru8)f1vW@MTCv^&sqaT`H3Lx;GDf^$}3`uGmspZB#d?A!*c`@BHg+HeM9I^@8{) zxW9{BhqD>1C|E2km3TFPkW+qEUVl|^cp=(-u9|C@g@BD->7hK|DFBG>;bpFC58!gE zC)zbf)<+BhG;Dj(j@D&h{Lye!PFMAfO0ICqE~Qx&sosL39xzFrRK%DC)4*1z?5CSW z^B+ux?N6YWYAQO9LFzYAal_S(|fMm+>e z$`i#PV3wQ+X~cf5Ea`c68Zzy*VuOb4_({^lVr?#@#=iP`sGsDWXt-GwPPpmX8`rsu zl?L#6@H{7(jUFBFEzrwP=VV`!PFY%y538Qs8Dlz&=N!0sCK^We&xZ^vz4+_GapI-& z^r}*6r^eT=z3lBHt9qpOMmq~*U;iL0>&?LSBMRk~ApU8Jhwmb~dd#Y_15D9Y{hN-1 z-%IKSs~pqihm2?Jgauha_$dMk?n@|^oRulto#uaC?6Fo~>fnFut$H3;Ek8@eqxR&L z+)`+!B-yWAm?ZH_^_u50yws6U+WO}=0;TP28_@;0%%PQRN;(}~+Y}j$@vhqfmy!3* zYWxFE5Lw4xJ^vD8pcQUdE#`TbGM;|}#265B3)l2nw<}hci*6&OD@wm1#O(=61mDNT zYos%4rj}hzE9)I+5?Cw(sAL0PboO+tT_?QnEd}(gF}rtdIv=P40JpO0?pvQk^8g|O zysLl15UP9%8caf4HzGtDDnU<%pt)C_o$ry@RwK0G3MMrbzLZ*Qly5hWIWOjYTW=Wl9!Vlq>^R-DY0C(rWVqCs$m445VWCM8+7(>4^$pf<uC3b=2g2mqBxV9wcswE-9t#h898Rhf(gC&fUW6T~f|GI@5i|MV$wpWk!Ym*qSpVpDmGjP> zl`h8~RnH+ii3q_t9p?LY@m5bPAtF^;-5IIcj?7o8#bo>+Id+mt;!-4ElS*28UP@fG zcy|+I2)eOxvqL+gH9lN++9uWMJl|~Q?UQ=c$xg~)4E-9R)r0xw{X)b{=xN8nw<4mC zcp7R}1=ffCdo@1Pqv>_nlCwx>CY6SaSHIHc4 z0NsX%l^lz6GW-2*;I`W9rIPk4QyuEX1;X53F&cX4FrK1RpVq$dJSCjMnf^991*e_z zK$O3pMN%ucKk(hY`n8+ks4XejDUy0+$|8PNgkyEDQlep2@Si!>&q6i?uUzU10f>_- z^1UBij)dA_C_qG09!HsPq4q7l7d7o(OqK(l-OT9g4gPOpQhkrE92I5FDB#(}QUl_k zcP7gAU~(o}Md&^9aDB?XZc1yClnY75z)x#WvFlf9YLYyAiNag+%DB z$usGQ9e3D9->nMzta!h+9y1)SO(O~ql$U9<1*aK9^T1cPNk1*6bCo zJT~k_=JWq2S}e#$zkIg2GgM>lwmN+)z^uPA$q%#TdCOT0!XDrrIU91Z(Gmj*Gvo7wU(A zx?`y7j-xpUo*qH#Nq#e&uh0HwIK{Mk=9Zk{?q17ASB}BlZ&&wO{r?h*;MjF{S>CV! 
zI=Z7REF=|y?dX`hoiWY>o^uzNbImESddOeQ=8I{dg4G8e(h}ZZ+MgEQ`62+melyM8 zNTVLmh!`75$keC32{sI@e>|mqKT<4n%)adMQW@!qay1T>`Ts|4$xPFQqa?LclG*u> z56Dz)I5GzrG)yhv(F2>n7McD-bv8-~2M*s~?W{gtj(SpH_yMF^)y>i7X3$larp5zv zgyZ_gjypqkovJI7zIn4P)d7&mp8i0Sa3{La+C*dq-$!mGORK6U{ zHf{z$DM!uCxT#94?@zYSBXd~d4=?yOw%FMkeu}YfqHm8%n-wIUzgxdjHSpRXa1dE; zk4%pw5|^fokzS=$>bTyxZoPtUPVD6T%=j(}BD2}R70w5&!mH9Xz7w*6kFVHUs=YS2 z80)oDgk&QnHR_zc&i1sNKz1SRpauq4Uy{m;Xr>8!gA-b;dbzJfs7QrF{DM*NG|7fzmDS=JE5(J1!D!uY+~GdEQ(Vlo?BpOHV@9wOM*Tx6AFhj? zVcKHxSmeRDm-@JAmBd7|+0j+Pcj9=i$@}joI0gdVNIsByhyOo4#Uhz9%@uFR5H7JY zSD`V8ZM;M2P)dSZ^|#DaTPY>Z4LT$ReSH22mpj$s^T*>gXmSTR>!}m37L!D?B&5w` zIUf^EM=IY6Q`NEbt`LzKi!u;2;0ve2Dg+i38f=9D>6C~YjZ7So&??Gla{sxWC(czL zk}^J0ildDnZPJI4X;^{FyO5CWDVWMq8S7oj+OM8c1-H9m-DpiPWrd>(`>LM3s&jpX zSR7p6jm=oY_2#diC%!J-U2{Cv4ExZQ&MV#f4|Q~}gxs!Bbp}KY3(qo(5F1tR>bLuV zHFln9d2($C0^U;{0)xVB*uG&c-gJu0!DEk{P)I{PHYHoWUO9I+Vd5st<tCHw&W<;D?Xn0`LpL-42Ub z=~WXVEOIH3w`8`wUDrVvN6Sg2Es)h@!r{R50t?8pNjat_t>H~qvoc0!2pT8bcvTl4 zg9n_$06N9FUZwE5q_8}oMGkWg%JU$5n+2q2vl2>BomYRhJT1A(> zo7%gmWoSt8X1QeylFm%Y4%VDhmLD!_>XizH>}?X-ewHL>Xk@eZ;pbRYApO(+{Qb8G z;XM`oV#ck9N)KSo<$0JF0w{gn6KZhI`S+CFQlP=)6L4KC^t4p15D2&-32UY~Bo!{d zO-@9V%UKp{GeiAAZ**YYOmWv=go#}g!kiPaMPUY~u(t9{FUirUmtLJCahHs6HP`Nf zlks}f2A2It*;{-vJN%e)o+Buyj`6uDEm5J?vDLhdiV)2lqq8WqqO(qpoj<@K}FRp;+yb%))ijMi-1fhH zE$DG>;81a59$Y-zJI=bdnU0ozS&HQPq&*CnPZ%vk# z;CtYxlyS=srJe{uim+HC&d=gFX@)C?Q^q-N)MI~9ggL1TgROkDOfJE)FK|a*cp&e) zIbs$4tPw~G^PKl<{VZ060&}X#)?RPn{^9Rwh7Y|0{mkKQMwC;uFt^dQW+)~GAU49Z zo3J>k-Ky9qfUq^hF~ve-y)b$#0HawpKj^D*DC%=ZQISV?;lp>@`e<_jHn_H_SCz5X zO#JbH-%%F;$7d}(bfrbS%()37Dh5D9L?oMyJ^P|9C+_|(H_EfM;2pARd0JS z|EQ&JsC=5By)o?^Xs%1QuX&Joay?+R{xi;D;%0-b^X1hDYYW|Z23A0;t;lP7=lcJd zm6yq8sOy4JXZTzGWbWL9bUqeR;i+zq8OL`OCA7Att>&xoas)=WBAv0tstuE>#|D_A zJC(|Q-bvGf?4@X-Gd0hbPSqQt3&I|b$Gwi?M7v57f`+e)e(&n z|HdmIwQf>nDE*Yyh~LgV1!gzGh92Ef5{~Hni=LVSe2O7iMzjN0ZAlG{u<~jHnQh+e zc|eUXW=~mjEnra+D%);&z<9v>jogx{8vu^5^BonVW3Du_DA0JOK!`EAfMcHoc!!(jZcO%k`0y1=iv{KR`pduhO 
zba#t%w}_M?9Yc3_NDV0n3_0|7^XzBucR%m%J-)x@7-rxe=Dx0VoolW0JQt^xbC$Vu zGhT#NblC#~e>4RLbaNUlfbzAD7W&zU^!)wtQ>wb;ywB;D38IIiK7O?FC8HYHD+ zz9|rx@&#p4b~gWx%*Krl@0MeY`>}&8euJ5kM3cOS<@B6My=e!6gqBcgPH7pPXPy;C z>?9f78cao(mDorO%V%YGDeOW)w&HOWBT{6!`Ym7F6&fAh9^WNn!tp9>Zj}-qU@bR* z*+uS+q>AZA8yy$U+Z`LMO* zqsSv~I>peWo?jnEd&M01gPC>c2QS%bm}rz=lMME$B$uU943Pv&t3I1hzbXxKF2^7z z6{8IHLB-H^YxL$BX^CO*#OKu%j1BeoS=fo|QV0^Dm{L>>Tf$UxVea8b!=CoK>1X>m zTR&3tjT}L!NC{eJ^7v*m-5C0Vib#A7wfSWXKQ7;VXJZ8K@dt`{{|i^i2zmqeRoip) zpl_S;OJc?cI2-IfaOKt*^3;IJ(9evx+ur;JYw->!L^`cXHA9=33BqH@&SkGICxqb^ zzs7@FmG%Ky&{^Yk3-6?LR<3b*#_l_pod`)dNR;ckQZT^PfN#f7nM*W=q z_L);|gFC!jMlQC!p0(DZpmsg~!>30n!&ZvVJ3E|)-DRb>j(cRh_k@eSh)DB@hhKD$ z%uedkEu&R$YRqZQ=sJfdObCbFwFH1`oX=ZDo!73rujq!0%0##0qoWS@=KLmT6la`# z0rAK6@~Q^LqDOGoaY`$$NXcua?O|2w*>B1Y?8OG}RwltWv&#bsQVifik1#HC-+c!9~MiAGtS?b^0NFA%^;s?~%#KR!Pu+Ez1>m}K|RI`_Gweg%Vk>2>X77< z^^Pcvt5>KSpv#Q@P4jB^6C=5RKy#uA_(muWXF=?HpGw;{{! zW^xqt>C=m7qXILPub#G}w%T2vqe`rb%U)?>k0N$+HL>3uZ92u|U~LFa5XM3E;Igg} zic(dHPb8jbqM>AHnd78tSv|gGBuNV2kH!{W#cWv5A;EO3s_Mcg-eAza$scpnZ`G{n z%;zI{oyUg5m`d(#JGuU%3)Oi-K{1%KfhtXQk&*qA95S`zV>4N;0&l$jr>(g;3fsSb z&V3<{h=LqVURii+4V;XXU5}NNnnoIzyO0zs8cU(3P7(XFH8YA%%a;MpB>pH`?v0II6Xm^5ZlO7jNG?&#hA z=*KxY9De$sqVn0~G*y1^rs;2=C{i`3K{RiR^9}=e8jp(m-$0H4qp?iy2}z8rL$eTK zE&%rh*S$8?@-`n(7se{}>Rq$D;q16KMwG3$+d?+}EVH`k7Yb8^qgwOviK1p~{P-Dl zxL%40_H+h>l3UrIu}(=ZYIom8NG{^+W{0wMY_ zuz;r4lt5iz0cG9lxFc0vKv00ts5cc2O3+?4|N5A9(vJ(IAT{{WE0m8dg{h#D1E;KB z63`wtOB`3X?qs3|g0T0uw#j7<2^qE~nfgbmpOl|`v^of|NsB5=?%P4wSg(Y)Bh2Ue zpafAjHAsZ$zOtR#tpO-tc9gFE@J{V-a|z&3>*l=@>+zDUcD0B=X%fN_!s~GlLm?3d za!#txfzsY&j3GgG_%2p-cwV~L^iN|~ps+kANh(^wr<}WiPY*JD~VgZG>fVK_5zS_zXx<23GC&@$vvZuG>4x- za(hOeI)*|L2|(93?BdMw8n^2!dS59;y;0;TPph+AR&m%0wYuc(sY^dFcjoDFeX`fD zJ(FEK4KG6&h|3SqwiZ1|TkJLmk}`YgZyw6+92}NB|6ckJZL#(@(8z+D3mR?`*;``l zEX~=%HYBY9UPqpvGAcMZ2%Jw}ZFqLVCfSy>C1V2l;EQZfS(>Yo)k9-LJ!_HhlGu`~ zioQU;AG46Fz2ex{-o1?2U6?*6gU#>3FtfYJFsCjPSj4ye1rMQwDFt)HvoH#_=)M5QV{=*vB9aL$$Tv(MlKh#8ib 
zkV@w$-xszaJWuUH3}4Ncm|_>(L?XCPH1oS+Y^hg_vzWGHshW?F}L$x(J*bt=JabL3;?9y@Cv_3GT~18>&|4G!trc)ku#VVmn@ za49m2ixcj_3gAK{UNCMAq>!NCk4nQ=c-WQcO}U7Ix!W{dzJ&O59m~?}y0;e@>u7Yy z{gq;y)$$R@d;YL4VjeZ192v(mya;A7q-%je9oqKAMCW)e#;WhKPZk*f8^Y9J!svy zb~^365yx%-^}Z-kLqasmb;jWIdf!HJvE+L*aG6OlKtOc*$H7m`ey)m<)~Snd*R|4% zwyn;pXh#0psjdq34p`<*Sa-=>2A{G4Nqlii%f2=D;G2u$j1MZj-fK8%oy%T_Stfwd z&`BrftW3qxbtnCu<{eW-XY;R5f#MM8(rwHfvj(ERLKlyf1xQ2OuO)n9>lG)2QTf#pWK=c(pfMCmde3{eqQsvHkCQR~X?KIZCnR!j_pLMb! zC5%EuIJ)fdN!|=^p40&LH>*%|TONKMNkQqjq!%Q7H9WoiY(Kb+w0$V5R?a!EfZ*;d zj77)qn45$~MQLN?k!PAnlfwm~Oz{hL@ObK&N{mCgYap$GmLE zRCqYd$c)WbjQDsN1^@cQFDTvv&YE!D$Rtoj9%&*%bD+v8wTUjzJc#wH zzko`F5HKgF1zNyqB><$p*~#pprF2oqD$br50*XBfpYglD@Y}v1${dQ2X>;(|dtK8X zsbjQ?`o#O_6wsP-IVy3S3sSk{L#Vlc&F^uMuCQaC(J=?LY z6CE9|*z@P<%XjB>Cy&K;V*9iX+4>f3a(oaw1{;o>NqWVXC!6G8yVp^rF_iS5^5zKf zO40yfA;_L&r$OR~+o*o5iSh5#;*BUOv0iq{5zD=7#^#It=F=wkrOckTvt^;HLgAt{ zSIpvr@;#kx;W9V6+$O??rsH#$%7Tj*f6+>sq+fqgx5VHvT~tdM%AY(v5?gczv|i0j z4<-kfVUj@9pp8291r(6QiyxY}#m`DLHV-XWGaY5FmM>aU9z6P70NXw5ruzTTCLZpB z0zX3=Jxq8*J0&>q$rN7R<3}*VDmivRp1c5=TnnYMn+_RC^#Z8!ErYgk)n}Y0jHPq!N^ve9x<#7f*2wNbk( zj1{F|3{=3jWx2*sNCB&E17F6)ohG43Jr1>yCd0Nc@y1~Q<3se-&-PT>SNQ0zqY`f& zJ61A{)l}AUNbXtK(X6WJKL$7?+(FDwwf1{Gnzr=2<&FNT^f+oz07ZYV4wE?yRMak{ zNcUtOBEA~G5)nJaj|Bp2M^aJ+0ENIJjuED_FPlxg?G)VjSVcP#fXshy1!n@IYK7y$vz5Zt)d{1IPxLD3khGYB}-g{3CTJ}=%B)P z*o88e!iZ1)$}aw5e(Ug$HCzr%wXCgA-Tt!HDeYduHv_aGypvtW_v!_TEo?<%AhoQ; znUWgMPW*81Q5hHCAJ6}stp-hg3ORn_3MdCK_^QnFGb;2Kl{q)w)n*p!@lw-yG`*ev zdUHJhSY`A{KI=GiSw6a^>G_9&0G}mgJQHJS13S8gu4Wes=jZ+0Lv5FzNVxBFQ69-W zrtN!L_;knIe_~$~GJW)~0FGJb(K=@bRBgKXnOW^?|QFa3We)!8~v{hih9d7O%20FJXqJv!j z+oUO{!h`dGCI!^alWpXrm(~ML6?w*YAnz$6I!dkHCI*;M7<}6*X<6f+vlS^qwmh>m z*dERRG^ech?0zpZ}G<| z1HioVOX%dGy4atZ_s0N2k@OP@Ax7Q{?RCFjxxb|kt7!bqkxd6VYR9x8%>=%;Ul#cC zp1dCYsuTUJIYSoDN$4&1L3gX5FKs_l|FZk>yRP$tVfi|5h@6wRA-Z=BMm@=Ve)E2# zR5$uhMbC$F$HdR+w~?3mN(03b9LO^z#qkcEZK*`hol2X|kA&`$RCO9v>E#<>3Z_W1sfPoW|LOwpCZMCfY9I#sb4(BlXT?b^-(#+_2wL|E31j-++Ehm+AQ3HX)K$zn!Heaf4v(~gJG| 
zm`?AJ>A2&Mo7Jf3FrJuUaPkhdB?058*Ydi{))~D-bDmWGuB5LN=mgWogPK&;cTYqktbi92PrW5W}~A8qgeOrDA?- z=G2q-hqjVjxfZQDD5>9f7I=ge5@_O}CxqzBghjN=d{1JPah(jOSr^WHo-YX&5MFdI zdgQ1diPR*r=HODnK%v6ShVpqTp0$7}l;i^Fm1xRHM&y{ALHh%jP(H=QBN?AI6nxZT zpyi;0hly%^zJ~^^Pf5IA8#*-~-8!Gadw{<_l)ypITGM652XuOm6lL!&{O;YKBUXcK z)GZQ}`S_y#mCZh61i?CFj)6-6+E@P`ka)KIq+~6R4==7oo}Zp7@}{kQGy437Ee7>cuCzek=-<^jN?YD_D=Z4VSdN6n;lHlTMB*FlHGFs zSv9@#J*DdGw)qte=dEb9K3LXK*eitb@cj|y{90Ve0=ftFv-e6~`_+ofml+PN4S@8P zAq((JtrefzsWcY5)d1NeRXi8|<)YK5tKOLUHK2h1a@GE8?VI7A(&Cb{CGNT&Lx#?y>J~qk$$Xgz8}0DK<>*db7m$arEZ=yO};e zY;d{_e$Z5nT03X>&gSGX;k$gYxsbyS&OeX9oL>Uqzaau`l#h`Gw=*-^AFfFMa!lfLsrZsWL5!vMsqfY-gw5B>gB!kEfl=th z*=BD-smGUFg}3R^*^0*?s(oy3a(fgV*UpXm2r0!{DwK8OHj~j~sq#i58m?}rXiSEr zGMG$Gh3G*r zU*0+aBLOO0Io)U=_liuJJ{*+8w2LXyC0xNDYay@8-=Rx&Ly*cuOD5J`>NBFFcD?jE zMq;TwO#iG??!rQzH0eYa_YAw z7@RzplWW8;mITECciwGs_1jJ?7hu!d7&b%r+paF_k2-KBfdgg(?Ane_UT8g-Tn#Fv zS2D_IfKuCY>QxLq*Obc^F(xoQ^qg(dZ$<=?H~UM}Vh|r)*?GHYx2%pgvZe0#lB@UW zxB2>vV!liA_!rbAz#T%tc&^8rg3_X@olY?X>af`-a_yM}eDGAAv(K`HZlFFBeTTC} z5jo|VGrQ{Fn#H*#-qVY!Ihc^_s_i9VJGzGjn6At#Uo85#0pM2ZkT?f{w%c9`>%2n_ zkKV6a@#SKI9unMzX$mhn%D&AJicRb)d5bU}@pH(0;m{tqXZ^djAK2iC*6Rb#OSRi# zvAZwW-s;n2CT@u@Rs@m;YO)pqW2=y$5S{f!BK+2tW`)8IwDk zXc^e}MM0E&lr)d;5;nJ5>4*G_vIRosFsnhuOAM3d+RGVR+gF!Ayhu=UUrI%x>j%e2 zVK>+3ensn}zY|V0M~?gQv=9<%N~Zd<8)I3~8hHs>Dj_ro^1dSqkE46N?yGziI6N6n z6St)m`HZVlAv-+|#=zie6~Uo7TzMQO(#O0FWK1M#@uoYk88%x+COaDZ=}NS|nO_R6 zn>W+brK@$6UG>Y;P)RWfm?uT!w8dzxkBI!P7rhU}On#vQ)~52sE7;=_jDb`rWt->R zMhY*8(H(v8PF?9~6=>U-cl=sJk!PUaqoXLG-^=MyZ)$841v2?)R6psx0Qb&vmV!-B zVTCwafv*RBOL}CRNqrdPV4`&RBAQz%m!wGPdTC_#ThjB;AXgzDlvxQRFJC2`7;Rdl zY&=H=lcBizryjq+*>AvVH*~)wwKIje(CwQ23PoZeFWzFk?#KM;oQ?kYy3uSRu{oNY zudhoQ?KoJ^gLgUJ9IoH;$XiO7(<;J&|9^Nyyh2-kAuKo7U>g&f1pD7&K ze&RGD{RV{u8!oeAeBxZ|(5JHBr1DrrlTpdAMEc4uLGe~RdjW->HkZ@ay!bNL5txEE z5DtDU5p||X8Lsu&OxxJ2Y7o`&iQ3TGr#pkk;T=-A`TClVu^;j85`_fW3ZP|rB?;#4K(Mnp*qH4A>dE08XO(v&Lh4RpnruFQOn5sHW0?y3i?rQOC%a3 zY=lFsvO`imRhT3Br`z^1M9T>w0XQzGDaR$CB!vXVkI*aa$k=mkT6mNpSp{cDC#V*) 
zP@Zsn(cjD4=jtd$x2Q$8mA6e}qU;MZgm*La)?}2mT&?(rU{8UPgH073e^3A|6#CBe zdf~L(!H2VDTl~p)o&Y*{sw*!k+b6d^9Q^#{6F}q7f zJW~pCce%Zd(pugvM7sRoN4J3??=Qkguos}if7F7gnN(M;1X_?MmcAv&#Lj=C55dHM zgB~%DNRx{NoHuU*QL{2P9XEL6A%NQN~|d@>%2sNRWGmdwW( zV!o9I55|!6BoBiLwhsj#-ZHuH^IhV-^bBqh%fy4B>E8{|`4NBb`q3-o%R&>LBBWf7 z_wkhH#*u*|K|hmgkI{Ib^vEvAtzQ4H;;0Jq3BF#R24U8z>l^ z1+c`;HOOy7Y}pze_Oz6;$hI}u)^sY(rqY1f4;B{k*dhl<1)6tBEIc%7I}KNcgfOjN zY)&tY*>C+i;k^+$k$Z{cFLfu{94BBBu?K(c>kM|b^p&G9pCjK8sao6X|e;x{0{bB<9UP&PZhez7X8gkyVI9d%mnM4x6HAx2u+ zdQfPs4W15W^URhifV?$fX^zoI4uh2<2r%dEoj@TRbVRSVPJOlRqiwu#H*O~-os6|c zRVSa-CJBGjzrXzrd)h`CW0v4OI8tJokV}?i6z-pROhJxrXA#!H_u_Q{Pmg_8i$5ri z>&d;q+TDp~c=@7v%h(HBOu`+_L)7)$&|l;|s8gDJ7~rZftCiz%NF*wi8klS#M9eH8 zR~(MwWY!Bw#=OmyBJxSF*mjLBR$#!$fl^)mu*HXlnDU=0f;$QG+0_XJ?AMA4L>Nvk z+(|aZP4=H(^=?d|&=aqt*IW6E?2yj%l!(01qQ4sIz4>T#$|1Ih-cxo`9^(D9ZS!6- zyt8I=num|i%`2TV^{!13b#Ln)al1jvmu&(F?2BhT(bCP#GWZ>53~b-1WW zld%3Ojsom5DRU}1OB@4X@bP(m6pxCC{pcc&DMCg9HEW2L{VpSfxL&o+$h~Qed z5TK6==S_jHO_WFgWM;+>A5Zk!uBLYfP45Jv7757F`_3?R*lN6hf`3Qv=z7@8qrl1I zqct+BSaAiofclcGZ=B~;f&TmOhVpK-#eS+gCQAC+JhS66)7!Tw5}CT;I`@trSAo{A zaGG5-=D!3V01jxJy%lhExU~OWVJe98opy*s?7IRnxi@2s#8J2Q7kB;N-k0m2bu~s6 zrQLLw($9Uh!&rCmo-77Dr`Q>VCcP803-KP_U=qJ!oCXpZWoVhn+1D3crZ?TDg%AE| zTvOLgZP#LVCh&*p9)2#D$0=>#KY+Z*K$z!08}I>eIpIbRGShFKQuE?cB&$SR1$jop z67L)NpppZXIGBYd{&=;vTzv8BvWDi!>Iidl|E~+BFV>;hcu4+EP7`t6VI1mG9Y}QS zr4(mLZVhJAr*e1@IW=q&E_$V_kW&N`*3$70CpinFdUNk4GZEa}T{(6~smx;2Kb-go ztr~QY(`$b^Uppiy6?a=Ya}16*nI4Jr&GR;}1Dy2PA0Zq(C_*J3H<2wVnKdHUbhPtU z+32h6`CwagC(6+{+pu~BTux9*i&w<+gljUNg)N~CZtj}}>H*9wG*k?cVuWzYJn}11 zTSEB4b+)k%zh-;niVc_0R(9EMvn#v`GC9}V?gRtV>+4|UODL&5vYyj&-R~T-Uqj!~ z&fc7FmG&c^3wv~Du8)H`B@%=YNqz$-8xX1ZEj{IvGPsnKJV)n%|HTs?;9z#UJcwL?d4w#jQ*PJ0%`lPE*J+#etAN)%;m+p zd3Mt4!V)+Q2vcsjkfY`p_}{z1Y}AnSy*wwDBa*$P4N_$e&DFg&(->3N*F)VSa3NTl z|*!76{N5>#xYe`l@_qOeD( z5SphFj}*qs?ujV6fVvJ;+|2B~CDr{}$pk{kl<%&)Ody=*tnptwEN@a4hBjh{s zTjnpoP0eYjr{c2J>zZo^0KeqFsyo2q_O5b~5;d=@afV)b=-=Xo-VapF{0 
zl38zhwHKy#TffM?mK#=2`HX<3kc0*ev%cJtet*v41ETYAaODinjqTZ{*YdchflV+od^n zEd4CDAH?aDI(lhq9^{WD%JcE#90RK!=Z>zJ%Kpk5`Q7h_2j17+w=@(DFEru)??N4Ba6`88I$&WOpf>71<;`r&Y=v{^;*Nb!QG zC+$)L1bF;7m)3$qIWVlxO-aS^^eu`8s!jKH>{(2A|IaoLt}7sssOh)9A|hLV=*| zSZw~e4flrio0zjdYttT>AMEA>+|H&68#+zE;-?J0e_|o&%|v=}=CpOdA15Dext=~Q zJ#n9#&sy(8n^qE}(>mvKwS|Sf&5xgT$2Qq5?$BwPe1~Z(fLYN?8rM^vY$ssibySmY zNN02imM?sj8_2qCu&H%EI|Wg)+M1@_$n_kD>NtL`M|HdJQ}#TR6f4rBJr2;#zincz zggAo_Y9*iYKlCR4dz<|IY{(nqIj3Jz!PZQV1F$@E|8nmBf&P*7HGJH_;P;`y^m44pG&)=&r&>x9d!+H$RQHjq+pp$K5 zFb20WA8wv;I@$YDA2<%!q<)&?wEwOf)2UvFMjZYX0R=1s8|I^`;AHrNy%(w@WeFu) z7FDbM^=zU=@TVG^A$M}4w{QJEf^Q+Omc@~kx)V(C6oXb2?pm5Tvauz8mB9dWDPJ;r z9BHH(R>>{JHzHBqqQ4?DW()p4dPZn=N+|hwdw+uaCzOm z_tMVk(IpY3zOj18wiSZSZza+&PboFvQ*i%Lu9x{5vb(zF31RT5CA}8N>g+G_2uN%% zmLS$fF{BRi^o}O3$NpHQE<9thyBWmBR0q58(RzRU+h_daTyj{WUGJpSKohkT)68le zLTswtw6pJ@Ox?eqnMnZz!)7+uiWW1eF^nOhR(8Oos8(ou{ysgFzQ%#d-qSk~-+VuoVA0OVjx;riQM5xKA7RmHK^_sq)Mh^9 zu<%%-w=h*R5~nDxqwAnJM!PE9LaJKYoasGdfLaghhNr$oHB`e*PLb>rtA+(HJe~I= z_hz&s|out$0DI zV&j-kFf!iWGsM9xZ0h@3tMG?Sa;c}1KQHP7Ysq=$=fQMOgHeYSO@0~#QjNmi(kV3` z&8@%smI2|bbTblz4<3@^`4Vb-xPsG6m+Y-9_ zb5SDdcN{9zcn1}_yZ%|~Jbdc;c%#cfw}>SUEX19_)B=Em7ZzqOBt{!OjfIVW)+WX- z(b|~)i|q5yrDn#;&(Lk>Dw{yEFh-N~M=!@A&TC~9$9)&}np>+sC|@EQ#TGqe{~er8 z9dm;@#$YIHU3yx+RMV#Oxu_O_e2_L*A2D_j#1R(yxsahsj0fFcTWPL)HZ^lOj!9ay zt&$l%uyY+pJ`~KZxetG2Lx!}zFGGS@Lz8-m5u013F;Jn6bQt86WHifu`#;oMi>uIRg=0FiU#k-n(Q(pyIS9xb!(%YHbLW&|sI zI5yxT6F|#~tvj{@pjQff?A?eWERx=lGscHS$umUHc0&T5PET8umHu;m>t;}d3z+p6N9s-NGd;8%|)=4X3*E))^sb zGQPk7uMs4msVvi)uXLF0OiB0Osl#6+381|1FO0U~(Zu$-jC#QM_soH1g@LdBJB^RS zD3X~IVHT3&<-FvW$NW%jgw1zObpKz~c%@z`BnV|fGrh?B#*CT4IpdE4tNQ8n?|i7J z07^T&QwMqTvlL>A7^8?Up7q*boF1wg`{kNC8O-Q(Wt!4ZHl>JMp!o=0nn&xA6}pU4 zKTd{`VSjw~Q8BvC7qN*}rOPnQifoqNS2-a{0^>SgKEv7ryxS9mMP!f@MTaIx#vQiI zeGI1|TpwasS(lWIm<6*J1T{K45uqi*putJV?zRcs6Z{w`#`&r+tPhAxiI}cIt72>< zSi1{+-}-XliOkG|b0S2?x0;Tbb>;qubY+9Xe{Dbr22c!5$Q1a^$Y9BsL{m4U8s|~X zl$FUkFhW%3Z^=LjfQxH7UO&q(q70&v?drYgpmw2Y+w(Kn*(6g>lCG}5EG^2o$Nc8> 
zK#a&%&PoOI>cL9V^Ag4T|Gc+=->jeAQj3TDZ<8P1467J@CKykA&qIWoN52bspB7B) zGm?3*~X#RK0joGd?s4VoR5Fen$(n?}YxY{$SXUm-wNv zEaN;Ytj_fxe1ZSSZ1-PcY;1^;bWWGwE*k!LSv8ZnVTgUw$cFf#c$V7#>j&zLF zF|fClzGWTUCj}v|pYdF=)o367*8Npxx%C*C1_b*W7!6P(J$b=9!CtkHSWHB^Zwwv0fQ^48j2x%XgKCtN4u>N&QqiM?8Gpyqz{J&;GOimF ze;awrMISN@c(8nwI<;d{cxBmoFj{0KLQ2QrbRo~g-z%$#|5BlR<>+;>^~|~*ooHJ+ z=GOcmC#{o)bg(VNj{a!RFw{DQMJ(l;871);dVMFW65H}Y61#)J)>MZbA)Z7S@kvbU!xXs8a z3AyCt`Bm{D0qe*iK3u1=)`XEs8#p2UCO5t7EHA~)aS08^tlZe>NW{p%)qI*bwKYg8 zE0KYrWQNjj19W)8j{{5ck=(1GQIuby^)V9~u{dC#+l~=9l7m~y*`^HZ&OE8n*Os2? zK24jIAu5kPxgG$i!!*G|F_-g6Fg~odZ2H+?SQ7n+p+xXv*eo6RmDI_$9X0m)VGO57 zza-i3h^*teH{mt zD>mDki=hRf_mW;K$gDQ6e)_o$9K4yN#>#ul$awn6pG3M*NcyHwA$Sy2I#Eb2Ul{2h zD76~Lh8=#WCUz!4n0OvHf2*uuK#K5*|b(sGgI{zlkZ7DX(>`6NU1(0)|(!ehmQ zRqSM_0qs$Aa^2Ge6OSCpsAUR1jA&#_=szBEaVh%Lyfi-QEOP}Zad%k@_?y0~1G_a8 z#?`A6F=MJ&sAp{~BP`N%TEC7g*_;$!^trkYE=HJ6ReWAlKQ@?EDgX7v^*x4!;*%ET zGmrV&6s7c>eMA2L_d*YsP3}QLS5;OrKYHXRle{ni%xFyH!#;kQt2p?=kK{}XO$kmX zua-CR!uKVq6V0~|+p10sg2-PHAj;d+H4usv=~Z4!VA>tSl`2xoB06zO>eT+`kfAbsK3C(3Zt7QWA{( zEYzJ@Yj4ZxpYO=zucCfa1oMfE7STNBdu-eF4NCljrx9DK1FV0elb24d4mqQ~A+^pu zIdPHLLZ?{|#eHw<((U@L8GkG;?xwvmXZz+_gfC-nMnuT1&E%}t4MYD(?`V%!f!K#; znWUV#Bc`&=75u@6hoM7&ZyPjIDM@Baky~rr+~aXnUp|Ya|Cu1{gqo@bQzJG7SRyyi zudpZAM&ZAnRhG{xn{JxEDAc>#9@90$r9kcR=l|!!SO8_;Xb#6^L*iq}?MZx^qLA8r z+zs;4PeYQGiKo7ji7)?{^$&$;IvfX*X0rj<|wF+BJ`lXSV zZSJRbQdR+Ib>tK5b&L`2p@d}_K*P9w)X9;TnYkL%MtLzrZ0FUQntji?dL4P}@m*DlJ`GVk zTB8@le`4lLa9s)^V1he8m8-AF<6iAouQ?gXABFJl6&bM@hHNq`Y%?qhZ%RIs2xeulP{cIj&tAcKvFU<_Egh;n6n6e8FERdNm+(hZeJ6P6^1rTsh9N zU&$&_TD5(q8evU zd2l&`2g440_U5@99<8^R8DpGNoG0RcK~P)UbfLpT@JD$R6Si>-xvZN)wPwQ~s7qC<^d8NU|L}hXl5tAtGqQ#> zdYrnZpA!ufeXVYBk7uZ!MA*A0PJJSrINrHt8b+-C-s3=2afsO`oYGF1UNL2u+`hm2 zJ{8G7=0TCV{5fTQuE@q*)x>i?yDn?HYeD6IjvKQWGqZv}U-itgrUg#YxPp;H*D#Ve zUaksXvT>+e2CWEaq1%07We6>F;3shQeK zNkY;gd8f6%{YK`l4kf*1bskr?b~E|#1uX!FM>f z?Fz(B1Pg)oWxUHX%dn#l#799fu&%}RUK--xsz01E5r{GMHEMYmZ^tIf56(m1Led)u z4!!3U_OB9xa?6Xz7CC3vhO6)+@Zkn|be4#nHN=X0u4jGu{bS(`$tP 
z>u_YkV5>+p52bGW`rE!ryU)4@DCYdi5 zzv(J?v}mpG`m8elePnykSnP#IeXo~)>+o7D{qpFidY_X&OjELLvArZ0cUxTKRYT98 zM{Vt0NBM~z6Q|5;ct>{%k@M0fd+;Ziq~%EAv^fh@oiDs|9|@WN`agRtcb{TamsuD1 zf!QVi3oc(C|9DaX_8;D#!?j9hIhou1^n9O6`TbKVq95;Agg-3Ik~x1^H`+b<(|o%3 zbKkzOwH9f(n*WG}ay7XwagW1_M9%Yu>wn)r8{q!cc90{!az;JnW2S8@jk9Tt3jR`1G9`&`;HL%%#uPF3rFT|6AqT3)cta1Ib;cC-a z{n><0FuCLOZz&18TB%6BF{8f5UJlsQO9c@nQnAS3FzD!8U6w0LH#6fGQ|KJD3HRD9`)pmh0W0<$?5t&M@9b=a} z$=cIgNvj@b8S(zLCd$a)sly~`R(2=L+VwrxV5(oYw0NWhFZ86?hTZJZ`s#p<FEUEPN4S4f{mIqyCz&LLjlwolX*pJ++w}Gd zOVcty%qpa}a1k~X#x2=o3DQ03!fiRtofU+J-M>Rn+?-fP42v*p-(z+4hOWX=DGX@7%q zDMf1rVdwk}@?iqIuX|q@4UNje1C}`QWs@us~fynuH zq5I*%M4e61kcrv6rrtRFvsC;JBuTWpW?&j4wOZk@_>@x70nONdj^{DL zkB)2&0=Xd0k0*r`zvK0VhJAy4$S|<#uzUty`jK1Fc^lqg-dF7y6m^hTzs)l7i==5- zEVgO55l*w|5Iuf#J~OR@M!d@8-Cabz`ujG8471&|iMxuVWU2?=_Dyn#_X4;PA0>mx z+WyZQ5oX08xo5ffyH++kZJPMy`E;9-1vK>2lABG!0sv+Du9>)p(2k~)Z?%Z}zq?W*egFRv_Lfmmzg^p~bP6afFoYt~64D(4qJ+{zr*wC>ba$zMNS6%V-QCSF z)X-f6@6Z2r$MxR#^Q`C7tTk)Rd^*o_?|tke_-VC*o38f-9XgX@2BzeyO*%i#CPkEq ze12~Q$!2gcLPIZwmwsI=c|^QXLViXq<>PL=J199O<4PlQ!b;L^NeWSco_@zwEjBET`J%+o*7dBcpYo~jZ zB$PnzlQd|#QL&x9H*}E$@u&C@VeZD^ORFuQv;6QgIBC~E?0n$7OLOkOXQ%%d-jzVO z+IH<|4jW+%18ePp>hf)8Tf+%@52q;(&?sI=*yCCt{>E%O*3HA!$&X`o4YjL=){gv= zOlITJ!QqVXQX7VnC9e$CWZXYO_DL$B6R=z)C2gT}=c}`Gb>D~ToRK6SLEJbWf?Z7x zbb*&B)fLkRhWBr?W*|)mk!Eu<#{c%BJb~GuAt42$T9z)$D+p|h-E14#iYfY`6O-}L zE^Oxv$2-P6HfwWi^;S*VWb`9k?`0H3JtBo}C-Oh5W+n4ilk}&NQn7UMYRbG;%w#m9 zb}h!9#uIY#bW^5LeG`OhM`7ENO=;JM=Wyfh3NN&i5F;I1;*Z$Oduf}PFd`&YcH`Uo zLDD;6ip^egihMS>;6aXO-cY#yBs#%lWC+dS{uysy>^cgJ;M;Y;_qS`q*M==#j~Ige z#EVY>OkR#n0IE=bIT5-!u}YaA5LV3YF1t0VL-&{q>v#H3F95F#&YS&7&C`Tj+hhZZ zQr1N)UR-6tb}et~gvgr%QRA-Hf!u1;c9Fo`H*2HnuoEZPf9PpTi@$`Zy2J>6&y*BP zs4y?XGiUc*<=2F(yYP#SzWTevu7QK8Cf;T(^7L@*4vX={H^l> zEGYFKn~k}g3D$?Zj9!2yX}dCV!7~nxTK-Dxqmiz2oEiAb@g&9T-r?nrOP|kqes=J= zW?F2xhlCfZ`r!jG{T5#%&PbBdPq4Zy+^<2u^!U<<{8Xt$eb5KKi9t@ifhcq-<@AK3%7E8K(wCTWAvE@Su5NGixNF2GHt%i!GCAD 
z0=kP*G3iuh@Bu%d(#~75d*{vXDm1Qn#_4~zeFRnYKD>l2pXBuWhaRrY;cHoA0}LQCFs`lX!c~#U23>PL$L;)SJ!~XL_Q+@1B%@{7WEDlG ze-(6HZiS7tm0-@RegzszU1;Rr2p-8>-4x*5eeez9=gqYhJ7D=RO?t z1Lv>>8@;N}D@BH9c&lM|Li-U75Fo!Bnkuzq>@pgk&9{j-F#a-Bk=EO}`hNL<&WC#a zz{uShmvM=7mtM_vddFt7ST9V}SN%&$Bz|pepKarwk8t?5O+omVpcoG63)Ox0W3{pw z;PiQHvDo~t(`N*nzH4Gj43^y4O3~s40an4oIwSC~_+8@RT0Jbnm~F{ibeQG9SyRIh8WZ756+Si=lki&AUBpW_#EB#^rz5uR|WK6+?&>e zizDt9)~f&hiu)lA{K7^K2#EF5yE%*S)j)KtVnH1Ezg^BLtS1ZVe|p{W7#w~cpd@By zG~{WkkSrOqBHimoqsn9_l7y}hoBxb}_4!xj@#B$<1mj|Bo><2vEZlTh7+Pqi;f(#{|5CVEe+nek_d(X`Eo`Lr-ld_9+58Fzt0ZHyO4 z&+;mNX!5LB>7e_y6IVThoFIC0ji&L*Z;ug$r?`Lhf)u zZqOQ)ci%+=>|mq&Y1Os}c%b4L%Cg33l*CGJ^F!fKhB~w7QDaSrD$D+xW76%)ugln* zCr&zDsxP$W$2xE1yCab8;Pf#z!hb-si+-dmvxHdZc0?O2Svw0Eb&DApLP9&Mob=PC8|L^>`-C!0*<$#np6+@CT+ z@b{TufOIf=AE3i>+AQ(8-=FlJi0=sP&Xi{CH(#w(0qy|1nG*%%T&8_FkN0M2{Eok@ z>efRha%J$dI_>ZEPtwe?ch05&Ke~I@QD!EU4w-h;z57ff87q5Fgb9AX{G*4W%aSvp`&u-q@%p`h`Bx`V zjc^=vo4P$)0*hCh-(R+1H3-?Y(Ssh)md2<#+c~~#PLlSC{%T_5eS{H_H;Mb!-`{(} z%nA^4HonIniM_lnV}@bKR_=|RA)?ch_Faz$OsfmtXP7D2c-?{Yprq#|t=CJQeVM#! 
zhd%q1)>}Lf7M(@|OKB>G2^8??%rs9?4kg5}`M$#wb}x??vQxYX_ld@bD;3)ih1k^m z{v7y#b>!Bx4uKk<{PeilCbXp`1kzS_p1`o|H&$QvZPt!HfaRT^cCmpzET7Ev?jB>; zHR!e~6yP$JfYIzyi`G$vZ2iB>gonN~6ZReKID?PZIeDjk#0dVTDL$NYq%Y5~zq&=`Id-!NP@xb+)pF#%|I-=Nedd-QXUhLRm|nQL>BcQh6DMb~0#s!^!;F%a~; zo*dG}TFm!7XWHD{QQfs+4{q3o{BAuyolbE_C2B3d##(Rr?spD70Z$wG-2X`bc{A9_ zexN7rYryX$>suG~9&Vv7JQQ;?eNzH$-!NyKQm+)<&iBfZU#S^%r6sBVKMZD6S^gLx zH!*386kU(P@J*Y#b@bhp=0@!GH{p$d_yzXuWpwNTWDyS>!QG$9@8~3_)8G_GsK6(V zj!Q<9z@Ru|FByuL)E+YQ5RYFe%7#`AoYiL+$;_s3%g{3y)IJrQ{w^)g(_U zit2b=9kK!w=13zaS#N1y6L~gG!&A%*q=Xs@4KZ z?|a=U{fFoL+g+lDIExIML6cW8c2q5$M*8K=kyf6f&5}0vlX3(PrP92gCrdw^Fb=?H zs3e4O^ZcTJ3YR^ud+H{M!!ME!T$W_v0(?UM6rO3ESBaR>FKJsOq2iLGy6+~6)zxoK zEa@~C5u!;fd;C`FgC%ZQR-ZCH8b(+&iNu>X@wic7mX8uw z(me0vE1hdt41??YHi0^y64r>K|Cth~&GHH_I# zultI4j!&CZ^|vGCq5%hO${?Hvx`%NkTayVLm(V#{ATSP3yuyF{lo$Ht>wf`!Z%ENo z<-#Pw0G%edn#{SYuJt6!whvfDzP>wbw3WeCR1mo_Cawpp|5|rqPc)VOZpG@!-4GYE zuuR91xb*ZF-hVZor$8V~(ar(j@eym#8Dj1tT-C-Q9#p&gE8~3^E|q{v^^EsvKZCOG zjxnUMp+SInheMEh+q&tb=LcBV^WfdQQH-$hnpmw#Kj7j+2b8fEY~-}RE(NxxaA;uK zH6X>I(sb3aDi7ean0k{Y;9La4f59!wnv?p>_G;O6_NpL1?A&F}0E2kP{vPn@Vv7+v z#l#mh=^xFo(mWS{rCC4z)XJ{=z!Y;``Ut3@V~B=z%!IY{(APq`ZqrQ<=xc3gJO`;rvmjY zYrSjZm#-GJTIb7)E#ncj&0;*%{8OJg&$4PonDJK;@%QWN)p@q9AUws^`(A^8%96HI z-OavwuvoCww}Y<;yP8O@#Ck5${-41Y4x2HqDMfqSkhX)DcaNix)2Y>-{*!{Eg1RT+ zEJ!`AJjx>?yZEOWkFG3`k!6~?IOmxI9C3ZE+8nAHgq^}9)ZpdJdlll-J$dSW=EoZ) z7jk#dl6v2B%{hUCH-)Yc^N>4YGpBlx5}9)HC2)P2K8RO_BweO0Es_`)YT*cEXvpdS^3 zl;Za0`Hp)_;`g`hyAvIdO_ozQWC+8k8)C+1+b_3x^E||-&J}yT(RAvC` z1HZ^~?-wd8zJ4On@|t*?o~h2-hVo0&?lonLfLr!8-6nfo_gmep zU%ekVViRaXx^o`xfoyK;AQFWT6H<2Sv=~R#X-mfuD9g7rULRG&Xi~Z_QEwtYrgE!~ zG~M!(->rPyT`h>vcGz%nIM$V<$s9EBQd6kg0MN1n&C~fm-44C!IvMK=sT=}F^tqF{FCGI=dw1VsEZN?WqP{Y4?M(RW9V zx2^Q-OP4P8ui1q^KP2po)JTD&{=HYRe1oDplczT%DfuL0*t9asK&|?~n3nQu$Eskz zad6%wrE%;^A5--h@C`$r_E#SJ?v_9;OIzHlB@fjA;l6A zqzM*?jU9f4j=RSyco0G@yK(o&RDY5ohchjcn}_>lg68v$Csqlb*U=6qX|DZOc#pqI zc=KBC9~u~p7pZs?)61r-Eenr z+{beFTrzXG1rS(yU&ll%ev3Evf5d_|W)cHrjamaCN#HWy&pwWW9Gtt8^T2!5JD4h{ 
z5Fka%o^pSSah+L6{<~;4)=}{$AyR6lkvglQpa%hrjhmBLTrdpL1?k!N&^Nh-&nN?A zNKQlZ4Ry@juS)wl9d9M(Ei!(DyRPc##*-l;D&CwLG>ujI}Q^%k1&G_XMjNBjVKmj0;T^Uu*<&%rMmal_r{W#vt=MD#M* zYa&*A;7H|xsKN3&v~v`1bc$wEiqdKOdS;1dp9gzBff(XC>7%P8&i)bGBk}TMaVN~H z_d%D^I{VRQ6e5Iq8cSbZRixfuJlhJYWb?l1)fGJ`LkTR8-)NLX(i04zo_qWDI&8Ml zkm5KOZ{_{vy!Fd^Kp;m+6}5UpA!)Mb>$|mZe7}&9Gx(V8oU`B3`PTZ*u!oL+&-Z;l zFFOT`b6suDX@m^SY*vJoSH~e1U1QI7Oluj|kq)Yd#gSC8^=4&_=KGo-1oSEF#an z&Zz(<;ZM>0TV%wCUDeqvqMpFBDnM1698fCY zg|P?u63-^Du}5mA=ZnS6KcuE5!aXjg)nVPFdfE%e?|uol+BE=dx#wEUJx|E{STkRz zZQCSH>5|G8`BeN7`<;>#j-RMz)=nySlNOOby5OBB3TevXsWou+;IcAWvo!KcJ2&N) z$eWF#E(ZUPT@fX&(oE114B>n7)wcQ4z8(?6kP8#OolSwsFdVTK=w6F5N!?CHDfWYn zMBBFs&4+)xUebpOJn?dIn0@qA+oBm>Yt&uwfpQ((-R%03i1aKuSMC4l-8y9ziWYX(<3GXR{q1I(K_$~yZgVS2m7$Qo ziLS5f*dOSyc$D2?#=$smKl^EO%CWV$&e4=LUeNcE{bo0Kb@Bv%>Efs9O0E(+k&X4; zUTCXwdxv|gkQAH9oz46ig=lATt}*2k zw;Rz!_^cx&b{bdF;U`m~y$10;P!@OlZYZF_`OTcQcCze2nGIIQDvORN6$}}C(zHpG zpe=Ud4E!&j{E3pQggEYblj^I9w&JcEhwDCZ`lyQ~9TZWrtVvuX3w*gePnyLQn%xPL zH)SzC@gJRg-E_IsBK^x_{3)v>Al&SUA>BE0%Rlk+3lDM3{bkva#?_ybpQb+JR9#lo zV~w0>6$;lK%`fkS&4fwP*hU=ceVuH$gj|v$kKGvP-?u#XMA$TTH&h)Y!v|J#!n|9K z5T8}D^LA!ZWU@UJTdod<^U%q^XhuIg%n)>mOJ#+wu_Yuz@s_209PcRN3o{}kU5CDg zj^2#vwd1-~+}Q+b5Hh-721h=)ftZB*Y5Sx&SrwZ&B}rIp;#PI)Qf@cvE@mhqeK39O zBf|zT+%t~nDQ}37TW}OtWQr=E-m|UlvwI$$`!6B73QmiwL)M%0!B@GL6DNgJ%mh=; z!33jN`?45lzAS&1k0saP>~nf>?aRtgtCzFOC*e(D`+gL7A!{*&N~w$$^6$_tADY|- zZ~tgUz#tgC{ZXWc>=@anv-#P)p(-t-!OTCrX7%F$K7<$r?h;@RBV7u%stmSjMO@y( zc7Z#tJ!STnX!AxCy(gNgSo7euVm8am_mQ#kZ1qxHrXu&poesnAW_JQQE<=chqd>x1 z(iF40o~1U$eO3zl+sP3_vArD-=CV482f&gJu3@Sx0Q>|NM5r)U`fT2JudrZG!_>gz z29|PBch1j zVn2|@SfX4RBl>48`48|4mYSw#aG6Dyv_9N=#B4#T?`dM_1Z_N92H6__Xg#g%{Zue{ z3d}-#h^(}$74IvZ||i`Hp1a3Npp5rq&QU5lFE;MX-_pPjKEOk+^QO@4~5 zR?p760%l&I;K$xRE{OfT(UO-408*Rjlcf7q7@!&o=9=k?fqPsE11s#qoILISyQ5L(6i_hDQQ+RapV7aJ3(2r!Fj?>hv zqXn=}NgtZfcBq@Z|NPNofHkosQd=bfU=5nktV4u(m(gg&a^&qpn4)R7He21l1@HGJ zfOnr@U!x8WiW$G~vORse=U)N|2z!SL3alvUW6Bg{7f=|-DgHthqu9Ey`C3Q_(v(Qx5W4yDcSGP&# 
zb*O*P7hjJjCr=+?2}Blj+q&|lQ#`GqrLn6)b{LDBbk(|?%Y>qJ%TLn!XWF+zg=xZ> z_J93I*zYIPn8sc6u(nBO7>;txb9n$F>E)GIwC}$P1;U@FozjfROP+V9ps`!pYJsn+ z?Ah^gFW7UB9W>qHOKj6QE?xJ*{(GWLxa7Q09OuXwY=P6c&pavC?d5J6G!>R{9$vp5 zYRy&>TD7aojcLk;P0~3i%Pk{I{rVJ+1weNrPV>en`#-thKa{Vp}J8f zsQ3~Wj_Ox>TSu*iQ`tw}?Fi2sLYqq;Tp#^;*lDGZk70!nWxik3djc)$&!}0cs zWUWH@M+&L=*9JO&JQl~>gD-mSE-rUN?XOGfYdGB(B<2k}k>W%ZR=2MO-$h&VQoKsZ zffV3^%U!!x6@3wj+V=^|c@$O8tNwIc*;|;Ai>Aqz{|l1;6N+Rb-c!Y?`FR1_+XK+a z+tfRs1iOje&5t_aNMbL%$@APwGvgk7UQJh1vwWcFb4p13Ig*^~{Slg?DB_RloEHGc z2Y18(UOQJzxB8IR*yq0#bJ)1dMyAjJ%PvQzOO3b#8z?Rd4wncU<(F$$U@c$d791dM z>goX__9{G>Jbnb$nF#>OsKVBK{+V3B={I2SD%{{=bJV=z0qS&~XI1WuGPcyon^Ew+|)W)tY6W+~B*aZ5hi7T||WmAg#KO>~! z=hq_kfZ0f)tX;w7bv{Cd&%aJTD%4%Q1ObP8**{pCj*I<4|E!XSOhwfj9W zUfQkR8`fw-oUbUnEo{^&Wx0M7r7uZH@Q9;%)&zVsoF%H;^eSw$hp2y{vtxHMu)b=8 zO3eVqZ<6<3y@*1k(X;Jc8sv2)AvUWu4j-STfJ8g`GC%N;Q4svb3HnX94L0y$G$z_e z@J2ZzwnX}T3!+}fMT&QD#kPUgmy)!Q0JHfQh^{qZbpkY*USTRF~oiv+loWk$XkNNMkBR(NY*jyQ+vURrbxT1nprKXGnRV7dO$>IKSybD)4A znI_3%Hme!kE>p6;7)UF)#4E5hLH~W{C0z*e;*iMAhVkxV<9ipfcN(>4pVZW8*}@Mi zXjyth?j{&ckE;_l(*$FZRAxoS8&K37C-q3!Xm=;Ev zOrMyhi)-_1+Va6){TH#dQ9L^gfwQ~x>Z_LlnZ6xmoDYG!r{@ubCWBGv?`vn&eI&V{_?sJwt-?oR8_-MW4xKZsF#dTsFPpmajARPS8}x( zk<)kI{nVkWC1cR?$m<8+fME0og!%ut=;1mcxa7}GEX+r>DJ+4*Mit`^#6WziHsa)L zX<FJ|zIKy-Y`pKMDo}ZMqC{X}IDr z$XW$-2K~T#jr``vPGEjvp`0`W5yTD`Cpf&k^`Qas*9WA7jC!taq^~^i18R7qG@@2o;iIK{-dU|4;k-JKxi)3#HPH> zCp{FoY}n=QN0!CMC?ck0u-wv)$l?=;b;qW^d%+G2obK_zITz67)8(TL^@EnKS)K6C zJI4YdMYCgrp(e)o9MN}U`ZHv248Oy|it`-KFXHDcP=H7I_*S`q0V-6rO!VEoJ{fsewl8AsGgJLSa+I~HQdk;8p!!rpMBA~2K_*y}VC+{eA z(1Bjs%gbKqXmlN@f71T^zNPk5cI|P|FWKB9!QJX&7{zcTki~cd&fB<`wV;@7cjo}E zja;dFcMyth*wbu)`=Ub=gqGa{y}vF3vmr?6)D_3w$DK(wqF#5M7{aHvl+-nRv**Ph zkagpx{k@o?xz@T$&W<*)W=+Q3{c{42V~VkbZk;yP8#nDNJq&a%y;5c{Iw$Pc~mY3RFKy>cfE80@Ac}nrOr>~bg zEbf9m6xYrD8-ChT_RxcT!s{P25rm5qbWk1a4asE-573L}4KQx5HTwE)7QGs6vH|bM zYgs%|yH}8l1NaNWQTApLO`p>#MP=D-ZEaNb8F$s|#Z%@Y$3PuQwl7qmrwA5qY?aa9&Pi%`3d_riF$rHK9Ez zYRluATG?Nu7-0SFdemn<$u`e@|(J*+kvJ&{aFNy*X%Xy(-hJz}Aze&Du{ 
z&tJaef@ghzg}{%(B-l*(Qh4klLo!J?iw02D-V(z(ED39M^DvL6glr$qDlH+huk&1EOEkkVdW=aJk6QnrefwJd&HUaMEX5)(iO=Bq>a}GP1v2?V z;I0EMU~`idgM@u<3M{M7vNXVP|BdmLwBz#4D-&>|!ii9bB$e8TSc2rVTzNh-b+wEa zupxJ5y=@1}uz4yqp)f$cM)h9u*|h8ZNW;st`+!8nq7{w`-s|lxB&0n2eDbr6pRHu} z2CHuW4JPD1D3zLOd#TQZ=^36P1s#w^sneBu2EDi7^M~}2K!e>79`+*1125+$DiYt7 zu@kxG-GA?&M;`fnQsG0KXWvjZI*(k{t21z8k8?`sy@bTBttMUP;T?1_A-~>K>+G`u z$J{nca~t;{aLtr4Ve-)p(Cf|7MHg}!biS9~7VL`1+?>NssdN7j!&&pWcGFw4%8ruz zJpnm=qtR6)5ZbheSy-k!3h8y8THqpEv;0|aUpB>l^O0oKn-IJ(B7NC}c5Q=~wh+s~ zmKFf|am>l&qj^#lStd`V_M0#R;Z`wbu}r-)I1FVYZvB(PH+a$ukSI4eUg|>fk!D4t z-1_*!RNPXt#3-+WY0zAg=6KSPo4pdydk)N*Q)v}Z9FeL=`UrQ+D$0T`yf}>FnuKhs z?hjLfsT&+o3t9yZ9r?GGFg7nO@sbW?Hax*Pd;&&rte_naiPjuN%1c`jL%+z->;QOFg%f&N)9D9yU~t?7rnp2}$q*Lr?-zdw&zf9qj|A++N_jm8WqLr& zOg>(&-_c*fMib!pnr?pt41TJWpxRWO`3c=2SZSdBj<1V6a(Hcb474+O21ISt`*$T* zNlw-rjkuYp9F3J`h%o&C!e{Pj<0Kb@bPqZ5%374;R2&@Wo2P-<0UbaJzln+98G!je z#tB!ztdqjd)sm$$X4lD6qntdrDq#m|!YrMVp`w~3-~ao_lc6wo`K4stu%F{dAkBWy zp@mZTX!&e`jl-x#n6Hv^GS55_pDAkGFb2C+pWHGC#bst_a2;pqGp$vPVEt%*GcqT& zJqu+N5k+DDE8B1;S$Frv(|ft`g?s$QGOE}u4rP=Y+SQ<+AQTWQ|4UC8JwD7-lS{n3a8)t%Z$K*n^aG^sQWR{o<< zy6gce|5+z3-qxxT57PK)Fwtz}o7;=Wc3l4J$h*y94249WzCLxQ?04~}K2^5$19$hD z=RIwo$-mQVZ$z*slj?bmqk71j^b17#pPH_@bJ!PBB|SZMYTx@xO1CwCEyaS# zYy5~i{4W~oK$H>_4hc)_3AA_cw{ot8BlBXhI{R`_>>}}D>*GTQt9=TKCf#zQE9u7R z%EU?)%g|?*9y!|eo$*}xMklbeDGKaG2p&}tLVFwVE@uSDfw?pF-W$0wB24pEB#+`< zzPidlC{Cy-2_dI(A3^Cq^qE8kl-yZ+YP=+~bCQen4l$o~r*G$`C5(eL&OTV^4mnM9 z^Zxj94)B++RCzyYfqWE=IedZ}!{rYr>nF?>FY?%>Jm}=rI2zi?QK$m_`TKtI0*j~X zNUe!qlW;PI?w|j)kp}o4Yw{dx#xg{h6@N=o$rlYG7Bm%liI)oBymJ-Fe6&EdUCylB zBXJx0#*84iv|C)O1Q!*bxdDm*~@DgNl|^nZBk4k>*SWKJV@o{?nPR(s($RF|A^1^sW{pl>qC}HGsU8lw zfWKOb&h;T6DpT~WC*9lWRQ)|m;lAly;OzSyiZFSxUZWZ6#u`XPPtzy)LGT;wO`@cW zte1LfXY%N7k;O-|kS3NE#jcsMzC;;XUAlIAO;Y?|_r65Z`#Ldgu@}CWQ+K}WHF6Gf za;_X!tneed;K&Z1GR0+Qt3NGwAYbr^kWI>0Z-f0DYA?xdYtbMj_Qb>GBI5!1?c&GY zY=qc*8v)tN1uQz@>&CsAZ5Xew8wYNZAT>F=C}Lc}p_H@(wk$KtTTDV$J z@$TUo@8)Rn%k*qz8x(456rI@Y3S#T>K-OTOI(d5IbxY@dynE%mq$Q|B-0gC}f7iDw 
zb3juAs53@t6bHK)&*RWhL(g^^B1A+cPe581=qt~ZZ zH)s^ocR_%)$bAivuGH(^?PE}T(V$@9C6?(l4gkbO_C@R3EP#8$@37*&-T#;D2#oD1 zf2og)j1G;!V#fr)GONblQ>=?h5qsd1zt#71f^R(#N@-*7ygAL)kJ%8st-C)R4AvA3 z#U-BzZ-N=<0>sD{tH6j?=%~oIj=Jn{RojXv4M&^5J{@Eq1mNTndrI%~@eUDFG)f`2 zioeher~9dKJ-{Dxet0HBNehG-=4=9KBf*f?jZ^Lh>XnvF z7kd!@e31y$ce3A|gTIhs_=nxeRfc110Db*GYp(zJNaRJ)b=g8g7JoxPgmR1G?Bzoh zBrlzevmKOb!g?D(-TMPX<^E4;Mwj|WQn{V(4`%5z%p#QVR0e8fc*J-<38sy(O|!Jy zik^5XYy%sK-&drCtPIZ1y~EcN7X17BTaE77C)as!%y&aBu)qD}5WmrS@?Kxp2NI_nWHbr#LrnIHBUP7#SZVzWrJp z-nbajI3xeKp$54gqgnOqd`)AGK1 z9Qo(0-Zu&yH$>$ZW#$q^W;cMwe$-DUv=Iz{dX2ww-}!U)Y*cYYl1;!Q=64R1&NsDg zkT+xij{o=ykMzW2hC>jC+J7`cVMXV9Ou#f~QM_Vw**)?W>tZbwI*LBRFS?>RIymO+ zAqQO~WyYhDapQZfw@7QW!e`uLBq+bLExyJzcMx|`Zof1NuCZ**(4855J;4m0G;60o zkvCfd;&KwVwoLgC{!E6WXE_Woc7*=3BC$mu5rDJQpHIk}0D^8#!!AtXx#_936y`UL z`&AL9^LGGZ@hXCpeWoOR=%ec(Yb|ECH__B^mY}+H<6ow5AfABiHi!K3C*I{(Ild3| z;m43UL!9nu(T^MfB8+{WKypvM*=ROXwo$UMDI}MyuCz*M2#fHwYz#>FXW{DYOsz3+ zVQv9n#?mk{l*%PFdR;h5^Aw0aqtl^43noJTEY>G6zF}Rv{90YlyT%KMwo*r0^SL`< z*v|GWyZoor{&Ni~8p!%)H&XJ3eui2T0Mi@ufY>0Rx*Ti=PG33wR*seYby@*K$<7op zMd*P|qoI5RNaxE$sr&~Eiv3${jtwi7dXBdg^XFT%8QFmB>R?E->EEx|pYA6n3c7X# z)e8J=F4&O)&K*TGLKbie1P$sp@OBdGn zBlxX1Ec)7AlPRWc%#J7uj?+zL?)B9HVkeRuPI}Y*DysMIxEEXi8BvrXBHbEo1&69d zH0Z2RZbNgU)~j;Q@4IH7jl^UeK~-8gn!XALyOE`UV>;QjFg!FcbGyM86fxDP>I`+H zY9|dy&zsz(Y%4gw{ditT1VOb;K*ZJ#78!0op zrfBzQZUV4twQc&4#-WF|qFd^{)zKI@2YcrQ3Io^uQXVE=rz}oJ`kJ_Z6FLX?{;@E4 z^93C;Z%T2qlN-bB5q`43#CWglbWk%3*)x1EY&yRQfN?{PUM!{ifTg_zl3mkVNxg3j ze`2Tvc_^7ys@@(o6vy83fBYNm6AS>1(!N8eeZ3RdT!>|0Jt+@YLt6VRSo*iv{Y!={ zhkhDSFlIxWDek{Ht2!(FAiQzGyGE0ko2$J!occc7`2*xA+ z?(Wqs=?kv25l+SX#-mRML{yX78Z@_nHYVSGBkJs|-0-0A0Kh!f*h7?<$kkB7Y9#i# zohDRJ{UO=PsoVKs=1Vt~$3IBreRKp<7yKZzb#AEwdP<_wMQHD+;$N-5o<J#J`>2ht>X(5#GV3f z0Q$H?<^%oOm>0ks`tL8GlMp%tSRdbP>zS1)>3bek7F+S_b9v?9C;2fUWv&}D1Za_b zybf56f}K;gth)vvvoCcx6%=DWx;iD#jZjIU^~L4{_I;=GXC9j0^r`|?&W4KJowRh|TF?WdjYF~^m&9&cVR(+2 zkO&^}+n+C=qpB&9^*OtPe!A^AK>P^p!0Wpn{3A#h6vqL;8!RV56w?)i 
z_2-07r{;I#yBMh}x9nCmA>MljFw0EJK`uWXt$7S&i|4%I_P!#q$*F3>Zz(DBdZQ*m{c#3G%&f> z(h*E#UoBEm3|0oKzP7vd1D>aOfR!OcfFj?Fq3EowRlCEay2JS+%w%MP{p$CKm7C^L z;Fm(1&q&I;#AT!lR%giC3gpICT?((CRyz$YV6VV2WB2zs;jFBnqXJf6AM){rT;TE4 ztXvGh)7BND zIqS#oqx=mRUVP4@BT+&gzKdd52j|@U3i**6L%#=!dn_|viW)_spW2q zJ7I+hiJQRaI|^q7W)Au+G-3#C?iAvhPJR79Jmq%Y;O_sO{d?0@GQW?>5xkLn^9_wL zBbUYBTPSEv{IN1il>vE^jH&=Zgi&?a^EoTFJ2{$2_U#~%w9-&Ww+DJJa=SE%p?Let zP8Jmc17k*uv72K_Y64^Z_{}C7$-6nceafxECrYXy1><$8ghYdD0W^}EAi}<{6rIwM zskxON@E`--*bpB?jzI6OovrX}3`<+wmsn`mmL>LP+0_dW< zqS6B!_5F*W-y|RHo9Mi#`WSfGy2$MeXKq;6$Dx)@krSkKhg;cH(O0*6>!j%|mrg^GSzTraj5N#5H5uoJlr!l2&MtdRo&LQ^ zrFMq7c~|rAXY(YU#Yz=b@LP|90dDcgP!{*7iyZj?I;cvG?!`FC;GTCkg5@1(t*iW~ zqNRfE@ics<@M7+EK?mR7vlS59#q`iUTHoY~QC8J@;T)X|k2!srKL}o}+lD6n-Vhu% z>=ih=Adf^NIdZ(!%57`>`T5R)Z;MLTd0S~fTn$5-GT&Yflg_@p;KEs#cSu8aU58-p zSt@lm>cd;H6AcD79KGceA6(b&a`s*8I@=`d%by;D5?z$9QwnMXb=b(&edtOow;hYjF`PFfN zLEG;4JK(1%wg8P{plTeA_1D0$mna;HD-n-X78xp-spGishp)dR{S*`8_N1xwllRB` zOeHSy4Z};E=qEWUBcAwsiG$vp+_0bohF7s@gVw|!X))*3&pe~s6{mw-b^7VrQGl+W2lVZIxI&{WB^Pi6Li1$TZ zlYl+4^2&Q>0dcJ5vaMdpuLS|{k6c0aZkFOJlmF=jz||%kU!E@%G)qTdT&usRH|G^1 zx;HK4Owe}f9QDzWDHEj#+t5DdQ=a`C8iKJa0K*D26Xp1@gg{gB5iThp(nm+a)~$^pkyDdoIRN5-8heoXU=4oYto!vr<|6z#by#_P+r7K- z;2d2lFKN5VlWGTEf4%O&TQ9;2{}%QQLFPROkKynEo6~G5AQWL$ z_(#H8QDLC}>lassw9mRJ<1IxDfVhD3QL(i5f;tr@PA~03SJ>d$% z+}d?pGiBI;XoRm~(G#hFWdWknu-(8ECy3^>WR9G!rh3Zutf0OfE<2bj@%E(i{r;CBA z3J=Kxkon=5$>fTc^wPgwVN7~OeV>3+_Ge^%eB zuRX)CL8wmiMywatcZtJ*4}%whIzgUep#7`z*boG?H5DB zEMmpL>NT^R=|`WU-Rko3vuT1=L94KE22b^*ArTy%Zj}UXlU?Dw92+DFw+SrAl`lJP zQCCq@s8GJI^~wvJQo}j?QMgQLc0!Foj6rU14AotBA{fF5ja(JJRRvj_bfNc8DJri} zRlItEyf&4LN#B5J^L;PyIPpfuMzD@4gS29;;ltyx$m&#)twv_21X70wZnrZp7*$@) z4i2pO$$V3U80i&zPYOb;r5cN(OGYx@3nOtNA4uE2nP<7pBJX1l{; z3lScF{iJ10zAm0@`Ewd^{CteU%Eht=PxI{)zF-`Vjy_Jim>l^(UPTEJsBr(M6&BqqS1vuO)_fp*_Gma`_BpEUtr@6UbZV$f2qow>mO8q zO7z=Vc$^cY%!*5G8ut*rn-Fc0#M-Dv{b5$H@rhEncI|D`n4WO_2g3}Sn7MPYX=MAa zHpr-9IW=nK9bt4npJ)V5CsYPCd0xKeP$gn~=m~O1Tp@z;3am0?XdEvq9k+ZG=oR&} 
z^;`a9tllMAqRm7(sRUq56ZQM1XT;?<_WH&wvs;(!Zp0Huk|L=9ugva~jcEb&%x9oTgeRlCY zKR-X|ey!M7;eAg3lwbf$=T!yvco#dbO$SzF`Q3?yo-xEPPWe#qDI+vSKT@Xt2$pjg zUx_PUQqm@I*EsocHDXI8cetQ6N@~3P(7JFzei!o#hzOm*TQ>cWvuIp+b_2OSu6d#_ z{}U{9;BCXu)yM)2WP8{K4e|y@p^Q$cd6+meHz{Gv$+mI%n{IJ_DbfCI0=qN1lz}|I znuwX-^T1xEbR@+$3e=%(PR8q3t|l<6l`D0K84(1rR9;C9Mi~Z3NJ6VJ)+TmY-gac~ zCbF;!^n6*{@jV?^Mi;)KM}Z?oA4%5f?M?Io+3ywqZ&sDB==*#_TFrCHOeUM(Z6Cy}yq^30*-W8N%5l0l?Q;tP+j9p(?L|`8 ztWZ}-jV5YKP`>*4ryRUjI$5iX6;ZUh$vC#T?xl^P8j)zsm&>+6dmUCil*iK#Z?8{n z1}1^*SS!U0#QzS+DAhs-XYQtmwT`zP;BFto7&R+JfIMKe?5Rce)L&-D_@c*(5p$m{ znajT#pd$Sl?7Q=~p!o2Eo^=Lr>dKju-L8^S@fxP6S+!#@d0|`A} zRv;*7Ir&o&fp>W~vZx|kY=5w=txp&7gOl3SfIC6bS zxxUf(*JNy?2ToO9HmYN~cf4&9L7t4MJ)gFcnzRa48rYHEd!2VcL@-9tz%L@uU@tm( zWi@Fcb5?t`-ZoWggHr4<-lrb1h_a9OFx=DX!&Jz+)PIn0bG%vknX}r%K=6iHbBj56 z%YK1Oh+mODaBqsREUgCL04C}B9Jel1N>USWQ4pTu+Nn=>E`1jE z@&2%31tgUZnGYLt|2xCrUr`1xhdVlh&^8`!kCK7e!E!)k>65vl8ZfC3J`Em#`9u;L zQ-jFU=;6ssp46CBGc2S7B%Ct40fA_hK_U_9PNOmofOTsSnC)4+0WX;;@CEU}=H_>u z%Q#KZf)^=~#Qf^JySrc@qugQEqM(Sy?qYw&;mP-!K&uJ?W*833e#ip=2Ug-}+kC+F zG{p40*(rD$1>y^NHV^^J%}++eG5Z_r*J_Wh)}oUE9jRp7EeqR5iwMY(*#g9%f)1d1IU=~Ka@i|^WD1n^8Y-n2rlVfY;_-0j{&_Ka@Ev|Tu*Xy>N>_^mkdSh0(H-mHT+|9n{Y%^^u))M^=qj2ag`LEB z6bBqv8q9+UCz!d#lXXxOPZ(8j%r%~)+ja5#L!bJzYSTFZ#RTV`w8;XxK)&?Bcf}57 zM4Ln#OT8mulqNBOvRzhT_tfq^o+txbZ+xcmw>{CPzUiqm=-tkC-HZutjCN@HMrHyi z=h&ZyP4^6Asn~-eeO&J&%xnU;u%wBGks$(%Wx{ot9l23b9yETNg(Qq`7)$yMP?Cl4 z6-!RBPoIVeOLHjEU(|s{>h}%Z#s3;3{Ou8%M*q`Q0O&-t03|X-vVnIawZb=_4wtkF(?t2gko5An^^R+bxQm-R$wg~&n-v(o)NN6#I@BTcRAMrmsC@!v@Dyx_}!x|+cla^9~!UcpQ62Ga6{9SYf<9_TV>Hp zi+{d($fm^ec0JZ((PavI_npiL0m-NR8H%3r)~pO8QNk-rqxy*0SG8GFo#3AZ%z66?y@Z$yKDdHvE*Sgz5(T3G@~$h3|p zUtTMiPf0&v87F>V{ihA~+O$}&(1r2mc{ZxPgfqIFm&32tRPgzW`}Wpac8NbUtW;+= zz!VX(y?Y_MU-wNkM&w)ydj_SmdQ~a58yjTZyO7MM_Ehg_WFoB`VBS2s)9BbUbYPJZ zarIW5B5O}L{lS>$+Qyq1%l8d3#JUyq`5I1mGZfw_2=d{<>$1Zo&O+&G)6esTUQHq@KafC%TA z)#J#plKQQOwk8bn#pOQ@UO$vg@mdb7bFOrLdbTobw6>2`o0)=dxHXAPfC@PPP5} z2e6+0pgv^SeX@o^P^~k>;wjN%ckN5dg4V=NKn*Ux@iHtdw#T8kuMrx>9_&U|(`W 
z6ukfVuuH*00kzfgV8=K8-cBd?i%z{%!?_VzoMQ@r*AZRclL)R5>c>4!ZI3~=kIv(i zS%!aw2E*|>#EthGcr(m{8|q&BM)2KPG#WAau%Mh%V4Ccz4zFr&88h{6BT8qpYU$p1 zCiUcRyZK>F;qDa>S8Rhgr)=fPjR?7e1VzQLa=7kY6-KO&5=)X0_C-TW%wF80Ui+8^ zwyB+Ej9x|EjzmIV23qyxG-wcOMJwxaM!KPA^d(a_+!uxHvT~y5EU;#j02So;G;Huy9xPL6sjn1Yn)g zpQlbPlZ)09B^Q^*%siEf4Pxe@%y{89Or2Z-k!1W^0YEu1@) zTNCGxq_?hBUpsl7ZIC-NYgAf~Bu7gYYuJYiSm79G&3^sQ9Y^;o@)c2399FZ-{p>Z} z>QP@?SC{l^k3^A$;RB)VmoHyjU03Doy5AuoA%X4el-O5#g3seNTy|d9>;`d}^rFvH zo62o}Mx7t&H>(+)*L5%Kdl(r}N)cK$tuhaJgWMG5N`&qk5FxS>yCh?DXdfrAW*T?M zukJ7e1Qrhplft8CAR5X0y_G}rA0d<7eeuKKmGa11sXS<4?xD0O?>lV zliZ{5U2TEj2mRA;Qwfd3u;#9=y!NA~65p~$d_<#TLj0e#>#wU*_!0rmkJ(knpk57< z*qtlT=W$PVgzfNk~?YKLwUO|Y$9~Dfn7JLHQ2O4GD#5YcfRc47Lp+EkwSv}Av`Z8L|kBS zqX?Pejn~(k7DG~%tu?QgS3%DUMuxYvUT{(U_)=p!Ie+Rar{2U*8goGCy)&?5MiApS z!Y(iOIlV2V)sTC8$rd$()g>V9%ERxZwnIY3g=biT&CfDjgO%Ftju>B*=uGdA3uT5i z!b@1(77@wbL+BkLR6kUTIJ5_!=*8`2Bc`6!1CMUVebo?S-5-$|H0OX;Rw_HRiwn9_ z#N|lzU@{36I^_nGFkH>NY^6>LFx&Gm=9jp%ywH3vX*}A_{85LU?C)z3=Z_&-P&@qRqS?^4%o5pG9y7%He5d?00mr$#*4` zJP$f6ooLJn%|~q>x*;;Ppfq@ydWlW5g6e>c%D5t9bk;Y5*#L7)fd*18 z2BJG@vLL;t9#BKhuy3Vm&oI`LY95aeP8i1pF@1l?fkALn^mlRLP}owR#nS&`7N7=k zkCO|+r$GwVxV2w!>(z_we#;DHD?hE3x1pUB_xMq>Ml#cK%uQx_7%SgIav4OwAj?d& zOXc%jh?zryTJAV{fwccz8so60j@Mk)Yt4A)NH0RAsU7)U23hk&z_a8;2$hZk8kW_WnzqODQzqd~)eU0W`|5)?l4YJUnWUuJ_ z{nhnPHUziCegrB~B7YQlY~r&wiLN1fFzFPA)mI=E~^+~{kR)e`n<2ScAQPD z6YJm~b-vRfcFuGCSC<0Z^korBJHQ4$xIa^~F>6_o2pBh|W$Z1d$}`mZ=cGv7B`}CC ztM^0E3~kRv?v}Mi>4b}3a&(S*+sghe`A9r7opME8J|D?kb*aFdIHn*3;if9vY;wMe zZ7b@>Wbgkx_y26d3~$If_HA}Jq@`Ua#$k!Uy=xpi*k>nh3D6!(uxm0pdO31f1=>A{ zw09~;*j7wmLjjBkWjLLVdf+40d130F8qJS)R?!fJrnjyxw~4+1UQs9-OvKMwrd?Fr zctDGV#MG>7XFXsoT7wE7c`v2)t_Vo6^1VLu<(R=;7^q(erWB%1gFdJ<+{IRTTS4YM z;eW;{{&_cA)MB3cQ*SG{SbvHb26$bg2WBUP5qWKK``o_roZg(c;!zWk+2p+U($A)S z>7KJteGlvFo3`BB9B6sZJl>PR|G>~(x0EMAL)DVQPDj@k`3Zsy~r%DRS` z*Pb2RU7rR~odT52c)^j+bfBHKf9Q;Bbq@JJ4FgdtGRMN1) zK+>i~Y?S%B7UI4oWA9P%hGd${A~y)?EOYDjJ@xEeYd;PF+{a)M%*=zD^@CD6@|_Pz 
zi_Bg-ayPc2JrTHQkB>r@IBb@h?Eih~{3vn!Kz*j3rr>wd8WE794fL2VNTPi^i2?(n zFVU?Mem;DOgSTK77E?jn;nfmghw*$z%hW>Z%p|2@1^>BYqnJ0+NOx6*BZ|c5(8HCf zkG|m{nIhbY*f)Ot#xa%P&p3%xHl<&IMBy6T1nyj=hL?VY&elCd@CUq?zJtWMDw|0f zc87>ITySgiBbgw-EwWZQ5SLm5$zO3TvJk)lwVCyh5MoO2?JZF3P2I~kHLI^RTC<0K z&MT$~$1EH96=#>>Djbd*u+kyW*0`eIKUpWU7pa<;cObEIpie!=b*~+a>@4?gZn-aA zf9+wK(vL2kazp?2bBXV*6IK8Atssec8vP9PvO>N1?s$69n#w}dWFt7(?ysbQu%iG* zxFqX$x$;00)1^y9iXH#OK1lX9rX#Jxl_Crl!{GO|G!3*-#lVFcg$gDByIDyU!ZV^< z%Cwv0`rJlR`cfz>T&|U&OYL^0WT|USE-89EmpV_r33$$@-1AG?{iCPrX48Ll|w_W&-IVL~Wy)Qok`fFs+M7?G>aRX-kheIKT(&=~Bl$3pt5C<~X>Ll|r6wBZa z4sjr`$NgB>y{T3NG7NzA(_h?s?Qfqv`w1P!f~1yzyJUtaJP0YKkrnd6-K{+o2gA=^ zh0k1wxD(9M!QWfP=9R&xUhuJUK{mu>=7E!k&u^tq=NGNl(iee>o!r*=s+`jC9o7R~ zo(Y^X;}mbvjV`ymc)=8Iy#06m5kjtn9o5#Tj6NT}o}`sGe)ck}7skPfvNn7QwfmY1TPCzX{El-%2r!vEU{I z=^DeS@1690uBDgZ^3JqW7XC`f&yQa!IFN>UFo-gYKC31k-y_qOo~)Kal6D;Tyhz=8CtwprlgJ>=2Y43D3yx1B0&{N2gQq$-%RWDqeZpaTs71z@S}Aqx+2m0q9P{MP95k zw^egGLaMGgV(gW~oFIf$4*ZaI+eGvnc^jIvGCz~w@9?79VJ>0j+OD4q9k6}C2H=_^8*cgHd>qg4(> zvXY6E?_*?_bA1*w|t>-v?J_;z-#Fjy?bB%AQ#iVXZu8lV=! 
zsTRGx$2w9_!D_RKF9beGmXtpCBp1IqNLokAnH)9VdbPKsoZ#kKT4{sWw=&_4=VPqq zTx-rQZQ)oeUR{b6A+X^@O&%Q}iRTbnNqX5vKOn+sjNsmYUf`VElX2Fq$(eN*esm!F z`VzxRw6~?Km@PvT-zY)RG+&sjf-8mjoZ6^j)O)-@|L_vqDEX#gQi%FD#qDoIBzOg* z6+AB{x=lw{sdoZk6b64XEwC9sxRpL8a_hyfRgwV;U2sF!(vQHT++N+Lp$s&X$nx6K zOJ=j^{u2r*`hziBQiEqqyCzYLBvBWvSVOek+&e<&_U*~BLKicl{L>fdiMw7|S3B>| zdrdR{b|itaLw4VC`JpD1A-!125Nl>o>16U7xg8Hy--3N2NWV@ku0Tj;v=!RlH%!`D zZ*v`LwW>bf02uBp61DpB%|WeURn;@Q625sh*WaQTQ@fdi|8S%)bw+cW^<@;sw$#=e zbaHdq_=oQ@tPC-b|8Gk58fKi68`xjHYt&Tbdh!CTM=JBc3%Wej>I^EH5*>7 z^*k!ZA+Fi$!f$b^2L}fohP{DpACLl2-^vHbbcw|1eL51x%>SvZi05x)c=bufVsv*zi3%=XsF zA1o{4b8-|Iv(kD}`R@kTW(+(?m_q7T^LItBh(v?y--NocbL!~70JV@~A%q~gNc#-a z!6wK}NDgTe8mZdGRgvg}@9Y{QDD|w5d2q~^SNQPnZ#Tvndhu;%xBR|a2)O%k%LiU{-m~opeaQ~G z1;vG+4r6JgM)u&Yep70SDZXjFQz+b3g1P+-E(81+IMWiLb;rGKf+(5Z#S+x|S*Yvt zrPq3}qU>g(LBe`}1l5lx9AVHp74xFRr5{GkJQ-K-p=X7L?nft)P1rx`UK|QZ9?o6I zU`Jo>F(6`Xe%;Fg~Du?UloC>ezDs4cl)wM zI+0|#$YQ5Szxhr;rzDHB)GCx1r36JRX0FSDKwtl9$&@x2-)gyx#`aOmN**e&$wd&N zp-EnBUoPlqJmMLMxdKBF` zyyDW}{HFqnPr`$tArT-&ZWGQTRPQw68+$j?gnwm~7N4_tK04R@Y7mQ3cJE#6wE*gO zvV)@Q?DlHRDSwa1*un4T4I}sZ4#p~8yEDihK@@$?vMuoV(Rmj4f>|`aq0mxS7*Fbu zZ}&GO)@ajDqJ5?BgF9nThi@@naoT#{dB34a>Rv^AR``fVS~I+2NQPq$F0K7g@93%0 z&~rzlLwezXzhja`T9bU%W6u08bRLm-l+;RVRxBW!R^9Z1z zUxu-yWpauy+mZV^3|<@Plcz=qF&1UIsqAmZcLu-^IK2le=E)Bl(_uDi@De}|btdl1 zyLoeRIN`e#FMsabg~5%|?~?NuH9Ws1r150@0Sn^AWdRRowFxvTH2t#NrB&{;<@E>8 z|Es+saz&7ye%(_2<20}68a)BJ0MDk$UENV8u3kGqli2)vJx^4IoStCE8a(nTzljxM zvKf;t-upEk%ZMi~(;wbTwnrI%*!5p^g!%-*7;~bKxB~NH@T_QSH%zC%xz*?AaEks> zl1mGP{wMWEUEh(dv+7#f6pPWRcDYI0*7r4Ku`q59|1B;=uok5~214DN>VdpbvdWx& z3kpAnLK!93^f{*a<#+eTvyPNrWH+3H{_mL+Hj~!!Y8)F&wXQL!)XYZDWk*a5fpt1| z(SZfopDIolNxoDe-d@jRg}NQ6sB-J~G*CL0`&iwTn>vh5c=Gl@d>>GT|@4*fJ;ZvQ#NYu6;?^_ydFhPF!9(XF>%=UjF> z>*CIC0y5a}YjDpLv^(|Dg9A*4p=!T6rQIhy-8Y;6*31J$dxw#DHqQu^rxrWHOKP~F zsEN4S`;T$%H_cQN?V92Iw~z*FxRdQkk|JWf*v;Tbj){W20$~@P1@1WjEs6r&_SI+U z9h1WV<24alFQDOP@ccTF1emoSj~?&atMaX2|G^vob5i6d?k~bO7LJ`)Mh0d~FrHJ5 
z-SCJ;$FPcdSbQ5tIQx#Wk04o0OSd|SV~rS3P!uV6QlEXvZ9wIR*=R{*vRa-PD|K4E zFimr+ASRVQ)kk;=yr@!?@R#jMNZ-|1myof+_3PM#A~0F;EJT=FzRx;?1flexBB)=1$o!J^O61`)Lgw!5(%} zJYftEMt}b%HvqEXpb#BVl74PB-GV$xoxs%6`25mX_30Ez)=3&yyND4FR!stYs&La0BHiS z)@1t|@Wl#3fBZ1};qj|mPA;y2@9!hl-!r?%>Utjch^1K#yY{k! zfi-FFdO-dRpCa$Z8#my)n4VmOQ6cqLvn;)%N`MSNb9>-qV{n7s;5z&-qc00f_QrRn zmOo-{dpb+uPD^)95tifcg_#=H<5(aM`oNU+B#7Bl^l66Gb5kIEUo=!OW|0a2P=P(I z;kc)se{_8O%|S`aa%0csuPkAMbJo{LCg^{S5G>0ZC4IcNVm8cHI)hH0CJBodb@lJJ za3`M{_P;7D3k)C=#sKqr#vuUrr zqp6wP*Vwb(pMAk4gnlFfF4Qu%HeY>=br)7rF8>c~DvyeQO~zTJOK@Ctt%M&Rk>K!u11YQ z7J;2zk>2ixcZD!hhF;rP+t?n8Y%LV{SO`Z_BgK($Z}nby#;@0^W4cy%>m-y>j%b8A z&$6w7Kc*w`qCU`UNF0fqDv)RAz_<^M1=+sPt(!9Z{t^Tv9w?C=74js~9zyw_aezCtImW((;fIQ~eRP!kw3S5vqB^-B zxJwtP>az(z@l<;ackQXKz_$Z(n<&xGLumbw#zpJ4pY?d1wIL;Z6C3OREbHkD5jrEk z?voPwzFt+PQ$NstH`q>Naj3I&qyEMQ`|(f9QQPhM(}JJ&`?>b7y@Zy z18+5S$pZocPL88}1PF904gKymx!Zp~FxJn1ceuSc5Ib2+TReM5wHC_)l@yk)UJJo_ z(B*r$T00ki8y47pGg0AmNBXcr>cqIDe>*!hu%~~?=h@e{v-qTSkO>&S1@0`5HWY33 zr^crnqhBs~qz8gP#9~rOd6TTRjt-|y+#x_R3ir9Rof0z=zrEOD(tzk4rq9HvOqAG_5hNkNY42YS&4 z?5ap;ble&MvNsavrG%Gm7cZlVrjRiH@esU(hoihQqaq0f-X37tR^wbdQ&=)%?7D?w zoYRs$+sSE&QguM|l4Skr?82z`szBBqf^5qyciE^UoLTZTWlxv{)@#Pef<3?Le!)4jqlA&`b zVmfVeMwm@vu3h^3+^^&9>a3-(S;)mF`suID5i6s#*Qk01eg=LUpOx#9x|Mn>@KIxx zD?7gZ=pnx&sUW?HPccstgHej>zsR#1JhQZ|ZC&=gDTp#Qf<2_1YGSVzbx)+BcIE6% zDysYB-OJ3P?OHf75M8?4{Ir=Sttq*ghDKPA^BNnD-n3?X5_|&2;|2!+M>yf_zu8XC z@)8b|`^WTYM4XQc2Vl)km}O3e`)<+b)D$)8{kBvhi=@~*uqKNhNZ726TW_!dqy;D8 z8ZBZ^CnV6Cj$Qiq-GD}$N|@TO!{e~=^KJDYQ#@|VGGgbn zcp9hWWQzB164VHvQ*Iy1r?9^+2j0VmH7CJAS+C3HrH^8|9ARj2N74?EiluoiE*GyOoa;{NX7SWO~^b5ykYUJA_h2Y+59qg@+10tN}ZE#q^}Y zgza0SZn|9Rb0ER`h(XK~yvMf{24z(!c>ymt>M1JYuYStewMu^rI3X2X|B`)ilRWK9#3LvaKx-)1v?<9g>zhlf1Cu7=5w zQ7x)Q)-=+!W4p%t{TrTuw)>=!JQj@sUrKKm4G93(KKW?WKL2EC^sqFdb?H8Y$%b|fo7USosoZoZT&anLQL9Fl+$OQThN?2N%4!O(ggA<-G41|$<(}NqD*DLn$&!mR90WF;SH?n z_>4cpBg$M(b45y8(qdL8U{-kxoJu|5(bC1efh9n%paV4SfFS^_Kdk+#hj~ES{Z49* zfARPwBkkQ9>7!y?;M8yb~v 
z>^*v(Au(&eU|Qj%y!)JsAl=-b0kSS#u`o##wC;CiBWP?`XL!ulQuamgc*u@2sEX{` zIQ@}zCSX^H#-!~-`~V2$gGGz9=L-pO?8j`3bj~|(rE_B(Fn=866ZiA)U=oW>nQfEc zR#2#q*t@rr)Chq>X5HeFZL`6-rknc(#sc(Sf|jPI-z=+yEAp(^XC!~DGF%U)JbpGe zxKYYE_UNz76)OLMS%k6S<9IE4)#uPb_Rc>tS$;}}bqZ~inoj&p2oe25_n@$kD8 ze;x>xh;w-@oz_wzy&I_JKn+6u;cg)M&c6MPbm+QQu!n?5-*ZVQ{ZpVO<)EJ?`Wp}4$2hYJoZWYxO3yFAN#_U#1RGsv*6Zx zm^x7s?`7I)m+@>Q!2JDFc-8Sh@n^`TP1UAp=iQx2D;a|v;c%SP>I~31TU;0T+)y*V z9ULtlb{leBSIxQ^r*Q;%w{8Fn&YlKrJe?u_Eol&el%NEx>_b?$d`GU;WPWaO256qGb6v; zy9UgtAsb!NgDTQ7so)q=B`-~uK$!Dh-8?J|Cf#%*0*p=D7J? zznsZ|d@BDf0#>0U_%y0r)^>@B>VZns-MDLvXhO>8BXh5`i;5ttRyZksf1IYM4bFQK z1jfGAJ{A;L3Qn5$x*G8bIg4+rjc&`xRB<>?)3Fz^6#Y`Kr2C9Fg}^M7_7PxFCtu7^ zO`$e6UP({#p;oyVsM0`kL7eK=c0Swa^a+wy}U$wi7p^F2+ifbHM?Q22_K z>e>Yo#hPVxIz403!wizu!_z%atXlF(u9*(kB&H-s(@==h{#}XkY2coY6XzUZm>w{) z%&UBS>fLt_0x*RN16%%DKG0*m(DYI0x?l0L%*3$gCVMUgpz~OSQ0Y}PZW25}Ouo>u^{VD)bDY|9J6pyN9%bNR$&q>*d|s2<0~Lt>;%hK zcQX$@^v(fyMvV~&E?V6Zy5yzW@7Z$m8lWvesUjjFNwTbHRj)a}zh8Q6Wiknycij{! zH{ms?lXX}EWSIq9oxJx-{b>K9*gpD+*f(Hq*wBY6eq3qfbpw(81ACHC7qK7P#`po) za|d2!pOhA@wbCdWrpqC2RyQf@VsNcHBesVJ_c8Pts=NAO-3!bi-M^`0{4AnHuv3Qt z%I<7p#DNRNqpxzRUG}EwaH_ftlx=~k+9v{WY+oaH467x^-WE7!isK{7CvKKXb|kKM z+bPl%wbjIXb=APMt+8{Kgr{41bpFNJHkOgtbrB98KOx}j>-ucT+xUKn2F<#XS)JA< z%+-I~U*Lz=R@dl6bC}y;LiQF$F=h5V?_&!{H2UjBx`6_ck4)cMgUN|#M-D@%?N{p> z)&$Y8#e-2lbYBTR#8LGmdHQnX;}R4VUDhdhe{vL~Z+>5?6pn8>s67450#zWOQ&hHj zR!Rd3@OVe!jq4ej z2%s2y)~}7emI8}acFbv)&UlH3(U`+P5LX@Z8zjj|tK}WlsEXZu=bS0g#GMYWV zbKhpfaRjTZQXuz{AM?WyLKDI(u#bqIGs{%#HEE6hC?i|^;cGR8Lz%ygH0cWPH|1K- zmH^JA$QIU#I}3=dx=bYwDOqE-Lwg6+x)XVes20J7jqI zTaAN+3v-|^)%hF=!4+ZUwZ`fr{~#Jg<@ta2((+meDXH|T>^cTt%M_J67e$U_@kPw) z=SOTnzT%r4F;F=BA=VXXGYZuK87lp%5-;jRrJzDR2L$XhqLpFOZ2DIVm10#ZJZa^G z;uQ*~l=uFC+`3Wvp^=mkIAGDg?;AA1uMVjVa=7k=A2{^v}7js zNV<1y-xU@Uf;;)9%Dbf-C)Wi^igM*ziwHBrUjj&{58OEcb zBdN5L)(m048^b9<^>N~dL#dDrv#g8Sg8qa0B_;+FIc$=RCt||wz|tTB6HYp(h4cVf z_{#5Tcm?QAT4WC1rP^-7V04ME{*?ugdh*mFw*ehR(gAtVaTNbyOtjD4n(5kp%zB@d 
zZ-vLgUcz)=sXGWiYD(JO$ZaLLb>Fm;!Q0PMvr$Oluq552apj2{X*(~oO*CCa+jBmc z&1({0f{@!m$XQN)2`lczu-giG$lkgXX3SNYgd{zG1W>F);RpJaRH`0QW^((AsN8wR zOrpatsf++AK?vtc!Q%-4z}sDBxf4h(XyV5c0F0XNub3vczJf!Lao?-s>nsxTjZ~iw zB3EifiCq49h2leK{GaOUf3oP$#k1+K$n0rV+2ss=v1jhE@B7J5)(~}<2^J2FV^F-7 z(Ybm}S&3*&jH&`K8{ZT5Jm50QsgDO3QAU-kj1h#&yGSQ0s&$t-?4nC&uaIMUPNK56 z4u0FDr@XycGaH5Xv6dWTWy`gGCA)dipSx!(1sCF-#ml@7b@cuuqK4vgK^3q6Dl5#A z?Oeq`_;m$78%Kjw-4PHG4qwO;1OuqSD(v!`1FBn=uJteWHQOWJ9nrWc64^Oc&7e4YBS(_@hcWv2KM(%$~#bJ zIK=_UnSI|lEdvok0ehQz%I~iSGsE6>*uyD3hd>zStEA?8plM~C@7nh;;lv(!+A{LX zn|r3Z#$*T8GFcqQoTZ6W$^nk2OS!0i%X!_Y84znv0N!|ymrpE_hlB}wTG568g z*?C}hqT~nBVV(6{VAbO~wQ#J@9n@z$(#bRex-&jL{z*&Q%*z-@H12SAc9tXUjoggT z8vbyMQhuEZqTH-EQ1{0KVH{T*%sy^v7W0)`sl%T6W*m33Q*Ahj6&Q~3i7*6d{wKEM ze2bg?+_VRvMIAFpRIF)XulVged zZrEH`{}XfmTjBH91E`dN0;yq##8ynQQ*l@81S50F38Q#0M9Yn4#(fKiogo<~QmY^q z$Vj z*eFh4s!eac4Hz`V+$A1WnJg9D`bM^Px6vX~L{l_X!%Rs&d%k=S(BC$a(KVv^lSsSKj6|^e zs+p0O%N&{@2`70{twfvZC-x;L!PN{~ylaoi898ut7vbn00y#B$GuQ-w-Mm{vtdQv* zr2Wa1YBf^oBZEbfde5xNjZ5`OSvCd#k4W2?yl(>8$__^E?EZoDQ!SRdAvQc#)ImrQ z44f$zqudE#P6C6ppx>StZt5rc?%UTx!lkQVGZ9J&2fEHD(W|q~Gw7-ji zve{`z#SQ3L%D@c`3rF6U&7HV%?QHzSGLAsg{IF_C-L&Z*cdLnX_0`rh*KBpo{UP#h z%I99=+^FRq#KneG?zP3gMElfm3oWV`@fz)V4C*XWIBvr5T^1x>gRtXDp$y(fZo?j6 zFjzuP7F&4L;;C#FzkVKt}O{IRi^}+|~M6~ybR8JK|Mn?V-$=lxr6XDap z?IL~17S@q5dq?~K_%RK?+1+^6s=X&TyxAm$LInA4vsd{^X&Exq zGHEQ6<7i^>P0$*#(($yzWO8@9(*2tHb4ve(*RW`AczW$_)vIb5@XGC$&AGmNx|&FR zix0a?s2fGBqK_Nt&#`-21d>=^l-{n{2Zx8#Id&8ZS7zQO0D$u?hO#|esk6Y4rrMq> z2BcaC$|(XJ8=?5y3VxuZmkQ%j$9|bLpjQMMWQRX_y<~b-E`8~|b_z1^$CWzk^taGL zriEA{{<{24UFz_FV%9Xf7SJR&u z3g*Fd+m$p*aZl_wOER|+#P^o+o>${S?M`5FNGWFH`DEw|qBSI}zt=x$JBA1upC5JO z*}%ZZ2J;2h4EmyO^^zS9hp%!`ZIMNPuFzEUPf0fpWq7;aF}I;|9#zx^Q|eP$KEV>h8+pgfr|ra64T~H0xZAWUH*FngwYpbV zXw{d=5=P*@b=YrI*_Eaq-Zm!-tFIfYReE6@lmI(ApJW=TM|>{_2=9+Zi#*_+{3cB3 zM*jlSUj4_NGq`^11mQ|3al1S96M)Uq^x!JA8|C@$yHG3@DHM~|U2hl7MpoR`eiU{w zHE*MjT}vf0!VlX4(ZK^y1`n4z8M;@5XYOJ2z^wq@kpfhm&?Ki!5MlFr=l4oQ;p}&) 
zlB0~Sr?Uv;{%#M`RVAypUw%D=94T^hcJ57;JS9|bxBf8u;`zsw^g!R*i_E}%?fv&C#_1c_wq*vwA?;@EZUdXce~x8|m`d67$)+1+9R<7;BcI8YHD+ko z#xX_wV6Fp2K0ZS)qjH4w_gMhrHF${fUtr|jAo8#tb$|m z${+FOM* zsX4(6OUhb>VM`KyxRb2MDfNNXtDlt@Qf}B2^`*tj%{-JV#hiiW-1oyQc(nTM5RVbT zxW05#5Qp)2xz*Q(-F!+Uvh~x-o0>K|t`CV?;@I9Sjm*1lB!`6IvYvs7^`kneKP=+^ zSl1%PkZ7+eRv{wW1jAa~_1UHT4(SOnDDLf4PV3a}nNzX9@X%Oq=|8wYN`DzPrmuuR zq%bJa025*qi{O_G@XRLI^8wST7iBt85kO`OyOKk5TTc~+;Xjok&qjoIr!ZwjADe`o z)@>JwTv?iBK?if<#enI|gm{#i70KYcM}o*re6}xkKr~ahBvumv$@-0+htWr(OHDRv zyri^u!aC<7DBmTm?}OfBRH}OV-K^eH2(Fsd1;yOQ-5UA)xjWiVva%(dr~5F~l*8^I zh{l|_3LY|({6D3t^RtA1dT#r92$Q+EaH0`5lOFG!F8eFct21~{Vh{L_i>2>NzO4NG z5`?~;1|RE0u~400e4B^jBPp3>G;}&F&dO4I$$~($G@8zqPf76{((kzXHb*rch$YmD z<%w2FboU-*8Gx&;sF|Cer>mCdc|7kQ&B=Sa2g?gQJ5!n^6>z8lLAB5N9=~g|Dc{Ch z@&bEY6A`Qsv0vrl3YSY$W76f)zcH-~6G&QH+uHtqz-ikT%V7C>PdIIwevM4CY%LCUO)ire4go_KSvv-);U|GPi% z@3!qnQIfB=!s4|bP;aq=e$K;oue##x!+fdoBV;YhqhO4X&De;BVo;912UoICrsYBh z#cqoxqVEb>|C#xvt7Zp+4A-hBnN8RancM#8QR>r3c*HV#p&@{>sjk}~v^&bFmw~@) zZu-lHhd5cdeI4Gj@J1f|@w5LfRPICh%V7lFAD5QL^AUqgvdrr@s+e13BSr~bT`P{B06{9V0wdb z0kodKFR9;s5#ZLZser?UNzNUBpPP6bT@j!S zLg$7Y(Dr{e~=O&mB3R2&*gDg{fE-v=_yP&cM{9bRrIo^%wiM^|wLT;ztm>&-CTgB+ zLe&G59$qL(%SE-yj^mnQ6kz&e8P21sQ4S+;_hD@~-B7W?P;8Fq@`2E;|oHv1_;Z)>8n=T}_p>sU%vj2}uyQjWxrT^+1=SNd#wq+qE+ zRbZP%&xTcWzMR9-DaA$c+`@8h2&YaRH)K+E4uIm{hFDEb^0tHPGyncWd%&)%4NT zh2`>W6c;6w@-#zbF~MnKEYc^(9q7V$=D0+SKF3pYTjPY4@Z<-CjN45DPg9c6YT z(jamilMZknX(1@~W7fOuk#Z2V|2;4G-$NfxLsZG{#^&sw^lR!#lEyf3@NT(H+zo;d zZ@!mx!ew_LpMfvI>c9IPZ4tXJN{gC9SNZ4K?BH}Ma?}z@`Xd>eWQ4U|$_<}Wc%1Nx z(L$iH&@qqYxRkQ~5^b9gk1;^IsxDlY{8D{WHgG2;>*#}=dr+&o7nh@$sDr&-)6ig4 zSp6l%Igp^y=FyQ}u4}&Kr>u#=$0@tRl{Hz<`%u>7T_MZz)KCzYWihdF&*^E5ErI5q zMz?Ct00fvcf1D{y8wsRRoG-NlUGN^|%8WhD#WX*K_C9PkPJ{_Xpi&vXq=YC`w|mjI z@puY2VLf&PRy~B8rwfD&paGmnRI^2TgpWdtI<}ekjt?}>d}7r3FyOx621%;dC`gs1 zN9@)~Iz3=uIJW2l3iPe70#Qxw?a`3sHWB!JR*)^@j~P5N^1f!0^wW!!DC7?qi0xa~a`0Hxnb9bd={_Wr;TaAIm}j z7r)+r>_)MOgn}}1Gq3;V;BuH&XnR0Bvass9WK-jMqUD{-K-(2p&=wE?o{Td%478y? 
zMemHHrY5{@R)2H(ty$xFWBH|Y#hbrM^Wb-tewBLCKGxmAVuQk|4AiNG?O z%7rRDUf>u4g*AFjQu{2dz$y5kPuy4O?p1kj+ z-?$=G7MU;14MB_7OO3EI{s-(($mkG#HgS?K<5g0Jv%v+~)uIJfil(LyX(Ix>Jd&<* zKS=FM(CpK%uhCBP*llkA_hb0);#dR+A#GTmPKorxO!_f!e)Gn&RgbcMte7StYJvtK z1e~{ObR@{iF7@<b8HZK})X%O);qW5#k&2v5`dR$Y-j{|DWmi3_$jY(>4S6&jU zhUKlC28yr0MFZ1MtKt`q2e<uhd?t$_XF+yiy? z!>zE1vXtGmLd0hlzoAAl7A8sbW8vjwXR1>>O=71%Va86>_s{z?0_a)ylx{@g=;>&+ zpXk+jRJ6>psDH32B;9fq%PdvQ0K!Yo_>X2}UV3y*9`%aHaGsIn0$7w4rG#O>yzWA2 zp8Wga2dEEnlRN|3Q(IQih6orn!m6vaj8i$k1RVCL7V6ErU5!W2;6A;BDT!m4F8A5L zLXTuQx^W^r5qJ1mHS>9WD@b(4MbA=z{@gKH_b}#1m4==vN6iFb7dVr|fvVUzA4utB zjP*eE5kBMfUr6kqb98@F#d^5-0*UX7sqNR43_G6P@Kl3+9<;-)Q@Paq~1! zgNUDU$Jwrk*iKKDn^kHzrdHo#bpSo$jhaU{Mm8!M61j8^Iw3Uq?hFSOd6&7hu#r7b)o5_aiaQFOWjvnTLiq zCCL?PTJuL&+FEEQCmeGWkv=HcBkL2p^?w6cVEkiD8b4k~vZWO@`;h=48)szmG$DJ1 zZaaHN{rj{T(KavYVLVoaqA|R>K~UURrQNFGb|Z=a>eQ46HieXwA`f@9#Q?`}C zTw~qXqp9JPAO-iG(EW#j_7LhBg)v`Jg!3Pl}8p^DYOy$Y*3>(Du3q- zK8$lZNY1NeasW+wP1!Q=qriBy2eo;m#{0s0n}o|EPp?Kvzctr=@(&jGDqHkrzUXZP z7c$QughuXAoImhQkL|~sas;C!YZ?#91bC-HC^3BnhmUjUWV&pXo<@Rt?H1(~!FMpu zd3Rqqre8vY*wmEe?3%Tj%QT4UN72?Iy>aZ-rq}U@iK{X|)RXx%+-00GbqeLI0d&?9 znS86u>zlWh3&P!7y%yV;vZX&Ym>f~!RIZw@LRJHny80|9=(SC{lN00#WXZ%cW=m6) z*XHb>oa}f2ESy-4H*+A8CzJgR+o!H!YvNJK?qlNr!<$Td2X}paO`T5rRr(;Tv1eyy zkmHq}e697-K0RmBc6ZE73iwfI>ibTbHul-N{Mnojg!B zw@m5q*ZI|4uUWas>9}oRkRWdbHJ+Z3sLn7r*!rFyi@#}4pmUs zoZD&gi0uM*UUn(>Lqta=lb!FMX!w;(L>LU(G?=8&fbcH{xaUw1ni*-f!vvMPHNYwAKTn&?&V05dc`p>Z9adQC z3d6emEtIv8f4wbx?u5jo~#{F zb+KT$lV?x}dfu3(^D`?M7JK{x)@C#Y=GGRR3SqIcDDz$oeyDiLqTKwtjwPk;OoisN z@(?#F{f0`QiH*@C*&XiB%!OaE}7IgC%4PniR z*G;77ZHF%YqNd&)+;+um8ngm&`#KPvwAJ}gDpGbjEOQq468d<8wuQD;liCfVOt@Hf z&O}Ds%%0eVWmTI?q2U%)>GUH!raOR-+t2?M_L zi`GHteaa-|QfLJ~W$7dhp~vb5ti2u*blvkttqkFM+k}kmWMqhPIB-V!rA!;>m4%n` zkNlW|$oaG~*ii@j$;zMuKkIN8VX`ezD$+Kpn$|OYeQzAK)Nu6W;80w1$yglTQ%W%f z;vzEfiHF@s_5faa7C%i+deCT%?O_wDjjSwq_V-6Arx_NK(?a8kY`H;*CQS}1v>fzn z2s>#k(mZX|Kg>dmVy1gmO~z?F;nmBnT_6RZi44OJP-s zIIiP7Rl! 
zSm{QJ&43pi1o)F5G!M+qkdsAq1O2f70w(K%q(4oct4yBzwF_WG>v1Q_dVd)*EQq#I z%-m2H|3OAql85(v@UAk(;Nr5}Wi1s`YaAb!FrFC?t7a<1yWY<^45E+s+b;Z2CnA7) zCt3H-)k8?&PbPNm=Bf_rRl^{N!7l{@lQ}7iv499Yw`5Jmmr3ryZB_nfl!Z-SWuBhIxcXE@WLhM&V*K+B|u?6mGdsb2Rix}qNh+x zQ-nl#j#7LYFg_SE{_*kCMB<-6>HG8GPNwHh3Ddk=s#0Eu>ha?W-);e5$GV~l!g(OP z7UHH8YPq642$~zz3t5FD(N(-eQ6Fb~z6CiqTw|k6e$2kOQC1l8m94^eg)yJdj=cU( zOf_k-Oq8kwYJEhc;*_nm{(2An{3WmU==kV1@(Lal_}RxOOMx?$MB-r1Jy3N|`%?$L zR8@w;g!g}n`(ja{Dzc8z94F^6KM>Ep(dWS-LKx@@&L?A(-Tug!oOJf?kQECxVRxei z3lgCKwgCU;4gCj95hMtJC2kkzcI7MSFcbB6Cl zT7_UXvD0;XyGFn?l3B(faY0)q(=zd<8nTvZouA9}-U~^}l3VG0P(e9~j*UUAHdq)6 zw};`8#=LTOM`Liio!a5%Q$JSUOiM~wnV8*>OJjeGTQ~yUH{mz5>(bzQ7Z$PjLQB z6{vM}UuV{~+1G47ovB%AT7CNHIck9Ly00J#7E~m}mbm(nQxu`=Z}$Z%xql++n*&vV zpe|c>O`)-_Yr}H2gRxeyu@EkVsDHftP>;ah=&T6J{KGOLBiWH_SEY` zn~p6Mr44>T^_S||xdv&!SNX+itB{mExgyqc8WA??BLr|i#f|v~H!!vX%HTynAKqJ@ z@ZR{m{6`Kco+*`as37{_K3IeiNd6$g*cYltnqH;UJ(pPO*cD%w0C!KYQ;zb+0nig< z`_vy@rySQ*S$;?8Xw}h|?KsSbY>Dq4Kr^0{*fU~4g&cVz5MkQ;wlrC88u*fyGkLU0 zvw?juAdA^JFCd-cmIHzW<0l|ifbYoVpm%ot=Cd;16qLi_L)n&f2MTmX?rO6A%q3mb zk5*wQ^>4?W8H|9Nqj`miPI}t^IlM}^q5do-46nVlS);}M6{-N@&c4Do`e#wmS zoV^-5@_Q+}_XMRO>u7`P54PNBe1;r4|5Xa#<^{0^P?ry19=7!PLlWz`;(K*=n*?PY zd&wq)d8*;tsi zeWBTIiMOc2r*HB_-4v(Dl$Vj|A+WI1rFafnx!eaWQF5>%c33XME0IP>IfPB-Sbu1P zV7*L$YRgIgh2|GGPUcDq6T`cTLEC z5R3_aQ_ZUTTM%cd9NVCusBhbjg;*C(eM_Aw(64Ob0e^lEyMJ^3hQ;UfbG{o+TpWIW zp?g-x)?w79!`{}0aw~yWbkr%2AW#5_8vXT2;Qn!*C7%~;O6tq{buvvKo$L$oa5PQ1 z7;%O=5o1VLQ_tWp24!1JMi+1(Ax{aX`NEB6a@c{OP0;>lIv}V@#{BW)=dZq*Gykl5 zNrGT&Me+>Xy6mGoDz=M>IlVC2hH#%zAS`&H8e~1^ob+}}|Ko6c1COu>0bO~F4_j^O zlJ6**j9E|Ig_w84g|}pAJ`~j7aB`UrMa9EcDm9!nNvKsd>nRU97gOryG|*ct!M_uZv#3DN0K#Uaes_ zA>|vQ@!-6w$Dbpy+iGfIqn8WSe0n-I-E3Bmj)75%dA-?(uT$BXj{fNGkxoKDo!52e}Qe4x;LDWbqJT-Dww^OMyFeDA^B>*ck9uvwVrbzRML)X zo1k|}?&#dPr1WSRrv_13)}PM6;P#?=7{in6*{09WXsupFL#K^d+^@oIcEeFL-?w#B zCa|jDw`vJCT*}nj$4UO&6uEi(!h_39bY0qO%Y8V@nYM7#B*wabh44++Oux~J*H>Rw zUyA8Ot@nsP`IX9tUqg57O*!=c5+wiQ{`?pr=y;*Y%6mqk`K>&u{y9a=PT)(OjS6PK 
zN8hRV4JP8hr}Gh1!(Ed`Ew9}9p#@jBgokg#NmCk5Ydk~2xgucmio|BzA@=I#Hau|_|B~UmCoHbjs!?CYb zB_#^30GtR>;2>AP6bYNjnGJ9m>VD{+_0qt^QpjinZAtD^t)tQ;r|qnsZaHniJwh52a?~Cg3Lr ziB$Z6pYv5%8`clRs3rA>7%+J&;JiYLb5-ETeTUP+p9p3{Y$tZSf{dyKJG>I)7VJoK~+?FIE*e z@$wPszb^M%m7gr%gMyZCaiTj=x$`E#@}z_8QO1#wZ8`a<`kTx!bCa!IuWw*rXVgQ0 zaFls_Ryk+0#6eI$WVVTq2+{eB)3fb5&K>&ThP!7RS)JP}|HiNz{IIZA8?DM|kOA>7 z$Ts>w^;Z`ygPI##qMl1mj)&dfc2zi0C+&U`A@`WhpmH+9QQ!zjiSOpnTVXKN)XdlH z6XJfB8~H5U`SsT~X`*zd|3HWT*o$HB0tk6hM<7xBVDWY{hQkfFUwa=^zdnQhaMc{A zMHRIB#$MmpCGDU*6<3;->Yz6-I13cs4!cWoqhFf|^=9(irL%h7YG&}Ab-}iaen>*U z4%C%a-F|j_XATL)pFC$GW1^)>%Y$6d=Itw3L!Gy@%Bo*8L?*qv%0$Sc9ymB(wRo!- zrH&^D|HCB83jL-;KzxB*$xfg3U`Oa(MY%=5ncSOSxsha&1}7~T`aW&A1{7_tIyTch ziy9Lj>OVHqRJ0Q<-I)6R6)X#_2;p%wS&b6$EC3B#2q6>vd~=nFu}RulHg6AULq;(7 zZakl%N|dW=wJYZryNWnt-=hE^?{Fquy0e_$jtX_Re|E1MkI-#$udr5PS$Yp$ASZIi z1k~O9h%a~%Wse9lobFSJFm|~GJgmO$nd<$QVbI(6N+1ta;}SO0vd9iaL<~_HU67JR zsU6F`RI|^=PhoS1DNYg;Hmvz#*!}nOUbK+TB8FEgl&W^*#Z|43wvrb(tO>aveu{n|Jm2;n z^40MhRiJjeaQ{xgE(&tM>N~lKn=ZZ((nkc#Fe&e4+AkFITtDW1Y-!u{eyaJ|`lKV= zI!-!Q40uSZZ-viJ)|c4=+PcFnw!MFfmH#ikLxzQbkI$lrs6lhr0CcY<>`;kO$@NEmlt=8#^e*)_@3JZfuqd@>-E^m;$@rCNRjHhIc{O*(yfP4xPg8!q zdgBe+2Ia$fF6V*>)}*kYp35eelrStgXlhLb#7rlA%C7HhlLyrF7|46P6o(u2lr2(* z`|^iBW~&!XRt2o-`6Z0(@@tE#h zJIgVi5XzlgYht1I8H=V*lPpjyG*IYJgk%TmBkbh9dvh$O`vC)Wbu`G(=O*c>)%VXz zIX|N!a4BmE@Oe_=V<`n;THB=rE`3gU+6H^RiA^0+a)AA-)#2dvY}p}vM(v}-yYM-1 zU_hh}H#MmY#YcD0Crt^ctM(T&%eV|oJUI2*)A-o2-DpRfdl=Wy2b*2Cm6>o7)@kS7 z>!zRH95t^F($D^@n%Vb~*dG+84tuR$5pf-s zOrn-&gLSrB(UYxNWd<*YK2m^>Ft8ol`=^$u2Cb|A=1f$L=^R#_AKta`6O33&=|pf$ z3?>mR>dk!zUz9=54f57xe#LwLD1xF-&f~^k0>vjmaru~Q@R^v0w@PYA&Sfy8(S7PF zA;B*1Sa7#>uH5fkjrOr}nm*vLQ7e5Um%?l(vqGQEr z{dZ7&Hp_9?n={XORiA8>xH*FM(lk=XKbA)mNQCk+-!Vg@6Yp9bnM$h6@ER9QY)09U zoaK!&jO=4y1<^vMgCZ%8DW{ctandm0Q6Yo2R>37Ew|y6MK zS8D$SCIcG2Ijq}^aFGVP3jX+KASYM<*;rsd$oUlNV7#^fMc%V*3vJhY;^5{2)Rd)H zg<^C8bV4wR&-6#_=Jp;bA03`q1o9U8*fJKdk7Y|HeoZhBZ<;njbV%mt@4szE-K~p9 zLy)wm(H{Dy3wU>i86MZH#3#zy7=rCw!0QJjY*EA&N7 
zDg+w49&e@&SEN%JwUgYv+#pN~{KU|_SDgM-5%x~^jPjGXkLzS2$&dPmZzKpf*;VN$ zM85YO1+`bCV}dx113n2xLITG28hfRvN0%f$b93W~4-x{f1s!5FUrr_poaP-F`bKJ+ zeba|)p1*=_r_Hi}NX7CW0@9|V{4$5{V}&nJd9M(WD1=NQ=y$^c;Nd*uLpBH#iB}oK zTHiI>#y`b>ixU+{S%NNAa8^LZa+%2$tSMkDOTZM`SLr6f^di{Ao5Qpd5Hi#yC<$+Z z^-reW4Iqf2g16(%N!$i|oC>Ik69}-!rZ|}@WB1EjVpgo2xY+_NBW)aWl98SaTzk|D zaX#t+6Ny{8=UL9-n-=$?{OdzO<`T!`)xrNC>}gLya-Otio0a&b{i!v-_>FijB%T{e!RHM*_t(Z<&og%% z(yXyrP1^Qz`|ce9aQZUH1QUt${~m`H2|)OHoa5INAF&vxT1^`mJyA-Wk)pt{Nuyq} z2GKh!XxvI$*lJNX>vTMAoci_13bUqjD^SpGAwd(VHTTA5$Rg0@@T!>R>DcP8sWtmO zd`+A{l4jqE@Wpc73Z|CO*o64>!*%hC-u;6FA3~wcE6`?JW+*3qXh&Zb_SX2p&|CV* zg1$+2WVN0a9KA$`DN)eiT3OeSLn~)9KpwP8P+WJ(mkz#&ym+}e`aQJIq&zYs28Dtj z^;&WhWB=v#*ay~MSGE4O#SLW4%D|Rx%z6L~*A`MltpSFhssts3st68UO>&+cPW>)C zxflWz1%(QgVCWI7~a0NBr4Q6P)^xk1`_UvLmLAIoTwK&?pF{TH)j_*B#dA%-OTO+ zwhm*yt_a7>$=4fX<2qh)Xdz<{tEcVR^&p3?GHJ)vp6EbI#J~1T)yLl%?d;3S@ z>h!Utl~u?Q0>U?3>(y3|%Om|QIjZ$zfP!)fOmoo&D7O!o&VeMCpS%~n7}Lwk^gJhZ zNm=&Y@b}3k>6@*oxJ~Q8Ym)%mCB?UaT)sqHN|FNqTMEs0jSIVxRHjtAs#azG+v>O> zpnTEG$;o9b<%JQwmpg(#3dOgL|NUF7`Mev!c!m;3D^$*M#*O_p{dNOldWy6dhMAvY`en=iMfxZMcGEMCWf%~AGvHmN?X7W zw)0J^j^r48oON9FR`tE&nM=N3C2uXZM&k|b5 zEBymS4Jwa^#KE46Uz1lZ4b|zo%Wz+BXN8wj4R`o7s1AeTtJ=_*!U2gs(^NII#Bswq zt{&Vy$>uZz=iN695i`+QVCf2-H=Mfa_aSy(^gg|;~&)93oIzJF2nD(LH(x@ zC(CZ{=I#klnKTsK7tGJ7RQ!Jri9QWKxN!nv+v}?PZ%vhfIru0|jKuWQA>-oi893)3 zF;a_BG^n&F`6ee}Ga{}*ogXyd`a5q8))&okzLu&K4iPNw zcq}{p;sXHr0 zDLl^qXpI$k4)dz*0OVu6S=Sd96o`sZywRx1Sm5?r0qd^IeBx(G)3FT7xw*MZzy@5e z9pJNGs?9dA@2z^Bz1iGTXXxwbRD4H?RHoK}kNF-8*mH$e{-Jnbc?Q%>;zqz*X?RmE zu=;?UpEm22LQ#krfhdjgEML$;%~mXr_|ZS_qnO{|A@^AJE z_(n0m(f`nHrTX9wcO5(Mm`+*aFhl0yvFoCore6fn znzmXt&kz0O(;UypK8pk#-Q`%iQ(T44P3t@8X1vImq!?)2Cne5QeNIX7I6keov2Ox* zM4GiAO1PKdZ-NsDHGzy#{0l&+!$KHk>nfbjS)5@LI)Q~Y+c8P_)dw=aEc8qMI#G0D z@c}y0aX&yR!v_^K>{Zb)aOh1tZ3N8^Z}ijV$YJ}`6m!1^VUu6WqDN-=;@9$(D8yNy z(0;M%lOQs*-vK5q2ppDHP-=sZ4Xedt}7Aig-TLpD!GhZ%>DT5#r~sjvPN*18q? 
zi$Uj5gDtr(G!I16qr+2$&#i)Ra8x_SsYhP6-(>gYqkI{>9lH*4)*nW)z^ zFvtQ=_CG8KhFvkJ zlzfr*)YD!s4|_X`aNoj^@QdyMf71!LzCTZP{B+mVHdct3?`o#k1`|$k_0@*F0NuCo z$)EZawHc$)>oM_aPO%NluPO^G_$iEo8+P!m4j-Unmk8v0goya;gzz41QQ4W#QkIUfOz@H?J*l*Ci<3HgiZ*H5O}2yx!)GzV}`3guyDp?88w^ z&!T_qlj+3ld_8wT*1Rue!x6r%`E9D9v!|rw5`?6g_&CGSsf;~in7tl5XnIX>_i4Ed zhXd!~_yY>y9hefJ-^j1=$zS7oV0)a7pGQTBXs>rjOAS+<#0&We4<9ns_N`#&y@e)= zpOGg;5_0g1HJHBr30x{!NbPqaYjCxgf_6&X3g-*2&eFPgQQqPFe8&&0h_S9t~ zVE$qH2sYE41{ZRLrBk5d(qs&%B{1xe6|o$?PwtdorVFIB5@N9usHgJ{VzIK^$NX^R z(wK$H*?g`t*Jh<74iqOWaNrM#91r+j88cP4|CQqF6B=-Nc}a~;q>CTyN?@EL zF$EK4*E9F|}nhV*+=BO4zf(Gm3F|K7=B=%#W;khy;e{$!MU z#^#^1!TWhidx=>rTRSRW6y)2BoyT(SXP66ihNDf{_KFeGu<$okmVZd_J=RpV#{(_g zHv4+G78R#cH^s1fpf~kM(X_IFbEGWpk-V!`{q83Zr&}A;-x~$dlJUuT7~PL~x{o0t zUs+ABsT@X6M6;+_B}~V%X{ExeE^C4VX$6JpSG0=l0?mIy51b%>y}%G)FbNW0FIoO& z@|-bGI^F{t^o$=XKPXC)sxgSdXQL#*pW`-Z=F&dhg~VF%LawaF!s6+-_=A9C%>mI4 zV&FVf{P49Nrc?uUL&-f1r_TqzwI`*&UhBtbnA@`XMV=7VanCa{(Owh|w0{L0+(>oZ ztu`rQu!dsXlS!fA`lg3;NlARBbl&?7^8l&xiNd2R@U4j;WM%7c_vNj=vVc)cAFX?T zY{f_WifX6tL|7FVHy=XR#h7l2^aeuwG)gCaML}+g=pN}D@ZL|~hl>)lgGqa;X#;KC+;}oLD(aWqa3)4qItGTh zGOwz3P#J;aASvrxVwc;R4_jocf{qc0M@z=?fxt`kN zR(1SETF>@rF!@Hd=3hm|F(e=`5Q1wr&FH$%(vvqaYwlX(Q&nUCJ6DHl);u0Bz=M3w0w;3Q_D}tP6twCqH_m@~0rY@DOU)=YSGN6-O7!4mo%=+!eSmr1`{*6# zd_5>)d>t<0e3`g2F|zD-rW%m_E+X*fp!Q+xXLC%D4m3bvSTx7uxRr!EvNT@2G&3Gw z_9`s-Da*3;;>-77&jDpQ)|*smnyO}w*lq(F88OcPwQD|{@Hc; z7_6XQscZPvu(%{)uLtjMHM*t{57SpM7!q!o7Ifc$t898g#o!`zcHSyluKalU5L3O+ z17V|a4p|fRFx+E_hgYk85ed^T*~&q+C)mc zb1N{=&AIx>v^er7PWI0rSlmv;U|QEjOag~qv_+9Wdk&45tIq)VObJ5fmK>n&T)+6~w&IdX;I{0b zWpmJvZ#U~D#3?kAZ?eS@zCjI>_g6`~`E}Besi#~ZK{|}$cQ3N|C5*7!rvA;%EVyb? 
zp6}*!^LikHaaSNTcWK0X+}rxAzW?>cfCKfP$++M~xv$LU6F9!~geB4`!3L2X7ecRFP=ZareN%R{Nh-3{ z^*Nx`$)ZwTRCdQ+@u57a4FY`Y_}86{l7@Io@oJ)?@ouDA6||{q*P2z-D!rwkJ=0cy z==UMrvn+vksW?c*L=!qiCnLXSJR5(=uh8TXd1wFGR?k-t6XlZ*6!L|b&l!ri_W8tP z#j+Z23DIV&NI|P3y88j|1H~w@q?(vDYV4Hq1{UpF=^unh<{yF*LK%?*lVKVsApIA$ zq8GqG*XTC^*G&QWj=H)Z&K71>bG}to)9Ib#41?d-Pe<&-8)2uE9W9%Pr39l}DJqvy znZ(JZZUU4}yH)WSWvmaEdjcdlSuXC|9C`fTz+wm1vpuHxP_xEUJ)(XO{ZJ>M$>Fnx z9Toe;XZ?Y0ukCzSx_RA9VR)ogty?1DY5f>-M@Hf-(noHv!ozAOQ^4o5p1V&oBGG5+ zoY!9Y%OpErjT|vGS5fv(!O!lYL>{gIIu}c3+g~;53YwVp`5n&Pn=hA$6AmxYM`a|p zc1<4+3sHvGva`rlclsPR@L-43W7o8+?^`L*QK>d>2ExpSaN519p6-`Lb^>RRgW;6? z0y&|D+n|DL2`_)-yo$WMTc21zJj7NZIq#Q&2@Hpl~bKN*_y&cz3*<-=tmlaG|1 z=Ru(jda$$ln0$cITFu@vP_I2x=bnlbaw^H%GBV!B(9yqvTB@8^-dCmF_kFb1Pumgy zD4QT2NZ@vw@+PuG+H>{OyiUHv-sQqMlkY{;irmT}?(6H$ zf>GSt&Gy~ampRpUWkHg0uL50%zDs1&M@Uf*gsux;K(El4NhY!?wU0?313s^9mx9<%M;nMx9B>6yHAXmyg@i&=sW!<<1f7O7qtHC ztNE*SBRI|$A2@j!aUh_Gha%=AL{#v#K3;eBF1<#{Qp74AMe$ib!9S#%o(Es)&R38AAO;ZWx?Zdy5zzt2+ckGK?mpbw zLW`D7?}f&@p-hkoEZDoQiVKx62AMnN=-&6;W-EI5Rp=ZsZ4liD!Ok>obP_&Bwem(T zaBb5$&d-ikYteZOs6X=pwP0f-3*+VD;>7wm+r(WOKUR_!1$~yCE}@`?H@uJo{~Tcy z!H%`1WGzumL_6A5gHF)rSV560dcghyT~oPE*nA&7bXgq6Y;^T&x@8+2D_2R-buULh zRsZ>x<>4xZ3h=LJ&bnFiOQ;=xO<#Vw+S*{E8A)YK9+?pM4D=e)Mzb5GIF&rTWDM1K$Yfeu zTlar_YQsc1Ol52rx$Ol#+H#7eRGKG~%Xf%9~IMMMl5;R{qLJH*cH3^?F}4>g!hT4YFzkJXsHSa@)iu z1gJ7Iw6?=IcqxC$m8r;1l?8t5=I&ovhI#4QB2@Pg7e}cA7;Tx91AdQ09w+U!#@+j* z;o7fMb}tVEcq;l`AJ5$^Ui)KGrhCAST{`^aX-TnX_ov(>RxV-vUlx|#+D51Bnr|>N z@+q_z{`Dkvc4P)9<%`2Z<6f|vqxM2*#%zYa4GN&$G5HnE(d?*lylWykHIU-4Vs=N< z$va+ds!V#r(YRy2W^E2oIWk`dx!Y>*Lgj1?#G$0p5&^d5I6H4?<)M;s?u*S1Q)w(l z&J0F~!f1p)?f!8wbbz4_jco*aiR7zTYMEP6F{<(phm|H<-j_)^(M1?i8Kbqjr zPlOXAaV2{~9B@aUCxd=)j3ChR&DB#YI{C~tZ_b=Nko|<%&bIUkHzRAj3ze< zLwWQ^EM1if@nD*0de5Jv6;egj(d9>wgS9NJ$Y*z*Mqb$JT|uvNo=dNN8N7{ClR;db z%!1l#=y1K@HgirWHSHhSkmN%k-A-}V(WFvjf)TjYrWPliiYAdl215eirb9Jp?Ska;>$K3# za*GTW&syV-NjJA)etE<$Am-uFB3?58fm&M<%io~q*OVZvW@-eV+e;Blj^LQOv`>sY 
zRnVdv^Vyj38r&unH?P3Sxl&rZ+kZ{C$^287v0Aw2LqNCUicF~dLBhwnM%K?IA@cfK z{1|_W>!|k`i;CEziHve|q|fKZ?v*Bo+gXAO-{~U>RLQ{=zdbg+CX>3~8HTc!P6M1xU*dQ0x36ntcg;bwa$j?(0KQFl##~vwVZ9YlMa+o1A zlr_zw)z`?#>yJbvKCd8&osoePhF5pf*omJ>>P2E5J3*1#EeHY|TbNu|wU2{yjl4n9 z{v(R2C}eyvv1&SLunAWDyUpG=Fk3yreIx9HcBdXvFMHn=28$<}d-k@@UGSZ;l^lNo zP_FTA;`=|L95alkiU0RjAP)V8JM0zpJ-2hoc=Odb&rMn%kPIO6=yhBjw(K~<05~Dh zhJ=K0-;T0Pm=}^0xr{V0I5`_~tlgvV66H5B*t|a9;i#?rdh;#e=y-^Efn;ot-R!c* zwDVrB{MXeZ;G|E`kXeAwd<=L07a~PybfV~UY)y%!goicb>VBOmA|fix@Flu%UiRNZ z{ACmWfgb*sr#njGfl=jW4BruzF7)Z|CQ%6Pkx^lTv0HI{EV-4qefV~3H08frzeDhS zTPsy}Joe!t4km7b46 z=Zcx`q;I5R@KLknZkQx?||>R7#~w zP#Tf$8ah=v2N)WLZokcQp7Wmbe(&?wzPPS^4KREE?pXI)>#lVQad6ESj@nbFZg}G% ztexMTYtU`$X^4d|QV(|?P7D!{-D1w1D(ojhbuDT5!Y7|pZ4pQ~0|zs`LMfrt2vc0u z6R_1{%rIl+=c_laL%17jFH5>7+1MMJ;UhMy$EN3%-PiS9)H z+@2g?!V-rb@JHun9Rp3xLM@~*0Dcw(v~{(}w220W?E$Ue>#YJw`##$Tbmy821xh1S z^XK`yPaDrr1}0tKOZp+#|6pN))#u)bp$xd(4D?0#Z~Th4nT^AvGkE#U!%TW(a>%Q4I)((yV-N zk5R*u1wxD6O*oII$Db>rZGsWhutXhA63ypLW@)!{Q(>MN771%MqC93p7s{hH6n9RK zyG~O1`eooR%%f@TJWNyK3QmtlJEyNwlpZ;{FQ zD!I1PjSFrA;Pkrr6eBYJ$ay0TefL}=>#LaGNrMbkO@X239fRxSgs+_cqUqJPlFHVr zn1xsPS%=Q|H=hGnJ}C?iK$}9Cg}Bc-)=5$Q$-%S%m?z9#H$zHH1?t8>{O%$HQ#IPX z62X2$>AXwbVghnES~s_{YVGIYEUq)?&uxtXW_7gBQI3<{MvIMCW?l=gW1nb2YAQ)% zPv<+dgwHrIqOgEF8NeGp@X&evbtj_%)2b2V*;vEk!sK(4%Yz(MB`2p@8$X9yF@B?C zn_0VK=LM(q(twLvzuV#YQ-OsK`F`Hcb5wfGX0e&hJr&1PVPWUDnwq{m8Wle52fS_3ZES4b zM+57nAC%C5KnqH*4mo8{EZ7L-XYMO4D@*x4Dx{zcC{Qn6F)8B8ysTlRN&G2t*mAOd zI;DbFUvG;idTH8tbI`m2ECc&6#Mz9UV>(yT1@k|jm3dgHQeIL21b9c2nz5+@w@Map zmgo=Lv5D6DL)SV#@Vz(wvk0RaWmhw18n_;)A=5eqW!qu4QZ312-HGt1#^7zGuT7o! 
zJe~A4w43^O4)~uwxdS*pOM#E|4fux$r?|q!@n{mld7`>#FvF~8n@+j4BL=;Rwo-|7 zb~C4GD-6D$D@Db|Eczu9u3DWX4?HCgxlnzRcw0h5g#AHUAv?v3^cIa95}bXZaMa)K zBT1tT3ssWX>az_Xe4a^LROA6L5*=y+7VQKQNK!A?2rceW#QRllmhg<89b;M^t+=T3 z?>%BcdM>{p=R3suWBU~asGTt!EGd$Fj;0 zj?r#XIN^8(a}@^Dic1J4H1ikQ9&G4Ihfw(%_kixy#unj4VZnJA#4(i0W0Ru>t*hmG zJ0ur;bd+G{e{QCwbBc* zFpfKn-ac8cjXg-c2|%EI5@>qkf)0z)uTxUu5U3!5GIrlZ#E+CnZudF0T@aHSnXu4g z^Ne#zXnWZ(tn?OUftIJi7IeY*qFmg9QP2V5=3Y;U)_;>x`tU4p0BW3UE3*G zwlBWv=dZkMzTKW1>qNPL{pZ)h~J`KMX9Vy$v$lfawvYiGdxkH)!Vfmwvzklo^<= zj%dSYfuX>^AZJtGmr2YN&ye3|+Z$H58j-hgA7zuvDuZSD;umC$oq8B-DOxXvb2$2q z9z%xrO?{y+z4*uf4Sf9v=Ltp{5qH~t6^}U=7tnEn_SW9$OVDfJC zGppTnJEJ%LR`vFEHv1747He(DQa?fD&P18plD~KwyZ=)dzG=9}VsEf75fR#~y01*> zPn;}zi#|W~&l%JGSX{UG{03R#ToHsMVJ(tksa=!;Hf_%K_7qy9&hGYdYK@vHe6o6G zrL~p*Qha4=cO;74)!(<@GW`SsG||!(sk9y^4+cVYHUYWiSzjhT-XznZ?#*RV2IU1` z&y!M@iR(w-!yWSQ9ubEKW`s}UI3cA6kQZMU_v+NW81jaVh?cgoH3OI^XK@Py9Z@_Bzj9L>rIY!pZWlO1Mpu^NMe7_sOujF_S z!#X}HFIHH@KRQT5Z|HyHeeD5+<$EKhMh0__g&Vkeg+Y^TvUa90yzq_=nLR1OjQIFU z<>0y3pF=y>2_3PNPLrdT`@L7k;U|Y_!hr!TR8?^1vBdt8YfKgn&ZJM@b^6iIK}zU6 zC;J;bpMD*VgZw=?6B@GE&hV$I%bo1g-o0h-$|OF%VG}DwID?O-fB#Ov^toWZ-`AmH z@-AtSy^o@VxJwSc3V8lhpihW}nwmv~#A|8IH{0Vt6)+f%7or3e;vYWG}@U4z_|Fklb8cO3xeqa*-cF4|(ld6IM z#YFABnPeZ;?tdVX|7r8aX~?V{^|(}8FA1YyHLQ(lC1I#qzMBqPI=Nj7xUj@vAh;Gv z`}&_})i`$BM+L=b&UABE6oBNXeJQVd!+-I#I0ll7+G7Ib1*awU-Rf-Q)`MG@gtdv9 z&^H;#E0-?N)r&eHfXxfK-DBj@iLPXD#@)USK)s_ju418rvu$%!3Ak!IyxjCKjYDqb z!}u6eWUiW}Nu(pM=9=vOihosBk4g|zjMY74$`YBrr;w1|miC?!=5nig*#}vSnoELo z4AeYhJtAT$@cW`H4)u#xFw3|gBI&u6a_KwjsvWf=nryuMc}@8cLGK^ov%g$m1u>Nb zzVkr3xx_@ED*(tFE^$ zG@D!{5fQH_VO%z@p1<3;{;Dz*+AgdVp_w*FLUkoiKrvl|z*x{oSfqqb*(9qs`l0Y+;)9qX)L&P&rRW3kUdrii zYI06EtlMh2_45ftHH?;>HD|{|^Et^m0lOBg0{-{E!jC_>9X>!OwR`P1vLZ2QP!dvl z$LpH~g6952)$qg79BQub@X9pb`}>Gn@-BfoN-h!g&vmuZ;2cz>B_!Xtl#_OM{DUtW z1KTGX@r`U7dxYo7=bDk3eygpQv-9*9#(^O*hs+%o_v=UTf^1g3pOtEE3e70GRqmHx zmA`5@*&t|Mu-e zL4pt_F^Tb3jgnvY{R6=Xuo^T1R@xhS1HOYBz(T1a!+@&|b@dQ2eZ80e1*rcWxN~z} 
zRDHEc1)mI#IsdeeCUvCa*8134lEgOuyfEKBZV!z3E-?A~F5q-0qdl3oBv&V>ZTd!F z=qzlgrdRs4WzP|wtkHgUL;8pGx3^R>pDH36Fn6nSecP*DToXO6(5!g8Ba;hjEk6zi z?7k)5CSL7d_{}ktJ2a2lNs8)CUFHX8-6&Gy9(yvZx{ZtcJX0+8k@q@#xYrd=iTlT& zn(^<~^5uuIg2%a@k298ShVC}}%4j)^p7PesarpI~hAF6-ruz)c5*IS*q+@3A%z22G z6^kp3<~tB{iFHo4W5yI`3`Ip?JFjxkqeuGFU3~pU=HUd+)rtt4z|$e<`nQbibqU(2t>A%%iD4plUA~qFT|e|04;3+{+5(P)F-)k3ew5_byIU3P-4E<`xnBLG z6CR`qTt#)7R`Gv>I~$l8bNX>?wRn+ztgS{Cp6$7s6IO}tc$-gk-YMrQU`(2MMR(P+ zT`xWMiA=V1B+x)E?0pJ)vlBIy2c79qpR z(cZQzUEbogz<&_8#>&O^fp^TP5CUK#7=kA^c>Ny}4LPXVZ*LO^Bz)t4H*N@=*CBUx zRE?qGp93|voR(mC-V<-fP5P_(WTzoLCdKy;7{(%AYu@fRyi2+D-JL_wb9k0}kp0pm z>vGdEowsi%1uD}w5&(1&HH%~yp@U8IZQ&)Ew zyZyf_fWP0Tzb?TS=}5#|dFG#h!Ls^gJy%zv+Dll!6&W=p89C#wBi<(3N7Lz-fFsB-yPd-fp{_UX{))E2)aSkCa55j6(Ux)g*$dr5Dg^; zOEnm8k+5dkWE!rJdPYwHUh7TXqRO1pip>3k*d14ASCQbKZ~JD^xCWscrHC_njN8se z8p1ZoSQ+kbZSuxfyWZT!er+8L2YWJYI8%4`_)gt%G^n~Ght>0A!~HzS=MeDd`K}3= z)~(%NRKwFLiOEqcG;F&DlBuD}QF(So(?t34XnrWMb60m?25b%n%Y@Q3HJ|Lj7%t2x zjmR?L=aDeHC3n}bA+%-TJJZIMQ#@o2x&j$ZIjCK_`Kz|Ttf}I?N!pk9r@V=gzp~r5 z=&?IM9WjAicj;?=h>!0Atp!ihv;uSIUH?=0{Z|9C#f7a}nBK#tp*~?!^BwG(8r*`o z8A>DY9WWRPufc@6>H-Zv1xi_=PJ&LLH5j?RqCy$Xhb|`~;;{$?|LMp-@l}Vg%bX0K zjg8&XP_^n&JP8jmj_jgk_TX^`4_HoWjc2%rtTST0IwO5|FUiNx5xO;Uc2`riP!3h> z4d>vjc<)k>kTe*B0N^_2u~x_@VGw`tnM)whw@;OiudnLP;Zh04euHc$j6i;vwMa*3 z$EWE>o&GMrE*>^GrkC=*q9D9G(TCB3ZXl~fTEsiyw;>y0H8m7pzmhRA_7ZpWi7Orz z1zWTx_zo@mL{rvp*%nkqdxhY$&9i1hy{^$t{&UkUF1WN`s9Gsj3$TQ55mC^7cRrBY{KCS5psCLP zL2^v7*O^gv`8bodUj~wEjcZ5~ddTS^)0}HPkC=2z-GEu9M>AQc3Vji|`?Xv6)dnpg zp5x~RRV>%E=(O*`hqXK&n*}v>K5Nu~dVMw(l|R8Ll4MX@pKVR7FbE~>pdGNrH6H)B zhbi@vi5gt4C!CaZ6%jQ@@Z%3js2*u^k{fB%*HHq0ZhZ>jo=U2i0Z>B1uC+#A*Pq3oDlad@1Yg$mEN)w6fj>? 
z(W>i@qtctr$2H#Wgw2GxEQ;w)1c{&V?#5T!+r$X6H@lBSvg;{wpm?|2CxnQC1EZzS z#gkuLtk$WI%r933qnuxZEJwo$X0y+kj!4Uf(EV1}R^IKYkiK!V>yYwk{9!^;{@;_1 ze?J0o8gp7TQO&1Tzdjh(7vf1<K{*p7>-SF2eI+3s z>?_e#pWUAgKdP2bEf zte2FRU;N>8oJne4g8~dhv&89ldp4f$3T4ti(PVM6g|{cje{M7Kb!`Jz6TT&pK4S&2dcrLDDWq#dnB%dBk<6u)m8+&qkd;Dn1rq#Hlwn6!Myoe;G%fjAgVwC}`mzAl= zAf@?RPE?<=v}sHvP-1@XMD0cVVn!csx`@%*k`(jgB%rFtip%lrOG2}7>za39 zg44CfWegmqjgGm4c!5u$gO8K-fA@J0~?sB%2(Ue}4Ra0qq9 z(mBFw^?k!p!66Z9AQGPTNqiaXJ0YI3NCn}?2`9Ly^b?kfM6MpW-87i*Tdb?Q=5r`w zDz$xuspqSo%vI0T@a9A>B_y`&c%6)ad!lU%LN&IpA{E4xKkrA~>0A>0bw7miXpx=N z5I6AfZZVchd06s)W*z@wX*^{AI(`)JvG!ve0`B)q=U?WI>ifheXyp>-UZ>$K%YgK3 zBVRbhb2cxFku$$WYrR*OP88NOF{z{vIY0Lt81r(1aRRo$=fG0pIGpwO4XwN}>2>Ea zmo+uLLAukFiaD+P_A@Wm`AeoRF)=Yy#+III4eKY&m-=K(zB~N&`*%oaj4^DU1osHmaKO$SC8H)-}`+`N#TfrdDp$8x% z_zwn(g3d@1`FBU@4QIbcPmn>FJ!>J^6?drLM)rd+eR5*ge36JRn+UgDLPAlTzY!B3 z>(jQ)(=wt-^AuKTQl$TpV>@i+J9MGqFi7w%OOoj%uwBplMjb9ChjF29Yh*~YRiw^B z9(VCb=J!EFpbF7|Fjh|Tmo#4GT=Lr?i)DzLq);S^KqM6VwJG6 z%QqD~krZwb`>>NVSffvFT>X-Di_ubJ%GTTMehPm}tCO1ewKG=aPr4%2W8C(HUiL80 zInuA4?`zL^h2>?Ms1aiH)GW6LY0S>|)Nxak+@R${eL1{eC-SUCb+*XtqL)K{9-^eG z9Y5p8V}l7^44?cSsw4}@jn}BPF(wi?i-6zto=jhfV;~|gLn7_X47QrlM3s3H#yU#Z z!sqEs&$?UuGHWkgLtehiG6^^wUY;O0O0C1s-kcAIlC|}1-z71_fwE3l4P00-3X)14v$;+4X(>=Vy?7^$-NuwX%Rf5 z3#g#yy*r4+w(WDGNij+T<#$fJMABo=Cr#1Ar2grNLqi;gSt@-=3L`*nsWl)e{m0yr z1LPLtSeT=4<=kX3a-Hcl6G}Ma2Yy=>Jpp?sZ})JmiQSwGdp!p%l!^~ab;EnYZuiIO z?ft;YIWn|Y4s)*r_o}+r0Y;5h_0q#8XpLg!)JU2DU0sg-z3*dbA3l7rZZrA^h$o2+ zyQOvIkjMA_k0<8OmY~S4Qd<1{{XHg2>oZOs?=Ba$n9AYn^0MWlw3v*!&pPtxsNP@C z-(c+OGa?~nVX#gyx>%O4l;}rov9i69eZ8;zAxGy~MtxbT9@afeuRuI4Mg+5|d{SR`f zDw<-{&nG{4IACi62z$YoM5T_9)g# zcUa|3CbzMnIBvbd(h}WW4^5P81G?WC<<-E)x_xlpS|XePvBkCZ{0LsxiDP-v@Z(M* zg`8te?Zo9qS!K2%frcM+={|Mxf2r+O05Yp7IA5PyK!CF7_ zI{2WqyPW3N?=iVe(sKMPnsr?{DV^)9lxU%Mh1$4AFs2XAYbJ$&nn%d39>;yR#f2rg zM7u4IqDTl?#x*juVu&JEGM_SyUKkgq)vA3~W=d5aB%W-jW?59;o9 zU1P;|=m_1{7B3R`9K|`@fz{1T>HI4&Dwz*U40YugfnZ6PuUyea+zRkdUS04-RC@c0 
zak6c`=IZP_K1aApJ~qZSL0qm_9%5bNPQxbj%A~zrjj_2dpEL}rtS>{6s75j%3vYP? z+IbTlAwSU)5=Z^O*?2iN%-M%*6`KUG30P$GU%5Zg+hgsa-mk>MNDj3iZNJ8Ac)y>m zGCET9mcG?+jw9Bi<3*M8Y8O&+DWfg$NdJD${u#kdO-*goxzg{jTb8kjh!pZ&KguFZ z-*5I^2veMh;gk2XCAC!F^nbYa--!ODE$u`rik#-ggrbGk$TYbdw^Z@JONqaJ+RDLh zx&2*UWB&`Ag|mmC-g*`}dt60C6tRJ73Hs4~Ll8EQ(=*lyyMZAasK+J6d2m8AN zpu>Oj+ex4Gkkele^BC)w+OzQ!$!C3s9;ydzhu`T<^ak)XQ8H1NLtibP&PCFp7qZEmBY7Y^#Mg zrg=H3_3Z?!eb=n^C;?TRG&CkE5H(RfZxsHggYVP(@s4JqWV)?vg<mBHs0Oh1)6TT~!OsYVXlY z;C4TdqXdZ~Q({)b4zqyf?y<|w)1xOnFK%7~yve{B>7l%3?iXfVVFBsMjF$g-kc|W4 z76s7>u5NJloj=b|qGNpIG_jLwqfhUXYcsgU#9fD%CPn?;>7|sVOj8)dlUkT|@Tf+$ z_i0KN@<#<0RlohuNBt)Rj5Coz&VQK7p0RC5^wveRUK9yiP-oZ|@8c)kpi za3HgL-xTxsYbAx`*@tH*Lss`SI#!FDydToTWD^uxD#R+HrW(cTbX#zu-YuF~>zYSXEb{sGCHSEo_j^0hRl zYtsjKq!ov`y-xr1Q5dw4Ai{nT?{;qCk@Qo%Y&lEH9UiFL%z7WP^(A zvE6xIlrht32>@ma|Cp$kO-<+Gb}eCF7}cW~%;)F%N@y!v9YmxA@z*_SUsFZmQ6Bft zSw3B(^jl+npJrAf#NXtJ-tU@8ySKRU(&|@4_y;)K7Wa4Ak1|GhHxM)fL2G7IpJZ+( z8syeDp9C*lG^^Rpg&3JoW3UP!490Sm_|R2lvTD3r;(?eSZkDq<^_k*$xVjRF33b|X zm9-7XYb_H3j-)g@y*kBJIJ*-i-IJT;v5_z$DZwGE^Shuq$btmMo6JXW@mX|SXf&Jy zWf?$7WMCvdyCPBzF^9*K(PqK*Mr)@Kv(H^u;MZ-ocR1J4==ccqM;kAXlesxU+k@sg z600w}@0rDdrZ%4xWptP@8N=^8=$>2C+cpC|b&Y*b!6poGk9R}3YGds9$4E3A8da%$ zA7VO+2z|t>_D*=J%dcIfWf>@wMR{rdWHzGdHDp1u8nSNDL<{b48>%>S*y-JB?dV&n z76q{8|20tkZ#WfTzdOB1Dxo?^XxXP+)g?lS3SKV}DYUq>)YDaE<8rF{OPa><%aN>v zLlMK|U#$NBA6i?Yc|0kQR#)Jk9D@M)u0kg#n;x6Dj7-MGcuPuv*4>rk(9J-VKsmD$ zNyf<;p%b4>z)MJX=z?5@#f979{nrBkO zNkkTjoGwSJ(w=;c5gJo!IefH8H^-J#bkyp%Z&=2)qc2ezDesfQotlo5n%7?d2tQ6t zZ8>v38V|sODGl=x+41)_o(Mj|qahqKml% z>(!n@9nQb-FA@llAB{vsolqyyrd8apPUA|aTG~0mPp1#t``~vkIDqoj!utjye6`&q zM()k#i&94oEAbNRcj9fQl=Duaw_gX{avB@Ij9w|$pW zet!4dEy@dy#~!HNd3dOGSQXdtU9lRUlBb_f4h=Yb&;7@V1v7enhbGi+vDKiuMRM+=y>+Eo(Zm%vpcrL&2=gL2;9!zguj!#ret5YjY{%%s& z&q$Y77;?=tZN}|tIpgskea+gXu!E=-s3C!lehCi&Gr3Eyf<+3n*`~g(a0J5~phHn~ zu-0rQI-)I(P+0&Z{ds5_jTvqFoo#yq$=cZlP(8G<-EIz$XpZ~(i=z5mNy~?w44o-s z5UpX{fl)QT$gCekuzJhs)w+HuGp?6K^Kqxr8r?1W0Ajn)O2bReONITwq+vMFCs6E; 
zKF;Ng<^a)nK<`{Tf8zInnLK0>>m)J}5WY)bMpUI$>EBo>F8RA3w zp8xiHmB`;4zC8>s+oMb$;^$MLNq8jNk`FcO(0<^G5>ww1N+4?stl>C093H`25!Z5e zFA&n?-Ns8(e>m#I_g6}kFX2*h2v6PTAdIcIE#Osx`m$Uo ztN%#U_788B5^*k!s(g77%q1@OJSW`}CbV6H431g#WI$V!oe z-m_`f^gTH_ChWW$1(vcK)~5np;LFyj2(=%Eq?D#$DvYkL_NA!!i6<@b96DTkktC4e zz9;^@C--C(louql6u6z4!hsSJdi-7N=qpc;v0fe#iFpd6Rs?L(*3sx)(gj7ytR&Yf z`$d+zTq8KaeMh|9=N?ECizhQS@wd&qq*a)y6` zo30C)lsw#HEK&LARm+&ilb~-7PLh>BmHH|zP0T; z%bnm;zc69J)klERz4F%0BV$Fx+^(-9=&h->n&e|RV-Myw&K9)e!~c2Y!GBOtDtJI) zUSByTf7iXyuV+t7+w5&vdc?i-SPSvY8QY#GT1B?=xhgeRdoKOcNqcL3wwI)e$su4W zCCV^`rRQc@FZyRk<$a!zqq!Jn#mqm7t@KK7=Ny_IOAdMVZN)o0p^KJZzfM)I@)1oY zFkrM?R0aYrF>>~&6VL?^nW0w|^q;`h)!{t}>3b24=qN58f3%dHVJKs#$WSOi~drNuEmPWQP~$ zZLQxD*+0cAS%M0Ce#KpqaYfD5F@kc!;j18H{Pda-hE#jqa)E7JD!h1)uL*qV#xlZv zjoHOED_P>byQ=LyR?ll8&b%OZcf~~4KEng9K*xsRRZ|?lFZhY~e&&3KY;l{hq9?MU z{^wW5&lpzmP^21%Lr>^_bPLQ%oj#J0+VTZOMZO9AihCS_3uCA_-gw>QaoZ@q zX{a`q_JLt!dW7=t94v?NTVB?R)Lfl9pyQnZRH> zub-|Ub3=k*reDHXcjzS0e24kcflq1qs%Odu`2*fS?&69~-e?t6O3-h?|>$LJvajr^@Tp8$+k|oQ+>hB#rcObG64lDayu#)>%P$#ny!3@xk+eH?%1Qw76pY+wSPu z78nQ4Tt$+CNuhQL&3DcLzeu5o4QCtX76y}1^~~Zfi6)CO#h4R4qfxolTfmRctP0nR z($bAJO+mJ;c`V4KR-9hRQ2Yg6>x!Z06?K5w)i0#jPe;L^3Y$+N@NppJBo-A)(3!II z?^cYtL{wZ5%QfRxMv97*h%H?-xZJK38_d^%N>^S)W&lVjV*9{>(uqSh&Hexxd= z&41)T2?U*Ut4D{%8}S+Rc0h|WR@R#lJ3pO~M~NcXDb9iF!;8Q3Ph=0%+?V1=pk7a+ z#Ui24g+(4kwcmM+hbW?A>mb}9b}0vMKzqHCCVtkO+c7XixsD1}?T6gO&nX%&9-0tc z51a5BkW^$chNJaE@7oeJWezMcN%5CY+Pc!{6RuWHyIiqy3^kv$#n9Jm9KdRyb?9Sc%gqt*QMo`p011m1f{1;Cuj*> zrOYEw<~n#L3uSSLXWXfd8HsCG8w-+HFMp^Pi2!40sh`) zs6VIHn9wCS*fD7nvr8sY=+?xAwnZ3uPc9}^>a(m>XaO!`Pk$6ZAyD=zJ>n7PlMH;# zq(Tg0ohKMD{LI*R|7U$MZkpc^v17h1R_9SkvtWmV2)G;}tf%~py9mqpdCL-d93~8+ za6uPwlYMR0T2BDF*~`7E622iD_dnvlue{GpU$}FmZ(Udvj$Qc2Rw4045_4&q)Ck%8 zd~ zB_s$AG^*B#U#+WzE50In@l}+$+cm~6<@VY7i1d_|7Eow}sVWr-YJw$7Qi8E^fnsGX zHm9+OL0Xx&@VDGzSoI^xoHS$+kc%)TnVjY`1v(j~akfc3o;Soz zL6lF{tCH4O`g&myJ(0>U=0w-j$8#-ET70{qZ@JTMjICe{>>-8S!ZuHIXY}9#Xwk1Q 
zYb~>l+X5KOxxk12d6MhUg7{ytr;G`yXUfkULdM`|J)H5cMt{bucdF`&s>hl9uVNQcUgACI^9HAWkq<&^hjLP6-6Ug$5F0Ubo~+Ac&xO6EN^ys#R58~1l63dzys%*v6b zpIsjq-2O4cHoW(w{MW`7>itZ=8|z|%Sq$PuL=L)k4lu-7bK|Kp{ozQZP@AW+{ITEc z4BnhMV0P=bLP=5ZjwbxsOA57GL>H_fx{W5tIcL7mj9Inp5I^6lZFlo~_th)IO47^U zl*W7ko;hUJ0S!|=w<}EDeYfG@y4fyL*iyy)N7aOf()RMP{^dWGw*H~PJxOXG$awT8 z6_)oXk@Se}K0Hv)`sX58c>ImfMMW04G-?auf-ia=^#;*NRR7xxz*`zJ)%s0*xhp`$ z&Y|WXlAeDgQdFus{?cmiptFNOL|v>1e;EF`q z<5_e~8C!ozIpR?@Fg*Mv(WVq~rZSRFA#)6ii=kDOVqSLS*>gIsF@MR=`jlr7y^DD= zDph>6Oxa5~b%eZ+RqqB*ji*f1!Z*!gaLQDfdix-ms{PWN#{|S%zqI0GQGF_3=gL&;i1t`kxMstO zfCLsE-dl1%9mL=W?X}+h>=Y%A=11{~w86%mlcv>umBl0>;2Q3~uoVHdHgPsV^FkV% zH_bGOEC53!Q8=G$aF@zyrYP8;3F$~A+_@vCBAvu`(0!ZTfX(S7YUEK$dzH0Ck?Mw4 zRpYDB_q;EenOVXOrVh*7cPN|0n2&=c3-ej$xD?Tqg@SR@ki|sn{fyPVj$&Hx zVvhG1{g}1Z8^S#j)igKT?$P>=4ZFgWXC92xH#bYRG|NJW?aqq=EPn9?>->u;3mOd% z(K6(|8>-g~hApj3xAuP?&5;C>d(%I<$TX{l&TqC|6hlM_uE#pOs?@T5mT#`SE>ZlH zAKs$VbG@TJ@iA=h$?(g+eBJGqm0wgr5axoHE1??z zTRaKa_$C%}H6cTjYT(!?9k@9^KX3K3M9p}PUu%)`SVpxR53;##r0NU;n>9HA z*ESwt&U@$7^{^c-2NzS^(D!D)ehBy=E;smSuh`zx$?;b#RCj_{*GXCKB0Gp8!17*mcz}__v?p*4|#+-{A zC!Kf!s%h+c`DDGly*q!x2$hpGR77~YaCW=IZEU_`(})^=QT#+-oaq{)_&E&oWt)S- z!Nr1GV&5p^@TbgufW9Wg=eW@D=vVLC%F^=k)VuR}70!m0kSI3J&mz8cw>vuRAAp6? 
z%D_z})elx5uA86U4Jr%o|3sVqHzCtCIao?7^cmgc?u+-vj*h0dQduR`Tf)RIam=@VcVfL*nEqK`iE2eM&Geri~W;5Y1j#kGf= zhS_4SO)QMMD#`l^xix6WH^YEpqgOCd;z*nJs%_yTh+00_m@D;kP=3(LeSZ`X81|u; z^_If>LsFe2x8Ns72~B;KM7bfx<#8Yi(ycp`E)l9&%xvay*gJ9yw2>F1V8gbn0c3JM z%aETbi9ZqiOa4zKWk5EAgZ4yoW+H1cd2JtyUf|b0YA7kuj980W80=)=xjMN#gzPo?Ck-n?KL_pX()eQbX`Adq#cKgwa0P#8##>DrsiHSr%u0FJS(rOP z0}Qr{Cj*0?exhb4YP@(Z&j`Wlvl}A;{W*L)7Sdkc+x~B%9iOnv56e7-0)UOpEPzd67GO2^V17^n*_&U!uLEeyQNGvP#T(yBD?Zp& zG(I=Cd(e11X!~yLewV!m4EBuMPK&q(zK@Brg@<24`Q`vexxzKkzVp;dKWXMBUwD?+ zQKHlR%O?06iIoAS9Ci*4j^o>tv7wE0lZyN{K>WvPF)@JrR5?85FKhh| z<|8MWd=8&8UHZr++W^(nQ*sfXTKkzQ31Ho6ptUjZ#~V-${#yj=`Vk59^t6ATYP3`G za2~rVW+~#jb))xef6^A{tj^!+x&PsQY)d!(^8Hd^oTJ-+jXM6yirA3HnOnF}hx{1o z(z&7{YGh%IPjmd@{j~%k&GD?(@n46G=v`KvA@LbwXymk?YVukW8nCA=#8ssHY;8 zNDnE|<+UbLiTFpw++*sn1aI#W)^vWdF_ofcSgf>3l-S0!4O16Mx*S~b@So8KfD5Jk zJPB25OF*hvmo=O-D~mueuUvR~w#$))ZxSjq@7kX6Q`%I#bAMRdnUPIP5U zH{!qV&b8}j9g^QEt-4IlZr#_dy}P*xAWB5^-ZcCcb;{?C+X`qvDn&Tj3ZQQS9AG&YzU#!#0C+zz4@VGZm2_u!eE_A^Pdh>NnNPmk5|g*!cs=fKUaj25g^X zwdjkRaKZeo+j|lzc57Dan&W>SUE$kQQc;mmrRSX(!XL9(BkfbRM`}I;SdeaLD)e<~8FD6?c)jYLN|1-iKw z@BiRwkn40?^TF8P0^gF`Enato1<1t6csRO1z4C!=j^>OY z?jeLGdIeoe!FYmOo@GdQ?h_a?l{StAF}LiYCR)MT^L>~$um#&hPBAg>4EZB%N}k6c ziC3sJQbUAxxUt@EImgQ^tgLt}i(6NI9Dbf7WXIue<}$(H?CaRH(sW?v@WGpHDdj1~ z=_}4MbR^c{-SQ8{-ZnqtO6R3xG$H+d07Rj)WOOf-@RcK9$79UJqYzNxkL7`ywGhRbOkz z*s6|!CG&HSxri}URJENeSPX)BQy2{yi*w7kkm=1n&{I^mj%0Y3R~5SP9W{>%*i65k z`gM!5GWRKc3u_!sAC)G7)bKv!`6@OVhqi*k35AWFVXVam_{tBY3$-g;nYku-6WYgN z;u+nccd1}zgM=3Y-P!9!)m(ec!Uy#Ciz3e_+O|(3ZdMy_(#tQV8v_GqxN}!M-nm%# zUNIEg(~0dvZ(HGQp;$wHTv&m^*Rha&zzB#xZP|B|n5;=<_I!C8Z>Dicu`qpC*cw6k zubDiy_2c_nxR{+4IA);94qV6EtY&`!IF#CkHvyYZMVpk^F`;Y7ty|AI4YyA(W#Jwc z76r~Ci4!<7Yc&*$!=GMitw7~{%6Rxa_jL1u;$;wy3Kkw>m{0Wloz{Ay=WC?c&hHNY z+*fX1tl|X~DB0$qxHjsm#v%dKRF@ocn!t1xbcoB*)`uSoTHK+V?FZ1KhB_AXzO5NfXA) z=J5aPVn9ZQ-2el-6f%W*Oz@(43V41;p>M*)*o8b}N=$G#bcVXs_!yx}8PyUkRjZRt zzfKFU=99AyuhAx!-ge0%l9A9|3p2#eR<)1hZY53O)XfUBRtz_nm! 
zPPlc~-(+(QN9kq6zf-#;W|!6)m8fbcz|!h~-wC#pz0m--jysYV>lhm0Ype_W8Sb{? z21sBJWCY@^@Jk{+wk@QG2^g^zFHgW0r@F3coSz|R=yw|%mUb&3pTiG9oM_KPjNWE- zL)u#kDTq%!LvjEebE@$rWkWNX1K;#(}UH+q{qejvB;rSH?Q z2%^OeV$A|(V~%VV&0bh6@$rZ7Z=riZNwwt;$*&xY=||#A3x9a?-9P@JJZHearniY0 zAOZ-~vnSN`41ivO`Ry}!KzOhrq!AhYFG zf>wh>#JPy{L=9y@X~1y6NlF1?_+Vm7dFI^-bNO?B(Y`yAD-l|IZTwLjLB)1nt(K&1 zV8GUXHR6=7s~eoK|Dd4)41Q&Gw-dVfuUik>Zo-JKeQd!(>0Nb1qS1Z23JMBmm-E@1 zP$-kq=RzaU6s1$^251wF&a{N0f6xyH2WRzMo5SrvNUK%S@9%v)z~rISvB(;v^!H4* z-}`axoZg7_`|!$jKh8AqWiwheJ+6UO;eoYp)Efk)`O{u}ee~YTdj#&-_1AyTi~^1!Ox-B?9gM6{N!P0;K~1cO&n_5jgh?-?SyEs{&v#cvY6Smtn2it(VPiH{rYh(BS{m}xrPZmv za2}zud&n}(yHpZ9dJ$mF&=Q12`Nraf8fdh#J02B+B!-%A#)C)71XC+9x zOT(*Sbqy*FbQ0eNZLK61D@um7@i$tXf7$ERTvHS0e5C>S9y#B$F6Bc3B=T z&WDeG>^Fmz*#Zzto z)_|c8g|#c-FEezs+O1^@%_#d#%6hI=askvbgZuT%oH~Xs(vOW>x-HzU^Z|bkK=94$ zI%5`j#<~+*iIcg-G-%FW$9VBz?{q0${2DM%V{AP8ZLonZb{R}xrEYrLU>ZXXL!c9Y zrVoHF}O<* z?G%UJ0H>jz51Q|7LazGWn85BiApZH^B(cYwC^jIEuRFMytIUM3WgN(U-Z z%Z8MzV?qwrC&I&%ee3|p(i8Y47IR|IhFV1}fPnZ0P#s1V7ZKm_l{rjXm}ub7{y)0j zGAs(c>mH_Cx|9a#2I=mURJv0nhwd)v?vzsLk{UXO20^+(7?7Hwn|D0tj`KYK=l#fB z7xQV)Z|}X<+G~}$izl4CrbKopoY^t}(_o`3_*vvNv{9Fa5xh~HrY;W~Rb%h#O(Iy} z7Oeh&3ZSSxpZVem-Uw2XGy{o>Ab-#U{X~<@om;IV>EcG%cClEs*@7NF-8e=idI+mM zyMz46Ih^ZG5nOb3b_9dnO)?BUa6vnwRHzgm^4xy`cAoM~GrtUtsBF(NseO;%0)#MZ zvVm)tTVYd*w_41Z3gjC51U&?D2E`*$=H^>Uzxc=!St*(5N3w0wZd1T!EJ6~>6Ej+e zmB{E^dD)tOLz^zR?fDwXSME!n0_a>9$Wh79CMhTOuE=fdr&zy*gr3niE;qeP!RQO7 zX#yYAxodt$eHkbz{kPwfpaA75|0VivhQL`+($w2w)vfsAIxT~fzUH}74Jz^85u}Ma!tka^IB~@}44WEB zWyDN8gxTXfPpx~v&FkwNyD40$rSh*G6lf@CH!#yi2R|V2AfXDv>0?C4Y?}xs6^CLW z<1y041XI((W|$f2kc^YHa-~@YJI^Pu(CKyHb%%i6E6>z|meu>fQ{PFUDX-ZSze2xB z@VmTWwovgB>T6;mqFcIU?Nt(xb2n;I;i_UpLie|YMbL^!>}9*b8YYB>0taN4Z4 z*yMB*81wOJABA%!+7pRz>)i_5J-dG4Q!$=R@fWpqHx9Q!X58vxUU=20Jo=?Rthl&1 zk9zI_^@*h>go(*bteN+brI`~~E}}J!x7eIKrYy9ieVZ8Zt$dyCLZ@ks?!#t~LO$Ay zJ_@1^sFy(I+evF5Hwz(~w4E%^uc|Y=Nj%(!xUf5K=PVepCoEGa$5w|LRZWQbcBsF^&V2P;0yi5 zG7N&FcT&WOn^^pA>()#q)Gusl1ZN`0J$~%5d8^duQrQ_k;y}1;M17}1*Q?#gcHBF+ 
z+loyig?x)xmwB(=gcza}NbDb#wQcolzgdf7ZJrV*&;`Y1T;&Iewu%|q3iKcbwR869 z1|2ZMi<*>PH!kx&4Ts->p}zZbHEu~$4Ihq0_1ge=4Z}oC2~&C%d%=efAUS!4P7a_> z6wWI;I#$RnHU-+r*tfT}BWEu#lLk2qJHaXj5gz__{U&u25fLOh=*Yh5sZFXJURA4* zm@0UAexxvmH!9wzB&JIyt(iTCE{aQ8Tw&|mb8e+wUm3=;NOym1M15fB{QMwQ*GcA& zEUx?-lsXeaV4NW8yi<^{$#d?RCR0`q;dDxc5ck67|XoS(){UuiXbdZ0>cI z3wy4GqHO4w_wn}fq8JZ)JTJ4M4Y*|6mPX74#(7($Dn?iFwJa3p2<-6+5+^S>H@OF< z$Pr68uYktKfXx@zA!1azi?f_m>Nd~(%i1QiSKr698Jt(h5Mw7myYee-&dKow>Opl= zJ3YZIBv%)Sfi9uyn6Fjo;>Y-elkGGD)V#hywrJ^Vt7`6Gw0hO@zvPV`tK$>y+Jyi(jvoY?JK#6g|+iWSPJ805jIyhrtMn4)GI=rj8$Rj8JO5pNaXuiWV3Z(w6Px$R{h$xrTc zqdN8h5OcT0{+veZ4+;&F;M2s$)A^qg+ddtWIBNTku9)q;w{sMn5r;K1+eHDp0&|wM z6zV&>!a&RiO@p6qzT}&q!S?iVtml#fMpU{eH7Dm#e6a`>R6!ku(DlKc2i^PZK$~sz zqf_-)iIg}22IN?H@m$NH>re_PFXF=aVn|_>kP2mL`5rry^C6Ni(9vJN4;S&L$tmKC zeT4EKvxz^#7)QC%GB3T4GG)wK+HGi%VAr9@o-LV5iGtPH{TZlweh;Dfn;5e2D3 zz#Nfhjn-u)R=?^3sQXw`Wj*PYe`0&mibX^5KOvARlVstSRKMu!$hgGa7LqcN>Hj!B zN82V}lJO;;ZpQ@w%5oeS#d*DFl_~EXer^Zk5pJT^2;a$}LY3LLwO*@*n$r_FD_Dm5 z_~Yz@)-|T@cfW`|TfXhM@QSj`Iloz@qS#sPP)S`ShKU#?7D?`8@&rCii4=i5E%6>s z4)u`W?`C_tr_-?(6{aM}&l9Ocx^AxFZJ;>HB)(4_J4o|4_c@&Iz;@$u1)%(U^r-Hs zABPfdIa?{U#!ns6hTTzGP&y2~t&b4iOuZj!VJjS$IA3CBfdKPB)XWt5}y~Yu{Nc!Uw zzNPuJCQo&Pf;||_)^-nbksOB6QLN(^p!v*2nVwh?7`pC7rAmW&qP=zMe!LPuaJ2o`h7h-t};r zzo_C?ZOWBo%21Ctn=I$tF4_vLHf?oKdxdyPh*)yAouhP`-(c(c-U|0A zJANnqD2%}9ivew98s8eXT!eZ=Tn2K^UJX#z-cX#kN8vT+vhC&!Hd&!xFgoCqg3M%~ zd@US2_H}WDcdO27(KT!5Hg}OC5Xl7^J{#Buv(C*0bMD%DQ-_k}K==G{-mOtVhS1u# zEKpY3eu$mIEi8FGg^QxxY#l1%i3NQv@RSw@Y@G-&%$W-O*a<*KsB&Cna?2E}u@KHk zdk=(*3Vk<+S$yq%*M5PCyB}AX!;n7MKUde%=TeQkS{1pxq0DE08XWcLksY``6nBg zT_11GM}oYl^XB;kuI?@BOEJb5cMv2H_cd$upYeim)j)*Bnob#JFKt(ytrXKp2l9r= zM;A!Jk3JbZL*WI7p)PM5nHwAgt~SwC1gRc621#0DmWH_d7yH9fqcFk8e*&8BNDwJ*X3kogk@g-YR` z^l$@`xH4=m6mTv8UU#0(*=Gb%h@<$}*xcOQ=ZZXj2TEyl z5E~?*OfbTF$s^l{^7M;QB6+FNHj4F6P?HIGZ*O$ESjKuI;5wbPrj?d0eQdC6fD*yR zC`sb%ss|B=sqp1kz$;2v8inhEvDa6oGkeqf9E_LD88+qJ&VlE-0ey9E|26qM#)jyb z3n{NBB<`KL4~B(OI)HSFsN+|!*2=esINcmi;K67%wPDb^P1J&SVmMMC5z-E&Xy 
zwniOZFFhqlbM>e1#~hSAuFzrZ%$+yA8O!L9i{Sn>4odT%09ex&7NN|Tqy(fea;|~H{p7S?VqwK~s#n%E>p^u-2wocV^3O_EKgYPM~u}{=n1pU(v zwuGO2+azK&V?3AcbYBagE^XH(hKgRh?cIHmoVq0=?U5!9wAB^yNCU2x8b!qL1A50B9G<2Meik5CPGKnpi{mW6d-l=)wg}c$?YHPAZjC(@z z>FrU|-zL}3f#4)AMQkv`yRt`6Xeij^-5y8{UmFt@> zcjM+?c7rAG`>}^6XgU#{boy}T1;{A2$t-u}bjo)7_=74?zSXpNgM9zlk zA`*|AVZx2~H;bAjH;H|3I8RpApDJtGm0=(3Jf}5aIjfg>`+TqPhDDy&Q<^isfmyHi zcRf)oWG-fNCnk>T7#mkFo$!Dkz5T!s?WYy0*`Jpl9~OQ8mScv5Oi2Piejd;}n}^w4 zJlk{|b`L#y)6UJ3nMgTT4KRHc!|Oj zPKr;P%p9J!SBrbw06_T`@)dcP(=Y8;P6EK`tu&g;*uXw2BL7>M zYI*`IeoDp}KSVpgwM&qZsK1R-4XP@O@(foA_;xcDUrRRYN&vSEADiay+ai=t~KyhA#`*?}9ym7^KCFIzz z*eEiIurkcUUPWn z#Ve|S1*flujmVb!Fgu878s$-O;Jg&*(C{u%7(W!qr={Di$iL9d@WN1+R%G3#IagJ> z4jG_}|8l0GQAOH>uK*6T6Dj7?pL3VHbQmhKzXMG;b|GJsshC(fzn)l8A?rqjt)Hje zry_t73vRUIWsxRbb7SgOnO8WF9LyiD-6|NSwITb;e+s zhS|sLZv(rJnA=Odv2m`r^K3mu*evq!O;DQjVfV0=SXqjv#$_9E|Dxtd5d$oP%dAcP zp>nqe>Op@du^jYTXGX6{V?_3X{8a1n(ZAQU%{41Ym38cVwtP%K;==CSuI%F{m>Bpd za3)lso#eaK*fKG}!DV8HjY*d_R-8O>XR`PI0!c}uu>_a!khvVX7BDePxwep~na$Hl zuspQS%q(RKw>`M9^>npRW_a?T$msaY`Y6 z1DF)xF2z;J3j|&c!48veC1mCj5bb++39-a3FMpJKI;hQdB!J2Hch|-4)5T~BNPB*` z#Q9`&EtC3*y2b>0aoOulUU#ZJ4DS@KusiDD*E8-z>uOl>dv9zS+`3=b^m^93OH)r7u~bi~T4h;!*R85kB`gnyJYx6 zI9t$LEyMeUD&uQYJ4gFqG%Wg$mg7w*YOWg0{paBRYs>8)RG}sH>SS(WkX+1xPYI9k zr|Qd#i1-2@sq6Z!Hy&J}#Vp{&A(IF9H?NbD;==07 zS#nh#^UvG@o55jXZ^$TX?eL#)%s+xRj7$7aPx(9+MT5N4ra{Doe@ixd4sCnVfz`y! 
z)(yVZ;F8;oAyBivC=EMIE}(lVw6vj`l!bhct%Pe*@s6qmMIV-joFZvcW?E80 z&JUi-vD>{7$Oji7(nchSvAi!h>%fqZimMp_b1Qlu<~@W~PosOEafoH$ymPz4#aL9l z{dlL{o9869+Y|$Qi|ISg-1)MzUMfyb`pauJ zF2@wOyUjmUcD}!u0al|xn^nYRy{(ztR+iU`^lotj6qOmq)n&E^5WtfF0d?pNkH|C-$JWbMz|5w3##M+i3;t zv_?+BoZ*D_o}?+4tLCW<4z~h>*OeIy!`C&>;pCUSokR*0A=|ryZDYT_)jlc_j~j9f z(j&XBmr*6*T%}AILxT(!w2{p;W^SIk6T8?1 zOs|94vbym@GsDUK2b^3FbS1*E%y8dI3C{jpWYabAjd}nV-)b4T&9jz>o3lvJd|Xi?oP1<+ncYR=pBfZAxF^J?H;z=$YK&< zEa*q-@!XDWX0&zuVoA=`TBun#?COlRg>}3%Q`Kf9x&gq`M|IHOr6{yT^h2eJN;ZU<-!Q4aoXd!gmoA4K3%e;z$0v+XX58&kn#(9*o53_8f z6r6I$x&leiGO4yOwr{g~px_=H`>);?Yfr~pw_(X1I7Lt1lH2kxkUS9xmTz~P&hh+h zfQP>!2%P39T*TY#X3uwrLB=Dq|A;)E{gW zXosR&dR@-^2JZhl-GQBNiy+qb?u1KsP7bPjm^Qt%H1mVWVhD$a#jND!*nGUjMx*|8 z?2tDo@-$)VOspQcL!Vy!6GkD`!$N8(m+X-)p581jbDb;$jY^!}QiXFH6$KBY7wEuJ zQZfU6%imsI+K#|SsijIh+)21@WiO1aB?ig3x;9$v-1*+F>WaVKsldv#hGmA)7Xqas zK7tCGI6r7pzwf(IwM?x@OvA}*E%ZOc^kS->#O5%swXy8XbGvJHodkppHfEY1I< zePNipCVq2ScJ7?c+!3E<9~1y{{MKbG6yAOHmC}@+QF;LUc@tKz2>pidW*PQfIQuYx^^SCX#Y$&_5eGX+ouhW!oyv|?lJ z79$J|9sWk-3!g7iOvaoRWV+}?9cRF-R+33v#Yg^+3{WQc$<`A@2q#zQVkA)Fc zUP@NXaWbV92%;G*D2#vRfz5nNSm!t;U$7bZdjR>L76xV{7SuYzs!Ts)i+?$0TFP1$tf0<^Pv6o6 zm&89FSzi4-d=_tz6kZW|PxXr@-eV;7*+;)|k0S6w_5ErdH2ZqAdRXK7VyE_lXFF!s z4a|WcSt@v*gvT)0m#CL!&hQ7`ecK2KX-{UTC6acG&?D* z`WTDhz*J<=>6&VEb(#8_lhaT>@g?m&m8cwXcRTSHH4Q}&5zb?jnuNyVB_I!boGj3{ zaQl0U$FRi7Q{ltIcek>t&x$rLSYS5IYuZnDpb9HkygCr~Xu0x!ir*0WLQ#jU+D7_jf=+F-ST$nedSP$xd(OC3y@ygkIuGUInsc)oi> zaGm@qHL7xL%H$zX=xO+Lbe{d~@ayQ5(%yhGZ;pas^-Z5A|I;hvCjdpw7m-O`iVhXj zD(~M;)WO=_+O2Dlx)US|Y`w>l5L}_2!NqgZPKg+WL|RW#ljTQj3Q&Yog|UIsmTSn) zyKt%1yo$o*Kd--7P?!23*%|4k{BfH%X{FnSar95V`QcUT=l3Q+$*KAxk=5_+0=zs2 z9!ktS%k@CVKsA8NFilf&+)-ofGdudt1W&6~uxxnXN73Q+A&KEQ1w4HzrwCOFue`K$ z)d-s!T=3biPb7gXZMSo{iBeto(^KMTvuoJc@TTv$q~+grD)7&Dz2`>OQf2Sgc^!iK z=lG&WtsiE2>X~C`p70;TqyG?vuqJ@@2E~HTGj$PiFmw4Emca3Wcxt6rl6YOQx`4hi z@|YcGVRL2r&kuz+(tBb%V{jJ|B2_Hv* z;NdCV1oBB(Lsn?mFMH22v%_2)R{U{q5S%%pWJ_7)hd}L4s3#OgnMvy4R7JvbdRxY0 
zIj<)KxN5Ny`=5UCiQHn;x0pdjwk`tUfVKKAov318~Ec49Y+>C>VHuR72`W!-71;jK-#v)4<3dgYdHL9JTr%~1|t z2p%|$7#puBD^G-qHDe^EY+2T+18F~sPD)U0k8BivP>(eNJXoD&z7j!200yfM7K?-k zT~SV5t4*VjKYUuJN(B4uDgZ(eU^%=%@c?%JUUxZ_4zB&Gedz%Qs+nhwLHP7;3Zi3#9$De%me_tJP)0~Z; zL~hTJTSnP~?#LmQuG3qyyD;%;$3}Q8;dxpj6)h@7BqYp@Z#=)7DX1k*cl5Z= z)F{QZ(YKSjICeuR^O|!UcrJTmOPR*ygQMSR&H)EruD1&kuk}ab67LcH<7JM&z8oB! z=A#e43Txd0@pV6xI(&6b33{^R;DNXKO5r5ve&yskk@&>HScC+@O`~`kT8YKdeDknZS_ zs&tmV0`96y-OQnfQ1Vc=A3)kx1e+4sqgfLG`1(tc>G2s`VMCrGrXAMtYEspOaoJFOWCN#kTCt2=YdU|x7FxFWlkCVC^PG_QguY9xgPl>V)>sde6X}A2 zVqzwm^n0^YisQ;h8Wa1F=~~HeES~-Ll=KGl3iD3>l+fm$h4AhBoq=8Fc#|RpO%r$| zr?SDFEs|3IMbcH1V=qCJj1wGR_pjWjA2jdW<35cqsGuT6(&BDQC6Op#E$I(R*#Jc! z#@|bZ3m{nli*H0&)a86f*w9$33E2<+B-AmX@I1{?YShEL;s0NuE3AHdIz}bgYGt=& z7?r9l;@lmL&T8%~hP+%+ZmONr+KqV~sBT-Vf2@o+XS7{AacN}5jT9ZV#_=VucSv)OLA?`fKBQDn0kW1BD%kr^b2XyG{ zVE-r5+a7pbWo^sGZ#k1fj|M_J+Ks#8>J&5{&4#-(Q>$_K-=CAzO>drX7cje`L4pN= z2uoKScg;qAheEhdFXj&(q%-T|J_Gw`qciK05rku|NS}?p#F_i$u~P!B3QH|Lh9r<% z*AuW2dy`l`wc=RXN<@8r>H~ykPEhN(iEireE2hrPcO+$qbS&C-Bbj>sLRb&mE!@ z2@5})q;hg-M(wN96ZoS~@d2A!51Eo|L|U5snh}n1W-=29(bpd#Gs82%K>ZEB5X$?| zRb^&oO4JY&9-y;bOIy@^(P2O~s`$=@=TZs3qsHg&@4=0|^t|ZA#MoMRCQ@69R>Q1v ztK%7{Qgkz;oAU$gG#tT-5&CLF1j z{vL|&Q?uT%e_1GETL1%V-_gacGl>?>{`Iy0{RXb0mqn|?=$}a$JoJ`BG1DRDVK%fS zX6WZplzcMSBEC4$mKvdr^>XXo3nbQe2t1+kIp_qQ8FjNbvvN zS2CwwP(&g2>8Y)PWP~2P`dZ>{aEU2DmxV&aA4$c?#_o1W?3$u>g`^AkivB~?H;uy) zkZJPs6WChFdygcTD76|FGV!>f1UHpdJ1WG&L2J{gXE&})|gw_)jAfGV3DuGTI zw+SMMPQf16kmujJ2CI}X)S~Q-l<^*XJm~g#TM_)j`IOiTDKi;4MH@d{AvkmXu&K{1 zCxnIOmDjLsOm~t(B1wIV)lOxD)gwY$`rB`kI3H+=#eMTt-rmz_2)pD8n|Em|V@8g& z((uAuKb2kGqEtNBnb1}>Y=}Y|A}R}#tef4+TD>j2Ge~FxUGNg>weqd-=E~FC}#Q-Z!u0N$2;oKGRC+q9K74@$f6LQ6iTPw{V zW;L6d33==7Pq3K7Jsl69W~damrZAtds7u+*=DW6Ek8T-^6(@z#2|#|LBi$MJAM2di zCeO53D&-h%G(6+Ky#QoAn>-}ZW|5^-E1H^`Xzt%(mCWL7g`82zhed1v_Qp1m1}8G_-3uJ&Z_L)jl#R21?anQDmo`#n9fa z)jkv0%#=tv&otrH;ivLd@{c$>`^a)UouO{|8JT1?%5sPvqTCK8PA08glOu{Sg}fX{ z8&@9w0Xn6Z=)M!b{V^p$qe9}GbpL#nXY_pNMlJd~r8emKjTK%PQ?%1IV9C}wJ$u;q 
zx?X)sr@PR{wV2JMRZZ=FvG*0`pf3BwrpB0K%$dRuO;5Fq@xl((`RXM$UYmGL;KuVF zK)<71=c*^m(akul%1D#01n)FuVSY@Pvs+vIap{`*+K5qi;EV)FmFLp;J#L+9`uJk? z_H-xuDzHpf^u5{-%881*X^Q5Ou{E|b^b5GnM-M!&`|5hbAR{<;fJ{hc6#S3<5%MO*@Z}L|wzfuMU$590`@yw@hU!oNom5N>e&TshmNNyFvdg0`|d1Bej z$W!Xy4)a(*lMU2wsCP<+RdtFF=4slCW=?yX4#9B8aTk)PfYt*Dq~sHo+YJL#g(3B> z^$tB_$Ge5Yma2^92~5ox0bOL@z`|HgcLkNTJup^E%IA*{Rdk5-{J7nqf(MrX)Bs)G z4x5MA!S-PEEeh{3)<|5=pe#ZfZ8LGCkntQ65b$r7^*ac*o_zHtu?7^57${^I#zw1p&&F*C zT(S3a9eX=zP?Q@jcmx?4WFU3_)7g}3`el*-D7peNVrIUl;*p!|J`x;UYwa>|>VTTM{>T*na{ugo zZ<*thC@r?3w|q5{8C0rV!s&l3+jf>BVs*7{DnGI!dP_bzv1|*(h{vc)bTdgwOV1D1 z;8KWDIpZct^_k*KeHOj=oQIK2dFyvpA8|G^TYGL}HHA(x=HwTbv9ad%6$8cj?l$af zxzgSxKM6fGYV@+j-#|XzW}erI!Qn$Pr-^?@mELzvl=sAAcD9tSsUCls$EZkd+wVkR zmCiwfKH4H>73Rnm=s8XtNbw`!G?LXGKD{FG~lW%x3sxhiVEfeo>u+V{xylT z#QPadR!k{MeE#xy=IIjL+9vNe4G0;`fiko5UzZ*}$DH&X10`b{#sPt_c!|L|17+QX zdYbd6OMZEznMlrM1_B}6_4Lit3~6R2Qkn>48F~q4v>`c2SSS!_>n~df?rB>X0KH)Q z&7lOQV&vv>-=FrH%+lxi$J|>)f?{Bx$~J>3_T38WB0J=!&W_1P1SWV6uyG(+j`sSz zvvZaDqW?ODk-z!8)9KHFa8hrNx7Bp6nf?WjUVZW3bm8B_IbwQ<B|r>k^16TN7(=PB=o8Ue&*{vc*`Zt6tP6cDi2V7eBd6nzNI zPr|qdK$;q{XHn}v?NrsBrmWfMj5&G*i8pL}a?#q1<+l8`4GC8MWhfz}-Q{tat@)^9 z;5|Nh-CtNpq^GE_OppPexkDCou78C2YFnHPVW@FRY~~gfb;Au}h@oOhAI34O zP^Dt-j?$}TG%}zNZ!mg#f)G&}`&~wY0L5I%=u>p}gh3(GaTPw29YvsK%Bg)Z?#}H9 zY~1<55>FzD9*@~PrN(LY^&V3a4UC?_tyS!a+t&Jt!JX}rL8sO%bN@;47KOha+9e!_ z+4LYmTrzwu!O~f2rHqOGeG1z~6XDY7S(#uhmJU7(lcl_{O-~6aCpMHqrEVyTJ#pc; z!tYNzYGyiVajAB53QFdsuaB;F{lc@;!@!=*oE@-jRY1^VhjF@TI^6N%ko~zX-Hp#CW z<~?6BL|szi^%|&0=?ed5e7zh0h!`e#K7jvC5B?*!3C22yP;lY0QZd)l5WLpW;4qGF z7Fl#0>%d3kjuz<9!1u9!QuMJ%M=$Y$Y1!+q;zM4GbG^)^YSd~8C>itobL0E(BIAN1 zEgJtsOFJchUM#OOo^YGe3R{LQRAvDn6kLii<>kVQ|EQO}|OMswSzxI8e`dflU zB}{ZB6{kFg#qAI{Q!#Wntt%eLswdnJToH`s82}L{JI@;FvgW;LK@K)_2BsJjLCl1< zdHHTSh2NFZTN9ulQmI5@V z3pgB<>x~^bA1r`}=_b{2gs4#eiN_Wl)&tfyDbA^_dhp+MTk;jjxynJ|b(q2T;!=&=g!9%;WkjJ~*BckTaT>w11R%8HL|6-jun- z|C2qff@C!`rID$4EY3rU^ceS7bBlnI3<5z$pzjd~&1 zG5*zA*J=MSU&MHJ|37=Xq%*9io^aH|0H%e|DBl$udssF2Ba-P~e3U<8RG<5P&zW?p 
zjHOpK)Pwz!Gz!ai?iMhDF7Cgy1;6r7U^JL}dg>)wxICe#l+R8C-&3D8Y$2*fH7BM6 zhbU6*$4K`kP({U*^hnmWeuMig6Yh26%fC;WqOv$rprK&S;({Ylw*gX8p}EU; zV2O?kQ5wT`DpeQyIjsx44;UX0UQFJ5fT5d=6_V8v4X87X0Y?<{JI7zMuiuhI2 zNTipR>ai`_xKw`xbFoB&zUepSAFyDO%4L#55x^KgF?Y_08DN^!4lxlm{HVcjH6j<3 zb{E;Kr6suBRsmoB5Yw9ay#`>Gys{)LB4VWh)ysbKo9kjuIP{IfB{w%Q9&j_Qn+e%GzM?NkHGrE02aRQziY>j2;0=GGzBX#edIml2Jq>~B zG^{{4=ZO?hI<|(b1f(g-i=1wSqw$fAHmht_VK%dA-!wS)eMlNoeR8BY1zO%5J9!lw zIg5;*GW62%?hs|hOJ;PTGZ`AfCsV2{5&N`M{dJnU>G(%P;4Cs|^FKMD|NPaH3v*IX zwD?Im)3y)z`Qrn>avc08nlO`vB&7!7pm5Q46z5e~tb1ID6P9X|R?C_oY$f^6KXaj= z@FS)P32ou+lyWKOvXlyz7mZ#YNOx*v|Kk5L%`(j`6oLaqXoawF;ZFQ4m*#8+LrPjF z#leUax@JA-7icGJrAY1}E-J@J-f>)^r$^SC$gNIPEvNv*4a{B_gc27z2h`R)aNzMQ zK&;?Y8;UCdNen=7VxesQ4B|5&al%y}P`?xiB^fw8LV5a{50_~6fpXFmwwta}bFAY` zUi+K+lf$X}z?1SM)`EH$2vP~*ZdTkJXaRDIUVpR|Ni*N?p!STV+sUy3#?qZr$eN*} z9U?9LN+H~$(Kf_?d8!x4kGZt`8U;!*Z?S)?DA}}E(_$*`F`GfeV+&o=((cwfOWLYV zDs$}UKqqfaEO$cf%$)`&>1G61vlKGyL{UXMxE*Xa=~xZe+pVyuk9TP5IC!HhK@G~9 zEpu%eR2XQ64nvu6`b7QLa9@IF0uuUND3u4XIdYMxwu?J+CTd3*ZVK|pJraMKJ=`a5W*c+^!Iqa&i?16aN>6M{6AZVCp$_5B$B=1K(lJ0?bm@Zt7q(Y1(Yng zTF-&?Gk4=Ch*;oXGs$GnbY526aQq1F#s3l^c@m)@_~=o~Dx;^YB1KregLq5n8>q*$ zQXU9l{L-}xpuPp%BLa`NS>TRcJNk76f+?kAa_*)kMtf7HXCO6(Uj z0=iQVoVP9?%8N%}3;CIQ(>Qq-C!mVrlUNef+=?SE3?hnVp{-p9$}^-Dimy_wDR_yQ z$e-%^4u(;X;B@?aL|>!n%Ee{_tQIfi@3++wkfNjQQQwCyCWMMaPc^x-jSZueS+!wE z8PgU-rBn|4l34DEh+{xD^=*d2lCZYjLSPBleaiE%h zBGBHyAhHN7FL8=~B8kzC5xp^lBcj2g3{tW;Ecq!=Gib>-I$e{rTs>xGKkKXCum?EU z|1ewS^+}L-cQDzGgDSWvVre3b4CRr$)pdt7+%KX{#>(YZwuREc(r4u@?t!&b5eYda z^Fe`9qW%qw6)w-J&$DiI5Wch&1`UBZN@oGj!H-&Co)l9fW`YY9OR#2nB6muv_Od1O z#x!2XU*fY(3Y*P|$3qCVi2dF_g$)0_I}3Rlmvs19fKMf+Eu1MHE5PwKeXj6yH}_JE z-y1kw_qCziJMY0yb1XNa@f_x{Y-OfpZp1)RX8VCODa1hIuTkMh7Hiyemd*5jB`1Hl zq^pC+&ow#EPtke<$H5l-t)0IOg2UR<*zTr&$|r2v<^67M^0?H;7V9V}L~>mo9`_Xt zU3-@_$c=2><@IuoX?k?LsvK1)vEPLH*F79pL@evz;N-i#H+e_!0?jpJA0ts*_$y6LbDTp>hW_65u)XK@@fms z=*%Xas?IlvSNzHQ9Okz#HezMU}IS^5UYdq>{o}!b92T z2NUx!ML3qvb1F&3D!U`@0bh&LF0o5W*x^KjZ$IYdp!NMZg6Inoi>X8p3R}y~TBJF6 
zSiv!6RD5+B)B3su)Ijz%8n)tOPc_lSDzhC+ig5n6g62oYKM|JrwpA>tkqcn{I@Khz z3wt@4oAXm#;H}nsZte27H(U*n_#~s~Gd+126!oX!i?AYI3H+S&wH@dD=ZpXE8VZ32 zNmkVvZTDA{j33Az7~GEr$4(*q7C{{UtSjM=A==nxZ1A>r$!psI%+W7t&ciTwds07! zQ7|^%`qm-$cDvoCj5l#Tq2h~vAI{eop`t;s>3@?+ zeEdc{uHU-71aV!>x0dXdQ25s|(w2~$Ir(~U|9f~!{_@LLi3q}aagR*M{rGi+tLAUD z^Q6>~rLsa9g zoz;h`dMRb3%iZc>T%eIJRCzpfB!U49q;8Z&Sz*zf!_gJ+N2TiHdDnd@e%5p4B=lsT z+nUCGAVU86&`T6wo>O~25oMrf^T_uM_L z52pG29VX#k&BOo7mLJ*rK{08`x!%D}k5OO$#w)*FHI4Y>gY!aF1p4YdxfLRQ$eJ-O!L z>5+zS?x7F%nk$FG_POyP#t|V($lTfQhH;kvm+J7y01N5t`(_Z**Oec{Xx_e~KlhMb zinW+Nn{5L)anAzavib(ow=F9Ay~Ln-E@+I1*6%)2wD!JvAs9kQli$zcO-K3krAQ4C zcANrtg?y78D$F7CwLIaRjW>$hO`q}F5?yF_8dQ%UMSiU{LRckOxT=3rq8fig*b5+& zbLoqzg^TmphUd;Z#}P}=9FV)OF=CZ-S;Qd}ON?`0o)t#+#J6e)qvl8tNqELdq=C8m-O4TOhk2J&QMvubieg@!DEL>m1*A$hTm8J~4fAYP#MFS0Pel3Ls; zXi3nX4;vfqDCoLDTg}EM&-HF!yP59Ar1bNX@>1Nc*hmBgZ^Vy={w6 zH@Fy@n~{zo#s%;Qb&Hi`t)E{|Aoko22!(36@A+aR34$8KfAS8KDv+I2-3OV1Ij=N^ zBPCc2v;pMT^vUrFeS9a@@5W`L4ml>v!+fEwWwr#7i)u^#;wrSkhMmw=>+r~HPe)l9FNX7X09>&3f?x5`%9M5QAnND>VpSa#97I85b>s?k0~WxCD(mZ1a$PYfF3ZwkMA zZiaBzr0+?pSo@Ub|Fdq!#Dw)VHjDb=kgwRJGW`1E0RD+LTFuW5?Nbl*j*FLbV*rqg zv}?Op+1Ew(^@;*xpr7XUMB07D_2i&bqF#}T zpmX871)zNPQH$S*&27tZK7kcGNeCV9NzZk(?T@iI&HEu0P&}9qiza{2@OHWPM!eQT9gmp_CH%$@vzo26nro5%?ohbm^|jGG8_A z#f(o^_}kx*3Yn)0ycNv`mqTn9E{^MDU9!}O3A`A`ulV-1hQ6of>M@{`7m{<7DWW@O zU@IVQB6-0qYm&Gxw7e1H8f20wYI7{Q2v9a5SA3K8f`9;)hY2*$@kRjkV0DHA8E)hHf=W4jm8XK=h;c_B-d5 zhv1i<`wF?i<7DbILnpkZk`l4^S$m_d(=YPFJ)YBX9n14e0AuPqt`a$2Jg1G&_j_rryYh3edeSKM4U1cDZh)KF@+vB_ZrQoOh5gz9n!^`w9#~LUe8G+!^ zV^Iq_C_oZljOX3Wk>c<}#~%s|nq_6>vK)b~Elhg{s|Alc`NuRN2U|Z`n9|wW61a1B zzPHxk6joOKzg@Qf$q=sN8|C4XYc4J7s0Pf%z`2i5@hmO3s5NX%z)k3wIA`0gsDoYT zfe{Ra&MgEpF4Pef>Z0sv7grjQgL|{lZ~}x&TA#CePC|;hohUw+@uS@^8JAbEc2+U){Mta~Vn4rJWI`DX>%AvpIc>PfPl#-lGE|bcT z3`ywo`5VjzkU2V&08Xo39(M-B`&=%J`KiCd2DUJj-ZD2@_ZVswO)V@si6KiAav9cu zbUQV?hi4#?x3TlZ&dSOv9>@ocjBtOsnFGAzj3~1{fAP64BuxJCgGQ^_sW{>ZIQF|X z6oRRLA9}n<{FlQW82C%jXBsZ4ZAFJ$-~0E^1NdQ`WqKO(2^+lT*tU73MDD45*R4T{ 
zC}04jmj)WYdfNYe!Ia)Kp!4p+=-*_K_mmBA{$EdWP<%o!j2}oX>Z~Xh!qGk=YA6dk zuhh@bZpa%1E8u~-_>OfX7}|zl`sFBKpP`#k?^1ymx(4_6c)=>2_wVETomWjdgN$M! zbvrLP?EsNL9d_w17F4`U^Y6W9d~r2KyzT0Zck_J{zzb7R}?J)eu?&-YSJqL$uE_=A^(RTwCg82RyrfMt?ATwR<{sstG zCWo{AokV>J#1k3}4x75qsA(Lqg|yge=zA6`PB*$9sXqV#n^f=E2iv6vxsbM0eXr8t zEH2cww!@@e1RmK@{wG_mtti%Oyj-derVX5%^4Z+=8d2v+3_#x7x894b!Lo`m|JSRZ zZYSC!{1P>*jQ$TYTJ_e+1D7?izOww6@v-}Uk9UVNCHVNJ|JI&^FELe71vU57BX#9=u zzD#^HSCzWCX*?qCF~T-SwR@X$d3o70|Fzbz8}wnW^R<|y9ryvoUYhm`BDbe%1N4v}vQRp&GMW-Vkc?bD$NE_# z#C<3hmH`qbf5b69;M1$$Wn%7rYTl2svYjBp=R8&QmU2|9%zri8zWXG{BycV+!c348 zx)wwYHfI6n2Iz>8F~?4bAORi^O;~!oL;K6eUI`*Ia^XBN)_GZ8W9LMd-W#HiXo=DGJ$zwx7Vl8$(TDzeXgx_ zB2omnf$|vc`&|z!VxkX~euzEts8(wFcGL}_>jc_vI1J}2)~q%p$sy~c$UVDschCLt z;}bX3{%pZ81M6N$`l%&&^yi6^J+MH$5XWoQz;f@Ph(Sq5q2w#VtL^6Y3bEPQwhsuI zN|g=Z3m||vD+i>_ktyI5&&1%C9U3w0YEsQ0=~XVRl}z`xf6fbn-O>^sWEYW?D(Wf*=uRQD(1pM-o@u*V=I*hI6zu zH0Dg2-?_;etV7I8I$B!kyysnDm*EON!mmJyekTm>q?yFTcfOoBSds8mDp^Vd5-i0q zwQvQ8FYDf&(3xiyO2&Zp0vK9l5xBOIJb|2YHe5X*eBWmsjBtFi>HUQl0O!_{Ab%h` ze_G?T5Gj7M=izG4=0SJS*y=2ju|reL>FKn!%IPZF!AImyX?YK~-_PJ_aW2@#&d$y& z<_oXiyjc9!?nvg&f<^Al($g|4`#`^VC1(j$^|xJs%1xcQ^WUG50W3of(aeDdLx;UR z@Rdd~YDJ?VdR|4}J_0Z>8v|VI(+?cywf}feJf1`XC`gsU>m2`NJx%q3AKuxk=X*2r zC|1sqfzOM&Ht?S({{5qir(ckAvfGt~RFATDzB$Ll7u+N&ZY5^n7>B4js2ahzmE!BM zHg`k*FrD=828STd;daWgV>`4XrTv-kE3~lwhk$+gH$mG$SvP2W6(0$5P1&DH8Em+q zpMEhY8(~2h=@W`GG)0=Q3!Jfzh&>^E1>+EcYAiJhN$DPuH}CaJA&ZB|#J)n~DD>}5 zzYb7|)1gR48rj*yu-WC}{_$#hZMSaWI^ttxT^V1_$)Ee{YpkPK$QK;SmuXo3z>IQZ zsOujSdp4on&soa4n8KzS)Btq>Vsvs;GDcvjsf!fxqoda*lZ(eb?9~sVaUKNY&U~!q z+v&EW;`;XP?7^hH8PwCQ0zwhUv4jng+gpjhBK4~sRG^2?{ZI(FoYSz6soMk`Iv>Pc_8My5c|9-jHJE& zc2P#m0d14Hm(Wi6dO+6CmhKMV5aAiP2{fUw=;#TE4HJbDfYi=svk@qdesqm}#;q)1 zGkkl-{FTO<@NUMi8|z{?Yi+=@6W z2JWQb1sk>%N7lo91uyMZ1UXVseF}y(3Drt zf!S!Qj^qn*T*5bzn#2BdS0h4*o+K7~#GT{9r}=>gX}2P|WkBs`y;WjLlU(0Va!g}( z`yzyK*o(aG1lmI8W#7I}B>jE~+fyPbbqJ*F#;#B>F*;#e;ZZrG5>ZoY!9SYerA|O1bD$9MKmz6rou6*u+y4}70y%mD%%;3a%WtY!!yTVw0Ox$$Gby%OOOyTr 
z&u0eZnT;>uAby6Q(6z4JXvIsZZI;Xeu!W58uOmAx#Be)ZrgaKEtRx6~Ffl4YMfDt* zcuus{)X+C+_h$rN5x8tM4}-dM*i+lu5T1rgtTuSmq$LMoW;D3p20%$*!Vak8w_;o^cQVhCxdjjm;1ALG233sq%u%Wm?Xs`=R&vu2rx5qp7zeFA%|;X;o1%FV_$O9+86J%fO&@S@-JFQycpK3UGA zTr^CDlCe9M-qz2>Ipp?Q1PzViZJp0MjKHSj109%sO_xHVe zz^&0rts3eDhj&BlgjP9x&oYkCzBtO^stKHupuHCPPGmT!m_#PFH|HFoHCTP*LT?pn z!Z5kz)VxgJ4p6|QtC9w0vfaAvAz21I38_7LL9D_Qj?;7LKHA=3ny8VLnhmvAOT55< zJGRK6%LEc3JW)rPNNFtQFGtgl-Yr}xKHz%6?6?ejo|^n_sLTtKifQJ_x_k0S@vr8K zIkq{qVWmTj+!BT9kU))L# z%|DzqEKvM2k2EiZz5dkcuDUWoc}9~{7UykpC(X?AwdO!)0Euj*`H9Q(AeT{UQGy(Bh^eKkx=PX7YtDUh^Tc0^Xi zsbKDFh{&}*{esuA2&F3CHn5dLxJn7wt4La8b9LH89|W9+$<07enxSglTxvfIju9ly zz|KkgDdpf@T!@(FA`YvzWuRwnpO&2^CRdfmXSLa;dji1_!(3+}<6oQSvY5&u)AtPb zXDl!Pou?kU>L8Tq$#JD;=~R?Hx4sD)nt4a`(G{1iWvB6}Ihs_SV$GKwtcWRK0!^5! zPlz7S&)HY!GM7g{WJS!&v@O>qDI~X0n%CB5{)$Gf0m5X2STM6rbv$ey=5I1s(mpb~8F-)~UH-6^kRikz zTJG_y-1aMd?FA3`?{f-R;z!yfJg6((S>8TmAB;j?P;bcxRcuxl0bu4kM9E91=GFi5 z7|>0QPM1#ct?HBKVaQIjQKM> zdzLgsnOQg5uh0N}sc$gnnmx(US{Uk;y40{3bVw;LMiksI z-|i(IPTf0kPt9-J8XDLi_5|Ljm&e362u!|J$7tR7m}srmj&jSqFS8hWU%NG&_9p?; zG6?6rWP?UDJ2z)j(p6AEvJ==daCmrlg1@lA3xJp+jKF)i1Ck7%^mlUazNAA?pGHOy zxIjb76;lNrkgkC-^+WL^Td!>|r&me!(jf8`F|NioD z!KQ#0)k#SfrhL+l!yXtnks7=lYP60l1^=zM-mCXu>4DG3KGebAsc1g@DF2Z}I+{U$ zMd*iI%$2AN#hh3f^i{6Rdgs((m6XzVM});F_u_KcAU9dScZbpG!eKPEJgcZ~x_;CB*{OSVvd<0i-N&H8q~ym{kW=jS}7KfrDcSk8+9I;oiH! z7x%6NwnB9NkhA9>WX4dTPApQ_s7aaLc69io@78Ng@t-fE{Vcb{f+b)Y-8cs@cCtT! 
zD01%NX@5NnEp;?FXMG{gfxPC+T8@bFtk)qLE@G;xmFu_F8eR{b(>5H)2GiFrY5O4X z+hozp5OGPk71)=RCdJHCCK;-d751~i$2aVW^gaU>u{avo*J*?T)0t5rV`j7U5enF< zOy-T%=OE^hwC;oP943kA%S#n6bJ+8lOK>ZV+=5nm005-XO8VKCj!NX}>s{ovHEk21 z?^8P*V!46)9jtzszsi7MUatdIa-px)E4{^c8K2wHh*D-~>QlHG9B- zFhpR;3(R>k#jkd?!wYlh_W&^Xt)`(@Ow#b4 zdIH=&wxgjd_cfaSLP1A$%JKWzN9S!0a~-|elj+c*RoQyV&9#%Hat^Q%2Idt*n6GDt zmfmTg0>H&$b-X9QBxv0>J?l$*`aqNqkocX#bJ`>V5s!u&gTp30w3BX;^I)ELQvTO{ z>0;;-^w~E(z^iTSOW~#0V*|Jaeueb=dU4oZY`5>CH5tz+lSvo3+SR#*v2kQZglKhL zLK*}_hx~tgorgZK&en*9D5xN&7xd(bjkSdyn=4WoMH={@Ec7e0bx4=sacYGqLT1%< z@$HH-Qu{bq7(iWP zQI8?-&Rc&>7?CWf{Y+vXiFt*}7)l2ii zRGq&832|-};fZ-le1Gdf0%N~}%D)8>^6X)!*NLbv7#5UHK;Z5|qu3F^&V`?T{U*`H^xBg^CYEgcNgNq|qV7k`O?IK|zFtAB!jxhshFI+E-ZK>Tmg;wwHO>h@n+x z2Uwqu8*Udnohe6`pGLG7EA{71GVPR^PX;p}mv{wtKHo;hAytKw?BZKiiu*d#7gJN@ zlS40MAv_)jGI(9qB-PmFGVF9XGT;j-%q{xsWyW7x^21)bbXMMQeiOb`N@~qomn8F^ zG9=BnNK&SE7hODHBT%-BWt9@^ac=gJyeuN_&kX`g@^g0{F$PbBiOXcqP(DxStc!2( zA2)K!igf(o8>2}Xm%Khfh|RY|6`|E-nZq=n?(V)#6`McTGBv$B65RP>Utz3P+`L%WTg1jIPW4SB4Q*` zChuF@a-Bx`&rl%5Onp$*lF?PGFp&%I+e{f$G@sqBMmWmK0C~khDihjM6WXDwsvWDg z?@5UDvc?``qYf|HtjS;6oWiSvg#NZCEN5EZzmbAuWT)WD3uI~nld_N<2*uC9y4Km8 zOHAHiDjG2ncyIvlZG?$*F}v||yH|*LOb{BMDH6mWYq2sxHSy9!td1_1YBp&U?88Te zk?6yH0!39hNt2Af=6$9HPKW*H^}>Qsz;`SN&YcWHrT?K%Pa3HRT5B*zN}hPG9jB57L(9hG8|P2jSrL+;>3VJfU- z8=$XxD&S#Oys+Aw{}GpeF#?zH@rQIaz}wQ@dolJ&EkAtr#a(qaFTr-@+TWlb2Zhf` zX-n0CxHH1?Y)uio8=kg-xRDGMQ(1deDKWz2YFa~IFx6>+NA}$q)o@n^x{S_MI^De)7V2+!NBikq@CN*OqX)cd_R;<|3 z^&?X_m>t^3F`;;(E3m@&-LYaSFMX6nC2MUI$Vch~eVXtEWvQst&9NeWMqPPAG3V?2 z27A=is%Khlp4+LWix$ac0V4qjIcGKa@$~i~`7%MNTh*d(DOl~0WtN}5gaFROM6Tp7 zDJ$GZ+lH&p^7m6wCG^lJ$Ctbf!B!1kki_mukvF^Pr?b6AVc^(GZ#}z5v1RdjrK_OjEX!UEZD76%wQD`2L* zVNI|7v^`o=JpRhw;~Zy4!dvIqU9xHo^(ylDg2J1c-oDkkw!8Cr(||L#;C3M!(m%(% zvHof0q!4d|@sm=t3Vv}{utGuw?5~tWyBZK0ujj6uk3QGC+CDq8SB@tN3_S(@zQIq_ zFDEAoFPI6+zPo;oM@b-N19gRz)~&t`CV-nyg|6p5z9*OnVdE(FMMKVL^i{5i+`@J= zsIg%3C>=^LCfpoh!&}oeS?KD{tSvXy3ss(nP+l#&e#)!F!uagk=p|HN@fJouqO5Xp 
z(GZFa9l`aAP}^Ni{${2*1OFkRlCg+}veBIUVeH^s@q}&6vb~hjXd|KCU;O6P70r=R zZ$YU?V6pMr;-k+E$oz<@0frMOI@L(7P^rC2#nShu-G&#BlOUe`)skDK?2l=yIhmQ@ zUMk`Sp{mkqWq{Yv3eC37IW!^06>D+CL4C|+k|%o5%~ef-KJ%r0szVo&ASZE zP}1(9{9iI8)y3~caI8j)T%iveEVj%>MM&}j(Pq+jF|WpiS~U|2xr5wiMf|xAS{9a@ ziEVv-tiR~bWB(|rKQfuvl`lRCpd0NH6KMLt_;#xHd~<7|=-6Y4hOZGUsNM#3a5A{o zogsE~PI%{sET2k>(LI7hRHI16{4>>w%4k{4%9b*V7vTYKBZeaDwm8vo(5#c>LN^S> zoX=&ekn^Ab^)rbc9oq9$g~FDaw9!*~nS2zg>cNZVeO)-oJfGiFZPTtrDoHJo-pG}Q zl&E-dw5VqXnZj{LDLetnNlk9#TQl52vrv)(cK)*>>VBkK>XJH0>Z-!nl-;WTMP~|e zkgb|5e*UaYkToCu`FJ{4#9EZfVA;jPp4?z$EJKfZ1P$j#u#y+|QA-k7IG(p1t{+XO z2Om0{fE%uj&gsK!+N@b86!eDnB978r3vM+1(>R7b1+iul$)IBqFJ<_q&+mkXr!Yqo z^!*F)(^+A@8*MUl6VYs5>055KqBcoNsWZvr1*!U<4tHHgJ73-X?w6%#w6lXI=R!%1 zipY2JvVuK}7ZRym>BLHoEUc``1|#U-dTtlZe(SSDuIzi3?io+(Et={?hSBny0PMf2zOO719S2oyf3&@y}*@?R)fX&IoQd)&t? z5sZZ#-ZLMbyv;@u^xv+}=M2#y<+-GBzK zaF?jXm#ZMz0iOG<-^dHB%>$;V*+j_<(a4!b|B>ImMhBb%ur z3A(_q&_IWcord?F5GZjP*;2iFZu^WK^aEZ!%SKoTE!sSW3MO{=vS!YX( ztEeA^!kMS|i67W|s@lVqnjIXY-j7dx#%+go5JS4EwB0I?5F)`QX}MRB)X1J0 zG&wp+h#cP(^OiIuzR8a$*65u0L1Do~xsE5o!-8XX!GmB-!^U>ESvcPtkL z;tJ?TDT@JE18*ErVH%BAMng1PU*v9<`OwVdH;mn_Dt6~|>~@Y_A>y+6af-R7wt`*M zIn*6|k;@u*B}&~8VNN!4Oc2MSNw4Hen^cPrW^OaIZ7z1h+y|hqJ<0*jMF<#dyXNvG zpBgC-c9dcNXd&KrE%YEk2Z{F2bN@@A0=vb#^x09}Fb+;M5xi3UtD6PdUWyUH@yw=b zYCmJFF48Jphu%dB$*c{`=! 
zuMvwvQ(Iz)$!}|frE5F8?Z;`-@kjbT_i{cLVVK5ax9ys*kJitF*{ReUv;7=?AR7&F z)IMJK68<9C;m;VlEIQE5G^uv|r*`#e?x!wn0@8colg(+Qsfs#jldp@@%?xj+nBx;T z%2)T({?A6kvsS62>bJ4E0to(ZCuN$q130oI%-hD&?ts!@Kn$&F!~LH3RVZBb`It+2 z6}z0;)k1*LkgYQzx}5;pfuP9}$aLd$LHOj)1~F|U1lKsC7;;xM?0Dtj#X`EDq}_P1 z=ld6nJSKEnl6x-Al5G+PW>S`e^^q#W+-=g95|Qhw#;s}RF;{EcoP9Yp0?reAo7%A3 z_gTv^lYV4xBIB8nU!GymRQg&Bm5-ZgNnh@JHrsyd$tX5o$w`ka3CF)ZN0_)jk)Jv= zzzfuOYJtS$aDY5uZzbO|O+*8IEiqcczEiMd$sI`#YvK`>(HZ9@@lv}hs{RvlM=NKY z#iR4br$*Yq96x)nvA%{#@VNADm?X^HAKxVD!GWd>3j-)x+gw|@pDdDyC%%8tG}Tnytu;Oa!$7hZ2d8M0Rn- zPC)qgV+0Gz)3OH92;vPbH+o?&ZVMeUT~gw!?MI89KR?b%u8V9r@HId!Y1oHNov0$; z@ZaTHq&*ghDbS0PiZws&B;TbU4Gx!fB{v!rxM??khKHfOWcD&|wia;dC7qX7I%s;{ z`8M|BNXA`1CIWj0OXNTgQ?e0W?Hh)nPWnb^{l=CU=B!vp zR1QCig>J22^xPc#COryljuih=Hap6dZ$Qd`I{CB;&|ao0FTGx`aZqo}HP7V+Ql9xB zH0IpF&b)=#D2P4u83VU5P=B^!NHo?%hn?Z&=SWa)`_Y~Z9#Dp%u_=mjz&t38!n}G{ zA#h~(x!1y;(#R0x^~rs%ONQDdnJ;7T3lj#}&;9Y#W3^iqs>^j(fmU#ZmowP=Erp!o zA+Lp|*S%B{YPJ;qlsgTDD2MOg_e$(lRqC~R26`maroh!ya2DjzCt|D#EI>-6Kgn!z zM<_#DbGU!X3#r^~;1=Z;L8~8?pE!Az%ugy$AN`^k%)=9Y78N<@NgqkX^*cLyF{@?f zfXI7MX)7z-j&E4srqYqEs*u^2zmjwUNh}voK%1z%I4bDn1kzTiSu`+z@brpipVz!E=EGLM5?kT5~&zruRqPyhV1!FKfwYWfkwcQ zC*P8W0iqu^a|e=pr)OF7nOS32kW8n0%);(VJyOKjft=IUA)&tEqLKIEeW+2b+>1fy z9?VI}4~14^2Ki2>N-KxqI+o?P+Y0kc_zOQgkQkK?ry@Qzm8X_gMv87-H2iq>l+g<^ zG=-s_=+4fB*{P}gPqoichdOt(vBPLJc;PV&Ve()yY>j$J?6YFjCVUKp(apxxrqmJm zja&)Ykp+ulR0X(^7YK?;Z7sWes&jd4%TSErU0=wCoGs25=g*J^E=&TVovSl(0{miD z8ay-D4W}boYqDtCWoI1iaulAbHOKd))q2`C%b|y)sq?>kCVhNBl9BjIx<}vR6_X{Q zbgj8O2+C)YNnn8a+W^p9VTVCpQjC`Wwa=4oa_ej0N^%9;*;YH7KbfO`D7KM;<3Uj2 z%C4}RHUvc!Z`dq;QhJ@+^j7kneaILt>i$IzPVK5eqt>T%k@$}iXjzgZ0#yVl+JBrh zTPVEeIp=viEd-i(efHmun&D@p>R7!GgO&AAXG`J_mSi+bg8tSGUoQ5CE4t(j2v%2! 
z$87Qh7%$G|QPYyety-x@D(3u-?^5tX{`s(vkb$Qp2Q{06G=@hSnK5M{LOxCv0+VP- ze0*J7bUu?Oy~_&NMmpAwX-cac4c>@$i;*aGKO~)sY9gTbuDyQL$HlZx^X`}>fon3% z&cvrhzG})+mrK5iy3%>!i4_*UVgWP{)nk|j!;MbJGMp8?H0&M0TQnc%G*3t}8RS6# z2L@KdLc-;mN!&lU#OUg^EC;>4B@O$%x$MX|@_e&D4cL({nsnz7&u)EpYw7Frh@M}m z24jQQsVTOHNBDFmZX;3X^?@7T4ko<)esU)-1WRfrCNSFHzHU9vfHGo3sMR**M8`%R z7VzaKQE~8y3}Lix1R3V_-Zj;iDL;3OM%Pb9dNY}toi@xQ@ov(XndRVKvoF)H$CytO zdU9ZoSuJi{&qD|)CZ?~p;9gSotu7~9^SUnx%KLP-2AJ)!eh2;aRs~ZVB0{%lQPli$ zj7qM!e66WmUkHl5)%!WW^2g?sFEx`9;l*=MGRRftkp7jB;zR-_q&|E6b`t-$N%>=@ zu#&)SSJ60Qp5VC4=16`%CJT9n8f|^@JzvkG^74jN=t}T4B9$7e=4!`Ng}Ro?n|A1J zLW2}14;QXd&}0$%hq)7p3UJTG)OR>js$E=MT$iOp#ww;T%TFy$+9V{@`ffU1L{CbN zTii1ws5NvwJi6v{^hphVSdgf_ z>XHWuS8op+MtjYE)SC+Z;Z{b!tu>!SY~h>gC$5eycCJz6oh+BJGM6GQ`z5L4T_W!q zM{b@Gl`UzwK^tlm{Kz#;#XYioJm}53`%!ssl@86tpp!u#mHG~i4kdw^-v&F7E4XZ9 zd>O^b%8jQERlTQ=C*SRs!(ZrI)mD)0%~f3p++~R*_l~6E249(dZJ3vQOn3#Zgzjca z$e-KPn5}P~o7X1g%=g)Z8Cksav8f@*h5%wxvyM=4OlOKy3pnNz(+z}WjqNcN-u$9X ztg;jL36e-s!ZNFom3=SCxdWa_hNEfUpX+lHXG_Ra4Mk5sq4QOJ+gk)eI2?Rj7#BsN z$;JUJcT=wiFLffb4TH(Tw-))I{9|$|t>qn`F1@oh**}lxI3oEHve6LVZ*tuCR&{6yz`{mNVNs`7&zL#6+i;&zY@zO%|MUwyjq zL}lVaGpez%SzBz-2C4)oPBb3R@zWs*9Gw(gRkl`Ly_hTYae z=?$;7-4!Vd#jT})QC4PlHnLN9CCP3vC1xI#NtU!(rYK2WFFoYf!9g8^fl*%@Nm(nE zco;qQShuRZ3_Rt*{Yv&GN3Z3cs0*rJ*)eDa=CKS;UQ6zC{GbBay+`s&S5aG;HZ41n zh5QOQ;^>~1Lcp5fe0u|^TvC31Y zcFQ5Y^lbBMb+}JDHWRB8QBY!`TWC!TJjH#*+QmaRaaiT7!|wRP6|u+ zS(ZLl_N@^Ov#*gY9+k<-$UcSUQ$37QhfF12#-(cqCq!+px?*xW ze)t~wHFiWNaevYUA!H9DeTDlQr0?FBgBf>;$VICdn(CP(H}zc>b`P9)$>^MzV$ z*Qfc9*8!&iN-~LCsh~f~mj|t?p@C@m*2ncf`pxhjNm4<9kUuOr5hf5swkstAY%eWQ zZEtM&VOJMv zmvQCoXI$?42$#GPBi!PW3UzAhJB~9Unf9pj~ND8x80T6-Z3}~==19Q27^h_~K%r*0Tyx74Rx1z-H3Mw0x;s$()vF@qD zNXU#I7rPM##3<0D>63s%-|H_7b|!>u@e~jVk<69bEloC6^Qw=z#|1LQ;V~x|S6FkIa512g>ZmqjD zV8dCHs}u=q9sC%bvRkPYV&d>d@ah%h^yJ)WjM)vTmAG+y4 zrFg+gJ}d4tuSn_N3IwQ4?ms~V7aEBG2b|O+zPjfXtLwRvk!`8gN88;%#S2zt_t_Am z9B`e;Zx!r&pka?4U3W{QV(4p)bqTYmB^3;RRsBY(yrLJ(UY5^*JTDsrIfBEJwv@)< 
zyTCC(8V@Dbb|#p>@fFPh2WD!3M8J+Lq5VKw(xTp<^UfQ$!Nhe&SoK6t2GE-{%Mq>& z7?}Kxqd5%a=c6ATcE>Up9X-SA}V#_frgroCbc z>9U5)=3tWju9h??IMPIBRB@C4D8mcomHv63fqeYvq8U51S(?;H-{=%BqK{+ITKx2n zYt)+&@bxI^#Dyr73$!>}?@D;^Kn zj)$*_2T>ClKU5%yh#^M!)j;ulT)#EnePqq}9uM>5m^O_0sF{!3Wf z38AY;Y=^QUd^GfvKYrc4ACA_tl{YT`_;blt>#or ziir&`q|L6dvo1oXw3Uv0sU25@zC&@&BvNPdrci{}ydY?Mok!(>pBLYj@l#86uDrBH zR;ni+O@snzz7ZW?6~UUq1o~RZkdHp5*mz;cqweBHpBquJsMt6_9=A~LufQD%R8&yZ z>yqWa9p1l`vn15~mxs^tkG$MA9HcE9*+QE)<8D*@P8c{5B_>*6;}k8w@?WZVT*5^2 z`Yc4me&VZu#fWHACjQIm4et6(-eqMW5|1S28>#o$5dv-`hYxRQ?*Po;VY^m5O-O>a zH7L@Od`cDb+89MZ*{JWeDx{iq;lkH-7UhMs`avaEu~Jen@UZMhZdnU#r?E7Hxq#bI zPi5yz5;ejUpj6rK=Lp4jHa4)+uY%XSHEV6z-(WZiei5E|BjFm0`yMVS($!N3@G4j@zal%Mz;FA=Qa`N4HIql@$z7QfJCN&DVxmGDfVCi^@ zqxH73XOgWmEOxXM?r85fYMpO8$V{me1l3T+m*uF7#o+0`bcrF*GtFs3`?u8pCt`pj z0lfvTv6-*cg1+HC`T-fgCo-m{<3)TNGH66u{M*w^#d05CQJxGOAu%Ai@c1&2Uc7sK_K4 zRf|~lrpETUFSR;tv;hK(IuPd5yz{#t_O$^rE8k0+V{^XW9o6FNRDQ#*2zmDp$f6XN#G@;;Q3NqV<*6V@`{98mRb<64DOw!A2GQXI(4Glsu|+> z=;J$EH~Cw|d54>|7^^smf}PS1O>DAo-={t4C0b3h?(xpDcqsf=pD;+_gO@+N;?i76 z`H7$th&Xyq@Uh`sU7b!@>Utr(0`it&ReLZolh+H)iTQBzUoKAvyx&1#^<;ts}UzkT;qRjdbjPsg1{6z9s z5t%z#+g3w_#~>T@nI=TPFy$-t;+9LIhW$NqBOsnajhPKr#WVG-kFn) z>vJOg`He)t7f!4}W@Cc@wlinV;0@Du{w4)w{GpxM$avH55rlklqaj-v&!Q;BShf2X zR0*2Pg3ZV*X0_WAESZ;VEFa|y==fN&23Dx&nyEhlj8jPgleade&Lr_)C&di(g%UNs z{2$&u6fikX#DyAj@vYE#ja`)Al{fb6-xc(+SmQ0bawV6#}RU>p|(Q4PUS6e>#k zrwLwhGk$IlA-D9uk~>(Z;J`83wT;ovwFO2vjx1j=r`??{Gk0nujL6z@%*fTIV5tv- zn|V}X<)jbUDAUyWsNtuYWP@962rfz=RcYvYw#cu=USchrH~d!$Jk)|IDg>6o_p}%uBjBUaU7h^|8(m9-fDLRj+3`j z@F%ke^-;b#n|+J`9|D_HW34cH~N;{enyj(YN=wn@|-*LR$iW51@D|=KZd12=2x#9v? 
zm{-VjCw)aa%A7fXIbRRsZ}I`f*|( zzF&gQf*TI>SJIN3R|c5#q*$Ii*1c)?KSUywEKsl2&1h;^?uC14;4oUV)s_AW4GRuE zGn(ORpvn#hzp~3`hs(nw-Acm2J85K>7F^siRog4<{*LKN6Tle(SF<6@l%S^$uMjSTYT|+nAj5tI_&2=4Db- z_3_bqY7q*Wgv+%ebF$?zi<<1WjF>t~_$ zL8~D8J$3`blot=)h1|$5!%|egc=99p4*pZg@&I1s$US2E{|RLNmVtK_925lH`hJw= zLQ&v41I74EKR(OJ`Ah(#PcfCb@vv3RY6GgjLITsCe=fNLmz(tgaJg&7$wX=yw$`1y zE%~q84D1h*?~+5_*F{Lx9s(u9_y|!Oqlz*Bhik!k|k)32pmC=b1mW9Aw7-W9%)Xs_ee?VL=oS0SO5y z>F#cnu1$A?NO!lC^aiB6ySuwVy1To(;l0u4cg}Op|9p7IxCev%VaHf&t{K<7)-|ox z<+ zePw>?6nm-Uu{~0rmpxP|^uM<#zSehXJ9zbUKf14XKN1_^b2|!7BsB)o(G>_)?{mk_GX`> zeFtUsI_aab)6SG+6fZu#jW%;eGe@S%CehD#n{7L~s=C_u-Z}sFRw$jyf~DMxu;Bm; zY`c<`#hd2;izwcfxTibB*BNg-+3JW$i{%}IK=2QJD*D)cT33-{(QH@P z#B9{Icw)12_Ca_Cqp!K!FHKKM>FE$=5=eLoZE10s&1d#p4ATY zm<(HF!KHCAl8&eM$U8<^X!nfU4{?r%QWoS1{k+Y39YV~jnPq$Kk1jt`0Q`U3$+oTu z`pr+pRh0Stu`S{`o=~-U+mgjBwZm+CQl9pBt7Mw15cfgGA$Pp{(`5Dc*Amb(%XC@r zTQE+IDJkh=PT1~Z3GrURnOqyt;^b~-^~mdGWXFbZXEVZJ1cy{7*6JgT0JAE*j5Isi zTM^wa$gt&fp>jKWHkL(fCtoSP&)4o=u@hTQm}yGw&m>3qnxgnq`p7pQV5;{rQzF*QAo=$;q?*uOHhSSyPWjj^Li&F#{`Yt z=U;yE;gR|}zc0%FW$If%Y7C6r+)GmHsR@8>CFpDnME_?Jm5Neo5Yu7x;Iy+)gEI;r z^tQgidzshclc_I?OcXa}i8&(t(|IqfPb<=A>96gLuzB`Cz03wV)#>wZYiYG4X$?QC zReqzt&}CMEVTOi$I4c_zoc^9|vAbu9iME6by@8y$xa#DrKK_MCXRJP()9f1G@Gu!w z_UPz|FR*9+d}xv%#>(JlV0RgMr<+`$qc1ebcsHxL{zUSyk?tazyWJj(xyk13<7?i+ z33AN3KCGCscgZ*6y%L@kEu?<9TktzPdGK+|75&->6R`NTGE_3)#1+IVsC|wfBA~5; zichkNZL3

|liua1KhBuc3L87Z3cOpLhcWRUeeu^A(?w0b{uX;8Ru= zbI-1UtVMau*m!l1QyXu7b&Y*4Pv~;&Fl06=?VM4uss+q1iTh~#&9RUh|4!FwUdxbj zoyAa2WDnFSGY#kpIjc!Cbb=fvxJ%UAW4uWF8h0(i;`&S1b1p@lkMm0NSa0hqjie5f zmw1Z@_w)Eu#EXs#2De3KN>F5cMEudyf(Q$VWiB{rVUHFNLd9eflGJ~srpQf_`TXn$+>LO(y*B^IY$_ zuw+$%(Q~xVgmwZo^Ciot9E#?5(7#-XM#iCQ8bK3qoM}lLgF^I4;!w_u1W}-upvYGO zblRsWaWVf79tf~$Y%px39=J)D%>IqHoVF~-c-SCB7FxHwQaRKn4R*PcK!H&#Qz@wj z?srhikq)xiC^n**=%~I+GM}kP{#CWpJ-}ca69K|iAy->hY=F3|9M-RQjB6`pPrd6l z1w3e*PAW6PMb+IbrG_Ony*dfe7F`iFyg{^22eRMLGAXeXA+WK=?nszLv}y+huX8d< z^&S@9O%4%Yp}TFv-Aqnxy5=`x1gnu5E+IRAkDq*TT>H&#CH$*+YeJ@txGK2X=N6Tx5YCSF_ z=RE(w?^R(njZC$CW)TRQ5lioxaOdTH#I`F!YX<}UXu9eR#(qTyaAVCD5;Bv!fXwNb z?)Hl4doRlM#(>0MZnI?lah|$?@5u!J1|NhZ0MkN9iYxrTQI!*z+DA)V4;qeyEBv#e zjz|Zg^hTUrzi+fj;481bnUSM*1hH@;L74XrkT&GbOOZcb`z}dcchs#uVQ)PA2ZICx zCWhDx=}VJEFneA}um#$WkjUPKOkZIzdl7@xK>{1?DS$Z^%V%I6GBgH6q3D&lH`ox) zO+bnE1^h3Rqn8`utn8 zZL=p*j`kvos-li$(_})c7R~ue{LuTRI5OJUptZuj#rh9{mFrcAK2ox}xLt0OAZG4`y#gq7CS7ux!&RfNL7miWIn@GUlk8b_9NoHd&1pbOH|$t=Y7 za;m*QPpxI7MAy|qo?{jVLvAR+5S%CB7j5-Gob}y!$HXCjF6T@M-oGvh}Kt}_x)y)Ld|;{&}amZ}VW&ez%bhf&3YS=Atw zZIGY$mK2vhmu5~~jO^ZQ)BLsW=6-?Ib4r!Q+# z2*Dib1TG0uBs{2we{fj>>B`rj z6wGEE0VizC)H(Sfu&0d_XA69;yHcU#Szr{Jxvd)>jRkavQX-a?8)S;P@>;F7Vx$UT~;DdW|cm$%EX?sEz`wV7aSY zl4uByInU7EJrL6HF1$2_1G;Ezd$+lokdrMweLKkuRV%to+*M(^60U^0!7rH;mY$rs zjAqUqTNsxKTkL8Z$X0RB7(&OzGyf7OJv&~q(T*P^;{TO`Lj0@vcrOomh18Q#VUB)q z*?_cI>zG>4zVlEXGsGu+%ayiIP}XJ4>tqg_d3H&Az>5R#x`A&jARc7_!KQ41>S za4bFcKpUEwcBPm*$rf$WHf{+&H;WD~3sq0k6w4EEqgggR^!Pe1u5FKP$LR3fI*}Y& zrDh{YEniA89hmv>PWqKq2(3z-X$jM<`l5;Bx1F&sQT_~~dzFLqn@sZ4v=GBd}XB8!M-fD=Lx6=)kX zb*dRJbwKYYr#^aZxzAadX>n?s#jQ4%N*GD zqFubYS*+cdf}4<~4qp2SCc27HYA%7&UTEHN*bd<)lmSIq;9`s8l-$;jFjk`Nh^=CkiLaVt$K5Dr+a#GpM5NP*XlI`t+=!u-O z3fMJf1Egrju$bfcnyB7}JUl*Pio*z}1cz#k^9|{$xQQ^MD!H?|-J{|`;k-|LJ+9oryU1N4wEo~XR81gQ2iicWT3nG9>jh%zTvvBaU-7DR$SZQ!EoOcv*3h_-%OTK`vYS@+k%LbJjEogT9Ry?}BM!{U$OK zaWz!ykE~3W&zq5VPKn$=O?<~FJ>hRFygx>+*^@9p>O1HEgPoti!eHM$ySRD{e#`s6 
zwhsc|@;waOj^uORc4|cxL>epZt4~+h-jaStXje$%ANqj-*wwG5SVU2q((W@izquiu z$dVM_Vj>Wa4OpHFi~g?$U28b;hz1ci8bTZ-JO60rTw@h7m0hTE_ z)LmqldA|jAwj=wVo&Ge6*HgDE_CTG{Q+;Wdnv55hQ9nN&fSW@;H4V?%YBo?x9t$VT z5f+{3cag~z+#4@I(4>wm+dZ~_R?knqpTE?0Mm?O7B;YTK`ZyxE#^pw{j-fFheNGOc z@ihS*>fx4bFv+vMFn~LdMQtAIWKOt6z(3hD^lHj?P(_@8wP6wL72HSGo9tB?Nw6

t=-JVGRy!M~oGggC@-(_SM> z0&BcsER}vaT*AQN(trfrp&IZA4kw5inTtOne?8tAL)-sXjK)xfQl}L0-?F}R&Xp#E z8Wuog_{F$FXoVFt#r6qDcxv6zwhYFFC`a~LPX_lfCsOFaciz4}wNnfsP@*RWdF+%s z%QXacBlo*bk~hs$Xt%OqPxt{_R$&Z5ty7XFarHTQIF7LGI(wO2eKomDqtJX^( z@wiu`nPx&Lb#$VtB!TT^(ZM#JH8A-Ayb7n-kL~UvZqg|TlKV^qdGcilh z3Vwha07`*ng7GCoX?2xGzNAZcd-5C?cF0els7Di|l@KNm7-ta4%*j~H8$?)zYq4jY zqU!R)dh(Rce4~lnOB|uW^P`LVoa?6x^t`hsYgLeD#_ev8&bKGn4Xxo_`-1C|t_Bla znNf6&3+HOIrj(-!Yg_61jrM~)GJ?0{PsthQyZ?WEpJ3~jl($WH7tx4`(6_z}zFa%$ zTiy?eRWTBRY{zW!v#)`M2mJ?iWIUf%deT-rfP^ZkwHS139PRcb} z0B2Xf7R#I#^J+9?(#_o7gz@wTIupM{BHkE0U{JrKKey_}Ex~W(a-_{R&X>lM(dcF7J(NTU!Gh0>b(jV9l_4RE zk;d#XP(KLCx{8()ruK0e$e{k@5Pl%Q_Wgz=6#qvE_|FRrCMZ)(Vj%y=HC<)#S$6Y! zV&dX5bbX${*+dn{8ZTu$cBERMT;RFf#z$~9h5{pU(D8KroZTfDxu3xGGNtU2WNcgilSsv^0<`+)0Zv5!eZe|+7HbAZp zyPcgzWbzL7_?OE?d7d5KlFFkCQ`JET>_u?Mg}bv(42#_jx6#X$Kc}{UNM|;lvt&)u zKWsfd7*_@W1it_F@a>=1|5>?zqB4Y3t0ot$A^VS^D>Q*<(*HlafcI}84=?;&UG2hVK#Ou4k4=Nj zhN=FJ(5hFd-raNZm5oAyFzD&Mjx=JA`?8R%JiKtff02n{P3L0-GNPr&iE$viU(RLc z87IPH{QS*wE%WzkuV1Ma8+LkS(JtyFjfid|6>7GUwCeo(dS}o_6Vqt}1v_nSMN{{1 z*?V&m&-75)xwjJdxU^g6WM2|DT@^hOt=^xj1DM?^>VS%;bucvtX4}St=HsmTIc~It z>(8-y=T$2#0?sCjb}_)@_2*~X$}m*uVq8Jk%sG7_e?y_`*OxW)d8J?X@6gz~LO8Ot z1U{UvAtWV*&dba5-g?E%%xq|8CMYTjdtiSX>pH^4W+e~v{sZI{J!!{iWvJ}ZFX`iT z^tb*>uV>&JUSE}C=JqB0thxI6wlrfc{sWscRG=HnZwVW1_vqI&w~1Rjo@fLAa?Ze> zt-v6!h&U!jR}+qbEtxXYSF8NyN^A1o+8y4D`Y091mX&`fN!kK>!gFA0PT12OL>p5O zvXcxM7r*v)WrM<=s(q*jap}9?wZo?8@HI|J^)iFrUd(#wV4@uKs~Ir$^mwr1^EDxq zi1^T#KvEn`BEA6$YJosj9MR+-M*Ef)s^nfPcYDOjN>wn_hjtVMTF8QFa$a0KybvSX zdu7>!MO^S)TTb($OmR459addAzZ}iKl@!~LRJd6zX5_M$f(edfBDn{i=2ELm;8o^# z^YqDnC;ER4r1(#{52gX`=HO^F>uUVF)YJZfWN2d2QLaDG$_%$e0!n0ShBlx z>CjrAy=YR5c)9bbi?F9*S zoP>v2y7ujo^(8~bjL#Qrb6yv9kJ(9$@yJBIovt)E$bsL_X33tvB^nwSj^#5l7v9DH zr(3^5h745fGCq{q|3a=#j6US%=eJ)@YlRl6)vT#4-=P)P@8wH%gh15gD5P$uw!lzR zP<#q=zuG_*9+|H+Lb*De_lu%b3Y0D(l^&x75Vm0`GLA%>GZp`lguA401OZmsL#HE4 z+%#K;tMa%RH72-YX;f}^evQBn7$7KXZkEKv)mCz%5%HK0&K11kUeHJ_ot^qwCC 
z>*0JkQ;qMqlL(isoM*eiZ<(rCQ+=Tv^AVUcqKaXB{o!PwxX`kEMKXKBPdM_1jU3u_ zGW<_2Tw1){b2ii8sBvvok|vlnkA5w8pGI?0UFmWmgNT1|+1tqTb4UZt&S^_6;t6Kb zFYf0%CvpJUsm717={xd6b4_5XtC-e6dgC{#k=Vz+0up5I;yh=ReS7LOL+?Q%A94Kq z$T7wHj_s;M@syn5_$js0&&VOIhZm`ACKMF!wq@rQE;N&lQ$<|FDN{OWkauqv`Z|-+ z@nl!siiVY5i*M`@t?EJqoWCn4k@>U;S*6(g*Il=ck^*&g#;~&eAGiG;1CqA!1oB0S zhRkEZyhbeMM(g=fi|zb3BXn@+TJI?S$q?u93Lx#vtXQP#yRe|%c(+$zg#~!0RX~Xb zSJUN?8Mugj$x-)kHn6@WLYVw22j>xxhz$i4JTY9ZkGcRwO~1mz!W+?OMUSl)ea#y{ z7dVq3E6MF@_NEQd{Z-ESh=;lhph-gSc4zzWchVDMbXC*hnNhA`J1Tes zNSa$)h8=0T-|9aA>V{oMiw*R8-R~Eiwv#BRO&2o1%!r`wSP|6&7Sxf<>7yvT*?vh|&wp%P7AxYb}@)(ksa20-jn`WMgs+ z31!}@vcVpC)>p+;_?*p46*}OOAc<%!!v$@wY-LC^2L4J}((R7aw%BRG;+k^1(2Mq{ z^j(i~?qo@I*^s)0*|-~Ur+sjpR{cG+Bc4rqnMJ6XX7_m=M%66%a?hMt{i6O?m>2<9 z3gw$Pa^GH&eqtHTcrm^G&-iQM6p3#g$B*=L3*FIO_Nqr*E^x(+5+u_3ES}l+Y|hJe z)B_VXU9GTpn>2F$UKa=MS>zU@=z8YY8ikg{$_gwk{4!Ae^@re=Zy8d;q zB%XJ9<1B@-Rti=>)L#gOO&1Eh@T`VIAJZB3H;!RTLQwyUU9#6MGuX_=U!wE=jvaTe%9JM8~+gJjM z)@z*0w+Jud>ke_8u^ja%J6So`Pt*RdFI@pqKI!5BX^T`I{8Mq5_sEbSR_vY>;n9os zolFPIj3^64b1UGt8yK#uKiwM9PDHFkYd;9O)zU0W?Ag*V?!0Y9$Aimlwr>% zVe~y?B0D}~#&`F6mkjpeBDoO+#F$=3*U|bbOUi)C12M}SV`PQh>ZH5Fi+i?|NM8kY zE*jR`b#Rr@kNevl<3yAAjCo_6nqAq)fGWFY%^Z^;jd9%J<09TR9%hBndrIM4;n{U0 z+?D>)0-QsOgxf4xraGd)z->Y+O+_)Jv4{!<&b}lunQdpO*I4sS&sw)CM+-^;RSipD zCYzZlbkkA@CbDiA5v-@TMGIZlr%;s2SBcAX5CmUQ4J3Ur*uP&cioSBD(!3`QS%z*Ft5T{gt9UJjRqtp2bU?4(SiW@uXiC@nF>DBgJ znT(SOIjL13O!ZiJ+^ceN&TA$Ij zV>1V5cvu1R7Hbym69Pe7m(Eci0tLm@9jS#~;of>v1Y!ndB4;#P`S9UxSB3#{yxQ~# z!mroKtbx%GE2oIO57Gf2RWf@Cn5pGW4Gmi*Sr>f(IoE>b7kPI8uVozO%DCD_jrc8U zvu(G}m1Y~R=1khcFY8^XPp=2~5xISY@!U`c2M5I@t^v_L zX+dATFN^KIaFf?VZr6)B1m{uF(cQO>-IxZsEI|zH)IX|DOgyzHQyvct6s|*9mvWn* z3knL_)|%Utk>5C@kbj26$$l+?Bf}kS^m@|hqh`Nqe?Sq*a)4!TqK3OTBU>!`Z|xWD8)O(kj3^Lm)*K z_IfU$u}%S(Y&$4vTrnbfJCI%gC_ z@dYBMrJ0meD&y)DJJZdY!S4W;#a)TRZG7-p;Aoezm+Z0qFD)w|1dhuhesTIxP+ z%MJIv>e}8Ev8NiM>`M&(%?CTU*HF0h^iI*-DcmPfQ!X{fDd8zBu5&to2gV}hBeril z)jMEfTk$cx{y+U??2j+UheEk4_r;TIub^nBeG(osv9M4wvY6EaS=5P+INbb43&3C) 
zmsmuv4Hvk$w9w6*)3{-qoQP|^JC;R8L!-zXbWzJ~vn63?h}NEDKWF3!h`vW*m>Y~%Nd^S{iil`~%*vC?(H%_}6f1q1k&sqdDKAK)=S@YU z3rsWsgu3qpBRslxRh4_M7i@;fM`vFna=k*s+BMY9NpY`N9cYoSzzECmE!zozgFC6E zQYnX`YOMz{ls4V3H1}7Ba%LdJewLZzmq{yPrLl2wc~Fel@I{`)Nz zYx|(;z7Z}Qc@im@#k%ZT5!mPeXt-vSl_3FQf~{TXTG%zkyzo~YcdFW_6mXh#9&~{h zKhyc7c!j~i{k~nj4;CnJ{Ov?Z!37T@?-wuP3qc!)0PU zD~uW)UBjnH;}Ri= zy3AScgfr;!QTWCOTX?4yfz&a0WKzv<6ZwO(?7PQ(LuhhLDIT*znodR~}vRa+$D1KN9z_;u1xH3?qB8C&bq&JoytcQQZNW0qG7a#N#3rxN?sFaKU z#v1@#cX7$F`g&)30NOH4x$?6fSDS8jtc`OlVoapdY)Nb-d?X0cU`A%2YS4ZUevM@$ANY1?1Sd zy;@XbdiZ$g;MN`&%X&$)Yl(O!(MyMG-wc&9zEHSnASZbRcRhoL24&^Lb5)j_$`=sx z1f^s&Ob=ocz2!#m+$HXfb7Fk-HVHBDWsr+h z#LQa{TGfGYM{eaqoB|gx^3A9)UfwkNvs(KzZrO?@*+;a!(-u!GR&)91<|54|RoKg) zW0;#%08D}X8nXEnHr2$sgJs@(gS2GoAa~FZjj)0>=294$bI(c_soHxeNb-xL6>?N= z3-kKdS?);ph&~1cJpTfvwAoNb$jx`DY45nBX!7MMWXo0t&dbj1)i+bVaBq;bv3Aa25y8f-dLNAR-OK|YrmU-xSZ)sicMS1bDvJY= z2`H%{#~q91;OUjZ{d9WVShsb(IwI`(4Bmd-4cB6I2*f2e)%HPEk*VOSJrN-*Ve}LW zW0a=BBUuqnh@-_K%1o69v)~Y1`!TU+GEjO9haZqMgVb%iy$WH;hEs%fJ0sl>sO0`2 zs$W+OUrPPaOv>s%#r5m3S8yC`Nz}sq_rP4EpAO4z=rQWn0fCKO1o&v3yRyp4{_*jj zCO1T!v5i9CC}4j|9#4DPQ)>CDpb!NZ%5?3+@bg1xpmdLJRbe63M}2UY_2Ne`mjN|b zim!%wjhf)wWEV=XFgl5&j#p94jwx32tQ&K3I^5RFt_Pa(O?HiUgI6ru~A^>@O^LK z{`egz7`74FS5bvo*5!xmO_v%~mamlWAD`G1AKus6USr?fciuJim&ky01|L;@=GTSX z-k-QTTX0{BG~!kk>8VuQM6~eMm7cJD@PB-BRCckde9&doSYxqV{Is}nvGlir1?b>K zMcb)hkm>@99nHck{5c3<c;#qK?FcJzYgX02gLnBv_q-Redc{G% zzksRyFzrxwm2??vJtu$y4_A^N+2Yt`LTPo06VrirqSx7}D-r7f5Z%b!Tua;uwgP@W z@*yjjS=1|RaD zJMx-shnX}r=ftzH9PYc>4sNfW^5>ykrDapN^01)2bI6Ts*Hl6dIF=Prj`m6Ag{vbc zhPfFde}{c3L!lBnfUf2k*;4HrU)G?*N#Q`s|JX{vK-3@o6-q-v-_;-T0 zZeS|uKXjnCZ(p=~g10|w{&5;$b_ldWx99ui9>8A*0|~g^)xoTG_=lj8v9TR=R0^tA zy;JBIBtoIwUTYv{rvr51i=iy2@?F*fNaazvk~G6JwyglaeP)$E_k0ujEREF6=B%Ns zb3fHifP!{Ww&LHVi(OZeL*_JP$GvzwQ`UhEh>psAK-0s})RSeb}A{WB32HdRYnl6d}cOS-GPr7QZ_Xly52QpM*BVj zEn{Sa>IgiZz=>^{@OviGO*sOkj!_!yyk%E}w=FcoeeKNHMx<8iBw{ucbPNWcyhO`} zXWpMTDRKhW*Y5XIzN*DCY&q^C4&9e&E!Yt4FKlf`qLB6Ewnv18tB&m_|EJ;A6a8bO 
zl&!i^pY=~={DYvioeK0CfZ(nvTG%%CUj~MK6b#~pSs^n7MuCBM8FTC&&r_aFv*RYs zz~wmufD(PGEKRwx58-UthakBXdnGpR_2s84R^lBOKqotj&U~rS3CNzQ0s{jrdvF|b zd+h<+5~6M(!)_=ZEu^iBKv{oz)ds(!^8&C+v^Gf*@74-gbVI+XDmMf>=vb z8nk_Gpq$>KV_e(uHciO5FEayO51iK)s#JXEdv~ME)TfJk71!nOI^1lty4?|u$j(3@ zysF!VnDej+p}tIT?bN_9@kTf2xQ=b|J}ODUaZq*!rjs9XOt}5A`d@w9VT*G!LJ)4Z};CuHx^W z);&;^J555!W+N6oXS7sR^L?BTu!JEsfH7-#xETJ;xcO2K3pe*s8L4M2b%|fOxVayt z2YX##mYWY7B7yef5N1p(k3A3eIw%ASYY+Y&pv(6r1a5{T8G;{|*Q9yN6D=@MdadUz zjiXplyB*xefj8r;7C_w$SDzL z#Z64OjNiI2Bejd8V-Sch1YV%_a;`0Zd%=maNh|mzJaX?&3P`B7uR9yi}oje%d6YX``*lPE3GwR@%X{xnYWEQ zJdXp+YNNKOrIc#cN7?l$mc@dXjD^R_th(p%=WDBdqtu$muSA_D@KyOcHb~BhadI6b zasoB&+L+mBDZ#^`EuYXqk8f#WopFW|tf_~RFFqzp+jEGG2}dZG{MdR64&V#TST~z# zdQV&Aj1fw82a)W2ZE#~bFkomnpCdayB>14RoGvXjgB_hp*LAYg(*GHPx?L9Bnp%IgTKLo{6KB1btpRaObwjIzj__ z*6cWa-Ge&P4ie&@_M@k#(8^5TH1u3w7vA4hmWHBfIAD0#Vr`KLuQ0FMM0?!3tT;bs@QwG^d>;g@nvpfW#Q5N6`-Kq320FN1R7GrnmSsw z>aM3<##(3`WuZV}>Cf1W^wy$&m*h7vH687agA>5b1CK>ztOu??f&Q+}_D;uP^!P4**h?90@pM0WI~hRlYXJnQ z>b5q%hYiq-lmpB55^#Wo7nj@H)t@Y-Vu0b7VuxMBO|`YkS>9XIOhIpM*-xRpyz2n< zIf`rcbX>SgKzcs_7KMZi=~SCL2Ik`JegsO3Z|i6L6-oTGr7jpOk5e9Og1uQ;8|`5{ zKaIHclYSDJ9r#~L`L#~5P-k2$i4p)w`x{3%|F!H}8VK;vAX3_`gKW)wk-LK%Fd_5w zvspj<3q7>4y<}>5Iia9gLGVav7(i}BDOy4{)F8}mPU(M5f5HXW4 zm=|K|Ns`%U;4oDB;TR~ zch#h}&tDFV@dAeQa91f7F*x;c-0c=ajR|o!FDp`Zdf9@i=n($Ka(ubWZdjP&OdC0C zmHGPkdrRjw#&R`&Sfuc-nL);98`l=MuztCyi(dS*yeSkA;14}9Rhik@ z`K&i~c)}Zdd8MhLv>M6_(XnF@zTB#%+1r=$oJk;{B;{U2sBi=mI@&3*H6d!beMIwn z8BwK?T?TWA=yAiZ-lEWo_WtcD02alsw>&={uc!N4)k~Pza@!Crp7@cv!dJGFJENpT zO$viN9`?1K=jQALj@c#YgeTTfyQ#qO9Cmw1RnJBk>%g2&2^6=z;Rh`9S_s!m1vX@S zxEp8W)3V;GnzKU-4=mS9c@XcT?Fn8TrgnGmdY1^>pyd!jK(UEw24pGnG&f+7k!Sgd$GkG_3zM^7Cx`@* z2J($2)>Z^t==j2SX(n#+*9otLO}EKTs7A)KN=rwAH;V87p}Ru7c$`*g0_~8@94LjK zUSfg>zoY3hr{5{$ixu1lcu3>9I@et`M z_LHgls-n@%O6q7HzBUu;SwQS{^x0(!wHr= zE=!I@aQ2$Hi+94&S#=%y%bvm_Y#D4*NYA7Y$e$sQMMNPZFJ#ZkEv1S0Ac3bz^wsF^ z&u#DVcosyIMJNNwY^WN9U!^YrQ-2#=l1>bfXW$_f6co001Y{7$3^@XvMLI%IYfvxj 
z*M(NnfcGzwrs9pckS5WDYiF~QFl^7x^MIUB9O6ORzHB}BwD|3Lj@86Z!qLJFP2 zAfwM#6U=Q~+2}YtU=5&ief3#)J&m-3;Wi%b_Ug4RcSGpk+E3TB47HnG8ElHbZ5fCK z1pWxA3OU=rOO9yweDg~Uo27k<;LxS$id*o$TWSWwK)wf71_AA3_wE##6Wg)ZHM+PE z8~?k3^KawvgJ&leDZh{+es*_#h4D~q^vctpo6A9h7?j}1)Q}tg+8EU5AR|e>9~$65 zF@4MJZg$T^pe9oOx(*p(E1pA1kcD!&OQ2~51gpO_;j-J3UHvxCY>rHPYA}40`COm> z(b#Cz4x>gZt1*>Uj_|IFC&M4p1_5t#vWUgLqU9aCU19~JaAEbLPL!F0ztA8`XkZ92 zL*@n_`2ZG$N?Roxe)>bli8H~&b$Dynf?qi) z$;n4d59sc>n4i~qUP@X$~FU=CIHwZtV?l2)9 zDP4wdThC$$BXw)H`&4)mmW>{x0|0MbVon#bLJ= z?j#X7;YXbV*#jLduJZ2gdxPIocITke_b|VJu00N)SoKq0=QC-T1GDa{`^H-w<+JKP zMIhIRU2{HnD_7$mw8-Bl-*+1bjde&74nNstH^$Np)!;qzW$&>`)$bV2mgWl`J$LEJ zHZ+6uo5F$>{_Yiwnd9SBjl4o&1NAC^7{a#8q!4uj{Mr>k1bt`4lZQ2`&c{GF37rZX0xfjTM+Se{gy0up^}uF4F0Gia_q~3nlX7&y%_h^I4Zf zfIAZoFlXiABtyjOV8po7E-HdoTieGATE<6v(w}Jvb>Ut4!S59ZD-Ip8XXxszj@Vc%9|UfIvz9)fT%&oF18jLhM~kt<0P`JRNw z&u_V==(4vo19(%L@1xFKg(`z!onZ%ttYF6_3k2zmjLpL8w?fLXziJNZsw|hPeo`}m zXG{rz!k|mxK02wNjpLjy8Mr67t)H#NomY5}sT+HII{B8QsC6+7(L8&lj_{vDpOj^%xWo+m|Khed+PaEl>YdEM-dgSj3!A>Y<*__$%UQSHv#YiU^7= zRLz6O-l=naOujOAbjlB%eqY|p3ube-wOoAKun4EYR!iXUyq>8)so&OL-7nWJ?DQ+e zg0FlzoD(BcmudAlX(m_66;44!41G(p@(28qvMSBJc$U8W!IXiy`c2T>oRE>>V&MZb za|xh$C+u%|x*s@@K}?g`6+dH2Q!>6V23o+wLYd#1>p=*<-nOkQVjQ$r%>4?YnPcj$Gs|dFOW&NMD}+&BMu^{Y}#%bU&_a03UdmcwGK> zg^{_Oktw$LHSEg3syI!Z08r)PIstz&b8|&#nl5BfHf!&jET#UnI~tIymde&C6U&4R zGGbubaBWSx=qrUy_RMDHSsZB-taem)p>|$Gc zRRpIR{EV@5=Tx`de?LBvG&l72cTW*^_*^v?-q{Kap}VfuKS$|;kWZBMu^3ZW;w4x7 zUr&=zYm^rLl6MOMl9sgkDsq79S+M&R_HNbb!Ct_kLPVxhE1OEH%tbV-+}OMVn2Y8T zCK5{B+9$h~n`xOa3Ui3{OCGBPI5z>RzrTM2sNc<5ueZ$q`%A){p#YkcSerL7H|%Ff z9h-YJObd-i3KUEWJ-w>RN>)*R@uGL%aVXYqCG$1?!4MWBTx*OVx=~Xib}VFz1hefG zfi(DnH8ZNzqN>{>(z2$c^Qx+vJf3ND*;%x2Q3EFs(7V>*Lj1o2?P}qkOA0hdDtJ6p z70n+eVBEhvb_fN-bq!e*sMZj_XXK&9{yxQd-akkc({35{Ue=S2GXqBBpJX+Y9zx97 z$n})X_P@>NB}@8y%Hbi43n2;js-P=6qvA-z5t$y%#N903>rW41_M#52oR*umLOHoB z+`;~AU@^j-#DfX$wI1+M4;6F9^(^f9`o9-_5r1TEiGcdkW3f!eio$eB*ri>8giqt3 zIniN8h!%D@>iG8DF6$+8gnW7Gl{GBjH)~YHtBJ_vFtFkW# 
zr4iyh)fssyH+1lVrTmZ*9CWd;s@TR$$3tuQ@65p%+C!N6TLJO$^*UsN z%?iu>4!?Ngv$Bmi7FMO{zAH5cUP<=cAS{}g(=MH)KBrK7+Sia1^gx{2pl8g^5-N+){4GIfLceiv%Djm|@ zB_MEapXd3-`<{2soEc_k|Jq^i{l;~D>I#TA!40%*_|G2r_ahtM#@Io-&c2T(ey^I= z_#15V_=|a0Ph7CB@DQ^ncPB|DmQiZkyRuvUWc)d-Y{j|KVQdB{qgF1f2i&mCppg?nq z(4}A7t(NOMx1)UIx#y+}M&#?Afe zL1(;saKydv=)0V3giC6p@!P>47cDPV6{E5XWnRfS*`qzE{k0{=3(;Rr?rWwbB>cG* z{?}h%n_8zfx11Px6Ws$=IERM{-MQ(6ByG&meW2@lBrJDEz$}t2;)8_=Qr?am68U?D zSBRU^4OH>8N=^~az1SGWi4k(fW`6u(Sg;@i0az#SZC@$WR$OyOe;p_9k&&&EI3 z>l)Uo%+r-k9(~77k9L18TlbyMF*aQ;=|ro ^6;@FF%@fFL3S;6+CEuRfyT8ee$_ z%dzmr?Z$`jq?+rnEm)N`mcINjpX>o|p@!7gm}ejQhXD`p^dVuP`SS~UBsxn6o#(nA zt5JtO1;xc@=(EjriHWu@6&o&O0QdnK%XZtR+;tI*8y@Y^sl@vElC-e0mTtBFjOQ0~ zo}WjbZYfn2)Rw&zuHX{$Xy_XWR`~08*T?|w+3)QVRMh`_=Kz}rj)I{3Aa$yGQ(TKy z(@V?|cZExfZ)2xgRz+BkMA8)U~X>i1J}31(YU{#AH(WD&yV!)=hvq8gxPvQD>nkNpxtbj(pN86VDQBBfzFnHdp*F&IpxDrzHit>Xzy3syHGwD3*Yf?}%Yjorb?~HCt zv7iCZFuQcaTK#{Tk-v9t0J2x~6T0~qTFDWR%g=6F`(GaHVrny*%i2^>S`6stq$}<0 zbqCAyO&D8H>F3i7@)qlCn)L@fVIRZLECk@fmtJB9^k>GUeIk&K^TyNec0>A~HqFz~ z0R>LqKFYUt+f#FnDla~DJ*5cBe7j3@`mNqAnD|?>@w3da(_N9Q8JK6izkQd~%U4wH zpD?!T=vD+8_N!vg-n~-=nbOa0zJa%{YUJ*k)dV-i7afZ0?`7C2e{WUOZRc={`a$q= zS~@B-%=|+KnrHK6Gs!kqk~D>I1!PmKV+h!Jf1P*t!N3xIaLN)^`uhU$Qx1qXlx+W% zDe}*fy+B2XDVQXGpW7G_2D8{uxR}~zY(D6oeRkf)P2;T!AtmEcn8r#4aaK4s*y$%o z8Q?$1Y_?F$md6>n9Ppcadv2+2pb`+w_+Q7y&U@tPQhoXo-HM~>*5RQc23}6h`?Azk z6k(iv%>|eV#scBI5Z0NIop;GY47%$flP&dhFWqb}gXnmB1 zM!O!f5wzIbQwNd$2GMhw?r+#%jQY9tJ=Lw%p|J;<$2bzx8*k`k^8shm<3_!U(eGb9 z^&A=JuV2elZPy@it=EV$U94=nANG&-8|BrLh|6nLBYCo{hFZRSKxftsXIIi3u_{V! 
zC{&7&V<{~+ELT4_iQAj+-Abp+chLC)dT1fpvMyL>J0Q}v_Pg>}#6?*R)X470N!&bS zO%vxT6#oXhkNfMUJ<{Tit?{j zDyp1tDW1hut5;8&vK>3T-K}#v>0zj31sdScaSs(oZ>eZQoWW}-&D6rtQ#l&h|N7{0 zOyr}+b(|)fITZr*FPZgOlarHlDcH@*79XJlq!DbW7&x0*VastbIX8OKocf%v3u5B( zI3*S7Ym08-yRY*MDh%sYvmd`jRQsKJ4U)&w%lo^eW07eWRA(w#vfhVL;EKb`nvAm_ zzPVKYEPFvP@^ol*TR9F%m129q&C0Q+0{>`{`xK{dy1T^U&9*|T!St~b%QcMk&Ds*Rj}Z>TTjlYFkK3cO(W8%#ZgWn~zibjz zBz0!@-OGH1mi1=pMt|5J7f)j^N#I8JKPYV15LWGf!)czph=`gE7!qD~H(PLE(Woza zvg?AT)j1sZu2O2qC2Zgc)brt84AhfMEkZGMe_v-Hi2rzSets;!{#BOT?(pQB4+y8b z-J{ke6z7%a3gzzyrWivh5GutS8xuEib%i-`WncY$Y3_s}Ki|FVju>T5_@718pPH(3 z8T3=;c0r*~sn#qO>K+FnZDpFsr|pr*U!g>*+?LV`2BQt8^FSu15@pyJV&#y}v_ISgQN=;UE=MNG+E~eRfUx0H(*K z20!|q-|+0G#cWjV=OmUKwa5gK8}>+{>paJOJmR*QmRxM!dT<m%-z6&j z5V~*U?-~h8wOU}+sx)kS7v<4EB zYg!gMnO~FjhIcjF(hevBElXJaS22e|Sq}Tv)a4xM=dQNzf8-oh7LJCw*OI)>1Qx*s8xP}~7VRGEpzYiPCWuEyZ#XtF{A)8+6?@Wbd6!TWedr4c(i6Vj#hv-2QKj-B`MG~}+2o48d6 zF9}|JQJ0V83;G`Po&p24C8<>Y$!@e=bBV%Hs8ke}KqmU+-AWN~J9F-V0@IhQZ zeSyN_+gASBTycYCR6(_aZBc?5NVAnA$KuO|O+V#!S@4{um^e)Zkp=GLKtOjsgdWMt z?$+q<_8o!X2~eK2;{K0c`rjo)W&mr0QLAP!5d)BbL|MK`e5Z za=aUH!X|%IF6mu5{F&N7yMoy@hJ`1;SN2CwShk>a-u4Y&06HcHTqN-7$~}$y^@l(7 zzJ`ej2Y_Dk;KIo6^Gl7IGyu<%=gm%D3yj zO;>UHv-eo&3|j?Z*3s+QZLV2FSZrKD*>mOl!yl4|ni==kT3#cx%#;>QxHdRgwH*3) zR%)bOE*^M<2;14t9Xj4`8#AvoD5FMG;q8wJSBQ7at?WwH%N8yjSWWpa^?5a|MjE=6 zN{~B^zZ5=dEg~5C?$b2tQ_4l+n70ygP7WTecQZ7K?e-gVFs{<}PhOxAGG(BMyLyuW zxd?>0rUlw#c<|=)8G#vDz7SiclwhUg7e&m_GSwgVCT0!mqB!|v6ev`6!z}hR!!oX8@xZHRk z_7}VcC;kIjxHSps{l9uAfFgX2NR#8yN5e^--wlxwuKMCdD>;{^erbdxrzk)7Tt7}7 zTv295)W+BDecL;J+BWvZz9H@$XY_oi^W|?=xF5H_DvvL^>yBW1>L&U#U9JvZ6@cpT!1Yz;fMk$?9*k5>Aj+==wYn{rL;r$ z2kf&hG}?jLs@EuENL;&)SntYCA5MT(JJir|@8H7uv+dPv<*T5XzIKz7blA4YGVO1_ z4l4KASNG9f*^Pb1FD8QnQCHbaG6h14ru%d-EKo%-Y`RK6@d>&=+~bBd@b%KQqVQpJ z+)j0C$73o+9N8^Q&&srz~9dD2-cm_Ub|ooT~Tq-I5wn4wDr+s;z`lI^C| ztNweP{kW$abRY-przWL2Z`-^s6idb>>e#YepWt4T(eVA}4@R|=4J(rUJZ034Bi7JW zX#y?bxPMV4&2&-<6|5{q^8Z!5{ktw4e~oO^E8CkP`4Z^G@hb{Cqd0stb8|XMXtR%3 
zh2Gy{hglCuSAX`&ZLO=yQoryz_*lIzF8!(VIDXKRMp!Cu`!Ht5^A{@6c4@?Rrt{lv z06ZTbJtePIWKrC_+fX92^UpxEAtlZ>1|&3`#O7uZ`e*Q;MDE_uUuUH1UrE^XKw-3g zjdA06!j30DyS84bRj&Bmk?UhSD+2Xs>v{B||Kt5xl%r2KSEWmj@5$`z7;mbCZ+i7FkF*LY?SF z(3^SPkHp#zPc@CaD>0A}w=SP(ta0~Ky)MYepo}p4uDkViyUOq0%f-0s$?$q#6fdql zT1@-s6X(6(H|Lf)zE|P$;cV>eNn;Xs%CURoyX}YGNDShTbjYpUiO6Q6=51nUi~Ssr zG=q98t(K0Cd;Ir1Or*Qk*(EP)`rRAe-;$mV zAu@9&5)(G2Q}WHHD|+K?)RXCRzd8zE$Vs9fm4NV6%Vyom(^~o01U#A}>e@43NjA$? zxv9QN4#A~<8_ilgkTTWbQvLgCt!3kYHZ!-VbIGcWxQ`3x!m)?DFt}`fzJYl7z*D5o zsdY-NwZow{E?aDVg5&VEvt2srMCSIyJ2;+}W%7#$5}YjVluyHGActAnvCkwTI;@E? zxp_;ay4*dKZHY@hZ|hq^-!w(k#S#-x~ZuiCFbcV-G8^_4NZHE8! zeM$kqhk5~E^?^@A<9 zzUuXah))ZP(glh`o)p>lmm~_R((kBD5H-YJ>On!;7*Ybwo5_ZeKJUL`Jlje6lyy7< zD2|8!6h${3k9U&f!p?9|+von8_mdfy47_mr7a?4b{@_$}Fv=ky?D?D!5+{ZVCC3#z z3CQ%^N;9ldTo(MX(0J9j48yVVTtwcR%PhdrDa3_m%!$iyl5WH9)5p7N45!wkVxJ&t$k!wW)OeZEdYr}8g{h` zdj9HpthWDYgy}$>Jk6ZtQ_YcUfWRV!q;$6-IuTajd(h;&NDr;4N!;`psVx#pKAgs= zz zYe`!>^hjD8^s?`Vl?p1LhL8uZZ;ylAq{>OMs%hU9&|PqN?^Y#i)epQDI?4{mpc8Mx zJT54`YfSuW_kiY1^iOk^4TRp?65^}nt-f%BNGBa5X2*s{Zo8oIv6$$c@qE-0nS#Ch zEMrU?IqWegd7P$j*!xIfxNiYSHS}{emYtK%_6!A-7;+I?b*E;%ey3Xr&WubUHvDG$ zbyUATV`FGU9qs3stQdjBUsfhj&BEurEG6#0ofCddN0a^WFQ^vu4Zt{+YB2j&uW%86 zZ7x5&Tb8sM(f>EA38zE&t^D;bia=bYGf5Y`EZfdB@xn3uOR0749=o4mN80TD7q9Hk znij8n89c2uA@lD$TC(N39`3+_Ls$(|Uw~_Sq!jU_npGhpA{()?J=^EK z{m83yWLQJt&$7u(QyTGb!lFup+@J^%=(c!#_RSqVzM8&GRaFx(k5pbd8EK)w$Ph#Y zG*dl#=lQFr8Yatt)0XLyUSqYuB``DmO?YE+y_A6LcP@x(%l*~DCg4_AHIfLFFN%rxVzVjiyhiFEU*LCgi3{lk2`^Q$A5TK`urfwd7YjvcbE;X z_(d!cF)=v@!0B2&06yYmKzs>b`h6Hc>$!nX|K-&vi~{EEJ^o4By++CwJ5)wPN5{(I z+kSbA>ebSFQ+lg!>HNd6c2ZLxC$T+)-?_zzP`Tm`8UDghW1PLn#h>|pn2_WMVq}wg`~Ic6_>dGnztEC zD&{vqJ28P>3mW2ylN@K|$wgI{i2U%4k}e#)l*%iCdg0%Pmec3r63?H!v9p=kPBYvT zXwW*)1w$D{&mB33@wcg%XvOcU_l}tkOyt;Vz%r1-?>q-&iClW%!YEKz-*}^# z_mxz%v&@)ymxT*`fEtX6okzxzgYFNZ_6sH};%(TIu5&SmfrpTl)Ce6O%wm?2xOF9{~@O{O$=Tt5p<-cBcv#m@z|S(Idj+ zX|}MqvG2g&*2S+E=}ApIJ`1B38RvMcVGzE;jRRa)*b`R;s#&%c;^^W<23#fs?_s~R 
z_4J;H(Rh6cM~AIMfEZTWJ6qM?asF&Cs;CgW)5AxL-@n<;aij}lH>e#r>3;C=le$oJ zQ@~X}!(+!ODoL37J`W8@MmxfUyVf%+$D#fLHZC6!_JK4)i$DDm#4o+`C-g!kQ5vRN zWN=~>@DAqvqn*a=H>uG(>B1SL5q$Nv_KSSZK_IST?2p?%bV5FcA5|+4y1i zY1-qKHP0OWu4=1&v)J!p`OWRZW&5kNa$it!ws21NYTeyRqA$*uN!O;E__UO&-jLv? zd`5VY*!_W%r}@2WCGD=y*Fn5f&jX`Ei!~WEIVi8StFv{Y(-0 z7w`Zuayu%BzX(YDg#tKPG;d_jmo0jLvG*7NdR#8`p%E<_U)MdZQAT)ei1ztpqdFhf zSJj*W(IZF^wOdf@csys$G;idxD$)jmxXhCxhyJ3}_gbIj3-;EZ04k|>n&bQUvj?sX z=sv$s`vC=J&vS^vf_09svOlYCInltgsRES+t4BNnJj*wea0R(VY2>=rRx!`jP*P+` zQyE*uA35y!r)mNfq)(m*B`QFqwJ>D}dI(`qrDV1^mr>zoG%9#GOVYCeK7yWS7Uws{ z3JT%)m0X-q#aJx@6gHpf>$M0@3I!w$&0^9>d}hkH(T0M8K8R$u2t?WYqzmm^T|*EB zL;zjnkKjno2dH(h17@PAblXhxE)7MIK*0SRHIVnAPh_WOJc zvxjZK#`I=L7v9)7dl3H?>!3B6!P;#A2?fP zpxcG2BE}3kjr`aJkMQ(&-#PU$CZ0>#LBvd?t660sXBPkoZCcI@FYUQkE0au^BH^>E zRP~`Wf!9kc=5I7D=bLWd?R_Tv&~y9!p2vmPa!mnk;Clr%2b!-_?nd&Co6{&d!f_{I zU;lzhj=Y>2H6xIaoJ!^1M^r>6+<9O#TBszS?cGR}xalU+5jE?cc$H&Fb@zaCr)#s4 zph`t6YVt_yZk9w7Q2e38?LK)EW;CmwWW)X z9d`&?vAnHjpc+b;EOjm#S&{!ha`^1^5KbZn5^e%UFiz6xrl!T?$KW~%J)Ci`l{Ic2 zK)1*|Nb{-Mq+P+3^30M#e=N_RD1{}zuI+^Ye|ZAR586SrVUxreQVFJGc3;)4GEZFr zTg8PhiZB}AsDMvsOdfCN_TOydIf`OlHP2D2h<4TPf1g%uo?khNc5(e8l$!tbwSsCA z7H0-qQtzFT_NmaI#tnCpo&n9Db_l=>CnKcxT3HK81*4OZy+WS&&Gw)Xd;Clh^dSo| zJvl%#6?fKfSNu<}kAZyhO7sDSusax=jwYGH;19~F6ea!hQJ>Jz8+(kobrxa84IARp zB1T0fptv!Ur0Ds*w^?J_Tu=a68aQjkKU>SKe@oq+1^x64qqCbbc~?hzjQy@8RggzX z)1|k=cyExm#*tu_9}!OjL*mqnfRqUDP-- z1`2)w9zTALjf@V0EQ~{^v#7ZEqr8?93QlYoDA(L1mY3Tarmt)2TW41KJeHf*<0k_B z`tOZrlH6;|7PUE#zqhxpnZ(pie5AfhWuQ`=f0zxni>-ZVh*TZPAsbKYf#M)&5A zA<9YB9ZXFo)%U?7Y(^C5`K~=oe$tp!nguFcJ8TD2RN%vC8iCBx8d?u=pv6RNI*jBU z<+|?wQXsDI_9!>wD9m*J z80Ur0NHjxx>>sN|IIJ#DZJ7&`S?=C{QOpaa@^<7fWLGlHHJ3?x{qoS&@LAk1`uDl8 z(3`Y}5yS^2+x@`V^2dye=JZaTsY5z^&fNJ`|1$o`EFp)61$v1JQy-3saA&l%;llVd zT{||}&fybl#eovUY)K`amuP&9Wkax8v^zSMY)_$KnnT_!B}2G2(80l*-{zOjx9SxO za;98jmyC!&5HFf8Kaa?;Fzm(9N;z=o{T2~TSlMgtb&oiV>2^hP$*Rh8c>egefE?MAPEstGtA@V5jUQ9j7*o+juY%f0mM_o(!k;7DS1$9qe)M4J 
zgF-Y{6uZoJ^>|HlV=vwD^vA?EKt*M#475Mop|ai|M`OD81d&lg&7GI^h%fqzKNYHw z5I{Wg4(a!j>)-k)q_DGW2atXrwR0G!X8xUQvj!pSFlNAA<)pR@t>&?HITcsho}W1nr&EwUDWXY4^neG>=+BP@DXi%S>I z5Sr+|;Lwn^kE@Qd4_?$$z|A!A+$64f0KigqW?8De=aJ=-FVrOJ=(WA%PibtMZ$2e57IIvTW)JSk@u%vC!mynAx7}JOL(#Q}O zDwh%NdP>dp_a#~cI<#Ip;O_My)(XD3Q;`1sX^cM~{&&BVVA=u36eII&Bwqff(^}7L zDau=tF1TpX4b4)7I4^?Ha!0^Jplp|Lltr%^5CuhF*xgjS&gv!3dWZ+VJ?wSfT z!NqsMSTtg@i|4Vi4qYxt6@hrQ2ghTLGa%p9Y{eI-?gt(;zX3NE@A=n#@R7ss37TxQ z*L{)PV@Vb?0%g2MPOV$(Zn!cmbnj?Yq5_USn!N*PBqSV#OvnCA^_^ zL5a0c{m7Zyp6d@iPHXoQ(bN@aN_=a3e=tW695-TW!fS*h3~yy%r)1hWatPK5lG~_E z^g@K>8+jb;EYd25Gml3~V=dV@p@!6Qk=-#%cn|NeN9d;~H$yI)N6Y-x^SY*#58Z4m zMDN)~4$r=bZ42z`1hXVcPs>n`UzEVk(3)`gC#$S}@w1mawT|5@P24{J@~QAE4RYIT z^99L~yQ?Hfh9;yneG5Ci-u-iFk$&#*etx@W4NbAS0ske(SGMw$X4 zx7H=kx~Z>qO0%EtQ|}%8MQ!&#pFY&(2~fWm(qa%!>*XokkQy9jnR*`5bcOZLEd(`- zA>3J73Ay^^It#{t3nKiE51@TGP0{-mA^v-lSc0t6lr9f|Nsjl2C;nlvrC10%$H32j z=_Av!ts_~Se}>l|)@#v7_WyCGgkd1p^zv?bIN{El=DL^?ydP{QFg~qq8`5LauipM%OA$SJ}V&gA_XccKa$CHhXC(gyP z0B5|#I}fx+|IDV|Bc;VPAP;~T0t7g4dYEo(RWl1-!U?ukWQqIz!&`9IMbe;X! 
za*`S9v%x>m13ia~Okn8;m{V*9s79(@dV>poU5ippa71fgQd-J)9lA7a$ln*dVsj#j zliMdvB?6Ri-;i=T=7V72je_x*(ZO0Fd|z}XyL~MsOF|djfV`?fAX&=J&-GF!Jh;*d&MA8ttVeGH-WF775D9( zV?bfj#kW z!9}{bf_Hub+(eJ*cI9)nB8`%uhtV9#l~$%TA#^*lC>Xrx>l0@>vY)qkAg`Z*+nqVZ z#H%RWK1Gb%XyNXtr6R%S&2?8jaKrw9dg-Bg5}$v7hXrj*agp&+9lD_4>uY|ND($rs zTt*|nv`{wUZOvY9Ls;)S-%3!E;9dip$RFI%n{d91!gs*C3m}}N%8R;2_NfSVodY2F zQUK;Og<%dCeFZr!d%q?hE9$15izo5%-p)KRC4`&l1u8n-HYH+KXD&eB3ia(z*yG;f zPEy)JooFU}U#_3CmFg;B=2*XK!R%i!sGz;7aWGP=A+B?wnJOIe+^XR&n-Y&-x)M6x ztB3N@sW@Oymd1Qz*(h6Tm6@LAOi{u9Avb9kQQKo7*6=WqbvF9cUIE*_S8QE>O_yH2 zbirzY9DaFxkh<=`_J+GZ17#|*u3^ew$*^X_f@p8{sYPW0J_inNa_dO^Y}fCB!7d{Tq{)b?(6PNGrrkNWBY z89`Sy&4VeYY~n(KaFB!G{f!@i@mV`W!e1BO#_y+iT`3Fq`w2-iex{)$&p8^3=^Z0g zKarU0)~mk6d{Y+s29J*ra|?ZS;!LUoZxV!PFn2jXAEPV=pGoFs z;_AF3-U{KHNxcISBRhVia&Zon;2na@*D1{3#vXx|*Mw2P#LleCh6T1E3Im>v4JYjZ zXv?gpMo8AJeoT`6^&&QsdV$Xq28#mjx@xDqKB{B0qmx%u<(o|Zs7TxcAc?A1Q6D`i z^XtkK8u%4!>CGq4>5@1h{Q;aLuf|(L4H8uM59^aOezVVb?ngCH2W73qx%n%RV2bXo z%tf0$Uws*9fpTtX2FTg4bfM95fh z_~4!)b(W&uvIG|WBNYx5SMJnquJBL_D=KY}VlZMk3S4KX{^bzPk&(Y@>fCG0ZJ!#Ih5mDO{21yo>{La$zA12zhdf8W&soiN|RTl5lkf zoJ-t6Q?)iz8dgtXs3-_XHl*N%QqzuQm;i7xxf#hx@BKid@#sVshOR$tddh4=;JrN=f1F0Cu7DT-^5J&&5n`R-!7RC}=Ju19SMGps0lFY+Y-{e`Y zW|IlMGaFK-B*5;eo}V{JlkoNOF={Lz<7E&ZNcNCw4^+McL=xmS*w;_#q}H+ndQicv zRi%avqww<{k;T`I{va`Z1>F6(QNoyIwpcta3Bz}s!NY3)x0){0hhE?D_VE;O2uL^b zdk_Tx*2ls~ujiavgJV)UkKw6@5bdOCFzZII7CS5#eS(b}r7CF`C}pJSxn+JL5-v&# zl+|RZt?eV2P$pnPNgIUmc<_W~SP& z7?r#R#aLKal!tUFJ*Di^iDdjO~ljFE3iQMLu$=1zV?7yKmz8Vg}!^BC);|-aPhLB#+IZSeywT{>TX4fmIX;|kCkkbsWqAqh@ z-l>!u9lnCTfF6$#kyD0ABep0$AwUd4W!?Eq3qg_j{<)m4@Nm!5eOm}_UN=c)@f0E= zvu8XYi&u%)1mu$!Pcg@q6Wb_)oxu*wTfdH4j@{!gKosCT0x~H9=?)kPiZK3g?2lVn zEe2?MPdVbB}E#4BJk$v|It4?KVFcp8Wby5=t<;+aDr z{f@uL1e`Z#_w)v}dK87!2(M!Xe6|Fz=u8yJNiGtPzg=8%q&8|$m>o13v)DCk=~&1h z4Co&Pmp$?n$}mu4b@5kASUquq7#ZkKf;*G+IB!LW8EnPJ$TRwcj1LKHTohnW-+D7#U@@7SAl`NZlO+2XR?BIV##` zJjA`Lr(0NEH-DPac#d3LnYUTR_#1dhTfafpwmsV1xOYM_;u^JaUG6q?f09 
z{ezE?>&{F1^7)x3E!g~Y3Ttg(_3>`6)|{VRGKfWTpH%$i<(|%4MfvHjXi!GLW*T(_ z-gwQ=Cr3>#7E7K(DDq_)9pU&_QhhFW%Ej{_y7k@ehqu8LCYcTkO??ZaI7|fDOX|Q8 zH<9z-PKk*DKR-37<_w9#2TnF5?UCTb6hfBoM6HH!g9Ti>f62$O|17Lvkuin;xtji# zS5%^*f5GB6OY|6)gSuXdMHO6sF6E%0$DEPx&CA)4&+I5&L3(CR%1}uhC?iR??P+0= ztms7{>=--b33wfJ(WTt?StvA$(Y>Hc7^mp!aiC~MOc`u!?5x}ubNh(ug9RcXslhOL zSOM}xj~qdU==*Z1`l@qz11-o1D=TZw(nSQt8g>XH%rrLn<-2xNh2xzZ_`dFsN-Xy;;>wsu{HThudUp#POfVKlyRxPVDy@9 zwXVJ)U4+0v7lD&$jT}6-iQhqrf9AYKM~y5Dsg{*?SSXlw`xS+jLFj)T-ar^Lu>B1OXDOqN%ktQG7>&d*z*qO^EGIE?LthLpPtJi{zp*{Cqfvz z2C_-Wnfd8(J|JK5Ao%QPXld1^j15iwn^OB*M+&?ia3kJE1+un4HJ753VEwEn4!R+W zYg1k>hGDg$rX&Yd=T&)rDxZ|6W>o=I*eVK5n!!#Il8boIn?L576m$^3eKFJqs*mo8 z8Wa_UimJZ$L)SE^8&|SbvsoXVWfqrNAD{gg(BMR2QeNGb0&$uromAi&0Q2pKQT>WM z2_-e*LL3HOpEor%ZQ*6|>Tgv0US3kfClg<2xRt}MfDg{qwzSMI0<<*x6UX8sZlSIi zMd;V~<@^k+Mrx3k5Z8eot^QPcI6WjOI5pf3mmCdIvlxB}3~w(38Gw4269H60Nmc9= z;vy-_7W&4rml+Za2@!{gDMkBO<4iyP;p&6}u_u$($WCN?6yV3TXT?jB!p+&nIXL`u zec)=4hhE%pH08wUiPw`N>>_1aAmp8XeRF$z!B{yuYHBWkB0mGnpx5=bTZHWOt2 z6L|cN^rdSi{qC(M62Q;`IiVM|qFkN#rWzXNCfBiRg6d-3=bQBlZ+VqLO}VtKR&?of zqX=??SfYXRnAlPh&+DXEwcAz%{;D3X^gw zUJTqOEXqNMB$p2I78;B9t*(ZTD?b* zL-|PA19aK+G`+Rvz|zzDrsOP;qod`3_~u>je)XGfv7&Or&+*H0HZk?kS|pqC7xW`H zC~>E)2HuzNtr{MtOjATLTnox(U*_5Wn06cdnmLF2_?dyKL3@GbOWp2Dy;G{oqE3H? 
z>e^B|2}HJs9XISLoU6r1E{U3rei%32SBYuh=hrwZ-_Dd(s=>bn5`b$s<_Z07{xbh6 z?BBKCf4^~$lM0s;6fGE_-!~AofXN9^ezt+8@X1-4_S?NB3tlDJ%5G3@W{ZG014;VVK1r%EveLf+qOrcj2XI-}<@ zNRP@4$-oVMD{rs{`0cDC|S*5NJz!D98tW;%OWTfRdSnXdyQZRV&bx_;UDMx2*8*26SN@ zfSx~`gh@t56c6_2+fl~x;`8GLG0~yVSKCZ6(Id)A$p((2bJsMOq8M?l6pL-zP*9r(YqFS*K9029o7L9DJdd9q$ z;aGx0l!Iew|M`<+%+!=5{EC(%5q$tICKsHRZvG7!VNJ{wc?Y-q&qy)Ne`=;fJ zY?hy6vuEU&*Xit~3o6-pN7TMB%wJN_UdWwTo3F#J8r{G8@_lP!=RM1OlU6N|idH*% zVx2zmIqPRf+98uO^|WkkO&!N9%zdf+a(3gv?ML$YYR?vh?51!+gm#zwsUK^4|A&}90J-_aC#Yo`U6gBm z$A^iGm7npx+T{kzi=V4aAk%NY$sjI)V>hFgM77B|=y#(ugmG=&{&9GDB|n+`A#pJ- zE0-Fq42<8|C871bP;UZ~*}e@{JpkeT+(k6_+6Sqxqq&{&8R%ieuV}yr~3S7{Q*JbsQ~F@%#$M&h(z!r1~=LvuEeiSxWI?m8$fK+wWtP*Mn^z9 z!w$&;!pG;K4tVn#MN+LY1{wo$v9VllBgxg5xFjKB-M&}~$C#$Sg2FvM)Mi6BZ7`2) z;J4y?U-Fb|xd)0pOlE`lnqo6ge7@dR_+6H`Yvz>U-($C)7z8C2!akr@krp`sQk`*C zn;K1ZMWuGGSnjxX%4->OBC&(8=eZuf5Lb2kZr@<^+`)L7BXan0=+4z2MNktl!TELj zwRlxU#^AO}l0bGh%-K4pgG{gwYju7o6c!&gg94d8DE@>CA%|>;y@Rm0!9L~N0+A+GQ|=7@xcxyI?M9WB0+n+EXRjCiE#m;AhvSyH!w)$@ zRmu7e>iW88nWQLnH0}9i!v#@M7`=1G@4qKuZ13wB;#O^UKX5avF%0Ke!&@_7eooxR zi7O2#$iUfD=%iE>;{A&m1IRJZ{U4E6hg~23|KY)Tg5jF*grNk7md_{lz5VaG;qwloFY-)}sFwZ|#*hlQ1G795WdRBNv>fRH*0 z1Po^sWN{)WVT{-r)aM6IMnKpD^q$_WMfLI5O^m(mP=uJ4(7KVzd zZ+E)Z%al$=hfQ}zqY+GJK+$;7zynCN>7BvYC$D3~nLNs*iTDSMcJ)AM0Eh0ox;iPMj(ze&7_iE?cGz03i32a0^0GiqD=m@mp< z4(j*YlbY|}IOL0ef3yGeke7~HeF^hxHVsl5PTZl`EmxgfYfan{SMaPFuc0kGrx$7e zo4a)vkP4S;ST|L1=wCu{-!pD+ypJ0E)_M~9->QAK|GH|qqbq}+h+!99yQ=D&om|Iz(J z2@y|9@KCU0HdWO1OD8UMLYJyF^7hzmcgEA}P122qXeh19ml=>`-;(EQm;`bh=b10# zsW@fq?pA45zXs5hL%aYV#BgMDd^)K=DXBq3IrUP|z<@xlhVUTlN#eD@FZ!g$u5nU& zL0<@P!ccbEa=ed(Z-B{378Y1AW;Wm8Cr6|JhW_*7jaDvT7D{_#151W^BQQ&rwT9@^ z6I-zmM-pDMLUmgvterESC&bnh9A*Spc90HRx5M4-DuzlF`IDve2x@QK$_+$L=_7{mm8IJ99 z5G@s5oL!!`kgxap=VOsVZEf5Qb#;UJtQ<)y>w*f&oUAnJIOa2@k3I}8IT@^!$!}xt zqZiboAGYGSPltEktyim@jW}i}?1lb_*Uf&`Z|ql#MP*zb_7x|Xp^?(fTK!cx zg=I;7c?72OZ1&<&aR>6Nx9`Ua3we9VO?;kMwYr;OY;H>~F$Lm7Dk_ZCNB>v!z+dtLs96g#$b5Bz2wy)E=5_n! 
zt=n+C9J;r9(G*b=+kLQ9K|iB*8V5Q2S~lBHQRlN;(nn8A={q-*$Df`0@lq@VQVi5^ zt``hq=wz|%*BOix9n4x1D?h>Ck-2rOa|d+&0$pZa%{UyRzNZYm|7+*r^^sR)mW$X zzO?80zM+UmyTUG81HfRJH*|11bCyX%`X9%{x<;?)zhv1o#ctSmp!@} zY~wkL#dq$i7){bw^JjQ$Kf-T1YiDIhB;RpWM7LDCKNYqqwTXYcpJ}kTufBA?=6{Tx zEG7Ugi%H%MQDv^Y9*tv5u2tk;KIvO|pa>2$@?gZ&UjF$jotw zGauubMB3XTEn!ZxyjK@h!Y(2VvC+u(PchXBwPuIf7wi9UY zcjTGO$)<=4){~ZbUw?27PHey=<>1>DjYAct-lT*=Vm0ITghfR~ah`E_ef5Qv^pYGHEWOL+?_Z-Yu-WEZq7E%`C@b0p=mjkvc!7WCbYvq&8QRGfjSMC_a zK7vrj)-IMU;=Q_29cjYDKyby6$t`=eo}M|Ic3ep*^!Ta0=W-LW=z? zB2@%-bhty>%Wdo<&-^JFnN-8r<%QbM0j5B3AdV&G^cYQ&;Duu<2hYnFFLP5x2qQb> zKQwKJ&T#}n5^#S>ix=5~toeQpFBRL(F5njTv@f?n4WSHcf%a-@3_rTq2^*Nj)2+=^ zxoFSA9?|7;4!#>J;Yl3Cwqjks;oYuwkRv7$h(>Jalxc+^pvv`08wvqk=dLj zQIZz(C+!<~>r7eN($20I44H_@V0`f(Llh1vIARZbju_C|tU+kq?feJP3tVE}71%XU3?Eb=skrh5q@$)k=a{hkZw-VYTF>vSPng2TP=bT)jhT zE`EP1qBP)aXLi96Mq=Vdt2OVKa?|BOv(ScbyDk>nq>$9C#G~KwG~bsMQyCyB>>auu ztdmb~sk6bK8c4x;LJy+C*}U`x>nR2c01OP;U|ceI#+fg{#n+k-Iw_W6ZF$2=o<0W9 zHh7vpSG>Utrn`Ls68~ZPRLr0IyRkCDe3_tb!&Z2W593?#5#_34YDYP=u<23Yz^5c0 zpk0f;Ney_+ptuoqP9Sp-HtYnlp`jrpu{`1qIb(0S7@(&Mc>>U0&Xd-#JTI5*1Hr_j z(~lU7nMPV&mJo(!%M%y2x_$KyD}!kK;7aNH{>6;A!Tnwyt1-Is2!-XyEtV+PA=&cN!d5*sTK8|* z6sv9djhETm6tAw7&g!1}GmU9}wrbi_>&SsOOb;%C57kNmn{;!+iwmZjdgBO?pUC8SWNBv0h^Y@=N zGlQwA@2rlR-NUwfnoA?Z&In{ns?=l4DD@n9SNwzWd>oV`g+<18fi5FJOkVHF8y+o7 z$2x!j%8cv$5IYvTO+yuH35wTG8SG*JPQHj19Sc@auX~1*o|xap;sM9CQ#A)@H34V3 z9nv9Mv@i*xhs-?)fKzm!0h+zlp-&&4M=rYX$p?0diR>4_TrYXEX4jm5V(L1LiaB^( zW)?g_&9mx=e@GnA@Kd|^#Hi693aJ!_s~wRTKIk6G_Q_-BbGmT3l?NJD6L`Z%Zb8>N z!!u?2rT1m$wBry(xEiDf1T3 zNm(M@SDt2!LdPLV3stw7I}=MO-NINM465doh)i!|bEUDfDqGsx;orap8W&{%?`&wl zk6hw!IH<9mU_f`OqNn{iyou-%*(KfW-)VHZlL{#A}>t{6xa~Ilk1!`0vAr8c z`gbN|;T(8IZLvNFSZg7f=iX`Y9XH9Gk0mlRIMeujL*Xe=$wL8Zs}6VDg70SwcA%k3 zRH#G>sv<+%isjKbjd1loe5pNubu_68hk|o&$aU2=dEM6bBvjw2G;VH%tY{uMXC{+>ge!@l%D zyx!F=0IhK3>m0p% zFGTzU3vI$A0WiT?r#_ct^?>z6x(uma8gIrK_71b7&WcvY^=qWMXgs@C`%m8^F~yXz zM;lGv^xUe9;ulh1=g346UI>4#SrGuNwl8>Vx}}P3nPgt>s5OXHsGsON;S)P2A;s@n 
zmz}%f>mNVC0M|WXVXr|sI>Hd-XYj}T~NKr}Ctzhg;^X~BIPI`@*a{mMS zdhw=9CuSxcWiKQxgBKh%s-s=6;CdEy!0%l<_sq1pN=w76juuW%Qr$hnLEE9$3_a4l zSWqP>$m*CZ7~%WJa&SrgH;n^9{==x{E|jBe+Lw^o94qDeQ2e_DjNVnr#dLv!k#(o4 zj4!;m@&NDcD!_Yd+VKPLEdZ>m@t+8jGt9Lc&=xWXdQHT;3w?x z@7J2o5Jvn_9k)tHujq|+bd2Wwnrt&oxXs7$OCBNVEYz>f z@1r_UuO)e>M?awLKg;S{Y9E}0!~}wS5NXF}&PWq*aeJ88IB+No7B%2|_ZH0X{cHr* zKaZiSDdlRf~o-W|gMy?VAisJ^p4H?+vbB; zXj@ZGLW$QbUJ`;WyRL>-(0gm@f*a@DsHGF07}j=;;L28GH=Lp6L;Y7}+QShQUG&i# zc`*?Rup~$c&&y9Y-6uWkD}#Ja&0ws!x!4wqHcaCQo{hYU_v)H_6q1&1X6Bt5my19K z6l^_b{uURFRT^aKj5+f&U)9csh71WJ*-40xOE5HFP3Eoi|PVT?BfyKSk9_{Lij>2#o}hno60T5bzYD>p6O zLGirGa#gL$<|*FUkL_&S=A*lOAhGBB5#C)L1MoAkt6Ha24s%6PUSUdBWsMP(|K6GU)?{wmG%J{-z-B`$>%TkhXl#fM^fXTM4ftgO}7F?^{Py@=k?D zC!(E-U-|4v^zQ`nFC_~&CenJ+Fs?1<7{^lvMAj( z)hwn_TDW+(5BzJ|g{MvfX>Q^k`AZMJn1SvvitcA&tque>``MD)RC{*eHGb9DW(Y;X z&E=?;R?Xi!;J-HhQw~7OriH9l#_R^zf0y1@3%6@h{FF0wV4IEV|IPo;g&+LcjeN_I zf`WoE?9;Vqx?6^nSyhZ+r63AQDiF<=MDX>X1WRi>e%c?icglZGyyAJ4{Xq|{x$6}_ zSNWlcmhyOYeXADp4~_ow6Lru!&BZLygzp{v=epZf>Lp{c41BdS~s F`47(7!t($C 
diff --git a/assets/images/screenshots/hunt-1.png b/assets/images/screenshots/hunt-1.png new file mode 100644 index 0000000000000000000000000000000000000000..08971384777b37988e582824a707a522eb9a3e17 GIT binary patch literal 171491 zcmcG!b95!&7d`l5t7BUoTOHfBZQDtQ9otUFw$-t1qhs5d_n9^Qo!{TH*3??bO1->W zRrlU=_St)%`lTQzjsS}T3jhERBqcl8`5pKE#^Wy*$L9|@ zJ@C|W)7=|O05x2b_Gftzdc=PI?epTJ2IQ4)WIJ|ayO94-<$7aga6ZO|DL7b`3=rB>@D`h=cCQN#e3S^jZ~dPtLOVE#2b&0*FM?7iErht z@jLa8=BN1=OTTB)u@-&5+Xf+|_(~m2rxn9s+^M&&KStqPITCV4QIRsoZDKKAI+C7a zuP_{1rinAEcFiYD*|1(UAX^g8Q`McLdD3$jMo;`cBcN;k_fU9xPLh{>(=HGLrD{|c%Msi_=H zrS6*cs~>8ZI)D2n=%AFu!i?cev|kLbFr&zIM|Xgi%=LHTNkTbkgecN!-%Vji!jO+R z1=r8%N&WD%qO)xd_-pV>{V+@E>5J4kX5oXy-hX5bW4bD}P9F1nG2g5&$C74CA@7^6 zr8bW5k|4WGtCD)UOw+lu5)WYY@+ilwFv;yBG+VrzxVYZ=#=7!yuH2YFFPbA}V|g>G z5-hLAY+LUNdhn)or<3GM{V-uq(3t+I)WkLC~3tU7FdmD}MaiphGzCh8D& z7)O}Y@7Bd%-BC6<(@LyIQ{eY27rUIw9`m+lma7^>0$c2D>PWcZTGW$MS!W*(UK4(c zKJW_Ng*WQCAi5}F73K~%($SB`?%6)EOm7P8qs0;)V@IuHMD`$m1?ZVmxw?CMhh(GU zM9=It7W2UBJ42hS9Tm?Ee_!@R<@z zf)yMg*3qp)t#G$2B)&*Y&U=lqP*~+(b$PK;Foz@GAVm7hr~XOrDxR{iRIIHDPN)p? 
zc7vf@&nAyWr=4R9k|6(X^&3J_s5odeNwh8YvN&fyy{2V=-|ui)ej+#W{SoEq>gnam ze*g1>@9V>MxML9mz+Nhdb3%k5- zX_|As|sC;Gr(8muKc6bQpwCV=@{r%a2QVrY;j6cp`~(~=YM(+HAm zP+#kVTQ;%9to3^%d*GQfgU&+c&Kc;Tw+spo~h*7nMMLWzf^dPu)J)W&g`10{L42u0Lg?NK- zY_xl(bXBxYbQPcSaUQaRW*ZrsFJ~<2K9ia$x|+=8qvHf_1KwAz>3CbiR$5Avc2L5v z8e65ot}19uNwItaQ*a8c&HF0>ba#1?b8Q{;N>Lk-%cFRlaA&kM92G`+7@rNBQFp=UBK zz$x0SP3I_ylAV&&qCc~8sOB!oeKWpIlbI73!H9n`@2xVfMN8+Po*YJ>w0g!1T86Cz zMs6Tul{7WY6r-TGXbI}%#qDthPt5kTxN#*!|0tB&VNw!JotJf!aK;iC`GuV&RCun& z;T~b0O&SQwrB8~*NSC&Z2%nK;WU(H5!k`s~_UAs*4xf!7U$b`WtSG|ai{swfIxTYTK?li;c}mrr$-m;oCnX0ZOy5g&JB*w=uItsv-itUW zIaWm5>meAcdX1o1+gGeh%b0VpHEjT4UYhPb*TnCt@Nyh8Uv{rt>ma@| z%zSgu`|@5M31oYijGgdNnO;rg7Ua*Sjs zn*bRV4wY#Eknf(x@&>`6Z7L`5V_~<05Cxe4#EF5b=_p}HFpwB}iy7-F)Qug)Vsxt5{@v=}Z%{2Wb7ce^D0gIJ zbW#BP@1MjLZXktsGpLIrGe;};n6!futt06Q>I)Kt<%5@uYtc$&5pot@BhOZ4OPKZMF$=J6AtRh1JX$BwCfBn)Xr z(QZKy>fp#D9+iQga^%N;TM4oi&?!w&vFJtPolS>A$T%_8ArB9{Au$#NAgH0fqj50X zLyq?BkJvMy1c{6Hh_WJWGpU|(7Cte`(uKs3X4cb&;~UJ)aDWz+L;5szO>9!R;Vejk za!Lh&{h^XM#xs!s&D@5~zClu%k4M~3hh&}s@ia1uS1`^HF45-1zkhOZFR&Y#J5p

rlUg7(QEjY%@S`F$YV;gyh?nbSIvT z`g*&UASawxyHcc8#6a;M6lll+Db_IG)8ElC-D%V#-K+_SRJZr1r6Y1b^Mv3{!Sfx0 z1nq^acg!hmLKsYD+T(VqB}TwX#lsQPTJ zk3Sgiup$C?ABTRv8cT9P9aU%tOquP+pWi~BYz2Z2VW@UOs?%gNFe-(18~D~Xv}Ytj z_(cqgQAPAj2Huvg$Vt_VkWmQ%fOl%G0;2D(^a}>aDLeYvicjNIq+{w-v9gO(6L1o%+HdT3L>yFhtJdU!hG{R7ge5a0MHYUS z3Va42ULU|m<)=6(Fyd2$^zWEe$zPo&J)F&hW=fmJSfKP@8E%5%B<+GaPgq9EqD%#F zN_8lPYiL+CE6fNykbgLGfZT3KwySEj`mE9(_YfyS!XozhoDf(2F%a;iOla=4;_W}7 zics7nHf}U%vdn%Xn@y~7;5qF|{b~N_s+q#SlA~o|O4dn>e z?*n6^IXzm1aWJ-6On$=AFhYhw4nj=8A%lbS`E%)N5*@F9A1=O+Fj6JL-M>#1r;(Pu ze$u?(gd<&`p5MpzMDDmgxN+>>FF!{6dSf|wb4!_ybKqt)JK zt_aA~Tmi#(aeY5Qbgig_)~;>g7x)8ftkuu^&iUu??%!!HOel-(+u1qVdOqTFV}{$V zf7DfoRk+}O!v$lX1bFt@l!>(vadSf@v#~g(;xNtCp3}+AO%-zkL>S|AFpNPN^;a=I zyX7;DLQkNV(8zdxm1K1I&#R0Z6ALk2^O+`Ym`1uTva<&Hni!BM1{BQMX6h! zg{TW?mdJgvzA}BQh_R93S&ju_7khOO`?{iBlNOYmSR-?l(VRos^Rl}%ifGzQ6wj3h zT(X*@xIu6#?m#_7*w#<|iUW9Cq)XQjC22k!viert;)3EZPM$W~xWe8KEaq0tOINtlpBpj-}j@ebH&kqY{{_rFR*m02_$zEbRcbY&~<}r1sA!ofWi1J(&VzID63KhZj4LWBSi~M6H?Oy@Ue;? zSI_5NApZf2wyix-EIw^GV!oI6`FUYQAcnS&%uyXvyz&R+2y5kn$SD_(im470A2TS&eP&0$| z)kYRU$yIf(mY}MtVg~=h;w@k$UtwO}&P1`hST@PS;0^6=2eBW?WSUnvv6@6{DpE)? 
zuczM-=Kbm8;h=$27$8`fk6fj-o;o8GYmkVNexUbOeI_z;HVVrpW7+%OOV|k8JC@~^ z5m>B|+f8_T=bq@t+a~!}NN2;d!cB~KGn}V3iapQS#lonh)gaycO>Y3IHc+U@%|UBcbPJ42`6Af(sJ|#@ zSOXg*d{l!~9ucnl7?iqo~5Lu^Iom}u+QAB zNS)OKKKdyIvqx9cel(w?tJt7slp_B%N+)sy1~~3yY~5unT7`>g-nYx|3GpP53?U{;2H0^r4@6rH{aGC= z#aDdEUz4eTRhre~NtGSvmw5s{_gE%2Wjr}GJ+mU+#5yo|ghL6sYL!MneIEpcP z0z*q(%|h!S$!%jkV=m0a;g`B}nfmuY0pje)6rl+CiV5O}t+0*2Mq(zLm4s~FmyMM6 z0zH-8y!1}Ugm3J69d_~1(Y6G*J{fv~8kf3Ml;`|@)C(Ok>)wjz-xw$aXG)6-`@g;a zL_1JG5n5B_3?|S5=~je0t}UV$@5%Fm+c}vL=F|$P#itwTTpJ=S{Yf(E;!y6I9(+wU z!WK>eINzyD!5^@RL7;%lP2|~PUiB2WNT_gOGz=@sWZ=uUu_K%L|`k{Rv2uf zWVODh?$51;*!X6@WZvo$>OaL{IOfE})<|ZWmJex>XUf|niYLy4oVlhb)K>_-CSd&F8lonq#0zX2GBGou$It_!=iJSQdK^ZJm;hZiltSyUL}j9VU2)=JjfgH z(D>*J9uVpSK3Y06Wx%yC8(6|K&{b-w1^(5O)@>4DMRqLCOU)HBna;hXQog)KZQBda zdoFNiZ|Y^yUusB+*ZUKPcp0A#B|gNXe)!U(UOo+_4&LH;6QDDoS^_&2BvcWhv@>&# zNh(xkT=-oF-mJf4tzj@xrs^W`L|7^#|MeO=lwbHHs(?G9kF*(EeF&N!QxUZ)2_-`A z3ILBb3t%ILus}Zl25p&+i1xcQTRcqiFA(g7?78Gwk+XPoL#7A(f}tDA!%Z=4iIy~QGeo2Qz&RE?pqdbEtE%+X zo zN_juMuSj+)bVIt~4|6#fRhCA&gMa}Ma|GD_18+yRg*GYU#+spDHOFudV)@sFgLsUk z40QBzWO;H;oEMu@5pipR*YghP$MBhgthv}LzDkFlBVufGE5~Z}jN~qA65+)PIaml} zF;DqKTR$;w2eyU_RuBiDh%i+9lbUfLvI@NeC8J1T#9F>WCZ0OHmh%Epo}Wu!!aAX$0u3pwJB z{%G!T5&HbX;+Pc=$3-DGt=J^AwQoq`ZVk5HGp0o0*U&*gk_!E8RAK*Sa}^+V-s8^vF^z7;-E~SdA+~R7 z_d=P+1aXK1a7(DbT$|@&R|dSCz*(f)xU5S5q$@#sHlr&at#QrPALH8&*KXCIAVAi* zF!sLavXU3(;naZjI6poIXY%NXLrcI3q;Q~ezA!k7Tm*B-ht|>1;R_lIX}{!@gAh4% z>)reA#@1y8$5fUmBu!&-*?2H}E$$t&Q)#&`e#SYVHC!*k%ZkY-exy9YAy!~D%QJk6 z35!=Lg-^cE{Sy&(SXf~soC&YP?Mp%%J;fA<5|&Az!w&Uzw!Foy1>(n*i_1Lq&aTV7 zl--4GP~k0@(i_I^EMh=UhD(e)IAj8NefYrlTw@SWm#U#4UvnNZjIL-?aT97u?pe*h z9}QD_0p=EX_+4T$Op2gp8{c%aT5W{YTG&KJCac(*9y7dr#F6XS-CE?1e_5gMu?m5o zghPi~WxOw5_=J&Ye!^oeM&n^|G2#fRSToUZt zp>cb|(saG>Nh*x-H@}szVoWB4BF2my?b)b@bsg(uFKF2NE3J22%f`sjAW7P>Wr|0o z%W+vk5X+{GpPPa+ygw!)9fo?)f@4mE)Cv(3hfp2VZs22`O`3izDR%NT1(qv2xqbhw z-DHm-Mh<|xD23%8!OwQ^(;fhpZOpZxDCgS*#Bq(hjBS{#4PF+pK}BH@j#yVb{LdkP 
z^yrD+8vJ?Pt>lF4Vw;vC*Uub)=*32Yq?6FaqE}Piq=}dR#S`Lt*UzFDzSN6$8ib%) zM+LSE76I#Q{u~9<`Pp_jy6l<BUik}2Ob+3-Nw}8f zG*o52EjK$3Qcn)*@qq?fy+&SVGGjMJZShru9~iY<_;3}H`$0hVHb&=X{^u{%HHHiKyk zsu>WCeCg86O5xJyUx9w*tHmiR6G-n`%Yp$p*NZMIT31xEOT?zxrLQ~7i;s?(11OAn zb~nV&+;m}3_|d|@1qBfuVtQ#GHsR%@2A54!hftwatbYg+TngkxFZ;7qX1)V57bZ9t7miiPo=+BiQ zGRG&zN)x(oM&jjV{Z*a#mc%gm*rehDn zvyE92xk{o-L8PT%x>V$CDVvRGG$QjivQ>>es=Vc>tM}3>=t}V4GjPfiNaotoc##Wt z%$KR@p$Y9DEK))>q@|Ntc8sr)Ba@V$K5dcuZPkap{BTQ*^H@JK$1{Ja5i+emv}k_b zjuD!@L`)X-^bjEgA-4(y-txMKRj1*4Ge^OpTp)!;s zep;RZj7k$9Tl6k5BkVzOO6Q8!25OGYwFHzkvj~)C)G^P8s_hlsi!HwVSXf`sDsc-M zozf=wb8f(^)s>50bOoiss$Olm2z~ReMoKdS7Ce2?1On&fq4GFoguIWxdV8LJ))t?m5>@Cgm=8dkL*;k^mmPiJJ}?mR<^k6%n56q+QDBWeMwY#~@SihYQlEwO2V< z;-+t!!%C8Mp`PwSL|9bJ0)%OI4{5eP!NfGty=cw7t0wG;eVcRc!3UlD*6^1{7r%ZL zr%7xI$CeV3N=xH5M2Xd~=5SW(lKT3S`1lO_5aiDY_;E{7xwfCb`)oCk_-0-{N|r!V z$nFBW=K>W_4Wgkr?Va7G;9ALpbv|NPkb`To*T(hcEJjc}Te~b*lclK~l+4@Gt;QfYM*_e z7TJ4+nNEEn?1`JMAhDxWHgx0RfqqY-ek0^0Nl50jjG3D|LQmj;BwRrG2vT}FqJxu6 zOMffi4Tg&py37USV{7*mFB1duo(*fw0^ZA>#GGy*jp`p#)cxb2yb{=2efD3Hr@mI{Cr*4`oHgnXa3pQ%`~-_x zewId2Cfv17OV7cYCw%aN4t|=CE0H{aTq*V^y?$<&InuuuuhD z`rbL)Ip_D>u_$j>W@=o)6B!9Q551hO({t+(7RPXR+1oBw5G-nO;V>9j2xdP)K0P3c zI4?a(9;oohz$=>g3d2vUHf@%GK{PfTBN&3X6+Aads>Fp9{Ml3Bc@~PGl(*enKfV2~ z3N=YaA`&^EZqDzIFP$>Bu!|cTKB1uJl$>Vqpwg*`c#`lp>y4^E;gMU~ZD6c~e`qDz z!@BG66db$sx3b!O`_f8v_u1YX&%WC?(wW;Sp?r(PY^_0w&7SHgc_;$+B}vqd0K83E zzbrYk+3iwO1D)-^bx#lk)v{#xmanro;C4hbf`{#$OH;iE&XUb zFA;9%=J7#5zte<*NS+D~W&WaiZj#cDp^9usHY|B#63*H9+0137f7FLiH7XJ5Q3-EQ8 zEZ=xuiGBgRL4D;S5_EK)aA>nqISdg|ye3%DQe>+THGCQR59AD1GHUvmpVobSv4iD7 zkqy;|)jx@zLG})ge;<>Oe=<-vhTrV85?)>MUT%R1RSmFK*uu}atjmz^8BuhQgzBM) zF?b>WiJPD`R!c~@#@By>zJ8z|YIvXi;A&sU8Vm@K_|XqPPoYPdv(|_(^)`T_mZZAp zyr-B*FY!L&I=Ig<1(6DogUvKw#)jclv*|#9Q9i4+cT6-j|hE;4z9sLnm9I&$uiO> zR8L3KE$Y6W5+`C~59ib{Bk~%=sp{|xpIg=|46+Yo^?h-V4p=e2WDR@MG0IFAf{qRc zn<-N32FPnJ{A!XewS@A>QQ#BHYccJNJDf|kR~Or(<165IS;YZ@g9CIF8kP6t(I$RX z*N1oU>^2ftyHniN>=Op?eIrOCX>k$27vKf3b*wq=5BvniK|<3R0DwdN?*{~sk%a~P 
z5XwbTRut+09t9Z=$L^pC5da_pNQwxmc&wdoy6dR@{TjYmoF(wl zCCgcNnd`|l`|a|YYx$#1CIl9pJrOh!CSF}^Fd~`L>7bTd$i+7DcnxFLm9F4SOJup} zou=ljwwBQ~_m0`AMdR5S3SI9IVh4G1-lohYkMf zK(E(d{Ccnn7#$+0D2)8Y&8nVF@&DeDYKOMw5#l@z%DM+4?YzOr)s0j!FfozNJh_T! zDY`^Z&HdRCbQZIv?CyWFVot+ANK%g(st+#vL`J#6#?0D~sWti?at}CcjxH_- zH~Yi?=Ox2k&7e9QPa$6#blRMltR^&07pjJD@`!SN{CZx`F680{MU`avlU7-Iyi$j1 z-?frtghn!#!d8?b6~xUt&s-g+m#RHHxM z2L`3L#ubIf8=69=4dQTds+z)}T@WetZ)-nq&>ZAMmnv7UpX{YWq>`!BtMNSV4)@oZ zDzbRJQ|2k<>rF=8H`<(!2%p-of$9MFyUy*}loc7N6U#*sjY9e7m(T_{R9F-g#_4KK2WjJ?im-CyrXV z*gU1n^NvE_k1Mt2(0??MQaJ z{4FNiWHcd!Qa-2F+np$r-S%K*mK2RaFQHyfuhHsnSXdYopn*UAAr(^pE45pXUEsMzR|eV`E38l^<54INmf z)jDlLH94DHKxh@sM5j^P>mVN=NoS#y&*d|n=>@6O=vKk({+DO(g$q^cv7Y+$y^CyN zgOBqi^0U=d{4I8n=Epb8WII1T_B9VC;#qWEpRU%&G4*{OTX4e}Fli5>IkfJcZ;UfI ztpALn4kso#Iye~2i7S_>Rnm_DzThDyuVzJJzcCYW=;n_Ql9@dU!{J}Qh`pHlBq@$ML-sp^EXsf;is1N zddqo8U)X;< zU#r6nGjL(9AJpNn*lmtk#<@8;HGbPl#8g$$F)=ZnNOc%mTfZq4w|u21H?cX^)s>~Z z(SS|)zIOEw{368ZsR733Qz*jUtuF7fCEJZw>V~6P z6>2r)&W95l9hhsl%Pbu@ zd&kf7ba#`Ji>Xq{pN+jRcdt=#N zuWG%X(IT2<%^pV<<6+s}!9ljcN9NVl*;Yqovx)cMe(|7I>~CW?iRKzW;A8*1U`&@0 zc%Qgs135dHFVT;%^-QK2&Iov@gwc?{+_;fvKJ?*B1^%;a??RS>hiA)Te>%aG2D%&j zPfcp|T!*`U1lkSjDG-$;H@zOBwrSMMKm}fI|3=$dgD$Zc56NtuzhVIYY;bY~xFI4= zpZ^C5QSA@DxD>0oH0t!B2)KwqFfzLhLp@n+@Xq)-3D9n~De!Ed0EdDyw$A*;mFq9K z)%ij@hWGv#b13!$2>{%)8UJ3Q$PeJcvb|1?t>N@6**?EVGH^Mb()P7nIy_q-6HaHy z0^^PY3TEdI9-ySaJf zqm8ZYjs1EKFz|O4((k~x+xzoL1!XeXgU(kQ&gNDAB{r2}xk|a|m}m0%jPaU@2q~Mj z%9}WXh>HvB)7AFy>T0^v-?5U4Xh;P8{j-`LV&L`9ORBos$#Ec+;HsBmVvCn=-p3ceg2#kqd2;$&AI)qvHdS%ZIGq}H(C%WNVo z#YkK4@7QdcGv;^I>ObO%ly$!A7=Wo<9`Pf&i`7<3nyIO&C_J`MKVNUng^$yUm**xs z*(NK#M%(omBuY6(CD(;YRXA&F>j-q3DNN^{-)`C5fPtYQBj$7}g*+nNcC_De+1v|N zx{2bk1R!zabS<+;Fi6nf8ZA~MxN?0B9c=+gbZ4Tg^?Hrg%Q@IA#Viknl0$qQGU-u| z5vf$82eHKpP30|)^lEBqXtWw}cD!Cng=)6Iw2@W$-f;PkrXA$cyM-%o71G zHLw`#Ph^W9ibTTYaQbD{U`)jFmn`cKkB(AH;?9@If)JTcWwBb$k&S*b91cQdA`x;A zgzxrKsTN?dm3uc_S3nF53@GFY2tp$GaV+xHZ1<)DM}R5rLbxNXFqNv&3i_3`$& 
zoT>5uB+Y?7J>&I}`KAB$P9VzJI2AT?|EdYIp>bk&@n^NCIe*qO2!fBVqobqgV~MlH zYB{=e_g9Q8F30Z->!(8M`Msb?^J&E{FV#q2^%|Ysl3e$C^Jza=^zR~1cD!jkPtE|b zm`|iZDKtuU_LQ8>jt0klufna#owM`z8}V+v#<-dFmic73*J)tv2wGTB0jGYq^XVJu z`|_FOwKo)fw$bW{AFyOU0QK`Kbd%iR;gsycZlyNx^J6<-uj_SXeH|4WJN|UIWCR4okmYgg?csF8_p{d*1!(&P2d(PWz7C*M$iw>TZJ|yQ@4xP zeFQdOeY-zdkDW+oxzpOGsMM<4D9FxryF7S(us#@1&GmZl)x&lpJ}nT zC!K!S>@b8UWKY^?+q78fS z#>Kb%AIW}?{AhHhq*13WiS}PNd5XnD`VTuEUE~#d{^m;uH@8J@x^oP+2lkwn<&e3{P zX^`Xl!%TtqKS3Ak?f`@N;%JP%!-1)6E?JM~O?dBYmSS1iZ#I64z-Iv4Gq>T8Gizq- zJ)_e$vbG)vrkQ4gnQFp^>G(%HkJ;v06ZPZ6@oeF*$jJRfO_nm?wh+pMBRwD9j99N8 z5w~!x%WjscD-*Z(Yw03%C+hGH3gT2&*hYs!RG7n)wP?&?@th(tNZ%6-nG)aFWzkT z2C}`3qq$)D?wt|-_H@LlIEN#N0m$fQ%G;NV~~o(i76kh>!;2LpefudbZNuN0pz-3V7ga&F9jf+#*M4U58$G3VzC zug7Ey-=c51Qhh5WO$viA_3(IH5)PpsV;~+i_>GeD@l0ROLx2dc=O5rEqyg82&1#`Q zHw>}SV)mQ3xHz!pOeBzxr*YjGQ^;lkfSlqc5J>1we`SY zr?)uiyKV+hmms5|4Md=i)9$%5kO+fLv6xRitHaOb@CKf*qK=e4Z5J93Pu&wT#sPuj z`m#e9rpq_;i)xg7IGNK?uF;6JiyZvR&oK9=@hudsarrYO+E75+VHHY{m zeV*jpZbjPK`|qvk`}P+CDUeOEdQ~x%p_O8`(g z#apeOE$`o%uCJMqh*#?j6eV!z{G&%?f;9a6#j;;%=c`{MBr|2oM`+_u7wfTGU0a6> zWvC23Hn^@|ci#8MD0hdxeeDltD~+CTK-PGa4FaZFyCcnPJ_Ra}&TI;lVm29TZx=0; zoSd8hWc-h5Xj;9_XPV&{{6e7+SXTSlKO{RFm6|@>(YhUea!k}Ovw4L>)23ZxxARlk z)C4sC-S5F6p*TI1soup7yCg}}sJWRhGYmas>vAV^MIfzCe{ZEv5`&pyB!#az9bXY? 
z64@MqmdU^LE~C+Hr_J@{L*n7-U|s%Cm+Jf9=>sueZXuD9!Q~wuhO_0-Ub-5OYhLx~ z`DP!uhtE=oTUD8TK78hgi6t_FKmyS@mds(slFRR(Q>D#bQkH#pH2v+)8y1?T!e34* z7~yP5DPITzhxK}JX({FS*a8m^uT-~$KJL~i01$?RPeMip&cVTv!Qss-+57TXr5zl$ zJqT18E$vS`Bk}#yKT-|*xBJ)DGX6sj+u>%iw+fXiscxSakd+?$ZRrclGZiIofX4c} zA_cu#pV_}ymCR%^9_CZ8@9zOod^S-9!qkJxVbQlt$k*)1y*7V_AleW8YA3qNi)LQdd z?_t&Y$zlZu0LbhNPm@L^*UHp;_+n4d3`d5c0Q_Zhyd zXFYJtWSsuo=VAN>HfY!!dJO@KGE{ExOitK0#jamVjsy~uc zjdqJ%ZofkHc6T5 z7g|_o9PzjOWg$;IHV1INQkUJ~-oMh}&H=OnzzwcDgq7hTJ6cdkkp_m$?dy+06-BMBArU#-FRj- zd73L&C{hS@gDarV&I(5FD_mj_JW_i3dQ$yt8loS z4^94#u}x&ZLGYii^bJO0Qt7s{MrX1XS}(V>y4;X-Bb?S7tukvh+lX%YygXm|W3u>v z{&+m!lI?o!ZoGLKp1wjL;PVM@XmAdFoUYdGu-M;D0fIi0+XndIk-)2=>Nwlhv(|5D_Vk2OMMYxJSCYpAs6^*LvtsDdk9jReF$q zxf;P>>Rev$)D;~SwI2#~sBWi1G>KX{1sJ(3)`#$Z@4Mm!g}F*4a__D{p@IOQkpG;4 zzWnFUhW{R%Ar5->+Es6DHlpIULd?ge>$yZ{EYPXy2r1ZHHhdd=2*np@ zZ28*$4szSK1ssTvo==mAxj|QU`rPs$ZaUcW5Vsto(_f3lvHu9t^+`#?i&bAL(9#1MU7`O8osw*x+*P%% z*9UAy1IDJa1*T@-uMc;4d}io7{Wv%tgGrnXrw$goKT!XzDug~A2|Ybx!>Y}_yp0X5 zGKKtJW(`}%{~9+r+dzkr%X9Df>tF?zlkz`yYq6_dsoRhtXYZD8g>FBV%n#X zeK^w>biUn^IvDviUML=$&{$`-C?y9DF?*E_qEe-lTre162t;lmYvy!(=fqvA+0V4^ zrr_r09vxJuFmu(jpG_Ew&Qz#yvjqaaCy=)c#}b;a&XLpVzVZT{K|tqX5lc`ge35Zj z4A6m&Oio5Gk;^_f%Jn~NkT-XJbAyIL`uv$Z8d189>Hfp@lnjU(hiVQE5x&>YEyMq} z3lJW@P5US+EB#TZC!Hpuj5+yHKw7cX#_f zyq{LuUGJP@M}d5U)pjlXW}h!l`|0vvEIASg2@*YiAFIu#EMbU*X4~DoI&D6yrN*YV zvNuNLr5a`5nyi-FHI6m3tSH!7!+0N<~%) zzCdcT0f#h9+yDj)bQUvjN(^-L!MP&ov>%ovz_RsqcQ)472Lkk?il%|Rk^lRMSI+^R zx}AGzvg?0;(MJK+&5JcQF84#1(8jmdGrE)Y9)8twl|d6`-Ub^H5pW>Btkj#b;4at5 zFAIbHKi5D(@ni?~q>9RcR`0fN4;m(>dJ3Jc)R$iu%RAO;RyMU(BNYT3MzO%>yT`$} zIPfxk%Qemqr>a1I@=pyW!!_%7DX@Q)jpX(lu!+VXda>r}(Qu{>G;Pqly}f}p+34A1 z#w`%DTx0%Gf)V~CV4n_t8HiAKhm#zBU%O%W_ZOSe|1Zaj_veJjBJbC2bNK~q2Q;{z zVJtyb9_}#olq&xtNg|&RNlL>1I|H^tliLOUkJF$3pF5-f2a6^l!4?8B|KD<#gq}Hk1@1 z6e22-sf>{_q*F3QQKl4SmJnsiR7#nWIb}*AAxX#(GLxZ16UjUzGG^xY+UL5?xqr{P z*YnS_o_nox)_tAy9X@;S_xm-yx1Fo*d3kyFHTbXI{O5V9Y+aI#vM@E@oN$`AyVT!$ 
zAZMxl3pV69lk&e0Bt9e<|7Rf+xHRGSp8nsj6nf<)0PBMff|Ccaz5XwUxaDnqy^un( zpSIEj4dAB=HnyMjwNyM;T*|I~SD}&>I9Oz-w@NwT8wmYqy|23X#>0V^N zeA$w8eP^lq{Rz>3cT00Kja0hMuIo1%|NT$HsVe{ewg2r`|9@YVuLYvN|H%UU|FkK} z2a=_1Onnm)c(7b1ZO=}_KwRg;fBeCT9E;-+Ut;!M+|u3My_NExMcfqXeTSZLKfs!p zc|B`!aWRF}*Oz>}%0XRUvQ1BAo!e$?Y)kfZY}P4ra79JnfEXJ!&T>yIfX6Aw`;-{q>SxXmcJw3Za=W`)HdxXS3236t+cOS^`KRF)TJhTlJ;M$PDp z1GGADU_tbE2V@oJUtg3|RPH>N`scki%|lZ0aZ2cX3|^kd zw>#@TJ@ocAkJp|2d>ItPeLwGOq|m!j{w|){I5swRW#m&Z9ot^^cCFa`Z%5nnIV8+z z_ZYq+tKjW6SY25uX45Kg*8JaXHJN2HvomsZbQG+7!}mg$8Z(K@0}UL7S4Wh;zBG@K zb>hdzHU+dOUR_xfF)ryydj9xvFI_@$U?3eZiRJggtC0BCyo=h?TOTR>%JwU>o}S*8 zJ%&dr{22Ds7tee;qg==c2@yJY-RuwVX1wryDQjkKZf@nT*QwXFJU+$*J~2WMvsz(4Ge z?*fb6w|OKy7q0Zq?mQas!s^3LqqAqP_WuK!@6`U#ETnF7o9sLP_Qu*)03si(@B1uc zMfaJXRb6j=Nd-yN%`|LCP)vXmAmKJ?#+zGJ>Ccj8kTXCR=aGG(3aXL$@6I=MV=@mL zx#Zm=Jmx1a&yJnN`ec=^6dsNFlzGMpC>nA#mnz)eF9je-*jSL;J!abU`f5X|eehR4 zKqW17`Q23FxwzkTd^?|7M52-}jq2V(0Oi+j0DXRQJmAqFGaHjA5<~CA+l}qziMdQj5k1`(4>U|Guq^mVNhbDX9pE+`V00Wdn^5(@v#@iSrg*s0tt(9=JpMwZr)b`z}@& zyAj<_0Uo-=(ECTIwfbw)&Kenw&(2y_2XTNe`XwfAH;s}w)LR`~;5xB0RVzW$aqsft z?BIBJMbNf`QLt0QTsq|tBG6p?GfFwvA8kB7IZ2fW^9}AH%hs)^0H=edTHKJwL1dSUGsV+vG02=SGk4 zEcFcx@FI0Sl+-~Bu!lHr(XmN;DY{QTt?IcAf$luMK4>~pB}#DzuFj1W{SJ%0{pO84 zGEqC_bE1~lfKSLS zVWtvr>DQ0aguB}gu3TDZ`}i^ZQhOfd`$Q$`y~ZW6&z=1?Zc~HdKr!?+XE*AzYCX<7 z7e3d*sA6kF(&lX;J1UMrY{|-Lg*VmVM z(T1mgwgoQCjP(BespjAy7RV-Q0YIbt6@{GtVA>pZP!NYCf7|D{=RQ+?b>XB^VfXKb zTulxk_F1Z7Go-Ukyvi@k>X=E@dwsbV%AQ&w%w#M8Wg_Agv8eQ4CGddy@lJ<4eB6JO zc($hNg`hU!@NFwunpCHFY5vadt1bWDy-h0Xs9rb?YVJK(Y_-I_Y18=+E7;#0QdUe1 zTcx^Sf#LK(x~bkZi0yw9U>|XTEu+T8uA%twus8Q#8DhdSKK0y)_`uotRJOLZL*H_R zu@LYxln5iNHLj?tx`nbHxPIL#owKtuJUAv!&UA5L)6nR09C0m$`J2!p#noRN{S;=CN{P{JQBcyIoKJyAS`0|a~4l$XQ%2y*@q9I44l&X8e^GQ z>vQMMVH?YT?S+EfJu>pJXP)bzGyNT7Nib^X>OUaVC(&(b=-JCqaw(o7IrQ=pU%uZt z$Ck|w3XXlW_9gTD6lf4yIxl3i(VN9CeiBg*VxKrn?LE5V=fL%l z5JnJv%cZ%A>O5#T5|?|9czAkd=jU6Fe9ELSDspBBudCEjT(0b{xE(y{<>iHAn(Dd{ 
zJN8%Sn};Z|o4C1~P_YVJexD0-L^}iWVq#`4&oIad8ik$of0+pc*%VH{K^SFC~Vdy@Qcs{uKW5@10{%YA5siKX$8}}B-giM z{PN|?q$B>!a5mT_d1*Fs-6<+M_`7t~%a7|ZiWN>w1U@DU7neqYf~Nr3&hIy~=L)}F z#GBxhUTA%KvhGheN=N~KHRKSlwB?9SMX~A-9<4`*Z+&@X&4Tr*yXXAzVrQ`%a!lXm zc)Pp>A7>T4y8E^%?qH1crL8>POXAQB^Ij`R+H`;;o!bX)Dy?0k``qa3YkN-YHyQiR zH9e-<-fUX&a*v??sOGJ*@Q8$P%O9w#{In*=qA>}Ey{o%B|Cw0`t<~SZ$3a2v^qf5l zvzlGOV?Xw5;$OEn0uk&|jf0}Wym_;E_8xq&x%v4`Y;4C)oM4KPv`j(qq7X5BbqBeF ziOy@kyGKWl<2{0|HKMYy&nEi+&TMf{FrSh*Ace|~qTFC1i5B_j%5aP5rE!JjX&rQw zs`6WOc&&}_nxV;1^6>D`FmgA*J>HXY^Y^#hKrm*w7fh%IL=*OzOIysh`<`?r-|pt^ z+oV*ZhPgrMM+l`^viUq<0Umo?ZLNyJT$eBFyGxzLF*vz7-m6}a^^Rs5<|4DhuDCSr zTU9lIg6X)taMhG4>uiy7IR9}-izy1Kt0_3p%Ge}9KeXZwL|(9)KojI(v@WlxkaZnT zJaFPjAKz2MTp{R{z<)Rejb`@s+8-bNwGL8NjM(||)ukB}ZgBviz^tOP#jYm<*QY*8 zXnB0%(P37hQ+IrPDA0N0&yTLKAi{Ij(bNHD+-$dtmB*1IeLsGpFjY72-Me?oW&g^Y zljxcaFewG0foW=LE-j2?iJUErz;5IAk?C};pj~6x_#hJbxykv#1gE9B%WBbk8;gFI zr~|h62M6~9-vV3lezl)Vt+tg;T^L||EtsQ^)F>TpW?efDDM@3%XWYU^-8@WsXB(_Z4hesx6 zQbvJZgJ77Y{wu4KF9!z(2XBXmv!MA7ynpnUV2R)7bJv2=z9$=He!S1UsMnjjTj3nI zZ2Wvaec9OeqTuZg{>*$sKxqmJ3Uw=&a@=QZbhFM~${sCUT^6N4m)%$7Jc@(M0psSD#f za_kss`OueWH*9bpkmcI%;4?n%fci{JPp^^P0o37e^{RP&gy0cnWnwquInM#<2TNSP zex062Ar>ceYdfCo;gzNNuelea$vz9%vd89$B_+G0MbJdbN)8|chq3>ceEWoKtG-n= z9RIomMMWk>Q^juKEjxE+6{7Vy%}<&qB_(11*%VSWdAkf3)J4A{P>xBFqYD)fXy~cV zO3%nxvnhoY6|#dW2OEz9mVyRVJU{SI`JT-A7US|| zs>+(}>8I1H(P1g^Ad>O3a$ZaK@vJ$rN>P2K>^r%@vTpeLrk#9D^TT6`0S)|+$KDYD z625C*s5N}XB_0IG3ev=0vbANGb$pUNaQ1MSY_`zpXB1#|jb^)#GlGO{w4WXHVN zVq|l``IibR>T8dA2^?OkF5m{#gx;Q>!vLMMw6uw6N)%j*UL8+I#>Se^i>%w8Z3YhB zEhiU?MSmi@XHvbu>F%PA&#d`D&jqQ`Z@Cq1ZIP(qo3PPw8g%6TOb>sIQSfwsIXbtv zs6+O(SzS4{xa(w}f429R7w7BpETtcYAAhoqgTuP-{Pj5#l)*Q*u@Bd7VC}+l?kMqW zPtvrqdRnDn;1i;-a0maWB;1?Ser5loQ@?f+pBZdHFAmFFjBcf!qQOD%7Xo2%2VGLE zJ|u0)k^7c!AA+Y2|4$|_Qdn9Ug|6k`=$Lfz^K&dW z6}TrbNNrD5U~rbm!s22$*8VQHycz&;T`2E59N_-N-=(Ri({)d!>yq9YFMmxx$0GQ$ 
zEh8f%IxqZFdT4Zb$DC`kcA5zaBosFUpg;lqwi5`76n%Wo?w+1=;Ur?;Sv>vggRf8SMdP{a$yL}1aHwQD)NeU=Np<6yR=>Fh?{$835Y22w}RQPdn2;3}cL;TSN0fbYNDvj+912gq@YIaWXmpqiK)0R8y#wfl8#dLJ6D z@_DUZ8S97vC3FBaBTO4ahuhT^Su(Tc_&8vf zuED_?81i2M7yw37!O#$4jy@w}|MJRL3E-=AMm5=adg?mFRVeP zb`agv0+mhUfs{Y8F`TloEL2JI?$c$Ro$*-sk0{aTcm}yPn^DyW_HN$h&=e~x8NK(c z+RHa646h-lICLE%&8+E(YWVp0xCx{W*1bmeXFIPkdV8-9dM)3*d)H(3y9;T_Xji`C zrq%agfMV(N3mo~Nu~eh&px_`isHCsYj_pZu2g5&qbIZG*czR-oA3eumGqXO)cl`0Y z9)7`xo|vAlY;Wg82LP4}KE;kxrZU5Yer@qY52DPo&?Fh8xD-4W2&CuNif;hJ2K62Q z1W@jfy!a^t2%J#Q)-;`9>1)soK+Qi&4d|{uk$L~U$mMIkJr8oSDlUl!!D5{Tn=bd& zZbE!VdBghkWMiuSEtsuJTja=o^%i}GBBy`m3`ie0u>CP~kG6EZd;w_e=RGQTCxQ(= z{7vfnaYE!g=I#N=I4xDK#|O^_(+AcC{(9*)WkE$nMOp`*U9}$jcQ7sO*ajAlmlG4pvw?3pC=j>JPgmVv+sgtJ7_viPIW&lH?tFO*_uO5Secqb@G ziYi3Lu0zbO1#78=6GR#0By99r43D=PTN*Xz^J{CZQTAqL4i5i1GYJdDT~Bp0x84e5 zRs9p#2>>=L%G6^GaAoqDfl&rl z-dw|bQ79^wN`=_lEJx2BK-XYJ+@k^;?9pGhwbOO?@J1W=jBM<&WVwnH3&ipQ>xSoc z3=G!ldtvU$6co=_cHbZ1Z5;c5o(3x&Lgpk{EmAE{aYc>>Rqt(6(_Mu4cNLt|**g0w zChhJ<4}v>)PL`TMcR`DxL}xO= zCo?Mbii74tH9_~a4LVWP0(K`kW&p>xsMcPmr(A+*RA{3d##WpOVhM^bza34*dbnr^ZK_)pM?XPL48- z{`tvy#z)TWy>@N!RKipLJ4=x*%qKLB_~p|N>!s@kV}EkWgtK`sLvwjHj-r$@|7aTL zDec4~D#)ePjTgY`>yQYj+If?FJm@P}rEmB5j1CRe0>=@BhpAKmB&;Z#Jpu2Y;JqRX zw}(s4^&XU>Fh2Dy3JXKLrUL^|PuLGSiyRGL?XC^wU9)BlDWPdPsbR-++FoBabsT7@ z^In3t0zf_BD$_zWtxwtRICL3=VkJi-aB$te)l%^)yW`)nWI1Ta`shwYD62zIUa zH$##-r!e2g62K~0j!vyTy8Di?xZM8zUv|pm$Hi>}r=TMCg4w$$^ii7^m)fNdqk%d0 zsf0PBy9EXZGoU6)^9zx^f$;#H7bZ%kk19!|3$P;jHB&Bj98pDy&cR)UFB$`~zsBC) zzIOrIfXUo=cXdYhdKP~6>pxx@{bfB|S{=*@JXB7E4WJ|nV&1v@?ri1?fBkwtfpZ;$ zcx*aPR5ta_?6Z3BgV)ZvP_>~qfDN^9X&Hur}rQ9Z?hWt%-(RMT%z`#t;fqE zHu)H+4f;s^98EcqIS}{5W8V@Oh>udd0pj&vDagW!IPU&Ycr}ny#_k?Ssb$ms;GiJ0 zmM5yHz%}|ILOWDqAe3xs%`lMs>bd^5~3Aw(T|Tr8BA;LQYgPrP=W$&-JZ9{A}0nv;56Q)L?0}ljt9457q**vITu`cr?Sa5REFj}U zh#-^TB<#344^ZqcKl<$2WkPXE7JdpN+)#UO$6rzcJHxtLB(EWKs;Kw=E54zYmR6wA z0({#PEKG#Z>H3{V-%bhP@6V2XmxQLp$Sv1}X95md`(+C^x83D%E^cm34UM2p4naXd zeW(X0V^j{X7@?-GuWV*T2B)H?X7`H4p5Ovss0f#yY*rtiYF2atm_VjaLq(;QZks72 
z&MUvZgg!f+&dkJg2oM2@Sf5bcZUan+*@yD;DwY507|aEZ>>Wfu!=%E6>{?YD@Q^xG z9oSRlZEbC|clq;g%;mVcxm^Z{&B)Be7~Gm3omWV#oy@Z};7#OUWsSJ-f+G=36fO6R zh|v_%o7jey6Yu9Le@l+C5TH%_Q=xg^bjFG>YCp~}axsrQ91GU59Q2rbQS~GYngPe# z@tdEcT{FXxsB}Q_lk((~ded@1fhe2pd5x~@S0Qc-oqAfvXi0swHanf#GW&s=BOu|VQK^~ zd#}8ho}83W&>w+ejg}@-a-n-*K$)<9j0~)-tPtA^l>kIx&$l{2!jh5_5U-1ej_mr2 zub?jHYFVC{q{iAeZ{N^gzAO7e;vuFnHDt7yU1qk659VLE>tS_LanJR^n+DJDsZ)Sx zDXN2?hJ-XrQa7co>jE@e|rxWg~vOFE3W2zU25QT^8v8v8W~XsdnURDwsCV? z&GYBaRW0Zc`gOv8rkAaTJtlkYkH}`BQ`?byARBVqwnn%>+L=Yre|TR<>w_o88;B-P ztT?S!S63^1{>vZOxTV<52_lE@ z1xumDNdbPetyE(kbNTD=VFwqNRIpp@bW#oBgT^o3-?3vyN2xat{`UhZ>kCg3ROISJ zvk5f;N=9i4U-mOGF-a5`-oK-%1&$d7o<-Qez8&CYce1iXK?WpR5_UbwSASh93b7D9 zyxdm$jELO*durq88meR6%r|Pu9>rb-2!79Q>I3%qAz7UbdCzKaav}#{lBn9<7|M;c zJA{h$tEo{#vkSRYnl-3Ho3Xyjk@Z%Kj4gE$ey-8Tqj zaXlb%+R916os)7aT()_FKLbzSa<1Hxc0OBvOIgzPRKLk3CdT%?HDaPW z#h-4uSoQ-~e~v>8bLgpDkIFJWHKp#nX($5v5i=WG4Pt*0}Wizu~fEChXbS(?Vi(lb8u|h*jgb*9VqZm&} zA2deJ*_*~56SpePo=^EF3vlue)QQ(cMIZ6-Z9YFI0>eten`H4{ z)CoXVs$2fjEc_Y*n;iBQzRQ@qIeZkIz-@JT76#7_5s@G;{?qeR-EaZ>0ss2?`^7I* z(vs&44h3xHr@d|o%En&31{FSU=fkH;h^sX?sP|LLEuctoW1MCUj?%=`)MNBuG?t9Y zb=m?;G&u;3+IAKjxb5ZRy9LTCkl(jqM`drJ;tTVZS2E9{YockTqm|G6=9}JjBdsMv zE2dqf2|_=V!)(CR!-o&kdwI?Gvo$m{M96%Wm6heQTX#)A&sVYIO3bi{0i@xjZA(W%b`FJUP9VGjtm z=OcNmsF(m=6b5fla1;jDlZYso$U7AjRzi0VpLt<&U84CWPAeQb4?sEZVOcslI#V1+ z0`IVS;Hjw}K1^j=9VB=;|J$0(wxjDr;(Pqbwl?N>o+*;t3kaDa5npv#WU5 z)Krc689d6c@bIt5DL~PuXBYE<=xSnSb_BMV7|w;1)O2W#jJS9xw89=(<;ZGc-Rh6< z9Gx;5x^e&|=r&dWb&ao{=a!#e%d^wMI2Sdr8=qnvhmw+V7e9YkM8v7*o^l$_&eE36 z@yR%{I9wd9TwX>;S-vyiEm74k*x6}fzrB;MGo6s>Fb`&7je1UAL0X!8BO*1JJ39s| zKQ`l1v@Jrf#w>bgB6cqz%}3BeU}68<+^cDPN4WbS{_Wbmn@D3ly}ci7a;L|>a|SEx zJP+gRf8$qg`uX`;U^6i!c#t9qg1-v@mND)ou=l_LqAESM5jL+4W>v9J)%es!Lm+d2&ofrXvDmM|`V|IpR#H<=F0?Qe;~yS(dJYZ_I2BxEAa9?|5j@htrZ~yhbo3i8GA+)}cMlES zIhUoUc4PDJ8sF;2u>AP$9^AkGJ~Bd3QtQz#k*pD%X-Wx*Vo}x9+$)*ZkE+G!v4TNn z3xr}|(m28LWlmn+B6?0kLxUbtXYkue)V-1hg-hRF`2z)Qm9p{ydWjY_-aFAL@E-vT 
zFa_@N0erj7LNOwgmOJ9fqHfiw)#<=-PNv1wR)^7Z?TyCzEjIg2Tcv0pzgzc#jn(39l&;}l$=VRf z=x{!DevVG!Nf^PEhdcS`gB1)J9zxwve2F$QH|HvC`{huA!s@%H3hvVa2+N%Rlwm+r zAo6#RpTX$oB6;MAFB+{*K4bB$*R;fEE7NHLxzJqcbQ5W|vCu9=pULORPL1>qJopXwJanhlH zZXu~3ba?#SMu0j9;HQ7Ne;BUkN==e^4+cqEH#-Lh+}j$M&m0he@uvM4^A!E;Tv1*Q zxz7}|lAc?RJyPu`Did@WnfuGda-Q)3tB~3*;7g)7L*~*)=P!^P6dqXu;LS!93M{-4 z8f9&L{RN0ekWLyCn=T)<$~7ElihBpD%6{OA0LnZGv*9uei0eZA3uz5gInX~))ZQYR ze%Q`#FD^B}+^|yJgO@K}fUsv8u?*1exXGjyzO>{4@$mEQJasKCQSs8Fwzj_#zJ12G zRuFrxZDhbAsdwtbwv$>cahjk+1d3;- zSJvCD{9awrirH~C>oaEuKPL;z(*2I=l4B&?Q=WJ^4MGzn(3 z6+@~|+iZv&1euL{;cee}{8u$EF9pNQD2#xF$Hg@!9Ssy3T}aEAGPSV@K%x)mx1;cC zdZq0+X&B@QTa+*zrrlAQFdC_M?rn9ovZ|Qd0~Nm~lK!IW7tVHJz2|bFCQcu|DA>Iykn3H;_j^NqU7eeig`;(Q zV{NT~Ufu~eIXi#<8u?P3QQ~ZY-wPXj0P?T?^5u2I$TJa`{~jyzgBgaoYJ%#dG{VgS zUCwG9NqyO*rK#COZE2FFm&Fa9Zi;N=WCH3o?T!_RqrcPR>zhLz-EX=cU~N8}^YZ24 zOkGa1odpF2f~9)SFOJgg;I6D~@(t+NFjK0RxoR%QIecX(UEWJ@$JyhIR}O5m$t`qX zOpa({(rQBPQv)prbzb!3Zp|f6(y*SNJxJ21FfY?kG$GiFoXN|mT(hq~GB#ENt|APt zBme|63kz*TJ>f;Hr=zE`E6YaYU@;rgptt;Ogp1E}?LDKLAm~^;gCeVyn16g64trB{e)RWJBpt@te)w z=e_b50CdA1Syd@BxRVM)XE!~!DEvqC3ytH)aX=ec9$JZsifYY&fBW`2yr&TKTHS>` z&kx_R3=a+cxrwT3L9zbg5T(5Pn~m!k6&FFRbOn?5R({kuZA>5b#*gt*NE~jhUnl{n*PH@xV zJKjNF%M0gijj}^B0Oq27a`0Uz*mUZcXeX|`AHITmd>=17Ikn2BUDwoPfyG67&DbF2 z^N8@JQiwAb@U&Q2S!-3%_dG5YUhNM3ysyP~EM&>*wC+#S*`waVnwoc*4lns)4(#~6 zCq@x53H!P=0o{z!VXQ+IbCDDJivXnuQBz8e(YcB&DxfOy<2#FC&bmpix-?K0L$#}noHU!#=zE>p$Ll|r z3b01do=xl1$+NqKHj}5u$9I(9nWe}6Pn4uuq!sK7G0I?{h z<0MavyESAtkw?6i>=iUSbMLNFr}f{{PPI1eInkC8a`GzY^wy8eqtnVu;s)D?f`bm( z-xL>mCA3fZ8#=H=x*^~}vPQAy^z^iLcgHusP`^DLhHge4u$+JpJjxrS#iv@>2ffBr2VZyK5cZioR}kw+#b7RQhPKX||> zIy5ANC?<9f!~NvrHZ(T=H#-W3%f!Rej2T4qbE-tuaQDaS@~v=gz}9;RpON&uq2X4TbY=kf`wt%M z?d|pT_g@d|;XLXt&CFd4*eijk*S%}xTbR2HBUT;TcMcnt0u!gHXdlIMJ%Q|;oGieS z2(Z*)SY=k$>B^NSh{Q_Sw9;aw5YQrNR=fdq84||lvPzp|=(fDarh}eV*U(@FPXeym zp|5udO`@Ss1o01f#Z~St{Y8a^V7_(u-0$8n2+-R#$I6C-LJMY5_S79jh!!ZrJP)B(Zs?lz1yR5GDv;v^Rt`+^bOM1EjRz;>;I*u7VwfJ=}<5rFJUO0 zGes-mF8UosR8-XKYp#hOtX5`~)soA`{ 
zn;Vgq^`@q#xY5n`T-G2FVcXg^6F-2AT|f}mK(-Hni;SFrg*yvIdM}R{gD@eQ%>YO= zj7^4KEb6if4IYoB8GZwD)G^t z0x%)#k&0I%!v>(>K)=t7)Dt}aaA1OlOTptlMivU4M{OK5*U_^dLM7erG(Zo|#(q%> zH|o@=8Q+{M`cmvBNkB5XGR?agcX_M^!2%EtPA_=j{nY{Hpc7RzG-OmxLGH(4Lb1OE z9RRC@_;X^L4JrY(2_BG?T?g)vxkxqs?P3;3#Hv8Ebm9xMS{z)yFH5`Ojg9}+jv8K2 znJajcY4u82w+KNzyOoo*1$pka+3YjS+>&b;tRNHK5q`0&Z!4b_ggCQb(C z`wFiN-@x9$$v@2>GC4KXi`gS_D?N04@Wl$)8XtzQ5Cjd`apJ=<9zm9;7>g6LY~s3c z;|55uYC(tr1T5Gyu#nf0_H!T8TQJaQ@=vj)ejL6pcAg4LMS+ef5N`6dy`2ziXqOR} z>>wE+WhLC(-_vsgq#4XpM}Z64(u1(?*&=VQ%24{&(+63z#xPT!CAL`5TiMQ^(b-D2CdCrmaOT_Roz= z2}g%?^!FGTx4dE97|qc4A{n?**gtA%v!3u)JKYAi!HH8nr}u4ahjzj{?! zU%$cI+Z%$ndWNOB`C8Vf1q4s&VdpL3@D^i2mt0VTNdZTD>J6nT;onxhOBfZGm{81p zMXv{<`*ESI=)C-hzQ-E&H%{FV|FkE0Ux1g4goF^i+{nz(l|tt013e);)7PwVhA|xD z$81YO`T%H$gcXtp^0;s(b4>*&P73ZjOIh>q(YW(Z(xQQ6H}E(iSMt_*uhHu=r)K%r zb~9jIktULd933TaZtBI;+H8EgtUwv?!{t>~YklCdF#w7nj4l)zfNTt@Y$yh&#}sz+ z^G|*{V^4X@pb#07xrK!-CFiB2J>Iz@|Jy&?+Iq^-(edf&^eyCS4&Id(K404`gnh@o z5ujr1aKTESOmD+z!5M?7$jB;ujETv~XAY|Yty#uA;NsXK7Wd*@|NJt*vGPM|1Be2H z)Ti9W;7h8dOfRDY1%)a<#{FOJSfF!)F-aeXX&D)1X!pyY&cY4YoNJgly^KBpHHZ`> z=q-R(kI+I$o(do3UPJ^5sr4T{wlu15XgCSi{UZix`t5NnPhwUGN8rAkn*`zst~(bM zV0tPpPqUDj3s98$Nr3ZLhI^2?FoW>M_o)b-i$YaZ6&gq^1aTyv|GbA=o$TqBzhmXV zfw;SfE%-1i4JMi7#O~g4Q$Urf3E=FeYtk4aKbxnIFt@AMd-tQGfq4@zd~zTxXgd|m z-L6`c4AIunVW298kP0<8`b#Hl0szI!1$Q&&R7%|EyXmZth#0`ol#Hv1*G#Tl4amvOoK&`iI3Yv4sKVEnm>3QV3k$%B-qBGYHPnlBU5Lk80?HyJ zL@r)JHvoZ^qP3u#$k0hU1#9&V{OEC5ui00IwGo#-j=2N3k<5In&(F6ZR*eg8FVb9X z5&npyJ25+}_j4~bWLPK68lXp*iTNi$3qgA70xoC45a${n994eJSQR8Gh(#Nb zg@iU>6pIA$)J5M^;_El#OGmm_n>}YSXhTrWxpc2zJxtS09v>mDgSkVEyi;;JxDEYoZzY>Xj5W1u{K1lvWe^*f(EV zUAg#Dfaz>&iol2);3i)l;g4l_TWnD2EnBw8tu9Sr;xmlczh-8Y_-uW*jxFs$5?k1X znZ#D{*eGx{t_mzjbWcE=No3&^vwfT_Eck(;PpM6@E_>q@B#;Ev0CmAt7t|O@GsmnX zZh>*a`88k0RVQMgVep*lf!yd$(*~aqo|I^Qi_{QB#3aYjfcgMAo7I545qS7G zlMy_kqM|D^S>BI64!?H!9skzJ-28%GHG6V$GK6JyY+Z&Zw&N7*Z*h#JrKO?j)Fj%w zzlld|vgg;Ypn;I}RBwulYinz_!)+&y7beb*2~qP_e*9^?y1+&;*qlJ7A_*_34@pQ! 
zm`v6nr(rlbI$mE9j10^3=kNnT1EFgpB8{J) zQ)y@NmWSyHHC6-QXxA4262=`If7hhBkF0C&sz2QIBI8d#Z0Eg*60^&@OQ9K8BbEdB z5EY|DPiFAQAN+^NzOAjj1AElu!iB@QzR^cQwFA?NB!3JwavHm>^%5ggcC2$0UZn-O zZE_>cZ|~Jb71J%qkDyGD&W@EJ)(=Dn5Pl^*dy0vP2|^+9o-a*nHi9JuVj|r~ySdPN zbp?$g0b*-JVFK3j8=`#xuh6p~4}Sm!q5vkY|NaBG7JQ9kzr%LWZKX_I7AB?>1G0DE zuK_j@%tXlH$frGUy!=q4v|EzomW4NL2Wh}-`b-ZMvniKN}@er0s^8pn_Mw%bk2TD66 zMvy(K4I>Tikm%s>ouE5&$MWol=t~edOu!G#^E^SX8GfcJ20%zt7%#x2@m9G{Hn|X( zf)TN7foCQmDar6tj!njOyh}Se+L9B)FHv+#;QNxvE!0h9m#Z?gs3iWA1yEI8n(Gab zC?ris;Pg@Iy8g{zmJp8#GSW%W*dZ(&h<%K?rF`aG*T5nqJ~6>XjpRovSj?gGF~L|p zUBM~`gtw5hIt*@!p^XFRs5^G;deRy*0$x>-n&1_nmfVA4l5w^u3f_l&i@5dwyG7ws zzWxuS3r)P%Fk-*}!H`mbwIrS-%8vdU_kCz{r_}6_6h99b zOWYSZS25tDn>W|sUh^!ocKi0cU@`)MeBnLRI52-mumYhAxySV|Ls0DGwStU>1{1}m(Bq5o8PRGtg5RUzHYFd{NNsd zVcvrWIdcsgVOEm?djK{er)~dF|Dq&XeBVCAR&)h(Pa1*H4F4!qBvH+V26`kd0Rx0% zRTsCTZSg58@?`4110o;-C|tVwDYO^_`5%2ADR3S&^e_B??1c#)kNFrZbM9beQwIqa0&&ded)d4> z0h2{edZmZ}GvO?5eiH-BGZ5#;e$j?}dl^8fKCdY4SNe=v!p$(EMBo%1yMQ*F=8b(2#yMV}5mY zeH;%tvU4MH&ShUQkbv+xyT%nN#n07 z5Gsy|%o&yT&sI`Mw%vf~`L2%vuUDxfghqou69-Gg7?TQ!*=0w^3#9gF(#%S!Yii<# zr3VlWKES(2sY!#GkK&3QA9?K{VppyvVunivB!PoW3b~a4O>_T&14-IxbF-zZdwhA1 zh-ba|V|a`IZNs~F;WvSJnR*1rzwqsYGFAzoZEW!np^gbyqlzD>NirDOrL{oGtGF+l zkAJ|e!^a78q_{P~8i;*Def(s5N)1|a4?;3#r(a^us}yU^1xycr?PTOffqCvFR% zivDoBvx7q-3C+DC{ceE3cew{S%P zfD0po^k3Z?qZo&9PqI&1US5_3DZ|FN^0Rd~)ba)!d3gA3*2L6MCnjmh?|PAThtj@2 zGvqM(*Q_2lGdD*%N06GlDv*rxsgRsW7@+zkaZgV{ja>5Ib`xM2WtN|Wmb~U~VS`4> z(j7d6<4$JrAwrOx4|>Nrw;XH(M< z78!Z;)TsywL2?xwnZAOfM=lw_;}pl3IZVL@jEKE>@#0>(+CLwTsfWh|lUvA_D2%5f z=m5a;!gZo&_qPy)a^+qy5(Utv`XVCk_z@!X12L?&dS-!(LrjLw^yf>vBYuGat{iz~ z)27BTh^8aljPvjgKfhw_bcICYP%+S7o{LC|i+5v;0e>=yIuBhWuTx@Lomqa8#V$kzKqoQcaAYtG)e(-`$UQHYQaqYMKT^_|I`0y0_p|x+! 
zy-1>UI0cd6L@kFDxrX(V1I>N}^l%>F^nmM&V0H**UiFwNu&4gQE`m040%5(ND1j9VYu!0h^!g3NL*9n%r)1jK{MQi91{h(FLg7mmGbL zY6Ep8!~-+j?hw2GGMV}%7y6j5W))9vfId>)-oALjXYea|#Xd<`bAjp%_YMNz` z!%uFB!D+yAo5Iybpp}?vy?_@b(iR1#GqVA;$;AQYMlQG=@{IkP(*sxUhlf|-wg$>F zJl_viQpDSVT7XjUXxa_%4fkfpgI!2?Ex85-(>aCSrspU}HyY}Ea}YrQGnmmd?Rx2L z@U=pK^`rOOC%g60Te`ToJcG$S_6NVMfYfRty#C~IhD#(MAW(*ph3zJ>2yLO*;LC|w z*#k+aB_|~&9x5oK0C@2a38|^Ar4^vxA3YOHe!l}IE4yHdR@Kzp#(<8PMFTsTLq{U3 zf3x0y>rVU*I9nwRlz31mf+>*CjnoQp23=7 zAHBt#8|DF>;3W|l2&P!Nx^j@TU}W#eSanB{O9`Ng8Hu8#A7(E|qD`(-7y6>|11ycK{bF&l7Nii?Zq zP``QHGf9>W2{4FBjiALLm`EdTD)D?!yP@xd#l;=Ruq&`MN!ziou)to?#B+egcmW+0 zfZhR9r@k$`P>6OyVMf*!ZeY~yKmDQ9O{k@tZHz&b;U5seLTH9DAC!SyyMuPHRU`pv zBqDL(g>VMU=fQ7*n)&(osuKN5nB8Xhm{?i6+d?Ykur_g{h@GCIdNVNT>W(iE)$wQ z=dj69l9fME&X_8;}SJKtYhvsgCA35U)ZRAQ-M-Z_9V zV}=3{>Kina`wt&VI+Xd`zI*&+LC5cs z#k(CHM!qXxa%9XEpN(D7OAe&Z0=GLL0f*4ZJfOEfL^EMwI*cMikdFu&0}VzRwGzn$ zh8r)5*F!u5*h2{5Xc*u@Igw}!l&b$~JkXuSfn7)h0H;m^8aCR+W7w8>0@ooB_4f50 z!O26Wt_Rm=^cOydLs<V1I zyOEQxcRDJb1v(`BF5pH*mFZOoE^1eAB+1sJkNe?R;fl@kXhyi2<0EdTNPNM%t_(M& z)uV0S2?-I+wFlC>|KNcmL;>V-(tqV(zL#b*?JL7f=3S!Syid-5OHy02H8{n{^zr8r zpxcxF`27V=-WfccoOFlaN0J-w$PpA2^vBbjLOLoN6T<+qX&IK*)~evN#G^Y9*JSb# z2gw6ze=?V9f?u2}J~=bPci@2G`X_9WtzXDA7X0Cz7>-1p3P2JK#p5X2AtYrHm+!++ zDg~xKf>8v(mq=!W@&-gjL0or8JV@!mp%)$@q#d81!}cR?`KG{f`#$M>DW~l>1zOCo z*KZP;$*%7%Kg=P&M^4rNDeFO-CzGZAgE$jMEG$yOD9?64X@8NO-3`d!g?)-L1~^%V z)4N#aX>Mjl$~Z|*+8o^f!mEM?qa65+1H!L87o}0=jvPIDxvPxQt&R0x49^szk@Z=4 z<~p84JqkFbn1loxVB(QQ92wk`!Hi|9#%(qL3;A!SAd=FQRaE?Cpc`?-4M)^>xl=3k zV`zN*-_{w1oFWomLn1LSFz7!JkCcM>YSp3%%w_a`_3342Bda6gDo z`JqY3?~SP5(DzB68c4_wT_YBySNJN%4abP%4dj$;H;W(S6A(~YU(3d`2qdu8jFyvw z<1%j1#%5JR0|XL*|K^83!sN{{Sct^JMe$F6pQ|%%uKa<0^UPb+49r*J>J{h$xUQZ9 zz7ve{mghqqTiBSHZy@PULUI7e<~YZUqZPbsV?%J;3kISh+-v$H6B3NaSjQ*t1N2fS z2nz^^%}GC+%io0T4G%HbtRPzzBU&D)gJH20#SlyPyz5H49Gu~Y$H3ZicV@SzW+z>}s? 
zjRf4s<#2o{{l?aERa#G!*>_OgaCoiwM86_LO?%b1Og@Y1d70i`@#=mF|D|0}0iA2(Q_6qn&} zaooP0d2O(18*oZ9jCxuIhSL&LJbj^5P2}P}#08p{c#(UOCnt%D1CO7wtfia^x)(A(>KW~DiZPK3DBg=lRzC>}DvqH7 zk`BLh>u5m@&cbOcTQ!of)id_2!dJPEWZK^oALOni_;F-TjZtCF2Sy+s1&Q901p9dm zWpT;AY`FBhqaYl+UC7)^QbGb(?d(FG(+;yF*I+p~ywFbSL9`rxm~hNzIOOP;l+xGldi9olwlX?Tv1Hct3SZ}s($kt#Q%*4XQ1Qix> zIo`PwSs23q05|2NB>xz&b3)jI)biSS^nsG~CIJ!IuzUATj4jkLLMZ@POifJm!FXi! zQ_8bYZfD9StKHv}v`PpkXTu7|7!=G=fvXh>H`VC&Q{xwS9V1T+Z6C7<4FE#@riv(m_|4u0i3`*Do>_ija^^vHjlQ~a%y(D-mo zP2@Vw!qc1ZWioZoJPK04UTWq)ZEin~2f=JhB5>p#CK?_I8Zt1(`>OXAxiPg^^q6sqxyr)0e?jLI&fnjXfI09oi~Tf)gH0#3ROlM>u&5 zFS|K0Y{$Q!enT5#K6qU`Ps}R_em;Pox-#^>TWi=DwE|bSP?&(Vp(x0OE*Ap|kjoRm zO;*!-S3$#Yc}#AqMKO&3Q?c3f*Z+CdlS81KxX6PAdLlHxcZl0j;HA1q3=o49^`-z> z@Ub*N!%?RHxo?JK$6&ie!wGd*S#krTRYMvLy&4DuQ@9nd{*M8c;aH=}_`;FE#OYx| zwTavhL`RHN++c|ZSaUJ!jUQ%Zz|fFqMrh+0qVeR8FkI7tt&Yoy$lv3X#tjt;on2qf zT^rp;fwet`-mbX1B#Gn$Nj*>y>`dGRKu+R@;5FcaVYcs$(Fi3WCAhbY0oEvqC17L` z6QISXpwmDZrjSp`+!~ZNa={-3R1Y_lFCPiCEy-^jK9(1i;-A+K%+_rzc^TwqFa zl@P%`r~w_tZsGZz?&+1;XyJ(eGvby+C=+F$KeJ&Qfa6yId=PsawRk&B42;p>%ix!6 z=@)#acI^$8K{YnV`Xf)-{rh*;uOGO{5>J%ek%3=dppHhaK0Q$|7+(Qq2Vl{HYi?o0 zy(RN~*glw0-7DS+7oR9=P&!DA`{aoeWw?w>ug4W64xNKsLFR*5x^8585y<1&--##7 z9sHjl=ildWLr&DbtqhQo@#_)7qN8i*M2k-h9DrJdVZwXS(Z_6Tgs`kg{|b{N#q{(Q zua$XA1YN`>C8@h`4oIT}c7s(*Kp$R*OTmL3r;fr4zpa3rQV`qW;bDX}b?`*-W3`Qq ze2CYeN+&a77lY|WBU9)PttcDD28puRF#H5jUzti+b%66uAQ`$P!o35CZ$UO%hr2)U zI&gKl2`P|vaQg&@qxwG{3Squrpw0Lj5uWx4E}_f4glCGCakz3t#L3pl(UFXnL(MY< z+G)jOt#pOJ@c^xooLiWj=)2|b-qFDmVqU(BjRyyjf*fGv#bO{)%Q=vuAh%U8?eFJD z{zU=e@b>>u_9kF8_wD-kDrF{9h76S2MV)zq_D2ssP4m=DH*UOXU7#Iu~H?9X=wPa^Q)wt3LQ5KPT!wNoa)F10&VU3sb#aURDNg+_cQe-ofE~zN6pLrz^&U_S?=4pz=Q!pN(N;udgMIxa8Y$ z2+_6JY16a3kAtOXsa->=Ni-&7|L038QH&viz+e>7f=GQAoLs2fNXq|F>8;^v z3G-7hTwqGo%I;7OUR;A(1jhnDH@R*F!;c(3JoDl+zZ)aT%ct4pOf(ZRZo=I0;;Tp* z(Y&{;nrCXNXJ8<-f)YV^9opAKuxUX?qGS$X+a!joid%1SC#jFxBSfZeE2p8!^z`rx z|Ggz>^7ii30QNUw_2+WExUp2OXf98I+j$>5R{i*&59ahA#-jLk_+ShSxty=<0+GrB 
zS;Npr20Vv6AZ&p|t(cxZG%b(EG8*qP?3rAIiyd%=2%;n^k1k#1;?b~7`SWc$b-WkTX394_ zR6iUm%%YE{WEL>yK$U^UZ?X>|Vzj7FN_M;Hh6o$5WG2ytj&^9xbNGm&dgoJ*EZovg z+4Iu)0bKK2?L9i7TRttA{r{%m;E<9QBFe5{%ZI;%Fz(6OMgrOas zW`bS{WIr@4J~1)TROJqr6R@hwtNayXV3sN5>F-4Gw})@r*s5cQdclVE>r+9SgLgXH z-*CG*eE4vYvUoD&UCWAp-cC=16()!Nikl3+Hr@x%Qg5sCM~Jxoy9g2iVN(CVF~P&9LYnk%Ruq5KtSxWo z@4s`Y+kXgC|NSy1L;qJThiUrkzm*cj zVE7FnN)SV|>n5`?Lid0DlqM84DJHhxWfwA2`*b&C-M%zkU-Dxg+s1mVtruW%bemG z!HIOv|6k8)Xurr1VFv@pTQ}w($0%V*iX;%11PQIe-b-kiQ5U=c@w26cLuIE8C$%2d(XYKcWy%$5yA|9;TH# zD|c&)ov6j9@322QwcS(foHT0OxR@trjLpqw0+wg}88U2`!SH8@kHddacut!;S5CY7 zo>zT+z2H6rb_;z-H+lKR*xHJ}1N!;&=~H84W3d3ZKMaMOet#dAq35gzX@dTG2+!^2 zW(GsWRIOs_Ct+$KKXc|x3~Z$(z^QWdiP_&77kNT(<|M+|SiEeR*_UNIzZTt&d72Cp zK2TCmn^^q*eT&JHC%;Z{?M;y}3f2bY^2hAIkCnG+g#3E{WwI^OyS74R(uoa7k^=^7 z7!>!DbYcK@=Z?PUx~4mRcqk)vLcD_Q4v-)Xq}~w zK9~-8MlWfybfR+igZvZuC&g#bxPda#QfK7Zs;?ZmV&%#w zFQ)%}mDe{bcRB*7w z+}s>(!LFRM>x_Y7I`{0U*8vLHzfVa|bN!UfvVy@zmoDIyBi-ijKbALnj#11vnqLfgmNpsv&pU3d{GlN= z{IDOQ|9#f}f4`R$4K+vUzb~P(<}T@+e?RFzuiz*nd-{L>nAUB_cm4bCgm>)0+vEko8K1A0z^?yABy~Dxo8h^icZ-r@6%m02+Wlc6Q{r#dkjxvL>Hnra6-CPJ@ z=P2{npN`nC{{R0yj?a_%>-D{3&RD61>0Vk&MPj~F?teaW-U1Fb#V%cQ3kiLy@}NPo z(!1OhygKPrOlUjG&GmuyS;-jj=R-Qubjv`Mf;=dNFR^Y1Q|W{0(m}bike1Kr-&s?y z12NPt;RUsID+$5#0%uL<+_%W*DFiWPcxM#YwO0>soz#y%Evr${DJa*=cu2_D=IkbS z@A}n9$HW8|#{`LB|9jA&2)nznr-mn9)>abZz|punO>(V2u5gq$ryOV1KH5Yvb;*!> z$yG{gAD>VtZD-P{`)OO!#kgg>uCNT)3axr%Z)`P080vaw#GL9CUg`Ia!Tn z{|;!n>Y5traDKN18TN5O!HAlA=83{egqZ32!Y|_z+;nwyMKS~l+6@7qgv>0MpWPw!&9qqagG9+)S|b!XRxS8yc`^&Z!e`1|xy0s0<` z-#htzI5C~j3Pk=$0LCnS_ih*Cbuq}Mv)h%DGDVbSVz$f#h=KoIBCY@~ZbFi9;MdcE z$nf3?EGoL~)*Lw{2b&>5zrglo)#ME>WG-V<(>o|8Z%4Rx+dt!BR@QWSO5kRtF8ja1 zSN(e4*7tLa-asAhl#s$C#5}0@zD>o}^7aFVgt&D@Qvj&igUJORo2+N72qzR%1_f=y%kM63wxA+s?HTcO9>Dog&6v zXjyllwdRkswc}b}-`;jf-1XP1juWZEmy-Ad!~|fR*}lM=xx^3(pfU#r!&(NUE?c*w4gW?A`&gN@sQ?h&gOg=*8{zqSh2V0lLA}Z<77$ zj>(h&sj1dBkm#Ptn#t)&=P+KXkKP+w{^7%@X=Qv=kp}eoLM&?!eXAq*LEwvQs!n{5 
zXgV+dx?r&EO+ancs~(&iT|9Z9j>BZ%O}j0?CFV`(H184#!$tL3*{A+gJ9uPNur?Xsh}X}H3C=xTuA=|O+*g=HurPq z7W)}|!9hvFeP8kR<^;{}*VdmMvuf_)Z}MF#PFObmI(TxwcXBC8S)O?d38f0#n^h26 z3yaeeEc?Pi>z>*~Mo)s?^!Dop-uu&M&#FH?8$58}KqVGqKh@&wjB`loLpj}+au>H{ z-)wule>zfZCdD7IXDpHirYs25V^&#IKYK=`cn@;-k8Dt`y+lyPhN!CEA(SsG=)DN) zGsn#X?9pvggY)=4YF4ol>O~!dx=l?D>l~(T+_(|ilxbPJuyf~>5m52MxAhC9y2)kO z5Uh!iqEe+HKT@e}H5=_2}V6!EFacg44R>?St}~(a@4$ z3Zp!fLc=1yv5+YXY;6^(cGH0f056X41*<Gc)1Cfdg@0&a4;z$#do}V&QWsZ#x*~5IaNAw7OICRbTfZSsBop8^Bydoy1+D^0k0%42%!_M*L(Qb52?C_SNEz>hJya!qE zF&1AAx5#3;dU~y~qwHV1l^-n_U@4dQ3humq-G`1zRQ5E>yZIc)U*w>&5L-;HgQW@0 z%;js0rXb)A?fTmLv`6UC#fxlm>6Ep3!Hq61apIFfbi{dvZhD4abU9kirC9b0%uwVk zrb~7iCFv9xqN2t{<{(!+jj?rwt6$#%5>oGd=mlbK@%hb-YuVEuU|V7bz;1dQ4cbh8 zNM2r^>YpyEpBBJH%DOUtrfNkGC@V)$Dsj{FZ!L#yhN^pSe7tjLrS}gxAx8`w8agP*}Jokx8X>1@RF(sru5gho%|&M<95qh-NJgPgmR-yEZM!WEN_ z%Q$SI`OGR?Ki7fH)!)9QQUyFg6Qm!ohLW7pVeeGtRi|FKxw^Un;i>;R!V@68%pgt& zZpUi;qNpvX&=3;anujZG)zj^ZVO#K=sfEnFnWgVpRFp#1qzz;#5P9;_?6U7da!6M! zIAT3i!jD_230?`kZcCiL)m^P%1lp}zcNEWGq5IZfz2iZ78^0&N^}`*_w=FVF4fNJZ zaq7)duCCs7%$Q>FonDyaEKBi$<^Mq8Ot|{>^|;^C_HnU1n;}Do<~O(&=I5u=%?e`p ziWMu&l5b))|9tgWaT?IFwBDnGMB1t>p86lP;DRNo)IpB0U8)aYR{Z0 z%lIfEZ#$g{-B2qAmKUD7=t;LhcySNF@7ReG`{DVenGM{A_7vJyUC=nFe{Ortye2GjP;9Vt{^-0oIXHm9e$^|Q9N7Qzzo3@%*oK(@rg7jkGr z?{Khv@B|%-3vtRA2Mb{?vCF=o5?2XMT?+;t`wk!8!^!PBUTr0r2lzv{o1$=)fl&cL z#B1xD%*+VGpX?%udJHj7qD?N2b8Xnf`%i;j3M$}<I*q@)1^2#&(FmTvX(f@>W~?gYoB zKaJ+i>k3=kbU=SAweB?Mj}i1s((TuXZ;1&#7{_qWX&XI3y0w2QSdZ8@vQ zw-rH{1)f3#xZso4z(x-UjcnZ5&9^8(0zr(!+%~E4teRhKE0P>cU|j+Li{^GwccgK? 
zMWx{H-<^ualZPQmC3K&7qUTqeH4P4mxRk1>mD5L?FCBTi?WXPj(<$$)cAa(*c>NGuhBKL&)N6&1?NRD zcZBmIl!I9$c<-}kJIcu&RhKhz*|<^g^uLB3>KPuWUBa^qjn3!vh#{onlpS_EFGfcn zp@5i2@Y%M{aeP-(F9>LXZZTGI(#*Yll3s&zKY=?1F0RAD5jup#k@?=*Zr=|{XXG)`&$PN9l8hWQ>;uB z3Y9jOCz<;0tC~Rc;p3I=f9wa zeT-cRAP)#x%AHz&V=yR)+NSd-!V11e2O5~2EWXvJPrGm(o+m7qL#i+4bwu9LQl(tj z5<-yat^tDv4GKT>hGOv@Reko1bujG5uP>J1@3fvXn|)HV9eG4Ri#@`a5Q^l;g&(?=28~`J1S6{(n}#1ceE1m6G8y_k zovzsByW1EHXa9r(7!V%n=j|;@w$X)0BO+9Z7R-@HS{~*j zOoX6dM^7YTDj(uqX=(bhO=$HG&fi3<7L;!*I9SQa$ztDYeFjG`$xt_v77VugE)l7@ zu9Sfu{0>duiIZOm+e~2)oN0{O{&RKGwOx-K2H=FbvXHPZraWS$kQn(&+<^xXG@R(% zn@wf+LEMVzB#57)x`Ip4I)}`qcUA4x6lT! ze}@=XAoS^S5-KOeeO^qU!9N5?2x-+l+Pcvop87|Hf0i)0k~H9}tW%ktv~ z4zvXk+z&njqS^ zb_ygUTI$W+b>rBrJe@1OaK zdZi86`VB*#N0Tm_f;A$sW#^=lhIXT716gwM>eUNX*1M2Z)CXAV!*jYzWqvL)vK{0g zSYd@P#&WL};FInmVG`h>MjS!3^`5($tVH@=sDBl-sF6tT30?|a#o1){96vvWt^ zR8T*b;n`h=yN)5))AqY__pTUL;(lb{_h1285pxd^TGP^PH$F7v6Fb7~Y6zR?Kl{QW zSVB0@-WQ6bS- zOw%0RFblQ?2<%;2QleNY2kZ$+O4RJ&N7pxg>Ou!*`9;&{!*scx6-CuP`M)fO-4#12 zzExL;7tH(TSID^~1-AF9;9|L(dsY?C?{ z6}9L~hgo1M&{)I~Bea{0_rMd3|ep z4=|vXEn7OTiA+w`5@((-NW<1Rvc_j|_nJ0)b{jDsuJGJO!;O`z=G#_ix;sz~naY*& z%*|9r;j(lP{6M|Ie$AT0@N>f3=)&?mOb_8`Uo$(pbH+B#>j?Ay?@3FhrMu2wxWFJI zP%PI50=RSNCM*t5Z6)uDqT6}3?Ii#N{#q%DQ+LiltrwZ6JJL2~+3rU^m7mdtWG4wb z1ANCcUSxgmGk^m{6Fw@`vkocmp5*0?q^n@$Q(cjc=dqvI(8 z9=Ag{RfiWDG@bR^(dkn~MOz$B*ExLYWjYRoc;1mYnA99l+}k2O@zbEdoXpHj^XT{O zCG;{LVPPtw=nW6w53OMIuNB`9UH4f&#_w|H&3=d54*am)B&vP+)9Di;b*QW>+T{d* z5wsvOyypb7(b(kH_V~FKBQttDfZCw%ag3^VY18m<-vy`OP6@9mhfQC72ul14SKh&z z_rkB@?kurZ= z%Zlf*%2RgyHZFUYMn;T9B_^n$O!Zij*oJWVuDraJy}kVy#)1?$*^irj^b3`vqJ3Ts zY||eUgMMxA-o4B-?czHPijQxYzbgMnVs~qH58tPOSMkmF zt1#e@+aKw(mAwpsFP{&}P+c{kTiehaw~R!yc>f)rHhg9fu%+(%pfQ@7QW8S-T~c%# z9Lr3fHQyJm&pjqA6fg;Ms$EQ=LPOK&U=9oA&-0G9p z3P?r7h#BTf|3f_Z%0Kf&$#I5{G5}lEFYq=zm(c5@Yq6>0RF4)`Q6k%dc8*2Dw!2uTLLTs z6K#HI)*dgfr4X<--f{D)aGiY^?bGoWr{;u;UuL6@E>OJ*rud}x5l7~y;Vrj?3qB&~O-=Gtmr;FBa&f@jK$RyFQdoXd3 zW0v}E{j!!ydvuf`)WqUp#%h63{h&|S0rMeC$fwS?m&45M$wp>DEM69*C-7BZOraHB 
z*0MP-KmQ4iB4K5YE~RB<{WUb^IXrsnQ*H^kKW}gpxj^7+^QK$8buk;95Iitr>pU%w z_+|HpoO*PhqObaA)dGkgQbgMaAZlz*s%~3Y1)?XKC~6g~cBC1g2_AKLO)>ALCpsq1 zGmyAgn!}rwCG~Qt_8JeFp{KVm``y}7+18O8mJT185whK>=Imz^R~v7jAGono;a*X2>NhwJ$%J zqBL$?K;XCiNsHgDKcSFS3c)|1m)@u`V=j-f8agb}5?E$Zzqu6(#`EU+Rva~0M*$y^ zry1nuw}*Fkp8F~k&CuURZZNwSaQ*C{2UkYquH1UmgnA4ro^q|$(Fc)ZUR^ss+jdal zGZfGv@sWd;$!1UlmR9tD6n%u^^a3)y;8}zBpp2d@f*4V^$TtF zk0`Zm-+l%+4C2h~lbcGbx1eCV$6n3#2qzqTbh{sv1q>98&O~P~?*l+1(*|})v;UxX z{ZOAa5+EU&qYv&jH8uop4~Ur3K7hX4Gp{I+`9j&*7?oM+e*K(&CE7mI6l?4s=Hx_= z8a-=Z7xM|75A8Ucu_mdf-JO~D`bu35X`Ax#s##?w>pi83CK0vsde_FoFO7xxA|^sC zdSd1=llv_&xv&j*Z}#F7%M#F-Zl+~qw4sKY!3Gi0WDwE(=YNH_uGFpVVn;{owTlXY zokj&!m6v-l>N?bOv`)m7zRF#E)cP~_12b$JFnsGAeU)_)!*4ZBwOU4LN`*IV!Gcps z$BxUK8f0s2&`QeD8qW2(m>4nZTmpJ&I+gEpI^0NAwLrWS4$@q4u4jI^Y=%5mNCYdw zX7povCwQ*n0GS8%mVgrlhlJeA`=+*r9?sap!a-%<HH1U4QZ4t)lH4t*C)N!_o|zyrBy<- z7L3ZS*N04yIg(pG0Hy{obSiOmJqzaGXuJb%rZM(nOU7a_8~^mzh@QIj zy9}q(K2u5W&1mPNyeOi6L(vyjyR#dUf`X+dh(Q z8QMD;T4cUeinFp;@rNYrlc~4vS=eDS$wlar0*(n)BAqXWe}lE}`Pf+F2s2~Xl(SPW z=0<$(Ihj&~Q6*2)zhbcdoFBi5nCh-OGTQVt@cq-59@pP7fKu+xt5*vgVy~$--r>$X z#=cefAd1BSK3yu}*B!e!m5%H_Fr-*3z^rb%QYW+ebnCM_UlbH{2ZxsRx;u^IMROuN zbfC%dNe>a0J4C^RizY2cHQF;UhF$EAJ2(N7Mg?nOS5szOUY5n3{Cc zWOAZCG+M!l68$P<7*@LJSJYC9i~R+$c(NnMWYIw^rZEmb-UQ?!4M6|47^GLgsx+Xf zua_I09^aYvcbc}gq&@BUiWRM=1j+Hw^y$;X7D_9ZQm6dWR|-c(HyX?V8e3=e3-whc zYMgjtEPwdA>Y2|bK9`@Eh0c2I`lxWD5hUg`j!l+PcIW*w*rDE8Q0@nB@4ND$iF=fC ztEwyWV>LenE0<>#}m?SgExZHWZK|XP;&R+(I#}?g6M3q zz3O?KNBE;l(a|0G6ZnO9;duCIS%_E+pu(i8x*~sA_@UKX3r%`uJQA(HM#e0B!!?o) za}f!jLb)JXM&M5FtNWQVXUu|Bfy)5)cITE~08yr923PfMYwY^_n-nd*Hb+L3#s2<6 zDk1P@h!rQ$^B`Mj*U_s518t_kj9SIstTy+N-pc~WIqY5taE6!cUbI;pTry_t+BaG~ zd-fb9HDi9mcq}MD3uixyU(}V#j@%^2WSEhRWcAqI^kw4pzZBg*N)IIr>3MXbKu2vX zejKR#^s=kOS7{(zQJtf~mO~~YL_HaYj0_C!BJZjOJ;6M-Jsx{U&D_QKhki>)!8j8&@Y6IkHPsd+ciS;V5zJT8 zG;B~j_ZJjZA?^sCGjknn(P8LAfpPjDSYWhuwfze zFz7yVFTgs!d^+Rr zXh{J~GaDDjS>-ovH-6%})MZw>`IwUxt8Ry_n!aSo`Rw3?fzSKk+B|q$-`Lgn?tE$5 
zv9Q<0LnDSChzS@m{P}hDIlXQ))GU6nuXg6ugSAm(uZMJ8$TU!N$3MOnDZYF6&c5Pq zn>{+14@kon@T+(z?#h&)qf8}=AqAL99m~AAqs~-ym{+I$w7}}MUTk<54zDHXeRffm zj_=cvo>~;?YPKn-x8_pSth(hnlhgn&dAR(>DWKqib{oikQEP!1g_Z&0&awhc+It_ zgE0W!OW0E8@rn6IRMc=vwpGjgtC_%)A6w7_%|t0BxG)5iyXcrQz8yp8)bqHXANvcH z{fsR9T+BWIK?&9csVwl_A4piHwV4=+9)>eoLj69?+FAj7pd-S>BIfqCT0sqaz+iqo z=bN!hdtfAik<*d~t`f14n};?+m{yPuq&ePD_{FkUcj z3nLJyVs;L0Metrwg6}6!9DFghqn8H->zOuPGG9J`36%17DBzI}W$K%4`i1*YW&yInBMSB7WU0sD_#U_C%(GJH97h%Jy=s>f*VhrWrZ zLWXo8q3RYR6is-6top@^v)Uv+X#Hcfiz~ zfb7EU;<*)w``ppt2QxkpmI--1PBS(V#A)i8==Jf>>(@`d2BpHVV6%C~hC|dbdtp2+ zg#yF_)J9yw6gfmC>m{l$NLi!T{@Eg0PKNuXKO4Hxj=w{%2IiW$AC_u0?e6hW8J-Ku*F=j-(#fUhHUE<| zV*LEKDXzmbJmMnw=n{@It#9+@)cI<}iata<0f~T`QIvFqBc%Ps@Cg%I9kuQPcn~m~ zV9x{3jearBMYOIGgnEDWlC`l|-8Z3r%%iOW; z)R{Afd9i}bkM2)JfI?ptKDEL{esz<7+>6y$Rz4$lx4aHc88~u><}L~fI-KI_E%0A1 z7koIP8P_rRcSbWkuWI{ZEDEL>7_{SF9G|c&3>*`FH%p%GEh{EC!3^2Cte@`sq=hRS z9XX~wvK!C_dV;=d_&QL%o#P4j4yfk<}F&M9_?ib6d;01O}laYg8SHS%8nr#u~|#v z>>M52!qmFy+R&Yo<~PT^J_$S{Q27to$9cD{a1OQwbWi2+<9l+? 
z?=d^7W`(Fo^Z=p+wsvF2jDhFSqWi%;Z2vk9$Cmc-vhPv{wrw#S7xH9vjdzS5a|T8n zzrqG?!In!;-!sD0l%lP_!Ud{A;R_=2iJ=Nq8vHUEWXV^qcCb1m4_b`W01A8es* zWTgMP@3CP0w_lPeBc`g}x%9ryG^_qs$+_^h?FRHeaC>Cm=GkpjjIwf{HxEmeEcp7+ zEw^gP!*tu9>4VC@%ceGk=v;Yfmv-OXH`B zv0B~JB&bq>iFbFEwDF~I3)N2&tYPrYOSNl;_1YL_r=k48Kr{#_fIL|)HF^Lg?MY8~ z4;KLPvy0xmG*vJDlVoOY?t~GuSh*pkgv6!|>fpVc(wb)2>vutg#a72d$(>uvJjZtt zTA`|+W(q9|leaLNugw&gfhLy-8-m;*Fe*|k!@YA%l(S`$#P3sfocMZ3b7q(9fKo^Y zf)FpTB2qKWkcb+*n{+~=;82OvLxujF1gf?1qx;R9lRz79?rcYCI#^WbK0boa3(e%>9e1QC&Y^{4!mV7} zk1y{gopm9!MRI71oI%qc`DR}~vF7gd%16zI9bz)yKQ2&h+qy1E%4|z&lws$vpzOOB z7LG2PuexO4&{pTJ9gHo}Rkl_gW_RXRm+Zv(zs)3nHjZlbDd?W&)3BnMsmO@SOnqHN z@h_&Oj}5>ru@&e`W6i|II<)c+UYetcmJH@KdfCvYK^cJ+x!X$3K{|&5+J5gs5O^x) zF0g0)Po|&EQ*=R&1xXMm>%U`OkQ^~5pr0gERM5b#anWEFdbQ*%h zYh&7kn zC&LP0n}`xJ%MYrdsHn{A&s&_KX&i9U%a^dmfTo_lomNBMzoFRXAhC3 zPTn9TlV?p zaQ9oCd$&tgy;GwzE$VC5(cuSwy`N!ivWIc=zN{`KX4akSPpv;t)MLT8s>bz8mVT zf%GMd7oxKK#wM=Hs>wn(WjkF-I5mi+YiHax3DxAYXH&ONCfsgRYNMQ30p*DcB3#D5 z3DNy2sUb)s=#0c}siKAcZ;0K(N=~a+>+o5$!-AiRfuA6!Ne+1A0E~HCe*ro~bulwa z_H@Rt^e3JzW_6ttb$LN+yBFy?pPeo4JQ*W(-nL*){Qgs;Tg^)zqGJ&H`>X3w|JA2A znB0FjAZd$<0^y z*vh!P`PXAzgFUh>YG2B=vK)409i^M*y>qH(Cv7#2Qf?D8477?&Da=np;-?2q+PWJC zvuKQ{wS+K;tZ1KOvxCvDkhuy_gwFDl;~p>)MR58~l9a2S8xC0%qX z{@F}|f|R*Ji*L4XY%*5)G@EYH2p_7`*?aKujw9O>+3Sd~mk3v%$@`3ujC9 z8T&0I_>cRK1J89%_Y6POtNVe(c)9JSGFzHV+8^!5qD1W`h z^E@?j4=g=-ZR&wy7cIqG9j<>|b5D1zaY`;1!yY;Qw#h@ zo#(wycc$-=&ff>U-ac3+Aaq}jk=1zH^J8=eN0p3U@$$y^Ec=@yx-D(=lg@5D=Jlb+ zdFO<4k+;@NSn}FHK6rb(vD*}!?JlS9ZU}7N{UFG5iKky%6~&##o<%#0r6lLSwuv2N zZalckDymOKMaxrCd70Vg&1>N?i#VqG{BI3o-Oe+vDl_gc=-l)Un*J|8*48g`IkQOL!{3zX%)}% zX+v6eJZg47YPRb0u`}8PD(eot3vL! 
z_&H(N^xGy*BdRY-7f;{SGug52mY>twyPTCaJ1}geQq%rU?~jzf_l+(4dG6u0HG2j* zMVQ|eKA!@FUnKjt7;|0DLFwX|eH~;iU0$_R%(-hjcGCEs8-nk&Fx!&8tH`0*R_B6V z>(j2ro`FwfH5FF-xAL0vkD>d&+Sc%?Z`Y)f;~WKEeguIOVnb~(2G&VHaR=m@L9OwVH>*`Ih(W+jI^XG-IB8_dbUvT>ojdPqWP)+l{CAaDm?I7UaO z-sb32=-WASHZ652j8ixow3K39`dvJZ8fEHu(UrheiY?@EkkV@h4jp31C z5+J&q37Q4NYt?5Bs%^3C7u(Jx-GYl3FSddVgeK^rJrmDQl&S)x^ zh^Gw<8jb?e2LqbmVtt>=KJDFljPF{)dH%K4xGS|t?D}^)Vs`^2r@+LKvx&Z%now&^ zE>%)Vz_9^NU;fmsOP)Ih!YJS>_}+&pimDUm&|ux8>mUUMsy|o*GA51~W6F*gm( zQPs@sab8JH#&nMM#u}xz^9Gy?4o>~^Q0HiD>$;9mCSYw2U`|1aE*p@whYu5G7`U4m zFf-b`kL3U#huZXXLEi&9dY?+`cEwnR?P7h2C?f?m5&*L(Zvsf*In~<_Sk56NCIo-6 z=tPp9c8_uI?yS-hzE`q^@D}9N1&($rF zvp?KC4f%||zJ9jRQ3h^|_;_Lx1}Rv={$ULr^G9TWU2Se}Ln3oc09%p+EsO-wQz8l! z-mR=e$ir_p{_HK#9-c!VWRURMy&xQkIUp7j(@ab{vo&TK!apXnamXVi?f^_Iqi;te zNm(%4al0_x5#<~VReHbaxE^LVnwp!Z<6gqhz@4gl3GDbzt!1#j)?vi!8}+5MbPurq zG$W%9(AY%9DI_8gELfh~0RkA6kS@5g7_y34G48wqphr(3y-VAjN&FpnQ-Xg_PlYp? z1m%vnanM2p$&smyP!+4JT8JD)e7J;#46zaab!37FlL2ceDTx^GF~$?>Ao;5eAdu^6 zT1450l?)1kx~V_EOq>*<>RSAJvxE9FMd9;d>y(pAu6%_Fz&QzF8$~TrZ2g6nDnT^pFy! 
za?F}}FeRtfr3mBD{Ht^4PlcqV%#sgK)_3ebFeyv9fx| z3c^(C%ug>9hXG4oyF7Un+4L^F7!fv+R11R92c~)mn=D>53mo4%$^l_0vvA+z$05{Q zF5O~Y7=-yGQeith%Y`FU@7`JHBQQjbj+?}yDTcdqK-nMa%`LA?Tr~msE_B=RH?ph{ zu;1VoTRQ&CRJW9uSJ^ufhJJ^-S|Iav--LVP&Q@Gv;WI5v6T$bSjLppM@zN}_aSJ_e zEuUM*wCFxzomQh9wGESwJC5@ip`LYX+6v2kg{J-%IDzQS4nUh1ad%Q-%%_{t{SWKj z#qsJBY7mNYW*;83BNkfgw&S$75?Keo$#mO?crBH8W5m@fvrSB%bU34kpM}+;+hW1@ z%kR;a^KRWgsyLUvp0#lAh37B#Nz*1Mf8!#?P=abObi{}<07YSSMdA2z#~)AQaI+JS z9I}=lxp3iv%xSms_fl3zW*Mb9c=yTC`7;PZ!>&9!vAtmF(aE~7)EIHFBQ_Ac2F83+ zW%LcE{X$6^vM42+1xKy5;nD!v^aS24;VFk9&V23q>y1Qg^n+r&AIHFh%tka=1|vc6 ziA1Ue=yzC1h$qt;XXcb}oeAiPG70TlP7hVGf!VwgH6GnpG0S1k^K#;QpC3ar*A**i znmHt4=NLNwBiY3oWc~=4H&GS`@#lqzhfdZPu!S!+op+~4TOl0sX@JEL{Xd4=l0g?g z!{7g1b*<<(?y=(Kz&#|Bem-A{$>evqfUJKvpz~x?OT?9+xs$48IG2AKikewkE~HWX zBnX!DAIHxE~nLfH@{V(;pp_?^Y&r1> z=-wAH@J>xlUGVa(rm%9NDZE*eGZDdR03*%w7Lk!vZW8EIV!zLhpD&g(s`796azk$F z)Y}RT3D!|%X{{8Oq0XQ#Yhi5anrHDAFdr~sF(j7H&y##DZMMpe8+T2=mS>|pe0bEH z#x(!;W~cZXpMm7n75{TD27_3jcie*;Kx8?2xbDl1uc~kMm~F}_|N1p|-rULQ9K1)w zuoZac5HDiY&>B7%7IPCR;ha!O6(cq=n>kYZcgt9r5%aWdDvf*NH#S(*4uRqpR*A|Y{^s_WEs%;C+8Q7b?))$N8>2j0J zDr@Jv6w32GO{&eChtBkvu-JvMcyio2n~U!U&zQe{Ua0AO-F*Mj%>i!LnrzdLJ-V7* zH4tmErvB6)(_z#yJ)P9>IYG_(%EK<7rLkRmM}Xsb97gVp*m5snh^>?2>Oww8BqG{& z?j2h1XJ~U!p$Z>+cDHDf)Dr89XV0B`O~#wxGJ}aJ<4@V+r=OZ1w#&}VUCvAzEemeH zMieQDQsoRj6HrHrwbg)3QM(W44^>n9fZ?Jd@S)hGCU$Upq-i6{#7vx#fSL7REv=IX z55+zgKstRA8v9fJ%b`E(;nRqnYjA@TGF|4)EICibR(K{a7S%9+(TxBWFSR4Eakpmp(S#x*Z5uTa~CF>0+p6&D+?X)t5?-BjZKLux!ALg6wBm1Vw4 z%;hz%#=4&@16uqcLi)Sb-FlgDp1DRW<6ypST|PH^A>w6zL{_*3e`o=O{(-uXEbt;eKc?LDTvR z55hlhxa*&KMKl3xJD!HcKJ2jbMdJ-cgRoo zADi@~=6z+1t>ds<|E1*ld&07m=Z8o(vHj~yRrQx6Dh~k4Iy0L_a`y=2{l(QaryiA; z>MV>|lA5$cwN>5b%BDp{O;^2-E9m^0Nt%gssk9Kj&cvF{Z(Mpn84-_40v=$cJB;dU z$=FjXpN6!ddIYW9&G%p}eF-Kr=VBkn!D?-lDoZ&uFRo)R3FYr%R%2pP;?Kb~x5m&- z19b(OO?`M|hZ6=_p7y-J7x2=~B3)?Czy>^l4HHbq5ZV+Mru z(Aj#Cm2SLEi6;^0OCfUHv5)5t_7%|S1p{_-4 z2x4^M^yT#gbSQe*!=X*QfKVvWdd;(i9rDjq7H+b!WY^9q#{F6EJw=P_C 
z!!mL1)hm(1T_P^g7Wup^u9qx@$0IhtmOj|~G84jMoI+d$^M^FM*bl9*m7YLnHQ%}A zNkbJ3QANo}!Gc|ZGmKegJUg%bRKwtMOZ}&dbpQ-6upeT75t6jLmtRzT+fdrmDoRur z^)bs2;^X9!Is@4y4q=NL*&F|sd@CF5ZgejkV_DEK9*BWkUS+M{Rr@gt!v~yNQzdt` z&&8K>I=y-QI^yOtMjD=-uIa)r;b$jO+PWz4%9SyE5to17ULw&#-3MbPvSup>g4=#L z&2EKvvRR=@2dAA218S;X{(P`Z-Tc+t#6>~oo1;EdRjqMxonQEVu;=fkzT)!B(ghu1 zQX09yk98skFb)``B;To%T~goMs09|{%8O?%)0XLM(k`7*9Ju_fD7oS6h;>--J|$u& zDpx+-X)2Tz#zEygNs>cyru~1c{gp?K6qY{RAnS75QQSpL)y{;DxC+N7ZsnB?>0Qm- z0hOgQqZZ4zcqJe3%rOyxI@V^6Ib~kFW3iaQL5u z5rz4%aPy#G9zJzSLw)`C$J6EFhyad-6VY!9zhfu?6zo)_j=kbe;m1n@N}OFrW$&Lf zQ&m0C(4xk|>_I_IG6lO}n6iV!KK^UvERE$34%X4jnf+omC+up+Eev@1GDJD&=rEhx z&#i5YY9r>jM(5(h*oN(7SRt_6GEgZtn%uB&>WE(N)b818LlmR*TF!17VFK#o(}n9S zmZ~k!Iem`Of`R*Jn2~voniLN^SSsc2BKD?9%B@!z6W8e-Kd^w zm3adx7bppj^7PH>>IocMKOCDSfO8dJL6_E`5Ce%>9vGKA77CmlI{;Dgoqz#!YVG@} zZcUR&NXtkB=5ziy-9m#orQx#%zMcIl!k!>r#l^*` zOapt7CZG*px;p8?lZWiJ*+PI9>sQfe(IzEj?r$Q;Ecbi$!oSHb%SqK>sMyRGSrx@X zTA^M-;6Y3nuK1cd<=)p7_|i;j{P9efMT4Yw;G@9^%weylX_Xemnb2zTqXBEC!+V71 ze(lftj_Z*fa{onxe1fhuzaB3XT8{$NGc(LrPmXy-(8PH{iv}unnR+$7gn6dXEf5ko z8`<=yc*lrEZ9UuX?Hz5fX3df@3hRFVxn5G6MVGyL-q!r8xdiZtH*<^%m*>B@v3Vq8 z#(&nWjZvT)-5(RP?p99Lo=$Ft5s+IF#&~o(5F8xbvaj;C8%`THvis8;CUoSa`8*=K zhs9|($F1s)q=x7;zfmFDB64_FbCQmg9|qejaJW|2{Wo-*$4IJ~>{!0v$v$GMpHB*2 z$H=qUm^~kUzNgI}&MIVtz0nY#gOL& zR6v|NNFLO-?p^2g^9R1YzyKt~F$x_3)BGH^#SFoGmXvucC}=LSUjQ@A-|lw_i4LFI zs%1+bnBh-WklJKD(%f&~b~{|k+F_bq)6(`ogNJ^uwy^UAsuxypvrK<7f*B;5S zxntbhEgo=m>P))`m|?kn-671h)js8|o-Z;)V83kt4O?#6*j6SjS(H;r0AX-<`KsZW zIkV^~XB!zsZS1>#fJE4s4rZm;37ksaVCITZaT5dGoh24GH4ce;M~hXBb9l6QUfXEs`k5+qbEF{M2{q%1~n`R&Z7OkLe1yx z_1BJCApJnz4{)`usl|g8W7H`iVLDG>+a?_kGI)z#t4FN5Te;ypjJAW%sbBTZ&_tbIB`!~I)KECA+49u143F1r3KUFSw!A>Rx2N75TU&m>MfJvt zOHq?N(v06PpY~!b1i5T>;Qi*3SG-nqoH)n47XT8+)W=TjPH;L!YZm@YawOiRBCDWg z^Mc$;cLlf4BVIYUl+PSz+G9cHf7R!!hsQ+MMpV`Y(gBOzrCfs#Wo6DREweUSu_)l5 z9Q+ivOwMtKPCD<(%6OSSQF2?XRLzHuuR|ZXHhQ&)C}zA5<*q zHQHK8O+yxo+-MMVrLyYXuNArQSlhR3LHT;ZP=!(M8qI`XU(Mf=#KgM2(W9&VuXtcM 
zh>6DK!VhOT1)kSkS0=vHDjnS2Z8fYnD4u80ca+di6O2V86SCOzce`WM31;7x&;4&p zeod3ee9;B~5xm&(%XUpleZ{b|+bY7figsD~k!hu1V|;HJL&+cmt61#Pxz}~B@xq1K zd^4f*S}V`!tGPnI1IwK0Z)a2OM(kLG=`)Hj*a#t||Jq;gdv!=ZbP1?DaA;JTbdK9` zEx6u6C|A2ED&~R|4m$&Hp(1=*3r^i;2da|95rhB7>bvBp2C$n1-B?CZbJJ$-;FkXb z>M~FI0;lLYSjOm{?S+_u^%VENzXbj6MU3S@5kq%@M@rW7r9EYb4u!thK1tA*&=P9k z!3nBD$ZXGQTl>)0X)tq(S(pS?)Z}2^ihafZ2PSyMe7>;YM+i;} z&z3^5;`lEd6eY%&l!mnuF54=&xpUyzh_!+Y(COFCJ^SSN<_POUBg z*L(cv{_m96&C$MVhl^ohVhjEMr6b=GT8l>xD<3+8nNv^#s;rS;-&FlTQLIu%$uod8 zm(=;9kflE&4V44KvLVssm@f<7_@=^1TRYY01>4C>1+atW z5UQ*@hm1x@cn--;`X-^EqwBx;vQ~}_Z-||L$o%^h&P)HN-!!zbIa|uQqC={)sw!%? zVbfy3djl=Hmy@IQS{P<$74a6vPn@`cxu6?Ys}tuW{#+@gqJBii!$Q|KT|N|vCX zTJ_pC(Rz`6U+PI17*{4O$Kh@Jr$x`NW@cy0q^=mlx@G%7$&+R3=bo%kSUr(mdinZi z(t<8?eUQBHa0NDFES0Z*Ao+9Q44yJ>nHi$EsFj`n1b8Q;$G_*kQz7?92;38`4`(cs z9(J(k;lEsf>UA#a*+5SCv_t>v#2#a>nfo%ccgG*=Y}v8q_; zOY|VK_eW33xz0)k9_iV>C6Jq0Rf-lP$!DKbC(}_K1^r>M?UmI<7_N|FFJ2vW>XBy3 zTjN)qsk%K{8iix<+J;^;!u5^as8~SVmj4fPZyA+U+lB3dh!_YWB1$XL5=u9Sf=C#2 zm$Za*BOqNO64Huvci(_CNK3bLch{cFH}|`L?J>R|A7eZ}9^sC)))n)bbDqbUg}7dW zp{{-y9q(Lcd?(D~O;83Sx_QVC`oKs=T(UM`U4=3M^TuzPmrDJM(D#Z=O&H(s6q}YL zr2lp02du2o?J!2Hcu2u~9kR|nU~h=_pF=`e|Fz4P!G*^QVh{=XAU`@LV0x5*g*s%R zAPf_Sa~`4wg9Q<0H_Z1BATfiqGLnSLo&~W8h{_A87SyQWp~Cz@M=+T5%TT5LdoId3 z{>QlpQt=FZwQnCQ&3?@GFMlTncHt{TRv#^)K@7r^gxO8-e{O?_5y@Y}x4e$p25lg6 zSVwA=8ZRX!3tyyw&wSg}MtTY(Ua=N4d9{$PN$@f<`2N5#h50IdSo*AA2s0a{yES{3+Zi7PmzXLwS z&&P*lz&Z)?1b~{7TebkpqXgJ!VP_14L@-eVdvrUXhT`BbI8;dvOXn=a;j`eSmG9(> zdFhgTx%E6G$B}Rca3BE){S$bHpwL6t?WuuBKJKv02-;0yK(Rqu>eFmQFXS;8dH;A+>1aF-fotr`mVvB2wtqDud<7GRvBw zP-73{QC@f)7GW@3YlBtZMA;SgAHKtx&=as*dH^`?R~KrFoI_OC;eZSwn({}le3KCl zp|9L~@VqdElHLGriz~zWmmVubV{+m1D=VsoUF zvjZ1L$Yo>T@}bp0E`>f&*2c=}EmT`z_Vhr+DD<^H2Sy7Vi~gpOGGWhza7Vx?G9*!S zvpPwFA*m8MQ$q2ABO>DS=O++pWW`lLRFo9)uNCC)lfS+M76eEz1qcG&-BHS5z6&+{ z`=iJp&Qd34)x!qEO7}iX0vS12V)Ee_!n5841sMb*4FWW7IOWbm2PjmZ5WO>$fR?_j zxI$2jocEB(4x%{3?mgqH>Ayn2zn?CfGmeg!XQM$QHNqxEgCi0MGDo+RpFuA-8W7%8 
zW?79!iW!x&`nMd^zz=&H3fkMl#yOj?=t3?BN|100M8Im$39f00S_C~!4^SbYd@liu zk5N$+g5d+ijFf}lKS%iA5B~jx01rKwJk1bavv=w!nCQ?FAl~-hCN=f(0p%zL z>IV;gFBU=cU=#uJ8r4d>*Fj$YeNiWFeZ1ZU@)=3+cvAbqbo#+;9FEipJ=;)s2Jg&_ zo^8nMvtP>fER}oU{co>0nD)C0>tBdqK0q6GzhNxsOAX)uD>^{F>Otrm3H<-Qs*eVj z|Hm|^o8o^>bAgyI^{M|S29)H&F4^{l!_N~x3G~IM z|31*x$&^?}SW-~NM0aZt2IMq~ z6KRafMg$zL&`Ii9y6}ydT1@=I&$5~s@rSBy$L2DwjMB1gx)`8U_h^ytN1kVDu=~Tp zN6~cL<(G8kJfq9gZtt1${kh#}5b=tyFQ{klPk8HNg1md{7uqbP@iRJ2yYfX=$LxMH z1~|ruY<4}LxLqQjocAg4@I7ae+26V3GvYzb!eX8bnWn3d9s|o`;!4%yu8LRtu5q7> zMIIT?{!#aF=v`vLv=N%_C6Ri~l$`0$smtmS<6+mw5EIhzZ9(?4^NUdjo-oo_(h~!% zb>Zx?$ZJP2UW+44!j(&DJ0@a9J0|a!xzmdN^O<5E>V`07H^v>;ArEi~sk6dK657mO zDl4Dp8jj$2$H~xcn$QK_dy4VM%c`!U1>ez;^hidK!(eE?lwCi{QD51RKj~Y;dUlGA zPUY_)u8hK`bB*E?w|h$duBG)RIdDvd{XY>=N5=ua_;dJeSMj}Xw&J-;KG8qwO9*WE zsT2DMwYjRRgj-2wdY)de_*2~5IPRY^#v5YBv0T=Q)<7$-qnMvj71yVspf9En7}z)=z!bQ zC~0Bb7Qj&5S7v5AfcgB`Ke}lEa~M-7f$+y$;a^nEx%^4$FPj?q{)~s;y<07=auvCT zlPf25dj8x1-GuBN<`=#mXrrBnY#1D?IS`veU?DVz+%DM*?5kvM%$-8M>f~1z#$fM} z>FLb$9c4Y#S7zMBL$*du8727rVAHCwtCm95p6&XRY4$Y0EdEgXBRLTe!?M$_=)^$(lQwQWUP#tN2N?WT&v zCNi%RV?_>&D88C-?EUk;A0NqFjDdzG$nq!lS%M?yB;BIOSZ zl^jGo-tyG}DGZXNIQ%0uqr2vGDUJ8}`+~5oP3ixU;_(r56Ewk@2W&3VKm`3Y4?ByX z=LzxahFe|$nGAL3T{#FL(Gb^l2uz+F?oK)H=K)MEij%qX+7UdI$53^E92)dmQ$gz( z_^-tSJ>Cr>y~j>=yOhet!yJe|2f%dZL6xWn-9CtSHROF%!Vs1>M3#-vF<>|4Ntjzu za8@-5g)gMD0q!ELsHwUtAtXsuj7ouwv^>MZ8v2tU*hxf zlxMuwDDlaNy=rT+dropTxqdqj3oTRfW}ALN_7qiF2nZFAKeEjD?IxV=w$@ujYH zCcEeqT1FF3-<@~aw0w$nOL@{42X8VP_g@RN9TT%ChBdyLsq`#xa`^&(l!y%TAzEdu zJ+E71Bd#C~V=B?)>6V?Doy*(Z+BrWfoQ=`vy0OYTy_miIwY^@bRi$%O)*In#dD8hd&h!T&NFDt z18BfQ)zaLaWr(K>D^b8dS5Yp5hzHUP5Qss#Gapo`a73<0n!X^6T7=xgdUejsNhQQ~ z5L*;yIzk4y7bIqgAYBMDWJs9^&~#4|yAk0TByyyn&jqPBXtHcTjuyH!WDEt3MmTB& z&o*(9Q#mw)98P-RLjUAk9j;)Z8l2fRGCmW^FiBhVMdFPaQcYg22C- zcfC>snkbM^@V%vFsJctWgsfDBj?G?LFOMTNcft8<{U=ua=s{X;L_yLvjfqbv)(>&^ z>QCA|33OuZib^mv1SjiTXjJWr)eak$hr5GFVpmjGtHo5t1PIHWPk#p(Dwjkv+VK66 zWS$rnL=o|(+fhsUhaT-`HOZ{5D6zJNhz6Nk<+C!Xno1Q`YV$hpf569OGdp;-zlFyW 
zw`|b)g@w_0{e7nOp^`Ic)*FL6Qkp2!jr^fZK8?mErG`vYQG|)ruEEWYDpw z2gxoz2)V%p1CEeSAwkJ)F>@J?ce;RWh6T$5Ojy9>)-y5j<^hnE3aFZ0pbG|`?{i4S zl>uV0&*gXVDrEb>+q(uTe~r*>jt<=+bI<}y1ED!ISb*hHGb|(T=yafE4NlnYZ`7eu z2px}z`WaebETG2(a_~^tqM)G>b2wuBv4xv4;Xr@jXeJgnsI0j9c-`7kQ__)feU(;k z*K=#MIJmHIy8R62fGgvm37wy^nweSW1utXoF;~}C!B&f7K*?*z>!#UBSvgVb)5HP; z4l)Yty~o@eW0)A24b>X_7CY2ev56kP*uU4iF~7Ke=zw3=ptmE+ig^?jK{}w?_Tl!d z2Jg@_y*O2k=eZeC+#)1kdvQlnZ+!5LuTp}LT=R8A> z166A zw&z50&9D6;&6%;dL}k0ZoH2EHk7Wl3%yuuSS70Td4De{$#_nnNJz0JcL-c_hmAx*Jxa#E^NzdZ^-30-);PzDWztS{st zp#lJHfL_o)dJU5Gv9{wa(Dk0#AMER!cM=;C;)Y}^K3bZL2*BPBXQw3C-{Hs@2(1&q zN%(Q`r7S(tZVH`iay2OEHia^UG8wRE!=U>L|L)xuC>x85Usx4Njfnb~K^;!gzb)gJzw#s8#_D>PIbVBoUF_=nd~cIHQN5=GtVOZm-?CP^ z4COM(zUiCRV^9!3yTuNf};i*s9m^Zv<*AMndpT}aaGt0G_UKcP_89DHO z$mH2YQj(K*vF3&H*OD0($1_i5ggTtrM^JuKH_3_Yh ztn&3WuU&UxG73tHvO6Al!bBhvhrV@P@9GN*4Gqhrzi4|hFQlII^> zb3EjeC=JzCrp~Er=T)>+nYlu-HP*by+9%C0?logE>DDUnwqm?U0len}3qjFcO?|4lUtM`(y-8EW{n(WYx zYW~UftLyxiHQsqFeC)x!LGUp0qTth7X8o|&W4&HN&ncgyE*S6qJmbxT_Z??OyDj%Bwh5U(Yh0kWbSb zHXk%c3twe$Mb)5btXv?NoX2^<;MU|5Zoa`MxpJ)l<+=TJ!XIp)KUVH)pr>J)-i;~U&O~(iw~g~oh!=ExXbaeS1vL?WG43|Cc6-dRg=N+MSwk> zG9U;ISKmkcV{oyMp75&k@#%4G)Ahz3*`s}hWBPT4>hKLsGjr>YsRd!ZMc78yM0i9D z(CU+FJDW5mB>UEhdD$h`u1zu4K1(Uw^c%Yok@lspfIHx-ckYeSm?Wn?k{6j}%$(cq zi~F=~PFz>!%sxaGrjOVu5-vAwyS@@|>`=e7Tf*Xu{p%QYQpI(Sb#Q#JHS2AY#y&Z! 
z%3!Jak7Ic^dozDE6a|ab}zyP_nG1$(>+FGo|So~aGT6!VswcCszC@Mol$)dv% z%?*-oBt6{0yFLTmM_@0HMo35q>AYvKw?X?wPTvtEQ8`w{Ohzst&FVl}SgL|O z7%gvijYq8dZ&&5ObJ-#+@P6*?U!;QJ~_ zIo(c5(fQy-SU!l+H6~W~GlXZaK7z&C8J&0f#eunjJ?}ujG}=p>-p_Hy+KqeK`ToD0 z9{1pBI1&UA5x{$9TJRlnXBe!d@sZulocb1|ED+4W;%fHDZH-=UNA^PPYjLWWYQ4EX z?D&rO#%D^DzuO$V$<|VfW}MGpyAWpBK1^mCTro=dGZoaIrV-_sX4ZPlJlIjRW)>+g zZ2mBtZ&00om`{>amXYkmyV;VvXD5}}IFC}y zlw0B4bD3OKMy*DOG6?r$5`Rm*GbjDVeFV+Lw5wQr_xNo5)Le|#selkQf|XcNYl(4> zk&vX&T*348pRuSXiuhb{*r<-&$tzS8$D6_C9GGX1P)^m+2R~WszVI-Qr(f(-XNVP> zdS03D1SLG_KHThE!UQ-`COk?HG z*iFCtUOz4FaONGv;8UfbFWxfNV|6N)x$^OX9XEq;r(sgl!wj_K9giv7pPx-wjI(+O z&)Cx{)r^g7^|1`dzkey&rG0paSay?~`#$}TW`jkH zoM6w7*a!0^t+))#0T*$b(kD2BcfH(VwR*K?PuFKJyu^8>UNBIzb37?~(`ke8fx6pQ z+^~Vfa+DJld2tv{fFfa1fMm9Gv-P6-+A>ag&$fp~$IrTJU(SW?&rr)fB<#Bt-0>}c z^U{BcwFh2dhGBlmAzwUk#Eb^9(+iL^KBQwt1P8E~WQ8yGJiD6&CZf1VAKO z1|z&+Xy1bfy#Wew!5{*J2tH!~1u;1^ar6Rg3;2qyQ+2H?J5U8>tU|GdMy3WxmQ4ro zKFq-YdEM7R#o6!XAi6@dJ|HdlYx1S0rUVo{T>hOKP-ZCG*-?3JvhJQ1x6H(4s%dA; zX!dk)yHQ}7d)2Q5mGZsgXjB5W4Rd-y%q(DNtXz7Fw|(6U6@&7|B9sM+77D%_FZ6ykNXQI&W3 z(w*9VvfA|I^R@QOKxVCqc>Js?*^^HO_vuCg{Hwl_-(*6Q&}!=V5rxrk zDzZ}g*(^VxQZQ8ayUK@~Ldq7!C#9ri^3K)QdeSm2I59@?erOGui^UzJ`505_!F>v! 
zM!hYiRJ)Mn;fi9ScekQ%v$(!{W+^u`aN54Kj$WZde-X=BtJPY#*)#fH%8qx-Sc>LU ze@{Z^9j@r~fIFB}{K6TH8=5bIEobf3fktiCg#9 zdNc2&`RDwTp<4%Yk}~cHc`rUud4FnnO7~*O_Hz(Or zX_Y8}U`iO#R@ergWbOUZl!t+S?1+js2N*tim%sr?TfBD zk(8ee=utdr2lt9U(on7}P9RlkAsF4dy>8KC5 zy8Ej)+Hfk#{o~Poc<9~atFyvZp5=3k-_j!TEg36+uZZX3V8?f`JWeQ6%UXTw`&yme zb?rso*V2dh!fQsURFjqTjWxqI(ko8QzGGKJi`Ce2X_HNTQ%|ksf-Bc2bG}8#M=_?& z9(T3Bl)`eADw_R$%N!N5uMxW-k&vfwIPKo^0slj2)#KJ)6Mg#{do$0@Kgoe#Ldpml z)ZNuhOeW5TuBP4I+WBOKd7;WkgE=$rW_<y@})|S|uwKDFG zsW2q^qbpyeO}iME&Vm=0Sas9tq2<||!-<4 zuTLmB&p?J2+7Gdyp#(Zv?4UcIaTe*41?M*+PE$$M7>oBr1OyGB4sL`L%5s%!k;ySM z5g;NyFr15rU;-L@ARmLsRzap52}zqRkejlAW^LbgykKxDJvcs z9#>@+&%+~Sl6@IKT^rEQc%&xa@P$KXXu;$Iw(}vMGSOsH9?z&X{T>aG?+dzG&BxP< z?KCQ88rS24dhjB2|JX%^&fmjt$7y-sH~q+P8qd+q0;<@>UHbm*4LSV%EV{{W z#mWvJ4Zi#)r@@w-&^eY2Xv&W2B5og4cs`=V^3{HOUK>e3h09W!ov7AhCE;ID-WxEO z8fuv&g0|Gff;!dXU;%qQejMw?5kd(X{-~Q`@z-5);{3uBQA~Lf78BQQR@S=B*v((p|XY zO%&MZ0I5Rr&8@(F6Md}aO4F^m%BvW6c-Xvfsp*d$c&?y^QhpGmbV{{SXmbSqo+wwgXM8y(&Ithv5)g#q`cl# zH_YvC5^ne?uPnfyrtkdbiZX!{&+{hA*h0Rtq|2dqgOcwu8a_r#F6_2=G-4%j)Hkb& zPkP$-YASoD*oEkgg;Y_o%-3YH*_R7!^vVb6hpu~Td?>%8@$&=Yxpyt%(t962Vcx&^ zWDwKWFH53fjDblpqiWd5Y+rq~YS40<@?guH#@4mAj#&WbHQ|y<4gWilXNm32D`T@~Cu28QZD-#}TM~^5 zG_-dTdK&}{{>t?Ew3l70rZMQeo&3F<`W^T(67n~fXZaO=UgT>2u-(eIk;JNHesyJ# zA#$e-BS1FW*sbS+X7Fz`O02pLHA*TGZJuhKAXJS-sJndPY*u0=|Ro_%`^56u% z_gV)hpCRoS>W1UM=BHn00|RI8hK+v~rI(N4Uwrazi#K}EV7|lr-B6;2_s^BMw!yak z=ga6BhRe0ZtK~MS>48$BWt_qI)P(zdCsxPV4ubZVf2mYgn9S)n_B`1s8h_dPakt_^ zRZ7gQYu`-`xi(Pbsm`XxUe`yoYv+1jOm3>tnWn4MY0~ z`JX2@&FV09a7M$icD24({`M=H)pGpdcsRYh(U~37o;~<6J-7O0tE-MFKJgU!%4xKI2} zpl5vy{s(#r{o>S1YOyWu$anc)f^k2>rj#f!7ZP~gL zuyuFTRrUlGCBja1&bmvF&y>6 z0~Es@YKflPwn^(g!+Gy*$XIWiS5^E9Y|_$<>bg}}X7fGNEZBPbk6Oqwa9$Ct;aMJ#W={}yv*J#RjMkR*0wGmBa&u#Cj$}h|meyi|!qGL%i zY7-TG?@Au-yfyJ}TOpl=Nm1LJ@ge?Od;*-s%qTVP=xVm^27E%AdYYRn%HzFz7`vw< zB&Grf7+X8Xc_E>K6*!GJL71%0WCu%k&HEJ{NO*AaKCFG5st}V8>hSCq(dwYdt7b6L z32u#7Ad0qHcAQ@&>lmM{4AsG}v{&0GD$q$}CR}aZbU0!;$ho$6KE7@ikd$7!DfwK= 
zCv4Nh)gvvbV*hYeE>HHte1M1R+I#Qm_zZ12f)0j2%=Tm)kMlD6@Xqp=8hb219;}iP z9EGuJhZgOMnOQ3qG345Hx8zN#W#eX#E>mw7J8%_U^wMn%*Kig+Up97?Hwng6sQ5v( zj+5>3?Lm0Kp=-9^DY152&u7~la^J?*g@$l}!V$((!;#>QKq<+?I)5EbSqk~ieT}O1 z=g0i38%?4M>THJl53Du#*u$?T8GmuoSUUA$)oC(Oq*mp-629IV;*?N47O_{Rd0o}v z#k=2|juoON-rw`YX;P#DX0=~h)dt3Un5mT>JL5he@!H`Jnus$wuIkIx%cBvI=+-oxlKeFiA*nbbcg566Lm zvF{4SUrInkKv(oONH&$&nVT3Z^cVx8U7BZ445cC^Bx1hItl*sRm)(0JMq3lyv1Q(3 zKp0NC?BSwpwz&7Yg=6nR~}Y8x`G|8WPCrMImo(xURF#=m0)(3nW_iRed)Hppv$cp!I!q%r<s0M^0$WyxmmzY#w!~U_i{Sg72qEyo9Eq6xK`T>)RUf`{vVc z3BB;HahzLQKlC{d-N)c_628Ff(k-EX=K@}Id8*l2XWed)wb{lk&wyYqNeqCdPT zWo19=pFIn0FgB(PX!SEWA01|KEqfSp$ob&)fR@(CrC=u#zJ-wbYITx7D_YWzEAu`~ z>n5rlj8flK_qbx8x6i{pQQI5wpl49aQhIZ(cw$g%d%58o%K03pXXzD&0@;cvsaEN< z(m{^I6s|@vKlK_*LOzbm!L8A5314QWASv^G*9qSw&*rV#4D#9&wZw~r3N^#@rPE7; z4-6zY8_vdiy-YSD%$h{?Y%Wa&o7DuVC0>xYR7aIkV>Z8XJl>9e(8plDOt9g3B~MfK z(B@z$!|{Zouy#0$#p=exK^^z%l7U81f^&mQqc;PbhbGP*aD2{ZzU_K7BD_|jq(-jV zU+Su&(zTo{z60iZx1|lvoCfMQ(Ytkn6PDq%;*J5WPKP>n8*O>M6Uw}r{Y~a|ghvV* z$1(%AqYF36)za#md^h};b#~cL+056BM$TC=UI@BxzYNOio%O`bdyLa%iYqbVaxQbQ zDma`nnIhMrU!&YO56LC@1`!=iR3iNmovHo&;ML z$0#%R-;FRkk&NUtp-8VC^dDLlS^11ruHOkn-`*p@G>}&~~wl65k6|L{jHF%oW zm6;Ev(#kD;K~T9iRHLnRAU?~hTl-hAUj z+IV66=s?}3e$uac`QKXnQV19Spfx6a{oyzndMSFYYKxJ4!4mu9p9dcI1VX|5g->yG zz+q{)DQ^)+o?XRiElh=XO!w2Y+jWy;(`8E{Ny&AMk-^@+XVNb3yK7TqkEWv0&(!f2 zos;@wH~w(uEpd>^4khv}^06;Gxx`&{di=`c^EV2NR@*1b!XziPbe|$FMH}gqz1>$@ z^T#aSSKm8n-}w2&&iUCp_sZ)k+M2s5~g{xLxPPH64*;j`>0=apjfer(jeC zX`VPiG%wcNwQdzs9x2*(PoncPj}kBRXN#}8ttO9_UpjM3+RaeYcJP*V7N!xQcAw@L zV%dleA1-y2C=tI~DN23wlIP{D`tzVfa+4931TOs1Y(+o+RLE(n#ax%B?B}4ApICBM zCF9#6H{a}}XdyMGQ8^Cj`Ch%+%c32+nPjh}CN&|(X)7-ELFhrh=w1pfWq(lX^4`Sw zi%Y_CIxD=muRdKGQPEyrJFOD8s{MpbJFz>q&vlRSo=w4J?ZmX+&ziHvYi_%!!r7Gv zsp|`;yzfn~j9RzXl1CpyBrTJQ#U5gVD!0U0c9%lNS94y52Kqe6(!u2qXECtEWTX+q zwAL4AQXk(y*GKDY*vBVx^`w`5E4W5yxg93HCeU7@JF+pLdvERdpe8YzltF{~q%ruo z=w)^5A&CM_1PL+0Ac47y?pLDTZc|0-lbzu;?h;3tvCD!kI2`)|KeyLSh)c6$!#2}F-fi?hFty|61)^*)$P|e$b)NaJN%Q}7wEY3M>dXb9`ufm;a}TJxHsGa 
zuW%ms^}9NIs0K9Zj@G?xp^QQ0!NdUo}s990QM*STz|ic9Xyker5b8XG=z z_9h{|f7_|_io9viY~d<)V-JzlMV+!TIKA>WnOr;=h#!HUzNFcbtcbI!QH2v0=uE%XP;5bFrk>&O z&r6ZRyzfodxY4rBW#NTS>X1$^@>Wp!Cx@%Lid<$En3~Gm0}AGw&MVU)5-OZp)LBVbUhFe7VlwJI-(AREWK^I9tXU#9}@q zG?H>|%~N z;&yWMLr;8 zjU;vJ-apkU9GF(#qz?%uqbfIP(Q=G`DdHl3X*o9!-gP62Ne<uZ3@fwSz$ zcf!Lh2{dk7@frr9vy39*jm!>KXo_?LJLVWaP7ZDtVArE`!q;!*+VMxJiucV`Sbf0 zCy!x9{QKweja%km?D)^05cF>!3XswFk00#Im@&u$|Hsc;A==4@|9;_p48SD+>vec| zcW=ND``7Dynm@d%QTo^Go<6<>XG~_$5Je%LfG>sr_ zN~%v+T}rrr;A%%z?)IxV9ZY#c9)8a-8pwTNuE!;=%LB)1a6L#5ytDc_QbdD1`$}&) zG*-q~w9>uNb0fx#`Mo09Df(g7^D*)3TYNKyRB_)W$<2Q zJ3SKi@L_jjCdaMHC?<+zNZX#q!@QF(8`}YWF*6M~^0K)wwW zZEoX!(Xj55Q+3|$Lx4_8OGZG2SUfn3v+h??ecwQEvYX>NJ2G*`0mMH*8E!z^K0uR` z%!2+sp;i(#=-7cSc(khre*>WM4|WcLZsy(32&c@s5Ft3UztIo{u7%1^BV!W2p61$U z88Up4`v&1ceFQEbm5g($!a)PO2}=3y;o(*_+pz}ZJA>y>E9h8%B7oNMeH50EynM-< z^@D%)0?0ePc?t%>hK6(?QKu*>Dmnpq01XMw_B8o>i0mbY z!JJD{O>GQ@?KP&-55URp9UQz|18Qw90EE~teDg-*nhs#S0}g&AV>ZMfzd+MQU&kV| zOHknkUwp$mr2vtW`0WB}4yR58CGK$R?8WbLxt|&hFb^`?CL1z1)FS;2hS`mgI6d$%-(5}`0fQ%tj zWl>QW;6KUsb)jc-({-S)4=+%3nlfge4ai+gr~_?v`&j~klMNApvjd$o7;e4ene2{DTFulhy&QUSP1N3#HZLm2>;~SnuAu#<#l-z5raN zA!2>BEEI$d;6OZOt~f#V?;)_*xU%jA^sg=9toYE-I@krS)PT}SK$CnDXfRYaeL=Ha z4;&kq9GBp_Kh|k6l`q^!`|K=m;v(oKM1fM%*QWuBlZuif(|Z0sPu0-G-f;mS*npD)MD+4})GZg0zdLmF4YhdZ&&|JKO0MS4xZx3T~Pl*E_Hi%0P0Vx5D zF-rq8vv~%M!>eE|2^dM!^2KCyiRJgXaD*&{z4$H|w4i~REj&ZSf3jXwg9bPfph?iW zbNtRs>2|H=jhq30!zieuTP|mndkJplwm4)D507d%=0Lp04 zJyU0x659yOpma0Of3LMWZTDtH4`3mAU&Dq2z)!x78Vs&jX&`3(iU;}y`pBUKQ`yI( zBL`Ue6P?2uRZBlXvINu?ey(Evnr6S2T40R2!Uf zNqbl(pe^BSE28?-=g;r}kthxrG)M;n@H{SiJ{bjd{k!49MIYxuz(;_C_%k^%=Z#4Y*+fT~yO>K)M1G>yL*3mh&O^TQ(}$fkV& z`>E`R#cv65@o(kj$^`$uB|W%vLIj22oPj!MVBTtF$k9}~9j^NbQesG05qJkVs{Z4L z8y)-ki@++~w{Ow91_x7#!gc)K82x9&#BZD5N*DT1h~DhmBunt`U;8u*{hx}v|G%Mr z2>$6)O=QqdTk*)<{d+qto^0CjJ$UdS_5RaKpT1v%REH3d3?Zt-Oh`^f9Cn)`Vqs4K z5(YZbA#y+DdG&bR^6ne(^>KFQ4-5=EerU@@0^Wgskie1btuHo#m5xC^6YSVTu*Biq zFvC|;0&x+zm>_P1iq$UsuuWlX#o<#+Y69N{ym;d?Gc(bdHJ(1*GlQKEP+hCrM}Qlo 
zV`dh-e{7Y2x*-H$A+XZ0<0C_Z%>rRdz>~p}o4J8JT#Jvo0F#NL4%eLm6IUrI(oYun z`1lBPJzRHn|Nin!=u2v#>62 zd@TI{4)33O=_`vgzI8E%WoD9IZL)_@syBM%;MtciDb?)iu^b{QB z-%3jnOex&qp+dt@Q4UDGxC>F-An%)l=l6HkMZx={J!WO4qo>z~I1QdVtSk+1Kar{u z@QT2Q7hVle;aV1K5Gvj|Z=ks6%}Z0wmu>0YFOTFY}J&oZel;eEw1B9yYM)WrSG;F#d2-ZnZe}HSk12XfqG_&sBeDGx; zJAMM;l|HB}!T0Ztl2Qv;*dn(bC`jx5f>A((b6I`}9Wo_3+1Yx~qWv`SHF7=c6+6Y% z{9%i`4tF_CN#HtRQHN%4C3t1HZrW>!YC7)%pJqH+4UJ%v5o{v1%O3!c2{Xf`S`YISL=;SDxD^oaeosjF0JmbN{1*#0n9%^OY||n%G!){3O~xBvn_b(H|U}OVta{3j%Me7Y-rgX@ z3vrvZsn|Spvg3<8sD@MkV%A)2f}n8$LM03z3(-MO&l`9t3~M@>WX&k*u&^*dO1+Vn z_o|y($UDj2mi$LV4QEJ5n6~`-wPI-x85T{LqcD?X0Ko`sZ#0L>?Dd5OpM8CbJ+^?( zc}h6Cx~Rp2oK{6;L|CIqEU{bt_=(zl95`E>zO=sNAqc_XM7?;zSFXn{| zKtKX`-y1mIzM_f8JHZa=1=*`W6h+KAKwJrnFyb0cf+Lo5{9EO#n(zt?)K@YxA~5zK zmNe?Jc+U1y>FLa6zo+-vI5--aBVmdFTTzTJ_)fhjr%HGOoQQm%-nX){VgdLkv=_dw z7~AwuhRtpRxPw|z)Nq!URZs{8LaK~RuRx-81=EMU4qQ?kZ**i6y;kGp<#pim0TweY zCHb7Tqn~V2x0zI*Lm~wpCECHM3lw(Tb(H`e7X}M@e~t$E#02<60^O_pz{Ld!xe)kt z@b9Yvb?C$3Wv}dzt5fEYV6+8|QAmFkFK;wVLkI_7SX;Bh2BQlLF|4H8cP^Qh5RVkY zIZpRv;{N@up|s4*AC;9c;7x=qL9i~vi5^x&kT%1}LwvK$xxi~3E`}81Yd9GF;WTwb z%ot!vlF-t+hm3w82m&{PtgSbc>Hd8zWGcf9L3`MSEGLj&Dr{Ol0t;&h7Qx_xf}K4K zPIAEDf>cCYoHRJdkp<5u&sGlgV*O1;!d##IA0apJ7y{ zN=Xoy%^h6t;6E0_TDo@Es}`hP2Jhb0&sqTN+p}$U$=cPC7YA&Y>sU7I_+;hfA^yd= z;P!#2kmM$kmkY{;eF<6VU@c>l0=u$1JXQuyWdqApH!jyR`;?RUZaGvTHa~E3h6f5} zBUB_fNLnK*I@-~>Gh57aKQ6Frxxxt5>cv9Xp|r?tyNfA|0Yc>H@ju5(UT=hXN6`Mk&L^;|FeF?nWYlvQO^4FI=L=2RgF+PdFi`TN|y zO>3`V){}^aSixcxrhFE;qISchMm8Ijh{N|9YsY4ZM;GzHa3d3qH_kf5TqPLf>joWD z?iTx0|87{O-Esb|^L)EV;FRkN+~Um{`chnOb>qJdyScf|xz{@y{LsQ~s%-^4M=l{n z_YoDX#&Jwk9KB@U_`L^eRuT6pTN?U}KBb)xPzElz$=zri)t|qSKda<6AtfUtb8$fL zSHtl4e&$_nD~cxvxW`YJyT#Pu_+Mr#6O}(?V{-;W?nAL=j~qR!gy3J#!Wa@fwzp#Q z5x|$-wDHfM8Ne}DC z7+*BMz`T*S0`UrFB&@p1qcQdv=0%MLFGk0{^rL525#NZr*b9= zN}q1|4~H`QH;rUhsAp6W|M=H8}%*)F&5JpWx?raRo*@dX%l1>p6 zjHC1KvG#F7MAa z_(T9snr3GFj~_pdd-}Alr9~atrgE&Ou-_3pE(0hNU+Dru!jGOhrH(Sj{kSjxJ4UA6 zGY*v!fQc_P50Z&fKxrprhZhv@3GncE6efn?2$qrpSf%9VCfjM7)!dHLXlj1JQ@?z& 
zftB*>WgVjW}L_3 z4&>N<6QK^r3=IplW&){DcMBjp+4FMG$!0_DY7fHDIo1b+p7?ejm`D|(U3{@I-G4{$@ubi}gj+$|Cb1jd60zp|0 zkB3x0tYR+iutyvvftBp5_ptguj{frMOu)t@jILmz zy<@27VTS)-D4C}(6uU=q5q(OIIAZ*xxPSkCi)|@ANzcdHA*s)Z&RrHJZm|~0;=56+ zAUxzJ0e@?1E?I=5v$%o^iXs_VGzJ%cY!R&J(0OuZ0dO4Yxj>M>X06#o(kUq5ZJ21jC7;T-FmiF54kd~GJ z8(r3l{+qVq75-4WYHkEH6Q;hPrxQ$fkOHzjAj|f@I#xc!-ya?Sg)r1Nw{h}#f~pWhO72uYNT##mU##>iUfD`> zG-c#hzd9?9w(Ru}2a}U0=El|dyz71pXuINHOA8d|>_B-WP>oS`?Q4Hu5uVNGWfR`tCFP_C*SM>)vgUXB5c1aE1xdBNMbgMy+yD|1>oF+w#0i#%hiUIs)LZG}XK1Z6 z2CZGIbM9VM+Fa6Un|TJMx2<$b(of)%l^$7)niXpObr%IF>#z3h9e;39`mjF7k4s}D z`v?GUqk-E_3|c3Vnz!%X^~6gnY){HaWo@jfODVKn<8+iI!+7oZHoevthJ2@`vO1(jI zjf&ECUxDSk#VexMsi~FyiZjZ(Rn$eLwKhXwL+LG_!2=~1wwUJRvpv+Lol23_6QQbX zirQK8*{Aihcl~Fd`%+x?wfAUU>rA66(|BZ7Xq8-?UB(l!=vcyGKkoXe_oL0--;d(s ztQ<&RjznP--HkXdJq7}L97xblX2JMQ&*=)ouMRS(-2)V6&^NuoMdPm$8^|stWT1lS z1?Z`sJmCjwfpq_C!WDob9zVWXR#xVD2bW~|J@jm5mC==m30hMG7FWZ=!=td8d4Bis z+X9YTNxa`Hi$t74=7KNQ`3K8zt3)Y07+x&K+gOqGhk8El8D&4+sNvpCxgWa zs|aGikd$;$#!+OjkrwvQqi>x(lUHThoq=Fny9QuK|+PnN}2UOB_~QuAtS;ZXggah9_K7WXTz zua*3u2xxl z$YSPQ>%Vi&isVPjXfw*ayQ!pi%^r3wGuZnp(55yt@@k!fk#>@gvzMyNtib&CYFlYh zck-A;kN(_rhVh9FBVX^p#tkw1x9(o8F7PpSz|ts}ImQ0qFSiHsAv1E&K-`!&xU(?g zr@$vHY}1H2%{%>SlRU?F0Gn|-Y;yrA-h?aEFHGrmh37)kKKM z&t$E;L!C%{UW+H|X3-tCLrGtMzCQZu*HK{=?*3}y{US=7YzU@&u03#xo3|yH)Bmx- z=B8Dbn-&LccQ|D1Gg-?QcSVYmSCljFIa_qo;(_-i?>82-o7%YMg%zAiXxKO}{ri4; zyRvBOjvc9PdYzY7aCKljjOln^{k$jh^2l#Gn8!;L8S<%N$1SDVk==YZGS zVwLet2>K8TfK2piuK7bT7uG))I=<$`iuzJfZB~P%dnn7QvpZ7dh9lovmH(nInZL@t zmdkN(=EwZj28;MNM<%xwvo3UPougo&%Uq*sB9kGoQcU!2SEKFV``(Bf-aju6U~-5P{)71Ne) zA>|$YunVR!fyn_-jQI2WyUwhlAS0J-@b@uwd#(LQ=jz%A5ok?XqU?H<`-e1EuUs7K_1P$8deNPae#1U>mb45nyYlp0&&JxK}O;t@7N;^xO!kYB^!!_yZF6ZxP;vQ-q zZ0~UId;S!t^aib@QK*~jkX(8zEbJ{F^LtX~o;^#^0q)QoR{d7WDzMRfTeftLO#>S5 zl`5R32V^9(icm-wK8SKyx0t)L_NOH=O6ZR^RzBGtI9Y~eX4v7_mFtnr>u=I@~& zzE`Cy$1H9P-usyE@snEJY?>WS7n|Cu85~XgWKzELugMzfq-&MAP~MRPr^Wa$Rq+LN`i|DaOthTlmtSzG=>lH5Lnw=i&($70-Bo+p9dvKy9j?+er1xxGDKG 
zk-ML5*b8tY_nYy=>^u-cAlA@#07TnTkWf$%4T8tI8S(aH)TSL~HrnHAA(QAUId+h5 zQ_f-Tw6cmlnpbXI;cKy(xwy|*ser${=kCru-jxD5->V$i#{1V;CQm<`$&;}3FK}I> zQhzjX;v&b+W>Lw4LoN%8(OFgxjF}sbHGci_^T=Gf+UUuw!Z|*(qjwAV$nW2r{*WfQKmq1j!uCHxMRrE20JfnbUK9N8$q@`1s&I z)bI|mhV7Pl{B*P(dZ`?>aH{zy=l4r z(e923(KI1tbCXX+4d*07pRD@hCVrRE3;FIMJCZ=(q*loU0BOWH$ouGnK+u+CSdl3y zNS;UUPX!$pZqihvVsGnaEsTP|G)$rnBHR#m+Qf$COIqm_)#4h7**zPfSyK|>`(?#uj)G>UQp$LS37PxL8_#^`MY4pYGKn&FDPJ`+iUHK3RrevhB zL($J*b6>HQjc*h-@0uxTWv%l_E1#FbpC@?F9+nRd^zoG*QS zklTCun}FTie6zB1pKlQPiX9Iqt3bC9DPW6ZqyG8!0?wG~a!3^xmnB1vNK|2DV$oVU z8ekIUpx0V6409Z|k^g@}$D_s4))Q-3+xNZhEIU|LW>>jrTrg!-BC+F-y=1rA z1?4c(b%nJ!=jPvk+i*E3fJ3Ci9RX-gv$NRxCV1ayb^%2v3$DIYR;I$`KC&0c=#PPc zxaZHe6_5Zk=EX@Z&!5a#z=7?<<-?Ql``?ewns!|n{U+>nA4n4OHDw*>naI+m0Giqf zc;H%+DPIIX54^-4|?TR~X59{e2Qq^PURKzI` z?uKXzFq>xBYtfA-l$H>`IR95N^HYG^dY9vva^xzS_nr{1IbIY2zzbg)6;q-gq0mXT z-TXB2!YYzh8}h9(#>>5Dr&EtsN#4&%<(s>l3Nwaw^4PRoS#N!;i}{CNO}Mt*iaFb9 z;o>`rpCWw64uyPm?`+Pw7As$U0I%F0|xA9dJNhy&Iy7O%OG3&wp11Pz zQKeklz2ZXLNgLiq0wTPEwt!HxiG>RnG1&$*Z#RY~`d4RTj>yMBT_Lo-%^A7+b&gI> zYiX%5H?+KW%&|W~N-jn{}p4JZ89Csd4jDgs+~!9E^cGg+s&&y zX0#%`78xc26^wFk`SZnffbM=#2J46lE&iFAap45;iTI(t=UK{34$0>~Hf@x3b% zZyd}>JVPW!=bPKiPl|7R^TPoxWtY|~$EZdCY(n?2paJuVM481*NbTeue3n%A{Xj3H z^dy&vK83Wm=i0Uc=JMb(F0USpBpoCYM7*`H7qW9+_Fu>bl-raM)I5lRvr34nN=(o&C1CSEV9ud+v^GiL?wSbUXllxf4e$hH8F~X+GiNELM-Hwq3vSwdN;DBO@~6ynI}Li3Ky~t_K99G!JIA4%zz2 zf!7C9$w)`D8=}dQq-y~IyxX^5M{x&60P)kS?qQze*Kt6LN$Iu|`Al6mS0wA4Q?b-L zv}$GkMcLw`8mk3rPf@x_cIh}t^$ho{eU(YoxKbzaeu!gnkdJ%&HpRZNxd9KZ^ucv2 z-t4t|CM9f=5tOI4Z(FBe?FYigAe0Dq98uWj;Yz{~;T@+6Flwe?x`&+rAtr1pe}2X4 zUdtN)TfV{Sc1D|BA`Q3$EUapE(yj{Y;gq4ON18S9;nw-hGzqeNki5Zav2_Petso#xwR=MPCC#Ac@p3j~Hdj8_dxa;M zp5_X;T)Z6|V|2rdDZG`zf;)EZe3>cF#AKmw;5I1HVlAb$XM7#@$y3O^JAX)kDSmrt z8CBSBdwwF?1g+48Q9EQpAPNe?$6zCFz~Ez0Vw9WU362~S zU6r$q=ks}mtSdD)^;T~GEO_AqwNsDDNeTLj#hoJN4tv;pw|E^j`qT?lRk>UG5mOaU z2A) zk~sinMlpY`Hkad+p6U7Le=MmrP=LQ7E`yZ z3jPg4bF8>+%VNO~!K)cqNiwP$vm7r>sr37aSv;?PLik{NRAB> 
zmrY0vH5;$jj-jdUlyllsytUEJwK8h9Ans!ExCTo=!_q=r@#azbn~Kk3RQ4mx)GsCM zujsBBe8f$WnvS_7uy?-t;WS#rCAl>$WyZ*cg9NicyWx zTiR}YrtFIwo>aP?LjII3^TM0b@L$n299R}$qZ3Y)u0D6-4{OYa&rylEbN4RScuLO< zo(+>lJjc^$)$fZM^YWih9aa2(r#WKFXF(nXgSV5M3tqvc=RTQY<)615t#w}mTIb!5tW9A}jTeevGv47Qa z6=mhP<;S4ez>hB{sG3^WALCzKqjyiskD!A@?(2}o}*O6p+iP+ z0>uYKiX3l6C~Z!}-}&%CeP(iaO%ZhFCsEKoJp2p?iOiu~>4C-%rT)|VD>Dk$j*TlY z3cjz?;H&lCu-mJwVVYh^G>SIe*>rJm-CWYVu#eIza13gzW3k`x<0a9!lkt<#2AD3) zO+zV)QQVpoWbhl7@&*M@IqdSU6U{c@5kqmylClTb4jX>KZDPO}L%%4{>VQ2h0R?&= zgwwYCix|Oo#KvQ1bmg^qXDwsCNZr&8tBl;nLf95RKVnylyDAocFu6zW`kRCUBJ3y- z9D6iY1(MGc=R=f~YCA|}o!RbLf&U%CR5oeE_7b8LnV7!@KHmZsO;>7!OONd+i)+B&q>GY*mp2W+KjX|6DpL-==IlKqKA!}irQSDN4gb&`F^+oK{uN0r-Z zVB?XJlA<$6e`qdCHYenyy0^f1>>R!*$3k#h_RR^y0_9(#?rRjvT{Fe4#$oP_F!+9@ zd}`>$v`&JgxBg6RXP%y&OIr==r9Zb1BOZ+SEvTo%q2n8a$hH>BB_bqVK-rRdrhJxgU1#3k_RkjAs5{-#l!9C`GCNnL9-PC= zy3gh@L@v$IhSp!2BUpDOWvPgW2J_Rplkp#hCz)xfdETSyysY@3Z3Z3d#$Q~moUON6 z?r}wwS-Y=|Q}BLsj;bibOLifX`*m-UOiyEvPPFr(x)as>78Hm>X)vgxR-UQs<@6s=pdfl3yBj}o9W`he41tBP*~ODlZGC+ab_Hb z+oH$=03mX9ay=`nX=bxsZlRVpkyYsG9<;Nwdu`%{zhYJy1T7%lA44g{lmw|AS%^9V zgUR&w4?OdzbW7J>XPRdx)l+@rJWD9QwPn(MPSJGVZ?6isZvFG%R@#cvMjg)msh$WM zX;@mazunbK{(K%t$hUugAT0e<=V1f7Qrh9MX?MtEL?FB)1KU(UzN4Wj?HcvTTm}i( zyXtDlZa0RM??Z&+z0O?) 
zY}orV0!@P)k>;nji~RY?C^5@8)XWL!6HGTxp_381*H1o?wg-b>Y;nk}M7OlCnTx@P zuEbQ6l@b<$UnqZFrj%D#B!*S{4viJ7z2X2H$@5(`u5-Vq#`bF zaFwV$R@8|@{&@P^`#TCchKHEO`!`cpv2nCzB;F55>M(8P<9Vs}z-UjE@Ll6y)A|~@ zLyuB)3SC1E?@#fLmDjp8>G~<-7zgUchi!TOpCy0t&_DJ`RTHbIs)D{Y0w@TIMr{l@ zeQzpx&rBaO$^x3o=Z!VllN>s+Cz^8d4ie#5!$ZXcY zKfR{?4viW*ZHU~iv2A9dr6wj4)E*SK@7*Jv( zwoWamC+rd0w65-&Q5t*so5?P>S$1iB2zzm|(E2SN9GM z&z7}n%cpL4Rb(}cyR+(qTS`Lo!hCz`?H#rbvf7t_^W32^p=0cAG+})$MK7_)R4@ zWnEa+(0S5l;E2!KTPZOTw~GXX$ua~aR9$po;H*nV8V&V2oUtP!U$nr!1wr?^*N!j-8_l^r^6}&U~_+=Xdx|;_& zX`ftnYYqgtjvc}uC(-T^y?&~l&C8Of->+O4KdAI=g=1yN z<&2u%kG;Q_#Y|I~m#>9A*S+4e!Yw{tqsjdF0^*N-)x@ARl|5IwI=J;z_&7P`F65=E zWGB-_FL=Dl-pbw8TDVn&$0~5qu-Zhpb+w|%cAD9%rt8-c0=?V3X5iR4G~cjCJoLXx zO#xp|738!I%SlBN{+1XUx7<7BUGdEX^*V9BL6(l*9igsdSO?bKEwH{s)&9LXQy5Y> z^!LQN2y}Ss_U$F-(r@0se*j0^GEBkZ#gf{xZdJWryQq1($zqHJ+faDMlQ)L@M_$g- zE`RU1&p%D{$&sKlm4aF4%qk~-Xqz_`=t><833N`(#Y%^qt-j8$$=8<+PuL~^` zvsFH_LKb7egDp&)kZ|f&c8JCGb<~uReS^-@GAy0Af%VOsc6)hx%WLhkK zfizxlp-`V=(Laca8MG=fp4~RcfBW|Bv&@2+eV?*v<5!sAFhegA{eRWPu>6>WINRE52G%JthF{0X17L$%+H3zosgPigZIP$mK*V9c)W z>jSF$_Zzd(6dN6OCOCWADpmuR%_PGUA%Ya-B)Wv-zb@5W3)3$T{G%qJfE;zi<=omd z6ePrftgNa^gxb(d;q<3SnE%d;e9&^t&+1FC0dH3RE0U8Gv2#b-rOqoxW;eIn6?n_I42hJgdd7ts*8#!$MEhoy~<_UdkmK&aM4~Blo0c z2Vp{iubCqgw9^A+BZ$=t#miaAtZ^Jkkb%(?%@DrFS7N9h^yB_HU|;=%fe|n7L?>n{ zpGJR01`9h3G=)OaI0|nxeP(kI^yg4Ixu1u|8kbtwlMSNnXP`1ggNqsW$dAD?T6OQv z?b{%4{6j*LQVUGq^~hYVxpPePr9|b)*-S3V?2sQSj7;9Mg(ca8oPlDAFFxCKw(9(B zE2Y~=iqf~DHP3v;PMSw8FTyx#OO5VAEL{J=WmGgG!1N=l!tZQ^?#d)Zym{qGK^7w6 zL05WT-a`i0h@?|)6l83pc#nP8;Yd@9|MYO*3c@9ccrCaCc5rU@kb=Iw6JwHJj33wD zx~{}5)i~VjrCcVS4(E;ON*>CyKJTV5`-lsS>p4J#WJ#GbJ#r+Pn^HK z=p>`!7j7XZSa0wp$t7c!$7rgP>bIU20HN4bQ1$aj>Trewy9oz$#U;KF7{nE}N5jyocy3D#@ z!LiwS==J@fd^@m-5#F%IlZG(DTxpBXjg6@NTB{NhZ(2h|t(CZe!dP^lPU@ofWV@{H zoW#uYUJp6T_})az1^Z~XZB-gcMXrS_9{fz`42yUr64Ym=V1w0>QPp;8JwoQE$?E6~ zeh&>v7Cs9tH6?M_V%#zRVw7{MBP;O{pqCIl`HJrmGck59O&POkqfqJcX1W_RZ zYQU((taerPXC&A^qEGrY)EWVs8kFVlVSQ7CVH~w^;lg+lq5dIICj~#MJslhp_>--t 
zCfi`}rehPi1hYoL!i*)9?A4IYJ2s}@S#z(o3YDiSIspo9uQ^ehydz>s-LS@x|Cd!> za^0%Yk4U%qp&5h}q&D4B z8<+wFZsedHZy>emA@pbRF~WKJfBbQ^)%s~x7F%v>aPuI8R!k^JIE*XDEf;B5wxP2T zBOS@SFNm9ga+6VA6=awesR*3~mB({9V%s%3t(s@-``C)%J8l0V59$S~R= zvrKhSZ^Ua(8zli$XclIbyFN@oHy6V8IS(pwa&p0`L4mHU6N~D6ZToJVoxn`Yh$j%> z=wts~5tY#ToKwCzo711ji{1qnga173 zDU4qGGm)wR{6s1kAL6{nW9)y4+DG>uq>dM=cJ~@(HU^pWdAO}JJAMrr z2TH&>3T(UGxJ-yAoI}Qewy?cAwOYOcJ=jK}!oC;rYC|8d{1Gp{>gi6{;=W>j*F&ft zVbO3JXxfWzYuWeO$E$HCK$(u#WaEN6@i0LUUEZ~96UttQxqUID5S=vfB^e~KUP|Zo zP)6&mgUbSMqWhfyi?yNfUs`||G)BZ$40scx;+H*3E#PH!Tgw#M)&Bm@j@{#*j$z)# zIhTt8u46sRlEH+igm7u#PsN=psFx9l5NZmXZg1cqgnX*VB*n+@Rz$=hI2G-CKEOGF z&}#TczO89!JS8~6pyT_2r+a|nQtW^pB^nZ?z54D<&yN{(DJ1{OUv^4>F)+B?ZbHPp zKl-m%@hNU)FOscEV`=-!6&zuwg?Km`uc$ByOBQ&gd%!@+dI1Gy6EjoKPnyOK;?0nP zqY;;(x`Tr_W_g%kvMLEL`PEk+a7$C>8lH3no`P~-&)ZPB6>GTo*ywy!r3>LrcIf+b z4c`7cs5)<;;vdy{k>-g%i+<7F<@j7@@I^fO?4EE-^feCw@jzmK8=yWTJ3G6l+=g>p zeu;kp2J1(4bZ{mBXqcLEfmBr4^aU(%SP|-V390fD;4yR|jCnmbJ!U7(fo9mhaP035 z$8KL^p9&b`iK>zx(7G%yBQ4p-CMM@psJOBZJ9vys+y>_)vZ$5GO7j^>D#XcTD*F3Gv!~z6eloZT{KR z5fyO8xB!!-a6#1#>5p61k0%j0l8;0srOY)t;o=e3z!8FtMglI*psECXexF1>;MVe8 zocxvC*O$W@nFZzU28na)z)hRLq(MR}6vC+QHEffS2?sQQB#bxcT`4f1khEq=g$v=B z6CXv`5u`t3x_wD(-x{DDo#pq}REsi51Q>rAbb{mRW#eC92v@qiU+Kq=QYI%Zzg>21hqHkGI|s{G;Xx`xN>CkoelB~=vI6cs42 zw?|jzH1X7KDyTNt+&5rMZKB1;HdxlM$fC3uo>T-e)I^}kL-b}EEGv?h`pJ5}mA%*( z%6t)6RmXRHj)bV~@jZk0P`?pFa`-R4VD&j6gtf!f93nfE#Tz-WCp_+$R#20shQ>FT z`-ra##rXdH%aJvqmsRQnLxbehyw1xLgiZv%;rjKOK*=nF@QqDYs;Je-d>G=$0fe_& z%7>xakVb;{Tj9UC4ws>^Qdmggrhzr{NRNXITqf{0jF=C9$xijb?=zO+4>RR zM4_RglF=E()Hi98=+#SDUw(an?{+Sb`%v()>e9ULvx{k&Ug;d|PnH9+6F*fGl5Mw) zZpO6IsW2kNdd^Q}cl_TUNW>d&*U0Fukaq#%$8QO43=0cmTj(l8JP7UzZOhYR zBpb^oe9z$!`I)VdU6QKaY48i@I7zdIi7UAN++)mbCYL;kY*DP_l}1f~%G)$u_kfm` zc}LM@otN~hNlDi`#>B}Pgv*3j8dCJGal+?S`+Ib2Gjn;e)m&gw$7Bz zyP=Xr&p`(Y6Q%|RtqMv;R#sJva3${K{5F4!lfQ3foZU;nPAk(H*iM%2``X&iCR&#l z?`ziR)>Wl(x9l~Vj#CZDo>Fv-GAHPs){zCKNeXy;uojf2s(Xm5f-G$WXZ(b;oXmV4`B@>cgRKy)9K_798<&D^&c@Hk 
z>zD5IVRk`6IbbhDfh@;FGdVJW7KYJ>hy6)r5xaHPWe6^gI~%ZzxQrN)DIZ8rU`%PZ zVI!(}U{{>a?l)uF?2tR~eNa??!bFEt58D5owkin;$Jd4(8@hEMN=~AmT z)eq?x$$c0gcb#>%oK8MWl)J>K6 zfXU5+*c_^#oOOU(P4&XjPHv7QgM7>}(4MLox}$AyO^14~?$c7!S(_ikkwk+W(9-(Fwmz`LC|APkKOO)mAU?ym75RP8p?1 zRm8GOq&@o5k()_P{%Wxs^bATpCk}ht37Dn@yzv|woND~==Y!xk+l_=GuV3qU{T3&G zf;3AUSGe!EVb4Wzbe`V=gbO-=xNCPm-rt9N8|R~p8GYKK!NX~h+*VC>^$$lXOiWBJ z#R`AzcFKjtr(7hErtx1KO_zg@|9>JHHLpyUY=4q^F0+V}FolDhG}jK_59eTXm8)vc1jx zg4_9VhdFk`T8~HejjsJIUKg8(KlF_&hOtMlMI^`c)h#b8*uD z1wgV-n z@#7Q(I{?Pz0;22&O;-pPfIBQ@A{@dzpH`ath!Y zQ`+jaZ`OzMo6^uHEMDxKmG8TMUq{yAxDkPb4#%oUYhgw!4n36w>SjhVd=@LuyL#+}cYY zOf8m`{sY|q!opfi>j)~e41Eh>Ia;0D$;tg!7mRG4n?@pRcIW@M&H9=eH0z}bdS3*N z%1>DYI!W{|YuX-gws1~fkn?;^aqEl3y3pR%hO~NnFpu}WBMcvWy{T#`dDP2qHeS0} zJ3$ynS}4DfHZ6hFg1rDMI8F5e^B}T0#GhFr2_~?#(_gxw(-vG4++q$gmUpJ-Jt;3M zD&MdB!N*A3F*)0xkOaDN@9_BB<*Ersgc7u?`MPDEKM^?`bl-7JTYmHj=b*Gpku3C| zvNJb5u1JpA9eCJejd$?G@fbVi`W*ri?_2?2q&c3rs)!HKJ#`O3Hx=Jj*>H0`KXvL< zAfSrD1^JaX!@|^n!@$hMbS#ei_3u69{=Bk&)TZqrXHqgtJqO*DuDzpZQliPoSM1)wcL?g&yvu0Cy4J9KEac*c`1pfcFwEl1$3>V(gd z8iMgpn40d#2W;ah_et5aVz!u*0* zRF??h$iR89F;Sm584>*fmodfvx??|gobWU`OGG?Up~wk__ym%^fUb%HGe1s~G>6BJ znV6YNNz@lwTM`>WW>~?+Daf)K6%`c`INZLy4xr!_i*N{bUV$6nPDqju7Mf3vti7k0 zyOkqq)->|M3B+*>ot%piYPh;C)Kp+y$*D;>y6BUspJ%rxurH`Qa|kh6@^#JK9$s-( zG0yehjj?~-kJHd9xa1q0NHVB|PyQ`*O~5ILt_iVa0T9E%*Gzh2M7s?j&1&;LU(y>B zQ6^@=15#CwmfHY!P0C3So>4)=g1jT+*ZkG`Utzo#k^Et_5b3l;0&P!%l|xHZI_Pu^ z|8(SUqKG;ZsKkgU0xA&-j8mY0ktB3v-q$4BS@z*GhU3i~VRwhQ)9gKGR@HM?*6+tx z6iW8k9Xy}OEZ3ck}OaaeCzv+I;{CEs$RV=^>^%z#!jSvc(X0^%OI~ za8`obgl$j&Rzj4^H^Re7q!(Anic*ocAY<^||K5?_BiqpP7ZdtT3kUL6WnA;yWSEOk zo2c#-ql>ND9ae!OPtmQjN(f3P_tct7zsC$G5#47t=zI3T!4#%Ymd#mCLZ>F(E32RCdk^{;P*1w8V}lND zi379HF?fBR-8IzrXvxXA4UV8Q(T-e+l6BsNbRhWcJPWz~N}22;{{$FeGHlrX4}kIP zaSuqLfGg6>AF+CC#~?@@(#YZe4-M5Pw#5`Bw+zNrGnRvyGw(&m6vCd zs_5F8k`70w|_1n!UD3-_Wv(nv|FRp%g1 zx3XZ)3W%JDa00gJ&R3|vej*lZ7h(eOONW${lr(rhp8Ez#{~3T1M7oGPHJ14LnJeS< zZ!)d9iob;z%}&`!OBGUcSG|eZv#jn}&2r{Ymg1(_4HNp76e2rW1PilO_Y#qn^2WX7 
zq@{|lKZpgchFa-oh47kTFSPY85YL~?vfWH#hIZ}@LZ1evs0{rV1yYGjN_2)i zH7F$ENXH>?E?H;@1t6+m0E@s21rWjc?v?-opt{O}w?J--0>ANOJ3!Yy51TS6?h+~P zJ|+z&ixh9mn6d#od6xJnNI7gLvS_{9W{J25i6gv(DJKACtV+;}R5@Yc5adZ9O6+%; zYMM11eR)(*jEr=9*uJ)=`GWXaRpz-nXr#Mj}v#{UFX^Ci<5xLIy#zlN(lK*C1=pdW}QkTotgzbCAWOg z79BBGyAdD5&Vg~g-@WNH6Uitb%B1f=M)NO@o4}jRWWQaOgTcGl=yeL5xe=AV7UAjd z@l%(f4>e4@GjxO_Y1A`3e_rr}TWOitT-YCpdbctzw&nEX^pxKl9AZpM ziqUq@K#PqtuSjJr}`{hHKlRiRIJhSMcmMDy=lf_X|B? z1YbRgF+c>;&yv-`Bzg>y3Wyl`SNU|z2ELpBOZfzm2I(u+EKS_!c-%9&FBv(=1*gfb zL!}%_Q-gyLKVG(!TwP7NMXVMqe znSqWj;Z*j|6=Xf^RF9=BFN`kF`c+NA=8^Pf=7)*WDHt^K1u+!1;9 zSv(Q8y7h&de-;UpsR&jVmr9ez+u>cu_iI5tYsi(td(Vo_?@mIOy~nQyku&4y3arfV z0|cu@$m#)vx`i;vCj7}z0I#LMv!g)H4IQ_9WVU_pE9m1$k}6_^iPaC{c-W9cTz{U% z$@VW1(}n*|0@a@Yk^(m_Rk^Qb9SAFMLmKIn$SHGC8^~d#~-y<0W5bq$dI5V#DiV>U$>KM{+mK<3Dm&0 z5mz6{-=O0yPXS<~)UJnq)%B%ktN{*!1!)Vnu*y;Xtb2 z-j7NTaia9V{2`hOMi2VR*8W!1hc4DW^RY+aN{&dpsPy;X z5L{;mGfSI+h7lkT8vrd+>Tu*|7S8_z41W>h4P8g85raB051 z*Uu#o;}IHy`=}~~vb)!M)OHI*NLZej>Lpx$rBwR};QDaR%EPb-F|qSN(?s>N6WcBU>EmG{D^=pb(jO zR#_SiVOQ^N%(cCRb8P*p+g)=;EM<%8@t+sQ7fTmhS<0a3iIlAQr;@$v7l)U+LEOWQ z5`O;@0ZgMp;axzM^x}1Cr=m;Ckg2|NZu!WuTZO9qr{=*r3ZPmcsonjFxxom52uUz3 zjE3BVUi@}g>5?Kiln&&o~rhj-Pv{*y6zb-|X?N8j79}6^30mVJm1>(m5HiFXG zcIs|em_PJ-e-XLCTmP+?CtimynKsq%^SniNEyO1X9a~Q_^}yK~l!b6tKiVIVg#-$s zw-;_nLm)8uKY?z-Qg%9P-rlA238XKfwehTI)(DUFUhCpRwhXP zZliW9LFU17sB+UN3F9qXoGoNpM9#oQd28}0qGTi@&l@0vlY|VTQqYjRS4+}0kk3m3 zyA<1nMND>kfrLtXQ6?p9|99=@8rWkD%kF9jGuL0}NKIY%y!i zb?ybRSkg6G^HNU=32-G*^Z#h`xg~%N;hyS%gLLawTB+|0g`TK>e{yC3f%(Tdn~K&xep~8JUmu=ZQraD-0M|YEikvL_hcqfIHD$J3b*=LL~L=e<;g{! 
zZ-YS*s(EgZ%uwVpadWrx74{O_Fdn*epJ^m&9%!M=cNocl+Xdm?R=c~)fiaao=SqwT{+6(mY%q^3M#2T67k0#WOl$xyOfuok;cF-1 zuXx+Qj3#Y6ik5+mc!Lb0-Gga$$O%~O+)Yx;;WQ!P*8r?Yj0TAzB8kdS>ER`2f4#ng zTx?`60Vv{b@>l^oVcP2mc{@0blM#hVeiz&nHTs|513H16aDB=!@i=3_ zr=K`WgCLX5fNsD!`M*N^An2bG-U(m?r7(y5TdE1>bk1lAPax63Bsd;1trg$SeNs9U zq@T6zw+LuWO?v(QvtNFGmCfmqnQVCd%4+la{94f#ebFdR|MxC8oZ_2@C~|DP> z+eMgD88LAIe+CekuSguBI``zePKwEL;A$>er46~x!y_$CwUWT`W!U%m8h<+JbUL=b zP~r)xob>-`pduBcs&Lw;rmIMNBr5CXJ|5?s6*vCU0*G6=j&hPx{KV(`2D{f+NK_l? z3QoD5^2r{T`!c+!W2j7?OPZ@jxGfiCy%;0E(piZFqeiR5?&erndp$UqVK^RDLi@e4SF^oAs?~MA3u@f@Iwh4_iLWzs$v*WfpuTOy)d#uQ|3q9 zNaR(&-V7SD%Xw9nbHY%OS5%AxE)3!@5`cxq=4;$7&96vxwZ3@-!IV6;k{XfHp+wKu z5>4PX@6|&7I%j{_s{V&}&2bK2d?6PFWX9_$GkVSHRe`rFC}>Hw<|+0d?kT>SRl}1P z-%;-;+&N!>Z3KHj^6C!sEcZI zooyJnKF{`O7%L!&Ex@!{h#!4^KA+6K0G?oxvzl!{xQFt5KaTsIWnYd4X&!Jpx%47HSWr-)zS1 zh0-pus!{Jhh-uWUoic_*?}$wOcbv{G#R%tH^(k<`H~h5IKH#255uRg}*~-E-?*VGN z&ziJ0DtdV?qUhO)XPNrSUfkO3(Mk!TIL@4wjx)aFN9ede__S-%Z2B&^4-`hyEZ^h6T05O@FR-P$S&a46)YBD>`Sba*&G zY6?8uP!K>)#M>8Dx^3Mmgd+F{2bY~oU(3l^iI2V)#a8m?5Uy}kQxqs)FNc48&#Mwh zQDl}X@qG`bvS17cVRnj*Zr}wH#`?lY$KKXZvc$FmA|M&^ua_KFB~~nFTb53h1Ilrg zD>pP=ITn8UU=UCPF=(Sm0$VJ9M8q+$vP8s) z5iMQNKaePRl7&imUP5a{Md=Us8~#sJa9YDCl8uSnr<}_z5Z4VER$>4b35w-uR0m%k z#EpRy)da7A_72&g;rLlJnNUEa`uK0uogb6FKo=0X@~dez0=;T5EY_50IPPpau8l*~ z>e{#0bt`o(C#kLsp1Kj1KmiasqV9A6O~J$$ONHhG?x5(%`i;bF8FJJPd`Sc=d@A(2ZKA=d?IH+IAy{%u{BEdLU&*@FmyGen969scqwd!cUJ zs3}P`(43jn7WxIZAs)mIIUD<}>%NjCs*ss{Tv45;#Xbe9Z5I-1(EogpxNXUV6;J{2 zE%Utpe__v3tW?tcO%dGxci9<~_-7X?V?W&6wB2&DOK|;)&JL&F{gj3MMv2IVe{ivB z%VEVp(gNXoh!1mQ;UCgxT5clDd|<|)8B$KA2pW^z;y||{GkfJUs0;lqg{8ubKgz2V zX#G^`wNIXW9zY^Acz!Z3ck=Qvtuy)V#Vi>?6|kYCFTP|>Zgu;RU(XaZJiyYzRyd-0>gi|>(|Aw zyN7R;J=zKHF6<{)CHn@P$hZNh?v_oVTp*({E}6=PJn>i4J9B%TNwdChQr2;g=o3x< z>XR;x@t8Hk{E=l-+r--Q?HdgGPjfZ9Re%0=NYU^5Z=kayON|_R4WkqJK+-E%yvu)# zCxL&(uuhUS=J7n3D#0*?p*TPim{)1WPZF~Z8`M9g@u^3e=*+0FWfcKjf(e5Qc z_x;CT%;v(C@P9L#S`7cGmR({tB?;GJp^vJb6h@$`p^hO@%y0&CM5~I)%H}rY-6LSS 
zt1x{jIqncMtvh!1?%#=Yqy{bVFfg)lnEuPnO|6(|-Acv^`~~HIN~n$ehdwmc?6*Et zrIE;fD^LlO4s{uvSVSx6?d^TBH$N~a$g0*=94tGbmzZ*uHeDDXvqJu5>!thCP)+f_ zY66x>i!{yu2UQgOSuXsyt&hFB=0q>``3n2Zec}Br&>RuJ$QK#{YTXAU18*|ZEKW)` zEH06e$nHQ7b83+Vl$ss5RSw&PowM@_glTkz2jd}T#-ODdL+l4s z-ZKG!*?lnAgFPqM3<{s;Rb!g^%p;lxtB*J)$`s!E`BF5b41k@p%+BYVFEBrji)(VY zy(&!oiHYn%R3nm{NtSz}{ry|G&NU>w!?}MF>w_RT0Q`%B^i_{x)0=W3zY}57pw=a8 z;M@T8C{R*bYL(Ic){(q2{78%Q#WnYKXO)piO|tPmNQNt*TsCVhfNre-0%v@tjdpqzRX$U%1d)yYX+c z_l^qv{w{2f%)-6|rCl3Bkq11*-*d$7At}u+fnz zXDwcf^ArPZ`4MnG7)wTsj*XcD9Kbuj5*SDaK3M~%%4_8iHsHs{Fpxm+Bg~`&TBsfS zJ{hB}B@HkfA)^>(N72#STMqdlA;(dAe#0Io3Bi}3ZLN8BgtyIW(W4Dgs*MuoVY8Q` zECQgm+w~_O{#7y|j^tE(c`dFD!8^r|N1|vmZ%b9$vShD(p`BC((%sI%0qFNtM0ru@ zrk&k;>J$goG{yg+?#;t;UfcHXk}>l_A@e+jqNJ309uq=_C1t8KNFo(2V?sodkjN}a zQc@WjL}hGHDKsF3GNtJK99h=7pXYg>?S0?v{p)va+r93!sO!4E-|u-I=W*=&e(c9z zTeb+>Xfl8P@`uN3vGJ+}0G63ykI&BR?fm2OY*b?LWV_q$E_ul(l1n{`bhL9_yxV*K z{*ybJG!1X)xOQ!ScqQnvmD#fn%=y#I&#c?8FOc9jS#hbS@3Fa|DvIU@E^#*g7|kczqO-rbnns};7{&%mW!y!ox!W3(qF-ZO_Av|ttpkVUa%y>>!J6n*RWweAoD=0tb@dk zW-VH5zHwtH%%axvva&K8YwMVsHx)xNEV8XMe60DeWdl{#?ar`>d;Ywgd#qvJ$DLz3 zKaYBTa!A^v6BA=MW%r${s-kNbejwIwSpG5FX*x!eDBe?BEyQ~{#LB_Orsw1HmoDGe zs9(SSjL|HAOPzx0Ia8{C(yPl;+og9#PncMJGZ+2PaHT%CewRL=hLX|%pGkv<40(29 zP-_p9Yt|cixV{^9?b^k0Ve{fvt({{`{l6ZZ)UA)oM9=tp!bRwuG*W%~=!E9tu|N4j zYg9(c7y2;r9AD^kn_lKi^)T??wykbtWTeGaZ~IxsbIg5+)max!+kGxJYSgRF{*mL~ z6~DWbrD)^%h-sjCV-}u|yb%sGZehMLzp(Jt>(}FKZ8ZRZLan}*mfph5lmU5^A`@sA zy--p4;|K75R~?;Jb?VfKym8~ga3vQPmqzXNCpkMi2eV5&bw|!I-@M=cfX}H@-D_`s zG<4thDSiX&x~DWZ^y~eeMO__!YO}emF4gbWj3Qkxes}xA^k7q?bF(}ol6_8FXsY2O zeFvc{o_3-Kk?n)v8$+E&EccqVY6a6!qQFT}w{hd{;1dvF99;KV3F4(W*zPm>6 zq9*Fj_wIe~_a-mS_8f+)5mBZxZ3vw4JA}+sI)P?{A2@ zW|orUoaUWpSuw7KR&N6!KU7`ukzI%5eDB+bTE#IV?b?PAeZNme(xYC?|o?aNOFSK1; z+=8bTYLsx3x;0}{Yv)%ssIA1-NvrHKpT~4|)`bbSwwI42Ry)~M$5d@2pBmL&e}wwc zCAxM6J157qQm=j5W6Uf2d!tz3q9T}lXdqJs6p%S4<4BVXH$TySCmq(8EsJIqxO~Z& ztP?HXYy_0D2O}HrFSp~llw+cFdTwYhB=$p4OB&UeUd`&4r&{17#X@EfHg?5qUNs`A 
zlw(yZC=(Qv+=qx>lm3lGOP9{JYE`#x-CRoG7z-_&sz+h&xGeR2E1}JA-n@C(z~u-B zad}{i4<35aDt+fp3tcf2RD9}^B`4;FRUf9+2kJELqiW5aEWF8U*RBnIquy9cruPwQ zkw!Ntnv}D0kcd-FOqhPCI@tbga|Lj*mmoZUA~WIy$_uQ0cvW6``L}O-yuIV$E}vW; zofl|x{&BtQ-~Co)lxc77*U8|`wqAyE&W{>c(6pyp(U%7?lrow$N3Oi2qo;RRJI84s zVXSteHgqwj4074x>#HWpbgTva1|6K&0l5;e>7$GDb@lZ0LQ>pQ#0-={QUV-+{ypFa=GLV_?AJX2@QyOy|Ky~JW8Cf5E)9gK(2v{*YhER`eNS9>?-N-1DC z-hBNQty+}=iWnyd5e;)sZ*As2JR;TM>vBa)nQ_E1d}dKzL~zzqg&847!rqlueAtF=gKIQNt z3`^1~b%^6P6a1wq8MTQfV-Ths9(`1^i{uM#ty%Ic^j^1glOt!1&eWK8Huo(pzGA(|yK}=IUN)P^@ndPOH+IaJQpgMA zh1$y=xC-7&$saA+L|*c|Q74N}l%V6Tt_nqc@^Batn0~Zb37nG zv2MeLW=tBq77@XGzLPa*;5t|E^5qDS7lDpB*=aP}#)lu$UNyzo_@FXqAzP+t`0f2G zW5P-MAQ>}STYy=H*|+j2dO>C%6MJ&d#U((91ii;d^2M+Tfq5d)#4WWp%#SBB@2jqk&Yw${j$O3q*r41>+84dvR4Uvz*R0d1&7~;)^HR__KY0Qle z_v2aMYMl=3smMHac3e-+IvI-Qo8yV7lQhF*nUh#GV^g-Can0kcMvDxRI>;`h%Zfn}?*~g8LxVF)BxKfn-E; zE%3!9jIh>vQ>-4{BtQSpVB`M2NyIf`)6$UVm+vlFj4fSijK-oew>5(b>rjrZoWJ0< z`GZycNjS}hdQVJw!Di^#t=pKsb9O9QwQAw%$)q@@+@>{azO=}B?-BM{cm5v}OKsk@ z8ETc(XzU87Go=T8jyT4yEyW|F0t1t^4<4LV%-#0yzc=ND( z*NVyu^BSod-aFYw{pX&HoLjRE>sP*?)3DSfZO1*AdCK3r0|6TMIbd6{Aw1jbyKX>a z@0`SnzJ9C1hsNtUjBp7Ym@}_zv)88j`D`zP0kaX1-QIaF@19>rc(Q z+~)q7?ukFNubb3JPV&_btEWZr(Og+8jU<@|XhYkM?Yz>CXnJL^4OU1DuG@Zh$@l1- z8g3iqrgCc1Q`aB{7nwV(EozMV#6+!o%N3qP6t?qC>pS-fbCNu1yQ7bGGzS3Z`!4(F zprC#-+v?LKXl}eYVCwV4f`DN*sI)V_Ja%dtXGPidEu6iVs>2pJ?E>d=GwF-T%Fb>za9I;z%HFoKuGAey_K`I5Fk8gh z*7hX_RWIBfdX}wncXLyc=dj`C-tQyHOR8%Yoy4xWZB$g^F!W&Yx8Kn~YvEKnT?qrP z2aSj@dueU!;1S(}~`T7D)p(m7FON&T$Ue=#BMX z&5^QgPCcU1Q>1y^k25pRsVK~kSlyANoJG?D#{sYLAkBQw)UBOWE0ayWw^1hR@c=z3 zG0DHWrHtfh)!c4tpmN?nzfrGlT`44iq-{o#K^iK_JlZEa_wV0CTU(ou zY?*pOxn8}FUAm0AF!wy_DyAO}T6N>I3Y8kGSbD-vbM)jLqO<-l1P4v%$GU!9mjopC z%Z*2oG7`NuDliD93 zrDlHD{o7gLc#44p0b1;I#mmN>`9yjlZ8wws|>@9IDz>zKuhk58B{e_Q>^ z(=sX;bl7z9V)|>R*TdW6?^oSvao{L<$t0$yMto}@a`*fQDKDuX>;H&4?bqXdVp!=# zry}j~#j~pm+|zw7uC}zyjtCt+x|{8E9wa5_wBf(sZJXCd5R-rYYh3t$ndzFi*=@(L zQC2g-7aEJVGw0%szGd2|$r;Y3xvRawg21l^U(!u0@&5&HF!~m`ZvFbQ7^TLL5fSIs 
zEo5a4XxV^Vr1H?ciKBMRVsajN!&r~jgAl|PlEf{d!*lbanL!KuK+mU>H-ik6OKC?3 zp#tp?C&-pLRGPGJFUAKDzGpu;x{!Fifm5)uvZ9$tW>VARrhKxux=U@hjgoSZAGCLc zEtZL>_X~F1P+7zV5m_rYyDMgv*zvR|zw{yVO!82Y+`%@-Cm+3)lCm2s4!VjOGHA@0 zm5I&U=I8SaBj)*&D7+p9DDsU$;$nKB`?~iaW?S6d>r2b`+$-BYefl)-c(Llt!mj)8 z78@1Hfm=KzZq>6ZJ=d&RLnHre8&BU!njmJqP803D$jTPZICdv3?dyRzP5@Qo_p2K! zHY7tMaUtl*)r-$22+rn59_Z&6y8PImo4ZI7Y6#>VHy6e5U1gdf{t_avhBaX>qw(ex z2Y@u`o;*lfnCvTPmIiGGUz!%Nw=@kyM5&0mGbt#>#s+L@=$Pj@w%6(?%+W<|fb_QG z;K2u(Bs75D3-GE{_l5+`y3m@P{Ayv|5ajnuAB- zc1y{p&~Y#nBekF<>ww(ChfD}}9oxrcbI#4`iwnjiQuy;Bw>x$2{O0L7RY3H=Hg8sZ z!0%EeN-&aCbq+-BkBZNxKejZ))^c;dfUUo^02>8>h_3qSD*z^ZP)S6Qx@6OcRdsA$ z)`Z@Z8Ywk8uOuU6E2OO0KTkVj*i{tZc;SGE^wY@pII`TxD4eoEMt^ep92{cbOKKmK zYgc-@b3KbQ$4q~A)p8v!DCPQ=*f=1~bfL%A4F}mLcF8E+_st8~|_0!jpMh%Rn$Wc;a$$jwU3G<92f|bOEOI zKHh02-R%nBzJJ$P@uY{?Vk%=@Y}~%#Q#5oO`Hlou^O;P=n9wwgiy+IRf1dj)6e7a@zM2Z^ntyu-C^KBFTUA} zw{PbzyZQmgn+fn5z!!P^u2hStW@WY)N7p2DX;kq`NUok-obO8^OhfHGd0y7J!@>)$ zbI9Ue$ALFTf$m`$Ag{RW>Dd-&eA<8q^c&zp5+-xKQm%Ru*^KbG++IyN;?T{{DqEl<>2-xTRlTA-aCtOhkFPJf5AQ@U~J>oS{4bUMpnjt zU!hbuK*iXk1g{rprtwRbbdhI4=~zi0Hyri%LuI}`K6lwx+dMo@VuzGktgfyuWjJ;N zP4?YgGWjuZF_IFCME`56hi$g1VA)`?@e?5GMeYZe+qd?<4Fa=Gz4|^sKbCdN2sDLU zI!9~Pu0416^y!(-Hueh)eN3EhTt8y(9Plj4M9sm$q4tlUoc$my{CvIo^?T27>87Ev zm&$W1c*mU~YCi!1mvWhHhOWDkKEQBvNs5W3OVA11-s)9EiE5mH+yDU=?H#=)wXd4e zuB^HCtezJ=)I7$BjUszyI8RK*mC^6?CwYv5m`JhP6vvJoOZIUa^tr#!q|pmTw&%xD zYHjoLYa106Wj zj?Qf}$pemBdDP9Oc)S4M-W;-z_^?JI6(C0`shn6l@?6dAvIzdU;*B5=6iA8z;Q0V}`D7)1wC0cQ;SI_mDq^5exfEmwT4rbi z7g}WYm@s^)GsZFW@_nRvKA6&2?BziEUjt%nF4q?;tF7(UZDUt_#Q!7n(5l%E4iw9` z0YKLRVuDQOl3n##qZ{*J_JWR_fGE?;$^s|L)Z?W~3;)PW@hEul;wI=Pz!(h9D20Y(dF@z{k z6tM(DtWyUgr!5rZL?1Z$O@K4r>!U(0U$!u}t@!pW_uV^^LS1su!+MT?9J^Bq;gX&; z!3Bq>5t_XwMjW7amw6+0KPw#(tMpAiYLG&p5RV&aHB3tKsMBukv8=LUB%uwjwrWsY zYW2_d0dKQz-*y|@euEb|hddNtGSD*WGffP;#7-KC<;LsRD+U$fiZ7f1!D(qo_TS}u z2ZjYJ69%;Mrx`}ZNK$sswR|MfEyhPCDVSg_Xzl!G+zS}qFy0i!_ zR-G+rh{yRdwWnY5pP>(G?#emzfyesz-0Xg>wXIA7e@?pTkiBf++}-bsirn|@o3Y*W 
z#Exf2drou-x>npZ-{n`bT8cJJ^wj+cmAz&&Fg1RY!>xm-P6SV|vCN8%-Ar(>12mM0 z8au}Xgc?)&JSdv2_3&!8X-?w3640h^tU{rUyn$_rs*6A6&5rW)p`T%ky2O)Pn=(?D6d6Mfj|#XS-KQUx)Y zx{d-^Om1}5kACEvT_G+=9Y_k~Tvt^$$)!N&$X4~e*vU(%j-|hKYYL(D)?iKLx4g41Rv=%ua?WFgiVaE|()S)kz!W%Zobhs^z>s<>i=V z<7VfUVPQ_$jq0Ob$X%nnHPCc#(}GgqPH=qh26oE=en4oH-I^M;VLjP5z*S2+G$@7l zATT2R1H_5Fch4PUZOT#oBo0I!$L|BV(tNfy`dK%uP{|?YpAGFFv^u-TvW2zM0!Rnb zo;mhAn9;LJ+j=#nG+7p^licEB%O5|JXk;UX8b4-C+2a%An}M=guUR7`9AlG6{m}p4;*`W6A$!E$00LV*diU+m)MD&j@YC>j#7w|Niw~Fc0Z%jb&w07h% zU%q^)-e~hei@jGr_rCf=KutLztHw3T+G|-g!D@+L&i$+XW*5A9GoDQ^t%PWf-sMCe zr9wfe6>s}K#cSZ0v!{RfT>kWRN9F>PpGe9Dte{-%2rEob3TEI(gDpFnzKoa=uNUhv zb3&OPTX(l|XvVQ)9i%!XBwuh?9v2_4y1wD$DO0-9eNH?q%GPdS-)C*8P19AY-YSo+YyRDqM|C!TnZ6MN->0c7SaZtrPb@ zZiz;VjE>=lR<}4~qMUgA1nXTo6NuF;(4`wf~ufk23aoUwv<@*5^=?bc#w>teorgvtxXsoL?~})p5FG zwBG62&(%$?O?w^oXxYHU8a@;Jk{1WF9;2^(c3A%48}5(-oyj5Gw5iR+t3OJYspZcv z)D9@Vw}0kYqwOpn-=demZOcjVN!8bfe_49*N#l##el618VJ}M;(#(QB%d%wP>2b|! zmpmCTl_JK|bboKs#2%NA+LRlgIo67o7X_&S*$+_qOl-bnF60#Eph2 z^;Elv0DqeIEySO9r=+*zjf7}(llu#V1j5(zP+p|gzK&!3Ez z5tJb#@&xz2dF*`c9p5h&!vG2%Oz5&L$T8)}l)JcL^^wk}*;_2DV0O9)j`X?i{tXsEk z*6ZrENe;fF?R)aA3#?7iIb}^tPEMA-Mk@EX?;X0iQocSqKS#63(n~5karZ~1x*LFf z&MMD!AbiWwI$M7XI?a(yiocht{Skpd*)v6~xdyIG-3hWPo`VqUoL9pCyEK?TfBuEA z8~gLvkEzkKYKUhZCn#d2Ge&3rkkz(CWBSPnEmk}^{pW_Gv5SMBe+N|BF-_h3NKyWT z6>8p4(rsWJWd_NoqO``;5=acrD{eY=?3l9Mx%tDNLyTG6c>09|K99<++HM|04A@3g zN6g&Hv|hdX1fMwC%7Axb2~v=%T>G|lCu;r1Q>Ug#x}ZWjMRImQ=^}FQX*br{e|euX z7359WHDGGg!{RI!5)u;nle?#E;#9i&W(R4N$Drfhx|Jp{kQa{5d}RO17L9%zeW!zj ztQ9&Q_wa&WtmR7!RCa99f$O>)=2vPTv z*+*KYsJhga`d(#S-6s9hP7>#iT0+aLiR-)yY)4tmp$LGCo4Qj2P9M}eOmjj^YF(hAub#>=0U4%ud^BGb( zkc0D|P4*n!WU#n}*U0g2te)ETcoW&rvV!D^;^|?;MSHSM*+S|YZO(=M=pF9I8cwFF zl&ip*Atts?-8EDqET98t3}$@T&}(hf1n{bGI`b|@v^SalUDNE%`}t?G)KjYHW`h;K z{G}MaS(yCuDF;uVHocj-;r@&)q4(m z;}0udb?WNzwbu%hQNV_ITUM|v3F-c;a-u#JXQs7&u$F>ECb3~r>LM+Au=b#{%B}+6 z;W@yB^yTxt*Yd=*{H}09bJD)X7MrmRUG1cV4Ew>UlNEZ*JZVlmm0e=C0CWiCW#7QiuXgAX*x#q(x1Z1R91*Y|K9%&-}}_ 
zr*Y$tB>yjo&!>{sbN6>xs>RCS7!r1K7Q47}ZTP;LlYq!kmxmw#K#Q04-qUdrdbOA* zRy6V&iQ6}Fda*zzk6i2Mh`72nO$zQ=jXvaiFBEfyb)Q~uL^Vbi7oCot^k_>^R-y7{ z=ZYYdcjgMkL={U1vHqqi6;>Vv#JhLzM3yWPB8mwy#o;tBCD(_suboSUhfTk$4DjS) zk$ap!Iy1{YV6eDt5eBs@b*De{nbb{2384xZ$5yggv&Nh|L6rti^%^oqq?wX*lIWTu zSUeFJ`10*rh@yk`7jh`u%c!qBeSEfqzka@Yb0W9i9Zw*)uQ@L5-EI!Us1JmvKVbd! zo{k1E#PUwygq?WO9I572t5R2iBfPyD(k|*^%l(C!2|3KVD{)*sIUxtr)XdL;BPyZ>;U@yD|%lU6}jgh0W6+ ztz3x-QbN*yGXPm9Fjn6g2G=@$TAKJMhp7bWSF?5`y3qR}c14IE^xzU&HmL0kAiUVy zfox-k)nv&XK|3f;F(0Rleia=QHA|eVLH5tc+#S$ z`rTTgwlfk4Dbh%@lnq;i$8w(8F>AN28=v#hqA4e0BJ6!(foYuBwK5-1mk z@cFq*>1mUkjjEQ?+CgVG-C&{v6kwq{z^+MweIlJowc z%-?3@VjmNd%?U~ABL^k z_FWUIZ5Xjo-M`hp`eL(FV_*DBi~SGgilKV{y#9w0*)`-J%4?ff{jEhm6iNE29DJ!} zGA#^Nziz^MH){Cr4`p?`xIRXQ?FZBR;?0}oAva(><*I(avc^ChuAzPgJOuG;@k|xY z3Mh8j21_m9dW{+ply!h3vP)~3FI~EojE&-h!auY_wG>VM;aSylMvNo*FJRf(gbkn! z!Sx2;j#UVKxGYk=6=RGR_}huziab@cM;xFvnzU<|ENB#poyL$D^b)sfew1y~?q3fO$*rNm#N`mZ0fiFjpOdQk< z3K?FYr2-{CUu-m>x(`!7nO78Rp>;0sUrzI4h(@i$^=rftM1U(I(^q@f@pYhk0?a}N zgw%HP&(g3VoQ@bd((-C-e7uCfhX|hN4?KNH?Ad<3!jms%j#R=sD+S-2^EV4Ve6SYm zQ8fOfDLTgWr0DsPOMWJUPDYwbnLi}Azx{;M=YL~;jr$9Gp443@;vciq`Xqa~$w z9kLC8kD;5t7*JjccmZLl>0G&1I{IO~rl6O@ov0H{aMan44n0p!-bJ18to5DRVrQho z3aw&@^kB{}=@+NlP4O7{fhY_B*>(wJy8LlB!JKh~X*3MY85=GaOGeS?N!9tc_@~8? 
z*@SceuH^_CnO-#WlC%%}di6SQd-O#XlLqi&TfAXhF4()prlhoyaG?TGTiY}&B>R_r z4*NmJ z!@?)PVwrP1gKNy{JL~sVjN&pH4t4+|mlD-2iT>cL>H#)G&CJcA&dfI4ps$^qzA~iP z(4g{zk}zQ~ZpTTfMez^Vtozgh50#S?zp0TeU@N4MAa=~S zFn18N9zo$!`F(`s573EGmz>7p*WWJlxd<{S_hx*t5Tn!K*I3sT^O&DetW<`si-Am0aAW) zyYWB!`NW9c-h&R4TUj-;Kuyx4xy8kKVd`)qx$uq=;jOe2Y#!u-sa!R;}{QAE;b9BZl?MxmHGkgVAQ=VbmEGkF?Q>0?go2pTc9OMPhT( zPijHmlQwPc!v`QMxU7>*43&ijcg&J| zSyGZLm?aL(5P*WR8=W<(=gJj42D2qeR*E6Ek0UQ4b5n{T;-HWVaj9}f=W^lbFEN~C znur1WGo~uk_;++`dgfB1*?13>K`foo{C?E+VslTZJEr7_2IZk31zW^2pOP+FsY?&mx0BMC7cOVrcnG?4MYnv~t z|IXt2_H78ZjNl}WQ^H*@=SRg?zC>%8FbipVA3XDk?Z2zwRxrw?(EJrS&D*tW6oWsT z`H!moJ6jIe1T7|~3T8pJk2S5J_o;_uTM!Kuq+bB}(8`#~&8iEI0rQ9>b4Z5C>y}jH z!o^}-Fk<)`5FVPDwns-BjNR3yBV#)sRBYI=0dB4lxSs$WD?C~ZBWTwj`awFuf4wHe zznGG=mYfleDlB6SFk$ZE{?C>Td<4BJ9Za3vk`(w3vHA%qi-SQuR)%yd%STp%eeSH@ zl5bSMJTph2H|Gonl^Vb)rEw$dxEca6DU1lyrsN(g5cvFlotzff{$6C@Z!N&q+Qh8-HXfW;6l(y&=g5D0LmhL=Y!1R;qEe@ns zH&|8wXwT~!K`+`+hE1BZbAn7${QKpqp?-$encpv4onP|&Uw?bTq(^R_-+x7hG(u6V zy8eFkRQ=EFkNo0cEt-QHh+udg7K&zLb=lA=J`pG8`wU2MxZhS-M>n<}`+ZlXs%++0NT zGLm)k)uXsVMKphg55r9`VxJ-QXXozuovUt3s3QL}Y0@7lf)-Nt*ud+0>5({pp-8+# zI49QTAJ~p}6!Mwl&;HpnO~beUKcr^beIEni{YfP!J$giOj_|u|sm0mvA=mjX!zp6f zAWPU{SgN!~pa)4M+C^ZySa4ZV@Oc-IV*mZB+23Th8v>N)=H_;5*AAw9r}s+H`sJN^ z@TIe@juz(Sjgt8AqxS?Jp9~-vH*Q?6m|q`nSWWDJS`8#D3os1BHW5I%q2o>N2Uph)lXfw%%QGIYUc^dm&ng{`t9| zf`EfhS3H%25z;%rrRpbhgC0b?xPU(>;Fifb)v9LAnwJoN%IKGI<3#_qf?@Z+UsW?M zDi#u&HIO*2yyVE=rkV}Bc#7}w5g&DxXU>k7fZ%+XFtil_m~!7NyQHXSB6Xpw`^_T$ z2#x)!?Du(jf1#N`#Z8)PctN=1U#}B&^Hr>!DIRF1**p0^k_>=N7MFAEYO(_gaHw`z zvD9LyN>CM)hIB;K0ese~nA}Yys)ZzsD+c`j(w#cR_V9MK!%x_9QxeN|^QI(_sFR$= z0-^v0WO?0Za0fd4(Tu@?pbfTKh4`0xo_SZ+1aOpID?)OR6wtggL2+q#3C%+0A#-XG z`DUL)tw)8e`s^pfsj#_{z>ZUtbPYT=|GE}aMquKiA4GB2E^}WoQJL`B2LSRo z2P{{8`qx=zH6Z^F>n|jowSB+xv?xfFlPpTGg;c8DU=g&WcHi6v;-J8ReFva10}CMO zeSjJhkyw*I{un{lC%Qax*8pIKNK79D&5U(dRZ?AQ1Vi2`;NjYA@A{sZIl@Gva3Sey z2kK9<^#`ROj8olu^};Wd4gt6l05b>|l_YZe#rw=ri|a89D>aS1$hN53ayaM2_O{e<1+QGn}H{1N#-rU^WM}H;y 
zP1I$jlo_SC;CR0s%BByXaf%-EGaGj#^j*p&qk?E0TS8ytOB7zIIn60oYt*Rmp|te! z^FK}dx0DtznB(40jsmotGCVnfD&fo7_i-`=*!ts?cH|;7k-#cS1Ld`EkqrUl z1i*HhJ7syB6_mDMy$2Ejv^pT52H)@vTKluSP!`1-U}Df-maGO%jkz!F`bkDeRiUs9 zIjbzdn>RPYEJBA=?KyB@)?2%8)M~AOTA_#oDRR)Ni&%()Hywox5an%Jra;X#=+b4~SL~(#MuW&o@7unDi00 ze6Cv(`#zFJu)~9GZbi5}XN(AC&oqiIC^;Ls+bA!f4~#CFWIWq~SnCWC0_m7mkx2v{ zj3^k8R7ek!$UR7_wF)^LCcr@`V2mJ~ZA8Bg9TZ?9AYKOdY<1iitZG0iH>mp_DWl7evO&MsP7 zsSzoQ`lnY8ppmB$?@JB~;o9{;4h73bclU|GnqP^86WBw+VPW0Ts6Z4n_qm8S{lH}p z6gVphapx87n|c2L&{$aJ^WHU$ih8pVz1%&sGH+sMst-y;0+jqh*IrBVFM=GEA=-boRju)3hU|^XcXH| zO|g(XLGcnfz`WXrEiEkSHfj{ef2a)4r$BpzfEbC+WQt3f(d7{VF=t(xH(rK`EnfVx zZTu=kV$x#)+V6f0YEBdLk>GK4YJ_VZ--^hH8p$;)=$yD{lC!nUJeXw84ubbBF!kOy zZ&bU!U`s-1$5licta-{gMgGz%B@is3^Mk|jOEf;BnwB}W3KtjLNTlrDX>jR%_Vu*2 z8xT3X+U-zolb_h4bBZ0iiIa`WOkinXLc~9*vDNut&pVUKGv0h(IIVXn$VF$)6*tSU}L z`<*?`Aw{=hdR;9gaPeyI1QU~za6e*o%i?^g3}Y;#=l2Kq;D#;9`xt4PudKjfzZlsk zzp$5Hcq1b(&qB?iL$epRDH-S-<}~imBuVqeT+-3i&0I#B_>ANw-gw|=7%K5O5Oo>z z>VbgV_wR2(upr~x4D3@>pz2wtfTkCCl!xCOzJ2&p!8Fb~cyVlxS?5~Nu=<1@urDZq=(Eo_a_z?rwY)nx zocx5$+9RU!9CE|l+*}11AFt7VFtD-j()B2YUqA<|m?3v0`;eY`43J$zLkAHM?j$De zfTLh-#j=Ypg@&53Qcx=)rXIm8rxThs%%;Z@j^FV7MPK5}XiNt>b zV8X&GhKEF~(smAejF+A1)z2c(&{$FzXu|x_iSdM~J&2U11ExxLO!}mlPIAT3pwt0f z1KOM#u0)<3t%h5-CAf*0onPE(U`^I9BC~+!Trc0Rv)^>&UnHe6KnoD5%5!iX<_*su zCuNf7h)y{(+A?{70_Q>99a*P}qI)_0n55y#QPX<4`o*s_TxBgQXoZ4MG3_ zW_KoQp?T%p*zVzRV|fL4Y{rRkO%+u7Ettd^1G|<-+%%*44Upj>3%}c>gVs}j|q%(=eig8FHx4ih>jj~Usa)EfL}k(MuAvhb(#p5P)f&nfg8 zcvP6>Qj%qr_d$(UJU_U}l!OZN`&YTSu3=$cc}t+^);G-)l46~R9}~RQCv%LHoV!4Z z3THAN7=GumI57KF;l-chSq{eZudIKprM;`rFN>QpBg)C~)iXKTdl+Cw<>@vsh3v)R zL?x>H{hn3pct%dBG|Cq&nm8)YN~MqSFhj#feTxt?q<~~e6-n*_e0F#3E*7RQ(O$xs zC?VyqNj+uqvxdeWV!LTvxeR9WC-Eyh zvSf3otG}l?o; zxO?xZNr?Gm*nS1XPVs%iZs;GBY!RL6k7*a5mX{T>kZ;Gu)dotQazw9Q4D%`{@^}@+ z4^!xSqQ7MP7$p3KJ@^sFf>yGs3C@bR{`>yJ0+t$UF0VVPT@=hv!ol#Tq-^3!z*T(w z@F5o~#}_!z-Mn|NDC(IWegvR&O2>$?^fuOZ{iEvyso_npi(R_${SieE{FPvcBqTb_ z??Axc&YRYyULd1xIb`+e>0#8Y6+;S0(rk*K4dPEvWA}+5OZ()Rgpl=Ltss#U`N1B% 
z!LX7MP7?3IZQ@=!rP-}sT{$o9?RSN>Sd?%$2_^!4_kjL-ikZPq-}(#3f!eSS)5|1j zqvV&aAaYrcfjwQm8q0AbuXgryMwB+bw))K<@}vmFFaZxqfN4Qk96TBCTL36@WIv8P z8|a%PF-~eW<9YK$(oc>{gDB?S+IKw zt$YO7lSn0LbzwY|0yKX<99C424NG4z0FHzj;R{bD*YB0{nkyB5N-{`8y6vR9h)Y5N zrf6%|M^eS~pFB+z$l{{Gj)-UPdd$iA`bwH5aDa}<&i0dmvc!}>O-)UAzCoo&=VT|` zA4R8)PUIm?9nvF4%go}~9dX75wJLtY+3jXm-xcX{aC~#p+iLEjo=|(_MoqzP3E%I} zB~b_S+|BMUSi^Z!BcS)J^SNBypc)Z~!lblCx}BVEKo5m<#IRknukNNbKfA?cbK=H5d-klZ)=`AF$bQ}19Hp4ghc;61>NRr* z4UUCHLr$JLC3^NYrvPx+T4X1h(2hcQbl=fxNo?+qEtF&h;YEr3)*OT}vFg z-&gfhNO15?l4TL8w{7beZJ-oeDyH4=R<%-+ruDQS1 zvyYtOygcLgvtiT9Pt{1?eADA!INMXL=hk10edRd>eU*WqHA~W9ZpuOY1|F14*OtE3 zlJS&k;A3I)pNIqGiA!Qf!yWiJ&yv-@yn`$QtKmHdjk*{hqb3Z~KhvN{S^p6lGRLSe zKYujop#TMN`1u^&UA44kxpk`=g0#X3$(7N0;{gjR#*QBSkakMwe7l?qEnF^8xn*B< zChm)t7^7}&nS@I__-3#qVVH2a3b%eygG1*8QwX`>^D*6(o}8WOzGu%K-$cnYo@}mv zKIhU#8HVY+&sf$qA;n9zOJ>2DE|M^nFV$DI7n7clxiq_+v2;=7Uzp zZ#EmCQZq8Br`iA<}aIyHyOsY?I6zGY!QzDoJ2YPrO?juP0#IU5ic!BDhWOgTBU*g%m~ z!|VPP7N*U9sh$)@r z_&`tF`}Pe*PLU9Rt(h!^5f?{nRyI04Z6g)jw98BG`o7K1&IZ?71dkkN5d&`+0%DEX znka89v{rV=Us&k8DY;fFizrp{*Z|5&uaLnI7TQC$- zN*>8hVyz7~PQhuzhBv99y+aD``;$$P{ge^yo~I4?btG;J2nZPMhs4eT2R%q@0@ptZsG*3YszbM@Hs5x2E&B(*8B;2ufJ?VF3zbX&o=>2fP#77nn ze3g@*JI{^14_5rB$4W|O!34Clw9d~B-GO>gx}NA8vN$}JBZTXASp+zSn;-P#d4Z5Xsl8&o-+rmbtC8| zDXgY>BfJEpdSM;MvQ~C(7`wBjm?Mj3kobW`fb=o%r56*G-FUEFmVZjxwd}W**HI4~ ztA30*0oA)C!L$Ug8iibv5S4t2XGNIrDQ;cL%?Z9_@n|O^Uag^gd`Upu{mzk|8L{P& zv90czi+%Jw~ies-SYeF9RsPn`3M&lz~lY)!wzxLjDfkTLa zfCt~l9gX+U+_h@*Gf&z2Azb6x*rmz=59vBUmYOBT*)24Gq=d9CNR{i(ntF zTpCxUBc0vi(drILiAXawj)X-(PhRTt4^i40;s`=_LPoTU0dLZ+SFg7RDma6))5;4^ zHI}bw{qNVc|AKv4-NDzx!#$52ah@@3LY_0}ytIp0&v>BIFa7YIJ;ye#8%A#>V&mxi zPOh~=JDjH9iZ%hdx9*J7-K#z0JBj7>{5~I;+(J{3v@f}<^gYfQCo&M=(q2ZV7iDQ` zN8}hWRAQv0SZ(^YmJyGo2j?+-0l1PNmU282+DRNMK}j3#t+ZsTvSc!P%(ztk;@aAe zok)iz$%2-yTu%nFGqyr`1lbD*F-VQ$(WM8PhC)a-86Gn|P%W(qYpDCPa(qkj=V0rmR zq_ZnrPsHTa@#ZJJDV?1|X^Tpo1n3W-L|8w%L_|)6a#8XcG7q|8$09IhVb?qcEkr#! 
zjh1|V$0^NuY(t0LVkN#9Bo*E5*~$e-f4r!5gtP;{WArPG~1y`D}Mc)WLq-Cn@?!4Opq|Kf+Q zCLZYPPBujLx^|Jf|Mupy5X|O@yIv19&;6f@-9Xj_3l4Mq?D}MqMpAP|}eX_LY+$#(NQy(>EOhHlQ`;*nHWN^E+ zF&RrVf(ZgdiB)G;J~+1VqN|?auf3c2jkeJ>Pj-9*1Klm-Faq%ry`ZZlV`x_9nBRfa!$pV*Apc8pxOM0)yrip z1KV#fXHblRMt}}2t+1G{ldH-4o+pH#=hQeo&A$c_{*kMEde&B_T8GPO#DNBwk_Clj zm&7e90}&MiOCLQ)jc)titZHA0j&5gKi(W>e;gjeAc&C<6YSP$#*zMc5>osni=2xvo zG2F($&YtO_`q|8x`x?cwWjj{C@{WEPRwFq~ zS&KXosGwd9g*mlB%*de+@gmu`XHN{vEqvYQUR0a65kDvRZ6AtF405P)x}Wbw-B>Sf zaq!famj#e&;kLJ~5bPY6pe>S!Fc}jY9m=d6H2^beUz%88W$kxn3C+O$W#OYfB7Hj8N9}O{@ zr`T+5DSp=6sBF8VEF576u3#KTg1*SiOd4f8Mz?q$x=@x#^~>|tv0+Ndcu&3{-PPEX zBwYa9?W(nxTJ=}?qbAjESE^y!+hGSkVko4qe}p5pbtc6W+B>s{ao22KRj*VZxRa*C zqNbCb5tKzEhu2X}>MES>=8)oU`24RQreVwG#xdpS-^|E&Rc;or#gGiN-`;HU`0?Rp zj^uFEaGVN%f*^TeJ|;dHefHE9)Xq0ar6T9s&oRV|CA8Ml^Vp!@p!4wtc^;Yr z-Jk8x8v6AzT-JPCOgImLkD(UMM(IcI66yi5$m3BA)lh0e00+_(M(C)1c8?%{c))2F z-PdX=Dgu;>DvcW?ZVru4%AG5BXvu&~a;MZ`b3#FXMh zY=hb4KjBWIv)7=R5xE7=k&qQk61VkH5L>TOH}Asqj-7T#AReW)p71K(>!=^ZvS&~-h>{Tc zWB$WFYJgWzn`8y_(qJiBY5D}DPU`AY0@Qc+$^Tb(b~oCo&>D4ThfbYFbe3f1@7FN> zU*jeJzRIj||JLG2+M4_qY1zjAVi~3U*FTUO?`7EG*O~J7Mylaoog@GKuFdQI7irnB z|DtBA^|wtj_^7-AA7hk~DW^bfb3xXo z|D-*-=YPogN?YEY9g_i%Lr{GA?w!+&Y$_0xoIW3)TWH}_F(&`i`C^A4Z`)j;5@utT+9viLD02Ntj=y0Wys#6UGfK|wGjv9jlE zGlU{R;uWO(570ZRU8}%450^;KxCsp{c1j*yX1l&!@)&eNhV&%^?3?_bsAb zRj7S(Hb}Ii1jYvl6iBySv*tVk=Q}xS`yX-oq{MN6PGm()njS$W=n)|TZxZ>B%%HLP z_MjuCR^vG+IlL8*0YyZDT)m@{8LuI!QlwvF?p2HNpv*FpZV@Ggz<*?m8g!=#h{&x< zLTD&szQ_wUJv_ykji|8zu5t;tFk=00#CBAkr(v$<;s1WHX;|2)0P^RzUg(3Yi!%&+ba(nt>Y9VKp%g&h7=|b zpaG+E_P8-)YNLpLNg7^L%zwp$W`e#x-a!YrGc`o@4ElE)rFuLETuTGz$cIz;6=?lH zI5yCv2CiUM{Vme_XaCz4Qku~7fvX+J**AnN;KZcQ9s^r9uFhluzz{t9vp7}ksgahD z$%2tOTl5rqEYgg@N`mu0t^yME zWkEq4dhIcsHm5ny0Zqb&ej)P{w%h%3-l(5@x6 zun0?BmUX9rUd;Z%{yX;Qk#Ia2nwSjrG1h7HaAFvvL>hG|-5fBFVp)|Gk!+Ksm8z>C z&{?(y_o+`J4S=+?Xgqf)ezqTeVFvI&y`kTtt11l8+gN9s_M3jZCQC}i4B%Su#)}_j=k!QQJl{=8LjRNNA-?*w@yG*0+ng)Qno7}1)9@Ha&b@1E zid)0`ie;v(0H{^>4YzOILXY_hgGw=r(5`i&jABx(;VJJtE=$Wz!W>HtpVxSlAZ}O+ 
z_UeR#fB=dw*IKRq_;NIbgxU02I4E?`_K=Ypzg`Ie7fF+;w~!mq`@@&X85p7i&yCXd z5sRmev!NJ;@}$A`dX1SwCppo%dEdFs_uZAY7%8f|J+9i)0bcj-H8fIjA^QJ4mX zjrx#bKOLZ*9{N=)uc{CI-I3&ARUqL4V*_D-I&iaKYhR=v(l#Rv^D>WE^t=Lrftty% zKSo`3Kgj+K&L&`j`gQ8l=iSxtQ$R-dIr7fHdV!&I!b6MIN!2hO3_w9B4^l64wmFIW zAIO@dlY(}qx-?qBt6-VGGXZ!*K)8?3oSA_UoPD;O^|FIGchG;k!7+XfyZ-;H}X zZv1!x@J55G%6)RaRKwuw!im&|%3=*E!<&m!Jy@!VsfwePdW#C=F{Edq;cPUV-ITGR%4 zFF-t|Qn6rR*6Wuj=0HMoSZtHov1A zbYaC|j9{y!Dtec_ZvWF7)}^Y{@3u~-PA>zU5`L$Q0AcU{MzVi>@VMdsUlYUT>$t`K zJmS`Mf89J!mxGc`8ZP_%E@K}Wpi7{wGTfNfoV9PyoNBi=n&%}-(g=l4yZy=J4}p#j zeWEYjgRrAxsW(d^ipi9yv@ffBZ5yZ9V_}qDP-Lkx8M#AtD!__#%i%qmZJ!AiR!T3R z-lbR04~pHlRnC_zcbq>=O>c3vqPP=pP672P)N}c;Td}eE8@~)?sR8z$a_>;uas}`* zoobJu+!7Nfxb^E)x@RT~hCmX^EqY~@g?wLdBn`<+C+Oo(O1dR=vZJ;o1 zK`c3gMK`G+UWlX`ml>Z<#vnP2g7~h8jVm$UwcdJa}_$hHd7qZIk+(L}~4Hl*eiXdUkB45ySx#fA)N-LGFiDmaNr zYe6{I!m|id0^g)pRar(15;-}0ic0Rbh1R^vO*!<)5#*!=jSf~x@FLL-Qli&ixNsp1 z@K{JaoW@O2NlSwuik;jyZ|+iJ(F}WQiN-^I9b9Ij+xO3R?4|pg7d|diY=L-Jrk=kU7qnb^vOB1(P4cCIHNt0o{%ZrYoJ~Jmx`$f0AWO|Cnh`ubF3Y+O9uL@(8B5z;+iR ziV+VQJRcTWTFMPpl(UJXwt5Beuv#Giqhys;Mj@ezEhtd_-Q>jMkWS5e&uXx8qh<7@~D!;+CXPGm%z?k`#sCFXe5UHFJYJ z0|TsijAw%a(Uu}XSHJPlp+n^;2h8P2s|UgZ<}sNvUI-!N%^Q(zxSIxtgqSjOff8{S zHU_?r&NQSN5p)=d2xpWG#R6c5AySfoCq!&n#)z=xU?&)gSus1i@h}o`aju~VB8%Dx zY=X<^+IX95!Seh|9WQol($w=-TvAd)H8nNjuz(JY@TrTx){I48C-?DJVt8Vc>iiCiTtYZF-AfMq`oX@!ZLC+i>jeVxSOw#JjA} z`upzQ!SM)&sy$1S=%hpz%LIwrs4FC2Cz!>v3u&ZOD;CWYxT8!zQ6Qa?!PJBCu-Q{_ zVQc2lg*3g+pj~Dp9%OJUk!8ucGVCJ3&!_NLO`>B{IrtSdjQFo1$rJJ#QRx|&Kn_5# zAwFX1C&y^0OJPGPQu1ZQE2~kZum{wC)|+za{3Q+$*p$Q{GY?b|eP7OJ$AjE%3bU3N zVUqI7qJz|6tZ&^Ic&Wk8mDgf}`NOtU$%xQm=%kJT6y7<6+sh9nfGs7XvrfdPLO~Lw zZ)7{%KoEFg-JqV!3D43(4}mArvT;=fg@tv7kqT0Yt3i-=(9-&{>y@=>1qfLuwT2sk zu(e2wk%G(!UObvo?(Y5jHEow3AFQj(PzH-WKmU-{OvJH5ZWXrKpaAfs#Poos34Y6a zbZR{NdB1#7-}Z3f%ZT<8XS_fH)``GCd^E(#5*fFm_|O#cKkY9Z27?w9)^gmpcdtSZ z!xITZ+s}ZZ;-ygm6*!b)1CK9O>Mf>!B@%HB7ShjDw@P$H3l%YtHC{r>-l%x!~QRYk;k|~K&nMyRP z5Vs-9&|sFzTuIV|kdP^)LNZpSN``Mg)$@DTyVm-xcfH&9ZJ$4$%@gkXy07azkMlV8 
zeLwbtA|f9USjx+1cwblgNQ9xUG@aU4Pj9-0y9x9B1H{o3VQ&{PivWnhUdRwJ{w)E~ z8nN~X&adp89APMIQRkqGnF1t4_7w^wVz`FDJCr$tV#NpZq*d5NX;#3PC^%7=_e;APfTAj2QuNJwYH?NF0H{>%xS9f{yeQa9lFs5Jw`B zdLX;7htnX29JFVbJW|U;3WeL{G;r)|ctUt7cK_F2A0SkuS7YPGtAv8Z1af;EoG=?h z1-=GC7hDs;j3G-a=dyA#5QK7X{VM73}Fb`uh6B z{r8VpcrCOR6fu#25S?H>IG|6UP(|4%0NUu<<4=js=$7-2-|P!*`ZXt$OXbxtsV430 zsMUpW+T)P>4se}6_rtKK-{-Ebd(h+vZRmahZb}m@GLm{i$dH5|O3I?~LRceWV1zGR z6U2>@SOpzlnOB)SUV=pq3I#J#s$lZ*6#8jBh}j@PehE(^sMlcCOUOJVvLt5>3QGDz+SjAvXdnC)4`ntQxuAl^Io9d1h2!#y zEw5p56RdU^aZ22(Knidt8Mpxik*Kk;+I%I#0CgO;YsuC>(9)urct= z9RZ%A5G79O#7_c?_Fh2&s9`xNtAb!0Gf4bik`o004$Afx>#~m%3j;e)K^>08e+X@qdtYiNVE>W@iiFeSYKzPM{a~EtFIi_(WmW?GOX2ax zfLjEy1bm{Ga&4yI7Jbo7wM<`Lz?t;XIR`{Ge`s(j~ zvSbOj-qh>E-kRa=s$t{ap>J;q>qqs2m$yxnSyyEzA?iildr#y z+(S{PwR3tI`WYG8ZjZv68&yijK7-k4M>yX~~;XvdnVMrpD%DZv9{qd0rFN^18N1uvsAS}AH z5h;%YNUXzFg%`$r3q^xxqy?$vSzO>PD~ z`&KBZZB1@Va79vy@5L`8(!#=ipOLfgIgHr8sZsKS)NtSyhkve2c!qbP{?@-r`=I|% zNtCm3AvL+pkB51@7)~oJ{pT%*FX!M=xosLl9c4;>iZ}C$wx%x9G?I?U?qOjM{^wFA zSFL|$k;Iwn&by#MGvr502=m??$r~q8$Uk7gIz>XgUuYJhXA46~!rf>~ulyC!y~M>Z z+PH0Azm~epjItq<$P7PWx&U?~xy(g=cB>8ARdPze!4`g)Ku3@T#v__Bz+r4F_5o>3 zB!#DxR4}#-BwD_eCrD`ls|Sn#4V2@+cobqK z>95PmSRk|~F`-HhPi-|W7{QtW-uU{cg^0rvg=3UZ*Hv-KBPrv+(n$;>zBCl1d^b?w z65CO5suvLRhLQDshfJ?$y2o|zGXz`YA;}=#iK_X?7lT{HXt!C2?8{ms{MZ{P!a8%k zi_t7hG9$n(MBy=eWi;AHuocdb1HAO|&MdKk{2!*1%b`MB1K5qgEFAdspX0sX-$3>T zQhX6wV91z2tOx*n#H|FV5k#ak^evHYRd{PL*x^1C3l#vXb(nhz3WzvgAu)Ri2{S4k z!UaG=;eGU!0Sr_0??~=#JHVs1xg361LuP`@-x&==*;U9rNS^ljb-XSyxrG)vd#1f_ga9tY#s~d_Vi1=M zbNKbddqc));#YM2NH{1>~@YUI_Sq0ldIq|d>7>Sfht92GN6NC`H**#4Ea%ArGOXqvb{5?93b(J`psAUdiADFKMvmqWd#*$ z1wsx=)H~9V<(m=IK#4O3VsVg@8mSL43PR6UDpo#ZBrWA1F_@V2#UZs%f^@?Bc1=By z83Ghy(UhXhRKQ1^;RM-$Nc0+agH(MCWb6@XVgSfPy0GDTMCKP!#6SW%2U5iY!eb<) z6Q+wX5u*zr$`>FI17xS>ZkdnU&18^aBA(#Ci|eR{2HRDfif4n;^Om$6-DDMM(Gn$N z)59%3UDEWLN8G58g>O?y?URaS&WRq!i84HELzUbe-ZtW;2DYFn_N8LLsSGXAXFG%0Yhf2vlLKi zq>bdr;5*YLv@TWE8ltH{nTw@2KM=ePad9X5n!v3DbVLI<@*eLj7Jx2JSZU~8`?LBo 
zK^zdo5Bprp;{Ar*Sl?PG5t<+S7a3kbx`*3_WKQ-KHnqbeRS=yNI%$A?Fg&?A_~px& zYmE#@ZcFqrIe6Ri0$tgUds%IBjCNlra!^!hHE;NZeaVewANM1TP>X1EASK z@)<>h+(W2>%RqlZFMjaXup@PmTl^_B{BSXc7yYl4afG2~@O-YMi|P{YL)Q2mZW5M& zEOfj?aZCZ8El2QkX@97I^qmrdN(}x6IcVbqaOH!Yg*IBni6!B!$he639qAiiZljR5 zlO>SOg$rkX&#XgzOMq!uCl@s`q0T20ToFZxzmOE~5*}zJGYLwCJJx1mhV}3vU~88O zSTl2rDG%APN0H7=MUST^Dk!8!c92yVX*c_A5Uwxmt=^*2U42l|;&fKArgf-4?V`$W z-rj)Vdg@ilML=wXn0G453ndMtZatPK5;x0I6rtE!unWpt%fIvXaf@iC*-MW5dp)k)xTt?XK=sCkulJ3&uGG3z4Zrw;u8|3}Bw<=)Dk5Sg5F|g`#O2?CMU^|qRbWJ~`4ekcuv|v0 zNl!~llNym171add04OL9nWm^?Lg^cHLM5l9yqA@xfh%YN#N|-f+5iVBe=J`ecmecM z-#FVI{j`O3{oXB8z&G;u)oYz*aXyji3*sT~;Kyw=dTMGa@XA3SK}yKu!_AXwk7LqT zw=C1_5g3t(_6;g55m7HV=$C(`%OsCc`FRHhrQ8Edl!Bur9pT##z}s^4jBS8t1P$a= zU+t~)sLf3t`5Zbr&}@jjWuxzKl1`);Ia1Sc2Gf&P@3`s$o*NaWPxNDeCO1(#N+>9p zLQ`&JU=Ri*WE7BhMSZ<7pzT@^XV*bGK-9C14g^D#j2eS;!CSymOQk+6#Lc)(Xd-N+ zSLNjf_?&#K`ndvC-6n_kH z5m`Qu{bt95Z>IIVojdNd1Zt97dDeuKB zlyA@t5Q<)Pl!JstP7=aObm8js%*%QnQ$p9S>4zRl<&o9t*l4}FL#<_F^_9|?k+0e* zbBm+Ck1S^9`x$^@Q3`PJAh?yv#$}K})B~hHib!8Hl&Kvqj339Hz_j!-!I}*i{g4jk zL}$kiQzIk#-lL*{zkB-nG7x+Fa8d7olx!|zpnUa#T^z-v4k@eaG|0vyfcptWR74Jr zEW<9a!xL>8@=P6b&;yN|ex7Ww64bgS?l{uHax0 zy1bXeS%^cPM?z9}EUk4#{k_z~~2hdkr9q(IJ=p_^Nd*#+gvCOl{Kw##kNW}N-q8KzxIOujLLKehPk z>OHfzJiB2k!ZZ65ierIf+)0%x&!OwVhiWQJ@=gsfKbtx_ek`M|X1PfEpWpGZ6T_d! 
z4fgrAgl4T;^yeSTN1Bb8{(MV?N#Ym&e(yPVuJhk-)$UyXu;B0a`Q`FsGRNy2W{(B1!vAurcuY++R^Zxu%;Q#Ory8jpNz#Yf%_uU?x zIwk-2TOl)pgUrLqse#OL3W*}d?XN}tUMWWumpC=N?zHovCyu5Q) z`|m{yvf;M<@?|_fUL~bCb49f40H3uA4L|fQbyFnM6Er9_L2hnt5t`@W!x1fbR1Y3L z+&IKU4NH?hj6|*?C$au@ozu}DQM&Ek4ps{EIUmD!At)k~JEr^+C{Pr7Inc+f;2w80 z6kL`u>b2qn9oRcjSdFUFKRcxcp*Ao>9yJQdilnl#1(J}nXaiVF^YrrCg`C0^elhs{ z9jI53MqWCCEQ@)5`7=VHH>4YHM?hZ5M}=)i%akG1%n=Cl01-2hWx66yy9y^Yq{As> zvy$#NLn`dNA#RuG=>;Ea=?hwfd-e0e4*l5OvQA*l4j%{WVn0(v#>%?S0|U1~5$(hO z(324V#W!!ZMzP@~K&pJJ@fIMOa7LotEgrv$qLePm%gvnxNZ%E7>;yiCDO~%jV`SA) zQIN(*1(bK2VU~RrlQ^&o$6jyxnugK`t)Gtvyf$HA8FlaqYMpMpDFU7jouG6OuwQsi zsi|%&CnN;CZRERD-hf|O0ea|<5_(YQ4XX7Wp80 zMW`}cp=*8s5%9%QTEDpemIsfaU!Qm%$q()wW@ zE+!&*Ez%8K%9R)PhPWA#;o&Q3p5ER~&|;;abTM*c_S}l`!;h!Nt;#x)S>O(lagPxq zyt6OgXaXqOz|HM8w13wD>xSu3K0yczzk<_uIy-WUb@{lp zDw`FIoEN2?)7g5G=2;M#5ma8W7EqnZyt|v8C7u~d=yGhT@ zd0yA=MK8?~!p9)K8@^Up<)qkSAz1+J}7ne~ga4#dB0Lo=Xi= zBj>pze zjpeis;xM>IL{q4!!;etqop7ZP2WD0bx+Js!^>ig%{JW?p>Mz-xg|^7VB;8Y0KL6;V z<4&h_0km^&-_h>Y=mnHY1akHo^Drq3IQ`3rX=Xg ztQ2DSA&x=-JVztMbPoBJJUCtu&UmEE4TyOY!c_yPD&J$rNL|SI;0H#9J$L*AYF}e8vOIiz;-^cmgZl{KlYg0APEp^!k-UMSo+~TL@V;AU_Nbq= zgOBgI+si+9E#0tmhmp^E+VfStD`tM42g$V#dnVZ*uX7axn2CN0JdF#&=R*k2QR#Lm zr2uKcc{Xi56%R~nA7ChQS@?}xc=Y?Bo7i|s~v zU*Fo_{qr3Uk5tGG4c9MqbW2Li91N>2I!dw%MNqvYg|2ttRNSDZo5Me21f$ zr49Y#oOc9k4A<`!8R-XoM|F4g(zYYi%FzhKSGe`P9@@ z0~-D@_(^irDs>1VBQV{EpgO>OKL0EvGFtRvGqaZ8BJL**SypDqU__9apFi;akp*74 z5oe?}Gu6d}r0#fyn7RguuZygzqvZzUB>T^b)SW4r3)}#CnmO>zFdUvDz3>=<6w5lg zlN>0><6XfDwoLeZf3ZXXI!*`|bjgKaM1=xia)i~LIPR|CFGx4$jghRP0A4 zM)zfbHfrr4Wd%}|!%}Xub<#JnTOSs5sek5Q>+n4@W^a|dXSA`8twqn#)rLQDMDfnylCH$oEELcnP}4> z=_LAiR$i-KO+)n;U269R5geC1AT@=V@kV&92B=>7gg&UAJ%1i$hE2;mC{OMJn|Osp z8@lSp_=r(Rw2?LSM(C>^67Wv_nV9dRx z>dvY&5RE|Fd*b4S3$?^7KtSL&6bcy-s)nwJ#N=NhwhUP+yA9b($$`lfWR1OWWHmt_ zy?|sFMFnhzYiRN0aOK5Im+H|^gWNJ;`jIN;DM*z;N2H5-C|YE>>Tz={u3czM!qKu0 zxzt*lN9I64ElW-mgFPWeFuj0;M3z$1!ep;MH@_ErJKxfIpZtBFjYF;R^Cu6L7+jCr zUwm^ktDYtxs0>Juq;b1<#{vEkIJTjuE5FI69=PLO&^2w@9b_9}Q}_YO#WaFV*j?Jt 
z-5KDZCwM1_jb!A4$b37FkA#p5xMF*v<@+Rh0%*|MOrYtMPekYnDL$e0w0z*1jKC#I z!!58qQ!Dn57QhUaYf!xiIP-8L$%2qm!tmzv<(+hHyaO21KFG1SuQ7aBc?@c8)9Y#{ zrJBmjVT4xD30Sb_e!z&l4TNlYAPttog$=`7-k{XW2Qf-&3sB7b6>|ei!os|KX?t{-Le~zyHa5DFiYH;hP0?)!g_MrA_8V*#30hx!QQ^ZQzxGzf zLMp1@)@*>*_@V;=Kp(;}5(K=r8ImY%6ykMw;BT>eXmtpA`7qll+c%Ed3M(QChhIc; zA}TuQIyB>Q=5>v;?7C%$d;SKucDdxc*;0}Bk|q=*q&NVCBE@?NzMtu%qoaT80}?X; zFe9#SptDmP z@7+yD$|SN6jc>^kTf#Z-N;G=nun!!d3Se(A% zwU92R2Wcoa<@iGghlAVr@qRISB%q<7qe*cLqon{|?Xb+YKZ|a@w?K7h5BE;iU_T&` zrr=`I@%AEuU{TOnfJQwdT-;mi^`ig+q@1JLUxVbr!K_-HxW$&Zpn!ISxJ>u}qzlg( zpV*cgpjONREe>n|=%_K25`@VM?4|GCnx$~RS@ z{?z+dKYiz&UNC6})}EV>FC96m)9XbMG^}j`A0cKUx#@MQ`93;o0(HnJq;*O=%UHgB z16Z2@)Cb|`Dqx;tHHRp*_s|d%KovVmqO8Wj+vvu&xyZJ(0j_?0#}5__C)>2hI^MYI zng!8g7orP;m!%ejiH-$|RP<(v&awg(CwkAgMXYixOp$*Rm;|;-TvgQu-D!U_+OEYB zB_%VQU_gMByz(r~KCilUepJ-hgOzei-HU&RL|iUeu!P=i(wUeO?Qx|4_3mPag0`@+ z=U&YG2A>~S1F4j}Fq`)ZEm00<6#6PRxA985&+mO#7jX*DJ@dugD zliciYa!^ay=M2lVeh-mLO6|4`IH#VeE%7IJ7F;?@40N|`Mf=4Aie3us%J| ziNo-BWL%uy;y>3${SS4_65CGcp6agiPJDo904k#fj zJSZyKkFcjhqZy)MA4=LgUJShE`k>{%#o!?TWDjR^?A}L6>m&@W2ZD$j5W|tQrqZRVEmlHC#sF+8VGj8?g{~mw z|1Xex=U?A@c7ET2lOvvBwm>eCPK6x@Xbp;bJy^WWV{eTg`h35M9x8M-Nf4WOSAITm zq>BDP_egXhL^(7jJFrk@u@)Q%1RW=`B%-H9@wXFTUn5d3niMsuNg(Z^`YY$<`lbx^ zyxxzk;5)HtRZ*!(KYX|QKBbT5jCBdTQH$QYzkG?{KA=gah-z<9dlr*H81|@&c7gwf zJG0QWYEls??|M2J0F_-m6hRFjb;%yaW+;>KEDMb>~Djgd;`W7!h67gJ~#EIyb>Xc|2Bje^@TlmsU(VLL^7QCOMU*cVfyf%cj^885pT@AYvQ^;8o#XnCboXJvls)*Y31O3PI=~ zXT75vC2y&%EZf`q`aw?o7AcyXiL3C`kDDh8?j_WHAEUSH)P2)N8$cw){MS*LS2*Q5 zUibwJ7>odc+_0(0Api>)8cEThy^GGei}aG*5vaKd2ZNh6N={tdUxHH-$i7VQm>%?@ zC}bi~GmZgc%LIn?F30f_0W}HpO!nUk`&vMbnULn>yR{hYl03|Le+7yIs5Iyzo4-Hj z0?gS6Nm(RLXjG08NK8=U<)Es;r@)zv;V@dE{N&Z%E1odMNlZBRF^mra?zsjsk1*8N z^@qGFfhvxn`H65{oV)#}yIgm5%s z0cj&0olBNsP`2GZ3)g~IbxsGrd$tvBT5_m)o`W%{=yzOCyL%oVipGVk5t)LBpFx)Z=g;RrSZdEnDA`KQZi8BO6J$`X;PS`BiNq66(A(DW{SGNQ_hQW3wHj56Ol*KS{%|I$*vCE0^X9q!k5muVe ziJAnMg=T~(MV27&+_UG->AadOtw0HkWUyrK?pG@6d;T*m!J%~ULty80_5OqCT{nSy 
zo%h%za0%rh4EE7nJ)23q%ihaEYLq}yqqsahHy+*I6_;H7t%IkU?r>N2a*MU-aiKNfYXS&9ZLq__AiD20?k_09!>31p%k zwF*=mgDyY5e-D3QAC4hM@T=|a?G?{#KvM723y=ef7i2VNN6{To-rBmUwNZr%JiiKU z@nt_w6-8aW+IRnJSLB1&ukEwL%u&YQd&*b7M$a+9$j`uK{7Lnx+)|NP>)bN~cizi2 z^h;Fc1ca-p7y;tRK*P)?!DS&@r2Ya0`UWT3DC$Z{5fKfnD6iuW#Gv*NA?HBLL_d}= z@R(7Ed^f(s2{F{XY8(n2wt4d^hT}kB_u(cq9T>u3 z1nD3Ks0g*+Kcuc3Ew$%f;BT}B+AszL_bA{I>I0m@zeX_BGjg)uzVxn z#y?fcWDP;X(P_aBv+*P*H9@bbm+WLCt&R{M`TaU%nS@c2cJy8xU=rw^gwxngLWW}% z9p0_LPWi}?_z>88q4Aa2ZpAWlzhY^*M=I)#3lDn+FAH8Ru5uLxisOIHh&&eA2lp`) zt*0UJ+mBthg8)_Jc0lN)Z}eHP217axpmWHFj2#aAn%E78xS#m_7+Q;~f-xjAcvEtG zA#vz5U&;O$Uh=oy)tHT^}{; zsj#d1)zSG##xh!6m(O9c_%JbO_U<>d#tuZi|zk+y_Z>^lTi)7{c&e$XDnYcu;BZn_@}zOmIi zb~5AD?jM6zyw^l4K6S23{V*=V^YbngG?y=xA%j%ec6(PQ&`FV^c&-NwANJTowsoG5 zX`A~4&6hj)81!ij`t7Cx1%aIV4l`buEAlvq{Ea;UKUK=G zO2OMd-%-^6Rl$M^ZO9mqp*G4R6w`5WKJyu;7tR(+jY`y$j+4myOYMXfQQv|#d3Kc_ z=se!aBKYkeDbuvHx%;21p{R16|2FaR_ey6~T)*OsTMS}n_|{wrlm6%B|0<;-%;vS& z2&{^2cUWts|9W4Egny5~;y+@l!1JfTR;fC|HwfDq}}#f1ZRk$Jk-C0zi$d1rHxcmH|KOL=Is**JcZT^++QE-cEpweh(CmC2N*8$pHNg>NKoSxXI;bZe-aSG52zaD-6A*WG zI*^zN}N+t5T13<>3z2p1*DN$S2Mef+``x^fPenq3PbD>j62e+=J% zzBD8st~ly}RvNgtqyhU_b4#}0$_inT2x8{WnbVeYm*kBwzkmgG>UxY{w7&0Si2pT0 zh+1BTPD?GgKQ=<&E>L)FZZ|N@3}n2Pk9@MBpG^X8F9{2Pt&GFh(d_UAA?p6u6U6%g zqTBE@jB2Vzhztnt8gtpWh4`p%6w!9AJRHKC^Yb6E)cY$UAH&hKn1s8Hxod_|1T>XQbNmEo-3hX_FwSV&$|5L#u-)udTDILuIokj+RQF&^sCs%r8b@VO%b zzmY@tqk@eV!L&x@&_w(#t}+>fdK$F(p`EA|ZX;WDMM*IWWBHHd??H10dESpFhjn3H zqDxOAg%@xxV>D~7hc>!Xsd6P@0v`m7C`a@ zdP$cjmQ2qadjc9B0HPSJ4oEkVuMw1&73^!t4$CDREq&gQQ;KcUi~Kn8 zl`f)d;IACTE^6W9U?Ihev&9;DTO=uw`{9q)gsk@n=2Mj&LhA7rgSc-Y_I4DM;GE6C zZS1Q{z67)c3Ef&S2wCRYkUb;a1N2IsKS93%^Kvi!Sr$77FdESeV50FIoP~sWgS_=F zF|@T~cwpeORNg5Vbkhweefl8uB^bgie31!Ri3BW9%D$slCp4D}+F=v8X81$NjUMoK zk9=p9&v;fkbXbqwKq_{?yu=35l<*d}UC60$Vwj-AmyG&@9xDtxH3M{(3;eT)Fb-(~ z@*nAVr9<1mMTCjq$?kxc3>}Z>7Kp42$aT@6y@H9A`tilaX7--L*1`q%oL|M~9uS8l zqIhvrbUwymUg#cArb5ur7E|xpc8;A2+tmDwuiPU-G3k=jT((VuR^C<7-EE~+>$**^ 
zzUsT`TdQ`=XGL%G#tJ9VeLf=XZQfszXOT@MLW5h*#Z~Xo+d|-Hzy_{OciIp9epeDu z0?S`gu|kklB|nE;CPqHf$SyQRiM|{M zep`AH3^&q{5y8$3?PMbaxGaYp9-w)Y$P^lwh@b&cEbP~b!7ftu@P%l#xG6F(riSW@ zA0-g0Xu|lMoBnb1I9N}jTt{t{hg`<(D+6%EOp$%4Dgf**u3!#iIde)r?DEq2(c$^K z8ZRaA?N(V1Pyc`cO{aC-Vm+33#r*q^EIz;e9XOW^ToOTf2?>T~_BBY%NrsDbtt4}s zKE&~agd$-9q|`2;2MsV*%d#!8LF9Z3tvZp7qdJ5@9TYWiUu>qaI?%twmAk@D1_p5_ zpxSPL?{x?N z+b9ajjN`wCiM9kfkDNiS0Ar}vfakw0^7cSv(1G;+L3cJ4XjRnOWDI~Gxp*c-N2K1q zHH9p`9${!mOsS)9Gn7FezKJg_-(K~xmZ;SfANnZ|z1yvlbLRF+k5?adg`q0O=V7X!bdj|LWCgPS0no`KA0PR3mXXh>OArR}Xu?m2TBLNTymINnC z!hR#tHOyc4NQg#|1XO>Hckb8#eTS(e>2E-hAOUv2=uFP$T>-=t$0JSPa`9I<=j}6z|4S091rv}j@8NW-4MIBw;dK6{L zB|AOqaEI3JzHfkHq6rMfdUSg-b5PSP-oO1U@7aC+Apm5}7iKW-L`4cKu;XRWr$0IU z3|vm449i<%tq1qq21Eb%T$Z>=S{P|E!ZEpV-1#vSe27x3k=GM`1#XkN(LM00(7~Bs z2V>9ZtSxvl;3)u-;%pJfTmwtUG?>p2peWP_s>7q07(tG1@cg*rN1wx-F%4d4t@f@=Q$plp zsog3D;sW4kX~mqt^Fhd!9{-=(YgUPhi_f;Vz&!|V%xgf-k~ug~nb+gU&xiZ(EC~iy zBKFSi2RFfZxB}9pCy}fP*G*5tO@jIIHY7AeFowE~Fj=IL#OO2IRWQf4Xw;5G9LLp} zf^qRjBqGXF^b?U~ICt*c3Jm8!lV~)K{(MZxW1fFsA3zA9k8qYQzihpGH^wC;0n#S@ zC4J4=xA2Q&I4v_lL3y|TfJ`zq0OMUlAGBggHl!J<1LFdgC%1F~8bU~i36StE(3nbD zzj5y*%PCuf&0+Y!aPxmpoAq=P&7Pdr=&B1oUBo2_lC-xFM&x6Y5gbna+=4^g zkzc#u8+(L11%_XD0LJcbyMG7(d?Gn~NMVWt`ijWZ?~a*9=px5Zsf)?V8qQ4rC>aBm zfe7=M-r#Bqah}6^{(Q_UMQxe^?;&VoA|Z`=rpEAtq!i=@iQW=RZa=Dfu)*QLeG1y% z|2|;G9}kbn)Cu(k{~j@P?qFdS!*J*wX0MRVMih|f$i506jnk}@cdw1DJ}`~jNF(~u z+}wm^{ubxs*w+qQl5uCx0Kw^dlFYMu;2$l(NhWgDuvyhsqEv*=VMVsmn8MN>D(LW` zwR(Rw>5i&g@z`lMcU9$=@w=Xrqa*e>lVksSTjss5H+9GGj_!I{qr22W#RwC)Op!yB zEeS$u)HZfl5)~eMA1*{fA;Q6NSs>9C90VjJZQm!1aI6zyglqmQ zG;`F~*UNTbBo7btUr_Foe}%LN(wetu&*W31?w8g0AmX{M=ZDsmFu;TFi>)9Z@E+(u zmW-0!`{<#4)RSV+wv#j)DWz+Pd{X^fYd!cj>^!hiw~v8FueZ{5ko;->I%2ABUd!t3 zuiSSyUuU4d&C`| zbi5xXmC8R8nScD2mG|d9(cJEHx7QR9wh_Df3!2nL|Fr0I2@{IT`agFFwO3czjX&Ys zw^s$V@Xi~v_38%(((nhZ;bX&dqj|ggYYw{b(B{rog-@7BAm_-9+a$KP?XVnAmQYdY z!GQRwgpAR{EVO^Ih-|^_CuqF!mFJkYRf$msFCH=ll`icPzeC? 
zhX>+L$DvX7I38{M1`H_Y<4n-?w7Tw+5_jpxnMz{!Tz) zW@i@&>0DYPhEJb1FyAO|itM}=!Xa)Rp6|~&_gSEvm4#k2q#J1q@a*&WQ{*Y+H@bRy zIsu}?_AE2Q#<4qK3`N6UWRfu;NBVM42L(-Az^9H_m%}XS!p)n)(5kJ&b!6tj*u<4% zb=-yb>mQyI>m3%3y?ywrGiy%74elTzj~@%W9%_ks^)beuYZtoo`04n~fGns}g#h1= zwUw4KAexFvNonA){Wj1dpMM72?gDsRV!p&#WC5Oq``z6`QQ+-Cv4oxj(*v8t#8}Z_ zN*q26&CP>Q7JY35S1x2a1Zah9&osCFh~POi#c^UWV0F3fP{30?ok# z8<1?2M)-xjz!GE><({VQZ!}4t)F;N5SSc71^~^zjQSE+Y&rHU~#_$K_z;YrV9V36| zAcV421_h;!+dYl_!oI3cX|5qVw0aLnw;%D*K%2nUs?khjLHG><=`0t#vCP z87ED~bOC%Ck&t{J?KOto;~d0aO)swk%PAbYRA6$lq*R^97eXYFsidp`|BcFxqwT1`hjaVj!A&>O6Twfl?c<)Nzdws&n=_9N4k3(YfrW4q=&$vR+ z76{i&$oOP1rv_8YwwakN5f0bRdY@>#$0X8CQC7AT%&H6=4D-9AqoYxyFaU2ki_-E- ze}5-Rzo)R(FsXOvG^~ax`!m2qhu|IEV6qX>Y1^SgvLIm>qB)KVOivdN4hg|TOXGdY z6dCu9isw1*uhO>Apfp}$A@~9FivVVQLiR|!_rXL+tX(C1^PPJ6Y9YVV@9!lXzQNs_ zww7yhCdi30_`;tS#p8XI^<)Cyve4-$$nNgJL2Z2dN7o3D)*KL;d7;lb- zv+%1|Er%4#LYAF}LB{UK$1M){!qpr}i^-PUnwpw2q*a&*^@MBdCfXJ3ParE};Ns#U&OISJG)AuymYg%6D>X|HDx!G%}lUlyv{RXUSuiazswME2JRXX%(4%{JYkr6gL!~3I% zC+3%E{F?(iQL-kG`aC5pW`7O*G)Nw_d4qz2CcYta4fhZ1M@56N6EEOqAQYv8_`w0v zmI*48j~9e8_CRX;5(wlys1nM%J(V_Xde+jy=j7x>1_i*@5zC7S&j=pkPnw#RK&~2A z*&P)<(*V#d45J7i1&%DLMXy*aG9EPUD&C>95v1F@Gw8%x-`z1W<1Gh!+OSS%2J z44p`}GYo?RhR4UXa2HH#Hmj%zakAnu+|DimK@InFdlU#TsCkNmoD6v;laJP%1_8K2 zRbbl!P(>52HZnk0 z6jcx)ubW6@1Bt_kU221Sn;Lw17qGKu14Nt+kY0=OAd|0f5|Y4JY}nIYcgrRip~^>@IZtygZ}0heyj(D`la?~W9j<)_PZbWG zhI@yc04QSO{nBONFNeqRMjtOqnDkKMK*k7@Kl-j;Xo?%<$^l2cUFLZXr1xQK1P zyAyx-1Fnk`cLLQ6rd2go7jQZ~-#W07Q8eUOl$HKUg>#{|IWImhQmNITVC5f($f7vs z?`tZEabIMseBp*G*KK}tt4&;P+NAED{F{4+8&o;@{iwq6dwVVzY}_vN=l2)wTjIg5 zZE~q%uZNmJ+}+|0$DcbYO8ouVqK2gi4;e4G(-(0L3eGusl#4oL_AXj(!(7qyMQ$el z7?x$o>M3zGcwU@bFZ6livQz&!l(}x+nZETuri56Qo{|6Obr&t#Hy203zrK=q@CyI> zVfe0ZDJM1VrXf>un{(5ZUg5xbsb%h>sU>3EY^-MmI@L5rZLw%pa*=KKAlBU2%z0njKk=FdPxA)oRJL)hU4tl6}Uiirsc8wXnhYugZ zoo5rYc^7bSQ54AYT8v$h>xYDP3BK87RRH^WWWC#O-7!jkj*N_f!WmHpmt8xgLgzVF zkZBtlE-o&~W!p6JoA3){ux&7!VM4ZQj53q32I1@5=n4lp9Aaq+=!XP4HyRil%Qw_f 
za+%~_8#XMVfbpvXWnzNy8v2a4si~1^s8#1gh3n*I&y|jcr`}(pSl8=t58YZR=k35% zTapkG!Va0tC3HjF00btpVS`ze=JxHKfDT+QS5@huA95}vT>Py>MwJGXnnPDtmwE#7 z8yK3c5G+kGS^>`eF9C&r`1HxBH=B6>hkK!~a4`_x^UxmlErRA>A^?3O_t0zzBVc>r z7Qp>iLO?&~h5;+0A*T6q3x~5J3OoU9nCDvp>Axy)BtsLEBtx&6Y5%s80Nb&)=H{h<;7Sqgzjak`g-j3?`>~w_RBk|~U zwj@^}88sdxO!wEBj7dn&WTLs5OoESrr8sJcmY>)G_YmI5F#@pc8PEU*3L*AvXy`(O zGM4Szx5K^e6N>J&ho_L$+d%??gqw-N)X7ysLKFmR@JBlLCxtg%l>of=BH%iE9I0-{ zg@xDJ&*rCZ70%r3U*B-JqCN3O)y`9DLZ@y|6&dJ+2pt|`!)9>Mm(DHyVvCEnx_`8v zS7h-#C<7#KLp5iKvn5rhez&=~xgDT(bJ+PqBSKL)6R>RzGOr{ia$vrp>x%h{O!Yz9 zSlZvf*^IWPwSf8;--%0~rjJY-}$UrGta)DWW+(+B2kf1|}wRFrNqWC{_W(&o723 z3@0_p#s%13SYf+FugwJa2nYxWakJep5c6RS3d%b}PTavA{j%(GOu7w+f5kI}Z4Q`2 zh2<@s^B`|D<>ae`k-#sRf!mO;&#Z?zA)JcIDmTr*OxE2P8j0i3Hh%!xw=d8lAOnSA zehAv?$P@w0YO!bHYPg5hlXfEZ4Xo2(w8=?UDB6hMAWI?H1&pN){cnhHvt^^z9v|l> zz*L^-nF`GM#R7XtEdOB6t+)}#YTof*o*3Ip?htXAT_~Uw2%?se!Uy`$*LM+T_VuKs zIpDt3pk0v#uZ#J4TgAAAq36n98>@E?>{86NYn?d9V_+l>aEn+|X^Si#9c*1PF)=|B zO%y|9{aHReBVW5r!=;fLR^0nGdft%`lK{!13v4D2d}NJR{CfT8xQ(K~R4VD%CP^1b zrL*?i+n)koO(xj6Ru;OooPrnDTtJiC@C>02StKYJiX<)P{= z2w2%(ym;{iz6{ui3=}dd862FTXe8FM=xnbc`Mu9-1ER5J;f-wAU33{H zwt|>Db|38t?}l*|aDQI`B$JFXl0n-FJaD6wSFB&up!P(9`x6K>jXir-5<>|~cUM=o zSUqNSb@ioue5K{(tVo?OTZ-_blK7~pwPe0AGHsc|pY;?K7a6XFsT4(F_^1|*cER-* z)|hF96UEBPss`=@?d8GXA*kdZzkW(0??igeL}6T45V)UDz(__&-W8~A=S5+1C^YbH>4e}m} zf|=n`rGrBF9*;5*qH;3wLMM4KXwj#LNT^a@Xsr?U+fh|rosG4PX^E^*YCa)FE8xj%t;iCuB-&4TN znaI$}Duy{48VZ4{fIOkDgV#zd2A!l4XWe5Iu1d=O6dqMUP9O6b+}A+3AcB=I#VxOsBe)FpaH#Y8y(7}O zdhZV~A9>%xQhLl$pHGPMqR>EbScvwFGV&KvW}|;Awi}3wCU&z)4UPb|lWL^O*#CAj z*d<5?4xu3oi)J~TEMhizB)rpCxsc`r(@;iK5_s0gA_Duq14s~-m*+x+*^V-cU>EQq zfAZ!HCtCBUK%L4Noz)S0P?CPBOP-JHr{x>s|4Cdjz9-h&@JZkVwV{b=t2sKz4C`{PN zpU3NEf4mTsr}qX=U-a6^v`AR^fuVJ6x@O|aR@)U}@Fh0dLV96y;HTDO$ac=ye==k} z<5&~9YT~H0j$pz^+Ukh_Qbog6*K~=DDHb9d%$OT$lrE%sh3O;%ht=G=l>wc?nbtcs zG(30_bpUIuf-$CC?CrMUEj{kLili4`cmpFgGIB;hMNPv*UFp2M;emh%zX>&)ojH6I zcXlB~4UdWi!Vfcd(S;z_u=2)6uh|cqoh^&Q)wO2X+o$t}rzKZ%MsE2X 
z()^b9)TmOB)#X!!Wu*gMM&h{aYoh{e-IAQm?C-M`zCq zk9zt!K{a&_v5b40lW(yc+`DF3G;83t8+NNmGKa5ye6v-FxV<~6O7aKi3EJA`3g1$1d~(s5O%v)4gN(^)-&~hf(zbpd+5W$lC67$RZr;sV`8Q1uN^9gYkKvPS zS@0h@{%8j7;_Um*{^$Q(oBUVR!M|Sie=chN|Np~Bwey_UtZ@!{@#%`C*>U-6up(5Le& z7A=~}eA_tvBk@aN$6KX=qtA=pJsS5-&$>P3w)tJbzWH}mH#bDjeCuRDN%v^ei8$Am zdgt^oZ4v&~pWmKw92_m*(=gKfQv@e6QZhsHmL+n&jI47p))V0yt2-LX>k$d`kx za~NY{V^@lOQT$vT8*=81k7+#bowbL0hrgyd?+y8MQ@Fts$LI0<11t}Jd^w4Hf;0%@ zFpk;e%qwmED6Jqdw};Vgzw`Of!PeP&=6Yu8`RC6a@?1Wj>gq~e*YE|Dgl5NyDMJJE zK-UronT@z;=`!8d0o@`)EO+50({ zaXr(Am$*bz%uI+nlsrNam85c&lzs^eH=}KX>n#u0j_g&cS2r$?-WARI?MK;3b(XNW z$fRA)U1^0fZa)u-@vsS~9HiFl6u4XWU14bfWAxzptzw*NZZ4q%i(Q<5eZTvq=YiHi8}l@>Z008>8vY!Z zC(I#jw6|0i7;mgkKC7sNpVK2tx$r`CcJ&D&Z4qL{x;Iv=$$H&8qhdh>F zsxk;@7$5jub1J@ReVa`kZ_cUPY^}8gHAj>d#B%uV5sYM07GZV@`Z2?wUDlW}&O&)H zeSUK2Z5eC(@Rp?WaelReBcUrL2ZTTA2i&mytTfEER4MQI)DHEAamVKC?7LOl7?yKM zayut)YieU|x$N<=c7w4&+}METv8#>hWi`*jJqI}jhZ2%3ZSMZoF!v2EEmkO&^!JY` z6bzhTa#AmQ%WUtzmpe&g)%55R?P7nEtORXW)+-!dPx3T5xSdtbHosxaIVGiWV#6{% z4(YUp1I1F*zS5HPsk;G9gRN3+*6s6^4Y#g)cR!J%?})(3O_D_n)aZe$HwXJNlkaMt zq!@3ohE?ix_D3$oXV=PiZ&fJOR_Zz5RoT(_)3;tWi=`*K-)`XTLL@o3;pwGii;f=r zuItY{%jkGkAMnaGrNT;9(NVk9>Aq)|aZX6&CPy`Wibhpyo zs30AZ(l}ytZty<7@x%8Yc=zLWUAuN&yFd5++~=I78-2E(BX&7b+>2j+7!slN{#U3aVVF|% z^7h7qHb`iH1X-5Q4^XLwHH+o$th|zST{}E(w?%{ouSs~Gc>O+qBs@vAiOShJDM(DE zE3(TDPj=!y4~Z`@X*EdDu@NH-VcT~%Di12&%A@%O50Q7aL^>@*gI5>=4T58IM8sw1d zVsWQLY2Y_#XshNd+`r;(% zl*Kn+5|EDuACiVeTIRQ>h+y~jl%e1rytQA*))Y+b?X7atrW1qu8lSEan}i&DxX%aP zj+p4pHs|x$57CI2j&BLPInOH=_=Wh@EG>m5VbhUOWE&-R5udix2L^>J0rk!*@5wmZ zdeTLN*6o&F-0letwk~!%Izhdabe*z0?2Y%OVT%&BXjOB!M)Wcaggjr`jc@$2LfxD# zt_`Zf)sbvtAKB%%O(=Kf8D~C^S>+=(-?o04=)QzA)u6ez`sWF^&5S`~sXJG_@V=(L zKMf5QYkgrkcO6J4)+O?xx3rPaspby>b4v?T$cuw=kCs0l*o)ilyTx>_pdC4O5dLBc zB6rA1HtM?k2FwXU0;#nd$YpuG^+JX%)pjjR{i+)lA5EX8hgFuXBp%mG;JU2-L98nf zaopPCMD3B*TvUg%LR)JH)3R`jGn@^pXu;%e%|&k=mj^a+OQRDmUW?o2V0j`-=; zIj&{?cE^rGhTf4}EaXB>EthwFN|*X@s{kjo7aepX3!%Wi>szrM+(25ziIe;+?@#Zx 
zhKQ&Bu|-$Vx!)>}oYH9Ce8^V7E87Wo=sUdHwrHDqLgkcnGcIg}cWPCC0$GH^)>SlJ zOcv%^q}oOb@etZ@F3#qxgmTVnMa{Pf!QI#)xa5=K z@7~dTmi5-oxk7Tmis^+m)|OUd7N0tlDX8>k+2RAFibGzW4QEf{4mG60)ObDky4=-7 z_nZ69o4;da`@;6;ht`UT&5Q23>{m)>!DfYVnFhXGW-kK>yHJ>hAPPYU|`)r>vZwzJhM3Ld1 zEl$@7$}1FktM{)y!5 zOx&jP?~eDxm%A!})Ul)Bx;m*DHO()W>e14Ki$UJUM&Hg%WmmZi$Kn~{-0s6! zz2p>vS%oo|wSeaQU+LqWH`T!u&^MRSbzk1MhS249H&0$ql`ndABNxI!dE?;V<gBTHUms(omk^FLQf;5nDBiXNVzoPRoc%FUA%$SU;;puR_4yhps&`+@7gp* zwp&P3?Vr8O>)YPlMHCkDIUt%ziHSqg)7R@B$7sczIS#o8)&|Qr6H)NLp6%h`NlZ;P z^e0D_TSvuR>!#oe2q1^IZr$CPy2u}GdV`oQ2*sPb;j;&CA2bCpGufsl z9x#k|SD!Vo-T=Y?Z`REaNGE|9~)7{7XlBEy?I^VJgo#EW#U3 zUAZMmAG1+sg*^iRz~LG^gNl{<>s)nlPpv?6oGw zA55unlJN@dWU~--j)VT4?X5SyY)^f@;M`g=l3;AWv%`PYe=ushB*h4xTs@2fio)#} zTx53R7?D;spO(p;zfbn_gzHC!Ckj+;_(l@{k3d5F%Ui{22PG%7BD8S&JU-4lPo=?7 zWCue)uk7$M_KcAErWJv*3|D(iR{rul%JR~%@8P1v-UgB~%c|+5@>_MdsgOp+mlluJ zR4#`}Hc-g_RJ#6gj55^&{+Bmd)x2KdW!uwwV7j$T&CI&cFasSq(vZ+E^G!>DEdkbM z{Et7&MYU%(ZLUmIjM_`pRVo2EG|geZstUjf4k>Qa_3XzxTlPm5Yr4OyuD;fQ>@Cf_ zJ}L&5e`$V<%*@MMJNHMb9RveUcchKnPl1}lZUUuCO@B;q1DMb?x4ofYH99o72JFPM zO(w?B=;%!}YO+RI#ZK;%gpaa|_FpI5C`&|_B18adkyUu~rgdgBT}(_YG1*kMVET*% zy)-82y1$l+3d@hzk$>jU^6}&!dUZi~@!=}LPm7YOxtc|+D+F%TWb4$jDj|Ee5aq|j zC98JPTe*9Im;p(c&ue7u6*zPhdkN+7+d*lqf{RWC4(->k3jnXGDeAQRU z$>KW?f?b3n?OJAD>sv-_2wxp-_*QzeCRf`*$<3mDw$Rx<&Gr-S0d6!*A8~P3*P49* z>|otcQKV8zj3diCS^TklEQPrK(Lz{UqIkbwwv3CJ@ssG%==91L7P8n<^>pP26f#!- zCj7?r(s>3g75|3^Em*+;i{m?|8r~u-eYl~VBD8ohh{=nc)c7vDkW2E$TQ@6rkJ?<= zLbM(;C*yGtsJx7CNpTTaDEn2T>)q_tdA^^c3G&CuRh!}20YldO0(Uh+uN%a+E(Sg$ zu7WNL+3ht_Gd$QOJsDr1Ogr-tJhI*|hyYFq%E5X3ZCqS?ti!`UBSrGEuU!)0OG{@i z7HeDv?`UY3P&3s7>5R2o!??Og-VY7d`pUS*<>p~)f(mbvvX%tf9sp~mm)Lc;kDt=A zo}ZSxaMcTl?_)`vR>yHb8#HZvaW06i$h-{!*s06$ajt)K48n0pNlgs|gR$qBjjcnk zKo;8Z_RSbIJTkI}LN-;^5|vb>9Pf>;%37r^c&+5+SuuY_fk{C8DQ|NGq;ns>*Pb-Zmxsfce&BPWAfOHxW(2Diw>LaP@o65S%G!uo5 zm>3m6 
zUKe^E8FY{EViMsb>bd56DJQ6{8=75D#j7JH@k3}fJ~SzUo;BV4x37|=FkGM^@)j5zSI2w*{ZMmi=R;zShp?GVI9d5XF$8TY>;2o-4K1g|dfJ;IHPRKPtHq{qip3cQPWEB8Bk#2l|zOgw^AGlqVhw>|MHkEhrz)wFU>NX{Z_c2Mz`Wt3=p}*u`U3 z`=Vtq_qa9I6B*47n+84Kvv+)Z$rs-+hNApJgwJvenmn(W@%($j{t+seaojZ`Y4UgVp^5{8~6ER)7nCe zWlAby+J5WLSz8Sisk+gO&0{a(N0t&I3UOAA%KS83f*8++Ee&>aQo&PYQ4c4xyr794 zG4|b(a2QWI}=B#vR?Ko5SXA zY1Z=^{Q zRuVXe(a^Qow_^=!71Q`u1<)xcPHGZR&CNd)FUNG@;2x#s(bg115u#w}E-x-F4hZ5B zd9P!EYo?{cal_565=s)vW^Nef>3Yrjup|gB1j)0_3uyy~jhX+-;Woz7;pmFi! z)W}3nz7A5A_q~ZMPw%^)x1#=!es`e)j<#b?*zOx&C=O;QLJA%uJ7IkxQ9#cJ)JR#U zb+voj3v7V$)o(K$9PAh`8Uvst5r8p402x&QaPRkO`EkMkMtEhV-Xq@-PMoK6vn#fa zj2YgR^o4A4RF{CQJ5rR%ompoJrH|S}87=}<4MDF3I zmj!y7Hap(jQlcgaL^fF+B}CS61VG_#|6P-)_UP?jk}{NjA<+}UM+ z$PeF-pylcq+4USGujZ?iTAX+lRELv4>x*oE*&XXyFjn~Z+TvCTA}7h`luoP@&oH4N zwJpNzaJTq8--Z`K`+%EDi-JQ+6s}%!<%C(1>b|P2(tZUosaXt8gKk%3p9rh5B^(q? zP;G81b4x}doaMo(1h1raAzHDuRm0|?B>n&H_RgM304)b3k~~nPGDyQL1?v`)Y!J?1 z8-8}L7FOZQ92a-w1(kLocqk~Ct001{?Hz&%ntyu{lOCoV9gheLOX2`(QqiE9WC6Cr z0CYSYxj04KNE;5owSS_4r7k$*@FE#7MyD@lVP}5>3Blk3;r%3kx`dwqXp+>vhmKLR zKyn-rp^6`Pw!}SA4a#?Od7sk^+#7{(@<|g-RkWS;I)K>0>BGU-jIu8nleKT}O$xI@ z3xnZj)srPZt{i`TL?9_49rZ6^UESRT27J0ITJ-Lr4}c&>2Uzo}Kq`W#TVF}9iUE@H zHUK8jI*bY7;XlwKnenYfZcR5myu8%9-!s;@z22Pz<0OSJ-J)%poHF4qaljrippT(m zPZa@Ws{ePt2RV-yaUnd?dny(C#17P97F2|S^0n?npd0!~Ee1Rxg8_sAXEnZ}v!4x-s`UldFXijDRj)QQB^oMo#)^DJz*?l_OR4Hr1bfY4Jp#4d19O(qwG_qs1A& zE%7l(UmoDbRM`>(zze@tenC_JEPqZ_(tKZU)&7Ct+hLk5K7}= zc}`+W521)FIsgc$sobL(3XUr6L*+PhVtaG;iDrl0gNU`okjl@VA;NRv^-aBG2P%Vp zEo^V@Ms^J|7-X+@&vnfkiMWq4dOI|bf0I9a;6UmusIX9rCis;5vYq+5pa^AQzqet4$ z%Z#KI9yPrJ(4l$e-y?Ju{{Z}f38i1mlJB=yG>Y2*B>iB-V=R;)BtoVUFPm)fCHR!? 
zQMymZ;jHG*G6R58=jcvNz}2@}iLrs-W)9-uskcQ2B0xWR(As>Ow+y|!61QCp;mssC zpk=>(KDr=Qz;x%K_r(sX*EZxsD%~3ZLc_r->yXkE5{QeF$$wYPc-2jAPNt!gh22F} zr>AM6;iTwhSX5fofllDqWSJ|zrY2vcJh8g5j5JjQZg4;9H|xm1$i5;HM>9U+6!vlA)ke2@EKqG>m9GLfj&Y_z#oF>LA&&8bxm0L( z?%e}Bw6Py)Vk*a|WN53Kc>jTz0INP8j-5R1=4_2p$5-OAKx$CCs%;2yPg<2Mp%uhY z&2jUGRwB#WqtY7gk37=2(*6;64ws+-U;S3Rkfqno1#_ERJxz=Mm-af5C}8zm4fC#p z#taJUf=bW=exbLTNE;Qg9C7>BO%oPDf3j30$G9o_j1Pn j&kz4o1N#3#mtGUioaNAqkC6Yjk))RTW3_UXr{VtvE@kWq literal 0 HcmV?d00001 
diff --git a/assets/images/screenshots/hunt.png b/assets/images/screenshots/hunt.png deleted file mode 100644 index f4c4347a83720e386038ec4ec447d046408e9158..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 195653 zcma%j1z1#F*EZdVbcaEAcL{>T05V87(%m2oDIg-CG&7`)@C-S8it z=TV>U`~Fv7uL~UKoW0N4Yp=N1z1B8TLroDMhYAM?2?<~6fxIRX5@r<=66y{X2JlUy z(g_?131`k$PEJEfPL4st&DqMUOLY-*lS_DVi>rfouW!MD~`3 z2ni4`D_-ik5+2 zVJbv}r`U!&OX7o_hP(U$Hp^FwBZVj2x;$g=LOzMw@>KC=5X&t*dHV8uy3YuRo_E~& z{ES2|jD#Wg0jXw$z#Yd=jyaf=_oU2RD5%0C%iC(rPyjs8ZOFiNBl)>O z%*4})=yzRJGh(igT0#lB(#V>QhIzRiLw_2O76m2-mSLpZbKP zl*MQ$i^z+})!z3}qhNe{Gdi-QL*sU4irnPANks>ysk?{7ib`+qg5$(l;}VqhRoLzf zz2b_ado{(z%1X&n#{$kZ zZ|8Lf_&p1ZRWM;MfjJ@ei-4uQWelH*Zp_DIqT(6fjRSLTbg$w1_ z!>?Qer>i3Mtm$&Z&Pfk5Y=e4)?7CJcnvsE5{cM5q*`|0>;@TuEH)9J?P8;m@RhZt*k z-|^|F*^^v?IlV$5w!nXNYGp zWeGYAmEwDo;tS>EeaF{e5yNktnxDEQv{e?wNyGV+jFe26(@cd~<<+87cdy>49#=(2 z#ak;+gIC3)+GE;P+D*fFYd65m^Rdy6oWY#dgMXmRJ*AGkEs&2$NnXGf|4O`I&Q& zbFgzmCe$Rsq;8rx5cP`WO8;sWsVis^nKO8_b*A-ot5eL4h_1p}JWNr{V!ZmBsyAY= zxCjEM%n5Jf+h*YQ;X@l7H{bYn?se=@$;q-Xdl;A-sDg&!|LrXw~OzuMyYYF4Wjq7DP?AVE4x|23JQs7< zHO`9>f6w1X+=u(b_?+l6tJO$@!zW`s!!S+aVp=pe6jC71XS%F)!S=BSuXY7C`DlJ;H&;7zZP(Mbm*I=stUf{=Z(kAvX z_M?&zZN_3dBga}XXU{8WkRawr+;CoTQ+cnI(N4Yhn#Hj2^6EnI=e0AgnTB!yMSt6X zBa9mS#A%CWa>#V^*MRxn=xLl|bRAqr92MLahdIak)6fk9OX(MmYEzTVA8orciffDK zioK&GqHd7ABU>gra)dP$XFt``)Yx@8o7>P)rd4M5e(Ckedp{v8L2yH0yv}nu+0D#X zC(Qf)1=ofVwKrrGJ`J&t9m%LyPXE&OrBC{KKx2)tsk2<7(j!~J60wHUvE~(sqjY(| z+p*HB7MH6L)Hzg1%yt6f0@sp4(Hw}43a24^DXm1BOYQu#tyg(s@9LWlUYxeQnJGA5 ziOM7nZ1&?g)?ITQ-l;cv5jf@<;`KTU+3u4qg%gR;p} z=|`^m7yC*4IsCrXoxMvLw6?D*@zPa9M@H&v4`xqB_q@4!TKWTckLMOuE|Ys}$|rh_ zy;}UgKVM6X*U{6VE)_Mhuif;y=)muyW*$!;r*;yXcKGhHYO|S!@Lft;E_SbhIGfbB z*SQzl8|y58D`+^XC$9I~+}XmPRByRDl|2mo8evaoMo%iC?Q3`{f2K6#ywoyuByy0p zd9cxRDKNL%E@eF3J#E<%xZ3BZ;H!OVxaA8E`qo+~d-WlP9M^ciC83dq_RCeocWJLC zKEH!*dgDMt`WV{HKu(C{p%uaaUV}L$+GtOUP3^lYHGi=Z5fTffCkQZy*qzbrot&%; 
za36D9n!sCx0&y=7Z8$6(RNE5WnDvp-XkFa+keqL1UAWR9Ro*~)fXj5Yh8@gwh0TO@ z&YZFSfw==a=(`ir?PS!OZm2=&i#94zr}?k1(9N{8wlGZn{5~Ehe~R1KV1m4o{5rg_ zGdgO(kFd`bFj1uQrhR{07I=CsQtIfu=k=?21?NalRsx%sS930 zFy<*mf?E2n&^#bC1pwRAmnL8@XF z&W>DWkDbjexqKX5u7@B=_=o`?9W6b~7+5AjHMP#dBKukz=Huf8?%;Iyb@DLt;dFAp^Yj(Y(^Y?pN`q=(@l9T&C%K{e2eSL+Smy3t{=iI(TIcG=Up&nAd_U50#|GxOoKnd>a zwf{>Ne+&ArZvjb5;Ye`*+%+kjwBBVuBqSLmC3#sbALR9K*o|727soph_sJ|>O^Ce* z(T?zCLHyqEDztJ{m5+=gGG#piu1Z%en(~!=a_H`?I;#Bm$SQ~q4HZ{(9m5YsgqM51 z+o`>@R+~MO=u1;)zQ(0~%RPFTds5cDX`<8Cwl(W~-clo*YntEw`O_4>8SYg{`7bp7E_H0_dh>cBg+aM&u(Nro7dvM zSQIUzMpiCvrHON2fAbMtcKcgcmr?4`Fu&Q9eQX$aMlJ7C0%QBt2J1`G->=#RfwGZg zly`P6#5vPjV;F2Xf~&GFa=X%`*?Tg=cWW7CG!t@joV&(2AX6%EJK1b1zHX*k=}&Uh z&k2&1e6$NL>FzATG23;G7$p`y;1%=h{H#7^sEz>{kbCQSz%9o9^t@|>}4%f$ubz6=zD*wkvFNnn13!(g&l5f!y!js&=>m%x)u)az^oSR zT-8%0SPcU&YI#JD#tm&3e3v7FQ3;~oIok%nE$5#6$?A&$MYtU@SW7G7qA}`T+9WsK z3~>kPbJJS&_^_(Ngg7x2yJG1_Ufc1Kk9~ao2J12}fmUsvY?&SY9MO0jbU6`WTz6Sf z5joH2`z6O^DswHS$^*AMGE3O zm*=84n+bU|1T~3Y&tiZ0d-=?$1TQ8TaM1*wN1C-BPDF4S)j#c`&!kd_uD^SJBzY^3;(yO>ce`+1CPMUz%+CrFv{3a8NgyolovMnh;A*)BE+$!+z?tPNdXw-E}xWt#-|#Y$vSkbQO6pba6Sa)>!#CtJc`a+4q zbG7t)dOkFA<6Ww#I5$L<*wXpabQE{%D8I&iQ}mg)3Kx76Xa9A zK8(uJz5}!7`5P07csB8n4R zvSfUN1xNJXt*hFXR(Xy2zD>>kAiFUiOHK5oxLG;$vU=1%-fp+{(=z<9%W$L97J5GL z@J+h~I6tgrI+ggUAVAtQN?m1MhXP{mn$h+wXK%~Om}3b&ND8>OSL52Tj*gtOoEAB|L%;)-FM3- zDTJ}EcHvT-umk1pJln?iTWOej-oqd3RjQt7q>%SKU(8MO6QaMt{(DR5*9i8W_RU{^ z?cB2Wk4)gPIu);y__lDldtU^1@meT!jgJm3!DN;kYo;mB7PzW8swN1iC0OWPKzlb| zJ{E=cb0uyz?!_1~cs-~+tl!~9(l-g5LVJK69;eB_)o3kIl@O6GWuDFO-7FNdv(;6f z>j0KMmHdVL!hqg;o!9L9yn2V;r}^WZkwmB@Myu^odgUq;gzPP0rlVJ*;ng>^9B}5u zd?~$7K9ewlNow14)8`P2mB%=xu$zmT7{<>0sp(MvYAqf%BZ!T<3x11)40+;QuQcr+ zeNiOd9e0)RC7rrQ*lDt=uDNv$V-##GA{DWKL%04&V^5;Eg@@a=vGfm^M<7>bq{OIw z{wjctqh`{LQRnO+-5U>_FQx7Fq>7lz5DdfjTCR^;x+ z;p=Ovq+~H6TV7&47)bLiHMW0B(ho0LJ``tKKpjVWhj=gG+Uo}ubq1awLl*Bn%0D`T%vy8vX&IYRBNr#CEk*Y zxY1{QYbdWb_7mPshX9A~#O1y_mvxtLu!}gH&!Y3iD5mgMp`~$A+FS_a4+P 
zJAdYhSO(hW&f1v!D$j1?)eu`B7mPMf!JBQp)y;>v-x@+Qk4;QASU@jee>%+PiOLkysDSD zWqT^|L(<6?LPpWJl!~H`I8?T4SqFj)ky2W}Gf^L54?eIqSSZyENSO=nWxy@swi;!%H zHkV!d9M8OX=qEcp?zf>=v*lRbeTwBz+-fb(%IjnpcGk_898E{uhyOw}NzZw=*HsHWDTF=SV@D*QUO z&F6W6RS4gWBDn1)e_=tU%4L^@LtI}tvoAFR4`u&a(WnDx@v;cy4S2zQteT`FJD67 zH1NIdfQ$*H*Y;Z&g2`X+UFJnGH({3AGDaBFK;5HSyso<-m1TLajJ!`OUXVXJB8uR% z%O}ny_tvV-nmkAFAVT`m{+{gz=DFjYMHPeZX;nZh!k6zKCWlARohsIiJy*Mq*{|pA z&F+4XgN92jrC6YTxE~THKrQw7lj~0Gc#{BjMsXc1q`c6|z3_tJ=9een=sAa%-atH8 z;T+DH|7`J=bTWaRi6M#>Il%5dIc|Uc_<$-qSe8kbg?kh8zL+Y)hA2Ya%VSYo6k1kAF(pAG9ibyD614zA;k1osCkl+p8tDn0;|?qaIMo+5gX zJIpH>p(OcaA4@J`xY*2Kx;Y>EIT1}_%|Klcp*cM|!~tGy6ex{Ru?vwfFc3FjZ_+ZA zME4w{L*6tG-XQVM0BeY+GI*Dde`A$NGxGKd9M~VM@$wpfP1lRD#Hw0efFs87{ldfV z_wJulCCl$JROA95olZ_K9k$9ku|auHpb90jcO;+{YE9Jc_PPvKU zC|IMRf@fDzisr;Ea@EN5{e8Cu5{&6H__c{Gbf)C)L)=sbF8IruJb4#UjH(s~CW#G$ zy1cGbg7`u1BOoUsuTn+0z6snrCAt6;(`4{lt9`vJFT~G)N^q0zmpESxsj?5{dl!0+ zs(Z0gcKsfiaM%S0T$~E}!~+0*+Y+HbO*81E+V6O{el&1suwY-U;EMD7{T(z*?%J8g z=SQr9=u-f^dY)W(Kw0=%tyOvg&6g1rn}6||a_8Y2E`kU=nuH1(N)ST87#oTZ@P5lE z?Wn&)HL6I@f48@tk3@jQtN8}CP{?OqP^yF|K3Da~Ac+`d+3Ls-{M`FU>QIk za67dws}*C>jYM^tJKEf9wF^ZQ z_SvAcj!{ilHPkG+CqWskdj}VMiU8DRVuF~rg`;JGuZEX1`~s-b0~uF9aQlJcns1a? 
z#@2`+!-~ZbLw>FoG`_MlAQzvGXJ%u1b3A*5BFsk80fsE3G_m{wb0&hz3RlRub{o|F zPH44JY`?{U0(GsEb?(%Sy`3B|p>ZIcX!PA{i=Yn}&1%W}pEh zcHV6ngHbC^M=TR+x>s`V_moet0`6qMSuwtG7iZ0R`G@X2bU(wAO+ZNk=c)D%ab*y8rHk*LYrMsgoR5_{4HS&RejZETl11QTM}sKx zDwi*lM4tpBmUB<%tfVzBpBKL?p9hGDhhC)X#AgZ&$yoxv%aC2R8kCT^!3?IaJtBc) z9s8vlA`B*PV77%qKG3Z;L;h`;)BCUY;K{^T%-i2;wmMyhd6P}FD{XfxGdi0!S8fe8 zmTXN@_)eXCjoOH=^Y^e2UfcbHMGK_14z)C}IW!F|nN33ui@tBIiEmNFh@N6b_bP^- z4La>7**l;^PPwpH2*e@s6e;fnL8h;m3hDh_l<_nXl_K+)_*69RYA?Mywy)4zW5o|s zTqZV%Q7&$)L;Uq;E)rP5<~+$+T(T=>`2?{DAZI7HQGj)b6?|4j@|i;gx1le`zJPlW zV=;aLZG5u`r=bq5Ky$-hA*!_!PmZCY?WN$AXo(K4TdMpVs4wJ{6?vJvRELd0oYFG) zyxXD-dZGVhHFxhUUPuuM=ARcNu*LgM;2|{(X`im{f|+MZ*xL1cM{XC{W>>BsYSmGJ zd`Vf?hE74cCI|E7h98WipUN`37=!3n5|^4>qz*M2GN^i?g6bV{2K3 zRt^qJUDn>ZHB{SlSics5iR0}u$e5*txhah4BYih| zt}UCy(3}-SV92PXZj|J-$snM!c(y2*2bV+0nm&Vmc-u<2^ zlyS$R80;+|s{Celc3CI0lN}75K$EKgg%FQ2iol?FeH>Jnl{a#fhapoBrn^g5VQ34_PG`2 z39hjx7JN%fV%J9aZfB#;H_ygHbz@}@T}QaI8d7!^qy;5=&+LeODbm)6VbJlxO$lZY~5QKxGPf&$t0api2$zgi?<-M;*^% zDw8=lme*OacE?7YcykQN%S)^s7fMZEry)HNws-PpvRM%zn>T2pv=fO#`p~MBU`_+p z+0aS+Z+dpEh#X{0Gnx!dCOpY@qkkK$05uuBE)75>I5_#i z``#!nyK~+%SpFGnuY%js-p(5}d~{YU}Z**xupuF_KIa{agvV zO@Dg2)*Vxg1}e^FPF9(~A%1sw0AfM-LI;st^K`M&J zNdI8@f5pW92gsr0(P$ojBJTkZAG}1&Q}E5dx+h(7;*U}9 zu{x0CH3oU~dmcNB30-qzeV+i8h2PbOb2eY~Hp;oTpUYOoqf zc4L2pH+i>Cupm9(B?}+hW2OJrV`)rBn~`si{`BUW4Cs}g4HZ$Iuu=}H5j9scB1@r; z^~oBHdmlae%cg_FaeSsnHAItt)uwDXQ3^$ShTltXM*I-0hCPaB$oLqnbls)ca{Qd7 z-w>s;z3*pb?K$pa)KS~fv(7o~m|qgH@k1H&n_qXChkD{3XG^#YlFC z$9r>97fS%W_H%9U2ATVDPr*OZt3*N;Cvrl@{LJyw@}jQy1;JjWCgxSivG7^~<6m=S zSz^1i^g!I}Bh*Sc?YVo3e{Mnp;9>2LMpO8IyryY6&Nf2~bevYqL$~O}W&U5fREdVX z2?MJra^7lLdidi#ZIpl+37!xU~`D5S6-pSapz0wICk2=t({S{Dx$(UL%+z$il!z`!Qe=b^(-E{ex zpr1`o%8wP59i#g&SpS^uI^ujmYYZ&u`CRuGg#=YIT^}ux5MQnfJg+T+a@*G%ECmo~cjY=6L1fs=L7yR;&keIG1jTs|2p z4In)nv(Ah|*jwJql!CM=(nCmwbuFS@fNpqU76U}SIzixZJAIq<)k)v>xP58Z(R846 zQCS-fP^fO6t(}j-HM#h%qf(M=aa56c!6AJSPVIzc;8bUM2`LN~-)iLFK02O{?Q-Os zwtH7h#sq?DdAt(eti6-L3``hkp51&fY`~32Cm}-P(JzY&H-R_ea-J_@g^uSwrYZfQ 
zl$EZ?bf3O@y#60fk&PJ0%fFZ%H;F238x0ml7={6QRxBEfpUwk z{%pC3?XAEoaXeZv0g0>gy&b{ge5fyi@1rrk9XZ%F?Z;mAE1(zY4JZ&aHWdGOU6y_h zlu45sz>De)Zz%t5u`;H>K1B+K#A8(XU7asWchz758Q3ULBShqseN~`djIf88c03~t zhPD7?;l{$cf3anX{^s;auXo!L%$d%rFM~GV6pEgnMZl4+NhmH@9U(JLP zw8g1#QQAl8Sd?#6Pjpg!gE`gPimaElw^?UGv^{ooOdx_9YnhdY6940kRoI4|cz*|5HS7_Ijt@6{#1fMZ!_ z_*!L=@w6M&dtg&Ll*u~qi3zSjX2ZzCc`Z5@lC#HbE+2H!xT_Wgi<`AQb%6_xJS8{w zxz&@(&s@E)h!~x4tT7T<&53Vgdsh@^(wvQoroCp*2h;zsu=h%l4ttPeYplXLE%4LJ zTW0go!oAL3Gp)hA{a>)4Lz{pNr6tj-r&$-~CgJo+9vL2Y3O5tx6JOo>bOxI~XBv*l zW8H~Yml9pCo^Wy%yTUp(_V{{#Hp###GWhYX%1oWs+dREpXULktET;6aY`~+Agn-@n z%mtW9rl`ABfId|g4{BAdXda2_r_P)KiG!wqEx+k*^^#HzW1J%Xy^@AaswCqltF<&% zXjOFtr}Okz6tD-SR#WGlDtH2V8fSZb(geiJYA=|%>0e$K=bd)HD$?VtOCD(109^#8 z*7cri+PB$bv}Jo05v73_Yqpx9#@IKe zpR5)0ZeOkDXJX7T?OTFoe7<>(M6Y#3`D#KXeBBsyW9%)6Wl!7oce?186$u~rF`Z84 z(L2tSFJ}e@PzXC2db!2ln14l7)d@bGi{c(I^_h!go^ui0TO#M;?QiZleyadpOpn7! zSU(p;D1EkG;Y!Qhw6B>p%$)udbzCcwMVb-shUmge-QAD@B1Jmi$1_h0KY9QT zvg_?>Rf_Q5?*s=x%qQqr9@h@d6*E?3?wL$~N)U%&krE&!OT5Ve=3U6qH}bBXSgESj zJE9ZnyK3SaB=*k4XLq=c0QsN~E8VUIxzv^0E_`|w3~e8i4*7`oFz|eyzDviB_-Z$~ z%7YH8kAH|0Agmp2^7<9jf};?mv{~HL8$E?-!;h-;PoA zF1+UZA!motf>D%x5|y6}mBy`Lj&1g(O=P`5Tp7J9ENcQqRgXmSanEJW^ykCS(36I! 
zZ8dB)m#?}&)vv?NoRzJ9dXS$5QSj_H?`g>r^W}8!-qPn%ua(fsz^@BkpmZj-xruGt zv+anLFylfB)#kVOr(oNZd#C~c0@@_A?hP7B z?wIY~Tby_BZt8GQ8tO6N%ETSkbt)l3$kqcc*t`%^jOGdmKeQ?yFX(}mwHL^a-}h#1 zzIQya&CIa7@X*R2%Dpe5#}eHdnfCT7e-(5AeLI+s3Z6d2u7;5msLw1Wo7~v{oDLG0 zexF_I1aN3xoc8WD_P8j&ga9LiaXo<^}Fuj;rh7mge3o zYWwI!Cn*~n;9K|Mr)#B|w2Qyc;r})M!4xF8c7EQwNan{D-eZ@wwrvfDw~rx%4;6w zQ-Bo~3q%Y_P|QUnaVV>{fp|m4If^9)RzKJv9XdNGPtR*E?@%Y!FnV<{ef9Akb|?lu z4)>BBDBi|WoU!xavuvPfWUKYYguD58u531(y3>cVs#26p;6%!9u%OlnWu5gAzq5Yc zsC}rN9k?kYh%DV7AhA}w0IR?pzn|ak?6TULp5Vydq>Dkt7c+p7mQtx=k`e$wna+nJ zCV>$D#hC$lU$fUjM`Q*L5A!820mTwpuNpBn+k*?o=5mj!2@%R$OJk33m3Ps(NV?cK{ZU% z2_&{<0t^N<`!Ejoh-qv{Q4F)FU{c33p{-#r++Px@`n$R|58TCCHepL28r`VvBv{AjQeWLvkG6cu{#k*VNSI+QtIh`$_zt@CT_!RrTO$^nJL9^+14 zCM#>O1pK@CDU89sY=pzfVje3R(+gsW_+an^hfMKzb7aRn!kf$ltUSH7r$ptQp*O@> zFe+J}$q=u3d^AkaoSxS@%|+n}92=j}3ZRkjaS7mMQyAFt6^l8+euS4ZT(N4Arrh7b zUxAJcgu#aM@wchMEgG+a-`d*|-+beN_VVuQQ>}N*J}S#=tMXaHLPP7T57HS#B2o2p z?QW|T%+b>eh>=SJ0;Pe(B znQIcL2PM6SbCJM|9Sk8RG#{6^g*JiM;rSVtB}}tdVy}l{v?Px^(tP3<9Q?ll6=yI5 zsXV+CvSD8yW;v&^UkZw!1vGtI^HqF@1OSCCXn-J}JI{W#5}tCI3)V=RO?YPU5Ib>n zW}{|0LqT|red6xr1N^1H%e~B5^}thb(Jj>=A;CVlhaF-3d%^J32nOCnpw;H$Kw+`M zqy>n~g=nh%DdYVB>hlcnpG8X4+cB_+7HqpXnl=%s>-EDSxLJ|YDYyfRR}*91#Jxz) zuNR8LbOEBON_Iny0@?5;GGkpOzScDng8zchBj0EbnD2 zDuL>|0=ud6d-pNk;@GvEEWvhU^4ZQV&W>U?au6gwLZ(OS6@AwrtpoLe$$;>bj|Inp z?8Yik+-4XS;)+XtuJCmq8H7^Qxch~1nYk<-YLbV4lp*QYNrZi!!p!rft}ie%g(lNGU8dZoeYk5J+pB zNaBD{$oOT<0?_)CncojG+#5Dj$9q`>VKR>^mx}RbMy*dD#v(%wC^O z4Gt#OF|aSLYQyDjyg83qd0X}NrR-5l2aPU4qG@CuAp?_4GYe5wfbB_23MT21n&iQt z7z~8)Wh9(eDHaD?q>f^Km;m}L2Mf!Mtre z(SGDX7Sd6O?KN^E=@u6y%+5__seuX>ceM9R28O*bFu7(HUnO0Sm9 zN}=kZ5kdJVfGOkoM2*JInRv`ul}#s95R}g(Se1<}mM@?9M42dOycg{l>pb_yG{PUP zdX-vYqVia5tq9DV1#jd~obD>jK}l}}w`IFPY?}n+w)YY05t2uf{L#-#ed3(QKQccw zpRZfaz};#(GR_JYq35ytNIaR>`GhU{74%6g?n&t*?3}$?Uh$7&ER^y!NFB8dgc zYm5GOU0(q(qggY546k!9)!P3swlC>_WQ_l-{ld;9X!u1T2ow#R9^QMAIsCjZNa-dY zIy)jmLo{CGk=>3+v^6E$bEgWpP`Rg>xx?TvV}D}-5d`SEK!A8}C^Bl9Q#5LhB|NWI 
zRgd)75g$r|duLRBgP>KdE)ab6pE(6=Ad3E5O;skXc->CWKrMMh-4Ycjd_HL zb79B%h@m@Z)UoE9`Gy6`cmh?5fURZ`sj|uB5R)37opcM3<1vz3>Q|GoeprM#H;X0_ z>AAxNErR^=)4jfAY84irIe_f7Gf=h?c(Oku4e)hy5Svt7*}M;y_=+Y9e+`}s+SoJW zPQucRx3M~(bnh$X$7Pnx)qfyB9mM~^J|w2-S_7lHf}m9ba?P9dYfF3D*7utq&Zr=B zkqLaxBr*{(Y-FW*rCB|rK(+i&i)fU7(3!IS=TsiEds!qbM6vM`T8*eMz zfsO8L3!c=lCI)dlG>zAM`~PVv$r8kVLBV@_TZenmrWA}q?WC>qi(4*F?{^_g zym_}A;-|(A5~woMnepiZ&v$}b!kJJ`&PkcfV+OVI`P^pfWNLcOAI14hX&?6#54r(B z&yMy*sYn4F1KZ&mYw~9G$jQ7uStNQiXZsumodB|P9~vf}Z!d#{CSH4>!f7-%GLT&C zq!<=MgAT#!l8^F>y`c9@VS~d=S7=Yc-~|pvR+Ist>ucgQvbl26U@{hw<{IoEKT9ZA zR(a?>2zeK*Cd!zk#$qV!%lObfDUS}z80-g|xf?knG=Kai(ha21 z4@y)AWE61g=z!Rj!|*ePkip4rL7{Y)HtcAlu;gCgZxQ>erN2Et5a{sq7JhO^k6 zs}BSLH_uSB6gc2+*2J>Q03{lE zA?RpLpkle8HuA7YCWiN{2at5yADl3!QIP()2WiF8lpnVT!N+#Rkbdr#bGPdrABm0} zQMb)27KR7H)Bt{Stlj;>zDFX!tJZywKyqIrE&1dcf{UcvhJn;vo$qHq*sQ5-d0jTQ zK31`}cGgaRc{BeZ%d0buY9;g}Q@gSJZ8Rt;%Kt!0hvBxv?SZ>)jAYu60Zx(;lh zV63?v!Pi`^8ochR?#JUeUMVBJeHVJhJyhwNmW_S&)lF6ia=My7R`X9kV}A}xtn{VN zOhb5*=kwgbVq6H1r9pf4G(A-L_0?S*M$NKUoPE5A7iR zmRVyUxj(nevLwL~mpYns-!bN|a%uD4xenRagwa#urYB+SCAGK79;976dsg|fbfohv z+0g6EbzW-6NKNV=HNWPmL3el{r~5KT4q9kg8g~*6wT(Q7UbE-R+)jM3LU&D9MH(Tt z&-;F%nf_fgC`Un4fpCRtxGZHn`}$sEmTL}6Kq43o z|DgFPq>U79X&=OvEEcfNjv19Uc-LNpcW z76I#d%|e_CMp7YG?+aXlJUYn1U#5XFz{s);q_}VNP1eOM}<#3VS&Ixw##x)UjA9Vt)vJkIb zk|xrx*0Fjl&z5gi{})&wtCNWrly3gyzKKC<6NVB7=>=D;HSYD|0ufbz-9U1}A;5i8 z3RG%Ub06Dgw+x_Qy2vQ6UF*_hNtTzqqj&Spj)<#NuiyHG=Isj8F?LBsL zE?`yL7Dca2%{(FzdE?uiFbXuGM!5E{ zeGt_4Y_K=a9Eo*kG*2c#nZ%0&&xRgg(oaGnY^DBnr+$n~Xvnxgl~Kxj0%YuP(nA76 zhtxLDW8>gzE|>N4u5iI&-8U?9eHoJN+yOgLuMyBEcR|?%G$Lh%I%}tY%YubXrr1Wa zx+-q{g#hUCaKf2;Q2En<3U_)srx0>4mffaS{EAq_jE9-IA#ieM)3qY3IVF=!Ra2OD ze*#3Df>yU06Ta!JCUvs#HgrAgWcyc>fQ%6`%7h}Vr$LSwo zhDZXHi547yU^JOW^`|QU8@!MbTkUp#m`i_k+_lp+%ULr?Wb88=whb_f+;2e*wAb~c zU?HZm&rGlmtF~*-ZE%%eoEJbrlI7F#bPue+X4}vi0b795>gm_x1=M zEH_s}JG_Mgw_2_O)=!s~rLTM)JaY|&g@zp3eSdA)y(|>`U`Hr@AYern?4o~>?=C6$ zHi&PgW>M0ozX-BQiC_%$syf1)z_wGOD(z!_)_y4Zbvfs`cdY(!;$S7yGf1!Kaz~3f 
zd*J2Ca#VD0Y{L@Nez!drqcfJ?#7;9nqL@>o`-SvBXLI4KGPt)S9C8%!jSTlUCWKo= zq4ACT11jy`-<8qOHtX4|ed6p~z$<)1uY3En9-AUS!qID| z3-Ri^pqB`Bq2N_OeD6OIEh?6)?;jm+w-ZFiXH>-vewm=UN?NB5hw)l>Pq=+&%Eyz3;pFR z+R<=OCyFd#j@8(hG%i7cmDCE~HGd!>84%DdQS!OnJnx6M2(D(7fm_+x#ZvM!VdNJ& zw$}n|AlG5+gTSG%RUje0aZSil@I8L8GF)sxA?9JT&dm!~oQ~Wt6!Aaa-rj830-9*V zxze6|FSK>LObj~m95Et?VN36H5L-Ap)=y9ZwAnSgAJFWE`d6@$ddk$b+>=Tix`I}z zm;Wo>$vQ#PG=&YXu^85FHJ?%SJ4rc>{5(d=K^E)<^cj3O|M=cg_^nJdR!<7=9f#W4 zaKSk0iodt7b&fPeIxt|p)c&Lr7v{^tgPNSVb)>d?pTCGtOP`8P+RgTDa%Ejmt%X+LEB zQ>p$h!xE+2Dpf_!TMPRM&q!?2TA}tOlo^0&bQX8y{<6Ox8}%2)_=u$oZum&U#{aMK z_kVa!r6kam;<%O4(Dla`l8GV&nqACqB>r9B`pqJd(Z@4@9-3s1!$D|5#ro4l;dn)${fhwOmZh ztn>kPmh&@*P$Zt&1Mb0}<>>Nk zE8;q_0{}$zCkQX%U-Jp%BOQI7ep^`1;=>B}ln z8t;GUS#TQCQP259{sxs~u5t#JFxk35HN^X)q1Qj|F?gQ}zEW_VTh#dIo@JDFI4XBGJ-ke@)1wWwu6Cm<*z;48<_?pC- zcMd}G*C1mm;CW$?@w-|0riSa|KdKg$eEcV>>R(K9`tp_XVxeAi%F_ev?H+C+v!3W} zaCiV;CxahULaFD$rF;z?M2vyNiD@bt?eMkW6!<%>UGMKKIuEm5j#M>LUhG8q4eM^M z8C`na5chhS>=1m@ji7F$Qf~}wz*Yc9SUi&OJ;AxSxHyD&E^h*uiX%Yd;Ga;;+ShHg z02~G_gZFyrgSEYX1nz>(vyY`YI$U(uQBjEC0Xar))W(V&I#%~M-Kc5>Uvph((zfh| zf6mGQDE%2ZyX>9%qFsD6F5)VvsC=oMurB4X?>Jvo_WL}p%8#&{r{O_Ci&-MH7SLOEu zKEIkkXL8$dK<;cu9-jOj!|iZ$TITZNTn5;QM{w9V)}oTwPMgYS(Z16yxTM(0&&&WR z!HV){!)-YZ+vw8HJg8_MJ8#_j(s=S~9;AyAaEo+6bVVO)z8k45q)QfOAQDDRnx*_j z=J1bO=zkVHpo2(b`b^|pK|2xb)l7MdLTd?YrJP+*Emo#WfIUY9f8}h4+x+0Nln4fQP)m7yYJxs&9SzPf8Qu zd7x!dWh29&*5Ot*c3mvT(;@J?%SvC!Boo0ju-3c)$5OJIlSDNQHeMs$48T_eB|gs0 z-?N{t{h@0PJoQ3U<8V^N2$WMF6pl)B4#5d!eBicz`yu|%;s0^q zr2+_X(3Kkyt{yWvJ`-8G&%|JZBW{^EM`Rg|yU})Tdh=`6YS-s=! zbCaPjM|rB5gshY)ei;e!;psI_7X;f@UK9-_dxku@`6n9cZ?}m`l$56Q z#!2DAO!k$?CZN(8R9DO1eD_PJaNb0iT3{UI?togMumBvi=sZJ7|)a zwnmGMQmpF7!6`8rT0{r3BD-C8S^;u^4qfWq20>FtPH&X>!B|jicchL*itDFlw@Ewd zBu*nxm|LhMI5^yzmHbk@5Q@oa9meR~b!+^|&A&8P|Gu1-{!;B5fwRCGm%eeSm`pd? 
z7}ocw=%q@!1V)k&=OYpJM4tlW7aII91*T)Z3?ZRsxpVF2gVz8z5`2Cz$)gYMu-{O8 z02*P4Hh@&WEW9&TL1uJ{yew}3B!6Q23ISM=uw|F>6pm;s@u!`!i>Xe)RI z#?-HD4ctm}miAE`x54fr{l8oa|31tA@{jZkEXu=t16yoxA)1d_W=8CObephZ#h&ma z#{c`_|M3O1oZs&DMzOQ1D*vzy-Gd$G|2?dGieDI-B+X;_3c#02ClBG{9+B{m;Mu z#YZd9n_4LHRn1?{(Z4@7+imb(g3!$W$H1&*Kv-x;kMHtliso;pOyx0n?{x~A@TloiOCVKVL0d45^;{RiV0U!Gqg{=B@UhpFYAZZPL=~ zM7mV3;)LQB(x3tM+*4nrHy&O8ClX=0Q~{}+^!nZdAa?Npb5pDIBbP0!+IHgT!N#OE z#h6gubj!7`4#NB4chDU zZ`MlyB=ya-sc{m9FgtETnVu0Z^TUqk|F~__af!10-Mkvsx<%(tM;pi(QjS9~H)utQ zC^+VH92G@`Rzgb5rd6nWX(2lK^7uz$^h#39kjcLK8peqLQQS*Zvmj$xaqK z*crHah=+0@L}))!2V6BWz|@A?4LSYe5s)e)%nbm5x&+6Wiv@BoVt@K=7ziatOC+`oM7;TZ3ZpuK=!p2D{$ zXD@_`Ufnb~1?(fj^OJodGyo25*E2_qs<#z*8Yn;^zt|C7$$|)tXE{1woR>UrZ2`A9 zbrJ9r&Z?m_)gavq^aoH$=pYo@{o(j8_R>UsQ;Pcxjn~0C4c^roq+Bx~YTE|YCg#dF zU8oA%U%>Z20!eaOH}FF&eit#*k$=!9rEJKVRIESS1vq!+{gS9i11ZTHI6 zgZ1BF^o}w!(fI%eI**1tWIl}`lmuZ=D*!;#*w?P+lw4k%26r<0)w2sP*HT!jVM;tK zx0I5`CbT#M)&IA+QfU91Wjd0xz{t2GoMv7dexiv^Ag-mA_6?(H0cRlO-x|LU4%E( z=<|=401f^IjbJXdC@w|1xTM7GPa_1D7_w=9LQmJVKOT1U>7{v^j;wtJ2_86xU`&nj z;sgr(j=0$I(#HVr`H>HX0Fvbh@aI9G49c{fg1Wqzy(B`1u_llhU=8rCEm57k6;+q# zTYmT)K8gwVvnxoe8Gk<--~^D~TdoPuuf!F3x{q5~@HrpyQ5I(o6l23aA0!&zB*{Vt z+hfPKk6X=f7n0d*V#9=f9;b_3UksOUELI)EC0Vkk%+@5Zw82$-7#r2%$@9pc2O~pt* z`M2|R(yQ~fR}q$T1%UGE8vq@`C+x3i)0lM)V&Sl=%&k$&U+Y@9Z?}1F7jEj?na{Uo z*WbHKXOdtRdj$YDlx=4E@wW7Q5Bc?nN^FWWY|_qGCJ-(ABNm1t#aomr={s0F_1lk* z(8&Ze5IKm!en<=dSo{@bj8nhg54~T5l4V-fQ03Q1!$U7 zEQsw90X(li0(g^SIK!YMb~EV#>pR1EHUn=o#vPr8g9uLxBzvwTJdY3@=|Vj1|AsDF zD5i>u#@3qANuGR!97(!R1u+#T+X8`-;=#DuMlX?ygCZz23@YL~W<3RCospm_Y)dbo}i;js#d5A?>%;s*E&=`b%~1@ZhBlKHo3)<4O=G4Ew%3y|+5l3YIFxp|)-bi^~!V(=OF6Tb>A~ z;3_a~%*s>4p_H;~OpOA8K219TsBT9Z)h z9`idNG&O}LUU=mE1H{-IqCub-`=S9;{ttYdk66xhP8IlMH z$>kEOR~w5 zoiP@mJ0vJYeKlW-R5CGN^ohyrV5JrAt2P;$B1W|J-CKaRw!Usz`wpss^k`;=Wt$sY zGopessb{>*x7LYCnVnHzW=&xofArdkLu)`0BiqzRyILyQ^&!4oW5|4Ko_r+vao)?u zlU@B)0fr0p8=>bDz{;GeA@5SQCpJ#7)sp4 
znO%O9P=CIcZ{=ZVpk{k5M|$?PMrDyLw)D39ORUTTsC8J@PQIwYL9WI^S(p12(n3ue4JhwoH@)EwMak7c(EP4ldOD-*!LdHdS>Oa z-#BQk_#pSFPi5?j&cem#sfvg|nqIOWdloCT) zlIYKR|<2l?n*L^~ibO z$U~J1b-xP#k*BXRD{eQ+oTJD804R=I*L0a?;n&KdlnbC43B(~4;J6Hvu#S067$>$Ur|HH?XDj?VS z>~iXOoNl-iHQ%1_K&#dXw8ybscv?|2^c!!_*y0s@7&^crU$F~RBfk!Jtuzx0HoYNX zOfBwcY`ymI1$9WPnAA!~Oq+}-Ku^6`yakhwPF>EpMKU8NR-IY%nBfJg=aoBy@s49! zaNJ!i9I^FAaP(S1{*J5@jc(f!JkQK`WynHhMg||VtD5@zyVWMF1e1{HRbS7I<_tM2 zwH0y_^TbGC=;4jP@5{-dX4;mC@Fo*nxN=~oz{nqoddH}mpU=nehU|;gz=}x{Oqtqn z5e-Pc(YBJoA5CQmyi=8QCvs>ksX&@;M27%6df+O+PE4==rv;v1o0nU`igkJ>R#MsObADFkq$am`_xm0)f^u_X&n z`8IX0hjitpm{=i-tVfT?opA8SsH8ceADBqQl8ueVNdnKZhQ)ps6gSc;c%l-rpAZx! z4eug54*>s(6uErzRQhJ6OzPOR?8$LNG)Jk$sn}6^JKlgO*=S3&jwF&}NWCR|<&r=j z&_X5g2(Og5Y-Hd_lH9I-s_OB||1RWVwBKv&C!@t9wDlLUVF;nu0;`I{06jLYy=XlXO zszuc2aN$wY*IOaJEILmZJRRFCg0UWX{Kh_HJRax_iq%p3^o|zEhNKS=C3Gt#!FlsE ziXp|k;3&rC`igDRhAQdn^W|ptQz(a%(hkic3=_KuQy-t*|DAX)M?)p>s+{=dJkew~ z1asvu;rz*HnFYeDn6rJiOTx+bu7i);@x}9LeLZ$XncEH&Zl;px`kqdS|DrTg@+r-x zc#nbXLg@X=Y6fRpbe44MAseYo*aLdmMrt*?yHpt^_@i!{HeE!cFDv63Sj@Bx+)4%! 
z>ZO#LAL5*mhQ6bIo6p$A9%U#F=t*d!s~Po;L+)&&dSpmSB!HVe`{6-#s@NX$;^Mj# z@)mdVi-FN~_ebWHXH28F8%YR?oFQ`)@eK!AG@{zaSKk>8&=o0ANG#Tcw~#GG*su@y z@ThgYZHd)3aMipg*X(`;Q7Eosk%`s$N9SUt~lgk?Q|U_9$_VT$RFc# zz*$3`zfxvY=){~RY#W*_Uo;+ZJmpxdQ|MXh^8n-$eo@aEeq8eraysX^H>E2Q=`97* zw$Q8YEy|1yE`xC7`0Un)%$g2!C}7$UChzElwH*o^noTL}+zSnSPVq}Xle=k)Za{D| zSAF5|9%Ab#BF5J|HV1GY;8F0J>a_NmKQeaZZUOsR>-3E^-GQgsoGcAAIRpACo{moI z?w#_&J*^SWAsF-|>+;N4P_bb)w=zTPgg4<9bmNbkf)ekFjjcTQlg9}lU~wkzl`&5| zoB;`a(-L8EUIo-H^u|wfQEL+m_0LZ}bnGm?V${H?tY%+{F%MCbN;-};a2r38iej{9 zzuxs}L_`{kLBC9ScqT*3Q)q|j0d6^sa#J$?)OgeN&LC*=S(8Et;{)O8m+C$qa*h#a z(cX>;vHKMd0&ELyu&T%X-P|C_MmTWMH)4)iBYp>B-2;SU?Q&+?!0bKQAC93}@BMqE)qKtS%#D)Ll5$eGRmV@jOW{!P}LT#Z#9s|#zR{2+v9yJrH~ z$Z$DNY+in!XdD?*TJSU_mh-R&o3b%Z4hKdcMdriW^`1CyH>F)BZdgos)MHnPm-eA` z@%0xg)!$66gd`#;s!a^6YD6;T7-u0k=AxJCJ*k;E1q6+y7aDS}q=-nSJmy+00uj0u zA?Lk#ZTZc?{6T|kOz+hW>Jqe6ermrn<~oHeJZN@}gBIhwAKbsgWwaTyWrTIZ$54*q z8dF!7E30=SMNx42)!Fa*$PYZD4;aME)tN_y0#BwSw`+3dp2&~SpA>OgU9599TL-?T zNWZ<4u+r!cm0-_n=;0{1H;jdY#2RHT!ksfZ^0i_IO%BciBtmK z?NKE2=^gdq;+g%DJ7I_o#v$7jzrdkOZgn%unQX?2Z7<|YqVL?r`>pS4A+xn&?w|bW z5u{XRDoL}sK5!St$0{jXcAMC2eJO-Oak&yu%7I|j=zVwmsnz>ti$q6a&oJKw zHp)T|w~v=t8`@s$b_iNyfU&xhq^6b2;Z11QQgY)hlQpy3%PX9#euCHd>5%@M5B$g= z>Czs0_Ujrsl=c&d(nzpB?{@6ux*%4=S4&Ol0uf zgg(HEthn7iktVKEmdT&ioZ@bJhagFPO~Oj^^GaR$kvMDj`-&##Vq!c~PoFcz;P>DN zs?>k?z_;|{t8)FJ74z?f5iT)w7=hg5k8UTYO{ITJ zwv?Y5b98wG5hF{(we~W9C0WmUL-WSFg?T(-k@1ycU3}>{+uIl|7Gg1u2qjM8KG)av zX0N#JeGH5kUq0qj{+K*`H=A8^xA&C|R_a-df>_haN`$M6M2QcfaTdM^Mc%y6?RQeo zFVgO3%Y?!Cs;Sn&{9J-HipF^w3jw&&U)Qk-2f9s`YLq9$|gU zJ_+@v*I2mOWC7&6AD|v`D5w5rR`2O&Lp=?W>(j5c9q)VV zd#F6y$gusqG|}-&um~4tuy{alz7M;tgQe&eI}jLc$Nt{(C|t~PNg^OnYzdR3==-Wy zbZp@gCHZDj^@;_#(v-TY$n7M8O>^?&JCrMY50!meV_>PFg_-(>wBDOesU^gL6L$?g z*&>KZFpjQ$I-orC%nwSp7AKNaA3t9Tz#<{De9wlPUpAybY(W&mOM-jrC{lhjwVWOa z5lZj(Y;uj;`a$u{+z|SqDPvn-ZtYod47X9YYbJZ~^BC9x=Xt83e%iVG=99tFyrl~0 zqH|i+Nu@40`q61gC%f|kKw+mE<4|;UoWN#YSRhEShDD9Qpxm8*-%d|d3(9zJJ28j&m|-`K&e>PHO3YZ#{HIr 
z|2Beq#Em>;qQp^K5a!`h&Y5irw|IacRcA_^Z7!ea<~LoC_fb~)9w4;`lDb2mO)?yz zCyNR9xFWBovj{yh!v{XQ!dcGJ>04KF&V|#rZ6c{gYF&x)Pz_sSgCImpXdy_;m$L+z z#jTTGcu zX#*@+2J9sr9)WhlwznNSAOy%ez2=A~5_h5{So1zW&gSl#fs99E$sRpP|2T_eYMEed zLY2OJkQ$*)lCxbm%ZM@vA}k4`p@~!J=Nk@wVZxeIyfF&VcuVG?SX^S?(u0T&BAQI0 zsT(Hp(iA5;E3|#DZpt$`-z?~8)Q5c?x|H-j#N?LMl(aufVjyF>bxVqX`6bqClZ-2J zlpz$DmuwB%0gMnFoK-pU>p1T@8r}we63D*t_LJNe^Q~wVGN{)j;^B_|iakKhfT!_9 zpr-2VdJ+(Q0|Uuh>`Si}qtg7A4!Lw}^Po4voM~5ChjH@4#W3OxMeo~WL zb(*ql9w&-?GNM3a2xUPfr{C?QI}P&f@upvEk6tgadd4xGqamk#B7ToM35A1vJ?Kv` zv^^OgtD2mfkIX*xU-gXQKGfB&>G4{P=djRAyo4g`&{7z%)Fp33KV`E_tvxpttxyG5 zJEGS&O0;s&^Nm$aO{NLcC}FwBrwQv*4Ih{dy zDvb2|WS@Q=JPff?P*?Y~3Nwu|7K}-+o>}Qg9n}y+qpJ-kld-%A_pI9Gt&1#H-9J}H zygckL)y;PgT_|ryE)!1F#ImP)$2Y#5K2zFBQACC;-1jWbk5#T1NNYr8&(Q;4aSr%z2`R?2+7DZZax1@FRS}fUEGW^ZV^>UeKcC)w9_zK zPovK1uJ*CG{Lm+5AwTVE=yB}}NQi~$#A*Rid(cC!>tUB3D?Q{}XSR;X+nt9CCw?#* zo--6lT$r{*@{P`^3;Rs{t!k~U>LYxGj{B0Hw^)=CuCM8sWN_~+IdOI(7jrvmk@bm^ zISKaDehD{(oYl^bA`f?~HpOj^b$mm5c1DCHQg6_u7EFVZ!3l}31@PSMtHJc$ps`^Ab^&qXCEOtEo$nJj?b zy2$bNCo?+f`-Gi6%=Qw4xb8IwJrqL#E7o_4y`0!PINogK_gJ8eTJnktakAz2I2#f^ z3n=gSLb-S10>@rb1BqzY9}4q#r|*$fD;2u2J1#y>t#yMeKBh!LgrlgEjShD|^9P$|jLO*!hM<(2F?5lt*MSn3R?_LzRMy_*=TGR3>=(HxNB z-FvBF3X;mjHq-VaG8|gJ=3IB`5Npu{S1CE2-!XESM@L=`oMwj{hE9{Hk;=UbHx`N^ z7ctCtn$Wn7z!5lJtd~+rPAt9~Sb$T}B^gk?;K{knt~p}0SsAwywwU;sA+Jr9yOgoI zW6ry6|EZO{C%Z3vVr_7aerT5gbIlpkPC~g;qh^f-i=$oMq9S#23>jXd_~~5)9nS$a ze7=0eF6#9iaiwp!v*UYwwL{aiy&{Q1P|`cqE2m8rrYH4-XNA7-ku7zFks+#1hFN98 z%$hfuy#hrP3Sl-uC=Km*vrSl*=c$wfb^xLw1`@cue;$WJvV&;UhMmgk?C~ zRYS_gK2je(%uRNdH}q`SGyGy$)$W6aV(i~-I_Hic$j?&h3!3Hb;bYHSxNu+mLaiG( zVWsnM*RasyAqw`|UfpzWWcIHA15~ol=v(VByE25itrc+?CslY{QgWCs)+CPOaSL^43%inX ziSUm+uEyCZW3!n7xO;C4)MDfPv_a2A=biGFOmwDI}zqDvqP{Y z-<*wUDd4cG%P-pJjM|;c&5O)ZV{L@Xbl^(Kv!_FtQnzSlGgep#=?E0nGXm2EF)Ie) z3-?#K_V0ce8;??2SQ-{cSnp4}`MGRbe5E5i^+9&noQQPYl)P^W!;O!y@$f z_y$OhAr0@d5I>jGb>d}btX6fPG(od8k$Sa9nViVM&G?~R4skVqnJ1KyHNzi1*dfQV zgM&=u1D1zBm)A@h>Qf=c&9S7Xwl(B6STg25Zt%FLT6XWqKDXNOSb+wb28A-mke$Ar 
zGhG!8MA@(M{rKQQC#(g@Y}jjEb5i+i#PQ~{Am;EPL7LGYdym_;*b(a13d%){$M#N($^kAl zO~z1%o%ejo>W3Ni%Gr=2S9yeZyQjy1lhnodVf!&VX|B{AyN5%u4;!sh;ISz1YrMOI z8lU&;lrL<~Q@D%Drof#)%HM9L={1vV^WOP1XUchUuzG4YY)jB}z&>mXqL)OC+H%3A zc>8tQ+c`z0-l#nU^#ioInfXa8a;z#LD9p?e=?stKaC3&Il3mM}?)YNAthgQbhIy)P zXozVPTK@S?wzpytAKR$vNwu7(hG8M8%XtFtdTz2SJe!oO zdB&G+l#D?Bh791xsg7H&e5hC)oCjnaFQzK=uwEmNwXwOpUDB)j?srRn z6d(Mw{D@nr)rHn3M(d@ic(e;Yg%;@0cqi`qUi1@PnjH$S`-|>jvm!%ZuE)dmI;+j# zW~TkjoK+8Ie5WOxM%=;>iC2F#LyKTOFV;~JL8ek$+>|aTtr6?f_Iv*Qvq`!Iwu9eV zyvv7+1oyiGN4>vH3a6c&!C~?E<(_=j>%%(7OVlXI)Q<#i{KO%i@$On#2}yjKI-Ei3 zIIjx~^0J$RaAzonRZ3)T2~&@=Qz|R2HpGfKlifA$dq5y`T_7`v71ybqoXk|}{!=Ew zfJn)Uqcax&*wiIHX2R=?1GV_(w1G|KJy{(Cw}Rj+O)V}vedJZYKD+B@Ilx*Bc_&E^7xZ26!{pD6k z{|TPC;MCD~WJma8qMw61Rwxqdqt3D9^4*mvW7^&YlR!IWbatIsVcsNAD-Dego|)j+ z#Cb-p!k>n^QrPv=IdY2&)0o3n1!HE4C|slY%_E-yRUg^o3pJHzFe^bhE<3USfsyVY z;utl8O|oh;AH4x-c0S2jQ;v}BbMqQ~oEW^)_*4v@0J%t#NPH|9&eRwyPQ>xd!V{^a z#hiEo0zRH0UPdHWWty?vFU(I`-t?kr&es;il%>5tw>@@uP9_bEMyZcQVP5gt5%UaU>;qr;<8SXcuup zQ8s~zoro#t7mAAtZ#OK{CahVd=GxaO_))7f5XiYibn__%V4c32%^q}7PHa5t;=M_K z>EnJ}w4F4t#W8D95n3d z#2%X(gy=Qk&pe-j!cXn&`f53EeuSiyO)hv3jjY&4ft+F^1)Fw4+FIpsnL*+Q6eaxD zRA;o-0#Ae1GgM!9)S1NnyH_!7dmPkmi!?d#js~w9^7@X&dE2U5# z)BQo~B*NEM>tv#W^)F**Se+z$onkrGsj8y1P*ZEsGgZ{NJ2e2a%UevOqV>3jwc(wr z;YX9lV$LLeTbO2F+flY$;*&e4qscQI>@pc=0biMVJlM9_bH=}`YdM`uAiUhxB<_@) zzv7%t%x^!iU)u{QgFj?CO-Xgn+Jw!A>3AC>L=N=AIxeRV?CTsvrbFG=rfzjW5~;Ms zgj^8m*)+z9tzTo8#B1Hcx$wAdR9zs42A@rwx%Nxjai_D(v35bZD6uCg`kZdb*+Bvy z;(TX|x3>F48U}}wQ;(lf4gu)Sx9tyM%2>)VWWrb5SBGBW(1wOEX~}07Dh{2BsaeWp z7*#x;=MyGq*Pu6wKMY&rRO-Bv5Ic58sb1>;?o6}S)JY<(O37d9R^dJYmfB)?iw{;c z&b2F9Wc2g+DWR14SOmgq*#S`_%b(7sK=h1Psmp_TpG=w$i?n@HuZJi9tPZDHBr^X; z-;Vrt4AG4NTnb}q@}O{>r&jw<8s&-jJs^%TSPs^+-$TPa*>vuH8=88I5kGgenbcmw z3ZjU>#V+%w4%%ziD!!M5!7xOsl1arxZ9271#o4tzof&i!iAU(z%`g4f+LK)B9t%g^ z_RVbLKokomQ6PrC#tzN&Mu`L#b8;G6J%l|%7sB+`ln_6X-?|BvtWhA|NsIgVrMSX# zf}rN9Zyz1mD$^Im1GDcXaeL(jDSr!^Bf=ylLkb^|pPr(bJlHEbs;YrZJ`F6~pG1|e 
z(310-C3|AMqi19<(cs#uuos^7jJzHx&S76-dmxB;t5%5va;D{2uihORwuh#0qnSg4 z-Md@t%_Nch99g8VSB~Thy9ck9lP$-;U{t;SCHAp#yfGOiD*+z4;-}qbpJ{rx#3mne z5))G9lS-+C)f*?Mxm1bwYx^vnK7|-^$kDs>@g0jsQ;oAX4U}u>FVeRPnFM1V-||oF zSXu>=GEz78+qtP7T<)Z zL{gH7@>j;8EsKg{n{x?Gy{8ojYte&v_ykN|cuyZc=P{F#!P3J=yh*b^ zhbcvc_m^SR-T1RR&;jvwv0NmMlBk8_X7(Unry!Dhpw7oa{gZ#fqZc_DxDPvtW(%N5 zhhONB=iYK|ekZU86=zDLyVJ#P;zJsSoW6#=6$Ge}lW7MV(-DK!_%F-J(-T_|@AxtZ zNJqrqY7)2nyx#v%-+QO7t%5hCr+q3dr>HC6N0IrF*Qs3o(ZdfjNpuXNX=)j4%uw50 z2FL2Bb7uktWTS?Kt7hTeOdJO}OnApiTxk|RgtGQk=HqN=i@2&gjm_aMh?)E|FFM2s^yOvEef$>OPz0b6|R%U?oaoziss zVGwSQLddSV)vcRfTef(TRJ9X7Z%Z`S401z>7=^{MjYFmGv(ndUGP5aWkZl1CP}YF? z*5E4d0!!$*b0$PZm>Jf0tjdzEn|O39w;fvgL~B*R?l_U|IX6dWeg)>n!dIW7rgbu= zpR#k|u{r&aa7qQH=otxl8+##l-TstRLMnX?{>Qk|la=x~mwEb45m-SyIlr)Q5Y>^l zMC=k>a3|JI1(2cT63D%&$II6VF+*eOpzs%Q=~BJ8Vir|X1EQ39te70bs@J(Rbut4< znjdo*ekY9Y(WZFp;yd7azuA`KTh6>{b!QHlr2?n<=qucya}AE{PZX4Idzqm%PH8g6 z389M`ySBYlzcg~hm=6gX%bUoIQH*% z2uT1smS?uDm%yj>S8u5I66I=c1-yo0k+Umv`DWn?Q3hLewK}Oo&AS`avwcdYHI#DW zKI=~Jdn;6p9)q0|FwQPzN)OY{6KnhS@hp{8Bgce_`0dZ@Q9XU^-z{I^(fDW;jw*R= zXY!Gb;^OokLpVm&EmzO6h;LcOKhC^L>#F&SJ?ts@-kz?l#=G60rl*9wZ%`Mb@SB|6 z6I@EYSUI{P+2bKL@)v50R15qz$(PG2-2H~e&)=kc_1{G2)AaO@yymBAl()ovf<)${ zw%YeE&$8yrBrhFnJeFHSoccDlgz7s#-W>gPlls!QTW5up=P~W2S4dE8+sDpAdOf3E z^E3CO>T0**fbaRHZT8wEVS0x~EN{%F!!AK)jg~8zn$t`RCwIt)AEL4x;oR&AHDo-l zb4O9_AueCWFvW`Bxt_84YJA1Zp$#s49a^ev`m(va-;%Byd4vDqT;e+5=>wYayU)&!=o~C+EDH1u2CdI-E_O6xMk zyDBTL0Y@E>Z&g*`F)b^@zgp{pGz@{8Ffr47lMCLZ|4k%CY7JLyk&8nv*YG+!NiME1 zd}kF^o&)u&G@XEYHOu$jlNj`7!Q}T+zgw*oWastP>T_KE!hN5aMy&EN7Jt31kkT(U z&oWt+!VJfSVsZ>ouAx`dbA)lq6(o`S35Vft@gsHkMvRIqYN95W8qOVVFvw`>@m3m@ zx%)h@w@yAmUf)?bT|}9wHybA@%=QIB--AF3)$?U-hjoUQj@4mWlIquY_DzqKvh=#W z1Ev0J)*mx|Xz6in{R-g|%)cTd-1PF9e1uLdo4#3$<}TAgGVIRxnImq$88Rl74vz^R z3j+Ni%^TA;JJ=9y&EW$RTB!0a4ZEwfWC7OXuo6qW?1m*AjvCn!Eq3678@*gp-0-P= zjyyt|Br;GP84j$j0}K zO@4NTXvUpEM_NwZFV6*(Xa^;UIFt(?*eOV!^`g=`@zazCUQOWS8(msHqQE{tG(5c1 zloE@un67=dd0Ml(-`AW%uQ)3vUQ2P~(r7}Iwh)jN%{ 
zAG@;-KhFJ15Yi-s`o6E@%~~ra%+AY0$UDF{Tj%vGoX2SM5j^`ivnsk$-%tU?m)ozs z`Nl$N5)Vc9ePosua>s#qMYR1+#te>_#pomhpCnYLZ)W{2$lgdQD--$uShS#f4cHWmxKJZ=m zw8cX+D#6FWqL@mR^rha|Hm)LEV%L33pxbfgoUvoEvnX0wSYQoSFFvTQtBpj!C2!&J z%!tDhmR-8q9opi*1ReVrJZMAb{*0E#4`HN>tjbZxb*_DNM#%oldU5+$pi842_G+R} zUlFf7j8;NBeHp8K%G~y|i7}9jwE&{z%QbFFxWCl>cMgHb(ZBG~nv(B)gZo|jBwKcr zzL;9H4w=ERnii|t7perZMfiSya=imYjf{WhJu7WBbLc453fT+6h$=+%+qc{X54B8FqES}NGzy}ia1Z=>` zPCs<-(w0+6k`l^4O7=gvB}^Q3YG_?oTAn6uURv*dn^q0gSt057TdNz1fikRp+F|ox zH20t*f{q&Sj}k2oqv-z67D@u>zGg1vw8{$9OOlf?DIc?Zh6u@{*#bY}n{=#G$1vb0 zz5be3wb!2$IAJ$(?xDc{(+3b^bkl)C2VOZR>gZ3ImcQbWNzoDVRvwJR)zjGA<1_NH za4Z(t^P5gJ+MAPgIt(*vbJ>b?Xs!6sm={^0{44r*ip*bq)BpU(AuL4=qu!;Al zFz5dwe>TN##ZiP))p)Im0wKT6@C#d$>+u$ z6JF0Ohs)P7untA$8^qNODE^--0(PO44Gux%V2mKqDQ}Ec?!0+;ZJG?}Cbjf&X*%&?9wamwHzY4iFz;__v#L zLPCCcMTNY-Bl-5(N0wz%`%$wTiiUT(053Dnx`g3ckR`L%dzzQ z%0G;NxA+PLc2>$m_eh{du~JxhCFfvmln1?HKsNz#xgwY}UemBnePNj}4Y-kF>5w4o z1J#o+)mv(y3l8fQ#(yB)s~8tumupsq;-MLlBw4#6b`t{F6J<_3xpRW2K~xhE(1gpn zb3EQi8>mINWHh05aF2k5%0!77U_L0H0YTePAcs~o-{860eT6ld6!Z@{u$^2QZ@3t* zoJSpnqE*kU0U^#J|2LIwIA~d8zWTr*;onT|H$yDIO$-GLlKSU66*ETac)LK~MYwM? 
znHAkB!=l?)vv5+4YYVN#C${%Z<_C+_(HE|f(UOw!vn;_=cOi=gh}I=QOSA!5`e~M4 z4(=Cj40n{pb{?Po(uQ-GcY@43psQzLa75+P?J|gaEpb%==IVu>;@!- zbZaJRbw|Zk^_uevpb{bMW0Y_JWZ=3GH0X|4Xeml6BcB~KImmSXhqi;xFwjMz zMKgO$Q(Q-^Jfc|9{W2uB(3S#yqwOW|{2Svsz>5N{k#h$0XF@?|WA2W~n{?<-AE5if z!^$y}u!OIZBZs4mzI&?4P8~E(fHKuzUR1LYQCVrzV`2D}%VG!gOKImvh>@ckFVsXK ze;z{X9D4iVefN9&%9dkY_L_}XC@ljpFo&W&l&ThU#(7j~jXp1TrMn5-zIOq1GJ3Jihien))M)iyZSq<}aE|p7i)vO9 zJ%E;t36M1k!NkVHX>M67s^bQFmLJDJO95-Bt<8v$9qup#9PHU$AJV=TMu3&K;RKo$ zb$})kN$!+tb{8wKr`o*zP7a&9$edN#@Eh05*>s)&*_Jzc6+M#Ce3f1RARMPuLMZ~9S+NNpfM7|vg7-2*HSt+&Y(Cc z<#!TvCmY++_Fcl|a)}%#DWLOCw_Mh+Sxi^>g4;J^TEEs5`JsQI?ze_@E5rfLm>RDp z%PeN851$l@05!EXkrh50~hS84zW7=^(p>;*VNviGW{oTU#Jag49n51sQ> zq^>>!B^a#`H00fr`iYOyLK!HcNjP*vFbd-d`lf-vi)Wlccs9Bv)bbkAv!?Bkp}xtsCickgx~i0=nL1O3|P zOcUb>3D8ZIlAU|lOMiX}TX7g_x$wun*3~dpT%WcZJPOWws`l+MV4G;|8^hL+Z&Eh0 zDD8o`kqIa?g#kTTmf6UarHI9OAe|VF=JgTh(97Dg;-RU)SPqJo&r`9I*OTr{;gZhgd*~58d?^>*@!>+L zfm&es8MX7Mp|_pS(R^^}*>10Fv0=mR`Li%&PG#KU62kAog~4&1KnZW1yr85}OpHOS(%`R7#~AL`pg~T?V=7ZV=dnbZ$2J zU$--J=FI$#&b)p;&zm{oLAdw*jkVUbu614c{qKIY=cJg=urI$~c-x$AZuWG-OD^&` zBd;l#A@@Q8o6hBuUDsW_E1^1oq92s@38lRFh!wG*I?^zv6h<~tX~_(={;n4CE^sB| zlbbi}s5`8r&f0f}aE!H)vG_D-YjV;MmfxviobHKK=E)rsQ$DK0ftb`S>+o2YtE(Ca zsIV{xzC1M{-IQX22Z{X9dBwViSJ<_8E$AEa-pGn1n%Ba!ga^NTPq%f&^IgBk(%!mX zu82!6XRFt_>x)(B1*DX~z(1*uN^RPG0kt|5j)LVPtx7=37K~iJOjxrFi>@}rQ5jsV z>$pPo-s$CF|9wJLo2+PLMzqDzs+4#q?KmI4x^lVt>plDIWBYyf(~M>Cv}nG&FQ8uN zEJ>g)J&R};+4oTEJa#ghw2$Qp43Cat%Sya=qV!}GNSNAZSR>PvOFb~OIX^+MJ4Nx@ zc?UX8+*b}rBzIaTPC3hqxo?o`f2hydu@IUcPja%-A6$Kmr3f)1E_ke>ANy?S9QQT# zqSl8_PqaWTDtIJB+qc%kQuVP0d}R(!VYfh`YuRlL1P7L4xT#{x8=iC!7eWKGx(}ynr-2bUF%KWmozCL;EJPqPM~?_%HkKpL$%(2 zHtVb@zg%+;hk^H50j?%`s%YXfr>nzb%voRRAVRzKW?TgX2N=3vqVY#O)ymzqP7{AL zXpmTla>{a=xqoSIUUDw;xWqIJY6mZCUfuNAgL22V$q1Sx)P^4We5zT7yg7~AT}ebX z`sDk|uJT8R_xn^#!37bdYhd>abyFp3K)emZgNmrX&JikaG+0nL_MCq}DS_fdNJ6-w zaRDJI=<(RCCp1Dui4(e>+ZBAIAlVQdh&w@?7=N|RzdWdjYWY{xmVCmw%q@TzE|z~C zqrPM(^6iWg2eWgMi=@u9ZxuQIP_phSuF^H{{y;sfSY zBrrY{&Y 
znj$rXZhQqeIlevc3-&>j*@wsBb9LcNR1XRLeX}rjXWw&cDvuV_pY8FZ$@Nd04ry7) z7J<(60e2qYn_x+=1SiWY$Q3y;#gV7R^?NRzpCdga7L;J9LxM48z`OMik+t_f@|TvN z5^bB7AdEzXTQE8tigWTjyw}^Zq~?Ox815oVQtP(Eltf)m>*IIm(A(yxrA<&cWpCyN z^I!e+ehK8;>o1F z62rbn^w~-dR+#6!A)^W*cE6*_VHsCZN&S-TY2m>HU6yMmRUPr27hZP0Ck{Sz+u}_b zWZ@I;om-!ocJ){9_}qVD^$U@GU{TDw{hVofgeTp33{NX&I-EEHX% zdLsBTx<^}s?Ot(6liVi`j1|K1qGt3cK&S4h6X)R*J^q{Y?)jqt}v`(%-F@fc|t(eU8|An3 zR3xz3kF|!D#Eoz~fT1ulXcaSB#@M19DkYNzHbolboQxaS6q(C4L*>QR=WNTv=NX># z1o+=8yLDk+J}*(#ZHb`{e>*igTlmS`dh;f|JKoB8f*i9zA1JEC=W|_26vxNo#yD#d zE8vwFyr<49>Ajf1c$IQI=^9EWX69nvn|8WsQyGy+1q9ISBJO=3&v%X1@X;IJtKY7u z=rtILzv)xSCn7#P#piXS;kIc~5=m%LE)!|kQW!dgcy3)?!+EuX;B$Q0a<4e5>KCHX zTuM{Z3%6^ZF{^oy3yqF@29@H-P+Ymk;&s{7__9pdoUoUcq&PS(v1uBWa>fS=@NyZ1 zMv_sr6Bo%bk*=H^OGq(DxOh;KqrfVR$81VFYn2Hl*sqiw(Mlu9bg`MNKvm0;AQV5s zRXEIMd%dE8c%G_QeZ>9)CpP;P)_}>3#cT9EwUEx~F;e?&RU}e+acb6CJu1d#| z@v)R-i#Lc`Ooos~Np+evq0;f;+?_%*oVwR$wxJGhCC*azwt$$N4oW(Zf(H{R-#lK% zPl{Klzg{@eu~fNzMMuEcOd>$#?s<`T3H&!IbHAsu>HP9|{e#9A5FNZ6Ctk0|z7u>1&5ZWoJyf6C7a##u zq2aofR;e|@%j#Rmf9c9iDluFU&G;vO)92{7_nGyGCUbq+)PJE27SF$}dV|bZ_YBdS zb_v$tg3Pl))`pLJ|T@sqGr_?s5m2#u`a0k*(-PoLj0?x@r%WmlF&p)2zBSY8Lz&9_~7q-=5;a}T5=aksW zS+(^iRE(f@(5@&rAd#k#+^r@xrJlB~zGyFpy8up?W`jm_+FPw3@>Q7zZ38z;R!S4< z3}3Y+8ZZ_!?!V{NwosCs{UjmJKWeF!!xZ`>ud~q~g4pK-8L^D}-Bi$~_YC{mZGy%N zlV{l?MM`yFa6c&y5V-p_+R^d3XbS9#z`DG*D)AOYt++%kuN9Zyb_MpA7|Bc#lDwWq z`LY|I{SeiAvxrY2eF4r9R;_mk6P4M=>g4plyd9Uc$7P`j5>sV54r^38QJ8=x$P0CH zd3f~(Sk*k2zau?Pj0-v)`Rqd}Q>Uq@iB+jbpQT&fA0a@o6zE#TGy4XSj=H6mL)mrB z?P-=_@5L5r7SS)4Nydry616*tpYD6E&`7*IN#@zv%6QVv0sK>!D$aaVW@D4Ht@Ea- zU$0NjV?Yp^AdeoO(bL_cCZ>6df`IfFg<&jy7=}Y`gl>%zl z+dAY`7@mwMW8Jc@Gb&4U4fj4= z5j#=VsU1AbL9q{@i*g(xzS`YN^-Z;59~S@Ax^0#c73`#^WGf-R5Mx2TNpjqfH?dun zxrq6*FvTYbcKwgEC3^X%CA>-&X(Wv-Oz#S?KduMeF+Lxnfn@yCM_41W%Lb{0Ez;e; zf^gPM6~ZU3Da{opi#3)~_7FNG!dCKL9 z_H<-6RTStm>{E^io`73xYGsNSzfEi)cig7Z;x&(Sym*}(b$RHf{aFE1C3T609z0`= zdOtnJ)Kv~gHRf5t!P?5G7pv->eY5BlL$~z46Ls!ayv|KVGF{DdsS~~uJ!V;P)w 
ztY}#gu+`Q{{QBzxRr&f&^#$3kY@DHLU}RR~(Ablpm^FYqlqUpu9S_$hnMe-Lyz^qK zGkdKsaEJZyO2TWhQFf#QW{-VfNO^zMzc>7sDqoN$cN_soxv5xp+_3~qL&rxqn|1iL zxe+JU1~cD~;CYg3bqQo`7IB|$vS3immpWw?r&OQ5Wk6r{@3MF~m#ZX7`1%Ae#V)gU zAKuY#&4C-BE*9ixf5XJsl&1ubhFbH|dY;REmZo6NZAos~p_G)drLL)zsJRz2-5I^~bO zHL;`&oBrW8h9~^H_0DSRMVQ~(5xhHN7)7Jui|Plg@yph&7ZOKj@P^3(bEoJQg2~im z0BcjWmo!-VvM5o(kLi|ad*CpZ;1f2{1@@*}V6NU+efI)&q~Qt*QwkbUMsytG#b3@;C200m7lW|?zrhrn9Y%(J(+9D`b^^Q>l2`aFSiOCFEMQ_ z3eQnZ{4W1^g}wPaGi;`&j!z}T-iTk&bGK%&dXLIq8LbYxflAM<7#s1p;SMU2r>FUv3Oq+&yypfH(PuQ zZBh<6kU8L5dGoL8SR%coh#dQCauqMw)h>Ctf6h~<`l!UVLThn;N%QjFZ{WFm&h?VGOi8xFU)Y`WYqJmP%SjRdJ2tAFAqce(C*D7T3PVgx z{jssP1caGRtp9E__g{TnAQ0*6NLMZ+NPcX7VGw(Rz;Atn5JBRwfo*=)r7J9nlysvH zBS5O=T35N%z(@Kfd%vcT=jpdY^=vK~;%7nVjXTW+Oxk^(j383%>R#S^D#3v$+BOYQ zCd2VohlI{)9n|+vVy&Vd^*}oC_C)O=@0s6?DAhNp{OT+PF2g&hrh|J$<;Hk>l2;}1 znzNz0`GVTdeCUL)&Nsd~$Htr4_ilt(%_d8zsPnlEDR5dU8@uYoPDFe;|VExEg^=O(nr%V9!ZveS?jGd6(b=xl?SOrkYb%BiU4^ zh(gjIoMw**vLvp%<4vk{Ukru;`DL5E_Ng&7#2 z%vU9D*d%{^&S2)TixGew_}Da;zI7K>5Ye;m(z2qcD!}CkwhZ(^2ST_w=j+DbJ2@fK zB-GDYc#p*$aVoM-q%r&5Md)z-34MjT;ii=g(qRF9#mbV3@1-n3vvDFVGBiJav?8ca z*}LVQ!Au7j(x>;cNS9SRd9zDsoh7f@XAijKatz5pA~)sXmy2RjhwG<^XiReNEufgm zhk7K2`tlkN2;a(8yb7w2eMT*8`LD!;3)&j&RBU-0FLU2gaHPw5ptODa|MXqIiMeqm zF#B+;9q8dc@>^@T-o`x)$QzF0zGp-ALfG!=N8WlJM%h;)0-oMWVcLlD)v{^zY3|@f zA%gdf{6XlYs9ZP6*=kVOng&OK2a1gZuAN7AyvyB{qd` z*4Pc;s%YW`yMy*)99Je=uF&L0#OW0Mi)OXv+QIg-?MNG96!A?)DjrHDO?Q68QyIXr zCQIoPn;>gtYS&0!ME6~A9Pu#rhJDXBVAa+QDEqR3F0LHp<#}@{Wv6vmd=~#p zOX1Ic^`C!=aUn50X6U*cKIHw3N}d0>A^CfC!{qogPkN09C79FN^_dUZk@M@KTaO9O zoJdK{mWVUZtvs@{1=I)Jr~~+W3v1vIp;PD*8?AiELgBeNeZ_7tnznXwroph{*s=sdbFZkRd&>L9z|d z{&ZdtPthM7a2l^7nxgD~QNg z@hj4=&f zD^3f;AMH^?`*STX{4J~fpQj;LEaoOF#%ubau>sl?k*O#2A)7UxRIOS!@zdLCiZYWBauIYY?NHKp~&AO+hr@Hl@|L{ZH%{PwXoYDW268-nfalcG5<5F_x0>j-H9U|?^GG3(_w3L430(m+|9y^XDx7@N;6j8~Iur+5u<#0;Dp@pmBC zG{&Fr;oP`ollt2@#1A5by8|Wk?VB8{OB&t~MSF*zaa84IIS3yyNpCMvuj96jk`q^F z`r@>`XejE(?`+%}Tp*S=P7bf-Csza*oOIOPI~yB!88c;}7D6<8X`!>`jy;NSw)n5G 
z+MkKR_dfy3h89X#3t*HR0W*?Ufd1sq*swxRCkuqvZcH??s^9FvZ6pw_vMfxCi})r! z_e+^z3Cl0MtJwkrDqTTyr@dI31rntF))%~L7sr~ju4U}Symu`ZX5+Ux-uGUE)nD+Z zR!JO^BdscZ}DA=wsiW}7f z;wyWJXzZe=j=EX|ZE-GjQqIV(0}oy|MrI9OWkNOpvHplS%c+3zS$6BWp&2n zBjkuD5yldablma2$;#7u5hsB-AxZZ|WUX5}4lJ4$p-ilTiPDo7Z+X9f@;K3_b4=@0 zlJxM*rpSvd^4ZUYe5{FvX%&9?sysVpZ8w?N60|AD1|P+fXvI-bzG&Owx{z*X{HW4^ zpebcD6Xj3)d18(u=9`tvUwiof2@t>CK=p=5R!x3c>IFjDF*_-J*%Ks6C#->=%4xqe zc8f4BOxA|jHxZU0m#hSxS-OE@+a`_tao`mVKuzN(Fdouvlu>$y)etB&21QWT#c6I2OM`ToKAXkvc^YS<-Xa;=i!uWV zu2wM6=d!v`{a~VyRq(kikhdu(qZ%Il^j&|ufn?-Bbf8CAWKuml;L7vloMqt(@F9p@ z8Bd-Xg1>LYQi{F}23Uu04cr7mgRU(=)`Bv#+XeE-3#8vp=pH)4ntL}D5S42jCEdaV zg!Z%!-FI?ur1C)wr@62!{<1j;Wd$2sNnnRoJwjg_fKq0s^?5J`T9+=o(fNw=alNSi z%aUG~1C7o*Qg!2U-T6?W-e_HIJ@)oE^Zc*z^R&^{ay#|KqoY}7=p3x87P-1iV`vnph|~nFUy$daQ}3y>xlE3(_bRhjlbbbA zlRY^;Zx1t_%ih7GRScpAAwg}pS{1yRo!ZpPYKu#!hklZ?yZ2nWYbiO~9&cyF)k}%h zOr1llW3{|^kIl%}DNc3wB4jEpP$aHV(P_J|iP%)jL|(0guFKGgUxvWl=L{tt#I!5r zWQ8fZ)NIu_*k3jsTGD`m!5qB5QH9>mpAjCVQ`jwTFS7RLdGMk6*OcYK3zCd zyx)GoBCD_C^9aLrO0P=}wmyhhj`+}yY01*Zr-;aoJ+n!IGp_xC{R>eMz-^t{yuXqx zp$_k^0biYeEPPw*BjIZ0z6__6vgK`d#fs=$m52~)jneVA!tWeA2Ud;frM+|JPM?HG zb#ZtD1bf8&(rHJ(2?sR>Z!Cr|W>rnGi_0x@F7BmaJG+@G`uUsJqTHy)_3Ek}lv8Mv zbk1U&>q^>9?fA-~>Y5h05!ohZ%87y9hf)z-!c1xTnFc;l*^!RvT_`-^(MB<#&7X!COp`*ZCYz^T9m4FF;dc8 zdmmqIVSf6z=Kp^O_y10!dhf%nVWX0s%Nq1RlG&tl8S(N0p?x~UXJF9U4vo5I@T3>) z5`IM(l)hj^g19M+0_JH5Mf^o+N`&RLw8!DFe&TU`#vQO08)FYg-wLa)E>s+jV|mfr zZ&gp}Rdvj0wQ=9O3}^oH`;UjPyX=%+(pvdquoyfc+T`)hN&Tqdd}imbi@l!YG(^49 ztQT=p6)bjT*az3OA5q>AF)H3`UfU>HrCV+%JlH^#HB`3l6IMh&WD!V`g~ zy=kOO)sezVEpD2p?|o(ym)A6uCfC3HX+n9A-3>aaL7P=|^MOI^m**3uXXaf+1Uf}F z1Fv+E+Q}`OWNvMl8&hVAEL45%$@B9Q5x!bogk6&gr*d*3m`YaG+WORZ)DuTFZOyrb zWJp%8*U}GV6b$Yt>pV%6Q4%=rt1Y7?yy>F-m4CHqzFIW9v&q@f=2(%w?9_*W;KnCC zv?H5}B@}Ymb49W}x{C!OeO1z~i)hM-D9#SUp0ZztcN?P1{8tg>#h`XA_*tzUZE zI;X7jTsymtqs&S;DdZy+PJ= z$93)dlwS~^N}Eofb+qz{;t)RcL-!BYW`oXRD{-5u|GnyePp|ZikkH2vX?0&EqxdFv zx-Z`hu?@ZDP2DoKWyR~#eC+{!_vPw2rrpR+ChXAKVvI@c$aUPhMj+Aup4!q4V 
zt{O|g*#HZ36xd*-MH~#!fXtvXTj_A z#|dUS`qRZ3#ab*vt`kBvkqHLh-c<107wtrIce?friB}b2SG*~xW(PT@5(4ySlHVYbp@YnF3P-OLDAL?810i0PKTE;(9w(rIs`?OSw zjs426T_$(eYR{vNH>o^vW$tU_ky-Cf)groP{sar-Lk;MMu5W!jN*|Y%tjxC$Ruo9U{vYuh9%#5@q10t2siT=rk-O_GITd<{S z%Z`x7_CBy(IRA%m7wz;>X#pxAnRwP5_KP=^WMNo{@kHvuHZf28kCzcJn?(hye?k;lA@ex zxykET%}%#|#mrnVQ?~25m_94^Hr8c3j(uN6^rJM)o$avG?dqJ)P3{_E33vqc&A??SMvYS)%fu zkUdLJSt_K_!bYdJeQ*v{U&B|z4S2`2Z*)qOsJ=5=Ok=mt`5K4YZ0Kh9)BU&%3ezHL z35jleZ6`DtUX*F&$<8~QSE+u^=}N}%%zM{$<}48T$mW}!TDv16ou|5lW;L%5xIEbB z94TUdw|Kp$Y^a85PattFA)<5or)7ht44M8}o#eNcRZ(og_q`@Y^sHuujk_~PR7^IU z0H^hWHMojc+y0hFhHsr%NWiSFFOF)vlThlf2xvc2l#nV0+QWple)-PEG~p3&v`tSm zM+4(KHMdnFP}jt+yr1ig$V#m$b2Ix9r82xSp~9fhCt=gD^)gjS(1CQU^k+wJTuGZE zRh>t#mGDl+Lv5N)xoIvXnQxTg6O5d6R+eq=Q-OLMrn7_C= zZpvJR&&4WOrbDr_-3b;f7qvq$x@Oxqq-wq+^mr$ZmCDOZW5of9X9?tZ&*!+4`Wl!^Vvu-`j z!LTy^rlj2mhF8iIof@-@f1do_iRozZ0>=0i#DG@(@cx!k)I3J7*8FU%t8nA&JAgWEd zQ6EU;#lxK>jWr-D^OoEG=1H%}6YKbGG<$efG3eXLzO)wR#=`l}&kc;!ZhbyV5hb;w zVKgBleWOqVyCkHa#a?_y&)j1J<+6>5cl?q;w~-WU^ca0OBcMTUhAE=LZt82RV!HCyt}dMWcOkr13*=pWr%GB;HCLiYi}h@jid}RU5~ez^21g zYNb$G&K>We2BV@Akb{46933t0F@N1EnnSs;sj+KwJ!Qcpo3maHHA|rGQzZ2f1*0}4 zOlEXcQ_wxuEa#tY@t7!LG;Jv|)IrA+)j?woG>h?%(_qxh3k>O!5FUg3N2xi^Ar7bA zU}&~HgV>wedzluI>v_*SP*A=UZ3D@uNzL3V=5%VXO?^Cw;~(%tpx@*Au9G797UJP^rPm8=&DBOr-+;D{HEtk`BN)Ze>(#x2zT zJ|0_-J0orIsVe$UigOLim}uz3ZcNWJ;xxKbD%QW&o_Gz5^Dk>dMx57qu6Ol&({9hFPFoOlMEgXak!}#r%nC($^^?kKGQ8|+7vJ9wD>920cd3=c}#GBCn?L%9rOG zw>nZgmT-PP_0?N4ZChiF_>qYrl?zcDwK3G9253a;kFee~Wl7gmG~pqnS+?Az*toCP zC}PKghj(c5keqfoDP`lnBDI|HAv4{NGalJOWJei6!Kq6kO@c!)@xXS~(L{Fn9G7 zV!ZbZcnrbpaZ7nuFl#1Oimy$@%CBtolG#|=yxzuwt68&T1x;c`?-=!D;5h!TqdtFw zlwyR5vrn2CNqVzNEB3QW*B672be@&Xgj`HI$#>jzqxVB?Y)wLltC!%2Owpx#u!toW{-9%e#FdxLU$8&flxdu2{gFV$S`4Pz)N9_W=bO!Mu8 z^bMJ0_br-63Vv~wp+4oDV_qfwGo(UH_>hypYh%*FcNl9Uv{6^)VTOB}z7&%v*NJXO zHq3FOapT=49HW-L6`RqrzLDwFXNHv0;YQM(S8|++YGI!ab8_H|`QjPJ0QiEB&yb$> zE79%7^)S9yoLEx*t{b=;Kl$|>UL;{1_Z=xG8afy`B#C=Jz-x$ioS0>E=2qX){KQgQ 
z%zQ6~mAEWh-mhT0LMP6#6W#ao^B*qOpl#TtQUzn;t5-N&^L@=fi|mVY?c~k9<1TPb zQ*$UC%Cdc=`b~!fu|hxY8gTd>rf!cCw=D@Da3LbjJ!DKi%*S}QiOAW(>Q(rf+GV>x z*a-h=CjBKFUS-m3PgBQx6T;$1_Oo^h?^yTOEkaPOZ|QqDKB4YT8XPT3x7{LfP158K zBEbK;&91<21nAy=J|tfNtr?rTIvsg{ood3>?4^?3PNU^YUI?L3JjSd^#(d6q-^loO z&>`P@KmU32M6_TH$z3|gZLo7nUlx(XsgAh@!>tsYx+A&kI1ln(aX|CUDkz< zN$L)T!0w2Y&VPa zISP`Y*TKl?l5H*d>XwLEq!_-D_ML1~V~<9nl0nN{*6O!XE$jnIlC69IGT{Xs%KmJ zbIpO@;$t~~7Ya z{qgz#<1{a)B3(n9uHvu%>-qljcVgQ|z!H1c`O&d|egb=iikLN_;^~1ul_`F-9x*#4 zSG&S05u0^5xpLEEJ_*x9<*qEHE3H0*%g_FCcfco+J_LN0GGGvep%p5df|YecyP@wJY++`8eARZ{Hb#SPZyKHMg^TrQxVpLM(96-!}r_=JQ5En3V1{rUd(EXwt4pQp# zrMBSglfrKRGeNZGh^;4(o@n)=oo(Wp?6R^dK%KRWM~p(x zQOlm#ggIs(n7pq-rVtNgAmhLj5tcG>I!MEWFpV&IE=z@+0QkXdMSxua96!I4dg=lg z7lGzlZQZ3tg^)UsNoH>8X_~(*@BhB&)5wzqk_HlGqbY4g8%sb9A8iM+3^b)E!}cU(+E*LgNqrC> zxW$@_eqVxAOndatsIScSw|&xA)%{Oj`rCitni!>G_V08l|pe9m}+3 z`Eb*j?kqxe?pu-R)SM;G%q}PZW0=j+YF)h+VQ%XPT}b?_`HixY^Vgq`Y3uAF))Vk! z%I;Aru}w!pcSR&&4GsbY0zI=pTh%Aw-yANGxC*0fzuYWnHQ7v=7OK!@LeWkK9-gT= zjaNwtG4U&~#I*bNAFU}Sn(#oY7<}J|7I`4UwDm@a4by(#o@y-q+AN}b+v1?8tP==3 znfskwq70$rU#+m9yY2xDY`?(~Oup`5YapPZ!fXH$Y?%=C66eTi7Mcx}wG>)TgsB9y zt@3{~K)-bb;DEq|8nhcNSgfL1Rv2PokH>VPnSFt(>!h~5iTArnsr-xcSlmC~EMhcA zcm%)i{@bI9C=@%fPajju;Z0@@f<#Z{$ptzgyT>AIYly)yrg9CIgCe7B!>}v@T86F( zxB=Kpi;i2OW$eU{smYp!L1e%&bZN z!1sPC0s@U9XW{xWf%h|p&ySuaL-d*l(T>oOWft@?`{w|6I5+w`VMHoJXA!)tEuVR(9X-R7M3=2a_xCmVd-f1>BSyP+`W3s%nPy%0 zw9tI5=Ue~0u%K;1h1{j_lEIYPRBPjR|&Q}?jy_MH|#ms1eKjNja9iV{}gi3VM)ieMtA-8yT3nfNz1snmEn z)ocg82ZP}Xca27#1EPH}4nGpA7gd`-3|c7O@XGUMI*}0~a{%?mqv5T)n14FN5D=Lj zgo55xCqM86M}ZIN2R{fCq#SYUM*;o&tB8q2xSn|EXdxP16*Cm)UTl}nJ7=6H2O*G~ zh(g6;@z6Hg9IOCn3+@^$U?N_4-xMM+1AP26CSItlHG`A8Jl6#A=l5DG_BrT1EjBBiGeE4wCnU_4#J_P;Wkqp;uqqrvB>LW~N zoo0E&c3J;1zmBSQa1u=% zh32zKt~c})FCM&sVsHkr8o#Nw#0l0I$%!};TO#!Q32NDcgN-Bts zjHN}<+YP(hEqpvMx-p&M2dgtpn$zq|fScL>fLCY~8|F|hVsQI0qz!R3{+t^a#Zk3d z%Mg85t;p&n(2H1t)E%a_e);Z;jaa}A5gKio8m_i&GN%`4r529w>dlJ`r+k>-^>e-L zCf1$pX?)`B)AJWzaj72t_@II^HK%o?;#DzPk2c_gD}@2(ScT!8v 
z4Q$*PA&@{e>4ILbgZ81V`vlw^=*_j+S)eax0ePec>f9N4r&(YZ-vhkpN0qNAEGHhs z-6EwDnja|6R~a;8FNs*sHE1(l8msO6@PHY(>M16@xwY(P79SixljLXWOzA^|;xp0U zs}oV|S%;a8FCXNSwSd%!B3ZOHg(j8y!nJ20%u;mDq1u-=4b(PH;y>OXJ|VVe@BjV} zzd4C~k3!Z3>wym+vL*VNC46FR?rrc01e5ngsRip;n~yWir_nnAQ)ebdIn=Fwo}DO#0Lped_5OHAiXz^BAmz!I9$pet3Jx}n zvXUbwm|xKJI(1r3=FU_F>ZGSW-sV(ztt!3OhF9lxQ>0**kLPZ)`4zD(h?Tvdk3%1k zcGSc~_H&M-DRLv-+*+nyi%=LFM|9JV5FQJ)4@Ya{=r%0e=_ylOP^zBZ*K^?5*-Y?` z7iHTNLPrlWWpKJ|*-bacdN8l18C#0hh@EaRtW#<-krN#fAk{bPFK9VM++{xmX$p{n zdNUfat|B}90hP3aE1^%>smhMdpZwu6iw%DvJ9u1wGe=R=5q8~@C&&_+*7o1FNxVF?M!+nGdgX zX!hpl$%doMqOj@;p$l*!_K}o#*jmekZL})LCC_Xb*4EahKPr@X&3rpm^vhxNE+Pe0 zbcAF&@J$-oG*iyWGy}&%6DXn@7n!aeTRoKSQvaEr|KQMzJe6V_6MV%Ju3`!yMFTsX zK5>Vdb572K7k{{FZWS*to}g=1uo$_+5c%jsXNp1qSKcARX#Vo92!oRpSL71Br~B;J z7rv&`>jzdU6wXNmG8J+wjOW&AqSk6WP#WvWTyGJNT71b2-<6+RuhHr_)z&EeE=Qo6D_r-M*{6f9 z{pc+?Yx?M zvh!_;e#!Dhb+0x>vf@mnt}SR)zUrCj$x*9aLYA$|U&650#Rbzmy0BX~_Necw&8q)k zxvMK)%snb~1L#2(*-Y3U-y&{eC#jO;5`7~f!lzrLbLBdVsU)URdl2GD7!8+!vwrQz0Lr%l4kj%Q=kJ3nakfICFgY6Diu(N*K;?&-K7%+Dqye}tr zU9Z@@p-b;=q;n8O=#Nj{9-^BH!|igi*0nEV_nNq7A2!a{Z~1i9YVtMX@azOto?@LJ zRi3Q(sPI>kfLR*!6ZEwfa8qwABaGAF$9y)L6h!;VklH^z08{spxh5qB4@zO8R6-Aw z=h(})TG_v;LqlckNh>^W4vcLTFOnRgEI2xwARUelW>e#0rQaD3kdw)Rw%Hdtm-UCm zkdMy-k24cCZeN~B-wa5x*i^5<7@=oIP#j(d8-zisFLA74ER4>4Qb<=dh<4dXww~+n zp)DrrI^5h8j%o@tRJ6CD%|VCrnW)~eT)kAL*F=|s#(W5O0VpJN%{g}#q~0v|PQSS* z-n%l@hD?~%*bYs}fyd;_Mxx!!G+SX+LY}=l6kI!L6 zpDIEaFeO!uzQdEx^P#`oMuMhrQ{YhgsHo$3oKC14QMC)%Rsz?$>8>V{R~>rzROKAi z=>Ef(Q|fQp=zQMhTN-_^t(?McPLj+Z6`~2b9E!lGlqy#28xQj|AJvjImH?ISgArIw z0HdOg7#ocPE)kd*lh?Qn6S5d2G+dU6(4Q|^_H|T>(QOFp1U$>A_5Dl1{myI~M<*I1 zrzL!tudBFQlk}|$e7m;qr&0LvyF;grth@;?q?~(sxq=Y2K$N18mOb7O9=&jE&rgmW za*3YsBU(wO^@~1S{q!ey>hCGQF!4ddWv`#@?%%)h1gNxNM%UuLR{S`T`cLSEpDFnN z|IDAheR!Xh%MOpGrlugr&*%Xw&x@u^oSZFe1;a#wP-$Ll)VuJ56zwl>wuN{pBDvIM z+o3Jfb$925$CE)AL6gqi=BEAG3HyDe+>?mx8`~ReY7Ux~z`y=z?!$u4tsw=*dn1o< z`5>q#_W-=D4eG4CBuy!hWka%(2hejb8e9CV?EuT><KO%Xq>Dnwr 
zQj(@g0Mw5Adip+PBfq+>Up?e7&1%$NU>@X_H#A70sQOjh1XmZ>87F?6=Biba554H1 zZc~&Ah%A;N_PaT^an+!&tz%Y3NH7^H8|ck9GlOf0)YR+b|1M$vbMoLJ-A9>E2uBKd zR^Kaiu!cpu-yR>xIRF(^(z2!Cb>&VkD)v0+1)vmDL{{77I{4`*wTb6nya8?I1<7_)_;wQgH0(*eoPZuAGI7CF zM<#@+N5xJMLDGP+*uyqKRZ~;*IPUAEh6fv4Fgvs2)dSo+L*NoUSa2@3nSC<)=GNLw zk2X{srKCVuYMX(A^J$FD<&%T|a1FyLt(HAkeQg%-)wmJ-K zw!qZ|g@ou&ccx);x8YeriN@gfWxMY?pc|Hm%940*v;#4IMe9L|f_27@IQ*-vD;Ym2 z-2S)~s+Eyn3aqrIV{}5)LL~qye{OAUodMd_Q5i2@F0(-)x#*7Vjn$mzq%=i015MPj zAJrp|2BN8TE1+>>27YY5LYw+(9T zmbA@l)xD5xDl$2Z)x1Hnv<{RV%nBL9N`&U|T8`IC&D(qY^m_gNHXd&gTSO$MT?Yx@ zeB+J}4?=xq+S==a+078$!4R1#HT1|I0Fw!tooq*E z5C>7E@71pI&VuQrMx9qF<+BhuiiaH~BqVIYYq-kA{pj-SmvtRsBCJ0PW8BjUc3N>vv;FxXPA@_)S| zUSurrBBg8iFOv% zU;qAn=fWzeG@Ks7rnJaW!5HcknNRgWX=Maj$Z3v_FioWbx${3 zsvqI5duKWUlF@6xN9}?}swsS1HoUv=qS}J7w~{je>3S8>asTmA+~1vhTup1M-ao=hO|01G=cFb8o3lwe0A^#F28*ZyF}c5hZoL@zx|Ri)EtS-BYoV^bqi*!J1ss$U?pVv)gN3k?YP)!RvN1B$Qs zwhQRb3EtS_{ww3_l$g97>dp)eQALIi>`A{zo5R1J6A`^YC=Y{Ht)LI2Ur4*ZsxxATaf=p!xb_M{oO;R zReHwLFEs{oNlhRqnC~@_rs01a6A3(fQ^=*tO<-~`)aNvJm5xs^i*hT;R|r4OR11Sy z+MW-R?^mV+9*uWhfa;E=Rml0|CSVJbc~jg~tIuv}7zZ430Re$t{E({|K*}0vh8-Vl z0DA9%1c2qzrOMJ>NYG~MxtpvepiaFo-IWm?3B#3aDXKlVI+iYvz2H=k4Ny=)qSN*o zlVbWzokwE`=Vyo|`cQmfpa5#7#X{UR0eF@V0(@V#ju*D*?KCg|^uq8U&Cye0zibTa z%EmnnZzdnc$~w|$8V1bzSic23z!wH*LfRG=K02$-V#NW{3c$e&AHUeZ!{iVUs@xSd*6Gnwf5Rja(5bsjy3j{x=uj{9;yd%1tU^4v%SR(EIYFGF|P;UG&Z8X zoyk67(AaM}yKksFt&)xcY={2+-A9bV-#mP{WAWx^AOk;>*)!-vrx(sM?YgVh^zm(O z+71-4P+3{IFhbC<8yPNe)#XCbPbgN%^D&q3xV$UnjLI!Z@5-LIk zWGz4*Q4*5@#}9^~b0T#F&THaM6 zLXcRzW|eWZJ8j+Bn80?ZY#zx7`)=3r6wuFvwY^yYF7nR<=jdOOPJD_yEWWH3E%t#H zPkDQ>=dyx{WJr5*X<5|Tk6LGsk^*4|y#YyDQBnlb5$8pbc#OU_v3Jx-5GdEyt7d`^d|bfa=qfN@ zfPA~mTSV4-!Ho({tFP0Q>Nz(;=6tY_dAi3BHCpSqKXOWmtQpNoKS6Qq(tu)oX@+N$q9r^ zE7TTKSay;};p&cJ)gxENsug8B6Q_a_Y*TNI?u6CwNC6{SJT#In#r*dUb>T^DxNclT z8rSyaZT2>21gu{mi!$C?OObrZ&;|1d-W&6fE@^HKD^%N_1g+$W`VWrk!%-E`u97}?rflW?hscM}UtA9&n?dxH zBQ>c${^%C!F||w zP(zC=8b6qo>Ux>kRPrS%Te8>bmZ9!y`?L3T&-E<41l(~yH+a?d!-+w3;r6mNZ9Izu 
zahwfhkRlT)w=1dmcbL194Ahu*Z$J|xTFxs`jc^6;nV}>mWse`xLO)(fKOpB*QuZMW z#ag9{+OHEo-jNei7LdbUH?eSmX(6MIap(8*>a(c=)4Hw3+~S#nReuwv#th!)IjfTR z$QPvDw8gB<9pyV{lfqFsLSxsBBh!O*#fht*B*O0ZLe=b^droJ8g`03|6VJ6LN8R4P z@>1ztSI^l-?`r#KVN@XZ!ZT*JZ_sIL*%wI0NU~Jzj^#ECNDgieNdUxdE$hN9L@) zg856>$D{E|IvNJ*#dqn7eRcC!I5b$WR*cMo59TX^z5@v$;EMT-v=D zDMiXxxcGJr|M4;Us2*)m`+SP3swwl@*E(hO@s+(^LVT(z3SL%oQN7E9oOt7R-^rZB z8G!X(MEmDyNCvl`$(5b&Gp$TtX#o0GoVRmL{DRXNiNp92O@{uU%6FHGxlH%AIV!Dk zr%#D{{Jl51D`@8*`+6*Yo!m&!+geN}@RVe#*b)`TAspwC_QW}ZITP`|rMq$R12kSe zg>DSkT2@@hZbt2H!_!l-V(>PYdNW$$E9GCH)@6AFhno0XWcLe_M){*^B#D*x+meZn zEd_GVWPQq;$Gb{zV@PGVM`+o-;~wj!=gM?pbg`Ta?XquTC6Jz&+dgBy`OQOD4^Yv3 zK6^6}?c>9EfELN$s*dk&X4@(2oMAT!RWi*gaXT^2;Z$mBD*l)qYiGMw(FV1#=~1^m zC~$~#zz2S;+p4);C7g%eSE)UB58hrLquKBEKzsFa>f^qw;9AB>PAw-dRBz85zdZnSHZyOj&G(=|<32*NgAH`Vu@PHJ2% z<&YNa@F?H*jMR%E3d#mM>C3#(q7PX7~Q7LKOCv7q{hHlm3 z>4v|(500Rbtcm!78ea)Kx!)?jQZi*#)#ejf(%NKfouhp5+ZOTTD6cbYH2niF8Nihv zLP)SJvK6OY4!@d|SlJ7yyFJ?%U2J(^4`hA!OsN99zpi#U-S~F5%YP*fxI&R7lD@w} zUp6UY_wa3NP&pTZ3+q1^O0Q0stUT>c~R0`J`JozrC zsJK$tU;5>tUh&PoBXAAM%K;_Sw7>lytci14N)@g7#VdAbrS=$kW?2s zd#I6o0!ikKXU{{X+UqMTtDTtIbQ2PpuYw91G8OV%A&f{k=H{YtyPP?z@hN&`;&egf}bsgwQWuFwyZw?QC1ar8gl{Cl+`G>Kv&tYiz}XNYCB8r9Jmq z#Z_LO+#$K{qinLf_}MscA1_fYHa~nhiOs19oxhzONZ3DbUZ0Q^qG#GXZ$1XRGTQWE zSmTtkruk?*u>yMe{(eEn;%_=sO&BNbK~r?(kjxLGM2ubh4w>-Yuz{N9rWU<@|p^1quQIhdFk?F$nbh zeycwquiyTWUvZ8nyUpgQ=^Z~NUJY5!8tD7!h(CHQ@J{vZEBVF6C>Ldomf|9@No^=|HT zV}+T?z5mA@eZO38?|{!;!mr_CnVYBq@h^rx+V==O7|y3t07;p^$e_@byeb%DWeZho zAz+i;5G-r~AliXB0iq26GNKVU0V;G$z^aSiyg4W74{893>u0@$cWbssQo1%Wiu?YdUE90F+-Ty zk^|vGs!unYlss_Z&!0s4gPRHt)55F)S|cpqZz%Ec_Qx5<@8v`o*#evbUcUTG25K&( zcpoe*c-0Rz4Khxw2nLO`Ac>y=B;-?%B>T1rN!oS@tU{e{4>o`c5NUd5hwJTIUS4wW zyKv#|PA<9LXff;SNTmugpC+i!_MHU^(CTdBDe;ps%>>fIWW)>PgQQ`Jb!j&|i;ZR+Z0>6-lxFI5^KC zyy&N(w@HVXFC_xW@~yB3#RrQuI@KCr(c^;ssjBReIc_jotrIXJ0SLl^l4kFAM3!rV zqy&dR@KLE5Ial&u3lc!Q!Vi)U)OgEV(Ap1)CiGJOsFkQ_W_dIK4qgR`hCOAXy%50a zQo2RAM};=+e7NCWqtNt;1`rFV5`?-VI2&Z<8cw+S*zY0Xc|y}ZO#E2i3ccIEjBIH3 
za-5?3!9*Ur4V!Y$XS0#NcAY$whn_OX0yW3uvy%5&pLe*4m&g0eeyCnHKtn!;9;l*{ z%mrjo7vO1?xpjQ?{f9p{1)RpazZhcej>|fwrIJEoO+u~8A^uw87e1jvD$ySt45PWG z@H`1>p^ZQP&5x^s@cKmq_Aq18l^p=DCHfr+H|OY{H)(B0@aek8vyH-895UbW`CPTeB*0MlO%i*FUMVd1>Q9?#K3T-?p{}i_G$R7a+{MS$qbq3+o%nf_tW0 z-6uP*4UTe5*B%&Odhptl<&JB!r54M_7d)|lB%FU)$wDic!?UKw8t#fnL_=1E1C@d{ z0S$68uK@&xz1LqYSFtFtvah)~i0NW2p8QEV8svaX{d!}lClM5cf$|fpx4m3K{&a~o zyx)AY%VIf^{sWC%(9%-k?2zkwlEf^&;;%XUqd*gR&W{H^kYQlm~Q*^n_-Y@u~pPqqBwS#yR6kZi_a|>GH<%8|ef=Z&5pQ1D`nc>(`GfXY5*b zS0(3vv}_F7(Nl7w;$xbf=5bqtBP+}4-lc1HG{tjT&+HE}k5U5<EwcW`~~Q(TrMxg@$rp1y@I*M z&3@1cM05ZX_6y1vmxk+~Y-~1upxlEPU0OhrIR6b=K=-s3KiZT(Rc3GPS4295%TMrs zvl6Jwg7J2XK0oZ<<-d@WV0vx;sO!B@b$)rdpjQrub4kjgxjj5%l%c@`p9lY(U6FcI z1HX>He-d$m$~ba(xO=pFF`{R7=c)^~aHyzl-PpF%K27IQ3GT|~y9KVgJVO(c1J31v zu}ce&c4nV1FWAL&uw&V$*d~-XTg|kK!2kY!FsF@!PTd8@Yw*~cEF6kg$={P4%219Yi8VF8mh$6X0;A|KDBnb z*ZH(~+33TG4f|BW@@2J~XYA#_@zUm0s{p;88S4QVnmQV{5Y%vUL2hK1J z#9lC;B*q-x6x;?t`#b;Avu4h_g?vL$X=7)sjQ zibxrIAlDvb9082A2%%4s&j%YxeFdVa3Koh5oTe^wpk{IeN1W0e)5<<`Lv^6p#Z+@Z zA1QQ2_S$P2f_zFuYb&DhbedZZ_{oy!D0In#5*a_$Raom#GPt$X+jw+LN3e|aM9Ouf z6Lh$w2vrr8B0zgX^1cSn31DoV+!! 
zPG@XuUUUHlb!!Ru3><@jqGn0)5&VvTmlBUj825l%t9q4S*uAF|rwp2)u z4oJ1o;&lSoKxI^PR5iL}xy!ic4PJJu^9`~|PloFwdl2(2 zBja@P?-aqw_HHpSe`nC*^ZFyJ?T=e-Ko_TEGJXNV-Q)rNe3faetv{Xt;zMJ1&I zX#MM$GCA_N5`<>nFpJF|I#@gm0j6Fc zFo!7G*@NvbPA4H(m%iu+QkI&kbN_G3Qp`h7skv1SIBVFp>bgg|49i zA}D*?&NK^pmWh?qavn2@h8Iqg5eR){pSIS~6-4@h=mL8L31W)IvFB zyVYc-#Bl2763~zHb^#h(yP(@^e5GI4$soX1m5@ctwKsHB;NCjn&H;*Nd2v?c2S z^`FPn60k@Ldx>7VABJtFHaM9-3c^7p(hU>8?O@I~MjJn3D-RN*k8O0t;V6!7Z3|HU zkW(L$<$PC4^y{j0n>S#&xKD?F%1K-U#r>@;A^n0kEO~kgy*Pvu3!Qxc=`K(D`pCm< zRyz6#1;=U4Mx~>i36;jQsE|pv-{gfq`R04>0Y;HrdQNztOcBMtWV*JyN2{1TVpflS zMcustrW*@Wz`|ptQ4=(ObVvIErPT#JjP`S*P42EZEy_dssx@nu+Y4<*j7(#OSh#4zm}o?FrO`E%d4&7 z;-;l8DTeA5ptIfLW5qzkq>^Gs8lucLr#IK-wRD$Z7W)}COMotaR4M=CzwUVl7+Kno z9)^i$U(HrBskNzd>L{o!Qoa0%a~r`1s;+{NK_AbRB1n`q3#k*-3^9)wc_2{Rh7 zhUZF;{h>a>(3DcQOa#jm@&3u#UGyrNNiFDOYl&z^`|D7}>F}==P)2DfY(S#~x;EFZ z3XU!7OP4NT)SWnDqCZ{|JjMPBRB8_RO`sC=N`e^rfCkrdDc4LE9SBhzlP+5TC(eBo%a6t{LOYe`PABFN@2`+?PKQqcR0ul#M{-4zq2K@Fvi3HRy76 zB?+#TV?E*2!e4_b8>3E!tmBh8W^tmO-%aNSa{hCT{R^fDC}DYzTK?KxsF47~zdK{x zmv=I#32kmFdvg)~Z86EH5fLMSgrw6pkNA~WklDNpCj2D4b!#fb z`%B)?dY28!i@s>~`hv?!rd(-p`G;r6EDg?g4NOcM?(3?E^|sQVgGQj}z?KT$v#+2@ zN~o|`y_EzA+}VDM{gL-Y8+8u(0>2+M@^$O~SW&-j;GSN<0ZSYHm@8+$HHy^R#e=vZ z231YV_Pj1c*tFu5&t*0iM&a@}^P~f68l?^iM=%>@tV_NiB{ROd0tYL)+RR?5_C-Ys z2&->E6K7U9uhu(S466}BL_0b1HRdSfuQXRc*z9#Pm(DV^pBmMxT+wmrdckq|E(!n% z)vgvgCQi50b0GF9+rR|vWFL|6hE_I1z!2=A$pXAFab1}@S(EDiE6-x~;!VSO{9!JL zahIF#);bLW_Dm0=F$1zxgm$4=m6DqyFaw>*{BFnJsfz@J%5QY8tC6T4AX10^3SZ(` z_W0A4ick`}`sU$m2_G95Qz#UtxA%4(?wx*8M+8r-ru~u*lX}CfKOY_UxvRAm*CVi_ zk9CyfT2wE;7r5}Fkp1~Huryo_J|0TM24+K~Yb>xf-@<<~`)a;uTsSe?ZnU}KdZi|C z+r~FLDx2!FR&tP*TciFy`cA$-^aDnb)M#%vu86u-dciW@^W9EJ?L@+l>MfwgT%`Ag zbHhOFX=0YVgt-%cI!AQ-)F?+I33@QiQ?~ScB+(-KD`Jcy;y|?J(rXZC^Z;;deeHfg7>+sL+?rU6BZ9i{I5Vf zw-8ym_Ey$yAaaoMX7`m6r=%S}Yt5g~{`b;w;my-8c0Zn2z!)_N%atdWyJ3}uJ8JMQNIA!3 z_~}C5&AYnAb|IC1=lf5({yQ87?9t$^b=NsWTQr<9K!NPooh?kKS$POlT@Not#m93x 
zdpR6K=0J&oimC1~;zoxJmWKfusRxT-V2Nt#!B@N&Ir~^{>LzqnSXU-ZiluwPkYZNj^o*SESSKDFpp|g!v-2uBeJi?PEj%hG+djNlFA)z3 zo6tbcGSZtf$J(absvBoJ>=5DRO?jmGck^hKck3Y|lWyp?I zzacpp8Ih@=TJ>Ao{<(g>|NHI}O)Zesf9OGDwWD#3juv*9qv3EPy;8 zY#>ktz{Q;K*#(VMRnB`sA{2`#ZZJ1W&^dC1_WoCne5BmjrHTxi(&*HnrdGGcP~Equ z=YDGWs_q}1Sx;R@i=5GxnQ4E2RH$okYgE`JrM$hx%7*pNp5?TE2p~v*&`s04zvof# z+;wtOw>6xofosTz?v73*I_P9-=YvH6 zUXDnqfG*;Qu&^-Ri&JGgn&)Rcr5PF_&iPcwF?;`%<$hL4Tpb^tYU08)?(fuHKwqTF zBCay_JY+2+4yY$xA3tZSCETSs5ynV^f0lzH-pC4z9kZN!@T2njm8Qq$QA;t}02wxg z^#_yC)8PX8qUxkVQGm@f(eNjT-@=hZ3r;6{aJ5?;Y;E-4uP27)9_0dArcycLk+9z+~ez4+vU_QomAo>EuGmmg>)RBQD`kAET0 zH7OpV3%?QCrs;klM69$bb$sqhsf+rX^;+rBd;D((-y}ORUKgYvz0C44py^P>#uK(X z{TazFjQFjI!$ye)rJvC{Sq~P-Yhp6j1mWz* zgX|^>;v8n?!pd_593mSzwz=^S#2Ja2dOevf8~7DPe;%HY%^aXBZWqRiio;^i@Sxo< zW_1+;av>t=f@N)-imeM;<#vY~vj>fLY6VWmzz6hEsn#|II8cL2Kv7TXD=%vVDF$#K z=1|$cr%5&!J7)`Ck%)Toe5^4hc4f40x3kGGlTpq9-YkMJ~~mD zt|#mg{_y$eWo9~WmQ?{jidu!fKZwsf8@o7bbRN8(*1jwiWVUpitxHv&kQPF5(E4!K zZ~m6f4!1?ofi=Dk%;_kV(N*F*UkQ2U0h2sw;@)hj*=Xy4g#PSHGFNR|usyeP{XMPn ztSNu7jXCV&F~mG{pvC`O|G(CX!sWg1oi)mM4m&w)i{+u7=$8Ya`7R@ejrYQ&^O5)d zi)H=#5a|z`21T>cyD=~go&=YX)J0H+pyqb(-fai{{0J|gwa?YusUL6vp(WqsCFl6> zC6v=7ZK_(F4I-xn1z0x><+BBJx2dQV+Uo_iXnA##K8Y*6ObuGR02=w=y@CZ_zT8;6 z8qZ0d14$T)+-(7nHPr3mh`3GMp|`V10+sQSj(Qz+8O~F| zehFHR)>anX=}TSh*uOXD@=X~Lo=y%AW2~GDYYc>#sJqAKTGleFpAOTz@fR8f{H}ji zLmT>N*uvGH&M9!yQPZoK!UQshdsvTLlX8`_FLj~X2SN4fp~mY!yM7)EQ+sui3+jam z0lhg#?1Mc&k@?Yz%DDfWErjc0$jQ2qE<(5m9Fp0gGJt~EQxE!J=tC-V(Ax^R%L$7H zn7wtk)LbXu0z_mBK<4#;D1vy_2RiTrRY42|Lb_e{?w;{|haNlU4B{*kzF@=sxNE}s zOvgm=p)`2^?%k!z>30ISOSZ;1e-Wws>&TVh?tm@s+|PQ#g_vmYI(5G=ieDju(Lb1oiK>btNFlDx{jZr?K<;Vm5vXu|8 zYtfUkcBVPqd$wKO)WrMLgxvB&&*=D~o37;d?DV@nEP7w)eU5^Ay~50^zr$Q%gKOo^ zpFsYv!y+J%8OSl_iOD^`{*HrHQd?0rJETj~ z(pIi|oFBgE>f%JPxD>A0!dtn9Xs&{cdNjUTU3&pr7hYyZPFNjP6WS-cO3bb0|G|;{ zs-&Gx0j0>LZohEn*Jj*8?YUcns|PTTVn}Yfq0Mdz76J}2U(j+gkkRn(wt>CqlDm>r z@Y!#r!gp1)vEHGgL#GvHbKNha4IK*QGY>W-wAPhXPwSf3`EK^oy9q0)N`{|cf(ACm 
z&gh~ki9ym-wf;n?VSodriO9!1hEaMbV^#C-QlI4^@H>IdmjBVH;KV}Bx0Boh4KdRz zuQs3-&xXpuufUs9ZAY8$s~{~aEBohrH6HVGxG;YGnlW5E`j}w<1?78b z1jSBU?)Qz}IBOyw$7@#ew%iJ+7HPry5>clm1+YTB>1JX!wAXVLxkjdJ6!Xd#P5J}>)M{Jkja38=U z1nJWhV+a`ns|$Ou4n&*$k=5Z4LKY(>GH^n1LE0aM7uE=e7MG(z~>PMh7T)c zh#;BNZ{TaF9((c=twkFS+Z`+AI*BwyB1M5_5qx@4uI4UG`$XTcSP@o%Hrt9b z)>eF~eDuodUGv_7Cg<@7+J^3lKHM)>BeThkWsECb)dayZrmi+~8REb(K5xTySBMJ= zc``?sCp+YRgUl*8z~M7`A=vyM(O6;NIlYnJ@^I=wO)WG9O7_usRKdWyWBGPvQ~^gk<76RV?sakIZ*&|Pp@iVD|u|1*rS$WfUZyqe+g z9F+Oo&8qzTE;%idiF1u9W}&pAlx?F|aq)ATTaUNM;gkKL0{wYSVz84(j+O2p>+%_L zLZ0?N&fftDi{9J+`;~_nBwlX+tJMjT!fJZ~lQK!>u|6{fe<9J;bE2arV%$8rn{zZrer<{$=flb4@HGj~6J#uXsTu5`FYiJqr#+%m zM|$VsWV0q1xvFZMTfd?fBO%!7e&g?K<5Qz4&LNKE?(&~m$;lF-!@r)@w%hcvCRt(D zWBwh&TBDfWXS^>A_w^0hFILn@n7wt7T=ERB{|nEJV}eIeraAkBq+Pk=KZ5MHGeScQ zE|9IUDZKCucd`N^R{-Aw8v@22*r!C~poP8$E+h0ma)lhX@s)-ZYd zHVsbc?Ssm&Anm`)*Rh-^$n8#;JMgEMUw=!F=-r`_1b@{7n&2lvMJ8@v2uXufm+U`X z2_BzMv`cLB2zqBu9I$jCy1pObeX%-vb@8>r_PLyZM6`$DGjvr4Ea|VoSUSrLc?U}U zR9ysJU@vdLP01gEw_jB;Jq}K{*Xzs9^V_~CDFlqelj$5NV6nsiSkp|GBhgwFX`)=zk54j&!}%Po7ZN(nD8D z!Sjd{wNp>M68yde_Qs+N9)0e>2GG_;MxvvLs+mV_*C1CzH)DIrC*gd5=LSV z@QC}lq|kR1p1(8TSJ6`Q(%|_mtr?xb^s5>y3pi@xm!v@3U6HRklQC|*Evu? zI2?CwA|$)(%##Qilh%39>>Xj`hi%v66kiSxIU4}8UivrFUS+wlQG_il<}#OEEfcu%4(C#sWa_xnM(u=DM(RWbMYJH>okXTJN7sNN3_8sjdMc4OYh z$NvFUe1|Cm0^t}no=Kom1f*e)hQccJKt90B6N`ZOdzA9>Wr?|%NwJL%|K;S{*6|J> zxlVaBKVXxeO*;$)Hqu*d?LF~ArYM1|a^eq1Bolzp!H_W77s;QdITElV`lPk=$BU=! 
zr+0l7!I7C%HY7f02R=`4N;WCa+~v+Ocj^#km;avN*HRaYe~1Z|RwPYW{L&uONxdOB zZiV|?pcbU|wX$8B>N-|>rT>eaOZ@_5(C~Nx+Ky{e}+7fdy$ss_)o!kDn@>o(p=g)>r#C zv4~LJ+!T7Yb1?Gu99BpbE3xpsiY5C(szQ|d3wqg5;AMIZ5s2>Vh0%4v41Trkms~{t z5!7!S)~L`9MA>O}?DYEtM|*d#0#1<67y}WgiiDj%3zZ9M`L1v3wT4$k17iKcIFs|3=e-tA84)i*=~~+`xT)9LzGhPg@3wqc1yq#i&aNw0rkN%KYi>?DJEH zsT{awe!GJY#8q9UD_(@a!N4X|1akJ$2DM6WT3i-}Rt zygsZ^>2j&n$y4dhz-eK_O36RRbgR5CU)|@;FHNrtQFuBr0|8 zzbK5VZ2d=?4karMN~c4Xg|t>LLfB|p2Nb5-)9=R5!_vC0PuHo;Jkb;?ten%nH~#^~ zem{V?3l%~R=hroG%6b(E0?jeE_e>uV=2~N&hc3iOxu({C)@?S7>fNsLY^Fx?sfD((OOm>~dg z9{aWADZi)UIq@vpT#nHN5+OzW-3AQUV~q5wgYvU>hn4q5+VkyPxuQ=-n-UzsSWUv* z-5>gB(RI9OSKtg?OZN1OgEJyr$haF3VAe&;^_`wVsA{n7IE;T-)SWh|_2n64- zRhJdRI*fn`l?WdH$96=jG%4nbLQz+z*dv^8nfe&69E_=)h~&nt4D=O|5)(Llj4Q4s zSpRuKSn#Ckx{G8+*tJm!Wmn|9{nV((9Q4l=2;NG-o-^EoSK?9vvyhl}1gkDR{uhot zoS`Wf4dqhIDbE5#Fk;S*v|J+YxE5Wn>a0wis%g=PvH{F1Er1sMP}EQt&OZepJP!DO ze>Bh*NSmm!f(ex?2yDF@5pV?Q&qXS#BGZ1Biv&EdPo=xQLaT3SV!7yh#K0A&9=;e4 z>6+==^31g*V5FI2QzsX}akyE`C3LI?IEN`a zgu&_EjC}J#uK|U zGEr7W9d+Rk)>w_HX7Ym8T-RGSyCeJct5?hnWkCV!-XSov=V4^) zf8pvppQ)ujw&`A&|0EVZqC4(V{DOGl<$C7JQtCEH7z+UhEUm&&f2xDNm(!NC$*UC7 zsAwjb@qUvxtWB!q((mB+SO){A(v4EMf4{k|anR)E@-D$ZCJ_P-1TXe5!IW%3fq|dJK($*+KLEg}3rIv2!mG^PDYm|-?JOA?PoHqQ zw2RxhxD)`-Nkn|Jjl|0A$ECf%afMvn0pPX%-$l*w61l_MzUU;P-|kLL0^;FT%*wS^ zIlTg(!KRdYwzSlqzFSdT%>Culd5zz2IV5SiweG^j8x#-a`LZuX4!EIT2m^AJ4hYB& z9rqsEmYM9A=x=5&Kb(5et#pj~5F+*U2K4j^^y#Fd z1|B_lR2GTNsCp5^HhAFiebG+&V17`>ZVAP*`{{{+hY5--J1POa6;;)3mM$897q^fz z2L`2~z|edkwmplX?$3`_O0iuB%i}gdX!>|L1HzQ36^+G!mEL&wY+q6Ex}rC^`u-Tn z{_|%JT7T|;r@@voR8o3SM%JS} zEbEa;r+rvf0oKPAAWYI?z!TNW8(fBSU~ywslP9q$L00mcYp#e2s|U-+{vG*!GF&mc$ zr%M65QY6pFzeys6q+R!ndIVk%LbvJRKYJgE$V|L!YtwGs`2vg#%2XbtGmKonEBchx zsAA?dgRz2P7N42ns^);cYJgjKuWo-|Qe)&8V_fRj=8F9KFkUnIqx>b4e{>t9f`%Y9 z=30KVXsfT2L4C#!Z#b*$q5prEUTY0C;Ad|7-3Y(PfLAmUsXG_W&jcg)E~l2LXrqm5 zKw4>p^;{~*?@LQdQxt1Mvv!(*Ho=JkufXa2gOaCt>V zVkAJK8N{-ppJ0gL_c{97?3+Q}4&6O}VnIbk#&^08KOJh5^h%>%l 
zIRnfDoeUZ^(Qn67?B44XPdz)WYBzPlvNPxp_Aaw>o6-SX;J}mUx~HM0MMO@fFkZdV z*$YfUShXf0ck>3thR*8@gqMm2kN!omyopl?IZ?c4_im&6cEq(0s;i)K>HUnz+Hjh_ z6PpJ6*yzt?J;X)_mVx9Y_302jpCeeLs^)@6n>R&XJ6S|?ZeOime8Ka>s&grA>n?-2 z2I^<6wCqSzp|(cqucKwbhwPck_2yO!nbCdLyOO zBQBpjip*wu==~{o>Fa_dHvJIl?n9~U^uU9E0zQw=QlS!F1gW3R#X-e8q!b?Hc*dA@ zd_`~0S1bIm`PD3QoM0mYkejyKD-voa(8uPh2?Nv*xt(HZKW0bT?QaP2G3{aHxl}PQ z`gGV!r%D=S*inIvq{Byj60tBbn7L;df8hNW%nKEAi%?34EH% zfwm53Ub91zr|pU7R=`)6$P47;seU!p0NY|{n>tZ10R!(R3&MOwWW;7N@6_~Lb}3M) zSas$lf#t6&Ikg88Y;!PBe3ijPzG&W3D09kO9RyOo&RIptj&e)W{i9#n*(dH^wVIo* zxwVm0FY-fr3AZ z$}W229{-7SzkGIan=kK#VSK}Y3n=<_gw*!ji`AZ8i?+o$uivQG*YChvM`*eB`7HG!#&^Cy`U=T3^^P(y0w`{kFv>>=bP_229xl_0V_`TK-3JTqWpTu<4Pp-J(| zdo4*hEN|Z}ruE_D_jBWx&fa-%G2s0c2X1F_&i`Auax#?~zm-yLQ+XH_r3E~|ro__3 ztuBK;x|hY-3Gqbi>rq={an-bg8dqr4l+=nCV!~Z-$&a)LJpGci52dJ{E`q1{cnPmbAF64U3%`z>gMgH{_Chk=9`t*QU}%$*$Ie1L&9Oa7aT34CWqr{AzdJkAk9QzmM?*D==|mw z%9)rII)9KUA$B6E8!h4C92sJ(g1Fw#1@E{#zwFXVxPyR=NO20o=J5i^+Lr4O=60RZjiy~Dx26kI7>e3cjh6+~KXd{!4Z zyaaw(^bAsGo+|=+LO+X?vy_x?eeJw*VT7;D{V!Y~p6?E4pWCerP|_e(Vi(Ls`9kds&c4`hmd@olc3%;NEg4V3 z%;+#omOEfGOzkLHIc7R{iwlZbwdbec#4kq9f7%T5RZu2J2QEA@0BCIz5(?Bl63o*; zQ<1M?1Uh|@{v8@lVjZM4~agR>Lxh8$hL}lxq>LEdyo35!MZ5KCl-@S1~V{3 z09__fFPh}EjpyV#w49a+*y>1Zvq!jJkRL>I=4pTkI>wv%+-ZB1?Bj?C3&c-C@*d@J z4PZ_-fT+4KVQxDFIscGsf<2D5;0Ra{IW(h!12eX7-;Qy4$l1`g7z|3_k~-DQ*G2Fg z2HbBUT?N2e+cuq=duUhz;G2WK>?CMZzp*&u-3Ee?7{Gu-GIs@&caZPMM+)d!&!&(HBbH5ZCu%yT zPFW>vIEj>?TPH4IOvw=_>UB4|0=yP=ZpBx4`|tnv+uthH^6PB>Y|2eIZErkg>`Q4E zI&83S_n@k;ZdP`Fyvuw&-`PWz(V}O~iecVNv)B?Egp<*Cn^UWBj`$BRCx>QI1x994 z6CJGvaG-`GTSS|Z!C_u>=b+##M?2!}xg0P|Ca1>ubB*gnbt6vkqRRRmPohQfHKCPI zR7LF-1dC+`AIs=JJ?2K`H>G@@@@~N#G^ii}^f3 z*3)XIC8~71LbA=9So!OX1h=1%>0?vs%xo5~b;Odc^GKx8bv+Z$6b1(pl`<*_)Zi?U zQaN>JD)_=Ut6GZ-9er2koe7^N9M0EUu}_#NLWl5`9?fE2^Q!TK3jKo0V~g7=nM`)^ zWKvIP8P|n+iVL z#*+5P?r?^Xrg(~*LL{$7wNYtPq&f=nSw6#>}}n}GeMoA%u)!R#KeIn)M#JLLi>blz(cY^ zq73sFT~i{-{f6(7aa7-aqtzRw;g^)0_Vo&q{-P@=4V`Z?E;|(Uv@iU>0jg|jMb@?s 
z3j{og%+Go1Gd`|Z5nBP3paT=$^X1J2-n7`Ks8E&DTLP%}Xh^A<|9NLIpUiY|y(DOB z#(Jf_DpNulN~{tbp!`sanJx?T@wGOeRw8;!PuO0nxzZ!mG3OS0WKXbpmuj|Oy{7w( zDSwgrtsz4+zMTAe14_lbKQu=HlX50Fm;r(vd5*M}guHmjI2yoGx#Sj7Eh|;}e4Yc;%@b zxiE}d#;(=Bb82g)38*75MxI#;A6&S`Fk#tpmH)~-pL3uz3_ZYY(f!D3TV?OlBg!hi zeb&)+E?JJ2h;dM46`*ITw^kJOwAiR&>UVOz!USY?W!B{ujr)}^U2>ii2V}ebs=qBh zKL_!MExS#4+2(^+^4J})*!s#Q7A?fxoh*0JaGV&@FoEFY89FH;97a5F#OMy=j$b;0XHs|2t7vRr*w{g;go z)6*&hL6cmgcfBqn?Ji92thao!_a~R5i{uw$|1vwJ#Lc{o=G!Oz zMaxV|OH-h>Z`gvm?L$w4Qw^%e(2b%Ld!EHId@yI{6%j`+7o!^f&6S`;%?SMjIu^jLWS&XO~C$JGOR| zRk;i=jP}*L5006LxOWVZga1HY=g<59@sTecDKy1)zu0-UO^(^)`XMJk^W;Ki&ce7K zqmVV{V-NlSotnM$;O#xpaSzOX^9d^S0WDI-CsSLy-zK*_Rn%o$brBX^7!_I=@tZeX zK%4Q#4Zh{<8#Tf&G~6xh;6G6!g`eB#?Xln6!z=cAuRq<7>-hE2B1+qCYk7wm@K5aj z`)X%ypB<<(j7$xRkj2_piBLU1;ac7za;ic4P1&z|8n}OJ3s{>TbG+gw+P)}g9Pa1Y zYNqDEI90}J5Tzd3&m?Rbw=stgs#llGAHLgKFF1h$Bud(NNaO8}z&t{;s_K}HyJXUoL8i}5(UeZ?=AJwbh z9l);Yy)AVdiL3L&$T&h)&lgNQ`~)r zQ|AlWIh9&d1=akqqzmH>gz3i;d=b*2yZ^O};5(cBXeoo|(6|JeE+Cuz2MTro{PD zX?wln0~IoVaFe*ZkpJYD7nPGeaoI9*_G>L)a4b=M{_Al)_1RO#40J0Yh7CTw<<7s^ zK>-ShlCWaSBu~E6`uA%7`w3iq!|d@<&Go6e5UfMv$@+4%ql33w{RGz1{l(cHN|tW! zB}-Em_vNpPllxj*$UO~e3?mcK3)` z+s7-yDYDr9yeoA+bJv;3=GND~=Cip+wacR0ySeHaEO9A~zVGTh8R{Fz#=+TSBE6#f z@{>X18|a`y?;R;iyM8^5AKy~-CtMlltwVmlF6_Ub=ZptUgXb*KW$wHSV-dvio{muIa)uzB z+26pqx*A+X%dOs+t@Po;s8}o)@%wTFrXoSAe)c7mx`q3R4jw zQtz@plGUP!>Fetp^$*mQ`YXLYo&4-BEQ%*spqqp$2o~`^s$b@_-23{I@ePmZg|Q7{Y~Sw|$)DoLi?9*gOW8?tG+;{*y7<-D zd0{1F6xKUNXYFa22WJhV|M){WVAj^95s9<~P@yL56*h@A*_e$?i#lO>bkW3P@Xk1N z_zIlB*K+Qb{~nHPf~(y9R~1%1`}Z2htgP4AV%25rj~7Z%?mzhX3{j^O;|f>hG590I zLYtuwZ}f}d2^Yud;qjizebbZim2c`NzAyS5Wh(0oub4rY*^*aFhT?j8_Okq(valNYlN-?qQ*J5!<@>XcOR|4I zho~R?4f!2~=OH6hOByb>f7+5WfW6~ik2e_y`~!QodEsp@3fn+`W9$a0z2L^jlO&sp zzL{I!IRJof-Cg&v*z)WL{E7sSZTXSX)kPrY)PPt?Do388x2_%mleVgPsmQ*hCN-CO{<-c4#Q=JrV&Fh{Irmt)ToICE;C5=bYxAJ8O=>k`I;u})K! 
zB_aAoFGP(*JABcNbIx@-q&`Y%NCIBCb8b!wxBb4VtxQKNLwy8`WJe>h7t<6#X0A?@ z5LU(+_8?=Kd334X6%3YO*CZu9wPory;~ zwhPsj*RTePH^Pez1usT?*P5$NVmU%V4d^oN(eq8`-fr4TrtTxDM;<~23bm4Y|3U+X zr&#fhzy!c>{o<@{e^E?qLnXg$m9*IonyG7LxZn~7SZ<`j2c^P|g2M_Kv(5m@G=^~{ z|FUUPUFW;B$p#@9aDz@TAJinlbOs!UbDMyX8*?1oP@BrtiGn#G-~m$!-K@O4R>GOg z7Usr&o_-dlP#rN>u$4ZIeS9}=R8=;@wR3kgYn+z?w(^n?;9noa_E2KerJlin|MXxn^`@$-E4c@mFg+t;O(hMcn($u8@9xG0aEp&U zmNgMV!qLi|bEB)B-d*N(4?sbjcM(umIq`T0Kn{ZMjx_#tJGz9nh5;q= za;Wu6J%AVp9T81mg3c?`-r9Q(=!}0&yIEz2dH@Aw6NPPn>fr&ckSx9iUV?jF)g=;v zZWO7C8!%6LTnj!3qhT)cI8WsEy%+E(<8YbHuOE_Ue^J@PseYvBJB0j1AM0! zygOq8?(7#GUGw_=oc1e<10X)ETy29H0WgE?dIJYKDk%Qy3G?B@`waH=B6#6nJQy1UlIK-^;2_cciEMvRP#V^kwVrE48$oWY zA5;i&x=wE@icSGRBbU0+W9@E3GvKDDt1MR(*sC(_Q}Am!&0%30>5CPDZDvgXEhb6u z$(i4Xlw(;&9xwcF>MBenD%`hLY!9;L->+R62gW-_!JCSGYHx;zZ4`DHOK151@nn+( z)w5`n1`}I8%_YN&DrR&bsAZT_u-gxrowH0b>g%w+1tLx>sb311trCzk}6u zCQ;@y|5igR-d|s+ViX&kdY=cqOfxqFp6o46vV(Y~iX-FS;0D3ppNevGxPYTjL&R6e z3o6{Z0M_dVppo{}&=kEVdbEO0A@8D8AZUUoi=3 zv|0zEbBr$qoZ>L8S#z1J2SZF0s&Lv6oIZc z#SzfH^Veb(cu;eJUv_YrS<{Bl0bS|de{Q>e3sfl~Us!0D6 zfmJXbUhCcuwA{#5$p0v!AKtwHez}QU2#bCr?;g;@c-3og z)vu8Y^s#>15cm(SC@1LrlYXK;k4l+`4$_`arq=AuG~o>GHt*fxZGnvy59I6{y?2Rx zZ7Tc1#_O7NmX{Wa9bB&0cNa|EcpG{i;`#j_?)vM=slEWIoJ`qRX8(V`0{>PV?1zv^ zniQ9Ja^rwFY8xI1BT{Poz>It9Ie%SNXM?=t|GDg09T6)kuOR}%MD8b&Df8}vW$g1u ztrA;3(}JA)d^!Zf`}6Bg4yCRxEVQKaNyYD*4=!p+R{lKDpI`tmA5VcLEP1OUDfK@q z=r3x>j7x{XK`%x<(8h83;J(OQ^UL|8rR`k2x&{Zg>zfT%%t(QjuFn$`&`RJR?D;@au!*$_!u_!Z?7uPjYb6FbY|GB)tSr)qpl9gIRz*?&pCICw{Z;##@a% zhjj$M#{c>P%V6Np>4@Xd0Gm7=+aF%KOaZE_TYx}C0T2nk1=|7xo&k2kW<)3K9p37R zHCr%~X&{888=z>$+<$n4LFj!0R6^6>1=%W~mRofP8$<5-5KQs+vaoW(6GP6;l`j8Q z%jaePo0q;pJOKK25)}A=MklR;u}o^Ke~<@%{}n8h)5reO7Vf^=l5uQ)4v_8Blcd;h zX*W+6Nrvc?=Sk-x_b2zDixUL|T?e9uF({0HEO!X5&!dZ_)F8#oJ11m3qWZIPD2SiG zh#I8KQrvFJOh6aT!Bv362u5_Lhbyo;rwIOl!H+N#5LBCP)>sq)O@=&+*I4K{P{xlh zX*}+)0+{gAUwB7hf4_>qUpWwA`YA{IAfT(s(D6*O%87QVfpLJIv#$%gk{Hm)Gr%3T zOS4MgaMoU)(|@-M)pPY2QGnW$YgMZy|8jRn8BFA209ssac7MUMm=>}TGoayMZ5woT 
zV7>?k{goYS%>Cn0`5R%&*Pn|0-8 z;j?2WXBt(FwjMOGH%78Y0RknrYV}!96N_gp@_wb}ccNn~@aF_t^IR+;x!2gFYzURs z1U9)?=}4~wX_58SI8W2o+pW40klnzE;|pNTbA=INGiCt^zg&=8?$kTg2pQD>y+HoF z=zXl-;eA_kT)EH@sM~ICu(=zHr|DbR|EkX~C$W${Ac4stv0`c)o7}1)U$;OHduq_0Suq<^y zqanm*7DyinA1R@R{C}LO1xnyv9a(T3u0>XugEaBq!eVpQ@?hytr_$7U8vw#jhHRd_ zk>_n8TAton!R4)_lp)|<{&w-Qn`ay-5b4c&1A_+xRyF^NGTjbnjjyS9w8xEhk8sok zI4c7=_+Yd|VUSl0z3-?P@~e&S@Xn&G#k;-5@urIf9qE#$b*|DkKs=sb*@U~trU2tY z8c$mvVZI!gYFvHA@`lAjjA=UAQ+Iv^zLB$?=D7LGn53$K(erWH(%&M|FOLVQP-niJUm^2w+Q&?RVz)g7Pns_p0P)hD&{(`W(`p>3m z#X<5{AKtgNujLXdTUg)PHr_h^@dn&z|OaqQa+ zOb~6~Pr)5vYCF)+l?+6`78gM2n#ba^jK0@z^HZ~=-4{gu`_K|1K$~$}fDg_U2fMDap@t z_Sc=Ob*M&f;t%EZ&b7Fj1*dd19W3r`PUhG}^(rZAcI|zmGjKKfOx12^ps?fB8c(&4 zSs~ct-O#M@ShaiJR93^8uQ7#Y!wX|M7_xW!OzI`MPs3ypldqrI&TVAwcuZ*E9?22- zPy9=7L77qUp7wMeH|1!EE7tw$>kO?pRw*uDn$-(^&^%wG)nIWE@ZwVI!Rgn~52v&$ zIQ~F|?&X!_Kf^$J1d5A`l>uN8wl!lC`4+HHrW0ZDJqn!wbQik()n*33YV2W%D~^=pncJ{#?05cmw5c227i(4B&e6hPa`Oplj$NvxfC0 z@YzIiAbqU@EVRQ4Ypi{=zvq{=jH^QOOz211@GM!?a}mf?{6AZUswaE%_T-7DCDL;~ z$wThc`TL|B>S0@chs@gm3HcvDRjRGe+fZ5$(z<%zxbz-c;_6~AU?Jr-T!NX6B<03~ z?D1a*8GctApj5e9>1ba9jNls`oAR!i>)T*1lHGQ;>U7w>nF9pO zNK=G6JWWIh?8jpWosL#@U@v1T8z~P{xB7mEP0;E*Z0G zAJkf^!v>HIozU#FHkt0-5Of7%rCgQ?&jf$ za&6^aX?Jh$>-gpGX3hvkDk< zcnbJ!vhD%0sydd^Eg|B!z#0kyP|% zB(dd(gH!2zWzr+Te#;l5jAQRP>9llq((@LI3HDSL&x67F_Rt?%Rf<)LP1u$O4G{`^ z8jV14A8^g{fX6^Ie&G!r#N$Q?W;!oi52&xdwVb z$QrDH8IxOpFq-1J;izXK^}K3zqR0o>L}UUt3m47qyY4stgk68Vg!JLxNdArCzGDwr zoXvm>(8ih#_~nX_`5d;nmbm?7`t!hq#0bgr-g{+YSNZD3ddc(C3jizab5Vn-O7Y!o zc^4oY_!{^Ci{B$uaXoL{)%7%`5KBe^e#^Y~OSeL}2jTcoksWl(PqhmNeb~ zm##c}O-KIxQ!mH2e|F0uAp)>WaZHU=OxoNHg@gM$Xfib;7bV08y9=HJ$P@cg)E6c| zUa&=UQa`Y(Uk59%?=JoG9sl_wFnHbx1Hb*rh!r1$G6OdJIiQ*@Mk0^IpNsHx4FBvG zib{s!TO?v*-Jce^^55^On7=FlP)~8HOS-Xj4PG+*nE*7<=9m(esbT)Z_tj zaqpe2%8*xsHDuns^`>t3N2xL~BUc*XLb*3=egg@S%tp)|0Bd}>8M9t#Aukt7u9>jl zH2id{02-V9z3@Q6dykg}v}Oy0;SG6;`>0EXKWqQ{#iirJ>(2N?Sl>|)Q+ZJa0l$jX z;1o1Y%a8e@J*w%?XEXH~jp$GF^F<}XLSbQ{`QvF*NMk@R2#pTgnlY+V*O7yjg({#` z`D+_&3L!uswsa>}%e!|HpOYS 
z1A_#0T&>xO8y=<{gZW0ry^FrWiSHDi+n1p$rP{w!mCUA)$D#1@4vsi{p5xmjyZZNu z!a@k{)QEErnDxOnTH3V^MzioRCrx6@`GKdKfjU5RPyk1)@P7KUO2a*256S2et1Ok_ zO1=qrAa;EC<<{4aC9TD@FD52-@$S6l)zctSr`K;(SQgoOEr0>R6?3^8fNs)rD@tMn ze(J>3Gx83+00Y`_cp0k-xKXnK!?C=)5%Q@H->U(G+!4RKldU0pUuU??DM&5+O^Z8F zUHzR)U$)&|ET+MAPcAb?LE$dx1Mu5CBJJvABktybAIVy#EkLS9oC46u>02M|PBUPp zdkSDxp<5t4DFDLS*MN$BXW}IFqA@yW2WTQtya#Gg+QV6jply|j9sP^?=qH)+=c5vs z#Y7PGFCoYXLZVB+EhPKc@qh0DN-77y7cvhZ!@~A5KoGOI@7nFK^P3dj0 zhHcuyW#dp!+LxBkA+7L4@oq)rj;d*e?0}Zzt;p?`VjjSqZv~&Y{Okwh>8U^cB8ARr zQ>aLx1bQyY@QUpCXA(PJtJQC3@PHnN=-a$&#v%uR9Eu6RPjSuVbWA2P8|d9h29`e9 zL`V8$@n&c-tg3_4oi>6GqZsZmlmf`esotn8_sFJQ4O)y-C)vbc2p+b^dE}UcDA7WC~!L}Y@3Mxh1)-_t$>+2dgu{96ba6T@q;J zu%Aq>TZ#_NHvYeYw1k-G;|`wYqi}ZE;`j=CV4@k95{eGqz_*bkp3=#!Xg)i?Bjr3Q z%O5iCp>CQ`jIUir6&HnFe>2;x5Vs$Xo_72QG#g~8hh?0Wl+JxqCy>+97#M7y28~Ye z<;1Z`$)B-DPk!`u`Vvz-< zV`wVoVyN>*@eR=30O%t3NkRPJ$z#`2v$V5vK)U@cqEqB{LWGP&VB1jY!}hjzATZ~3 zA+W|V-pLX@J8F5?-Ib(Bzp0R71djOo&)bsB#sKMEcg~7x`T!hoANlA`zhwmwyE9*%RHmL49goS7xvCOXbqqTK)YS#d z6$DBx>--NQ3=>44Cc;*M8(hmI;wyiJW6OcwDdks^(!@yXK<6~M+OvKy#ZO?YE-#>f z5aA;5L$J-`XDFCbG$e$4Eg(YK9`pM7z%i?Rm{rDZKV{jV!MD5ThWTQTizgHWm{MHE z-vqZE0o&{Sy*}YTwM_n$hD0ZELe5{S4wy-D&-ztu6QFc&S$tcv9W3q3jdpniqCQ(5 zKZA|Kp?yyZ1W;p40DYRNrU*`)nhR44t+5m(&d)1<)8D^SspD;7cz)2sxAt?9e7Qn# zN1s>1%*a_2?$d7OItgkzo03b`sY8LC*0>c|1O4W%unWKY3pgNniNOoW328;JeR*;N z+=aA{barGVs`XD@yqHs(w2Vk*je^Mfo81AIZk~p0^`6la`}=eItw$7>qOe^H5uK^G zA0#mzJANS3%&oi&;`v$UpuX~`!l&gVfmfzxJY@HITeGvGVTvAru#Dm*h_zx)vX{#*ZP<_gH= z8$GG(Q$(-u2kS3GSOIKl`0M#gzoSqCMzXfp7>dbr+`TiPp;ctB@nqOcb-_HzmfI=Z zn1ZnXf!PqEY#--xq&CqRc&X^R<^JM6*Y9q_kGUrZR7`80^=vEQI`p-%x3F@o44W|- zna9ujE0Oy=PE*!qLISuFK&IU=8rsH#1mwrV^xtJybi3DqmJGcnQ&V3O5@1K^*UgR7 zjvEeFb|%_<5wrl(AAG97`yXmQea%@s`{epftu_-##WWC9}8&a&lYp z%kaX*^bYd2QqLi4tA>|VudKELTdwC1WapDjR&^F(>RX1U7PWv9WI)KG`V*zGH`poN ziX)-g6}TSQW6jKfF6O(ON2w8(2}TMqT`(Xzjx1o&$B^Y~2EqV#_uLL`H~srroEs z0d@Rsrq>2b$U51M0pzaJ>U>|Ul5D|rH7%q1;m#`amW5M!`dOLUm4E3r2vENKz@2mh 
ztd?m$ZzwY*<5VP>1%xNAu$eH2L@AxXITXiU6;387{ebPaepO3!j9%-Kx?J7u&KfLQ{*KfzZ2fFzivtx|*n0LqJeE5}|1}&j7ABPEu8_RkD;@U$dr!UR1;bRu+^mdV z5}tn#9MgHqMg@S{{eXIZ_`s^2+aha(W3A2tpG5+c|7EF5>sYvkL$7`9@@KQNW3-1J zM)NlKz|>ZWtwCYH#YB!|+8x;Gu?Yhe)kr6o;A1he&?Qs`4ow7owqd?Hv*Z;>GSuVK z$1j2-hawK7D+lYj{CEs0WzhVj7orH^A)OrlC>3LSg~cedez1u&eQLCb@#a$;IWF2a z;eNjnF(ElZri4`ax;P)@Ws;I)p!Pz|{s2>`A`{>QL$doe?vrXdTDu`3jod4$V0qpn=V&4cZ@e6(CGvd9VGNs4q zUHNKrTl>PQsYqM2Zg8x9v*5b6HLKtzxNQ?In`_vukn6KYz5WKe@xTrB;`qWgI8$Ty z4XrEgWR_e9&E!)#GtP_u)yuOMpp@;PL@feB2{|GSa}#|G{)x_V!&gNGUqf#*tm1m7 zr^nlck=na3gQe@6ihB5Gw|ReT)}G(2 znXaUl;=8GyqWxHUP?OhC{KyOqv!QI6czQBZZ>ECRlkX#7VSahqhUr`Oq-nxhA5z%; zN)!58hrf1TEMZ|tHa>e|imvmS2_5B8k$I0sLaSLE&a8aEcIg)fE{M{c{5dtwY2wF% zu|6^b)^zkGM*8p%bO`dxQ8kO;V5e~ah5GTODkE*7LAozH~w z=^TnZ`KE1S?u91*zDhU>&65EvJ6(msmtJ4)9U}Vm@%d=w7T#%od>!DZ9(BgFm$UD> zEu%KW``QfuOJ=coht3;>eMH0S!!O2C6#Uz@r`6@pPy8PSix&;D#8MTOP(BxJe>UTH zMBv9}{_}@1+wNlVtauZxPAms*a406nYu4n+;vY$`mKnEbQ2LXDYKU0~2nK-cgB+cm z@>FQ0$xgZ5wZoP0Y^$rHtmB9Kia;I$nV5u0A;!jmWl(jkB7RWcLMi@NP7%Ev zKRQgI85o>DGccN3vB{KYsYH36Ne+@zsg@3O=#k53XR<>*^|Ly zkxX;Rl>n-O(WitlM=~cQ2TUSs%{<;JAsrind65g0O+SWbs1V<)+HwTQ6kVJf;noZ3_vgNaP$BMYjAklmR)p}qHJlnB1*AV`!GtFK+hO;J4v zJ)TwA3E!*Q7q$W~naplMv>}m|LM>kNl)g2;Y?E6jjfp(CS#)$)Gi`^sE=fHf+JDuh zAv7XHVuC4EHfNNU3st!8INQA59sz%JZ%Ye=#siW7hF!^ziV)zyhOc>871?V7=zS>36u zn`PFgvUcUR97|eJMP){n zB9*cC%D`mQp&h0N8lio{CNme){-61O8ddBmAro&a1?ew+iJ&dUHasZHV@wGqUFf6R zB*u`2*<#GCZvMhuK3q0DtYK^r+fj8v9_Cd*2u9uhwxcQaf%$dB#*cN*923W3M@~(v z8KKRk4~8ti9>h8dFy>(j1s6-=v(zIdR2FjK!-C8_AS5r1Mr|wi{Hg9I((YXH@5jyV z0D7hI=-mHy$f);md$e58cw7MnBR74OgW>JP{oSG*ltd`BgB}^%c?Ps=Lcw5*4;EUz z-1_P6{g%>#8yYE`d8g(rQR)7k}v&SG?&$p@{0@tOY*tT@uvA4aNgWNgh=jaF9?%1U1X_h1_#Cnrv9cLUSlFufv zyVPCOg?jyT=tho5W@TE@z0paY=|@#&T_(F&Kj#Wd)b;w$il$#av=CwI8g;Sxj#QHzXy&wRmj}2z2vC;UyVWi}{weqR67W`V_@t_-XvLXrZ*!`jNtN zDLwxcU&mdpWz$i(J!4Nm^8(>m1Wz!#@KGm@Tp;?*kWi*W;n=T^+>UD^mQ#jXq{sq# z<2qk;qbROYmdRolEA&(4{!<>?u0E!1y$^C+B%pYg{5aSbSeF4EDXuHXz~GsO#QUNM 
z?9W`?@%%%c9i3$g2i&oTYsxGt{t@XJ`Q=QvY^#;hyKZbdtzHoY!anDCIT3EtT&4)CRhLYWs}ovG zdmmdI(N@g14~R&klA{BsoR1+*NyDDj97ToO6)#D7>| zcOvWkY-?U%U*H&?< zOLcTqcl2-HiVa_j@L`w)d|5&jC-_7oGrx9SCFhEo?c;;BI5hhrQYXNP`9+!(8Zr8$ z_{=X9{5A%M0CuIg_6N@eL|a4dm_5?9eq+B^ z5yJCZ*Ypew*LWL&pYYJ1LBN|yCF_hxIBxcQf@3o~zF=D#lGn8w#u+)w{MpGsz*`J6uFGszJODO6>QK#SY^90WuNHO^PJ)GS4#jU@kJtFZnfME z=|4~3G`s};@Pa&eRm7*yvS(= z=68Q44}9d3><AD_VHQV>p(G^+1?w@pNm2}A1d1}X5{4=U zT7olfsxEIa-wRd~xhf@M+6S3=ra4CYbq=*y9=u(QTkN!A{4EBj8+pQK`RpBuneX%- z%gvi&KQrX5<|{`vdLc0;*H@R}FzoQmIZO+j^ni8qiN%@3BV@E!A7V07sn2y8dou4{ zM4SlEezfMq8Ru0&&E1rW9JIxr3}i$=-?hlXIFynwc|PZifjxuLgUGEl%w88Xj}Lp0 zQN)(WJz@AnGuD6td#JzM(g5!w*aOdBerp==neX6T;T#@by(#kbtFc0_(&A2Vh^@gJ zRhX6ZD==qs&bFdxW7?cl2z2^|y+4+&ScA?khH0cv#<%R;mc_`k5vaZ*anH`2csAf; zz|vBE3+Eu6);{i%+MfHkw9k7?bK@G>8p*HL?}#LqdvKHUY(7D~zExs91@(UxR_G(> zOOY!CJB0Hsj%&pB<2)UXwjWg8h`CAj1=S>-Ea@_JbH9@81ZR#cHN~d1+tb;FStl$x@S-n66lHZFW< z`eG$%Vk*SaMOncEoa9zdt3zzjJoyO8UL*8ef&&zF$Drgv=!KG!xEEsglWrmkqnEo= zUmSDr(}EoG`r!I$G^q)+!)<2O+xu$BsBmP2C4jVGZPvP!Nh2e>RGT<8!tRahE2vVz z^!1Rh(HjpjTy<$f_g*pF@aglN1NFxA$?GuZb0%ArYO?VYK0n(bT9O%A1e@qU@cXS3 z2aB)9k=s8P&!|uz1fW;w5#JkzX7rGVT>i4wKS^|SD^b6flZ~LeDbR`MCX^`4iM!Ur z-WkuCtBWVgW)krRfn2OL+xRLU5L)Kx5(gXhE6cwoz`KZWZ!}>nw2i{`T}C&cMPdv| zc(SqkQ3+Z6WrlQ>kvba6=(*}L;fpUiUddEixpj*ltHto6^?$cXz{!^7X?6~3h1zw| zM+&%mW_@_Fh#3)1hV3$#Kwl4iUR>XF1+68CDO(9sG-F{Jr8JQ>_!RFGE?I>F-#TwU zsmg&-^(Wt3k^7B%Mlx5vchvh!@RHv#4b39#h07UuDsa34=nnn+ea;QF#UOp`>d9SX z=f|^jy6ciY;DQ^CgGjj04W_YAp218^@PybgLRO-kGiBan-i)oZXAHe_vRM)zm_Dk=jJj5%@NVd4e{~Qq(;Led zv>vTTZU`4jK$;p~DGJFI;w_)WbKSr->c~W{JV9X;MYo7^6WmM>e4IJWT}ab|a~*s) z8H|51p~FWFAsTHX%GHB>oC!ST!e}foDTR1@g9dAtlH;nOn?EPbPd)unWN?E85Cp4w zfC8HeIOjoVcX@}{Fvf2IM%5#(bBO+Q%aP}vhuBK>m3@3A8R}+iO0n%vXpo5xv={g>GcW!?1rR!K7>XZGKJ455As3R)(w5P}pIw(eqZV%Dp4>L9cuL({V7Czg@`w>HHHEh|!HUNtQ!XG^X z)}KD0z9&R*Di-}AX2xm}fG%yTmB84$T96P$OoJoNyB74p%0y!Itt^$*pFs1eJ~Y4R%&?J7Rj#4VSk;ON3|Mo0JbD!D?!{1qVgvII>SS zUYUJq=MDp>>-IC#l&PeiJyNh1f6ehw*7U@@#>1t2YlM5Nqv|X^A@B0ZE& 
z^dC>+fAnb+Mlf3ds_AhaU}sB}T9mQwT6u&B)$W(KEHzI*F`hugz*2V3D-S+v`8y@I zy`DdUTD_mdpS1pb2DEC&?YyE4dUuk`)0Ce)eae7VUiS=tJ;LY+qTBO7)(#%VREBE& z=aKNvj~sH<$vsL5JG>%{+}Z@ubm&LVv=c{evDhucFBZ zGZR0>lu)3S%&b$s$&Dq-Vd%q*Zpbjhl^M2$(f(Yn&GBG@s=~;l=cAv<0?ERjzPKni z8jaa0V78(3AV`Y%fWh#tqOH0hZe`wo7y>+b9ZvB z5$#e)8}IKTc56CzYcdG;EA~d}EAvD=`Pt)U(#30$?NcW*s{1mzR9cjYkDzwfYEA9# zY;iGmKIL7>T5L&VEmHyTY)64IHkO{Q-qe@MZ_lU-4p+Y_GDGEZO;*TzZ*yf1178iG zTnx$Dp=0nNpl=u#iqo#iuXB>Ejcb)a4Y#T9Y!(lZr_jUpeF(u@P za%qK%;_7vsL9!dUbOvKSx_{gUhA*M%MNNr#puV$jUxDgM3q#y!N91x8dRy({u#LwW zTlAvNt(~e8Z*`$yf!7`@G;=2103+~rJ7L9K zn_k(a4Pa@`(}1A>@L$gj4Sl6Uqtbh1Iz!tbMG0HczR40P@fOLp9tD{O_2p*ssGYeC z(?{_0<6Q@dldnq-dXYC>R81(56aXCF2T^M;T#J1f5!l!%U?|<<&M18Hu^uEE3ZK<4BWgi15kjdnLGqL*=vk@nT$$93C0!Xx-?p0YAkgO};(O;OI_ zl~v_4(jiY}#HIAtN{$k5cxcFiQti2MpcQ?b6mD!7$HLv)R9_OBmCV-! zQ=t!0?Nu%g;jS{}gFg0-kqkCMe9Jjis-thXi~a#y)c>)ZrbPq(b&CA57=d7Vf91KkwkxzRXQ*L?hkQb(2N17ttrsD7uIAf7VhjQoN?eUODUl(5e^y$Ljo|H4SQar=Q zfbqXDtO%3ei(oB2K_X;mlT=O2N#ZR)oq+UB?zT}=2XH)3mS8972b(2GJ;2dtihlc^ zSdtB*>DI^2fr}`ssD%8XaBu#B$ux;@P_Z8K6|d=vp{uCdOVCh1C4WX0=()60r5 zio8d{Hg)aNiV*XdtL3zStM7s7L#Ic4V(XHzCk>z=KCSd;LX-of^9wut zE2Hcc2wq7;Yx9Bw^ppsBrXEFdhOESc&g--gKb%RkLm34$IlQm;>jXs9p3qpk?E_-} zC@@BQ7Vni2A9i55_wLvmI~*H%ZYvslo;GpzQ*>#tl_pKlE9fSA{LPCnh`E+pspLdO{g zD2ri^zS1qtTPWLEm}VQsxp{ajN(3vIEWIZf0-wseK4*?_JqCnDcd6ElQLko_AOxoE z>U$}>HQg~wct}&QtPcdPYBx+jga%X*XnXN?n=ZQ~*Rqc@KsR|fEUhFnVSSz+B%U3M z9v$g6xd}cu-|q}5-h-puDmXyjZKFZe+69f2&<8Bzi^Yj2Sh5c5c?&7cpmy$s^rb2F zziwx<8$oG*DE6W9%TnT}G~ib5;u~{+!i-3W?MY49jTxXIAdw7vCXH&Ism+(j{xtOy z_vdUed0y%Ucs^^kT6Pg)zSHgSa$6Jkpiuv;;F+vAaYkMAzM$th!h!k-rOSKd5WGh( zj5H8Ec;p7Ka;5g4$%96p!@{vc98!2luL$JWn!rJ-w5Q2m1nD^3gsd4a(8wBLgLgxVa3Ace*I`2qcKMnu$q| zge`V=Fe?U@ec^n#&%lfYB6TND;t?_$>2eF3Xy**Ms!r?3_{L>Kn3KYu)whC^@J|(A zx=DkzxtKAtn4E4;8P1Hq{UCmMeARtm?wkr93qtgWKiM|*cwgjqGf(<( zU8NsGw}FZFiPJ^bS?iR}#h$MzOb5G62)X#fNA?%T7a97p;5^TJhmIcP=k8~TnfaoD zb<&ShDc?MH0|h@EZRD4g!g?OmI2qS#vd-XqAc@8oh4Vck!!|t6ZbRE^3@+b#r@+Qj 
zBzI)z6gXH`q=?G9>Glf$CQRklwbWaW$favEl}vDc3fa$8)dz62(K(hFW@0z2>GHWx z81c#diQdPu%Ee&nILyg$!zCQ&sP6Z&bS!-Hv8nYX+LPT}A=A7Rr+zvdyAE9f_Q(es z>|y-qoT73(XCot+o~eT?$g9Zn`@$KfAmQ(_8-=rKj{g zCcPInFHdRs85=s&H_TQjFthI+vbFXbwVrom@Ue&~?6V2;YV^99){%ao4~%wRsGgtE zN^G*P=s7g@k&h)$KEfZMwwRwfF|tjr^joScGt8P$Kx+=6_!WLhDfD<~{;>1-A?Q+O zQ3Ad0Vau=r1z7jt5veeYw272rVx)Ig_B;7S-{x>1G3bZYgp6z_)>1#J?OavG?P?OF z@MTX~xM`599l9Ip$a1G~V1@)n!>Bh?xuQs~+};L%^)IC1%C;F9!J7Qe=eNug$!Tm~ z?Av;51i^}Bl71M+y$9S=94QF~<$G2d+`KMmFR)Fc*(l}WCy=)ubUzBSXtRRJH#AR0 z5G+~jf_7iSW`1`K_(fZO?a}WxQ(C;#1Q)($SBX;>43-bHNXRS5=|?~IAjY@fi6yUK zZkAan886gB{2W7a%G|=!IE!YZ)r$E#ng|M8@{)U`4w*{E}I$+p~3}VFy{dGi=b7u*+srpygNka2RG@{<$dC2A3Bx zlD_LJOSP;*A(`vomw2RN9?M@yRg+BlQ3kge_~U=gy!CUkF9i3Fke%{Ke0&8ybH0%> zc((Vtj(v&_=_Hhr6s;^E5~7k?F8-4Ju9Yz6>1-HT_}+|S;*wo5T9oJ`BzdxmvV(aK zjmhB8%(8jbW9iLLb~e+#Jg=s3S#G)%Nj1@3wcJ!c$h2ARB1PQ5eTe$R)YHCDtVXIj zVpj5;S1J&o1~t>YiWh;~d1bMVHY-Tf&DamHbYSd>W&5&dpv$YzD^5sqbX-pWieJX3 zFd}UwIr6J`+A)!ikWU?mLxod^(o*#<9NbDFoiC3>+UV9wM%w>iCw@r>LsqbXBq8RB5jnmMHO^;Tety+L{^%Y)ZPUA@=TG92 z37h)@0QczH*v6HV)m=rOUpQvzFM1wowdSd1Kpi_{yw6#}LQK&f3f%3x>5kzMtq33b zV}3iyx)aT{kj%Ny$oT50@S(iC2*csR*NJ16QDfFJ$}T%dWk_8eeCx=>h-is6lU)jH zP{Fp5ON+{XRofTDhXN(&i?2~N7yF|W4Xh_uno5U~-SQ0=Z&yk0 zvV=)ByA28hYDVkEq8`Qb%^^a*hHo;M`aG0guQ1wCzQnqvn=n;~LQOhr7Zg#mrP&p` zEFCmMy6@BxI9gJVFWzx$-+f)k z2Tu!P6IX;>ArxR=b|Xp>eOT8_G*O0MOXg*)W8OK*e49|yxeI)<)$c+iYQV-ynDI~3 zfuICO@B<(>pH;C}HWEBI9ovkvrb4n${eY28*t5Vk{QU!aAM+Vbt60^I2lK{tWjC>7 zjHT*`!=}Rb!5#SH1L~ z(aLV{8y3QLUEl6J{YXiVo=_~7x#URS8~&!s7-xqNbZ7(%d}H851Sm-~6{*Uc;(rp< z_^-5sO%oFaua3J(g9kU_ZQn@IXBk-tOSxtF-3;b)`OJ-6oLWTPX@{$1)YKZxy%l{v z9d2_E$UGy^N*4Ad#_0c+tnj^~Tz>%43J6b-D=h4Kt0bB+tcFh4isL0UaeeQ>4CV4) z0d6!iccQI^GBzU=PjFy_F;L0`2|ZuUDTgtX=Ksz4qUk(S)Ce;ko3`~YlqA{xwrDX^ zSPLmn;Z~wSQuVuA?XZ5^8B=1Q_dwfRE8?J~QX^$QElp*Cc;N$^(fS8om?iL93~Y!F z{tzz3K6mFf=#X`W$~Iun2lgIz$55=L_eV6oeoUceQi*y4Z_{E2Uh)GF1?Gnv0dSPW z>xad*es}>O{=?%UHYOA#pD4yjS20yX;tHVOISK(j9ag%vy{!B zQSbfiui2K9X;kBPeOtfVWk>ec>lANu-kQeJpn6pJA<`%HvPe7F?9`t3oZjt$!+_J0 
zdDk4wRb14-GFB$UuKtAe+#A+^faUBho%z+WD{12FN%E}ARFnUMZ67!5eddnB-JTc^ z6BNJ|elJcki^!Oj4a@)t182u;a(5{~5e@V0pG&C4O^gw{yd#3s^&;#ptw zuHy(J2O;}k>#^@0cdyo(B@k_9_~0AD^=hHGiK9prKWW!wry>kfdK(1Bi;cJpH(*U2 zHjXU#J?|pwMS69?$Vy4&)b^fc+5VmAApTDJWx2Hd5{f)^pr?MI8#KRYODLdHM-}A5 zXJQ;Qd7(uJ9bN9CJ)fiWHhMymk_Oo<5Y>u-kUdc^vv$?}{okeyLd{ z1Wfi$>Er5xIyb{o-3h*eOXt9!M1xG?=E}IIY`e_5_vyUtJ*Bpk@33;?^Nd)pxZ>D> zrGg14tYPl9$uUTb4eE&=0)z{tpHS|=omJTq93n|I=-5|oY9d|pPY!GsDnlufbK1Z7 zQ9{td!#J0RohjMT3>8j=p2U z-lk`lM6bg_J~v_agA>2!yk!1dF9c{XH!~6GkgzTG6wfmD0%B=ENr*&jXSn-C;UoEh z$d^95MuMy>I!S|)S0MomlaQ6PR9*m}b)7^0Iwm}|m6Tx;t~Sr?zj zX(kQ^H3=>@xi@)9m8(;R7Rr3>hOsS_@q{t^%TpMnWtGdORj(1fLS( zui%in1#Umx+ov48nfCiGU(JLT{q-ZFR!AYi49hgm57sN!F=cd>M66;QFcc;p?v6KI z|J|SQAqFRp=1{M&F50KCK73H17cZqzx>(v z3S(&$whB9-PutBlI|EKSUcyr+4hWn&$2mQlJ$9%I7c`C9oD0YC#yKeWX!DUY?DGaZ zNR&D9GJp;bO^Ekf!!P9_(FOb}9Rg|KN9cGvgh5Z4U%M0)vLcRKDy8>f|tnjIjbm(}r#ozTiCv0(lV@mOi^aHFrQ5&YfDVMd_YHMt2vxLlX*KOAT z?T;V)m#X_PaqtL6rmcD?<$dYJr1_}p-2bv3(oe@5_X*gl-8fxuR`Z^=x{1w%%olzd z-@Brco3~q3zs@>zRx>-L<#v++f6np#8%29!X%b>#+3cxiC6dOC%<7Fx7B_zX&#U(b zPbCTai8p>nm>N@prpsqOp|>iz$KRQ4&j{Judq>DD!Znn5Smg%ySs=fWx z(Cfyggmt-pI0cM*q=Vj`L zHiG-asX2chkn{3}RH?7MF~~uIzhDPf?sbxcT`DFM+*kV|L)oY2fL3N$Y+kH0)5Pw_ zIF={mDG$*Xb4F8`<+N;f%~`^UZR}~;>Fm^m>Wa2Ysqfzt2YkU*bzvAgsry}OaFgV3 zAL64blYL!xYNL>uy)!p3wV`1@!m|H<-*R5*%as?HELUVIsCH??|I@YV5@zLQq66gW z)3f?U*pKSKfJ)u|poxlI4$0Xh(uf%`XagcxY7(}-a5`X}9Y!2$56d<# z?eT6MkfSo!=+36)*b!R%N>m=-;2h=R$<&Vr_5V)4wAAKGi5uTFtFrr(1S0Bh4*2Dr zm?KNBvqXxzTFF+kKVt(vtENG_dDQQ@NDXN7YN@m#i;vX)5m)oxgP7qz9+b!*QZS|_ z=}I`EQi4`2G1q;z2BSDcjDR#02sb5q!%bE4o<_x(&KjC3Nf?2L|5Z^Zg|aaDa{|)m z>%T5KLHH$T^OjjyI1nnj+^$IUPo120*GW({N6C5uMTG?FJ6jw%o`Kwvv@`Gz{dQ9weH!?^sODO}F1)_jg-Yjw<==Fk zh^s%LLS}7LUS{hUN(HB3M)}0$w8{U#N4X);+U2dM0H6}Ai?wp!0p}zI;;aB2Fac#J zX@Dumf#ClA0RhdE%kal|!pADZzXT?4fiqM$P_M2RSby#*G7Jdr-3P-cNX{6)c{5cD zBIYjXQ8}J(GUfluKQH%pt~**i_St1c5BTB83m8FK;DFbX0~{fta$bJeam|;OuQ%bNGvS z1;6?aC!}A;TTfArCG3pEk-qP6!R>3--pqBici_%S{(;nH-96S$=cV!!Q2spb*O+ZS 
z``ZlsT)B}q6{3pFv4J6?^T&Q&CcS5-vf!iodt4=JSjx^cVfE+9Uu{`}<&{&HPMsvu zOu7A{==US%Y9gIVWjBA1BN5i&<%JqrZFeBHr1t@2ibSXVWLC) z%X)>c2d{S_4O`A3S9$4S`Y2x$9$-~>EZN9Chy21gzWXHZo^j6p2)!e~jLcJ=gTkY~ zn(hQJk;`bwndFVIjV~yrqmP$98#yuF03%cz_C3)+nq=+GdN=99d|P_SS9rHi=j9iF z#a_akmBi|`zCGBI1Vp~%o#5Uv7*3Fu#y8I0qwc!}z>K4Apr8Pn!js~e&!$A1iMNl7 zy;tJya~K3dT&o~*`YUsAg&;$GT`T+HoZ@w4={q+M&=O_7&SMOP`$<78VkMB|uv#_M z;xZI7_8rlaszj04Ms-1|qompRublGk8+JVu3gL!@%=G15Qu~~t%Yf$x!ZV6`B0qmprRoljYtISvI>urAAzG9waSTn*4E5j_QY+yy4 z51*31(43K&t;8!}sr9Hp|C4ADN$&R#qL#kypMYrW6qjE6 z3~3mwVv5G^b$N{soe$Lv2rVVd>B_N`48H$*0GZC|^~vE-$yT?NvZd}?F_?^A zp}2S87HR(VBo#7Vy4*@kioVZJOL6@*7|>7v7JZ1ocF1vcRH z1^7LLipflF@>E{rye!r}mT^=4rYFoV`9_lM&0spBIoPfsH(fR{10T@{nSVBV@GCv1 zmzVX5zRI%v&~oojqwuPP)E$nBi)jiKlL9YRW_OqV3wkXfz?$fep> zyu>X|n<^OIwy}T?R%K0|w3G9E?%BsqBA-%i&ite=0trCmkqw`h59J~=u8vMTc>qn( zAK6mm5tMs?Zd_IGguukTanC8r?8MXqGt6&y1OXv1l)Qxk{vjkMJuAjuphgQ^NBnrC zO#woyU=`<5NOCzo+u5GTU(D8R7Gm%hy-5Gbw!p!&$#d(>5$br63s=WKwb*M{@((DT zGls17Nrr0jdyr`&;O#-b;Aa1IjctZPkb~Ty%mb)ONax^S{$uunMdNeB!;9vlqrjmO51VboXP&^*txvvZ4@OQz|#|_6sFVP|rWw*fX0olZL`s<*HXN8sb0=_s;>u(~r zh$eHhi%y7&NKCaf8yJhcnr9Yfz~8mz@yv8bK+jA5t71_gu3Mk%9QPzxp2?eK&3Kim zXT&r2&d|s8IAw2!@cD~% zKlVx=fNKh1_CT{fy8dnIZ+FhG6+Zf*jO-t1aU_Vj-c5mW)^vLr;#c{`zx5W({1V8< zhd3lbtrl1@MB73S-~C+E&<%>?T@O9A5q~$;SZ3GxU9DD{v}eB& zG9A}Tu@bwCv%xH`w*YdVqeuzT%g*FDm(n5zN@ zPsFlsd%xd$s^pI2&w+BdT?PlKEyk3LJ-^(9^_1xn2+@3C`^|;&Nlrrhrs?y>K_;nC z3hx*xXT(n5x3@>WgYSx@EV2_Azji!E@fL&Y=o}{&`x@DAW+b2vn2fdx)D!PL&x&F1 zX?M6}NzmU|QiwDsh*kkfpp@n(|Lze^6P;CO9IqdFYJK=)`m%_U0`27ULy=BY_yQtg zy@}a-!e6U=`Hzh|>PvzF?EsHb+*J$KxEk{phn$Ce9^VgT=jN~i0gLkl)m-3w8D@ov zLd<;LX0I-nt*>K2&$4}uFP0c0+Cg;eR?Gdr=XRl}osu`@fO6g zai$1{r=Rbm(3j);!w1Q+;PV|+Lva==4ETUScqu=>DeQ8~HCeDO>AFztiI(~Ew16eAbv{LLAsz~k6b5idUOXfIzv`g|5?t{c2xH>!r; zPu)Kv&>Lo}HBjcj}#PiR7utMR66mPvvkvK0+5?*@nnI};m|59kR z#Z2H>pO_g+*_M_gJw=iBKdehlf-J|yuIIIt1JX5nnPTo@%cj*EkLy^gmb}gQd76*n zPh5^$#XYqnJ)axM;*w9|Css*7CjD-^2%<6oc!e#0v-d{a%79?Z-) zp=@2jj+(vtQ-{X0$M+AZ_eiXHXA;0~I55yufsZzew$R 
zz6Ln8$@v~hsDpClc1~UF;+2$TMIR&H_7OkA(!ezAK9r%tBz9}6jJPAp6rbN|2wVeb z-J01@Vr*rgvY4jZK6*u?B*yF`43!N|;d#W4iIP&}xsxy48ShmL-%x zkyXDIMI5h|&?3CXJDGN>=1PdtBBbcguytrd*DLR-BI@0$6X&G(G@vaijMm(^bzMO@i_z`%04Lbct5UcpjQ~fQNBp?B07s>U>A(YwiBZrU7j-Xz} zzuv{~c+YzYeE$w>x0`dZZ?8Q8Pq2Dt zIw%yO(Jn#P`N6enmKE#d0YpzKd_ClJ6dYmw+(1I=xA4(uOQ0GCMR}GiXlEVTSKF0! zjB|E*Kixl(i%yo!nfI2{IJ6{W#?l5%8)yu7uL%rQPGydtdS3Bd;PN3hAHdK9VsfLg z)oL3$KbYuI1d!{8eV6BB074HfY^mjED;iB@1DlnIx`+KU+gcj9WXOj|<1(B?*e<(K|gIa)x`a$CI#G^s+|K)qjY&9qz#W znf(i?bC{=X8w@Fv?PkMaY7(w4XX!5IvlC4+v5~{-@xUcU_WBz`U@^&TdvAUxn{3__ z*PAF)CZGibG6F<;`(YdC1xemys$+(di)^00)%3?ofOnr%%Q9JeJ`pW_!FN9~8!pq$ zoKzAxj!V03eq6#IE_f68`Yv=9p|pi)zSl5`lCdVX7~--(BK2mE|zjY*Y2s%hD; z(K#-4cr*6S6Y8Xi_VQu2QYd@mvXqx!{T+LIfGy@hf1~Krun9+5m!(BlJ|F{-l{N1n zC!J?&#;dmi>9}%_Iq+R&(+_)Ko&^qWJV8z^!;F2-QD3+}*iI8RN}+r)KJw6>V;&9|Bwez!n>?2sVXNU7 z2Y;@*Jc+CFTclhyS^7t67)RaIKn}U}CW)-S5qhKhKy!Rf^3tcaSaqnUQ5?|pV7*ec zu{JwhDXxY%bm&*r`=chzkN7bJwD$LR%*%d&2U953v{kQrqtLyK_~=-Pn^WfF0d5Cs zh6e;DVF6oswR#;Du{WNf*x>(ms&=(4RKKTCOF^RJK@D3HsDH>SAQDMo6K2U=tNiA! 
z1JW@Wk8u}kOs5i*_Nxb$Q?HG9Z%SNI?oG!C{yWfywn!N9RY}g#kSx00z%O30^9fup z5uP~kyMGRt&+(PUOZg^$U=!A;zay61D=288l1IO~H_%3DLAOfQoZ9ni64bFRmkBih zfz8D^y-+n0P&Ke>N2kbt^5q&tT;f~wRdaj@R)wCYRJp=h7&Hi zd7n^K+Y00eY_2#jaXDM9%4KTAi>#>C>UdrD9)rO`do6)G z03$LnRIOBp+XMRq4+ET99+Jaz{RN zDTp75D$1kr@&O(j4jP_}#2rm8DKy8F6rYrkKX(^r`m`2@JT-Ot77K8=qO0wQuQB8;yCsM;%Hb!p4LnKH=ED<5eU6Kn4qw zk~5HQYsej%kvUp8xsHWN6$FFo_02~$7A6ao`t+UA#Y&T0)k!AVF?|P_?n-X)$E{Al zZrTN_R!Vp&Ko;V3fQ`bhL1L`x=kKv@%*;wbTKwn~aJ|`5a?K9hgUY-DCE0#{K3Jxu zICW#QkC-aZ?iYE(qg#ZqKfBJVsYJqk+IifClY_>7lmARM|Ls4Zu8O!Q@GW=+gbD?R+gA=?6FhW($G< zU4l%Ob-OBSax8RG(y;Cqa-O(}!)XlCY*8Pk?%~ttyfNM&NY4kpAlu9 zvBnWXy?*6{6MZ5#3$j~S8jX2;Qm6O5I6D70i83a`eC2anDLllthln}sHkdNAY3L#1 zIm96^(c%G0+uEHSumzz?x7k# z$M@-{TCZ+<6|XtyG12Zf3j!GN>w@?l!!W~k@}FMfqmrI`(hiA5LBB4s@43_VPrp4W zoExU^Ac0Rc|HO33-CYZDHm#OlMzB@ZD}}OUkqy6T0>3s@3oA}Tk$4^hWdob&(p@vCR_mg=(G*>1U9nimp_=svx zgSuZdsN$2l%IrBSRKJfkX&M=cq@LdL_mnqAZ2K$)D0J^hLp|(MBH6GcEit1KMFO68 zk#I|_<|sr#DVd=dZmTDgE0+`2N9FRqt7=A*lsJRGUp-|NPnM7QyXZG6t>+x7!}X+3 zMYCrGdQk3bP3PpEN7Uku_Q*5yBCEdAGb6fYGV=TNk-(#v|IDu;>9ysjPi7S5!BKc& z(d`sWO4Fz^VI{aY+eeTn0bHmP62RA;j{yL@Au3 z6fv&_1x1_ap-=g@ne(}qS91Z*8><12p0}4ZOGoSf!~!M{D%BS%9u}M{22!^)=ZO$v z6n7lHkRAEPIHp-+dVwNl7t&<8K_eP$_Y*I^5dw)IBmUee%F1hby-L!P|W2LVn|q{^rGDL(!& zouC3+^=Y9xY8Sk3t{Qsy+&daxkReCH+$HQIaNXX3GiXAAJ!mERDND!CX=T7>0wW|V zL9s)UVNqUpt23_&P~<{#;^`bhUpR}OrZ8=h)eIRYsng-{g5xz zz$JKUa}aQ1ThX=vKu-Pxa)Hl7IO)w5VfRq?L;eivY!yRO6t|=@{UDr&6F|SS&G0a8 z!AUjM@;D2 zupE#HaC7Y@%Et!e!JN3{+T1v8lOGuZM;dn(b_t(H)x+FK<$%bJ@q@#I1*8kAetCuL z_$JmpzcflruY91drWFC*4_@8(@IF#O&Uu3xoZ0840r8TT692e@8l|v-O*b6X_%4qY?+s*b|Dbt^4&iqR6a+C2q%1&-Zbh4$VjEKT0twX1=cw_{d$A2CC&d z_Uw0*U&M&zka8H206)ZZjA~y>{#(MycAnAPpWCmo1FonX@+zNy+LMF^UB(<*e*ROa z%{jzHM5Nfem*>Yf)`J1nXl43Xo~^d_^f~R9h{-GXpPOjTjr49M%!n1o1RjMyfJPMW z8Dx|;AAiU{;X1Jw3#3x7iQem4ewhEolHIlc@jz`nV5eeN7AWXlo?WRtAD5Cy-Yoap zsTPnVPdlZv)0E+pf3)r{xR7DZrqW}P0q){ncyP_ZPf2~cc>{nz6-y=yh3kOVdmRt( zmv2U~wXd{QqS92^tCO9ic!ym!^Y^!Y+m@|NLIfvYP4m_j9&EipGfu)#MVQ*cp1u8pQ>TT<74`0i6TeR9*(bCs$N5@h 
zbgZV!I;O}~ap!l`=Gwc>a~zNrx^M`EWAV*@^O3t-4QfFjMghc_mBhW- z`_zHRO7~{l@#uqzRRBLwx#&2BwwEC@LN@CM$m$4eTN9iJbdvpjpdxXmkSq?xgP-*Z zee?>x>#OA2Ywg+JE-TZ`jL(i$&r zkd<|EzzH6dBoo8oX?tkW8(i4GvkB+%5qr}(l0Y$I=*BYe(N)~M+uuVW)QA+0<63?T zn>u4X26ZbfJCWOSKgZe^lmRq34Cyy)UziVnx?R_52g(H`YrwBEyhmWF^Br(djoV^D zPu-FgUU~ukJ3g8H0;yO64#u9R7$^BUE`1SoZZNg+W4l^iLAIjl=nLcxmv&U?HO)o! zSC?3X&ZjEUAuw4qsi_b#zy4D;Z|h3%q=*kpcg^OKHQI6wT6O~oM;83Y#f%LNbsH#Y z5W;4R=UNo0GQ#UGHvaqvF%1;XfPzm)-jvdpw{>%Aacmwu6X_WTchboLC~SSEg~1G(ko4#Jr(fy{JcCl zsAIM$$baY=EA~~=>J1g{MEW3_y)ZpiKe}Z~MiM52Iq8Lz=+xVh0D>}%>U zx|*{gwttFYpHX?!Tcpx$*4q{Ms+7M!j!USR)tTI^#t|jm2G(*;ChG%)N31NBggUdX zaxpjDF?che1_frGxt4K8vFq2Jnq6GPNfuWq;1-W-dA+y)urwF23(&JSN29X@dhk}t z#8U_5JPr4EU+JAZx!=6aX*ZGv7^kkyC-!Q#aZkm*V|osGX?YQweE3VeQ^!tdDIGbl zdQq z#b{r!9lSJvvK%iCYdgHXV^(WPb|T-O8`-hjpOG4>?$K{pKnLIC``1_}eY7x`6A0^P z*8GXPkGl0aZDfG|B`67#stCV6CsVQF5%;qCCxl}$E zsTAZ)^G^`|YM-~_{@3&7F8h)qbs`p3v|SK}ZMXY_bOI{6T&CeJ{R0y!ei8Nb==29) zFoilqtd}mj?LU(`ux?7|sM@#vh#7@J?RG(6izeV*nNZw^xBkN+x_{@IrAAy>ng!s* zby@^748-4h4e-gdFv?}2Nz@+6vD{Y6HR!!1;lW8++0OnN$Gsv@=IP7rwk$PUV3mO! 
zhq1+1Z9gv_P@c+clik)DGioxRrni-ID?04yjf%P?0G`u?a2cLoeSF#an8l?FZF&|1F$P3;2zMxx0fkdbCqEor zPnuN9{CvwKs39%Uw2z` z@a?FU0K(N!%WC|my-cp&>WZ|gK=NPAf?CZik@Nqtk7FeRYd2b+dis(o=V~4(xVTO9 zR8tk7yMEVUM*Qc|a1Ev z)WybZGiy=^>_9NWJq37;;O{C#(`#&zV(%8QL3`%TEzy}OzSUbgPST4d*A3Q7j?&#X z+elpL5~neBr0SNzS?nb)-1SRd0;l_3pF@*GY#}`4rU(ME#|0zOn$#_5!h!L@TDJ-n zx2MK|U2=9usBgIKCEift!l`$wdb8hTsQRL+|0+7h%itLKNxa8$f-itAP0K#u>M@X2 z5}~Op=BD^*mV9%Wwz%(B)OFBpox4)HD>63wkc27+A2+O`Xfr`k&3fc6s^5i+#@2*& z(bX?X(vG(+chEfsTDtuCt#6;26B}rYYJ$iC{RrRlqzn53{(O}0OT=2?{JF$}z-V8l z$78i;!*da75L+^nQzu9!kv1OUc~}I7*AB8}JSy5Pe2(Ui=h-R5|}qM3V5hjBCDE$Lr2%uMB5m5Sv@LEXQwU%_|qb*gwYs(G4{xC6ne{zB<%-Z z=&;g$qm>IkY_+X)QMuPc_pIAidMj^8#LMoJs{)^g_xy&zV>h(?qb%1^8sGAMQh+3E z@2{=@x=ROju^R-;MF;?2w^>pLq;g78Wdo>J)WEP$gi20sc!rCQcE{Z5d=Uw7t01UA z+F-jCgbqJ(%$|mHIYFggvS?AY?TNVxl@%7#5p!8(T);}a5!=*MDk+HlDZ-+8Nb-^c zGp>n~E}gTSMTcLymSXD59ENJxuB5o?Zq3xP)Wy~c(+2DIgX9<6;wOg3&iL>uo{`pS>>GZ)U?JE{(ncOfxy0oHvzFX^p8TF)z)EG_o+W9Jxg~E(= zTQ)lIGgPXl4W6`{YqH2DcITvH#Q3&kwTQon9#~pySL?rUni|;?DLM8>UG&?(9T8({ zwWAKx8r(0}0*N_LgAxCReAJuWZQ6&j$#KdN1joT2LY!(d-Sr_ZIZjh=wXAb zY4iADtur+L^(FHpnp7c3-mK8!!DuS(ylW+8pDd+ql<@%)R&aPCHC8Y zDPB{6ov&|;^;8z&W5=0r4!U=;n@Hkz6Wz(!``nAt4SMB7*X{J_4L0^j9Im7WSrVSf z;n(s*sh1jxB2ioQmBbR!qxedqZZU<-tFk-4Ks&0c^Uei%MJUNs0#9_OZ6L!dH0zz< z#_#U|UPsKTZj5xhT*j>&qi4X)KPe)53S(kp!3yvd_$SK-$R8w%n9&D*ZzR z#;Cc6V!8xhfqpqmUVI5B3|3$TknGIwY~VY+OKRJfGaJ&2l$JfqD&y{ z4N2~j=gIp3Xs|v-eAyI0?Uk&fjm#bc?y>0B^yZGijrv%6yFogl_8njWCotrRIjOqa z$DH8(ED@vK+J#{5Rnegq5r`Ok2_))D6JDVb=23T%K{Dr&Ih6B5BzO$4vZ#OC>BJeA zJvZXT-W}C}M<$%xdx9};A~-VrD_b8ZJ^bbB{jQF?Ii`E^cN~7TdhvO4l${yp1My{n zW=$(%caaQrGW26j@rPHTxXd4JQgx1yC$(4mf68sEteH6W=|#t)L7@nKxvM7+7G%ZQ z*GqgUvy#bhm1{1$vG?o;?XKTb8D?w{=Ur6>arb~ws+N(ZOq z{c1&&;Y0RgAsxyy`WWAer`}VtW3EGvOAGcCLJU%o0m5T`+)=IyN7k9K@s- zvE=Oq1}+KafqjLnj=JPthXRZ8LG?C|*(pA1j_JuyLOjKMA;ZD;XQ}ShY2T{{2(0!w zFjxN7fG+DF@hR=jj?+4UEwY$g3P%d40V3;+VvGeJQn=Cg)m=w+mhpc3 zDlB`FGZHQ(@2qs1#>-0vU28U6*#|Nu^Svfb$FROA!XzbZjH%^@sO4jlF>+ZD-mW+~ 
zX1A0G)DYE?fn)G?mw7meXzc)h7W}`0lz(t-TW%}=nC1Mr>9LQsrqS?KvlsLB0;*s} zr|}eeQz2^5IClTxh7`uZqC#|Ee5m{)j)GSoi6UQB>pJ^L><8*!k`sy{;Xzg!&yz)(5;ya`K^i`RQoW7)WZOx2d26f7GAAZ$LY(Q?D?~SQp;;h zhIBN|T!Sp0@_bD?$4@4tE`4yS!sm}CXj{fpNW~SMJH`bNQkv!#&9b*+;EzQ7E6#4Z zI8p@Fvld|TyEy*15q{YuMbg2>Tgy02`ef`bMiPMbm2gWukKSF}lk}nmX{~a?W3BJ+ zXxwuL7wm20g8cGZfUFPXAg6ga0wR^S!L)H7a6j`e7iLI-qLl+=PBG##HQ>_|-p*0f zG#JX-4SzD)LDR4{bV}&j$~;XKqVMURG>V2jr&%ywES@@R+5IO2iM@z~x6SdnWlDaD zFqU;?x0}q-$^Vo)J5IuHOb(nTC-PgfXN*762L=J1cXabBSfI#O8vMm+?7L%ODmD=O zM9N;$*%581WwZiwvJ2+1j@IJF7S9(4S2iEh<&m$JENTvM+z!dHe*gD_zx{Oh$GTR> zL!i6ei@a^^jT(Ld@yYfX^G`{ENbHhscO9h*PkedohDhc1nuv3&X^?|M-5pI>3j)QL zjyNuGgi!;2Z#}UHB`QUm4;#Lsa`OrH4vYloKHs9+1H-&6J6+(ulC^ zj;a?4F3$wc15&%d*z1LTJILG;IOh#_N|x1Qo??}R(@3<2028971ZJ2juNJ~8GIvd1T>|3E|l6>M?|8*>4Y|q{UQnR=1;fjX&tGs3=tNPG|CRb(k4Zur< zJF9}};ZE*GX3Sq$kgaJHxy%=Obm#FP^h8`ZXu$Tc@_y()H{x7Hdz^WBqLPrws40$x zDxFKp`^SGjoJHqZ!W_Q1-!?ke^+$%L7PS$7v{swUrlsUim2<=!U&&D9fLV~42Y-kK zNt876zr&*gYSAc@wqhBDBTd1<4SyVp)npA&F267y!?&_3a~-|3qgXhdXBhg9JND|s zhW6ZI{LgBW_KYF9Kcavmx_P>jgW=Ey@P}3^A@D1n(S{O*Mw}*gT8ekLwH%*caYnQG z1cN>jj8A)LWgzNyh4w4BMm()pHEKjS+euDCXYPilVHbU{;p}<_ zC}*ygVThqzKy#DR=~=KR$3O_n_pnc9JY1zai^ssX*GSaU&7gYf?mgt1JB2X(+0L@A zS8x?9$-tLb>~3A}aO-#dpxKoqdzHQ-Fr|%e!X+oXFj5Ly5k>jn7Jk_*Db;wRLk7RP z6!*7Vk)4Txlfl^5nsu7LfNYOEsu^wj(Y`aKc-d?S=e)zp;;`>A$5>uPJ7KWE||aJf4L%;xVnkcrJ0j1O1@@T-JjXux;LLgXInp#Kj2 zl7VlTf7q@CfK)J&gY@klxGbZ|`$X3(_j;2%jIXr1Qzt%Udqt}Et$7+XkdhdT&t7JJ z5nhpcrKrfZD%2xe(R4;6olJv2n;#@dVq_#T)A1H5EBrNzw#>@6}T(?;N zIpWiU{qZ`m*q2v)+g+JxmJeI?v(NU%pPWnmvZgKu!?6@*`tDF41>SeD(H@Up0u`CX zAKj-VC%XOs*iY9W5-0aHegg3?(LKibWwDvrnV`5PmN~YdJwImJB#e|)wj{A$aNdT` z#ODC(6zai`9`l;9cv<920BJQ!8`tsT)e2wr3qUa=0x1e>R2K+|7?$L!8dR?n07nn* z)ZQs9zVrup9q2U^J!dv1{-SC9$VF(Vnm1Iz-Ul#(lZ4v2QH$!TLOrjg7ppG`FQOI% z4`@Z$4{L-J-0F*i$kO-Z9xZf+a@q36^@~SShcdJsv2=SCHms`8bHP{4qXtJ!jlf^b z&kQz_Lc(vqGQAw+F^1A%V$!Hxj?u`~vF=)D`T8k;t#+#67j^wZLEB;oWVXQMvZ~*J zN*m<=#tB~a?pr*y_B-KAbb%B~&n~alg-G51#8=OWI=sxqF3%PED20PCRh}g>P8FaM 
z0T^OsE-X$HI@PTku}5VI5B9XVm_SIH9-#hn2!G-!$0_}eBjfBlPrJY_kPer_B?^0! zQO?$*i>Yw?OKW-P*X@o~UJ=*$H`A$H$KI_B19wJqa>yKo(xycMcfU=2I%YYYXbLJK z_0;Bn9OBF|dCdrmc_e4$(1gaQ7aom8RI=ysa;$RXqyIExcy!(L;~5zrsDQ2tA%C=s=^h_$!5uX&rL6Bdx5GC-#+DE|E@Rl z0WAggu6ElC3asz@RiDjdrbvp#`n+NFzphl|qp3YUb(yuGCNy={NLU@`rSPy?l`H+= z^Qz+6FNTT&k03t(38{*MuQHo{R+QxlHC>0icvO()K5W@QHt%dsy`zOA3=@O4+13MEY7Cv@$^Vh(_$MJns-3c8dU6CNq_`}?!xk&XR)agpE>)dAi!^f4 zrfx6}f&V?2Gsrjg3T`T!UL;xfNa29@3nTf^UARPSx;x%?Cv+enHSq-uQ%3S!zU!n6 z7&DGC{`v0n4#g!3v(|E4oS1E`V5FZtM#`_+^qX zQozAZ0g@9odsXM*gZT>{c1d0r+=F5!8Q*MAnjL@F?Zy4o4U(m+i(=h=^Eo-W7ebZp zPw9Qqn$@`qD1i2}!Zk_G9Z%P>lHdO9KBR=8HZ_hAM$ZjiR9 zk~z+Ev8{0YEbPcg>Z#1HG@&JNkn>>8(Sn}e(d%EgxtCPL;LzW}L!NigcnOq+Or@+; z7s^k#rK1@{@In7W-djgi*>&r~kBESZAfmLCq;!Lnv`C3cOLv#VCPf8AO1fJ@>DqKC z(%sEgVbi(k*zjAo=Y7xbyyv`UJbdH({`q*i zSbC}TsfDWa7+UC)Z~wYsD`3KTjf{l5(m;*0xq~!zuQG1M=_{q5@T8PBOxH_)4{NE zGOqhCs`43FyL2Rt@k^&~UTbd+^~w?@%TaNS{|o~Ry~p6mu;NoU{Ob!(xR|j5 zY=Lx(*Wn9!RO@`Wcq13Q;(mJVEK9p&y3!jt*W7YU^BAZJ5ldy|fy?}!k9JpjxD`vM z$Qlra?FjD+Dc2+YY4aaFKkX5eVU`BM`GTf5fgF2S0y;!slV|nEN*O~Js{%u!!iz`T zdN1<0aX!8^n4xSRVF$Fdx(1#q1+6t0TNEcCE5A#3643XVa=NeOZsgs$Xmj-znmQe` zm@}q_pC7VJA6hOM(ojr~*KK)qbA}uUT2KajEA5RwdxHJq{xfg$R0TUu?7V=+1HO&J z)&7|wk=(9ZtIu?;h8OuaJgbWL=lI&L^xK_^^xdJQ?5&)3j_6zSUR+?iQC!GGL~6n= zqYS@4Vq-}H!)c$y3BPcocpNc2-#K=&Kv2dERb&ZIA?y++xe)$>v8YITE31i+&<1c`Q$B`bW7>G^YX&} z9MAd3of(a>2^lX_;O`hJ%Uj2W`8Y3j5jNfur}YP(kF2?`qt%6(5tN|)S%u7rY*{x` z8aZr-qU8FgrpYG-zt@F+(tVqJ=F?LZ!h$A2t;AlFYB=97wtxLrz2Uw~!c@ra`2~UI zHfo;14ws$pxk`IWdSS$fN#^F2MTucCy(ax-mhk)CQQVyF+c5d~Bc3NoHY0&e)2R8o zRMFV)uLo(|HvBH_KNx^beU0B(Q;8u*#PW5)=yVUaI_0yr)kIz=m_c+D?s6vfl-}%? 
z$9NrCu}FceC1(MwXRQnKwfpE7L!>?9JkETPM7alUq8Itz^)#0+;#hxu=f)Q!v{k0L zt5WHmxc%ashmyb{S-8vOS-N7TNnwzrpJ6IvhO{H?7Up05)W0GhKR}H*_wU9ZCYi^e z(qkLu?C%!88@q}73?dh$(9>vQqA-03a_sm_RPU45`tti)FD zm)4^-m@32DMsx3%$A?L{0krTlcDa~UB@vBDL8|!oHDMWVX*ESzTb(7$26E2e*@lkv zgg=GI6{2{;?nht2^yv>VPQB@Lg|uZy)!m)Ff<5HH(XPQLaYX1|c^Em5sK&yV+KQ1^ z`;V3nDFQmIeeA*9^)%AD#oA&n|2s*9Vd78!B9wDtX~!VsFrKs77aF%;I8}T1rn989 zg~ve8xcH?vhSqzD>4^;cWg;OF_V+m%xSGF`e9Ml@kJWxv2Tf>il`vrLQ~@8&)>VH7xSJC3>xcsmm%PSAm-2k=-jA4xT)# zs107GcEf1Hfdj!15!|lQ-Vskcn%B=l%I3z|zEo&9b=!0|)y=^ccup9w{I$ayhuhZp-IsyPC?p2z3ic}okimlydrP)CHqC^3rsT|hRJHPH0P6P zGLzq0RW?;zAtFY0-Pcp>!d^*MDR5NXwN?5eB*@*DB<{FAbYRU5AKm!=6;HdSptD_3|n2r1~V5Pc*&Lk!``vZ$qcvekqZIjf5dHjF_b9xmR)@+8F>CIz%m=qypJmUAEcK8F#e%V2> zqhEKESwC*vv?oWJ{&mlIp3+~#LTe?W6PeFMw;A4WS>@O4JQ+3^;XkUvzA1}4r+?ST zWk^BG6^%k}Rm?;8`9ptpHj65EF-U3(!^W=LVo3+xDZk;sz>6Dk*Y`a}K)d6U;pfEV zr3-_yIC-bJBhLH9A$jjr&|jP%tyQGfkrYSg;Ns!xp>h!PdC&e@*;N`@SSjmfw?@g6 z6sab+-EQMPj zlreh43HLd12%F1=OP5-I%n6rYg3_1i&~~rz%I=@q^JKC0-lZE=qK39H`2Fw1+vL38 zN?&=S@*Jl}=J8ATJw~SIBrGAMxWsqwg%~vEmJA?5trG*dpAB79T^u0DWQem%O8uN- zA}7wBSEZU{f|@4K>yoPp5=!qAgz|j~$jJ8W!LY?7ak7h$S=&h;nx-m}@eToGI9oW= z_l{+hr6Qd(DOJ6|xmIaUJeQsPbb2~>se5*;*7)`O6c6 zd7fO`U0vrbc*Lg&?F&;@9=Dj~-cZI!YlyIT3*2hB(6{_1f5#-*S;81q$l|G{J9FH?zUq&j+_F&H1WT1;VwMC4M^PKt8X zBWI7kmB?kikYCB)1U0Jz&he7upS*UUkcb|v){EL{SY_%wbrE~kM1@>?<^9bDM#B-2 zy`ovcQFi0>=kr{vrJodrdT%*Alf{ZwOFDv2Ok8^l!E|}qw#Y+Q#A3N~R9h5u_Q;Cc z?6owmI;F5y1T&Mh{TQG#;0m4cd11_FXz*##QudofO~!mNp*((KpYHo;QyivlrA5|j z+6_aBL!$4;&dq!HNrlXgxifIz@A6qC{iWKd+2^l8Fdt^YcMM9*W}n9%psUF%g163uc7SPW(uI9>d8U7gviw z#!J$u?=DZ${a{kyi{&+QzuYGUUsGuM!sn0p^cyepiSQHUbb)xBA z==$QCzV}z>h1s3SyZa#%3^sQ$7$PWwWDQ05j)hOx%gK-1-6in8`O>%;ev#z9H(zQV z;AC@m3`fo7_fQ%tQt394#coYBRz(bNOk|yG=tIn##$=M>qtKT$N zgv>%1){^W8m|q$jomK&|TW49aXSky|I&R^aZ4~8qAquv9ugS)_Q%FC?fRsu^5zD@U^`8XT3iHpua-|Dp%%`1X;t%z&y+~GAOqb$rAMC4iEOV*)@xg#k zY~%4X<7tAuyDS}S!l7oz3SM(fj_A>YJ~s8Xo%QN)$F{9*;udL+*41>772EL%C$ukX z?&;1OXp&$_ct@K%-QCSITyTSXE(eRWXSwok#WH%!^Oda>_c$U8S4sEXLP8c_wLLxS 
zG;EX0@2Z|7Sxo%=i|`r#>+~sH(znUq6Vk)3nA{3mT8Oo}&8L!+w%zmOwUJ5GSB3jN z?59mxUIPd#jW)sj8TEz?ZZhXkWSh2WB#FZG32T6zZPBXP$;E!Q@QeF6J$G6a^?q+_ zwL7K71QwaS40?yDOQ6-VtCYqTUcP^=0VUgSyJh2aLo`BYC$IfJ^4D#N0DH#1?9^*c z>7TtFpN=0CxW0&TiYi^0=2Oqhd(^yV8#CnIR0Q`jsLf4dojQFyq^YENDt|CaJ!4IM z;3R*;&ymi6c6#!9n1a}?H|_V`UJ-6sJQh%0lwW{x4{pQ=0!L+%ERn#N7UuQkP76-U z)oa9Z1Zn&9A?gi7``uYxx2i!0e8J9VShqc5X|+;*gEr@Ou>o91Tmz1Rg6kzMW+^72 zI=Z-BVTS_QEDy#_yC0+qyej%kQ28jS%whmRv2X%aj&TXTT*~p_=pui6tNl8jDs5s^ zfXd?w83S{iA#6vxjCf(QnsSmWdQ|34J-cJlGVia;VQ%Edp&TY^Dm*@V$5ax?5_D@j zT9pUJ)GMG&W#Y&}vpLLu{5E;8GH&Dl?37os@%kiF+RZ5XC~+(*Lb*QJ$=BMHF0VDo z1Zj_vAdMFTGUoysx*y`XeJoT^{z5YFem+SePuoJ}?fn-F9122M?A-7fpNQ)YuD?Wb z!?#0%KGU~2e55so&9#Yw{ zcQJmMr_ERKZK9o{USgwGNpp(Rd!FNu-WE!8`gC1zL5r=3okl!u4I3#K!i_sc85j}h z??9)aeeYSC%^Bl^XCH%C>CB%SB)05-)vz6ZzW0`wB(n2q^4fY(5hAW5`{Y9Jqxn-^ zG(Pr+)n>Mnh^SDyjur}doK)2lIc4@#nxK$%ue9F7&h%*bhUuFmLY)h&UMWGi!J;ir z!CTDr4JEuu>tm}Ad_hH`;0kwAjO@POiN#lS-C3lZ4^md=vdry@V!Tun@lLaaQoX`NP{J;6Zm97UE3YCJK~*sxmy$mQ2^jU?|%7R)JWPb)=-fZ`gYNI$25)E^~LAY>8`p{J!^QW zwC--_V>=b?Q$2DE_Z)7A-4EOjdmr_FindWNcz#sSA>|}ti!rC%^2MN)kfz+GOWxKt zU0#iCD`c-lIySa5#gNh$+DViu=6zw&?K#xT64YOKXso_Jw3~!G1y4;k8Nyb@}zraMffYw_&{3p1Z@YcgHwyW8eXkRbA1e>ZWQH{wog?bw({=U+F` z4XxF7WL?eIV^H7SmEp6#7ijXpbQSDQRo38QI zqAb>@Z2nPgn_MKHp5Qp(=oDZ2Y?4t(>sKUeNjs${Zy)ul&6mBfy-AbnsIW)r!?Xes zejQ?bE^9Zv`^*w4x$@$^xLA>GVoByJXXPm@k_PUWZQt@XCb^H{?{Oa_ zE5~0^n^Wu|^NA+BDy;T2UYLd2o{yT{NwSoF}gB2Dux^F zhp}ZEpr_yC1~bj#eyWRe9DHU%MK_Arfm-SV9t~r^IRzP3JE&g!!`Ye5=c({ieMNimFfG+zBL)%vqENSkXMA4tS96h8IIHydL_5TpuhNSV?+xJ(aQ+XMNYyY&20>v z_^ZR-gKmTKlTQ^87B)jo@%k%Ok+A`9xH6`>I~Q9+zPc^cm3Nby_La#wLL;P!Q4%LpYX!{c%^ufI`?w9_>#vlAJoJ|des=LWJP^Fsm zmr9=AlQNCB0g-nx=ARgR37ukCFi(Y<%}=T@bJQy5+B9=ckbfdE#EDFm`mU(9AjCi# zLSoGPog~%;H1pPf^ns@{FSftr?&s`&+?jKdps(B#jm+44*BFK}g>cyK{urGm#O|IQ zJ44kQvBD`RuF0$Qu$z$^<(0jv^h?H0^h^8whWi`WF~hUxCW7qYSPJ{9S%0-AG~ zI}{#$9aXuvgLLsQmFJa@iZ%=a~Kc$r7pg zJX2&b4uQbAY0Md?aYGG8tDo4UfIFUSf2J&4Q-vVr{4O!OzZe_onB8}=GP}%FFgBL( zsGAcZ^4^$n&h1vKb$zJr$70HqfKZ^oe}!l!Dn=_cpHQ 
zOUE|FkZgv+N>96yFJ+}+Y80z30em3=&ZYaBhcpE*e=*pYdI^Ku-c|)9!&w895X7O+xo~$Jlt9W$ zUos+Vs}ReT8ZVfnxMl)7_Ox@CS_xs+V1B~tST}7~$M=+|jfmiWBwAm|M=6XMT_5IA zqc%v2G8X3wAi9dlalATW^q4D1pp$s8gS_W+Jv&0-1H8%KFMxVOFH7&_pbV*i7yPyY zKj}(p#E;0>E@{J`B>q)TUcb#oPmjFY!ik%IPOK!0DyDhdDLwgejZsrp<+1qB8X8V# zyd5u?nQX#d3WHKC(^nnxiU*w{(;;+Wup-iYW@%=5<|Sr0X)Ejw56N`P;n< z?t3KD$ecznt#%_Do68RZIo>w+HXCC_zGy`ST@nRBQq_8gPX^5@H~b`UCKT476n*hg z@=6DF^1jF}#aag|Zp+E_sPh!JIT*chD|M52h_y_78o0<28kJ?b>7M3Xzgy4Q^Qj6L zrJD^wx< zA@hqSH|4>F!3x|K3s5|eK@Jk|#TeQ|p{fA|p>Ud{tN21H`h5mAlS9hyDr$f7N`ev1 z66mpG2^Vm8#F2Vj<2jBS1D1vH+rm=8v5_Z0*mQP5-${tNdbicl95ro1gd%wW_f*R+ zuc@!eGg<#tqS0iHcfQo5XSyu#pFWe~9j5DmjCO#=fIRNh{4o3S{anig6J_JJNodqh z??;WS8wO-)WV*@8?qRluZ&^q~UX6@J47d#v!r<1Nf5F~}AbIYee?GX@rGPabBE`rM zQ6;GO$+F!0`|pYx$7*YYtZmdaEdDmXK@7gk&JEd@5-_f+n;&1i;<{ufB(LVQP zbXX_QW*|eeRG$fXKP&i37mp=3$0)s@;(FY}NxL@^nlB%;{^kFv0fRJ0sVpYEUF2QJ z2gxqsfc4cuyP?Kkz7O9-+cHOH|7MzZ|4Mqs`YTKzmlBrQk$yMUe93_#UGvxWi-z^~ z4EET!v(@K0wKPnOZ1=CA6B|2GB`)}>s!MHjDbG|GGA#CztNgu=xoU>6M-MU)L*Xl) zqHFI>@w~fK88Nchv3-1WnjWsE48>$UR%*i|Y>lg5pjS#m3bx~Um)EN(=;q<~=|qoJ zZWZF9$S`*4n;$>bs+bQG=10Yv&%SDxo_Hvz-fyUQkHA9FaG9iX{^u*x%=bU{Xc2I0 z8sXKg4vvL8c#mkYklsVx=^_+jLVn7>Bj;yVpQ9ZuM%}D^qY|a1-0c`@^og#^n5l;O z(}i&?T1J0dyz?(ML@eiBe6IO}H`l@YiqMCQxCeJy>9M!%+J0&iFJ@5S39_8rN7I=W zoql*bTovzpm>B*XH)+esiRhM^M$2H8lZ63E9JZ55mGod2ECuh)i)x=Fn_N~tB}!I?sV^76aR?S{6PV}#2}5%q(i zT(UsV&~k;ix=yqy>$MNR6b?=KSjuh)r%E4C$K8l0G*O?vGfPktNWuHX+fS&rnefy8<&CT-mFM9idlGi~&Xh;#ghiQUfx#~}l{jHjAZvVin zf|b0b-Y=E7sh?IPU!dvi`O$WcIgar8(LC|pUM_Z|vY4cS8tvm>$IvV~3ZUzTHtToW zbz|ns)i3fDTb^)5G-rC%vY|DLwYoGE9Js4D>b4qrCex{P;Wk=4s)iwq1HqrfkAA)* z_w!l&!3E=CbKznTj0(MWyW~|>;R~j}p!;}5ud$8M({l&#Hb3c+nQ8_C-((k&i&@Nd<7zN*-tRvN^Am7(wYt z$)5T#5l5Onia32ASo!Bi@2<&xIDUA9%_b$-S2enDb{oeJdXe~I>`g7cSC=p7JV;+` z*qamHsCZ%Q{PU&fjAJ{W$En90UE__T^zQkQ2K2$SK-i-w&9DWS59UeONGihC*%e0- z&o4V{ME2u&$_In)`1?Lbzd|M68YT@IP1{!4)_-L+JxD#Q&*k#j0^EG)TbE>}U22mz zODi&5tW)n*Tg{_<6ppzKpjL1;xZmp6Z}IP@)N`06+&YP+h*6>3y-QI)v3|uyi)f4f 
zRBg&Rsx;|}4cy{QYmfcreGD2-UySJ36YXxNs>ANZir)!l6n6~iKFYp45ZqVY7((S# zo@F;yJT!v+{K#8%5-5%(+%@OV?l*Pb(CRME=2A*xY%TS@Y>ak7TtN{!m;&$ovvJtyJ2`tgzW)>r3o@GcY0=5o zncn%>W`Nh7Oi^j>7XMv>MyhrbjynOck9Xw7*sfXF+jf>YueJ_3M6v$G>)#2ouWQ#G zq%+=BNE3#ug$bye4q)quf;-dm+tmlEUllJ*RAfClwLd0h%yD(^bTyqnZPGa{bu3)8 z%nNojP4enhYUa_qMS7r#oEftuDSa4h9LqsI{(~Sq#KQkN!Q@F9+)x^mx3yI=lT=P^ z5j@vCO{AM7HRd_T6*S72ayQXalhfkNSMJljc#!@aBh^Fycke;av_6554-TGtIIDR_}%|6XqVe|KOBi`Um7sOLd z&HaeI3eU~Q+S*}P+L}q|wy*ZO`Hi??Sw_i#tcKNcl;(EU!Pgh#%$E2V^F||$=O=4P z=x>SzEtVbF^PKnq`_!DZyP2$Dn_L7 zpt6`RU%uj&Rznea?mQ5^=6~?Q62z}W8P1EC6XVh1&YEyw87U-eG@fpL6t+tw)_nrMgT<02lKDzgPW`jr!~zN)D$ldmYuAd9d&4Rm`WGkT!J<~MjjihW zu&9^s7x*wG)3L9FDW)C$VC;gXbG6~rU!0!`bPZ7EhHn_kuJ?N_^7Ib<&g_=Cp_Ir8 zPB9lel#Vos_=?_|y?YCJ;?Bi}y{~8KXfV3tV8*%MC}C3mNyr^J3PYp(J->ElDjjgB$|?kgeBs1x$*uC-5T1xMxQ)!6S14@3lfSY>SAFOU7UC@ zl4xUO!uUU&X8cPGisaraLbf`FBO(IKm^q=%R^1OIwi4iy*&;NYR2Z>6@VHSyx+qT1 zT5dcYC$Hzj8&!xoX{?~JRNe;)rtFfZV>v1Doe+^_df>H{9*gfRL69x=;nMM2*x zM1*#I+o(Lb@pnS?<(kmi=uZ2n!iT1jDO zo~`OTP$`G_(P=#VEI@BRY99EP7J7purZC}~E_27D#Xh4p8I{i%&Dv&Ed{2f$f4gUt zWyeUc5?Wn!`+tURjkh?`EI2Fu*?aJYi2dw+Pp6fBw$T;I3hL2CB{?#H6CyaSjN-q8 zF>f+LDet%Y;6L2he|!|Z?!aB49n5CPAjJHx@C5_?P(AsYC6iQ@6H@aZzZ5d7|9mx{ zUH_3M>T6bG)P)27VR|p|_y7IR|NO51@ejp&extcxd6^ae%dh$$-}EoPsQD$q2UX9n zUwQnm|HC`{V;}z`1pd2^E3{y(uSdKHS4uEoX5aPR?Dn4arqxxty#1g*KZxAqa@q`vWq1MgC>ueg27m=`jPd(Uh(%j3U zhJ&euX}j`Xe&l+2f9kPF2l=5IzKRbjs+%x%`+ZC@E>?|O(LV$E-&(rr?PcNTr)RtU z9Ej7o!`em5S(kCPKuVA08wm7d8d|Fc1Y~`m!#YHvgO?_ivf!`xsEBZ{&zu-kAXha_ zaT&7=X-PX7$^8>{A9IHmP_Z#qLA7EI?u1=yiG9WXFC?UmqFuk+nB4xlls z)a(r@1fqmDlE7f0Ev96GIrOGm9C!zfx3UfnVN{p(8}rJ5*giM}X+sXHby1C(mTl#z zIur4{i!hf-8sHj22jSjcnp;iV{v5nm8{0+a z?RR{S0)3hKJ;us!NbNRkx)djfY`~}O{J(i}MIz_iKzxpn$>fkFb?X1yr}`h?pqBI) zAa;VLNMwP)ltotR2uVf1=-~{C>SBkgSID}!!FAHEZiB34g9@Y(spGv%!T4T3uPRYO zp*M!T4m`tQ*0qhBSh@iV55feE{CDvlEvKVEPn?`&=RP5xcD7qSXFKh2VBI-3&@m`! 
z!DG<@51{98&I=k;M>{6-R(x3k-%1lo8F-eCQlP?7)3w4X_ATFwQ*tcYc8>b(@0shg zmD5-o9vNP)Ipuwi^1YU&s2<|Z_rv;}yCUQ$YrZ>e3d}f28B?Xcy_Z@vD$mh zlXtgJ9+a3R9Nl-DDXl@0nkTECX`yDUpI$_2aK8h2A@zt`{>)$e|XHZ0U}a%h>hCmYoGFCn}2&z*!ouOoBiCSYU1 zdG=VIvcJN8_Og&b`(Y=3eb8Ytp-5ddrAVc6=z!)=%zJG z*rh#X5F@9uJG}BayV@8p=0jaZtG#c;2mdQ04?(ZWtVkMV)`c_jwj3 zcCvhr{T_jB!nP|)SR9PsO_FK?7MG~eolq5JVcF@O?{|C!-~I7v^kRdB%itI~=M(|@ z5G7l!yjDmYrxS;u)A5q;`I1K->>mBx#-WBFGu5T@inlnpCL^0>1Mu)&BUuZb#M2-Z zFQen3xW61F9xUAzQR519~ z9Ue>pUvL+e1P%bbKc42dv!;Jh`^t6F6bUu{>M1p>p9JTp3*Yys#c2+zxE_Z0tsW)3B4&8-7Hw*WhI;5!>4V;fvHI546zh2DUG!#oaMb2E(jBk@@VB8EF zf%6{PVA)=4{1re>cD0Jk8tH@aG(8J7XR;E)dHj4*KdQdY40SAuil&;epIcz6T9-Mt|I- zk4nX%{>8pN@!%}(8sfOmtxI@rC(I+is2JaSS*p9Vol+;3O-J1oJg~M7cB5%~P1%{X zoBBuJi^g4rkE(o6tB~L`$w_dWyNl{Jr%0+s0~_FJyU9z@w(!ZEX;UGhOK+l_!8h5B zTl^F0kRxD19JL92e6ryB{(y;z0=n(CbCN}cwh%gAh)NR8MFtHfmR6-u9(Tyaf+IWF z%Kd9L_QGu4XL@>WO!~RLb1z@3w=$>=LFLJbS}pQpQ@R_xXoJ>-Y@s@L(6TP9O#EQ0 z`V;;6zUxFrM<9I<)Ii7ypf-W-6miJeK_eDUYFc}Qx~TD?>!mP&?DhV@`vAALgHVAv z_r?19OM@7B#*!%%{r9bv+}j}?L;3pX)wcNQem)I-Zx^A9v)y2(RWQM%EKPw3NkM?b z-NtPOn$AY%nXKKT8cZmLm31;CDcW6$+`W`3#T!9(l#0oanZYK{&aF*XlU);a*|ScK z$q)#o8Vauw-iNcjbHlrAb6^6h7(yYysnNR%U+m~7>Vup}CN$fvb#7Ar-{iypOP(Ah zm2S_nm6K$rT~xdJ^;*n2a3a6o7Lo5|Lbl=s^1}Oj{54{i&zOU7_8M{zKo<03UCA5N zg7vWEgN;=$-#e^l@9L!Cl*E{P;rYH~_r;~&Bc}?6x13cme9Fr7-7Wt3r446~%Vr+{ zOtB_6581djY@aQ5U22d1KwY&D0C(m;GtJGr)H?*vmD3W!gcW28K2n#1wvq<-AOQXF z3!_5%2SyFJZAcaHXQ#dY~Xh7aYK z_Le-6`uKmJ23?1?7*kEXj0_{D*=1Z;;}5p_PTW`m;k`e&NynyC26o)7uLs4C-=~%; z9G;WiWLLQ!>_DkaYO6QEgS^gjL5!&ryY)VeN6T{JQ!{H)R432GbC;4YV+S<1!L!D> z?HqiY2NmC&Pr(u!&QNhptkC76#4V2MpKn!7 zt>t~qK?1}?bvn^ryZ8&hFz=e}?>B>;+h`yhrlbd5fN<$csgtkXue$7`?PhGTk|Tx7WT(q%k7+AU&0~0^4CJqK zPC=~#kz$86DnfuTtR<^31%N`pCYAvKVzEZY7RdR>SyRv;%;o)oT$%m?lO|DR<9eRG z$!?=+8ZqNQ;X(p%?*!oqeQ6@-RwFW2$1XuAw-L4ztUohT>|@t7#WPj*^Wc+RZZH3I zK}{}>^P%_Zi?peQU)MO?CA5|!=Kx*lOz>@vO?$d@e@v%XtNo9g1IJ;B-0W1bu_;bq5RS(FTAc1iPUI=>7=6Bz4h@qAT)B zq$!-!sZ%J&#RPMrCiD+Ru~Ly=*HtWNH^W5_CQ#*R=z^LiUr>K<4TB=J*Am5{MkCb0 
z?-hvHJWI&G<=>jW%KUU|I@LWs?)Mdo@mKzQ@KW9S245(cQ@sUnDGH>d6_Zk)Mci`$ z|8IKynfb_Gvk+MZo>OeoS$7kwFN)E3DEUz3VowDL+6z9+FNA9!Cp8@>p#}oQDma~Z z-UK_HAGM3?0YDn)(y-)(cm50Cm#J<8u4DK^jVMk0;<%qUz({qmJC-e}e}jxD1etcW zz)0S*3Bmlu69C2GuN+(Ng+??|uGQ~=oO6sMwdt^7i?6#{=R10{Zi^j+e~oUgc8V8} z-VigaBHmzFw$*qV3jwmwowIwz?lR6k4Tv;Anv7QUu0d}*nga~V?)6#1J%Dn5jibih z77m}C;4+W^#`<0y`f`NBdW=7w7S}8$D(wkvf>Wn^yeodO3qesLSufLh2Wkx6+LfFn zvIn&t=ytJ#(v+(HrN2Ga%#76O+hBKD;AZ#gnV9Sop97xsWfF7uOTubY7fTXK6tHI$ zdC9nyv;kCy)$P4AOBzilYC@o)ZPJG&2tE5pR5J|zg81uhfd40@ImYL2df(eecgTsA zaSmy;2pd1TdI$kd6y&ag#8Ugw`apn<6{!DpOUb+e*f4M0!@!DRW#O1&U-VkV1 zKr9+pjx%fC3ZQOWUT}!%`y3;ce1xu1xXn23M=!>3rDi?;TfzYtV7l#qI?9STfuY4U zmP)^J>h)9MZXOx3F7@c*5%?r0?LKvlr)w9H(1NzRo%U3&#v?^8lXuWRsQ2`1*nq zY?V34);`Ck9dL3F1m@SxNY81x`*ppYF zi=0L+P7?7|XHw*OJ(gf8OAF3_7de|>6D;#uj1O_yTmTxffQs>)FJg*N-=Dept7LQI zU_&I%ZwN!Nc(IX9iFKz~2D8DJMP3#)o~$m$ixvqJUj1tN@O)nUJWHs*Y~kH!zA?=# zt=PINv2kdb$O#n~Ajd>iw){@c+A%px_ba zqgzvNaR5O#>ja2NzS}v>M#Ac!)N*xmKNBkdl)(3RR=&3fDP1v7QD;lyzHQU8(pBg( z&ul1iuy~suJ6bjXhq+RB;FvO>z5=1`6?l84XjXP&-0^uBeTR&dzQea`y{QwvC%L}b z>*lj8lkM7NzDMkJ>qBc5LpA!Y{e(LDuZ?F;Jp8L-zMyNDo`xLKPO1Q$0KSRx0n^XM`NIht7gXXNL6q^exCUpKwZPYI^>O+>VSBys@m(+dEoZ0~?p^v< zw<=Q(cM`ZJ&-+sXHqy}R=DjN$h-FvrVq+DLp{TBT5EUR8eec*bFO>~dbKVEV3RH-> zNY=P5Fj}+2>+}5vTah55jH;gPT46v%Hu;Fbr6>Tj_eO>GIzLlboc#Ja3W* zzPvRBB9(Vyzl+QyTJ7+`Ph-o7?N*I$G!GNd;0)o4^osz zA4meHv+>dnWKd>WJ5aIN*fi%`o*u|;WFzR?@@dW?V<|XH?T_2=8u^x+wuVG=g~Js8 z@C=ZPZQJddTmE~1G_3N|5Z_bNu&VS<0nUcifVvYuW`OOtH}DvUNMoez0OG>Np$A|! 
zinkAAioHyK`(^({Q}PnieE{nFg#-e| zEKN{tO5YWzD@78za{4g3sg~~a;#mA5_e=1>;oNCzd9${4;pnlN*xwsB^A(9;h(cHA zv>4Ciwz)v+pPRxKdD15LK{3qd`h$kE>JDkyRXEL8qM_9Cl+$mUK$b@WKARaL_Es&W zJiXh6=LSg%Uq0u1Kbmwgi$Lp^?(NhprRw0{Lhgg!E?!Wi>aJ?sFN}%Rrrg6O>HU)| z0G%7(Bmb2+60^d7C1uOY95T2rz#MG1-E4n8h1&w)zwt46q8jTl+n_x|u{~LlIOyx% zC4qharL^F*IkZ_E5TEi9*+;6!<~FN*-~b<~GA)MQ*dNBC*J&cNRu^GyigkDbbnJ&zGJ`7@O8%IXLi-U0-RQ|<6@UYmV}VtEZ7-V zHv*5;9iySA+TAPI-5GAtCS0?-|abg0kaNnJDfmUb_@|W zWuxjkG0@pK1F8N){ga`%F2EqAqDFGXDvvio&wsW*937MG=_egH8e(|}QyM`E&c=JQ zhW+m$TN~g3WjCPKm0YndES(@X)4>zn8@ShKvwM<7v8A zKEhEPV8|H2({@Z!8K~rXvYCs%@3sA{H+72kbJNLaF%b(jX9@RLyNW?sWM#3pEkWrS zMDFPQC2g(KcH(;$exce37|~d$k|A`^75FhWi1s0voKX&$Ls8dGIQ^y&Bl#>2G^c1t zau5xj3aO+z`-$D%$(Z(v9e@xN6icDJp9!}vc8JonENvgiaXW2K(3AZ>@K^4?{6iyB zO5LHP9rsMdb86VE?6ZE$5=c&1{-l7Ljdyj$KBy+qpb68Cq~~#dkUsXc{^A^>51K_p zLk>ZSGWC2fH%_BrRjt=)JC=+%qqn4Q;(S%3sn(_j8OsCfP5RrE>~=g6D83VTH9M?g z2(iKpcRopc9WJT+hDFXx5W6piJ4q{e(R8tOksoNLCnJlOC~c*~kU;a{SKm@15zF(s zIbSY4(xEv(ukjBSwNy7Dzf7+!;?JiJd*KiEW;uk!n+2d_LkE-IeOR7{T#673fU_7`w2EFHMUU6-oY zK>p!X;DbDBFLwhi)t|Z))lga*`r~qw9RyHRiyeX?cyI>dv3)G&Cj6}0G*~9?LuFnq75kvRX`eBz%1Iws-rbl$8A zX&q_BMuhd`Z)~w`zh0jv^h_?od41ZtX&REjCh@DMT|$Opulb&Z18_wH6zB$TFs5AUI< z)Dc$f-U(YRv%`w_rKX_(O|7-z*oqsU{(jmQMbZ(+rZYxThP?QiUu4zQE!g){kI>u? 
zYA!+9z+W;#nLZH|m>A zv!@jl#P`3buw}NhY3YSdakziGnb=@M8cLd;4S-?6q>curTa}5p4wkh-Aawj}l#hd( zj)KcTs3>+gfkpy-Uosb&CzaW&Zg@{xiEI^Xh%}vp`NEu4eqmz&@jpxW{u{ycKR+FoG+>go#o7R1%o_=KNULhj5$;;C1sZ&< z*UBMn(6x_pX*a%e*YjmYv7Mmb{deY2T{x_@TD%8<9ezQQMYZ!mj(2csG>^^dgjogl zw0yyB3GH>h>DHt}iC&iLC#kq^9PKkRPr01KuF-fCT)w)j1^q)BVZA z8=+p>>S(oMkI@_Y!OHC*V=HEdN`cH9qsBkqCUL`vUA?6Ib$naXTa3|7*p2zt6smkN z(K;4r`uRceX1tq<5OV*Md6fYe6%DePLa%jWDi%m&bWY4$N|d$^Zfpcdstb~^Q6RI( z=A=G+3Q2%nS1GsO#56)?sv*em@eBZWo2d3fKuO8?=z&ndPcY7sJhAgDR~&8W{G)7R zj#}7Q$QDSE??Tuj?>d#Pw2fp$AUgiyMP_Ha`==E zjYEf`hf8%b?v<0g(021xa;XETqM>Y1mb}+;!1WzOeAI-Cew+T{Q=|}H)zp3Z_kQjl zZD-8mi8YR`W0P3!r1xZI)!KJ_m3uaoYhX zvdN}^EkyWd)TKz48=8XphvkwJT~%dSxAz9)I{BBlBYEn@ z*A4MmKuy5#jV6w#Gk1_nX}&&_fP?KGl%tyUx`497WQXt9kzFjstk_gu4#yzDQaeES zUM!+-2y_Hq+U%Z#sIO0Zmg>{xI-)Aam)ihRBD>g?%_TA{lYl8G)CN7#)pf|^b~P}!ZiXZqZqfuL_Dd-S2KOG6v^`Xx%OE;@M|EaUz6D=igWw+$STvh; zL8&a^H?a|_uHMVaNe1`m!8N;Sr)f8Yw;MRp&WoX6H@QT&ZnmGj{X-H%oakbbyK56(@6vVfakE10Go!c%jnyu2Y_{Slo$^^l>vqSo;z`OFLyM6 z*^~%kp3J?_d5Hp={>x2J2Ma@*6jqKs1ia39eNiV+l%7J0Qgp?x&ZR7oQ~X~PCB!T! 
z(!W&L{S%#W9~)Svo~^Iwt&)FHi>^);|d|D9%P@FSG(^)6rKbzAc#&|x?p z&drGYJq-AVnHby#KY}mGF@D*^0|;slfe1x>&)$ym()-7W1AYWMBhLC#mi|XSBZ>hE zT<}K$flH_?|FB1r_uxm~4Rlvteq(~40=_%<1O zpaNz7?(Mz&^0A;&d+I$W+soTa<{cpOsO~H-UVi!SAZ6&bM-Bhw?L`$7Bsb)_J6}%l z{u7xcpxRfQhF9d5wwM18k4yX$jKKS@nl*r7$Lc!;Ot%&U*00T)f3hatdsoBs?^n(c z-AqQ9xMd>zum5fE^g0C~bXZ7}N#9U`5{CoU9k!~O=a8u91hlMu5%UcFWZ&~+D5ZP| zoZRWtstHi;(G5U$-O!E?UPUn)sB5nPt6?7l&4Nl(a8~~J8(i=lav0fPh5i3kAnl|s z0eN9;t_YHuCqdUZbSJr11Z4Oro%3D@T&E2$UzUGfP55s>qM446M5T9tj!YyC|G9XD)#(|^)%U=&QK^Y(mKNiK51qO$}Ap2DQ0(qd8*cC{cay^rp_a9 zQLFnZNEH^(ScRth|77EKYsPccRFTGpi)>}Z0h*bfa8PBo4 zd5TL{nQ3>TGm7J1w&>jVVDoCO{{HwJ-{X56??3Hbi)TI0{oMC`UDtV?=Xt;3HgyN7NAG)T{TW}zDwqOSC%!{U z)88VxV+p;(Oh`=>tmiCHjqb`hn~@e-ukF4z^ue?+h;?6iQD8mPpRF+E*bsKs36Q1I z(G?(~+=5tLlk($<$uhr@X&SuyruxkXQw6>GG^;hG?+lm!9;B1-h0U;bEAVJfjE z@tms@`sE`gD?*;iwO3@9IVRn9wpPo&0Hj0Ay{27(ais1Pfgr0xG3orE^-7m8X6dfI z9>-nXY(3$k*pW*3zNGTP5f9fM71x!SJ`c5qY#L=ZXd~XO6PU#LSVDi2x59jF>5^4{ zuT9m~GrQrLhyNP3-I4n356eu#rOsh3&&8MgzYXc`KMQc)h5W4)o%c9pxC@0sS(AJN z)>QX$M)&uoDE>0T`ehM8v&{mFo>GR6w&@=xsF&`_E%S+T5gS2gtJtOILVYEIw#%)D z1gj!7etFv8h6GE5A~9zrd4K1p8(|6-AZT*UJXuqt63(tR*gE8h@7%9HGc48eAk!tS zVC(GzGAl?%Ida{zxRey_4*ztwzh4DyN#M&EH2YTh=dY|kj}4?3>gUKVKa9UoVcB;f z>ilhAjzq#9+Dn!>UmGL*WQQuM%b%R2x8RLUComD^shWp-E#XPMjFY z^5li{fc?%*knmeQ=);5acY!>Yq9Rv|0M8@!o(He;E*2l?BT_gtA6?xTR_4 zB|%F@cl&m#eiWa@9r&>rUDw%yBt87r<|>b4jL}bD{`)N*ZwU-^A(fBE!(*5B@@sbrL$3PXXyhyF0( z|KhLhoMC;L`YQdfB9z74?6D|EB-w3 ze!EpBQPeXYed`)OilXJ|o@6)g0n5AqSUAm*{5COm41Zjb29ioqJE%VoIyww3CWhTw z`w~=W`=vI8?}NK#Z_Y`v*|GXwnqLNpjTx;}MzWvm=iP^CfN<}=135fZKiZQNW3BOA zF2G#tL+I(x-_r=#B?tp&a0POBEtsb>PcAm+fP|vHA)JHS-t`zWOsq#FomsjA%>om2 zv=@w|8?dwLnOd3?&Cy2$be>vem5kG97nrMo{qS^85fDS#HkPJtv&OpR(nBe09rgNl zUH{s*FSAhXImYta3|q!a1r-8uu7`%#ROwVKj{0M?P!CdODiz`rD`8D&cO=QrCWI>F z0w8}rpS#26mDMpWEhFG^JOwVIp?U>o`8u`VmtU3}DNFzr^lj>&$6q?z%UfDLlGm1i z7?t_uG>RQab?nr=h-b1TzB6?N%)6drZkh}1hw)3Lv@1=`J{Bp>5W*pI_XE!bvDq}W^gE|gW`l-ORamK|H7HhNJ-7SLD7-XXoMQ@s{WQg`XBpuouj2qTpVlpI_Yt4%}$IHzSZ)1CCO| 
zaf!pOnU2%l+`*ZL)1<~8ALXzdt;TXws>MqNd_49t{-hUrcz?p-UiAtG2yS8QI4cuHytBs7I9vjb(Tk)OqC!dqTk ztZRtiv1y9rvlni3zm0>Z?Ss~$Aq2W}X)b@y+3!VC~~zo>IzMj^BF%--r3$7O5ZL4zXMBX_q_(G%^SX?jjh#@p`1nY zn>dCc^91zOpF%lyW4Hl^EBwkAh()$^SAwCH}hOnm3Bf z^4-Hj+|`+0`Rz+n9lCoHvvkXReJ{e|i^Ex4P5VPRPWJN4IcYnBCU~z7tYCPOF;1F0FuC#TWs4~ncAOn0Sgn2zitrz!R-#3)*@ z6UV~nQS?mrd2&yw*_)+D6zO?xOtEf4r`;k_UuT`oEN1qsN>cAsa;$Zvr*^7YN0PO* zg*<&6Lwmpaz}Z$hkoORSrJ^n)pkkJUOnQ>*7ru9tkru1g;p%NH}<$>SFGeRdj2@ioDyxx z1aCxD73#`ucy+DatsO`Zi@sWS_K|n?Cz;rewrWY?$476HUog|N zJiYulklWtSFpiADkFjOd{Gh)2pey;=N@yFGF|1|jmR6Z!Qt`0z+m8V{q`L#M%T@dg%WTTW&(5|tMIAb<9BN+e+eBSG&zKh*-!}#@# zm{CEG2c$=5V9vRIEP1n4KGJ}$_^_;^qy#4vZe~KS!GgQm9ol%sKf)Cq_U^aRj!ZD@ zuE1fXb;s<&E{@#f6<|NCyyXHm>i$09CVbdvgMpCKT+a2jXm!gp=< z;UO00gQ++vC~|c6oW6x(ggl6qh^luRWF0i5rW;;Pu&V7|xveXcEHm`9_>$8yE69jx zlYhyK8|`|?w2=%?a%do8#b-QOeL?e$;b~MU-^j{K0sF^v+Q$1S%r|etPSwY!XAav= zQ>^F+>Sck#q9Kn?ajVU^o_kHw!v{AQRT&aZqZXQA7oYcDq}kRT*n(4UKc&0;lHQ#- zhD&zxeIr2k^Oh0Di7PRW;MO&Vv%t#+oFQe%x)3^&m!}N3_u?GxhtD2DEXf+f05C)YqruWh5-mj8&HSQXZTS^ppZQEYQ;v5nM35YS znTL6Gea6$XvU)3cfqb(L9Uo$H9udplbJXSCI{mQs+?(d3Dxu+>vcW2+t7p!@o#nTPY<}cj zUCq$Un*qrK+v^n4nCa(?ZVT7}^>wqX@2M)uf;>(0Tpa7ypPzffOH}52lJ%FwWrc{u z+@vLj<(DW-hb7p%ubAn9e&(pZ2bJ?W@aDE|AqFqHtzV!OpMN7>@`Z0j1@y88%gf^e zoMA`=&f=;IDXb@q2o`Zl=I3y6!w|;|H8hZ(Z#UF8LQAdURxr)-p()gXis0)k6yY$S zvylGYuIw<~-9#=XVm)}dY}A`91MX(-a-@wmIc=xCme|;MQ&icW!oXy7xp!}5gewGV z>k{v#p|X1vN2P>|y7ri_EqqEUDTRPF|Gg3zGU5a8F!4;wX35dx&H4c;y!T6dsaFH` zNCwiGaj0k9^|V(#*p!!9C3@=T4YWQ6U80t*Zq+>eN#FuuAGK2B-Ga$8KMxeLE`lF= zVfHGY<-+hbbGyKDOLvYxnbR^;-^xjwFJfq9qmVCc}#Uj;O~%TB zS6L{7t7rQ1G9f=8_$qnn&oAcpXZdZgDHHb81QDmo=>5|V!t-HCDLW5_g?{|QYx%3c zdQ&l_&?lU6`9By_B6cXFl@u*;3Z{N0_Ojk|4y=71oXjPCVH|*hlsJic9X4;H4{okl!mbtnpotSOJcBR16v1 z!ufnRz{y!!>Dxz}x=#hqt{oMd&7AV2op=oIXe_5XNOaruqDiyEqTS@1almVBzSIWT zpB@I@VJ5(FPD^c4+Att_cE|MHzCCaU5LhBGlWYJW#PHrD$`lw!k2V?V7J5MkT%9uS zf!IT6rYtYQF7u^OX=U_T!IT8`amdcwZo@m2Rz>%S!%CAgwMUi3(|*dg8hD0tx{9%c z{@6Mvyg88_CjovU%6bXxR7W!Pe)BqxZ7~G7*HApBk^N4n7-Np$i{I4q=&&!3 
zIfDSf>c`r*Zou$`ww5|Nl)Ir*QTkM~zsSZ0afr|g{B&`)BRR<8<2~>Zy0)aVGVSBs z)VYo*N|GcWrsnr+C|Y${KuO6~M);z1UxRTR9IV+pl)ZxQYJ@IZsPc`HTDeC7(Uj6< zdwOtYtj+xdg7@YuLA`KKwhn$5Ks6&hNY2Nb1ejp~1?N^L$9kCWB|exBs6nZV%F#h# zKy+u2hBWEX3o3~tfJ?1FVR>_YxMCK8n;Irw(ZfozpcQm5eN8a3u$NQ2@MDa}h8fa2 zyk6rmA-e&H`(v&K#4Be8qt5Jw_8>8hyuYzLtsOwa*N(XgjaEAfIldl^Tm&2Co{X9C zuna<1?l%>D3S@$}(cLhI%{TPUn%%T?58~UBQIc640_8-LZT5PCyLl@PTeeSjf=@@V zxh_KVhngO&Cx3x7`8B84!yId0wr*#doFF7Qb%ruqPtJ1wN5AZ9M&$NXyBtpe^mD>q zgnpsP{`ez}jg9au*}L@g4%?<@O%|^zm)`; z&=B_An7xNP6&^ncI7D(Cri4M55z=W+P&9ze$O&2MX0h2)YX_H2Ck2 z0m;$;v33~(jCGE{rpjYW2d(LnQdH<6=rm*MLrl^A>V7EqRYYfa-_=ygsY z6E?nSvA#q(Y6O9ze+Z`hzk31H0mgR=hzW(XC7;7o6khXLbl)7QbRQDzvYk(2e0#>rJ4g3@O!^o5rUebQpv{0BBsK{|0b6^IlvuDRsoFx!_ZiYspEaC@Q8z zIf4gsjpd>)7(eFdfHPJ52?KiuDc#PZYI2Xm2#z1Kx@mXvuvJYfJy{PZhtZ$gb&SWY5I80H^_G4rq8LFH0x zCH3UEp~u>{h56SQs%d9he(QW#GJ;FO-NBO>%A^gMH_t##+2vq`i`#bm0bBA&I0Vh* z_^*OV*%3b$zMSrI^kDnub5O9JegahXuK|(h18*N=!R(tK=8sIfwcp@*&n|A;xa9gu zk6q!RqjsoQ_7Tj|q#>YtaZ`fVR&63l-w@k<>2fLcc&wIf_9E*+cb4w-+z~$2v@Cm7 zR`X)ZudbksFWJlmo4I;-Mn_9sja0oMLqGcKj?JJNn4aTtk4};7PCEjGZTfqPNrGpt zn3go5q6RC5y{sW2wW=7}u&h(V0Ug(-M0JU`tAgL|SI5lrUPyAko zLZ*JzFnF*jA{2-WKsNjNa^CUjAu9mgK&a!>ox8AUOR@Fp6=A`w<;ya4kcCYCh{#Jn8Z<<7RbWfGP-B*^g2-p|r6;3#aDNf(epx{tTI&tw%v9D<9y22SQ zt^9gn2eqLLzlIuLa{B=PkPj>v?XEAW2YR%jJusQE_5`g!I_a8(enRuol!{0<;@T=s zY1DY(nXluV4KNEiXwrQFis=>PS@Ge?smS2kgPYVq7PWRPMYV$+errPiNE50 zPCySWbcKgrr6WEiOa0tBXxuc`%r$y^87<}pOXg_gvG($=xIJZfjBe4?hI|FRJ4*`8 z=aH^5QrU?7*s7J#lDX`o`5HAR`EIrg@@;q9{%{}@tPD(b^SQ3`1%-fprywOY{joW# znkBY8qd=bKke#{l9qd5v_Ox#_ox;p+Lc_Yu{V0>-c)wuVhzEO5PU=jksS5(VKBi7l z`eELUa4AT}yuB#)OdCERHs0gPD^8jWKvu}In-jL5B483@< z-1(tQ^+k;5$Mbc);Eq1!eV%k7K`^-xqZx5&%24J^C`0bj{D|o1VEor@Xktdv5KLkf zY{jdm31i|OF|Vz8p{3D|5h3_u$i>UNg2tn}#D!7mKWYY%28*zC=ju1O>wDPrg&48Z zT~>m%$hb|n#`z4Fjz%yjr!{x*9+bt@r+-Py(#|o!BCgI(8&k<;jvEc z5k6iq`O061vY+B?>UxelOWd`^N5cvfvF@Xy7~S%ge6}Fgn(sPCT1PZ=T}|H|U*_#x z9azOL8ZW=G(A}KeOweNl%Ou=%N#^M5Z0$}1NdjY(Al2v%K_I0dmIUM#JP=oClFnX^ 
z-{VIphNn-NW(jzQ(+exzr$lj>UZp|`nn0}7gJ8SlGnAgCty;MtP%!jnXD8MOFNkX8 z3wgj8e)Y}iiXN9Uk+7X6e!t5T?tWNUs!$x4LHZKN^;xTVStmMgYb^)hvqSLZ&dZTB zJ@{=o#|Xmw(qU!YB)!J%QUiD`PC9s(%!H?Ayv%_#&4b`eH>Y*IV)|_d$l{Ka@~i2| zruj3tj2-Hsl<83y8ClqRHDa*@wTCK`j7yqfa8}7%m9^J;9_z+Edv1tL=v81!EQ&xK z&6t%@s-Uu$1*Nydf34?{heLMAO2=|6-Ujt9Ja(rHw`sn7P_@Nzd9XXopx+4^_RSJv zF1q^rUKH1oDTkI*N-KC-v}$ENy^-B5Fd4oFeb%=HA?bAC8Vl~?v34WQC@5}U`;VsI)-=9eK%luSFp`W~pp^W#d!{CB5 z6F!YE?U4#NxU@&Q;+-_4w&h-!zLb0MgdZTgbvVJMlr^ruaC0LwZ9#^5yVq`3TDDsRazKWr9gk&pI zY5hm(&AR1j*?vXGj4Ept5kb$Y?7%PcqV6Idx*4~VO0QQ@@7z1rcIC%BoZ{FAd&(`c zwRwgf+_4+;avb3nO8Rvco;!NAm2=m}`ZYWie~b`)J>npnxP9F?7S|~6K>|EaqJpCC zkt-7c&wyyWRgaRT8>cdyD&sCCI{%TP!z;coDc zlCGq5m3oWQIHv5!ens+OylSPXD zX-}051}RxQeS)e^%?ZBe-(+0Qrb-1XiZIPpHDU}-3~km@+{pM;&$s1;L9geoxxLlz z;*cGf63gU?n&+aa)Xkj_C1*-ipzxHAn)%ktfW1!2_AqXYkrVIkjFyO97FLUnD^c#U zf5$3+5{HohHi@{)WLfeJD=I1tpZo;_|DEB@t=knF)tDv0@F|Gu4&q%agBM!T15<~+ zKCv{cx%&$RX4^kbpZ@WBtKeqFbiQS`+=p%%!C2LmZwJengR==Mn;(i)!6vdWTQf}? zpc*$HIsQ?9{ zX)ILSn;(vIRT^PYTy_4mxoN?o%P}RQCetHRX{fYTs5LPyCz_nr+{J%+X}a97*hin* zMpQr9+*yb3)I!ho()s1h25}d2?bsmw3gJQbo%XtTt#-{+dzF`gH}^n%6>V(y|6Ej zw2J#dn%ajH6||7{oAqi58?^@HLsZ%}y?j|%wX0@7ir=v&lb8roKk)jt)N1urEHx^Z zPpXicIb1RKLyNrC;p?h;LRWD)Clsq|^xUg|n70s?P^O@e)wu{~3&jIof zO~>{FO=OT)s(5_m8+ErW*~{9a_|r~6Xpvl^^mn{WK9a$Bn6Ts&&c$3RfaWVhN*Zf| zrx%VXN5o=sTTyhYliVb=RIJ96V`?*bY$CnuQfWzNaOk5`UHXynHyl%ZIn^!PxL2dO;UJU!} zdhSm5X&ggW>GloWXK)cMnpR6`qk9{Q-$NcSnXGwZRIEpY)Z9XgK=|MBz7GB$JS} zIB;w=vI!%z?2kV&lAd2|x8cZJxOljnSt%DS;}}!v^BT{`rO~P-Zl8WKaE_%*MSJ!3 zMw??8<5XP7vwdaaeg_KxK`NX6yJe zdcGWmlHW3PUEJ;((lo@X5`je<)vA{m1@MXL%-;Jo*y2Y;x7kBNIKHa3@3R=VxgJ8lQ^DcMr2`Tjp)$*(+ zAih7G{#51_xmBmMl(@gentc~5=5pGGvhj_fSD#vzDK#ntyQ(EAe3q4piv_QLeWbvi zjgd(8OJQKTsVs;Ii8A6q?GC?cijlYM>1VG zi?#*UZn593BWJGP6+4JZ-IC_1JpVX}q>Y3Ub;xF38rneze1J)VRN zPupaFZ(E&)+S*?1#K@Pn`Ep}Eu5ae|Gi6)UJ7eXuMx1<;kqcDjjgeQlWwjfOONvh(mY|p zZ>ZvZT$n0){q!+DjAW|oC_>nkXXysrMysk%s@~=qjFqn4)OL|Xu4C59t6_Q7h*?S! 
zJ>1|k+Uce@CUSu!Ve|wAhgCSrEm?;+@nVsf;1mtg{aCkS&k?q%u-c#iKF-_sTc`Lj zRB7j4VZkW^TYwZ^QJZ|t(@IP`FP7l|?ETa9ME>E5GL4>=$CL+mXD($loTzMj0ke1YV5iNO z%A96sMM>TjD#%9563jw~fB34FiRN{!;z-DcS8Xanq5X7ZNUxxJe@fz=wP5?#H#-GA z7Is#9)m!d1MV#33Q>Lyf33)s{q&8T})R;ZoAIakY#Mwvn&%B(7h#4vCX|YDyeynBg z!)RM(NdC@aja*AlmATg{+~13E8#Jk;S0cIkX7ilQ=@9OEy#Q7f->SOuq2x$1nk4K7 zLa$k(mU@jK@41{f|Eg=4ulI=y`5bJV4YX@aArl`qesPk^IOw3|kyZt=i!Ydij}U$s zmWFRsczNmp{MLoj!Ir|IGb_fVK5vnl>n!OhZT>T5?vLN!0#F*w#Dn7H^NX!yZab0y zuln)stG>FR8N%{gALBF`8(W3Llrq1fm96$>^$Lnw$G~c!&~dR^KI&2vVw(HeX&|j< zy?O;IuDS85>Gs4%_1QNcSc16-nwBr$9j(r%7wMal4H*)#Lb2Y4CyYdAb;+F$7!2iO zI|wMh8Fi~$XF@OG2fe)0W$rWaxl}L=BnqRj49;(bg(qMfzI}ebpE?4=Z^(Y>8q-|@ zj5)D_tnY3o>k+8~zVic07YJxtGu(Kqa@#MGMe@_#nVFC`BpH{4z4DW!;L*07ep^KL zy@GH6uxW9U!BkqUx1mbT_(q=VQ+L;=}-e(3w{skg6vu z&|3_bmlT+F)XI{&nH1Mc99#uA^pf=qeye_}*IB?)bXxAxU=kx68^|8778mrEe@ zw6x>B=2F$>k3}qH%gcH z9tKJQ<*B~E{7wXy`1c1yJisn;R%ruNBt&fIfbPG?o`vHd zen*))1yDY`5OEHx*z6w44}@483aH_<4$sDZ;p+Z$L;t!pv@9WqM%Hz+DxA};wQsmn zABcayjsNt}FuU)(Hztwz`hzc0x@-|5f8DF&Rq zgR&uR|1grs7ZFm!JGy-KZzjk8yeOj6@Q&DIzKbyh5gp6s&JT^<=sQ@l>gsxLJnf3$ zMFrH~4h=2?Zi?HY>U@JgdLPk7!1LRTJGuRLxHN4dwoD2$*?PmU@pdHt@FE{W>y_L5 z?O~!qbF89C=IcZHToflb``RrwK{gCih6ROD0|5HOTd&U3lPque^Sh;$6NbxUuCo{`T0 z{p8BZfKA7&HZ1`9L#`)lf^k5C?@Aoh;zq7pKm|7 zynQI(V{|P-`h60)_hj%UVYUKvs<$c&rN#KEtP2Mu7ts|Y*Pk8x`22hgB(7uL^lcI; zIwiTwGkqPIj8~jB{5tU7nd{jRKBZi{q5FTTo<>1&IFGWEM zDTL$PU>_pL>PS`$DrNUSG4A#|7+ znshIZ-OTd{9TN8N7`#xq+(f!LTBp_>*XCqfWGJzLTDq$tW{%R*gBBAr@soqa`EXQh zZ4jdkoKc$!x`M3w6;5Pk*h!2&WC=XCMHKkV^Y%Ukw_zSdj?j9U2QrFZ7SE3fJ4yCw^9a#{vlVZ?0v1` zz6V~T$d26vwuAiYeZ?!^t~sc??P`M9B++8ipXX36+v*1x(vgydm$X$yD4^IV0Ihj= zZ9<65YWs0OR(4Af4Oaek6idG4Dlm*DL^G!}DL%DyZAwG~Pr zR{(3RU`!Gl1ZgLf(g^b|5(;n!2h39~Uk%(z#yOLO8Dhatbp(tm>0P0XDPPmy{Nf_( zI4=jHNiM5W`BJniwP35xOgK~u2Nj*9rt2Z$C$%nugy=xJk^}4!OhSZU)>1+5Jc_l( zaPkRuPdGoCu=!?m6DTkw5K9ziN98{p!d_rKXVSNic5VBuQpxm8PG&(Lh}R;EezXv; zjWqG(#Km&Hw(svIv1*L^xIg9nHZ%aNLF&f7f&)fFJ`gRsNy*6Mx#XaQFM=_n=BSkg 
zY=Vps5|9f4>NkMB@$fS~k7k}InimB0s|e>`9x7I0CiS3Xm>h|2Dc57g8&JklL=CXT zRH<~58IOtXdw&ggfYcQKG)~-43uIuKP%+OP0Dyr(a$vgb1a|c7U}K(gm_e-uv8$f)LGQi$zq8K<+qb(VG*;rB~j&?;xFNattOd zfR?`*NEk&*l2<&*ZXk*i%6de2^W=s-6Oo+;Zl~8pJ;&BQ#fyV%dnT|V4R6{W@ommCK9ASV*_xR0Nw(PF@IMBs7*`q8~Yne~`N* z>Xpl^REXqov%XXmRVFG*7%-~juwy38y`Kyyb}y)rJ{@zMYJVT&_Fabh_|OANIyjOi{0a;6Zn~HB?cg51{~f@bX6czUVL^ zm!Amr<^r%Hi0sw~ID=;;$7zL!Aj>P4GY6QuD<6M-!0;pDv7(l#h!=A zyFF)5No1#D(72S~v{+vvL0V)t6f0a%<7%}@9vfZW>!Ddb>^a7_mvFYfz`lkqfI+x_ z`E9oa%;&+uTuc>0HsE>>+x7Lu&EVf25vK>)dFCg+nhu~0%z!gDDe{a6%gGAPCrc#7 znQYRv6N)F17~NnRK;A0n_ICkZLYFf+U~=#RbH}fxuhgZHyv(;y{?gg{R}2p#FGz@g zO%sbrQa*{)Wh4n_5RSy=CqG6cM!dgMy;yY1`*_c;nlV%?Grk`~z0;6Mduh(;E`yNt$Tkr=6RESIl169K}cMfEDiD#bmR< zSi~>D?>OlmVc5t$j_gvaUQ)ICcx&d}dC-t#Mh!-?v;*MNA-?!*d2VO`Y7%3x{ta`z zDRk={3Bc6zGoa`^FnbRO5s_N$`Vi&fj2on6?Cp5;D+j-(Z>VI>hTr-4+z@;&qM&o+ zo^*1ovqpx3i;A;n@3^AK`a1^Kne#$l!&G##S&KTJdGcm!wZsVPQm}E6;pqTp^eC@G zC{%J0+y#iYAc&2LJ)QLq)w^PGl`88>JY!otQAe&Ba8M%=IT~6=bCvS(Xj8ozFvhDz zCGgEyy)uKqJ*SlnFw|V6@#lAsl181kHkOYxdCwv*F;fq%qTo2$`UcT0@|%AKXY<*) zWd+f#rC{=ZuM~vbA3sQU06Tc-_Za$-kn85_wm|1K;(>yV!b{&aduzffeu}E+7Yz)Z zhFv2;T(c{o^!a2z#Kr#NK28=t`L&Sw#41tP=5Ch`N;qZiLhq~EN3IkehM z=(;xBJHXdhkh`_oP^%vE=)f((T*|*ouIq^j91o-_Cq546(I4hLeKYAuT*`HS`zu6t zXoKcl@=FU_4{YVyZv~}s<1)#$deV>GE1Msu?rl|k_D;8j^dE9=Sq?zs^Sx(+&?l&h zCz{sPbIxxwk+URo+1CVem5 zPf%ZWs-hp<3hje;Eih$~9&ABM9&ry7?11-EzgHRpdgClJT}{T$f+ z)J_@(=-}1`Hqt-OxPQO#-~JCkCb2&nr~Ji4MSgfJ7=Dy)!&r&xAIE(U7U9kR3%mM< zJFY(oKPs@)i2DbY`0nC)3h)4n@EQ>Fw0BGHs)HL%2VEzrUFZF}p8x0Bz5A@eeDFn@ z@e|b~V_DUiw~zIP>G$+zoSx2{UvMdWWuP*5>{-Y^%+dlFf%5HTJ3AnvEcDG3Tr%Hi zXbqGrT4=WZS6h5%;Rw{!uMZSt`7eqzoa9E^30io0=1MurJiY?@%kN0zo zodN*Y-mD9xpMB-e&A#HCf#4j6*A;{}CgTyN_U7iuj5t{NxH#u}N&EG|P#mb=Wqr`tGBW?DlB#@K2v8V#$Iy1fjim5~(l!{o z+Xj%1B@!1QSoSVp2^%kxNUBt81rUEp{0x2d6q=h9Coa6x<*^!WkCG1H0t4t{JVMWQ zHP>NGN^$p>GbAB7yJpa|A@8(vf34<;;+l21{DxUUfz3@Tjzb?RI%e7v{il+Psp#+C z;Hd(jpmDiaX57%kw$6YadCLc}*YL$)2-gf280V<3-#F1}IswgV2Qg~Y%Ug+nb^CcM zk=|zwMe;tC`MGNgb z_-z89_A>6VN2}H8al}Eg4XZq!>;8~s 
zboAm`U@l8E3tUm$sZ6-dVF2Da=4JS_bR7fjO;j;abyB1+4E78{_D1Alk`%xnebuPl2|#x?R6!5pegE zSe&mH9Z(9mz?XpBP`kUu?>mcEbvGAIeHIf;JA{_18LlNIMa3n01ti(EF4T}3O`Wte zQ@+$3$NSY-pQypxi)O(cfRB|%o~q){X+yBEetXV`H%I_)|A zH2Z!)QNZVZZ)fcbMbtUNt54nh8(D^?JAHI0B)aypr6e5ULJC5#?uevS(5c8<))U); z_*q($!kq!>Aergr7f3|A0LF-}(68kHW;{2p_7sh~B+KPV1_e0VIXU{+MvU1;7?h*U zTpBeY;M>>juJD7z5-Gu$f}fxfr<&kTk)O}#$r{mC&4VY94m}Xb90y>rZQVlZDFUJp zD#*k_3@iiDBBUQR3*W@7-<6r{bjs9wqh+(-l4BiRH0)Vr5M8m`j9%=r3CN+IH1a(^^M%$NlnMCzVG%nP4+qx?){Hzip z#CYy|SzSpEJEy9W)N-=RE*HTR(87<^_}M5`E8SeEz0_?C$@%9%a1Aw55`vd3dv&gA zE}p1_jmVm@N_QSGt!bKKsaZY8X6Uf|pQ~WOHz=?*)y$SO8iYj-I4nwpE&t6aje5%Xhn{b1#jH zSj`THS?9jk&U(psyLDrHh5WACUpmN(hT5!?fp5k?;&7kjW+j+BCylNGkeZqgbOP$b5R%5@V2Zzvtbv*i2J zPENWR)MZnA=A)mWyjD`b7pp_v%GZLpW&xt(Ab#7T_gmRqX(M^i?A`$|9h98p<)z5? z&PT8%i=4yRpGFW%nASD$U$(a&Y>DD;aj%5qymYqX4&*IJ3cu=-%TtUMnS1HO`4#{S zdEu*$L%n$>iu_mKS7Y}My{3AnPGJ=g94GLRk2BX-G+QaodjJs~1r10u)n5RO_c|Ny z)4Q%cQXOCct2s=FNStDV0G_{mLhk+y1kC9wiWpqCwTa*&rW7$8G77Lrp)>Mp=jD9JQWBobB8 zEh(>m!d5T6d+S7}-iZ}GS}sjp)1b<{`VGf{)3+E!z>UV6Yn#B2K^j^BL5M1*c=%F@ zima^n?zM0y`Hx<|p_sIgZ}j0Xe}v^)u0uIslv}!rP4J%~)H`JX$-@@!DWc_r{0qYd;SpMucWTwZ3c9brx4SqO;;FnLl7*^P;p+sja8J68nLG%dP zbE3)9YW7R)B!yrElI-@-5`kPzq=@WP(PBEf6W4+qaPw*1@8w8IEGp&+PFM($n`N2l zybTo%^vpR?$sIc1g}wtOh==^#ASarIE^q+=v;E-VO7oig1x2K|_J>%DwM|nMtGq_; z9gE2gkP^K}@-Z-Cs;d(vN#JaKB|+8^B>6}QZ45lJBwS%T!o8;nOS$n#GWocO+hwuY zu*5#(?jLgDaP~`%-AMmla=H}sLqi2E5W1BDYD+S*!J~{`q5E%&KLD575B~2Rkg+lgu0ZM%bd~c;xGY6&Ny+i z;&>3abUU1%ozN{?ACJ;aS6pUjuj$=2Ve#s$@kLZVW4UN%$3evJC~{h>fsl|t!S+&Kip@FZ77R|M=+KB4kDu5T@-0QW7i11v-M?Lr!Y% zm@HXx8SMOZm8Kyv<6G`mZK(sC*zbE+a4jZh5ClL)oGJFLFY{?)ntRsqj-_CTsnL_( z%z84XfFx`wT6sas5i6N+!{#}7SC%n+B+XfwY^ynMHfPp!2=T9^c0hdDW5FJ)T1 zDr>5>ayws)at20jVpi&_Ev?nM6uEWh!}D$~4ns*+a)O29hc#^40Jkq;xE86Xv#bxY zMWm0neU}@T^y#VEF6b~>lOf<&$wu-spSzXoR-aA_o`z6rpy>k^w@wmVI} zoIOoWu99W(0)hW%E?GXWV}414L{oYKK86ETG0JE2Io(vR>1K!L2V|8v$fr#w!T|RJ z+HD9zCT}ux1mf-!5D46rSYp9Y(>`lk;HfpkOUh&~bS`1(4NK7a<(8o;D==;;1$r5J 
zC$Wr{a=sSbHo46~KW;5*SU!2--l5B(IXlbITPB(jSfWR!KUv}jnI+d8MxBTQXE+W( zr`o9w6$OF!!VX=e!okr%Dx$rlEJiOp+4{pGGB)6Urpe2O?6`g^gBvvrC|ow!83Of0 zZnBe?E{m`QkjrB2B(EpFG=U2E*#y5jS(T*gwvLJ37fR2xnvk!j5;vGjWLqghoTsin z7^_$YWnogBs9FmDC(%I6v)`IoXH$GrpV|dA=nNA~{EycBouje@< z=E~FWXT7p;r8ISG3H#2gBr7a4if1DRPK`oOF&z0FJ5?umO@ql^?mDEYwK+zqhdEeU zEe^ZRm&65h;UvW@P~X8rP`0O4YC4?vK-qY!x}pmoJXRL}j!8`wc$?y;A$zx*6?z+76p%cfu5F+}n@({8N|V?RwdL<~m+#oJyC z9F|-zz%L^nnUG53@g@ORlFaNK7-f)b0h%du1bo6c8a2P5h49qHlPS?>%>qO72(>Mg zHnIEtXI`%|Pn=$^N*H%!@3WxpDtP?0vCqebC)cx**0s#tTqE~&L}%Xjfi+&gKmYL|g zE^eT5fY|Brvbm+jW_K#xO^;mxM@3uq^}kh)wtfHo zt7U9|ct%6vSJ`k1q1`g?KVOMb5w`a$C!Vnc*Aad#e1}^dPQ1ksd-7)o%)c0sU>?E) zqA@&GGR=Gc4h-H6%=O{`{t#D+p~0;8E~5R%Tvg+nY9bqinqS7Erno2JMs z3l;}7#eOnE?8e_e>h7n^!03_MB~AX*4>S28z-}v#&#V7DseS`E;U=yDNhWY<^avq| z<)NG9rL77ccoU(q;rZF27wPAAoeq8jE&gglV6uSw&y#Gy9;(;Hda#W5)>UN`YRYvF z81KBW;vl{B)!OhZ2(16+F3@_2pX;=ULxCU6}A6l ztI%E=Vq65IC<{Wqdbb_cfN|&u{@l>J99D?|nnzKk#4sfM&}C7AjUueai+%7IMlk5I z2jc(5(5V!$=Ipl2_aDK!(!Soqf8eZbOp$ck#cWS^+jmgeALJwRL-nE$gI3Nhe?fpZ ztzm**5LyOZtP`+*wF8(XkTEM7aZQ4+0D^XAB!Re@1GX2)s%&CDpy>KjdhRC~_DjjT z>A$>-se2O>Q!WbiAfi0o@w<5#^vM%-crMI9d*l2hyxP7%(!wL}06AL1p=6 z?1l7m@Bms$xGldwcW+k*Y{&>)a{{O?4D)^9G9i6{5Cp&+g<-85y7t(kB-}>}CBlKv z8AYC|T~;;2EG0G5@#o-shy13I{_D%HnrZe^8 zHxb~pLd%WRA>mNMSPVhq;{Cb^(Aqw0-1zZ)Yp4uPKnT#k3z}- zLqV|=baF>3jCNvlUrHi@y|=_!fwX=`jw6$eiFawU5}J48>6`EYbP!64m!2k_nOuyatO zhQ?dCKmxV)4w!zH*kgi)7Y zA1B~02;^S$O#U0PwX3x3q=UJmQ+r#dB_Lb1x|^ecH~)=FG)0>DU>&ApdK4>DLEf>5 zbsI{rOwCG3ln^`vuC+^ZtYdN4YX!@kp~KL(;gGms05aECw+ae?F4S;*$WJ<*%y?Do zVo9LI77-^kW`#W_Nv>rL=e4!j2HlYJ4RV^4A5lthp#}YQ>|x~LJ3~ZYj%>KQk0Ss-Xz)e=PE)z{!8S*DdS!ImC#1*|uYXs`fhD*asU{)yM*$x=u|{W|TrNz0i# z-352@08=m60J2%e!;KZRoeaf#%jTQ~02yTl2rw1OrjpLSgM53rE(ndf2@qW#G%Zrg zGsJcAt6PIV<(%FgDNla$uxl+>Ld5s7&Jz5Ol745Lzb6mfQ^i9KZ6gTS9zHD`Gy^zoci<2r ze(X~cf8H0r^E@w1W2|YE*;#5s(tLw~wQlS0Bk2h z@dRPIe0w9s#$YbI^U2QKi|uBgo37Ru^8AtKO+GtEVQfQi%eZ>EDrtHB>C(;>?T2a7 zs;V!*oAvgx7lhMiNu0WkR^dCREm(En44T7*ZKyaO1TV1)c8;g!)Y-{6Z-QD~Tk=}* 
zWZb1(GmTvEL?JU{;nb_?@n6idl@fj z(g_abzNEZA>od|mZO;M{bipqv1!6PIByF~`<@$q|Flc|ggJHb$sjN|{liYOd4&^li zF!_HUuC>kDBvpg*=C!i13@a_kSKiJWAP0?1H`jHVCZsKR&8BsSxHhaR=uDoNXS|7R zjFr=c_o80FmjlsZ&8VAH*>_1%QHatoN$MT&P74UGORA8NU7w8- zHUbt)Hq0&EiV8jAuZDiteWrdGNK4hlcEj?{maneWaEp;)yN}W&&8i>KW3X!;Rn(`g z^v8rf$pz#@=JBe2wsF|ga@SK8)mN4>67Rz8{Qv~6M)u z5Hcq?6P_y@pqi$ObVx*CROag-gGu;XRT|>A>@kJ!n(CH*q#m-5V~*7f1UF@KFy$ntryjp-JeKcFdD?=4}$dzkv( zOdCeN1*kI?tO&j8V2({vnY#|w9R<6q!li;s-@N*1GWkvn<}7){;gNSu4~MBPeuq_j1q zxs-%eNy$ljnTGmUrd#G#Mrg<_Cr`Eu1wcSNjH#A_^c_i^41bIlfR z>*0VJn|rrX>oa}O?slk7viC7vjQ>?%Wy^mT&af(CU|gFC`4%J+Yrtw9k1r(0{f{#< z-UrD=^~YI=zdVeVwr27y*4TO%92CKLYVn7DicU%O#UoDQRH$hB?}r@dL43ede9e7- z5HVJd-S*n_;1Lb{%Padcb%rVArtUKR4H&c23yy$*@0Y+7Ug%E>rcYJ7x6f*FCU!DS zA1+RcL0%wzT{K5XrHTUT8vZNhfz^VJ^I7iMQ5n`l@DS78lPtOV!BTneRUjZVftYTrLOnd4Bsong!S2Os^c04v`;CUWW@9KkKL z^8f!1Hjsiuh$BH~^0}Ax;Alt}L)o#>^E;FO(BJ&)Zu!#_6Q~cXayvxH$Bs47pLkW# zz-B>XD*M%Cx3tj;3oEy3tfji>V^pyG>1Y1!dji7|_!F-bjypo*TkdnM$m%<_n7hbJ zs-;fm(-tpnLWTe1hiN>pFrUYRc;d}i^usfM`tCp?^kv@EkB%In;lV=4#i~+A;EaP! 
zZI^kC@T@|96nz$b!S}~J$Srbw69xXY@4uh3U2V`Hj(i#vtl&E-;~a_j2n{(;L1zH5 zQr4&$ut+cbdaEwtpg?rK9r*IK!MrzL3C2YqJx{uSJ$O5=sJ9dn|9Y?AE0s;ALQLLV ztFAVfNiu2r!jJEgVBw*?KjgYiln z)IHyTS$I>p_iilIU?*7v_Cw-_+hluIY@}nGwgzxo5RuHPuT+B7Fm9fhDToB^GUrI< zkC~Pv?uWi%KLp(P)PQtDX(LuI@K7a>xB7O^q zk6fn6KZK%foRe&-Gq*;9w*bmK5Fmbej+us;u?ycH5UE8W$JW4!F?JCUB4Grqokq zST#v6Oo+YO&%-9<4{TQQ?ml?n?|P5ht~|Z@x4TCQxAso ztk*UJM?FV_AGc+iHwJcf(CA_{4P3sU7zQ+f9-Oy1o|ijp311yfEWnL;0BOLX-r1@_ z;k+R=4}mkwX?P+ZsI)r)*csGim{2Hkng$w+ybwS-%G&OeU^X$TVk^SKwb$`AFwPON z4iFs^P}0`OpK9NYy-)k_vorSrS;Zng;uNAuSf*15#euC`E zvv!xj=V~4E{3duf5#>+c-=}EHj_-!bk!k>@TDF7>kgMgq)(SAvOxf0E<_xPI2o?0UGDs`N$nyGg<^vZ*Qt83SEFdAUmI z*dn96^EC)_3;q0of#Wyb$AbHT+xpSU^8@ZjrwWZ7T~|a6U@m<%cEt341R@~x-V?!`Dj%1Ql4~8r zl1N0fM%;Ei`KDLV^|3#D(S;coSRm7_0}i{=H}8JSCC`{wMWZ9l>0gF z(&baaO_Rp#JK-@HEx?ee-B`RA*K$Kw# zWWvYt^|7WcA2fG@q=SOw?T^UsxIl_6HWd@%8(>Fd=v8>Vq+~~~VhWe$`skevcz6^( zNtl~<8C{lnV4;3U0Uszd{&TZJv8YE^ay;&36U;YHOrH{b5bk=w{L(x!=@1kh%1=tD z1h(9eF%~t}Nvwd~bd^_>8Nh4gJyH@`SMTa^o?yINbu6Sn_Cj?+RJS~%fu5HQRExKGMoA-?`wT6CoPvU_x$#oK zYRz_7yo+bM^57N+adwt;ahaMPL-r3Ts>i<4RP>e6QeM(k8zF+W2E zN}BeG)O0gCtoyP+Z3PxVMzkL3FX+yXTCfasU(fyx;2XQpGb@N=!2{3I&C zauV*##;}o#ri2(~s^{ENSOa#t{_MC>SHP`E-+?71Kvc3}@72w^@kOs*Mo@H-zsSp= z7uBUAmm!*n&$gLstRtM@3}wpeHVbXMt5xOn$A3yqK27gI!m|5u*9+KkgvEA5ydImyP&=8 z?luoGa5cMHS8*AYB3eLZwdo8j9OkieDm9 z6@&RLu;U35dUpZ&>n?ugI@W)T@=4Ml0#v5mfO8hUxs@@i@&(ZNMLYR~;ft_(;4dm8BOPy`q zU12pkgp)X>rp)i~SQa88C*5M3M37G}d64P-gFS;|%<(`)4egcTWKHjXB5asX2z?4; z5RhIvt0{d3s%qFsgC|I9yNff?mOA+=QPwZoeg4s8A(RgWYD#iFUP)KC_YMxSG2sxO z#!WAftUJg0qPo<bmOS6O+DtctL%C{#OnsG-s`*32-|VO}ZkM z>@5D$@Ewlt+j!JdVuygFHC4y;x%8W-M03RyqM*{cCGM%hd*xFh&BJ@%I!)tpH;P|k zI&rL1y(L|_rO%vPoTep=Y7MlkC-Y{hU6UD2D0D(^tXMAFRGrJW7#7P{fA4$kiEnqE zZzTnUwEFQ*H<$hdCNk5IF0<~);Ld2OR>CjW|f!%C$(b|5z}DB>2@H+4ReATgmwbX?|kv< zy@(eKF6FbBn%+|aWpT^~riSk>wVtzg286Mu*UUWwxh!HG`^e!k_y2yGKS-G;gU-&6 znC^f|jEqcI@(%;FpRsCxu$VQtR8I+&;kXYT1{sd$7zAWv zITXOic>IhuMV)Bmg2Kmq5|i{L#fkF(yXHtslB***>4Ku+Rr=b$&0-6 
zPDkh_*;cyOw9RG_7~)t;#fPXY{{kpM2ueRG$&E92W@-071{jM*AA6g6sZ_Cp#dQRG zS;{)U#+)v9zG66^jm_1}?HH4Q{Y!l>jXON5-a@CN$TEIEuHU;=V-74Z_K>a4z5U}* zGF%Z3acX$FEd~GW>{y>+z9k)&b61R%AhsKv8@w&GR0Nxy>=e;~g<1K7%VW>lADyN7 z*9rgr#eeEoy`{gAKuI<-6afmz^h9mm8>H9dhw{UQ$uIt20!%+rYP9?o6f@I`0@CxH zu*EJ@a8=T5H^mDtJTph=;lH2WA4l<72QY}#FCr|M4r$iIvAz;O+X*zY)lx-**}jcF1VL|G`JUBaXA@a>PM&?f>df zp-S0@bq}??4Y1Ycb4DCQTVn2N-=iPkkOyC%w<33?l>E zoEOx8{R^>)IYI&C{5QtIT?f+SuaK$`0MXR|H^s>_)no^S%?3@N3GGy z%ho^o2S;!kaWww_9V}LlGgCyQHQj4Psi=S4L}(2kS*YyI{nsd&F$0`x$MDM-CQ@T| ztY1Y&o=q@ES9M&8)9CIL%l`+2DWAu=DKc^RT*+@hl@a0 z7}O-KLqN|3<$manv+E+ox`3HHnvSAGC|nm&m^W-xmSEwIOn16q6vX^H!UV&Ed?mP7 zr(vi^5Hk7cieB1wV{BOj0+5M}3zXs}PMWuHA|7-aj8A8}VY8{7E4IAAszS1;UoajY zJ_V!BY#7Dr0M>volksG?IQ#?fSov9s?2ST*7l2)-A$vCyzyUm@ zn_B7P98RTEZl3>TVu7B_Bm6XV3;D_}tAyEEProQo`a8j>w(CTG_YJA_Ihi4fs_k7~ z?5tF+}_o6TP8mgWzi&AvdFV$3f0%;Cecv-H?z^lGDJXou~R zf@$2(D{&DPvmId%!^NzLy8E5% zkc8`Yr-l6PI+1=cQWTuFPe4*kCXhV}7A(pjY(*Ch6fJOvwE#`|?e4Q}!3>Cd)o?0} zH@$wiay%q*>%#Iyr(We7-N#=*!9;?}a4IW*4F2P$u#8JOrzUNKx1fUY0sY>-L@GxK#$@E}K7hm?Y2|{sGp*>Ic zdpo}|Dz%k`=)5E@2)uL9BzcL*%=yz`AwV9+(Ng_VQM9ThS+bihNpv0bj7|ybBjGk5 zB?MP!E?vR`(}=j`N-RTSNDZ=G8QgF6t=jQ}SfZ>ur&eZ6{(-qwQ08a>Wnl`)MtK+# z@&egY6IN-y4`4y|R8F3t<2MlR4|}tVdzCrGFZbCy^|u$ugkA6F*N5JYGOMbpT87N; zLT_i_u9Ya1;sG-11g!0<1m00!)fH~F$S>bQ&*=AehafyT@Fq#irBM{r^WIQ{G7@QeHdBr)80sS z`66o(S)y}xsT}zpp2O45^6W=UO&1PX7koe>T4jBG%?SvQ#a!v#rEk-6rMoPlApb=B zB*-Hz0ot@CT`=m(Rjg1Au%_f;=8Z`cCpY4v=TiM#G9d-g%h|vm_$m-23a4#X>dly+ zxbxdJP5t3?ImXLxVe(zN>lC>W1CPeH_nyegLiE+mfOj8U>b8cGAV<|$6Kfk)_TXhj zN*{>H^hblh^P&#?I2>#Qe^pp=oZwBsPRuTbdBpkKKvCAPwfb;KU!53TyM|8DbhMwT z>sAep&du5LMXuCV^zKJGa*rd+hpJvGNH_`@vTs8=Rv5557RbHNubpiy-I@!gjRRYL zB$ncjNhGw|)_cj1)PiU$%4^d_7of32+-Fn#{C~%zipWjl82w8d5>?nWKc{*oIP^4R z_D!s$Nf-Kx;KlJ7rK`y{pGoyK-}gwl;8`dY3_y0brEsp#;5vPwf_f~#R-$GbB1|`x%`T5&R)H|l!gz-HsiHxa-QXXe{f)oZO8Fy ziit1H0F}D|RUplF;G>G&MzV)8hv2 z32H8bpY?cf^X4c>*)!Aii*RfY1dB6+{is=@gu-<->K&{WFh3^Vq!r=>-EqA@8GzE? 
z)Eo;WmhSYDWgWb20tKU6-GeoN+FWEbLZSbQQzM{FI_ z(Y4Xbqo!(?EFpEXM8egv(AxvC8IV_vc?qZ-@N0^3Q4;cD7FM7-vQ8K5lij8ok{yp> z6Kb{4!JprX8#XFo-B`Hry~I^MS#A{GBUT9!cJjeg2WLf%lNzS(OAFB;0OG2Q3n1)k z$PCl)(UFzNrtUUmC^y?qesp{w)@wdp${@gM%gU^e=chr|jf)KK@CaioZ%rQ=b;R@NPtJ zaZ^D3-AHh&9c)iGmB|&+#`RfAn%b@PrYnSo?0nF0uLs~ZF(Z9}?Liiveclu^_9IwMm8% zmgB>%$x}F%q9ok92iEK9Cw}(cQ(03%w}$V=_W+Xl>!<$cOT;jqQEBOGqfWTR~X zhAywBf_1I4XxU}8fK!Avuz8_v`W7n<+pqT*ht?ed;=;|3g`*UCQZQ_RRr@xUR9l82 zw#zDieNor)M_*AhnPo?AUw++INxq%o#JNdfv$T?qH`)1*@thQi!it>(!|xS8*~II! z48OI#i^_Ix3~W?+z%J^`5{&BtU`{{9iR5|E;ttIdonSjsBlG3g|_$U>63XuDF)li`qZ8)1u~8ZBSa4eWVBxYiok@w>qXZjAYbs=wiG$r6v3~a zhPu_so;CTZfvWUniORmagOoO}+^&Vv+m;Ua9>TO)oa+KBFl#s{JAAU#)_U_&LCaDi zAT@kmofa=N(BxDj&r(~B{|B6Ks4wqU+18qrGgJP)t#iNxK9LEcI_IrMaJ9gfk8Dq{ zcH;2L6F~Yd>Qgq-C7cE~i-n$wp|Qtm+Y22|c7I|0gxBW!c+{779Upmhw?kJe) z1G9zxnNhkHaMX1XN)i0B9nv`^SLA#+# z_{Rp+fiOw7W+-2N7OOdJ|Ak)jr^dx(Dqsiam4I5dbkGT=ge5E>^~wdm$NVT^(xbTT zjk4tREF>a%Cnqz+ZU$xB={E?T?>nQw5##rQoYSJ+u=e)kF_K#POEZ0CWysrd1{Whj z17p51lT(7FD*&Xq*Yt)XN*)x*kVB(8T4L^Lc^KIU=K@WvNSyozT>aYl;kD6G7r1`Q z*J!Sos1q>=E~;o-7flPzX2R=NnuL(GwWR+OB zDvt{-`hamA^vOcu2dpOcGkt@jKH)J=V{%i0;LYeV1-w|NvYY$zM_N#Z_QP~(1T`{0 zo#8qwis{frjl4Bq(cO^w{x@0WtvX87`HSp8@EkXroPH2`$R{fPFX>QMjsG_~)E~eI z?8rw*6KS0wzwCrfZ?Uy}rWXE@vifgOiP2J<$8vRqKid`6gd4OB4H~{s>iK>n{Hk13 zE2sY!tTF|K3`-j88haoSNmN)~o$9h5bKLchFVd{r?~tVJuGNaZPPtpr@HS(0#9uR& zyrl(*U#p2RCNu5BTJoLb`7GXHkmVf5l$n>2F}MGWyMnx8Zgg9`7SNtff2)xF8?Yq% z2vlgPiCNSb5xxH8&WekvyEsC4jdH6Qp0)q@8$4?VW)mc6%m2Z8YKcw01E5r@YsYzw zvtCiLqEvsYB9n(EoAY2Bdtfc7M&@vEK0T3l-Vk6s<^Xa53!_FnWJsMt6BGLHFA z{raD;=)YPiZ)prlIxVMu#r-#QAt)ps9f7`7Me_2*AFbGbgVc`3z{`YqT{-Drjy3=7 zldOT9n3cWnjZENuZF~H+W`O)U$yKA_=W+$A*8c+8^upr~iW*0mM>`e*Z}9g+cbsu9<&xn{Ice z{)jRZOZ|_;Uc_*Ts1}X3`>+3To&R*4zs`d75I9QI$+GOa_%|9b^fjb(U<*C=0j?0! 
z-u8$H^EA0l6aQ#KYs2;6r)0nP+W+OU-2ss7u&}G*Q|V>;F)^2tTHUM~jpNg~Q7jp` z(_Fi=ZT?n5b{^RTj0J>Lv)K+|C^V+?9!X8jO}}p$orrp3=wu2j}T7WZxpWH)0H>7?zbH)-(hL?(I5n zD})LYc?`@HbCGlmN{2D#Z;G!^vW`>bU`N9P4JD~6IQQVc&nCi5{3$0 z2>=7Qv0py5@)vow0j9kf5RLYnl$)1zW)$-28BtH!JGB16YLYDv>@Arc{@+UlixvEBa~2uLe30RLKv za2*6BsYTSy8=asnGlwQUhiLca!D%}H^3KifbIf?%FdK9v3kY56Uoy6EdkXGG9R$UaT!e&jMN#4xhCixhql0di7-~kW$O(<^d z@b$nTIb#~7%(J#QKImiIy9~vqo6R;g4Q`-#qnF$Kt3|!k3#`JxNuE_pRAxg|vTMoe zRnM=&q!b8pCdjN;AGBoWLLt!RjPq>Vr2o7E5b2>lkmLc-hQE?Yky)akg-C&ad|(&| zWFtNey*T9zM63VugrN&8rK0(2z$MHE2m|+#)fJ!C7EHNbr^|tpcPfR0n^-qMbx^pL zg{I#_u4h&~xKy<~~iccX4Ua|YvP_7i{iE5F!ujns>@>#c7$Q(RbNuoT8c)2EqG>WPs=?O z^kxryNrHUbnhj;g!Jy0bgBgi`5M4nS*q&RAZ-RRYanCg@^U?+NRbb`Z8zIZhhGHka zw`U;!QtJQ+?;H~%U`Sh#aGV80#zj+CQV*roVP$83+mjxv4!Q-l*DGV30ElXuUI2@v z4ltu}KR0bVuMX$df7bl28WfU!r!YdRClV9#n!q;BXIE}T0L!co9-*E!36rleT?oeD zPfYWBJE0&6#@>d~eI|ANQpefHA7?yQmx)LNemD%3u zY>Xa=CYFgnIMzq5J2euOKR{Ua0EWYyG{>e-QVf_S-5!CAE6{<$RXD;!Qzy|2WcKb^ zP5+=+b!c_*V>$#&`IY(MD+FCtyo3K$*$O(j&tC9x2wpk4emA(ioecYV-vLREsy3^> zS#FI#Q@Bd2C6~u#uWa0=JKQJQ`&r3oYtu`Tf9d2Av`;_cvz=>TI_Mf0o;NxSs=5OL zoOEQ=OXPUlugI+QIlCOruTsvw`)DSwM$U0HVDTC zsW5w#wc3t=9?Vgq^o*$DtuDGuZq>L;(s>|Y?8+$HGzWyqVG^1Z`({#lBu@9??@S5Q`cRTt$aLN-g((_tE&ueNs;H-7Fi1F}78g(DAVFaw&K4@9ZrXtaXXupXgirFW=eUKqF^P zmaGxAO#^5op{wjDam#NmB7zu3&&D6=j zZTG2;Ypg9L0lxhjC$;Sln3Mj1$Mm#5(d(xZajcDi`|DFzDX*NaiS-ME8N%rdXUD|B z`#GgRdy8NB3_cU~o?tIm&u5hGmmIdGgFPW};F?kl+$y-qm%hxJ%5I>D7jpkOw@0ZN z=(Nozr{|l9I^M6u-r1xd7()aVwu=f}SllcwkVH{IPtb=6+-sg^2fR_a}`X+D6Xk zp-P^4R&wT8YrcWauG((n6BBg5BWGVJ7;kBQYI?>fSWT(G@CS1XfJlz-!;M5_{9K7~ z_NJGVDP7Xp&ap?nRq?wN@_dkuMhW|L#)BIq!>}{hmjvCei!fvC)%^sW^>Rn(er@~P z7MtdWw;-XJEKDjwoZL0qWh4~w)kq}1K2Jqi(|U6_c<1xYrK-39`*;S^Q^B-QFHwML zT2(8A2QzwC!bDXsXob|~cw(=g5cDd*;2G<*>}4hAE7|!@&b&I+hL@TxhWxy65`l=H zXt$d9kRV%wWJYGhz5suS1XCRrE%4B5B_5jZr88z4pZWXUMVd#4dX zuBIf>Dk#(<@h-i~jHoMY1UUg&m-rt0<%Vml@13aLHr>7td!I%t(>z~c{kojAzSE2d zQ%mmv!65X-3pK0C)CPN--AoT3B$AFDcL57$6cSMs)u|#vwi^wPvqQaIkDLG0UoxIo 
zx_tREV&Sc3Jg#;lNm)F3zJxs|?7O~SYH;`l&BJ`@TLejS)3^Q4eA*db5}=WDt0n(WDxdL$N14b9QRzqkq+A0oP_esCd`JQ&K~9kU;v>F z&ZH72TXX9vOfB9CZ^im_9y~@;44CW;W*9LJ!|&@H zCc)#(|8u^EKY^zaI3GQUhSf6LwfI?4DB|QsD|$(XOtCWTgIZf$hniYHNCi&!S#;I> zY%5O7b6+s9d5%9omMHwpwdrcKWRJwuoNv^V#&HqEXr|HJDKT{|U>sgtqA^VNqjipx zL>jW!&r!c>mH7>2qtiNj6r)04IRVe}TN+eBdB? z+ZrzV;o{wQi zQ?{%4#C6CS=1kU%bG@gLr23^+a1BZvUAW)$Vbq_%avSRNQ>erBb5B*{bP&a>vD`U{v@EW%!SK4mzmCcQ@U^?3+JUwtirf4}8; z&Ym&(jS)<3dI;4;vZey0`b0q=s|HUquLfZ1!Y1=BJwMXR-Iww#_6?Vz+q7VxDCJsO z_C!%BY}9=ck?EIlLR@FlqWW;Vpct=ShUuf5L0b z6efaeFK5|C`Zv!^#$I&G5R=?`0^bOK6>>ZF>d^ZTa z=Z90U&{C7=S5*oyO@PWxD~BPt3pc%XFDhBK!$%`tOEP>z*REk&XQl20Ju2ha@^jd- zG3L1}sSN%)^OFInPX+ob)JWA!qVl@CDI0->zoXAQH(1kK`* zRRYHEua|rT4VX)k^Iu}bZFb{9gZXy$X=T`(&O6;`E2#H&6o{J&J znf*p0+kGfcQRZkqSZhQ+*hacBgq&~kO;WW$_3OPmcJQfRzHm+*xCI#w3yu~==>ej_jKu<=DjDX{NPR7KtJ5O9 zS`>suyg} z@cZVZwpId=HdxTN(YYA*eCzjQ3g=>cMHrvy5!j&Ae0a&_EFydbc9EPes%Xw#g@P?J z^vrEsqrF2OfmlXD8wS#4|m?jzg63Ei@aUc*emec|Gg#pFJI_G3P!M` zi=eQM5Oj}-GZp7p=3-ybXK zEiDA8b&>v(d;Uh1xBVkDFg_J)xOePt4g;11Yl( z4on9!zZY6P`H#%+5%4Na9Skhc!19qH^`gyTscD~tkd7%s=No^mLG+gXm%201gM^v6 ztg}=*%97{ha%Ut_sfg|QJO)7iO))QH>F zi5#9juf6NJ4!~90d$Z>EDcaAl<>2jf9bmYC51~}iH$M1~I8}2cw8O-cDq{#)Wp7`q zz*@LLZ!b_k{LV&mWg7&%s`YXvD8nnaBiN=l+**R?2G2HE>`$byFlJX?gW|J!5Bfp1 z<}DpWT)H~JGud63gY4dCc6PzM)F;Xe%6%u$*dy$*=TjM2&xo5!+6)7$D%FiJV;zkI zZD6D^YgIjWjr!qIO#PM;HPab+(B`KTpsme8Vf2w+(B>VC47MUYnkpSvs%D0@`|ikQ zb@-P{#3d$lyCc7*u(R}UkCPq^EC)Dn#`C4)bf=(k+WFx|d$Fy)m#$vWs``mj9ol{Z zPeZU@WFf5xqy%Gb?zhVN;x((N*$3rdTHjIT#Dsf~emwp$SfL9I7&1?sQA)4@aBKVn zN`0lN9LE41E*l2yTEJ|V(Eu+RglH9kX{iGKGjxm{hn>5xBU)OeN6T6qBts!z2Iuv_ zgZC_zwIS4aXw3rXIe~h9nlOt4IIS)2^1hm}4^;y>^HeaxdI*M6Y08Sld~s<+HL$Yf zy(N#D=hpk*>|b6Z%+}|!n8U`Ns+nO>n766Ugq`A^18kzB@;STy%|T_8Z@dAXMXOu! 
z?jV|zIsABO`vPAFi47IeBVN*>UE4_2OEvt1)QQD+UDIV{vwI37DH|CMK%Gue4F+Eg ze8qF;4@tTgj9;Gxrd6z$T^+hbE@=0^xWadbdVvo}?SZ#Z81A9{IiRX^0-AXjxZ|?m zZ;Hh-w;&i!0{TcNU_l_=$a!Y5c3;HosyjQlr_T^7gL@_mX;0J-Z-VMEd?N9=$R*OD zTid!;#*u&NS|9O4cqOmc!nZTiAkV+^>RLbR3MCuKp4@cbm*&NZc4M1Y&Lu*zRK%XDmGu!3@!KrCDEFn;f4zc|zmc{G za+)TfmvJm>E}0%^;mR4PfRI=#1jpuRuq%^%Kyrjxx_DaO#o~Sh^9?uL7P9FT$L}!M zQdFPe$tXT;D$@XItwmO%)?nQ{4QW1$heN=!;?_WghBxo;jV&CKlb>gPC-akz@eD~19PVO4PS+iNS)KyaSPTD)>xfAop z>oDe3=`4$=2D86>Rs!{h9y|46mOLYdPpsIobiI3EhDd#DU`ca-M`&^3(U&5#3K zXJ=3N-9z9uB!U9{z?#Xd4e}W9$|qx=TO#E-WZq zitA_UG=ScO;l@=kzOO-9lz0ji_A%3=r}z&{)x7?2h{T@$tR`!##kT}IoA%5P0$-lS zziBVDPe8d=&OzU*hiiV838S<_dvzt#RvERPL~KFGi-vuW}% z_s-rXo!){Ub6cN|496Ipa~;!;yF`m`zDTW%&oG>IJ!-PVl$9={QB&nfIz)%n@=7S+ z8w&C|7_<)?aUw=K!>5YzjciHG#>-$E^kjm4BIOqirH*U2+ZUxeQ1iR0E@Uaqsr ztUt>(m-zFwV?T2qKpk+A35lR1FqO;tbn>mI+qgIp?Xrkay$0Ju7xIZQ@YWoS1Y<)6eT*l08H8KN|Mt$rzY{OWZYi;_|jv|j7_`Y>Xl`@>r%U>s<&?J z$MG|ZlFo)e`U-qPd|WBYl7fNn{iA&xzNwC9T^1vo1?BL3`i71Q8tfs^$F>(+7*y`d zM0z-B)?Jf7n zbAK*+y`~+!Vf#xRN_tnq?1=V(CF38e2v@KiX~XxXDt&AM@AG`RxN{iKaP2sptXCSj-kZoL z+--ZWkI`Ntv?M0aRh(xoj0~?k+Ys)h`b5V_QAfL-<|MB4oNda3VY@1>OsJ$A zOo;~g8WUbH-b}s|rz-16&XKr{hcmZ`=KGr1z#9VB_@rfD%N2u;jV;PoeEOYM8Z>=U ziPKv)a>K1BhrsMH+?f;7;v7*T>zzIq!9Co11-1>VelO+3Ky%)fUly;H2+GVu9x}~D zOjVBGoN0bJ0v=G|+N6afSCUfw!kVxAR1snpeuk`WMSX56NQ?^g*r;9ZPYpwv@bT*v zXg)QtzT=sVnF#U$p*gs73Da~>NaEpwk`9$%MW|P4tVaghDZ%MaK=O+mmibadrOkI% z>`0)(FKuR^!q#O@6@sHX;kL&dHi zCiTMB^w|9zCfiOJg}AR!5p?Gnok(;;Lgj9C5h+$P|sbaei(hGVnM^;aMVUU8ati}fhpk(;mc zVf=knxSuOH1oGJmqDk5QrS~Z8p}S!e8AzbSCM(@+<456)a-Rw;Y|%VxcSO^Huux};j1w!Fk9^wYg|pJrzRK7PwRoj!hjqGBmQ z-o}P?owmf?14CpZ32!P|FI5~8Vbfx6+vcGd^V$|1H2k{K4z|%`oF{KJ?$=!>%s2>k zWl!2Zx$zt5nbsGVyL`*9x|iGFCTk3vP3!4JNIq~}s0Q$+CGwig6PHgk_%F!#GG9GYNz>snKcB176Q`s=*eZ9}wc&)hT~h{D3g??y}) zUpSYv+!I~0Zp?ONccGqIoXY}_0hEd)jQI+qfu77Kj5sxkhXOW3nb$w*@iQ$&&A%AA z)k0JUHBM97FR*h{oSHJf(4=O+@aPZ%TO*@1ff~=M+Lv^pfbZzKp8^T3bU8=N+P)=5 zYtY&162K|*XWj$X*f&}9rjk%7qG};t)(fdx`HSMyn@S!Cmu1f+EUu~6Fy`qHL_6yb 
zZOF>Za0kR2sMxN-eAb?zO#a>ctbXl>RH@pEb>Jp+9K0Pd;3|}ypWVh%n~B58At9zk zLt0_UHLs6wfH@!pHleLP!S zyVUv9nhEW?8PEBO2?iz2BPuqQl-H3OML7FG`U&Kuzs6_5xbwH#5K(Gs{Yz*ne_)E1 znKL;O(kXNTmbwUC$L@LMWPe%c`ex!cdVjuN++*BnZFW{HO(pl{hUS9gW6VnqC8vd8 zv&2(dEs$K)%(C4eRbeL1HK*%~8Pd0S%XzuRj8Wc9+Krire7hru88<#K0urGfnF}^@ z5?2?g#Vy7v5Cgkwidl5xoDtZS^qjQoj4|K?qdi+n-}kA~IOe+(Z-ziG)Fb{7EJ*Sp z)Uqh#eSq)VMb)^87`79F!m%N!5$L6Y1g4(#5Cdid+DjKuN3nMR7x*xmA1pDk4H)vU zzc!-$M79dTP`2V=(-tXYqY*`@~IfmyyaOFpl{!d(zCFzVJ4Ut1uK zd_T|GnPZ352H;<7o*Q;im(-Rog$ zLY#%!z=N-@gf_KZBbZNcrMX=a3^s3ydxY3COP|#}Yx~lSN{aJs`m9Z=gHH9h4~M{=a0-L_kO-J;cTI}R69Hm>og2m`nkwBZE@ZpvdT8Bc&b_r}e|EiVgt<#-C2J!4Zv@vrAg+h`-ad^0 zMG!~~2lbRiPTw2!fmQ3M_z;Oqru)dVtdgN3sABhr;*FZ8b4b+H-PCw2{{ti>v zUcgKoc&p+81>d3PyPV`4=4C?3E*?%gutIxj$M#H{$6m-c^>XCni+a+!2PZVS7*F@{ zPpVG!tXu{Rf4jum#*lvh<2wfgc!jln@wyQ4^VM3E~!Jpv#A@&(W zF>JU8B9CJ&9xlxE6tR4vZAVgy?bEt+6-?TczSY0dVGDc%RvvBI)te3X1g>gjx27jv z>#k-A>DvW7%z><3z{3=d@F=F|l0Fo==S};=e?u&#pOOgdjTrg%%%n-LYp^1K+Et!1 zDeZbq?DO-jjz}i+)0(6J#%;#Jnm><)=}0YGuBAej zE*g#Og;Wwz_I=Gx7z}ZXtXXDk*H+2CBwNw&dya0)?e?kr&(B|Dobfs5opavzdB4wh z(bvsUV^%Bpq9^`L-89^-DDsK;{Pn*0=PT2LP%5;)ie&M;#1}ZM!L$TQXEBb#u!orrMraW^%i!gCI>6`+hLU zF4n6BAAuj8&*%5hI&1Vz^6Lv%?7`Jg#c%TSUw-nrFGR(k9P{_T2@Hc>OT+a}Bwzj) z*Uc&hBY!zz`01|>gs(OXp=AF5P8N+~`;NRB$w-@e^rx4AzJjRBu~HlBJOK*-5r0#2 z^cP?=+7^M(BcyD`{L$OL@HgM6NRq5wo@c0*TYTDsd^?V4b6P-?E`rjkXEW~{_?qTO zI1F*kxOKVuBFTqYgrV?<+Z=#qu8U;P0TV{$MSbn32?}|%s*u|c5TE+j3r$=wCw{nJ9$NM@u040-|`TVxT+^JUIfCymv@t+{yq*sraE@rP?D9cZF|4_`?f=Hbt%WvSH`5BiwBs?sOS_==z~Kyh zs9w7~n1y{0Sf-x9+YYa~Xib+ojcD&VA|QUrbopxxrxZrSvyL)=w9}ubr*gEyT5AHA zPDBC;5tOzR(d_}|#zeS_@4gRWVA=+d6VC;H@Uqd+llm~YwZ9)B;vI;v!zPXe1_haN zU>)!Eg3nI5+3W^S$a@7VVExiaXRML|T`0oyB)V)ZeM#Vy>;oR-wPtuGpp$?EM>3p) zwz-h`4q!(0XRTBSK&yKtu*P&fa&w}Gs6QNiAq$j*=ge#6+J*Di!KmyT)*-=@-=KX4 z_^9;zAK(R|0gg{LQUO*aLuWNIi3YaOkhbp2?-RExoAD6=pIAh5fg!?o-vxlL>d91u zP!xL>t|xdc?(Q!(dg&k?P?tearoDFJm_0CbOSGFJ#18dn2eWuyXG0L{gKA$8>%jL& zq)FkL$07)P5j?L~30vZpR(ZED3W!Pwf9JU0{CG#i6mL0Y!Jy-zdgVZa&lC?}%8cz3 
zAcpKUMsR<`8W6FZsnIc$6-iwIEk_2RNeDsH1)!l!u;wdtS+w1G*u(?4x%F2jI)C36 z?HmtPRCfp8G>{YuAa0-&QPu&BnFEk;*wkPCYyz(WPF{O&kD=@BfQ;PsLfc*|#O@4< zw)$9?xLgW4Bfck@kzAZyVkOA&1?G^6sZImcZ6bd|M5Y0B?WL4r3 z!bP`<>mszo?VAKKa4z2L-cB&gvD78)V+W*)7c3oG2e zS2h|<&T?X~+Pg_G+;VdPqK?hG!P*7b3749EeJMaAL+K)WiH^Y$q>TW%f| z@_xs}ElE<9nMG3V(yYzXje@`u$i6)+ zg7jM{UO^&GOC0jc+U@E<;YeCqn6w5IZ=;hqsQO@`y1ol!Du)A~d!geQ|F({KcQ*gh z%r)Irkc8DTI*wEF=3OQzv<8_rl-G}y{PR8ZtH%|KeJs{eRBxhU>7wutQ$wd#l!@-5 zwzogB?Z7*y(Upy93cIgdTO7c!7_m3kS^0mK4S#22cZq6V1M!_A!XA3c=xK#$i5LN- zZasqY(F;MzN}92{%KY6I3pkj=9+^1g2!l_S8G(@m&ZYzljWs2S=n8G`p^9*If)SBpL&=X1sPXN*iLuv|6WaRj(#&SdXxT zAKbvuuqv5Qi3}lnuO6i>ap^nMcxdxh=d<1Q!1tslmBUIUal=VYc7D)4#cgW*1XD91 zTTPEY_kwTRXXm?v!JkQ#A|AgtH>kG9t6df{^7G`OHZd)W4SkK*i1XdN!g9>ikVy?G zbj%s4vO6^PFt)*lv;Sq2Avd1S*0zh-r3Y;GJG6=1DqTya`AQaPtT!= z$-zNED%$Fn?Ip3qm1p}4!?c5;$KYA%0_p;OK0j6us4HT(N(c8_V@T0YM% z!}@F~xm;_rX2!F0K0*5O*^SR81s$>SlM(FlfqbTC*i?EmNWNB^TjJ+8is&b03LRk~ zKdsKH$amR`tG;?#@)+*u2Od9%;l5*wJShMd0%SO*mlzSX8X4Tl~adbWd;*kgO|6=k!BDw zDo7Vc#gJ4n+5_Mf2*Dx9U|j_jUJlZzkC?9C+0FI`qo&gz?SczJTt{c6qyF zB`W4}rIN``?o_itE!_C= z6zUQXiC>YiN#eq2GC0yUhE%=+sx9g)VfuXnx==yV`g*}oe)%77{1F|hYm<6hl2~qA zNtyFZ)m*Tx@)agGUWTCMSI3V(Gk8$PPrlN>0VEvF6j~BNvHuA9vO<)}T!O%s0AA^- z(2(DDM@i1?alCT~g(@t?O;>;B2n)mQodO~i8iupzHigVbA4Wsk7&qj3CltCqb9ZYq zDOznC>VFr`Pvu&PDG_bdOZH`~oU@aVqzOl4N3vU+y_N2OvD%Od=}4rcQ(fj={jeKi zc)v$#;=PgWrsGZvuFcvB^`OjY zPkTLf$%Ul2&hz8uX8JKOS1E2fG1iF2DwE9k zl;nwOZm~FW^(1WC&{PauCGVf2C~qf1j#)c*-}~c4@q`dWMKp@?EO$x8%=#EVv))7_ zT=Nj`GZyDL6auXCbnCNJ+id+D-ZI8+glZ@qedf$9az}?^x5jBP>@ax6@P^f2hR&Sr zsb(k{ZCVqRQPwwjj%FDYq25U(`D+W-gJH+1_7CGpJf}rPMN24FQwm80ofhwQut4UcDVGEIMs7< zaz=We*iS#l=BYwaWv_CIOZnI&p-#hk80Q{;^)ZMghQ%R)A~;BX_N29N+!Qu|`}p}3 z^_W7)q*su_EllX)>|PEBMS~6`;)VW>ebsk)?e?ih3p=rKLAup)0~Afz3s${$qov6T z#^dErUsMu-SK3iqlAd0t+7dsV7Jf{3hwyzPOqdf}Sxf4v$upiyo$;fFAl#aCo1;Lf z{&;Eyr74;RApxakq_XxB=`&ZDa&4Rzh(pB8)KvSZ9U`XK#XEgj`OEPDyEq=A!q$Kj z-43T_{S@m^<7{g$;{|pzV0k#yI3A2S{JR$vPtUQ60AfvLMd>T9iRVVbVLO;bm=T~U 
zAwD@|b7&&_F*h;Zd*7Vd>uk|UUR*|AJZa3ffJRI{)Vjj15W4W4#y+?PPxh|ovbr<@ zJSVMeY-~^=202voksT}uBWR?Fn)6_RNu}3wfr~3v6eL+x)V61&T|H8~1?saw>IVFi zRNrX)NGe@&`ADVZ;kOyW4^F#}-qLzDTKQ<`vd$1A`yIg&`F`-OP-sy(mCbtESR`rC4VznlRK->}?x;&zTfU^M^@^^saJs^a?@U58_~5_v=MloVMccC0%FYW zeoYa~Jh*yd+m9^1TwP6Y&}lYYlo%^Z;Zx5^FwMydg*2u?$z4t0p-lTYm|Je*!trG{ zKv1X7-QRuAQz$AThOz9^_c*6Qg*|rvo@|GOQ%1X!PKQ1qfAhE2SWV3$p7BFNLk~9k z3DD0OQn@1LLXIQr!V{DooYH;&NFJ&^eMKv#oav(7DsHYUv3%ut_JgjtyZw26zsWBY zW%G3PkH6}8lzt#TT-`@sId^r>7vb9%GypOVIe$NCQO9Ng{lTg~wFV5iDQp={SGsb| ze92_8{GGk(B%J?ry6$Z{Fx?X}yvZKA#qLz4SM>kU$@1 zdbX@5EX*$^XSMHcjUFhqyAPg!f@Q1cuU6qZ+%7#{-!HnSr)k5#Fe`d>wC5Ns6y1>$ z4!h~%RD@xE6G^He-#=8hC84FKazgZ8-PJt%sU8XF+9*eJG5dZM?Xvo;8?E_MBSn=) zcH8^8HzVU0D)y?izI}tcBWmHuyKJ^ zNNg0FynM!`+KrLSOAK>7g{$T?Rs4GNk6uY|@KKzbYAwMjFqw$GcjS7UH@*vWN};)w zT>gKJ(mx?NFX}{I7OR}wXqL^LZ)K7imuJz|&P&S*){7{Cy!5)GLepnSa)aW(NTM)A zvJW4NPwon&qn1Bp*39oa*W}IrlJzT6@xxb2D2>Q##|(ZB8h-jDJrYFWyioAf8UG&$ z;kUyQC<})&@QME1K5nh%xsKQbo^a7$3nlvJz3VL;#F zTG|f(6y#caZqb5pXxe|n^pN?!dBpO+I1h$Aai_xYsoZ*ai2C+A_)(TuJC!AC;`KkU CITVBd diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 9e7babe00..5e16461a4 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -16,6 +16,10 @@ firewall: ips: delete: insert: + elastic_agent_endpoint: + ips: + delete: + insert: endgame: ips: delete: @@ -44,10 +48,6 @@ firewall: ips: delete: insert: - osquery_endpoint: - ips: - delete: - insert: receiver: ips: delete: @@ -67,16 +67,4 @@ firewall: syslog: ips: delete: - insert: - wazuh_agent: - ips: - delete: - insert: - wazuh_api: - ips: - delete: - insert: - wazuh_authd: - ips: - delete: - insert: + insert: \ No newline at end of file diff --git a/files/salt/master/master b/files/salt/master/master index 5db41fb90..070a6f3f3 100644 --- a/files/salt/master/master +++ b/files/salt/master/master 
@@ -65,8 +65,6 @@ peer: - x509.sign_remote_certificate reactor: - - 'so/fleet': - - salt://reactor/fleet.sls - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db': - salt://reactor/kratos.sls diff --git a/pillar/logstash/init.sls b/pillar/logstash/init.sls index 4e96b400d..7ad31cf9b 100644 --- a/pillar/logstash/init.sls +++ b/pillar/logstash/init.sls @@ -3,6 +3,7 @@ logstash: port_bindings: - 0.0.0.0:3765:3765 - 0.0.0.0:5044:5044 + - 0.0.0.0:5055:5055 - 0.0.0.0:5644:5644 - 0.0.0.0:6050:6050 - 0.0.0.0:6051:6051 diff --git a/pillar/logstash/manager.sls b/pillar/logstash/manager.sls index 00d82f86a..cfeb0a6ae 100644 --- a/pillar/logstash/manager.sls +++ b/pillar/logstash/manager.sls @@ -5,5 +5,6 @@ logstash: - so/0009_input_beats.conf - so/0010_input_hhbeats.conf - so/0011_input_endgame.conf + - so/0012_input_elastic_agent.conf - so/9999_output_redis.conf.jinja \ No newline at end of file diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 935574ff9..18c4b39bf 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls @@ -2,7 +2,7 @@ {% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %} {% for minionid, ip in salt.saltutil.runner( 'mine.get', - tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix', + tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', fun='network.ip_addrs', tgt_type='compound') | dictsort() %} diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index cd810106d..fb10d18e7 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls 
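Review bot: The added `0.0.0.0:5055:5055` entry under `port_bindings` in pillar/logstash/init.sls publishes the new listener on every host interface, so access control rests entirely on the firewall layer. This commit also adds an `elastic_agent_endpoint` hostgroup to files/firewall/hostgroups.local.yaml, but no rule tying port 5055 to that hostgroup is visible here; that mapping should land in the same change so the port is neither unreachable nor open wider than intended. A comment beside the binding, e.g. `# 5055: Elastic Agent input, allowed only from the elastic_agent_endpoint hostgroup`, would record the intent. Whether `so/0012_input_elastic_agent.conf` enforces TLS on this input cannot be checked from this diff and is worth confirming.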
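Review bot: The compound target in pillar/logstash/nodes.sls still matches `G@role:so-node`, while salt/allowed_states.map.jinja in this same commit renames that role to `so-searchnode`. If the role grain itself was renamed, search nodes drop out of this `mine.get` result and out of the node list built from it, so the target should probably include `G@role:so-searchnode`. The only change this hunk actually makes is a trailing space after `G@role:so-helix` inside the quoted string, which looks accidental and should be reverted.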
@@ -14,5 +14,5 @@ logstash: - so/9700_output_strelka.conf.jinja - so/9800_output_logscan.conf.jinja - so/9801_output_rita.conf.jinja - - so/9802_output_kratos.conf.jinja + - so/9805_output_elastic_agent.conf.jinja - so/9900_output_endgame.conf.jinja diff --git a/pillar/top.sls b/pillar/top.sls index 1cf3bdc8a..1c3fb9635 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -2,6 +2,10 @@ base: '*': - patch.needs_restarting - logrotate + - docker.soc_docker + - docker.adv_docker + - sensoroni.soc_sensoroni + - sensoroni.adv_sensoroni '* and not *_eval and not *_import': - logstash.nodes 
@@ -24,113 +28,124 @@ base: '*_manager or *_managersearch': - match: compound - - data.* -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets -{% endif %} + {% endif %} - secrets - - global + - soc_global + - adv_global + - manager.soc_manager + - manager.adv_manager + - soc.soc_soc + - soc.adv_soc - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_sensor': - - zeeklogs + - zeek.zeeklogs - healthcheck.sensor - - global + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_eval': - - data.* - - zeeklogs + - zeel.zeeklogs - secrets - healthcheck.eval - elasticsearch.index_templates -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif %} - kibana.secrets -{% endif %} - - global + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + - soc_global + {% endif %} + - elasticsearch.soc_elasticsearch + - manager.soc_manager + - soc.soc_soc - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_standalone': - logstash - logstash.manager - logstash.search + - logstash.soc_logstash - elasticsearch.index_templates -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if 
salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets -{% endif %} - - data.* - - zeeklogs + {% endif %} + - zeek.zeeklogs - secrets - healthcheck.standalone - - global - - minions.{{ grains.id }} - - '*_node': - - global + - soc_global + - kratos.soc_kratos + - elasticsearch.soc_elasticsearch + - manager.soc_manager + - soc.soc_soc - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_heavynode': - - zeeklogs + - zeek.zeeklogs - elasticsearch.auth - - global - - minions.{{ grains.id }} - - '*_helixsensor': - - fireeye - - zeeklogs - - logstash - - logstash.helix - - global - - minions.{{ grains.id }} - - '*_fleet': - - data.* - - secrets - - global + - soc_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_idh': - - data.* - - global + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_searchnode': - logstash - logstash.search - elasticsearch.index_templates + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth - - global + {% endif %} + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} - data.nodestab '*_receiver': - logstash - logstash.receiver + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth - - global + {% endif %} + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_import': - - zeeklogs + - zeek.zeeklogs - secrets - elasticsearch.index_templates -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif 
%} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets -{% endif %} - - global + {% endif %} + - soc_global + - adv_global + - manager.soc_manager - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_workstation': - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 3dbc6d24a..ed530ac91 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -1,10 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} -{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} @@ -35,6 +36,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'idstools', 'suricata.manager', @@ -77,24 +79,10 @@ 'tcpreplay', 'docker_clean' ], - 'so-fleet': [ - 'ssl', - 'nginx', - 'telegraf', - 'firewall', - 'mysql', - 'redis', - 'fleet', - 'fleet.install_package', - 'filebeat', - 'schedule', - 'docker_clean' - ], 'so-idh': [ 'ssl', 'telegraf', 'firewall', - 'fleet.install_package', 'filebeat', 'idh', 'schedule', 
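Review bot: In the `'*_eval'` block of pillar/top.sls the Jinja guards are misplaced on the new side: `- kibana.secrets` now sits outside any condition, and `{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}` wraps `- soc_global` instead. An eval node without that secrets file would reference a missing pillar and lose `soc_global`; the guard should enclose `- kibana.secrets`, as it does in the `'*_standalone'` and `'*_import'` blocks. The same block also adds `- zeel.zeeklogs`, which looks like a typo for the `- zeek.zeeklogs` used by the other roles. Separately, `'*_heavynode'` keeps `- elasticsearch.auth` unguarded while `'*_searchnode'` and `'*_receiver'` gain the `file_exists` check, so the three should be made consistent.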
@@ -133,6 +121,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'idstools', 'suricata.manager', @@ -153,6 +142,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'manager', 'idstools', @@ -163,7 +153,7 @@ 'docker_clean', 'learn' ], - 'so-node': [ + 'so-searchnode': [ 'ssl', 'nginx', 'telegraf', @@ -183,6 +173,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'idstools', 'suricata.manager', @@ -204,7 +195,6 @@ 'pcap', 'suricata', 'healthcheck', - 'wazuh', 'filebeat', 'schedule', 'tcpreplay', 
@@ -221,26 +211,14 @@ ], }, grain='role') %} - {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} + {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} {% do allowed_states.append('filebeat') %} {% endif %} - {% if ((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} + {% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} {% do allowed_states.append('mysql') %} {% endif %} - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} - {% do allowed_states.append('fleet.install_package') %} - {% endif %} - - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} - {% do allowed_states.append('fleet') %} - {% endif %} - - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %} - {% do allowed_states.append('redis') %} - {% endif %} - {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} {% do allowed_states.append('zeek') %} {%- endif %} 
@@ -249,11 +227,7 @@ {% do allowed_states.append('strelka') %} {% endif %} - {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%} - {% do allowed_states.append('wazuh') %} - {% endif %} - - {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('elasticsearch') %} {% endif %} @@ -266,7 +240,7 @@ {% do allowed_states.append('kibana.secrets') %} {% endif %} - {% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %} + {% if grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-manager'] %} {% do allowed_states.append('curator') %} {% endif %} @@ -282,15 +256,7 @@ {% do allowed_states.append('redis') %} {% endif %} - {% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} - {% do allowed_states.append('freqserver') %} - {% endif %} - - {% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} - {% do allowed_states.append('domainstats') %} - {% endif %} - - {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} + {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} {% do allowed_states.append('logstash') %} {% endif %} diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 8bddd4798..c857b331e 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls 
@@ -1,10 +1,16 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + include: - ca.dirs -{% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: file.managed: - source: salt://ca/files/signing_policies.conf @@ -25,7 +31,7 @@ pki_public_ca_crt: x509.certificate_managed: - name: /etc/pki/ca.crt - signing_private_key: /etc/pki/ca.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - C: US - ST: Utah - L: Salt Lake City diff --git a/salt/common/init.sls b/salt/common/init.sls index 0eaf5e77e..c391c127e 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,10 +2,10 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} -{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} include: - common.soup_scripts + - common.packages {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} - manager.elasticsearch # needed for elastic_curl_config state {% endif %} @@ -15,11 +15,6 @@ rmvariablesfile: file.absent: - name: /tmp/variables.txt -dockergroup: - group.present: - - name: docker - - gid: 920 - # Add socore Group socoregroup: group.present: 
@@ -88,92 +83,6 @@ vimconfig: - source: salt://common/files/vimrc - replace: False -# Install common packages -{% if grains['os'] != 'CentOS' %} -commonpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - apache2-utils - - wget - - ntpdate - - jq - - python3-docker - - curl - - ca-certificates - - software-properties-common - - apt-transport-https - - openssl - - netcat - - python3-mysqldb - - sqlite3 - - libssl-dev - - python3-dateutil - - python3-m2crypto - - python3-mysqldb - - python3-packaging - - python3-lxml - - git - - vim - -heldpackages: - pkg.installed: - - pkgs: - {% if grains['oscodename'] == 'bionic' %} - - containerd.io: 1.4.4-1 - - docker-ce: 5:20.10.5~3-0~ubuntu-bionic - - docker-ce-cli: 5:20.10.5~3-0~ubuntu-bionic - - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-bionic - {% elif grains['oscodename'] == 'focal' %} - - containerd.io: 1.4.9-1 - - docker-ce: 5:20.10.8~3-0~ubuntu-focal - - docker-ce-cli: 5:20.10.5~3-0~ubuntu-focal - - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal - {% endif %} - - hold: True - - update_holds: True - -{% else %} -commonpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - wget - - ntpdate - - bind-utils - - jq - - tcpdump - - httpd-tools - - net-tools - - curl - - sqlite - - mariadb-devel - - nmap-ncat - - python3 - - python36-docker - - python36-dateutil - - python36-m2crypto - - python36-mysql - - python36-packaging - - python36-lxml - - yum-utils - - device-mapper-persistent-data - - lvm2 - - openssl - - git - - vim-enhanced - -heldpackages: - pkg.installed: - - pkgs: - - containerd.io: 1.4.4-3.1.el7 - - docker-ce: 3:20.10.5-3.el7 - - docker-ce-cli: 1:20.10.5-3.el7 - - docker-ce-rootless-extras: 20.10.5-3.el7 - - hold: True - - update_holds: True -{% endif %} - # Always keep these packages up to date alwaysupdated: 
@@ -188,7 +97,6 @@ alwaysupdated: Etc/UTC: timezone.system -{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} elastic_curl_config: file.managed: - name: /opt/so/conf/elasticsearch/curl.config @@ -200,7 +108,6 @@ elastic_curl_config: - require: - file: elastic_curl_config_distributed {% endif %} -{% endif %} # Sync some Utilities utilsyncscripts: @@ -211,10 +118,6 @@ utilsyncscripts: - file_mode: 755 - template: jinja - source: salt://common/tools/sbin - - defaults: - ELASTICCURL: 'curl' - - context: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} - exclude_pat: - so-common - so-firewall @@ -339,32 +242,6 @@ soversionfile: {% endif %} -# Manager daemon.json -docker_daemon: - file.managed: - - source: salt://common/files/daemon.json - - name: /etc/docker/daemon.json - - template: jinja - -# Make sure Docker is always running -docker: - service.running: - - enable: True - - watch: - - file: docker_daemon - -# Reserve OS ports for Docker proxy in case boot settings are not already applied/present -# 55000 = Wazuh, 57314 = Strelka, 47760-47860 = Zeek -dockerapplyports: - cmd.run: - - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760-47860"; fi - -# Reserve OS ports for Docker proxy -dockerreserveports: - file.managed: - - source: salt://common/files/99-reserved-ports.conf - - name: /etc/sysctl.d/99-reserved-ports.conf - {% if salt['grains.get']('sosmodel', '') %} {% if grains['os'] == 'CentOS' %} # Install Raid tools diff --git a/salt/common/packages.sls b/salt/common/packages.sls new file mode 100644 index 000000000..c6dfe8f7b --- /dev/null +++ b/salt/common/packages.sls 
@@ -0,0 +1,61 @@ +{% if grains['os'] != 'CentOS' %} +commonpkgs: + pkg.installed: + - skip_suggestions: True + - pkgs: + - wget + - jq + - tcpdump + - httpd-tools + - net-tools + - curl + - sqlite + - mariadb-devel + - python3-dnf-plugin-versionlock + - nmap-ncat + - createrepo + - python3-lxml + - python3-packaging + - yum-utils + - device-mapper-persistent-data + - lvm2 + - openssl + - git + - vim-enhanced + - python3-docker + + +{% else %} +commonpkgs: + pkg.installed: + - skip_suggestions: True + - pkgs: + - wget + - ntpdate + - bind-utils + - jq + - tcpdump + - httpd-tools + - net-tools + - curl + - sqlite + - mariadb-devel + - nmap-ncat + - python3 + - python36-packaging + - python36-lxml + - python36-docker + - python36-dateutil + - python36-m2crypto + - python36-mysql + - python36-packaging + - python36-lxml + - yum-utils + - device-mapper-persistent-data + - lvm2 + - openssl + - git + - vim-enhanced + - yum-plugin-versionlock + +{% endif %} \ No newline at end of file diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index faa546774..6738126df 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow 
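Review bot: The `{% if grains['os'] != 'CentOS' %}` branch of the new salt/common/packages.sls lists only RPM-family package names (`httpd-tools`, `mariadb-devel`, `yum-utils`, `python3-dnf-plugin-versionlock`, `vim-enhanced`). A minion that is neither CentOS nor RPM-based cannot satisfy `commonpkgs`, and the Debian/Ubuntu list this commit removes from common/init.sls is not carried over. If that is intended, state it at the top of the file with `{# non-CentOS branch assumes an RPM/dnf-based distribution #}`, or key the condition on `grains['os_family']` so an unsupported OS fails with a clear message. The CentOS branch lists `python36-packaging` and `python36-lxml` twice; one of each can go. The `heldpackages` pins for `containerd.io` and `docker-ce*` removed from common/init.sls are not recreated here, so unless another state outside this view holds them, those versions are no longer pinned.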
@@ -1,19 +1,11 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + import ipaddress import textwrap @@ -28,17 +20,13 @@ from datetime import timezone as tz LOCAL_SALT_DIR='/opt/so/saltstack/local' -WAZUH_CONF='/nsm/wazuh/etc/ossec.conf' VALID_ROLES = { 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, - 'o': { 'role': 'osquery_endpoint', 'desc': 'Osquery endpoint - 8090/tcp' }, 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, - 'w': { 'role': 'wazuh_agent', 'desc': 'Wazuh agent - 1514/tcp/udp' }, - 'p': { 'role': 'wazuh_api', 'desc': 'Wazuh API - 55000/tcp' }, - 'r': { 'role': 'wazuh_authd', 'desc': 'Wazuh registration service - 1515/tcp' } + 't': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' } } 
@@ -77,65 +65,15 @@ def ip_prompt() -> str: sys.exit(1) -def wazuh_enabled() -> bool: - file = f'{LOCAL_SALT_DIR}/pillar/global.sls' - with open(file, 'r') as pillar: - if 'wazuh: 1' in pillar.read(): - return True - return False - - -def root_to_str(root: ET.ElementTree) -> str: - return ET.tostring(root, encoding='unicode', method='xml', xml_declaration=False, pretty_print=True) - - -def add_wl(ip): - parser = ET.XMLParser(remove_blank_text=True) - with open(WAZUH_CONF, 'rb') as wazuh_conf: - tree = ET.parse(wazuh_conf, parser) - root = tree.getroot() - - source_comment = ET.Comment(f'Address {ip} added by /usr/sbin/so-allow on {dt.utcnow().replace(tzinfo=tz.utc).strftime("%a %b %e %H:%M:%S %Z %Y")}') - new_global = ET.Element("global") - new_wl = ET.SubElement(new_global, 'white_list') - new_wl.text = ip - - root.append(source_comment) - root.append(new_global) - - with open(WAZUH_CONF, 'w') as add_out: - add_out.write(root_to_str(root)) - - def apply(role: str, ip: str) -> int: firewall_cmd = ['so-firewall', 'includehost', role, ip] salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] - restart_wazuh_cmd = ['so-wazuh-restart'] print(f'Adding {ip} to the {role} role. 
This can take a few seconds...') cmd = subprocess.run(firewall_cmd) if cmd.returncode == 0: cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) else: return cmd.returncode - if cmd.returncode == 0: - if wazuh_enabled() and role=='analyst': - try: - add_wl(ip) - print(f'Added whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) - except Exception as e: - print(f'Failed to add whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) - print(e) - return 1 - print('Restarting OSSEC Server...') - cmd = subprocess.run(restart_wazuh_cmd) - else: - return cmd.returncode - else: - print(f'Commmand \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr) - return cmd.returncode - if cmd.returncode != 0: - print('Failed to restart OSSEC server.') - return cmd.returncode def main(): 
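Review bot: After this hunk, `apply()` in so-allow has no `return` on the path where `so-firewall` succeeds, so it returns `None` despite the `-> int` annotation. The exit status of the `salt-call state.apply firewall` run is never looked at. A failed state apply is then indistinguishable from success, and the firewall may not reflect the change that was just printed to the operator. Ending the function with `if cmd.returncode != 0: print(f'Command \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr)` followed by `return cmd.returncode` keeps the check that was removed along with the Wazuh code. The `apply()` hunk in so-deny (`@@ -76,73 +63,15 @@`) has the same gap, and there the result is an address that stays allowed after a reported removal; how `main()` consumes the return value is outside both hunks.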
@@ -156,11 +94,8 @@ def main(): group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") - group.add_argument('-o', dest='roles', action='append_const', const=VALID_ROLES['o']['role'], help="Osquery endpoint - 8090/tcp") group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") - group.add_argument('-w', dest='roles', action='append_const', const=VALID_ROLES['w']['role'], help="Wazuh agent - 1514/tcp/udp") - group.add_argument('-p', dest='roles', action='append_const', const=VALID_ROLES['p']['role'], help="Wazuh API - 55000/tcp") - group.add_argument('-r', dest='roles', action='append_const', const=VALID_ROLES['r']['role'], help="Wazuh registration service - 1515/tcp") + group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp") ip_g = main_parser.add_argument_group(title='allow') ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') diff --git a/salt/common/tools/sbin/so-allow-view b/salt/common/tools/sbin/so-allow-view index 37c6ad87a..58b972ee2 100755 --- a/salt/common/tools/sbin/so-allow-view +++ b/salt/common/tools/sbin/so-allow-view 
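Review bot: The new `-t` argument repeats the port list as a literal, `help="Elastic Agent endpoint - 8220/tcp,5055/tcp"`, although the same text was just added as `VALID_ROLES['t']['desc']`. For a firewall helper the help text is what the operator reads before opening ports, so the two copies should not be able to drift apart. Writing `help=VALID_ROLES['t']['desc']` here keeps one source for the description; the other `add_argument` calls in this group could follow the same form. `main()` begins and ends outside the hunk.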
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 12b940897..656aa5e4c 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" {# we only want the script to install the workstation if it is CentOS -#} diff --git a/salt/common/tools/sbin/so-checkin b/salt/common/tools/sbin/so-checkin index 0858a96e2..db35af410 100755 --- a/salt/common/tools/sbin/so-checkin +++ b/salt/common/tools/sbin/so-checkin 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 7b5f29c00..c0b028130 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + DEFAULT_SALT_DIR=/opt/so/saltstack/default @@ -162,15 +154,12 @@ elastic_license() { read -r -d '' message <<- EOM \n -Starting in Elastic Stack version 7.11, the Elastic Stack binaries are only available under the Elastic License: -https://securityonion.net/elastic-license - -Please review the Elastic License: +Elastic Stack binaries and Security Onion components are only available under the Elastic License version 2 (ELv2): https://www.elastic.co/licensing/elastic-license -Do you agree to the terms of the Elastic License? +Do you agree to the terms of ELv2? -If so, type AGREE to accept the Elastic License and continue. Otherwise, press Enter to exit this program without making any changes. +If so, type AGREE to accept ELv2 and continue. Otherwise, press Enter to exit this program without making any changes. EOM AGREED=$(whiptail --title "$whiptail_title" --inputbox \ 
@@ -206,7 +195,7 @@ gpg_rpm_import() { local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/centos/keys" fi - RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') + RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') for RPMKEY in "${RPMKEYS[@]}"; do rpm --import $RPMKEYSLOC/$RPMKEY diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup index fee7c4ffe..3a84d9ee8 100755 --- a/salt/common/tools/sbin/so-config-backup +++ b/salt/common/tools/sbin/so-config-backup @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see .. /usr/sbin/so-common +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common {% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %} TODAY=$(date '+%Y_%m_%d') diff --git a/salt/common/tools/sbin/so-cortex-restart b/salt/common/tools/sbin/so-cortex-restart index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-cortex-restart +++ b/salt/common/tools/sbin/so-cortex-restart 
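Review bot: Dropping `'GPG-KEY-WAZUH'` from `RPMKEYS` in `gpg_rpm_import` only stops future imports; a host that ran the earlier version keeps that key in its rpm keyring and continues to trust packages signed with it. If the intent is that Wazuh packages are no longer trusted, the upgrade path needs an explicit removal such as `rpm -e gpg-pubkey-<WAZUH_KEY_ID>` (placeholder; the key id is not on this page). Otherwise a comment next to the array should say the old key is deliberately left in place. Whether another script in this commit already removes it is not visible here, and the `for RPMKEY` loop continues past the end of the hunk.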
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-cortex-start b/salt/common/tools/sbin/so-cortex-start index 787393583..25b2c99c5 100755 --- a/salt/common/tools/sbin/so-cortex-start +++ b/salt/common/tools/sbin/so-cortex-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-cortex-stop b/salt/common/tools/sbin/so-cortex-stop index 73745a1fc..036ab5689 100755 --- a/salt/common/tools/sbin/so-cortex-stop +++ b/salt/common/tools/sbin/so-cortex-stop 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-cortex-user-add +++ b/salt/common/tools/sbin/so-cortex-user-add 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-cortex-user-enable b/salt/common/tools/sbin/so-cortex-user-enable index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-cortex-user-enable +++ b/salt/common/tools/sbin/so-cortex-user-enable 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-curator-restart b/salt/common/tools/sbin/so-curator-restart index 2f8a19467..f57e7b22e 100755 --- a/salt/common/tools/sbin/so-curator-restart +++ b/salt/common/tools/sbin/so-curator-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-curator-start b/salt/common/tools/sbin/so-curator-start index ce92fcea9..c5f0fc4d1 100755 --- a/salt/common/tools/sbin/so-curator-start +++ b/salt/common/tools/sbin/so-curator-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-curator-stop b/salt/common/tools/sbin/so-curator-stop index 8daf2bd52..30fb07e4b 100755 --- a/salt/common/tools/sbin/so-curator-stop +++ b/salt/common/tools/sbin/so-curator-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-deny b/salt/common/tools/sbin/so-deny index efacbab45..a8814b7ea 100755 --- a/salt/common/tools/sbin/so-deny +++ b/salt/common/tools/sbin/so-deny 
@@ -1,19 +1,11 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + import ipaddress import textwrap @@ -27,17 +19,12 @@ from xml.dom import minidom LOCAL_SALT_DIR='/opt/so/saltstack/local' -WAZUH_CONF='/nsm/wazuh/etc/ossec.conf' VALID_ROLES = { 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, - 'o': { 'role': 'osquery_endpoint', 'desc': 'Osquery endpoint - 8090/tcp' }, 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, - 'w': { 'role': 'wazuh_agent', 'desc': 'Wazuh agent - 1514/tcp/udp' }, - 'p': { 'role': 'wazuh_api', 'desc': 'Wazuh API - 55000/tcp' }, - 'r': { 'role': 'wazuh_authd', 'desc': 'Wazuh registration service - 1515/tcp' } } 
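Review bot: so-deny's `VALID_ROLES` loses the osquery and Wazuh entries in this hunk but does not gain the `'t'` / `elastic_agent_endpoint` role that the same commit adds to so-allow. The argparse hunk further down (`@@ -163,11 +92,7 @@`) adds no `-t` flag either. An address granted 8220/tcp and 5055/tcp with `so-allow -t` then has no matching role option in so-deny to revoke it. Add `'t': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' }` to the dict and `group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help=VALID_ROLES['t']['desc'])` to the role group. Whether `so-firewall excludehost` accepts that role name cannot be confirmed from this page.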
@@ -76,73 +63,15 @@ def ip_prompt() -> str: sys.exit(1) -def wazuh_enabled() -> bool: - for file in os.listdir(f'{LOCAL_SALT_DIR}/pillar'): - with open(file, 'r') as pillar: - if 'wazuh: 1' in pillar.read(): - return True - return False - - -def root_to_str(root: ET.ElementTree) -> str: - xml_str = ET.tostring(root, encoding='unicode', method='xml').replace('\n', '') - xml_str = re.sub(r'(?:(?<=>) *)', '', xml_str) - - # Remove specific substrings to better format comments on intial parse/write - xml_str = re.sub(r' -', '', xml_str) - xml_str = re.sub(r' -->', ' -->', xml_str) - - dom = minidom.parseString(xml_str) - return dom.toprettyxml(indent=" ") - - -def rem_wl(ip): - parser = ET.XMLParser(remove_blank_text=True) - with open(WAZUH_CONF, 'rb') as wazuh_conf: - tree = ET.parse(wazuh_conf, parser) - root = tree.getroot() - - global_elems = root.findall(f"global/white_list[. = '{ip}']/..") - if len(global_elems) > 0: - for g_elem in global_elems: - ge_index = list(root).index(g_elem) - if ge_index > 0 and root[list(root).index(g_elem) - 1].tag == ET.Comment: - root.remove(root[ge_index - 1]) - root.remove(g_elem) - - with open(WAZUH_CONF, 'w') as out: - out.write(root_to_str(root)) - - def apply(role: str, ip: str) -> int: firewall_cmd = ['so-firewall', 'excludehost', role, ip] salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] - restart_wazuh_cmd = ['so-wazuh-restart'] print(f'Removing {ip} from the {role} role. 
This can take a few seconds...') cmd = subprocess.run(firewall_cmd) if cmd.returncode == 0: cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) else: return cmd.returncode - if cmd.returncode == 0: - if wazuh_enabled and role=='analyst': - try: - rem_wl(ip) - print(f'Removed whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) - except Exception as e: - print(f'Failed to remove whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) - print(e) - return 1 - print('Restarting OSSEC Server...') - cmd = subprocess.run(restart_wazuh_cmd) - else: - return cmd.returncode - else: - print(f'Commmand \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr) - return cmd.returncode - if cmd.returncode != 0: - print('Failed to restart OSSEC server.') - return cmd.returncode def main(): 
@@ -163,11 +92,7 @@ def main(): group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") - group.add_argument('-o', dest='roles', action='append_const', const=VALID_ROLES['o']['role'], help="Osquery endpoint - 8090/tcp") group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") - group.add_argument('-w', dest='roles', action='append_const', const=VALID_ROLES['w']['role'], help="Wazuh agent - 1514/tcp/udp") - group.add_argument('-p', dest='roles', action='append_const', const=VALID_ROLES['p']['role'], help="Wazuh API - 55000/tcp") - group.add_argument('-r', dest='roles', action='append_const', const=VALID_ROLES['r']['role'], help="Wazuh registration service - 1515/tcp") ip_g = main_parser.add_argument_group(title='allow') ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune index adb22cf5f..224cbd222 100755 --- a/salt/common/tools/sbin/so-docker-prune +++ b/salt/common/tools/sbin/so-docker-prune 
@@ -1,19 +1,11 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + import sys, argparse, re, docker from packaging.version import Version, InvalidVersion diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh index 0b72edf89..45d1e2785 100755 --- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common . /usr/sbin/so-image-common diff --git a/salt/common/tools/sbin/so-elastalert-restart b/salt/common/tools/sbin/so-elastalert-restart index bfd02ce35..4f0c68bf2 100755 --- a/salt/common/tools/sbin/so-elastalert-restart +++ b/salt/common/tools/sbin/so-elastalert-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elastalert-start b/salt/common/tools/sbin/so-elastalert-start index eeb96c16d..6c9f1abf1 100755 --- a/salt/common/tools/sbin/so-elastalert-start +++ b/salt/common/tools/sbin/so-elastalert-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elastalert-stop b/salt/common/tools/sbin/so-elastalert-stop index ab175a153..4523ab018 100755 --- a/salt/common/tools/sbin/so-elastalert-stop +++ b/salt/common/tools/sbin/so-elastalert-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers new file mode 100644 index 000000000..837745050 --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers 
@@ -0,0 +1,32 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. + +#so-elastic-agent-gen-installers $FleetHost $EnrollmentToken + +. /usr/sbin/so-common + +ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key') + +FLEETHOST=$(lookup_pillar "server:url" "elasticfleet") + +#FLEETHOST=$1 +#ENROLLMENTOKEN=$2 +CONTAINERGOOS=( "linux" "darwin" "windows" ) + +rm -rf /tmp/elastic-agent-workspace +mkdir -p /tmp/elastic-agent-workspace + +for OS in "${CONTAINERGOOS[@]}" +do + printf "\n\nGenerating $OS Installer..." + cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz + docker run -e CGO_ENABLED=0 -e GOOS=$OS \ + --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ + --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ + --mount type=bind,source=/opt/so/conf/elastic-fleet/so_agent-installers/,target=/output/ \ + so-elastic-agent-builder go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS + printf "\n $OS Installer Generated..." +done diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth deleted file mode 100755 index fe4d04f49..000000000 --- a/salt/common/tools/sbin/so-elastic-auth +++ /dev/null 
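Review bot: The build workspace is a fixed path under /tmp (`rm -rf /tmp/elastic-agent-workspace` followed by `mkdir -p`), which on a host with other local accounts can be pre-created or swapped before it is bind-mounted into the builder container; `WORKSPACE=$(mktemp -d)` with `trap 'rm -rf "$WORKSPACE"' EXIT`, and `"$WORKSPACE"` in the `cp` and `--mount` lines, avoids that. The enrollment token is also passed on the `docker run` command line inside `-ldflags`, so it is readable in the process list while the build runs. Nothing checks that `ENROLLMENTOKEN` or `FLEETHOST` came back non-empty, or that only one policy matched the `contains("endpoints")` filter, before three installers are built with them. A guard such as `[ -n "$ENROLLMENTOKEN" ] && [ -n "$FLEETHOST" ] || exit 1` after the two lookups would stop a silent build of unusable installers.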
@@ -1,67 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if [ -f "/usr/sbin/so-common" ]; then - . /usr/sbin/so-common -fi - -ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls} -ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} - -authEnable=$1 - -if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then - echo "Elastic auth pillar file is invalid. Unable to proceed." - exit 1 -fi - -function restart() { - if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then - echo "Elasticsearch on all affected minions will now be stopped and then restarted..." - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop queue=True - echo "Applying highstate to all affected minions..." - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True - fi -} - -if [[ "$authEnable" == "true" ]]; then - if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then - sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR" - restart - echo "Elastic auth is now enabled." 
- if grep -q "argon" "$ES_USERS_FILE"; then - echo "" - echo "IMPORTANT: The following users will need to change their password, after logging into SOC, in order to access Kibana:" - grep argon "$ES_USERS_FILE" | cut -d ":" -f 1 - fi - else - echo "Auth is already enabled." - fi -elif [[ "$authEnable" == "false" ]]; then - if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then - sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR" - restart - echo "Elastic auth is now disabled." - else - echo "Auth is already disabled." - fi -else - echo "Usage: $0 " - echo "" - echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion." - echo "" -fi diff --git a/salt/common/tools/sbin/so-elastic-auth-password-reset b/salt/common/tools/sbin/so-elastic-auth-password-reset index 0dc66b056..17404e953 100644 --- a/salt/common/tools/sbin/so-elastic-auth-password-reset +++ b/salt/common/tools/sbin/so-elastic-auth-password-reset 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . source $(dirname $0)/so-common require_manager 
@@ -98,18 +89,18 @@ function killAllSaltJobs() { function soUserSync() { # apply this state to update /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager salt-call state.sls_id elastic_curl_config_distributed manager queue=True - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' saltutil.kill_all_jobs + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' saltutil.kill_all_jobs # apply this state to get the curl.config - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True $(dirname $0)/so-user sync printf "\nApplying logstash state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply logstash queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply logstash queue=True printf "\nApplying filebeat state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or 
G@role:so-searchnode or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True printf "\nApplying kibana state to the appropriate nodes.\n\n" salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch' state.apply kibana queue=True printf "\nApplying curator state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply curator queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply curator queue=True } function highstateManager() { diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index ef4c79358..d441e4d65 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear 
@@ -1,20 +1,12 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common SKIP=0 @@ -50,7 +42,7 @@ done if [ $SKIP -ne 1 ]; then # List indices echo - {{ ELASTICCURL }} -k -L https://{{ NODEIP }}:9200/_cat/indices?v + curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://{{ NODEIP }}:9200/_cat/indices?v echo # Inform user we are about to delete all data echo 
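Review bot: The new `curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://{{ NODEIP }}:9200/_cat/indices?v` call keeps `-k`, so the request goes out without verifying the server certificate; curl.config presumably carries the Elasticsearch credentials, which makes this worth fixing rather than carrying over. If the Elasticsearch certificate is issued by the grid CA, `--cacert <path to the CA bundle>` in place of `-k` would keep the connection authenticated. The same line shape appears in the later so-elastic-clear hunk and in the so-elasticsearch-component-templates-list, -index-templates-list, -indices-list and -indices-rw hunks. Separately, `salt['pillar.get']('host:mainip', '')` falls back to an empty string, which renders `https://:9200/` in a script that goes on to delete indices; exiting early when NODEIP is empty would be safer.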
@@ -89,10 +81,10 @@ fi # Delete data echo "Deleting data..." -INDXS=$({{ ELASTICCURL }} -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') +INDXS=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') for INDX in ${INDXS} do - {{ ELASTICCURL }} -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 + curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 done #Start Logstash/Filebeat diff --git a/salt/common/tools/sbin/so-elastic-diagnose b/salt/common/tools/sbin/so-elastic-diagnose index fc3c8923d..a94384fe8 100755 --- a/salt/common/tools/sbin/so-elastic-diagnose +++ b/salt/common/tools/sbin/so-elastic-diagnose @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Source common settings . /usr/sbin/so-common 
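Review bot: In the delete loop the new line reads `curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L ...`: the space between the config path and `-XDELETE` is missing, so curl is pointed at a config file named `curl.config-XDELETE` and no DELETE method is set. Because the output goes to `> /dev/null 2>&1`, the script still announces that it is deleting data while the indices most likely remain in place. The line should be `curl -K /opt/so/conf/elasticsearch/curl.config -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1`, and checking curl's exit status (for example with `-f`) would make a failed delete visible to the operator.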
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup new file mode 100644 index 000000000..a41beb5a6 --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
@@ -0,0 +1,81 @@ + +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. +{% from 'vars/globals.map.jinja' import GLOBALS %} + +. /usr/sbin/so-common + + +# Create ES Token +ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) +printf "ESTOKEN = $ESTOKEN \n" + +# Add SO-Manager Fleet URL +## This array replaces whatever URLs are currently configured +printf "\n" +curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}' +printf "\n\n" + +# Create Logstash Output payload +cp /etc/ssl/certs/intca.crt /opt/so/conf/filebeat/etc/pki/ +LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt) +LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/filebeat/etc/pki/filebeat.key) +LOGSTASHCA=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/intca.crt) +JSON_STRING=$( jq -n \ + --arg LOGSTASHCRT "$LOGSTASHCRT" \ + --arg LOGSTASHKEY "$LOGSTASHKEY" \ + --arg LOGSTASHCA "$LOGSTASHCA" \ + '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}' + ) + +# Add SO-Manager Logstash Ouput +curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +printf "\n\n" + +# Add Elastic Fleet Integrations + +# Add Elastic Fleet Server Agent Policy +#curl 
-vv -K /opt/so/conf/elasticsearch/curl.config -L \ +#-X POST "localhost:5601/api/fleet/agent_policies" \ +#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ +#-d '{"name":"SO-Manager","id":"so-manager","description":"SO Manager Fleet Server Policy","namespace":"default","monitoring_enabled":["logs"],"has_fleet_server":true}' + +# Add Agent Policy - SOS Grid Nodes +#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ +#-X POST "localhost:5601/api/fleet/agent_policies" \ +#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ +#-d '{"name":"SO-Grid","id":"so-grid","description":"SO Grid Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' + +# Add Agent Policy - Default endpoints +#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ +#-X POST "localhost:5601/api/fleet/agent_policies" \ +#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ +#-d '{"name":"Endpoints-Initalization","id":"endpoints","description":"Initial Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' + +# Store needed data in minion pillar +pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls +printf '%s\n'\ + "elasticfleet:"\ + " server:"\ + " es_token: '$ESTOKEN'"\ + " url: '{{ GLOBALS.manager_ip }}'"\ + "" >> "$pillar_file" + + +# Call Elastic-Fleet Salt State +salt-call state.apply elastic-fleet + +# Temp +wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ 
https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz + +git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git +cd securityonion-image/so-elastic-agent-builder +docker build -t so-elastic-agent-builder . + +so-elastic-agent-gen-installers +/opt/so/conf/elastic-fleet/so_agent-installers/so-elastic-agent_linux \ No newline at end of file diff --git a/salt/common/tools/sbin/so-elastic-restart b/salt/common/tools/sbin/so-elastic-restart index de7a261f8..4fb8ae10b 100755 --- a/salt/common/tools/sbin/so-elastic-restart +++ b/salt/common/tools/sbin/so-elastic-restart 
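Review bot: `printf "ESTOKEN = $ESTOKEN \n"` writes the newly created Fleet service token to stdout (and into any captured setup log), and the value is then appended to the minion pillar without checking that the API call succeeded, so a failed request stores an empty or `null` token. I would drop the printf and stop before the pillar write when no token came back, as in the fence below; note also that `>>` appends another `elasticfleet:` block each time the script is re-run. The first line of the new file is blank, so `#!/bin/bash` is not on line 1 and will not act as the interpreter line. The block under `# Temp` downloads three agent tarballs with `wget`, clones a branch into the current directory and runs `docker build` on it with no checksum or commit pin; pinning a commit and verifying a published digest before the build would close that gap.

```shell
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -sS -f -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
if [ -z "$ESTOKEN" ] || [ "$ESTOKEN" = "null" ]; then
    echo "Fleet service token was not created; leaving the pillar unchanged." >&2
    exit 1
fi
# … unchanged: Fleet URL, Logstash output payload, pillar write …
```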
@@ -1,24 +1,16 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common -{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%} /usr/sbin/so-restart elasticsearch $1 {%- endif %} 
@@ -26,15 +18,15 @@ /usr/sbin/so-restart kibana $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-restart logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} /usr/sbin/so-restart filebeat $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-restart curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-start b/salt/common/tools/sbin/so-elastic-start index f1000311c..04c076662 100755 --- a/salt/common/tools/sbin/so-elastic-start +++ b/salt/common/tools/sbin/so-elastic-start 
@@ -1,24 +1,16 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common -{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%} /usr/sbin/so-start elasticsearch $1 {%- endif %} 
@@ -26,15 +18,15 @@ /usr/sbin/so-start kibana $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-start logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} /usr/sbin/so-start filebeat $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-start curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-stop b/salt/common/tools/sbin/so-elastic-stop index f9f4d0d0c..45e8fd18b 100755 --- a/salt/common/tools/sbin/so-elastic-stop +++ b/salt/common/tools/sbin/so-elastic-stop 
@@ -1,24 +1,16 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common -{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%} /usr/sbin/so-stop elasticsearch $1 {%- endif %} 
@@ -26,15 +18,15 @@ /usr/sbin/so-stop kibana $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-stop logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} /usr/sbin/so-stop filebeat $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-stop curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elasticsearch-component-templates-list b/salt/common/tools/sbin/so-elasticsearch-component-templates-list index 69deb1873..f8eab884e 100755 --- a/salt/common/tools/sbin/so-elasticsearch-component-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list 
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-index-templates-list b/salt/common/tools/sbin/so-elasticsearch-index-templates-list index 84fecc565..35c478f90 100755 --- a/salt/common/tools/sbin/so-elasticsearch-index-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list 
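Review bot: The script argument is placed into the URL unquoted in `https://{{ NODEIP }}:9200/_component_template/$1`, so a value containing spaces or glob characters is split into extra curl arguments instead of being treated as one template name. Quoting the whole URL, `"https://{{ NODEIP }}:9200/_component_template/$1"`, keeps it a single argument. The so-elasticsearch-index-templates-list hunk that follows has the same line with `_index_template/$1`.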
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list index f7662f4e2..a71f127eb 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-list +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list 
@@ -14,8 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw index 5aa24f91a..724dd9dcf 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-rw +++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw 
@@ -1,23 +1,15 @@ #!/bin/bash # # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} ESPORT=9200 echo "Removing read only attributes for indices..." echo -{{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; 
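Review bot: The success test `grep -q ack` on the final line matches any output containing those three letters, and `2>&1` folds curl's stderr into the same stream, so an error body or message that happens to contain "ack" is reported as "Index settings updated...". Matching the acknowledgement itself is tighter: `grep -q '"acknowledged":true'`. Two smaller things on the same line: the URL hard-codes `9200` although `ESPORT=9200` is set just above it, and the failure message reads "There was any issue" where "an issue" is meant.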
diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats index da808d743..8f541d2ee 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats @@ -14,12 +14,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-view b/salt/common/tools/sbin/so-elasticsearch-pipeline-view index 0c6648c0b..03e3c2a6a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view 
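Review bot: In the `else` branch `$1` is pasted into the jq program text (`.ingest.pipelines.\"$1\"`), so a pipeline name containing a double quote or backslash changes the filter instead of being looked up as a key. Passing the name as data avoids that: `jq --arg p "$1" '.[] | .ingest.pipelines[$p]'`. The two chained `jq` calls can also be collapsed into one, `jq '.nodes[] | .ingest.pipelines'`.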
@@ -14,12 +14,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[] + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[] fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipelines-list b/salt/common/tools/sbin/so-elasticsearch-pipelines-list index 4ea3bc752..3e6246e31 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list +++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list 
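Review bot: The URLs in both branches are unquoted shell words: `https://{{ NODEIP }}:9200/_ingest/pipeline/*` is subject to pathname expansion and `.../pipeline/$1` to word splitting, so what curl receives can depend on the working directory and on whitespace in the argument. Quoting fixes both: `"https://{{ NODEIP }}:9200/_ingest/pipeline/*"` and `"https://{{ NODEIP }}:9200/_ingest/pipeline/$1"`. The same unquoted `$1` or `*` appears in the component-template, index-template, pipelines-list, template-remove, template-view and templates-list hunks of this patch, and the shards-list URL has an unquoted `?`.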
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-query b/salt/common/tools/sbin/so-elasticsearch-query index 3cc5f4602..e5d1f58e6 100755 --- a/salt/common/tools/sbin/so-elasticsearch-query +++ b/salt/common/tools/sbin/so-elasticsearch-query 
@@ -34,4 +34,4 @@ fi QUERYPATH=$1 shift -{{ ELASTICCURL }} -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@" +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@" diff --git a/salt/common/tools/sbin/so-elasticsearch-restart b/salt/common/tools/sbin/so-elasticsearch-restart index 0e16b5181..7a770faf1 100755 --- a/salt/common/tools/sbin/so-elasticsearch-restart +++ b/salt/common/tools/sbin/so-elasticsearch-restart @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-shards-list b/salt/common/tools/sbin/so-elasticsearch-shards-list index 19d072f65..378888873 100755 --- a/salt/common/tools/sbin/so-elasticsearch-shards-list +++ b/salt/common/tools/sbin/so-elasticsearch-shards-list 
@@ -14,8 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty diff --git a/salt/common/tools/sbin/so-elasticsearch-start b/salt/common/tools/sbin/so-elasticsearch-start index 1822c6837..eba1ec54a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-start +++ b/salt/common/tools/sbin/so-elasticsearch-start @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-stop b/salt/common/tools/sbin/so-elasticsearch-stop index 27272701b..3a3c4d5f5 100755 --- a/salt/common/tools/sbin/so-elasticsearch-stop +++ b/salt/common/tools/sbin/so-elasticsearch-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-template-remove b/salt/common/tools/sbin/so-elasticsearch-template-remove index f037fc9c8..d69b82fc4 100755 --- a/salt/common/tools/sbin/so-elasticsearch-template-remove +++ b/salt/common/tools/sbin/so-elasticsearch-template-remove @@ -14,8 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1 +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1 diff --git a/salt/common/tools/sbin/so-elasticsearch-template-view b/salt/common/tools/sbin/so-elasticsearch-template-view index 661e390e4..6d549d7c0 100755 --- a/salt/common/tools/sbin/so-elasticsearch-template-view 
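Review bot: In the so-elasticsearch-template-remove hunk, `-XDELETE https://{{ NODEIP }}:9200/_template/$1` runs with whatever `$1` holds, and the hunk shows no check that an argument was given, unlike the sibling list and view scripts, which branch on `[ "$1" == "" ]`. For a destructive call a guard before the curl line is worth adding, `[ -n "$1" ] || { echo "Usage: $0 TEMPLATE_NAME"; exit 1; }`. Quoting the URL as well means a wildcard or space in the name reaches Elasticsearch exactly as typed rather than being expanded by the shell first.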
+++ b/salt/common/tools/sbin/so-elasticsearch-template-view @@ -14,12 +14,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq . + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq . else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq . + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq . fi diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-list b/salt/common/tools/sbin/so-elasticsearch-templates-list index 905abd713..e63c8cf54 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-templates-list 
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-wait b/salt/common/tools/sbin/so-elasticsearch-wait index f56aafcd3..5bb081a16 100755 --- a/salt/common/tools/sbin/so-elasticsearch-wait +++ b/salt/common/tools/sbin/so-elasticsearch-wait 
@@ -2,4 +2,4 @@ . /usr/sbin/so-common -wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}" +wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index 945c3c58a..43c816087 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup @@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set mainint = salt['pillar.get']('host:mainint') %} {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} 
@@ -31,7 +23,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" @@ -48,8 +40,8 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then echo fi echo "Testing to see if the pipelines are already applied" -ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") -PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c) +ESVER=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") +PIPELINES=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c) if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then echo "Setting up ingest pipeline(s)" diff --git a/salt/common/tools/sbin/so-filebeat-restart b/salt/common/tools/sbin/so-filebeat-restart index 0fe2ccb0a..97ccbb0ee 100755 --- a/salt/common/tools/sbin/so-filebeat-restart +++ b/salt/common/tools/sbin/so-filebeat-restart 
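Review bot: The context line `if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then` makes the "already applied" test ineffective: with `||` the setup branch runs whenever `--force` is not the second argument, whatever `$PIPELINES` is. If the intent is to skip setup when the pipelines exist unless forced, the second test should read `[ "$2" == "--force" ]`; that intent is inferred from the echo above it, so confirm it first. Separately, `ESVER` is empty when the first curl fails, which turns the lookup into `filebeat--elasticsearch-server-pipeline`; `jq -r .version.number` plus a `[ -n "$ESVER" ]` check would surface that. The `if` body continues outside the hunk.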
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-filebeat-start b/salt/common/tools/sbin/so-filebeat-start index ae7b998ad..cf148d49a 100755 --- a/salt/common/tools/sbin/so-filebeat-start +++ b/salt/common/tools/sbin/so-filebeat-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-filebeat-stop b/salt/common/tools/sbin/so-filebeat-stop index d5b1e5711..d3c50fef0 100755 --- a/salt/common/tools/sbin/so-filebeat-stop +++ b/salt/common/tools/sbin/so-filebeat-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 2a394fdff..669d9597b 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall 
@@ -1,19 +1,10 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + import os import re diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion new file mode 100644 index 000000000..a732fa8ac --- /dev/null +++ b/salt/common/tools/sbin/so-firewall-minion 
@@ -0,0 +1,82 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +. /usr/sbin/so-common + +if [[ $# -lt 1 ]]; then + echo "Usage: $0 --role= --ip=" + echo "" + echo " Example: so-firewall-minion --role=manager --ip=192.168.254.100" + echo "" + exit 1 +fi + +for i in "$@"; do + case $i in + -r=*|--role=*) + ROLE="${i#*=}" + shift + ;; + -i=*|--ip=*) + IP="${i#*=}" + shift + ;; + -*|--*) + echo "Unknown option $i" + exit 1 + ;; + *) + ;; + esac +done + +ROLE=${ROLE^^} + +if [ -z "$ROLE" ]; then + echo "Please specify a role with --role=" + exit 1 +fi +if [ -z "$IP" ]; then + echo "Please specify an IP address with --ip=" + exit 1 +fi + + case "$ROLE" in + + 'MANAGER') + so-firewall includehost manager "$IP" + so-firewall --apply includehost minion "$IP" + ;; + 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') + so-firewall includehost manager "$IP" + so-firewall includehost minion "$IP" + so-firewall includehost sensor "$IP" + so-firewall --apply includehost search_node "$IP" + ;; + 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') + so-firewall includehost minion "$IP" + case "$ROLE" in + 'SENSOR') + so-firewall --apply includehost sensor "$IP" + ;; + 'SEARCHNODE') + so-firewall --apply includehost search_node "$IP" + ;; + 'HEAVYNODE') + so-firewall includehost sensor "$IP" + so-firewall --apply includehost heavy_node "$IP" + ;; + 'IDH') + so-firewall --apply includehost beats_endpoint_ssl "$IP" + ;; + 'RECEIVER') + so-firewall --apply includehost receiver "$IP" + ;; + esac + ;; + esac diff --git a/salt/common/tools/sbin/so-fleet-restart b/salt/common/tools/sbin/so-fleet-restart deleted file mode 100755 index 50bfd1200..000000000 
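Review bot: The outer `case "$ROLE"` has no default branch, so a misspelt or unsupported `--role=` value matches nothing and the script exits 0 without adding the host to any group; the operator gets no sign that the firewall was left unchanged. Add `*) echo "Unknown role $ROLE"; exit 1 ;;` before the final `esac`. The return codes of the intermediate `so-firewall includehost` calls are also ignored, so a failure on the first still reaches the `--apply` call; chaining them with `&&` or checking `$?` would stop at the first error. The `shift` inside `for i in "$@"` has no effect on the loop, which iterates over the already-expanded list, and can be dropped.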
--- a/salt/common/tools/sbin/so-fleet-restart +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -/usr/sbin/so-restart fleet $1 diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup deleted file mode 100755 index d3ea4dca3..000000000 --- a/salt/common/tools/sbin/so-fleet-setup +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/bash - -#so-fleet-setup $FleetEmail $FleetPassword - -. /usr/sbin/so-common - -if [[ $# -ne 2 ]] ; then - echo "Username or Password was not set - exiting now." - exit 1 -fi - -USER_EMAIL=$1 -USER_PW=$2 - -# Checking to see if required containers are started... -if [ ! "$(docker ps -q -f name=so-fleet)" ]; then - echo "Starting Docker Containers..." - salt-call state.apply mysql queue=True >> /root/fleet-setup.log - salt-call state.apply fleet queue=True >> /root/fleet-setup.log - salt-call state.apply redis queue=True >> /root/fleet-setup.log -fi - -docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet -docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done' - -# Create Security Onion Fleet Service Account + Setup Fleet -FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email) -FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password) -docker exec so-fleet fleetctl setup --email $FLEET_SA_EMAIL --password $FLEET_SA_PW --name SO_ServiceAccount --org-name SO - -# Create User Account -echo "$USER_PW" | so-fleet-user-add "$USER_EMAIL" - -# Import Packs & Configs -docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml -docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml -docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml -docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done' -docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf - - -# Update the Enroll Secret -echo "Updating the Enroll Secret..." 
-salt-call state.apply fleet.event_update-enroll-secret queue=True >> /root/fleet-setup.log -salt-call state.apply nginx queue=True >> /root/fleet-setup.log - -# Generate osquery install packages -echo "Generating osquery install packages - this will take some time..." -salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log -sleep 120 - -echo "Installing launcher via salt..." -salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log -salt-call state.apply filebeat queue=True >> /root/fleet-setup.log -docker stop so-nginx -salt-call state.apply nginx queue=True >> /root/fleet-setup.log - -echo "Fleet Setup Complete - Login with the username and password you ran the script with." diff --git a/salt/common/tools/sbin/so-fleet-start b/salt/common/tools/sbin/so-fleet-start deleted file mode 100755 index cf51f51a6..000000000 --- a/salt/common/tools/sbin/so-fleet-start +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -/usr/sbin/so-start fleet $1 diff --git a/salt/common/tools/sbin/so-fleet-stop b/salt/common/tools/sbin/so-fleet-stop deleted file mode 100755 index 6ca6d9750..000000000 --- a/salt/common/tools/sbin/so-fleet-stop +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -/usr/sbin/so-stop fleet $1 diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add deleted file mode 100755 index 4c0f2105e..000000000 --- a/salt/common/tools/sbin/so-fleet-user-add +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -usage() { - echo "Usage: $0 " - echo "" - echo "Adds a new user to Fleet. The new password will be read from STDIN." - exit 1 -} - -if [ $# -ne 1 ]; then - usage -fi - - -USER_EMAIL=$1 -FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email) -FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password) -MYSQL_PW=$(lookup_pillar_secret mysql) - -# Read password for new user from stdin -test -t 0 -if [[ $? == 0 ]]; then - echo "Enter new password:" -fi -read -rs USER_PASS - -check_password_and_exit "$USER_PASS" - -# Config fleetctl & login with the SO Service Account -CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 ) -SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1) - -if [[ $? -ne 0 ]]; then - echo "Unable to add user to Fleet; Fleet Service account login failed" - echo "$SALOGIN_OUTPUT" - exit 2 -fi - -# Create New User -CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1) - -if [[ $? 
-eq 0 ]]; then - echo "Successfully added user to Fleet" -else - echo "Unable to add user to Fleet; user might already exist" - echo "$CREATE_OUTPUT" - exit 2 -fi - -# Disable forced password reset -MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \ -"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1) diff --git a/salt/common/tools/sbin/so-fleet-user-delete b/salt/common/tools/sbin/so-fleet-user-delete deleted file mode 100644 index d02bc3ab3..000000000 --- a/salt/common/tools/sbin/so-fleet-user-delete +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -usage() { - echo "Usage: $0 " - echo "" - echo "Deletes a user in Fleet" - exit 1 -} - -if [ $# -ne 1 ]; then - usage -fi - -USER_EMAIL=$1 -FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email) -FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password) - -# Config fleetctl & login with the SO Service Account -CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 ) -SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1) - -if [[ $? -ne 0 ]]; then - echo "Unable to delete user from Fleet; Fleet Service account login failed" - echo "$SALOGIN_OUTPUT" - exit 2 -fi - -# Delete User -DELETE_OUTPUT=$(docker exec so-fleet fleetctl user delete --email $USER_EMAIL 2>&1) - -if [[ $? -eq 0 ]]; then - echo "Successfully deleted user from Fleet" -else - echo "Unable to delete user from Fleet" - echo "$DELETE_OUTPUT" - exit 2 -fi - - diff --git a/salt/common/tools/sbin/so-fleet-user-update b/salt/common/tools/sbin/so-fleet-user-update deleted file mode 100755 index 36d4b2250..000000000 --- a/salt/common/tools/sbin/so-fleet-user-update +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -. /usr/sbin/so-common - -usage() { - echo "Usage: $0 " - echo "" - echo "Update password for an existing Fleet user. The new password will be read from STDIN." - exit 1 -} - -if [ $# -ne 1 ]; then - usage -fi - -USER=$1 - -MYSQL_PASS=$(lookup_pillar_secret mysql) -FLEET_IP=$(lookup_pillar fleet_ip) -FLEET_USER=$USER - -# test existence of user -MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \ - "SELECT count(1) FROM users WHERE email='$FLEET_USER'" 2>/dev/null | tail -1) -if [[ $? -ne 0 ]] || [[ $MYSQL_OUTPUT -ne 1 ]] ; then - echo "Test for email [${FLEET_USER}] failed" - echo " expect 1 hit in users database, return $MYSQL_OUTPUT hit(s)." - echo "Unable to update Fleet user password." - exit 2 -fi - -# Read password for new user from stdin -test -t 0 -if [[ $? == 0 ]]; then - echo "Enter new password:" -fi -read -rs FLEET_PASS - -if ! check_password "$FLEET_PASS"; then - echo "Password is invalid. Please exclude single quotes, double quotes, dollar signs, and backslashes from the password." - exit 2 -fi - -FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1) -if [[ $? 
-ne 0 ]]; then - echo "Failed to generate Fleet password hash" - exit 2 -fi - - -MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \ - "UPDATE users SET password='$FLEET_HASH', salt='' where email='$FLEET_USER'" 2>&1) - -if [[ $? -eq 0 ]]; then - echo "Successfully updated Fleet user password" -else - echo "Unable to update Fleet user password" - echo "$MYSQL_OUTPUT" - exit 2 -fi diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart index e82d80ba1..f8fbcb9c1 100755 --- a/salt/common/tools/sbin/so-grafana-restart +++ b/salt/common/tools/sbin/so-grafana-restart @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start index be885aafa..dfea3b8dc 100755 --- a/salt/common/tools/sbin/so-grafana-start +++ b/salt/common/tools/sbin/so-grafana-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop index 50028231b..62552f17f 100755 --- a/salt/common/tools/sbin/so-grafana-stop +++ b/salt/common/tools/sbin/so-grafana-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idh-restart b/salt/common/tools/sbin/so-idh-restart index ce6dd9843..78d760897 100644 --- a/salt/common/tools/sbin/so-idh-restart +++ b/salt/common/tools/sbin/so-idh-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idh-start b/salt/common/tools/sbin/so-idh-start index 2f300ba01..6d2fc4eee 100644 --- a/salt/common/tools/sbin/so-idh-start +++ b/salt/common/tools/sbin/so-idh-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idh-stop b/salt/common/tools/sbin/so-idh-stop index 48e974be2..488c2eb0d 100644 --- a/salt/common/tools/sbin/so-idh-stop +++ b/salt/common/tools/sbin/so-idh-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idstools-restart b/salt/common/tools/sbin/so-idstools-restart index 5a247a589..f2abbd0a5 100755 --- a/salt/common/tools/sbin/so-idstools-restart +++ b/salt/common/tools/sbin/so-idstools-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idstools-start b/salt/common/tools/sbin/so-idstools-start index 1ee9f2e9d..e17b5e521 100755 --- a/salt/common/tools/sbin/so-idstools-start +++ b/salt/common/tools/sbin/so-idstools-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idstools-stop b/salt/common/tools/sbin/so-idstools-stop index 546cd681a..f2d188d06 100755 --- a/salt/common/tools/sbin/so-idstools-stop +++ b/salt/common/tools/sbin/so-idstools-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 00d4233d0..b29f4bd45 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # NOTE: This script depends on so-common IMAGEREPO=security-onion-solutions @@ -32,7 +24,6 @@ container_list() { if [ $MANAGERCHECK == 'so-import' ]; then TRUSTED_CONTAINERS=( - "so-acng" "so-elasticsearch" "so-filebeat" "so-idstools" @@ -47,13 +38,10 @@ container_list() { ) elif [ $MANAGERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( - "so-acng" "so-curator" "so-elastalert" "so-elasticsearch" "so-filebeat" - "so-fleet" - "so-fleet-launcher" "so-grafana" "so-idh" "so-idstools" @@ -75,7 +63,6 @@ container_list() { "so-strelka-manager" "so-suricata" "so-telegraf" - "so-wazuh" "so-zeek" ) else diff --git a/salt/common/tools/sbin/so-image-pull b/salt/common/tools/sbin/so-image-pull index 9bc87d310..915547c8e 100755 --- a/salt/common/tools/sbin/so-image-pull +++ b/salt/common/tools/sbin/so-image-pull 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common . /usr/sbin/so-image-common diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 4737a2419..522816df7 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set MANAGER = salt['grains.get']('master') %} {%- set VERSION = salt['pillar.get']('global:soversion') %} diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 04a177e0b..4dad845f0 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set MANAGER = salt['grains.get']('master') %} {%- set VERSION = salt['pillar.get']('global:soversion') %} diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list index a71c5f280..1e4595b35 100755 --- a/salt/common/tools/sbin/so-index-list +++ b/salt/common/tools/sbin/so-index-list 
@@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -{{ ELASTICCURL }} -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" + + +curl -K /opt/so/conf/elasticsearch/curl.config-X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" diff --git a/salt/common/tools/sbin/so-influxdb-clean b/salt/common/tools/sbin/so-influxdb-clean index 0cbaf91d3..1b903bbe5 100755 --- a/salt/common/tools/sbin/so-influxdb-clean +++ b/salt/common/tools/sbin/so-influxdb-clean 
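Review bot: The added `curl` line in so-index-list has no space between the config path and `-X`, so `-K` is handed `/opt/so/conf/elasticsearch/curl.config-X` and `GET` is left over as a stray argument that curl will treat as a URL. The settings in `curl.config` (presumably the Elasticsearch credentials) are therefore never loaded, and the index listing either fails or is sent unauthenticated, depending on how the installed curl handles an unreadable config file. The line should read `curl -K /opt/so/conf/elasticsearch/curl.config -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"`. The `-k` carried over from the old line still disables certificate verification; if the deployment's CA file is available on the host, `--cacert` would be the safer choice.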
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-downsample b/salt/common/tools/sbin/so-influxdb-downsample index 85af5c1b4..ef44cd91d 100755 --- a/salt/common/tools/sbin/so-influxdb-downsample +++ b/salt/common/tools/sbin/so-influxdb-downsample 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set role = grains.id.split('_') | last %} {%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %} {%- import_yaml 'influxdb/defaults.yaml' as default_settings %} diff --git a/salt/common/tools/sbin/so-influxdb-drop-autogen b/salt/common/tools/sbin/so-influxdb-drop-autogen index 788d166b7..5fe7b6e73 100755 --- a/salt/common/tools/sbin/so-influxdb-drop-autogen +++ b/salt/common/tools/sbin/so-influxdb-drop-autogen 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-restart b/salt/common/tools/sbin/so-influxdb-restart index f8a2590eb..0d478e58d 100755 --- a/salt/common/tools/sbin/so-influxdb-restart +++ b/salt/common/tools/sbin/so-influxdb-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-start b/salt/common/tools/sbin/so-influxdb-start index aba50fab5..a7b4e25e5 100755 --- a/salt/common/tools/sbin/so-influxdb-start +++ b/salt/common/tools/sbin/so-influxdb-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-stop b/salt/common/tools/sbin/so-influxdb-stop index fa85f0bfc..53a91d9d7 100755 --- a/salt/common/tools/sbin/so-influxdb-stop +++ b/salt/common/tools/sbin/so-influxdb-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-config-export b/salt/common/tools/sbin/so-kibana-config-export index 6013dd3b7..1c15fc54c 100755 --- a/salt/common/tools/sbin/so-kibana-config-export +++ b/salt/common/tools/sbin/so-kibana-config-export 
@@ -5,27 +5,19 @@ # {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %} # {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. 
+ + KIBANA_HOST={{ MANAGER }} KSO_PORT=5601 OUTFILE="saved_objects.ndjson" -SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}') -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE +SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}') +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE # Clean up using PLACEHOLDER sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE diff --git a/salt/common/tools/sbin/so-kibana-restart b/salt/common/tools/sbin/so-kibana-restart index e43bba87f..d7de55b7f 100755 --- a/salt/common/tools/sbin/so-kibana-restart +++ b/salt/common/tools/sbin/so-kibana-restart 
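Review bot: Both rewritten curl calls pass `-K /opt/so/conf/elasticsearch/curl.config`, which presumably carries the Elasticsearch credentials, to `http://$KIBANA_HOST:$KSO_PORT/`, where KIBANA_HOST is the `global:url_base` pillar value rather than localhost. Unless that name resolves to this host, those credentials leave the box over plain HTTP, and the export call additionally follows redirects with `-L`. If Kibana is reachable on loopback here, targeting `localhost:5601` as so-kibana-space-defaults does would avoid that. The cookie fetch also has no check that `SESSIONCOOKIE` is non-empty before the export is redirected into `$OUTFILE`, so a failed request leaves an error body in saved_objects.ndjson; `[ -n "$SESSIONCOOKIE" ] || exit 1` after the first call would catch it. The hard-coded config path replaces `{{ ELASTICCURL }}` in this hunk and in the so-kibana-space-defaults hunk, so one variable near the top of each script would keep the path in a single place.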
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-savedobjects-defaults b/salt/common/tools/sbin/so-kibana-savedobjects-defaults index b27830a29..5c218e272 100755 --- a/salt/common/tools/sbin/so-kibana-savedobjects-defaults +++ b/salt/common/tools/sbin/so-kibana-savedobjects-defaults 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index b52e609dc..9175a36bc 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults 
@@ -1,18 +1,18 @@ #!/bin/bash . /usr/sbin/so-common {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "{{ ELASTICCURL }}" +wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana -SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') +SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # Disable certain Features from showing up in the Kibana UI echo echo "Setting up default Space:" {% if HIGHLANDER %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' 
{"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo diff --git a/salt/common/tools/sbin/so-kibana-start b/salt/common/tools/sbin/so-kibana-start index 947d3f61a..d553ca575 100755 --- a/salt/common/tools/sbin/so-kibana-start +++ b/salt/common/tools/sbin/so-kibana-start @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-stop b/salt/common/tools/sbin/so-kibana-stop index 2cd20bd43..697ae95b1 100755 --- a/salt/common/tools/sbin/so-kibana-stop +++ b/salt/common/tools/sbin/so-kibana-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-learn b/salt/common/tools/sbin/so-learn index 39e384862..2b766c738 100755 --- a/salt/common/tools/sbin/so-learn +++ b/salt/common/tools/sbin/so-learn 
@@ -1,19 +1,11 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + from itertools import chain from typing import List diff --git a/salt/common/tools/sbin/so-logstash-get-parsed b/salt/common/tools/sbin/so-logstash-get-parsed index 394e17007..1575010ac 100755 --- a/salt/common/tools/sbin/so-logstash-get-parsed +++ b/salt/common/tools/sbin/so-logstash-get-parsed 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-get-unparsed b/salt/common/tools/sbin/so-logstash-get-unparsed index 394e17007..1575010ac 100755 --- a/salt/common/tools/sbin/so-logstash-get-unparsed +++ b/salt/common/tools/sbin/so-logstash-get-unparsed 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-restart b/salt/common/tools/sbin/so-logstash-restart index 4ecd75471..a0f0d7923 100755 --- a/salt/common/tools/sbin/so-logstash-restart +++ b/salt/common/tools/sbin/so-logstash-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-start b/salt/common/tools/sbin/so-logstash-start index a89dc1bc7..d36a475ae 100755 --- a/salt/common/tools/sbin/so-logstash-start +++ b/salt/common/tools/sbin/so-logstash-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-stop b/salt/common/tools/sbin/so-logstash-stop index e21317fe2..efebd22bb 100755 --- a/salt/common/tools/sbin/so-logstash-stop +++ b/salt/common/tools/sbin/so-logstash-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion new file mode 100755 index 000000000..858d2706c --- /dev/null +++ b/salt/common/tools/sbin/so-minion 
@@ -0,0 +1,258 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+. /usr/sbin/so-common
+
+if [[ $# -lt 1 ]]; then
+ echo "Usage: $0 -o= -m=[id]"
+ echo ""
+ echo " where is one of the following:"
+ echo ""
+ echo " list: Lists all keys with hashes"
+ echo " accept: Accepts a new key and adds the minion files"
+ echo " delete: Removes the key and deletes the minion files"
+ echo " reject: Rejects a key"
+ echo ""
+ exit 1
+fi
+
+for i in "$@"; do
+ case $i in
+ -o=*|--operation=*)
+ OPERATION="${i#*=}"
+ shift
+ ;;
+ -m=*|--minionid=*)
+ MINION_ID="${i#*=}"
+ shift
+ ;;
+ -e=*|--esheap=*)
+ ES_HEAP_SIZE="${i#*=}"
+ shift
+ ;;
+ -n=*|--mgmtnic=*)
+ MNIC="${i#*=}"
+ shift
+ ;;
+ -d=*|--description=*)
+ NODE_DESCRIPTION="${i#*=}"
+ shift
+ ;;
+ -a=*|--monitor=*)
+ INTERFACE="${i#*=}"
+ shift
+ ;;
+ -i=*|--ip=*)
+ MAINIP="${i#*=}"
+ shift
+ ;;
+ -*|--*)
+ echo "Unknown option $i"
+ exit 1
+ ;;
+ *)
+ ;;
+ esac
+done
+
+PILLARFILE=/opt/so/saltstack/local/pillar/minions/$MINION_ID.sls
+ADVPILLARFILE=/opt/so/saltstack/local/pillar/minions/adv_$MINION_ID.sls
+
+function getinstallinfo() {
+ # Pull from file
+ INSTALLVARS=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=newline_values_only)
+ source <(echo $INSTALLVARS)
+}
+
+function listminions() {
+ salt-key list -F --out=json
+ exit $?
+}
+
+function rejectminion() {
+ salt-key -y -r $MINION_ID
+ exit $?
+}
+
+function acceptminion() {
+ salt-key -y -a $MINION_ID
+}
+
+function deleteminion() {
+ salt-key -y -d $MINION_ID
+}
+
+function deleteminionfiles () {
+ rm -f $PILLARFILE
+ rm -f $ADVPILLARFILE
+}
+
+# Create the minion file
+function create_minion_files() {
+ mkdir -p /opt/so/saltstack/local/pillar/minions
+ touch $ADVPILLARFILE
+ if [ -f "$PILLARFILE" ]; then
+ rm $PILLARFILE
+ fi
+}
+
+# Add Elastic settings to the minion file
+function add_elastic_to_minion() {
+ printf '%s\n'\
+ "elasticsearch:"\
+ " esheap: '$ES_HEAP_SIZE'"\
+ " config:"\
+ " node:"\
+ " attr:"\
+ " box_type: hot"\
+ " " >> $PILLARFILE
+}
+
+# Analyst Workstation
+function add_analyst_to_minion() {
+ printf '%s\n'\
+ "host:"\
+ " mainint: '$MNIC'"\
+ "workstation:"\
+ " gui:"\
+ " enabled: true"\
+ "sensoroni:"\
+ " node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE
+}
+
+# Add basic host info to the minion file
+function add_host_to_minion() {
+ printf '%s\n'\
+ "host:"\
+ " mainip: '$MAINIP'"\
+ " mainint: '$MNIC'" >> $PILLARFILE
+}
+
+# Add sensoroni specific information - Can we pull node_adrees from the host pillar?
+function add_sensoroni_to_minion() {
+
+ printf '%s\n'\
+ "sensoroni:"\
+ " node_description: '${NODE_DESCRIPTION//\'/''}'"\
+ " " >> $PILLARFILE
+}
+
+# Patch pillar settings.
+function add_patch_pillar_to_minion() {
+
+ printf '%s\n'\
+ "patch:"\
+ " os:"\
+ " source: '$source'"\
+ " schedule_name: '$PATCHSCHEDULENAME'"\
+ " enabled: True"\
+ " splay: 300"\
+ "" >> $PILLARFILE
+
+}
+
+# Sensor settings for the minion pillar
+function add_sensor_to_minion() {
+ echo "sensor:" >> $PILLARFILE
+ echo " interface: '$INTERFACE'" >> $PILLARFILE
+ echo " zeekpin: False" >> $PILLARFILE
+ echo " zeekpins:" >> $PILLARFILE
+ echo " - 1" >> $PILLARFILE
+ echo " zeek_lbprocs: $CORECOUNT" >> $PILLARFILE
+ echo " suripin: False" >> $PILLARFILE
+ echo " suripins:" >> $PILLARFILE
+ echo " - 2" >> $PILLARFILE
+ echo " suriprocs: $CORECOUNT" >> $PILLARFILE
+ echo " mtu: 9000" >> $PILLARFILE
+ echo " uniqueid: $(date '+%s')" >> $PILLARFILE
+ echo "steno:" >> $PILLARFILE
+ echo " stenopin: False" >> $PILLARFILE
+ echo " stenopins:" >> $PILLARFILE
+ echo " - 3" >> $PILLARFILE
+ echo " enabled: True" >> $PILLARFILE
+ echo " disks:" >> $PILLARFILE
+ echo " - '/some/path'" >> $PILLARFILE
+}
+
+function createSTANDALONE() {
+ add_elastic_to_minion
+ add_sensor_to_minion
+}
+
+function createMASTER() {
+ add_elastic_to_minion
+}
+
+function createMASTERSEARCH() {
+ add_elastic_to_minion
+}
+
+function createHEAVYNODE() {
+ add_elastic_to_minion
+ add_sensor_to_minion
+}
+
+function createEVAL() {
+ add_elastic_to_minion
+ add_sensor_to_minion
+}
+
+function createSENSOR() {
+ add_sensor_to_minion
+}
+
+function createSEARCHNODE() {
+ add_elastic_to_minion
+}
+
+function createIDHNODE() {
+ echo "Nothing custom needed for IDH nodes"
+}
+
+function testConnection() {
+ salt "$MINION_ID" test.ping
+ local ret=$?
+ if [[ $ret != 0 ]]; then
+ echo "The Minion has been accepted but is not online. Try again later"
+ exit 1
+ fi
+}
+
+if [[ "$OPERATION" = 'list' ]]; then
+ listminions
+fi
+
+if [[ "$OPERATION" = 'delete' ]]; then
+ deleteminionfiles
+ deleteminion
+fi
+
+if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then
+ # Skip this if its setup
+ if [ $OPERATION != 'setup' ]; then
+ # Accept the salt key
+ acceptminion
+ # Let the keys echange
+ sleep 3
+ # Need logic here to try and salt ping.. If it doesn't work need to do something
+ testConnection
+ # Pull the info from the file to build what is needed
+ getinstallinfo
+ fi
+ # Check to see if nodetype is set
+ if [ -z $NODETYPE ]; then
+ echo "No node type specified"
+ exit 1
+ fi
+ create_minion_files
+ add_host_to_minion
+ add_patch_pillar_to_minion
+ add_sensoroni_to_minion
+ create$NODETYPE
+ echo "Minion file created for $MINION_ID"
+fi
diff --git a/salt/common/tools/sbin/so-mysql-restart b/salt/common/tools/sbin/so-mysql-restart
index aee13c1ef..8c0583232 100755
--- a/salt/common/tools/sbin/so-mysql-restart
+++ b/salt/common/tools/sbin/so-mysql-restart
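Review bot: getinstallinfo evaluates the contents of /opt/so/install.txt, fetched from the minion whose key was accepted a few seconds earlier, with `source <(echo $INSTALLVARS)`, so whatever that host wrote into the file runs as shell on the machine running so-minion. The same file presumably supplies NODETYPE, which is then executed as `create$NODETYPE`, and the other values are written into the pillar inside single quotes with only NODE_DESCRIPTION escaped. Parsing the file as KEY=value data against a fixed list of names, and dispatching NODETYPE through a `case` over the create* functions defined here, removes the evaluation; the sketch below assumes one unquoted KEY=value pair per line, which should be confirmed against whatever writes install.txt. MINION_ID is also used unquoted in `rm -f $PILLARFILE` and the salt-key calls with no format check, so a guard such as `[[ "$MINION_ID" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` before PILLARFILE is built would keep the delete path inside the minions directory. Separately, the usage text advertises `accept` and `reject`, but the dispatch at the bottom only handles `list`, `delete`, `add` and `setup`.

```shell
function getinstallinfo() {
  # install.txt comes from the minion: read it as data, never evaluate it
  local line key value
  INSTALLVARS=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=newline_values_only)
  while IFS= read -r line; do
    key="${line%%=*}"
    value="${line#*=}"
    case "$key" in
      # names taken from the variables this script reads; confirm against the writer of install.txt
      MAINIP|MNIC|NODE_DESCRIPTION|ES_HEAP_SIZE|PATCHSCHEDULENAME|INTERFACE|NODETYPE|CORECOUNT|source)
        printf -v "$key" '%s' "$value"
        ;;
    esac
  done <<< "$INSTALLVARS"
}

# … unchanged: salt-key helpers, pillar writers, create* functions, list/delete dispatch …

  add_sensoroni_to_minion
  case "$NODETYPE" in
    STANDALONE|MASTER|MASTERSEARCH|HEAVYNODE|EVAL|SENSOR|SEARCHNODE|IDHNODE)
      "create$NODETYPE"
      ;;
    *)
      echo "Unsupported node type: $NODETYPE"
      exit 1
      ;;
  esac
```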
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-mysql-start b/salt/common/tools/sbin/so-mysql-start index 67201a606..e68536809 100755 --- a/salt/common/tools/sbin/so-mysql-start +++ b/salt/common/tools/sbin/so-mysql-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-mysql-stop b/salt/common/tools/sbin/so-mysql-stop index c46212048..58f6072f2 100755 --- a/salt/common/tools/sbin/so-mysql-stop +++ b/salt/common/tools/sbin/so-mysql-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nginx-restart b/salt/common/tools/sbin/so-nginx-restart index 9c830be0a..d17e76bd4 100755 --- a/salt/common/tools/sbin/so-nginx-restart +++ b/salt/common/tools/sbin/so-nginx-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nginx-start b/salt/common/tools/sbin/so-nginx-start index fafcac307..d8b7c829f 100755 --- a/salt/common/tools/sbin/so-nginx-start +++ b/salt/common/tools/sbin/so-nginx-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nginx-stop b/salt/common/tools/sbin/so-nginx-stop index 2b13fe3a3..48ca098c8 100755 --- a/salt/common/tools/sbin/so-nginx-stop +++ b/salt/common/tools/sbin/so-nginx-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nodered-restart b/salt/common/tools/sbin/so-nodered-restart index 1c61b879f..06060b764 100755 --- a/salt/common/tools/sbin/so-nodered-restart +++ b/salt/common/tools/sbin/so-nodered-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nodered-start b/salt/common/tools/sbin/so-nodered-start index fc7a12dee..f5ab36c80 100755 --- a/salt/common/tools/sbin/so-nodered-start +++ b/salt/common/tools/sbin/so-nodered-start 
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-nodered-stop b/salt/common/tools/sbin/so-nodered-stop
index f56559f48..0286a175c 100755
--- a/salt/common/tools/sbin/so-nodered-stop
+++ b/salt/common/tools/sbin/so-nodered-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
index 1a126766a..3d9596238 100755
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
 SKIP=0
diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/common/tools/sbin/so-pcap-export
index 25b89d4b7..6f13f01c5 100755
--- a/salt/common/tools/sbin/so-pcap-export
+++ b/salt/common/tools/sbin/so-pcap-export
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 if [ $# -lt 2 ]; then
 echo "Usage: $0 Output-Filename"
diff --git a/salt/common/tools/sbin/so-pcap-import b/salt/common/tools/sbin/so-pcap-import
index 4b6f31ada..e69e3657b 100755
--- a/salt/common/tools/sbin/so-pcap-import
+++ b/salt/common/tools/sbin/so-pcap-import
@@ -1,18 +1,10 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 $(dirname $0)/so-import-pcap $@
diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/common/tools/sbin/so-pcap-restart
index d9e0d1d00..a35ed5aa2 100755
--- a/salt/common/tools/sbin/so-pcap-restart
+++ b/salt/common/tools/sbin/so-pcap-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/common/tools/sbin/so-pcap-start
index 4f6cc59c5..b65a35087 100755
--- a/salt/common/tools/sbin/so-pcap-start
+++ b/salt/common/tools/sbin/so-pcap-start
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/common/tools/sbin/so-pcap-stop
index 23524e4a9..8f43841be 100755
--- a/salt/common/tools/sbin/so-pcap-stop
+++ b/salt/common/tools/sbin/so-pcap-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-import b/salt/common/tools/sbin/so-playbook-import
index 6e4316398..d775656a1 100755
--- a/salt/common/tools/sbin/so-playbook-import
+++ b/salt/common/tools/sbin/so-playbook-import
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset
index 927d2ef9c..0ece18b54 100755
--- a/salt/common/tools/sbin/so-playbook-reset
+++ b/salt/common/tools/sbin/so-playbook-reset
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-restart b/salt/common/tools/sbin/so-playbook-restart
index b4f9aaab8..c59e7f7eb 100755
--- a/salt/common/tools/sbin/so-playbook-restart
+++ b/salt/common/tools/sbin/so-playbook-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-ruleupdate b/salt/common/tools/sbin/so-playbook-ruleupdate
index 1d8479e8c..cbfe72bce 100755
--- a/salt/common/tools/sbin/so-playbook-ruleupdate
+++ b/salt/common/tools/sbin/so-playbook-ruleupdate
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-sigma-refresh b/salt/common/tools/sbin/so-playbook-sigma-refresh
index 76873b3d5..fefd4ca68 100755
--- a/salt/common/tools/sbin/so-playbook-sigma-refresh
+++ b/salt/common/tools/sbin/so-playbook-sigma-refresh
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-start b/salt/common/tools/sbin/so-playbook-start
index 0075e7ae8..070bcc4f7 100755
--- a/salt/common/tools/sbin/so-playbook-start
+++ b/salt/common/tools/sbin/so-playbook-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-stop b/salt/common/tools/sbin/so-playbook-stop
index d1751a2aa..64ce83b2b 100755
--- a/salt/common/tools/sbin/so-playbook-stop
+++ b/salt/common/tools/sbin/so-playbook-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index c2d20766e..7f6ba4e31 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-raid-status b/salt/common/tools/sbin/so-raid-status
index 4729246dd..c5ac5fac6 100755
--- a/salt/common/tools/sbin/so-raid-status
+++ b/salt/common/tools/sbin/so-raid-status
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index fda16d95d..e90e0754e 100755
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-restart b/salt/common/tools/sbin/so-redis-restart
index 0406b8cbf..05d7d4823 100755
--- a/salt/common/tools/sbin/so-redis-restart
+++ b/salt/common/tools/sbin/so-redis-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-start b/salt/common/tools/sbin/so-redis-start
index 2af62dd3e..249f420ae 100755
--- a/salt/common/tools/sbin/so-redis-start
+++ b/salt/common/tools/sbin/so-redis-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-stop b/salt/common/tools/sbin/so-redis-stop
index 3041f2f2f..f355e46d1 100755
--- a/salt/common/tools/sbin/so-redis-stop
+++ b/salt/common/tools/sbin/so-redis-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index dda4baf57..3790625f7 100755
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 # Usage: so-restart filebeat | kibana | playbook
diff --git a/salt/common/tools/sbin/so-rule b/salt/common/tools/sbin/so-rule
index 603a6cae9..19618c9f5 100755
--- a/salt/common/tools/sbin/so-rule
+++ b/salt/common/tools/sbin/so-rule
@@ -1,19 +1,11 @@
 #!/usr/bin/env python3
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 """
 Local exit codes:
diff --git a/salt/common/tools/sbin/so-salt-minion-check b/salt/common/tools/sbin/so-salt-minion-check
index 95d4a40ae..47d3bb7e1 100755
--- a/salt/common/tools/sbin/so-salt-minion-check
+++ b/salt/common/tools/sbin/so-salt-minion-check
@@ -2,20 +2,12 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 # this script checks the time the file /opt/so/log/salt/state-apply-test was last modified and restarts the salt-minion service if it is outside a threshold date/time
 # the file is modified via file.touch using a scheduled job healthcheck.salt-minion.state-apply-test that runs a state.apply.
diff --git a/salt/common/tools/sbin/so-salt-start b/salt/common/tools/sbin/so-salt-start
index b332eb1c4..4d72ce923 100755
--- a/salt/common/tools/sbin/so-salt-start
+++ b/salt/common/tools/sbin/so-salt-start
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-salt-stop b/salt/common/tools/sbin/so-salt-stop
index 8a7cff146..6b251ecd0 100755
--- a/salt/common/tools/sbin/so-salt-stop
+++ b/salt/common/tools/sbin/so-salt-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update
index 81b00ace5..b15fce008 100755
--- a/salt/common/tools/sbin/so-saltstack-update
+++ b/salt/common/tools/sbin/so-saltstack-update
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + default_salt_dir=/opt/so/saltstack/default clone_to_tmp() { diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean index 624ff8106..472663bb1 100755 --- a/salt/common/tools/sbin/so-sensor-clean +++ b/salt/common/tools/sbin/so-sensor-clean 
@@ -2,20 +2,11 @@ # Delete Zeek Logs based on defined CRIT_DISK_USAGE value -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . SENSOR_DIR='/nsm' CRIT_DISK_USAGE=90 @@ -81,23 +72,6 @@ clean() { done fi - # Clean Wazuh archives - # Slightly different code since we have 2 files to remove (.json and .log) - WAZUH_ARCHIVE='/nsm/wazuh/logs/archives' - OLDEST_WAZUH=$(find $WAZUH_ARCHIVE -type f ! -name "archives.json" -printf "%T+\t%p\n" | sort -n | awk '{print $1}' | head -n 1) - # Make sure we don't delete the current files - find $WAZUH_ARCHIVE -type f ! -name "archives.json" -printf "%T+\t%p\n" | sort -n | awk '{print $2}' | head -n 1 >/tmp/files$$ - if [[ $(wc -l >$LOG - while read -r line; do - echo "$(date) - Removing file: $line" >>$LOG - rm "$line" - done >$LOG - fi - rm /tmp/files$$ - ## Clean up extracted pcaps from Steno PCAPS='/nsm/pcapout' OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1) diff --git a/salt/common/tools/sbin/so-soc-restart b/salt/common/tools/sbin/so-soc-restart index 4e479c007..9d252e2c1 100755 
--- a/salt/common/tools/sbin/so-soc-restart +++ b/salt/common/tools/sbin/so-soc-restart @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-soc-start b/salt/common/tools/sbin/so-soc-start index 3dd9f779b..12f3287f8 100755 --- a/salt/common/tools/sbin/so-soc-start +++ b/salt/common/tools/sbin/so-soc-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-soc-stop b/salt/common/tools/sbin/so-soc-stop index 0b3d2d2c4..d4cc0d508 100755 --- a/salt/common/tools/sbin/so-soc-stop +++ b/salt/common/tools/sbin/so-soc-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-soctopus-restart b/salt/common/tools/sbin/so-soctopus-restart index 563d02609..24b3aff85 100755 --- a/salt/common/tools/sbin/so-soctopus-restart +++ b/salt/common/tools/sbin/so-soctopus-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-soctopus-start b/salt/common/tools/sbin/so-soctopus-start index b493e6f01..990ece70e 100755 --- a/salt/common/tools/sbin/so-soctopus-start +++ b/salt/common/tools/sbin/so-soctopus-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-soctopus-stop b/salt/common/tools/sbin/so-soctopus-stop index 28af78459..39efa6435 100755 --- a/salt/common/tools/sbin/so-soctopus-stop +++ b/salt/common/tools/sbin/so-soctopus-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start index a592388d4..6e208a6af 100755 --- a/salt/common/tools/sbin/so-start +++ b/salt/common/tools/sbin/so-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Usage: so-start all | filebeat | kibana | playbook diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 61db01ada..bb68bd099 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + display_help() { diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop index 544846606..3538b2fd3 100755 --- a/salt/common/tools/sbin/so-stop +++ b/salt/common/tools/sbin/so-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Usage: so-stop filebeat | kibana | playbook | thehive diff --git a/salt/common/tools/sbin/so-strelka-restart b/salt/common/tools/sbin/so-strelka-restart index 29da04998..b2d0ef6fa 100755 --- a/salt/common/tools/sbin/so-strelka-restart +++ b/salt/common/tools/sbin/so-strelka-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-strelka-start b/salt/common/tools/sbin/so-strelka-start index 42ba8c654..8f0e76365 100755 --- a/salt/common/tools/sbin/so-strelka-start +++ b/salt/common/tools/sbin/so-strelka-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-strelka-stop b/salt/common/tools/sbin/so-strelka-stop index e700a29d7..3f71298e7 100755 --- a/salt/common/tools/sbin/so-strelka-stop +++ b/salt/common/tools/sbin/so-strelka-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-suricata-restart b/salt/common/tools/sbin/so-suricata-restart index 85b435f52..d435b2a86 100755 --- a/salt/common/tools/sbin/so-suricata-restart +++ b/salt/common/tools/sbin/so-suricata-restart 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-suricata-start b/salt/common/tools/sbin/so-suricata-start index 98ae4bdd1..41225f75d 100755 --- a/salt/common/tools/sbin/so-suricata-start +++ b/salt/common/tools/sbin/so-suricata-start 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-suricata-stop b/salt/common/tools/sbin/so-suricata-stop index 7970c1494..7481fd4ed 100755 --- a/salt/common/tools/sbin/so-suricata-stop +++ b/salt/common/tools/sbin/so-suricata-stop 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-suricata-testrule b/salt/common/tools/sbin/so-suricata-testrule index 0e4450f75..e1f355508 100755 --- a/salt/common/tools/sbin/so-suricata-testrule +++ b/salt/common/tools/sbin/so-suricata-testrule 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set MANAGER = salt['grains.get']('master') %} {%- set VERSION = salt['pillar.get']('global:soversion') %} {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} diff --git a/salt/common/tools/sbin/so-tcpreplay-restart b/salt/common/tools/sbin/so-tcpreplay-restart index 2e61dc186..2fadc707c 100755 --- a/salt/common/tools/sbin/so-tcpreplay-restart +++ b/salt/common/tools/sbin/so-tcpreplay-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-tcpreplay-stop b/salt/common/tools/sbin/so-tcpreplay-stop index 7395b90f2..269bd374c 100755 --- a/salt/common/tools/sbin/so-tcpreplay-stop +++ b/salt/common/tools/sbin/so-tcpreplay-stop 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-telegraf-restart b/salt/common/tools/sbin/so-telegraf-restart index 25fd087d9..e596bd3c8 100755 --- a/salt/common/tools/sbin/so-telegraf-restart +++ b/salt/common/tools/sbin/so-telegraf-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-telegraf-start b/salt/common/tools/sbin/so-telegraf-start index 9bc0e48d2..ada60822a 100755 --- a/salt/common/tools/sbin/so-telegraf-start +++ b/salt/common/tools/sbin/so-telegraf-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-telegraf-stop b/salt/common/tools/sbin/so-telegraf-stop index 9f6cf807d..a0e0c88ce 100755 --- a/salt/common/tools/sbin/so-telegraf-stop +++ b/salt/common/tools/sbin/so-telegraf-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-es-restart b/salt/common/tools/sbin/so-thehive-es-restart index 73745a1fc..036ab5689 100755 --- a/salt/common/tools/sbin/so-thehive-es-restart +++ b/salt/common/tools/sbin/so-thehive-es-restart 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-es-start b/salt/common/tools/sbin/so-thehive-es-start index 97b575a40..feeb5cafd 100755 --- a/salt/common/tools/sbin/so-thehive-es-start +++ b/salt/common/tools/sbin/so-thehive-es-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-es-stop b/salt/common/tools/sbin/so-thehive-es-stop index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-thehive-es-stop +++ b/salt/common/tools/sbin/so-thehive-es-stop 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-restart b/salt/common/tools/sbin/so-thehive-restart index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-thehive-restart +++ b/salt/common/tools/sbin/so-thehive-restart 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-start b/salt/common/tools/sbin/so-thehive-start index 97b575a40..feeb5cafd 100755 --- a/salt/common/tools/sbin/so-thehive-start +++ b/salt/common/tools/sbin/so-thehive-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-stop b/salt/common/tools/sbin/so-thehive-stop index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-thehive-stop +++ b/salt/common/tools/sbin/so-thehive-stop 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-thehive-user-add +++ b/salt/common/tools/sbin/so-thehive-user-add 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-user-enable b/salt/common/tools/sbin/so-thehive-user-enable index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-thehive-user-enable +++ b/salt/common/tools/sbin/so-thehive-user-enable 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-thehive-user-update b/salt/common/tools/sbin/so-thehive-user-update index 3ebf42430..fe8193bf7 100755 --- a/salt/common/tools/sbin/so-thehive-user-update +++ b/salt/common/tools/sbin/so-thehive-user-update 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 96059968c..81bfa0d76 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . source $(dirname $0)/so-common @@ -288,7 +279,7 @@ function syncElastic() { if [[ -z "$SKIP_STATE_APPLY" ]]; then echo "Elastic state will be re-applied to affected minions. This may take several minutes..." echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1 - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 fi else echo "Newly generated users/roles files are incomplete; aborting." 
diff --git a/salt/common/tools/sbin/so-wazuh-agent-manage b/salt/common/tools/sbin/so-wazuh-agent-manage deleted file mode 100755 index e754619d9..000000000 --- a/salt/common/tools/sbin/so-wazuh-agent-manage +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if docker ps |grep so-wazuh >/dev/null 2>&1; then - docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@" -else - echo "Wazuh manager is not running. Please start it with so-wazuh-start." -fi diff --git a/salt/common/tools/sbin/so-wazuh-agent-upgrade b/salt/common/tools/sbin/so-wazuh-agent-upgrade deleted file mode 100755 index aa0dcf330..000000000 --- a/salt/common/tools/sbin/so-wazuh-agent-upgrade +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if docker ps |grep so-wazuh >/dev/null 2>&1; then - docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@" -else - echo "Wazuh manager is not running. Please start it with so-wazuh-start." -fi diff --git a/salt/common/tools/sbin/so-wazuh-restart b/salt/common/tools/sbin/so-wazuh-restart deleted file mode 100755 index 5eebec045..000000000 --- a/salt/common/tools/sbin/so-wazuh-restart +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -. /usr/sbin/so-common - -/usr/sbin/so-restart wazuh $1 
diff --git a/salt/common/tools/sbin/so-wazuh-start b/salt/common/tools/sbin/so-wazuh-start deleted file mode 100755 index 4d000fc44..000000000 --- a/salt/common/tools/sbin/so-wazuh-start +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -. /usr/sbin/so-common - -/usr/sbin/so-start wazuh $1 - diff --git a/salt/common/tools/sbin/so-wazuh-stop b/salt/common/tools/sbin/so-wazuh-stop deleted file mode 100755 index 70be6a1bb..000000000 --- a/salt/common/tools/sbin/so-wazuh-stop +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -. /usr/sbin/so-common - -/usr/sbin/so-stop wazuh $1 - 
diff --git a/salt/common/tools/sbin/so-wazuh-user-add b/salt/common/tools/sbin/so-wazuh-user-add deleted file mode 100755 index 5a4657878..000000000 --- a/salt/common/tools/sbin/so-wazuh-user-add +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd /var/ossec/api/configuration/auth/user $1 diff --git a/salt/common/tools/sbin/so-wazuh-user-passwd b/salt/common/tools/sbin/so-wazuh-user-passwd deleted file mode 100755 index 5a4657878..000000000 --- a/salt/common/tools/sbin/so-wazuh-user-passwd +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd /var/ossec/api/configuration/auth/user $1 diff --git a/salt/common/tools/sbin/so-wazuh-user-remove b/salt/common/tools/sbin/so-wazuh-user-remove deleted file mode 100755 index 75065ea2a..000000000 --- a/salt/common/tools/sbin/so-wazuh-user-remove +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd -D /var/ossec/api/configuration/auth/user $1 diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update index 2cf893ba5..b4e83a172 100755 
--- a/salt/common/tools/sbin/so-yara-update +++ b/salt/common/tools/sbin/so-yara-update @@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} echo "Starting to check for yara rule updates at $(date)..." diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart index a328da1c8..05c282e93 100755 --- a/salt/common/tools/sbin/so-zeek-restart +++ b/salt/common/tools/sbin/so-zeek-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start index fff333b3c..6f6305eaf 100755 --- a/salt/common/tools/sbin/so-zeek-start +++ b/salt/common/tools/sbin/so-zeek-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index 43f39eb2f..1ca6f8a8d 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Show Zeek stats (capstats, netstats) diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop index dfe55a19b..cba54eb65 100755 --- a/salt/common/tools/sbin/so-zeek-stop +++ b/salt/common/tools/sbin/so-zeek-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 527bf1fc2..43d35f875 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . . /usr/sbin/so-common 
@@ -371,6 +362,74 @@ clone_to_tmp() { fi } +elastalert_indices_check() { + + # Stop Elastalert to prevent Elastalert indices from being re-created + if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then + so-elastalert-stop || true + fi + + # Wait for ElasticSearch to initialize + echo -n "Waiting for ElasticSearch..." + COUNT=0 + ELASTICSEARCH_CONNECTED="no" + while [[ "$COUNT" -le 240 ]]; do + so-elasticsearch-query / -k --output /dev/null + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi + done + + # Unable to connect to Elasticsearch + if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo + exit 1 + fi + + # Check Elastalert indices + echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." + CHECK_COUNT=0 + while [[ "$CHECK_COUNT" -le 2 ]]; do + # Delete Elastalert indices + for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do + so-elasticsearch-query $i -XDELETE; + done + + # Check to ensure Elastalert indices are deleted + COUNT=0 + ELASTALERT_INDICES_DELETED="no" + while [[ "$COUNT" -le 240 ]]; do + RESPONSE=$(so-elasticsearch-query elastalert*) + if [[ "$RESPONSE" == "{}" ]]; then + ELASTALERT_INDICES_DELETED="yes" + echo "Elastalert indices successfully deleted." + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi + done + ((CHECK_COUNT+=1)) + done + + # If we were unable to delete the Elastalert indices, exit the script + if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then + echo + echo -e "Unable to connect to delete Elastalert indices. Exiting." + echo + exit 1 + fi +} + enable_highstate() { echo "Enabling highstate." salt-call state.enable highstate -l info --local 
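Review bot: The outer `while [[ "$CHECK_COUNT" -le 2 ]]` loop in `elastalert_indices_check` has no exit on success, so all three passes always run: a clean delete prints "Elastalert indices successfully deleted." three times, and a stuck delete waits through three 241-iteration polls before the final check. If the repeat is only a retry, add `[[ "$ELASTALERT_INDICES_DELETED" == "yes" ]] && break` after the inner loop; if it is meant to catch indices re-created between passes, a comment should say so. Because this path deletes data, the selection should also be tightened: `grep elastalert` matches the string anywhere in a `_cat/indices` row, and `$i` and `elastalert*` are unquoted, so the shell may glob `elastalert*` against files in the working directory. Using `awk '$3 ~ /elastalert/ {print $3}'`, `"$i"` and `'elastalert*'` would restrict the delete to the index-name column and pass the pattern through unchanged.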
@@ -825,40 +884,7 @@ up_to_2.3.130() { } up_to_2.3.140() { - ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ## - echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." - # Wait for ElasticSearch to initialize - echo -n "Waiting for ElasticSearch..." - COUNT=0 - ELASTICSEARCH_CONNECTED="no" - while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query / -k --output /dev/null - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi - done - if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo - exit 1 - fi - - # Delete Elastalert indices - for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done - # Check to ensure Elastalert indices have been deleted - RESPONSE=$(so-elasticsearch-query elastalert*) - if [[ "$RESPONSE" == "{}" ]]; then - echo "Elastalert indices have been deleted." - else - fail "Something went wrong. Could not delete the Elastalert indices. Exiting." - fi + elastalert_indices_check ## INSTALLEDVERSION=2.3.140 } @@ -1178,6 +1204,7 @@ main() { verify_latest_update_script es_version_check es_indices_check + elastalert_indices_check echo "" set_palette check_elastic_license diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml new file mode 100644 index 000000000..68c2b07d7 --- /dev/null +++ b/salt/curator/defaults.yaml 
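Review bot: The added `elastalert_indices_check` call in `main()` sits beside `es_version_check` and `es_indices_check` with no version condition visible in this hunk, so it appears to stop Elastalert and delete its indices on every soup run rather than only when crossing 2.3.140. `up_to_2.3.140` in the preceding hunk calls the same function again, so an upgrade through that version would run the stop, delete and poll sequence twice. If the early call is the one that matters, the call in `up_to_2.3.140` can be dropped and the reason recorded above the call in `main()`, for example `# Run before the upgrade proceeds: Elastalert indices must be deleted ahead of Elastic 8`. Nothing in the visible hunks restarts Elastalert after `so-elastalert-stop`, which is worth confirming against the rest of `main()`, whose body continues outside the hunk.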
@@ -0,0 +1,179 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +elasticsearch: + index_settings: + so-aws: + warm: 7 + close: 30 + delete: 365 + so-azure: + warm: 7 + close: 30 + delete: 365 + so-barracuda: + warm: 7 + close: 30 + delete: 365 + so-beats: + warm: 7 + close: 30 + delete: 365 + so-bluecoat: + warm: 7 + close: 30 + delete: 365 + so-cef: + warm: 7 + close: 30 + delete: 365 + so-checkpoint: + warm: 7 + close: 30 + delete: 365 + so-cisco: + warm: 7 + close: 30 + delete: 365 + so-cyberark: + warm: 7 + close: 30 + delete: 365 + so-cylance: + warm: 7 + close: 30 + delete: 365 + so-elasticsearch: + warm: 7 + close: 30 + delete: 365 + so-endgame: + warm: 7 + close: 30 + delete: 365 + so-f5: + warm: 7 + close: 30 + delete: 365 + so-firewall: + warm: 7 + close: 30 + delete: 365 + so-fortinet: + warm: 7 + close: 30 + delete: 365 + so-gcp: + warm: 7 + close: 30 + delete: 365 + so-google_workspace: + warm: 7 + close: 30 + delete: 365 + so-ids: + warm: 7 + close: 30 + delete: 365 + so-imperva: + warm: 7 + close: 30 + delete: 365 + so-import: + warm: 7 + close: 30 + delete: 365 + so-infoblox: + warm: 7 + close: 30 + delete: 365 + so-juniper: + warm: 7 + close: 30 + delete: 365 + so-kibana: + warm: 7 + close: 30 + delete: 365 + so-logstash: + warm: 7 + close: 30 + delete: 365 + so-microsoft: + warm: 7 + close: 30 + delete: 365 + so-misp: + warm: 7 + close: 30 + delete: 365 + so-netflow: + warm: 7 + close: 30 + delete: 365 + so-netscout: + warm: 7 + close: 30 + delete: 365 + so-o365: + warm: 7 + close: 30 + delete: 365 + so-okta: + warm: 7 + close: 30 + delete: 365 + so-osquery: + warm: 7 + close: 30 + delete: 365 + so-proofpoint: + warm: 7 + close: 30 + delete: 365 + so-radware: + warm: 7 + close: 30 + 
delete: 365 + so-redis: + warm: 7 + close: 30 + delete: 365 + so-snort: + warm: 7 + close: 30 + delete: 365 + so-snyk: + warm: 7 + close: 30 + delete: 365 + so-sonicwall: + warm: 7 + close: 30 + delete: 365 + so-sophos: + warm: 7 + close: 30 + delete: 365 + so-strelka: + warm: 7 + close: 30 + delete: 365 + so-syslog: + warm: 7 + close: 30 + delete: 365 + so-tomcat: + warm: 7 + close: 30 + delete: 365 + so-zeek: + warm: 7 + close: 30 + delete: 365 + so-zscaler: + warm: 7 + close: 30 + delete: 365 \ No newline at end of file diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index 6e31b03b6..1a4afaabf 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-aws-close.yml b/salt/curator/files/action/so-aws-close.yml index 44f0bfa97..1bf9bfe81 100644 --- a/salt/curator/files/action/so-aws-close.yml +++ b/salt/curator/files/action/so-aws-close.yml 
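Review bot: Every stanza in the new defaults.yaml carries the same `warm: 7`, `close: 30`, `delete: 365`, and the same numbers are also the fallback arguments in the action templates touched by this commit, for example `pillar.get('elasticsearch:index_settings:so-aws:close', 30)` in so-aws-close.yml, so the retention defaults now live in two places. How defaults.yaml is merged into the pillar is not shown in this diff, so it is unclear which copy takes effect when they differ; a retention change made in only one of them could silently not apply. A header comment such as `# Curator retention in days (warm/close/delete); the fallback values in files/action/*.yml must match` would make the coupling visible.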
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-aws-delete.yml b/salt/curator/files/action/so-aws-delete.yml
index a67ee88b8..82d29a9f0 100644
--- a/salt/curator/files/action/so-aws-delete.yml
+++ b/salt/curator/files/action/so-aws-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-aws-warm.yml b/salt/curator/files/action/so-aws-warm.yml
index 5369ed9a9..90d5e11f9 100644
--- a/salt/curator/files/action/so-aws-warm.yml
+++ b/salt/curator/files/action/so-aws-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-azure-close.yml b/salt/curator/files/action/so-azure-close.yml
index 901b2c0ba..74d799c55 100644
--- a/salt/curator/files/action/so-azure-close.yml
+++ b/salt/curator/files/action/so-azure-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-azure-delete.yml b/salt/curator/files/action/so-azure-delete.yml
index 102a69d3d..a736eadc0 100644
--- a/salt/curator/files/action/so-azure-delete.yml
+++ b/salt/curator/files/action/so-azure-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-azure-warm.yml b/salt/curator/files/action/so-azure-warm.yml
index d6f606125..63fb42f33 100644
--- a/salt/curator/files/action/so-azure-warm.yml
+++ b/salt/curator/files/action/so-azure-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-barracuda-close.yml b/salt/curator/files/action/so-barracuda-close.yml
index 496832db7..6249cdde6 100644
--- a/salt/curator/files/action/so-barracuda-close.yml
+++ b/salt/curator/files/action/so-barracuda-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-barracuda-delete.yml b/salt/curator/files/action/so-barracuda-delete.yml
index 49d472618..cb7231836 100644
--- a/salt/curator/files/action/so-barracuda-delete.yml
+++ b/salt/curator/files/action/so-barracuda-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-barracuda-warm.yml b/salt/curator/files/action/so-barracuda-warm.yml
index 334a4114a..6cb5f1641 100644
--- a/salt/curator/files/action/so-barracuda-warm.yml
+++ b/salt/curator/files/action/so-barracuda-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml
index 4c606d4bc..594767b28 100644
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-beats-delete.yml b/salt/curator/files/action/so-beats-delete.yml
index 77931d661..88e8b8bd4 100644
--- a/salt/curator/files/action/so-beats-delete.yml
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-beats-warm.yml b/salt/curator/files/action/so-beats-warm.yml
index da9f76656..9cbd49b15 100644
--- a/salt/curator/files/action/so-beats-warm.yml
+++ b/salt/curator/files/action/so-beats-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-bluecoat-close.yml b/salt/curator/files/action/so-bluecoat-close.yml
index 86d9277eb..213ebd8b0 100644
--- a/salt/curator/files/action/so-bluecoat-close.yml
+++ b/salt/curator/files/action/so-bluecoat-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-bluecoat-delete.yml b/salt/curator/files/action/so-bluecoat-delete.yml
index 318624416..23e9724a0 100644
--- a/salt/curator/files/action/so-bluecoat-delete.yml
+++ b/salt/curator/files/action/so-bluecoat-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-bluecoat-warm.yml b/salt/curator/files/action/so-bluecoat-warm.yml
index 47a8d712f..a61009380 100644
--- a/salt/curator/files/action/so-bluecoat-warm.yml
+++ b/salt/curator/files/action/so-bluecoat-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cef-close.yml b/salt/curator/files/action/so-cef-close.yml
index 49e07f764..994f20308 100644
--- a/salt/curator/files/action/so-cef-close.yml
+++ b/salt/curator/files/action/so-cef-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cef-delete.yml b/salt/curator/files/action/so-cef-delete.yml
index 0ee7d6501..eb3038514 100644
--- a/salt/curator/files/action/so-cef-delete.yml
+++ b/salt/curator/files/action/so-cef-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cef-warm.yml b/salt/curator/files/action/so-cef-warm.yml
index 0a79fd2ba..59d3c1c8d 100644
--- a/salt/curator/files/action/so-cef-warm.yml
+++ b/salt/curator/files/action/so-cef-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-checkpoint-close.yml b/salt/curator/files/action/so-checkpoint-close.yml
index cffdf6473..12be685f5 100644
--- a/salt/curator/files/action/so-checkpoint-close.yml
+++ b/salt/curator/files/action/so-checkpoint-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-checkpoint-delete.yml b/salt/curator/files/action/so-checkpoint-delete.yml
index d1ac13efe..31ce55f49 100644
--- a/salt/curator/files/action/so-checkpoint-delete.yml
+++ b/salt/curator/files/action/so-checkpoint-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-checkpoint-warm.yml b/salt/curator/files/action/so-checkpoint-warm.yml
index 0aaec1e19..db0754e7a 100644
--- a/salt/curator/files/action/so-checkpoint-warm.yml
+++ b/salt/curator/files/action/so-checkpoint-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cisco-close.yml b/salt/curator/files/action/so-cisco-close.yml
index cd1faade1..f958d9450 100644
--- a/salt/curator/files/action/so-cisco-close.yml
+++ b/salt/curator/files/action/so-cisco-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cisco-delete.yml b/salt/curator/files/action/so-cisco-delete.yml
index bb5e06f7f..4e5697ebe 100644
--- a/salt/curator/files/action/so-cisco-delete.yml
+++ b/salt/curator/files/action/so-cisco-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cisco-warm.yml b/salt/curator/files/action/so-cisco-warm.yml
index a143a95c2..0f80f0547 100644
--- a/salt/curator/files/action/so-cisco-warm.yml
+++ b/salt/curator/files/action/so-cisco-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cyberark-close.yml b/salt/curator/files/action/so-cyberark-close.yml
index e352e8355..35bda7814 100644
--- a/salt/curator/files/action/so-cyberark-close.yml
+++ b/salt/curator/files/action/so-cyberark-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cyberark-delete.yml b/salt/curator/files/action/so-cyberark-delete.yml
index 784f6881e..61b157ff6 100644
--- a/salt/curator/files/action/so-cyberark-delete.yml
+++ b/salt/curator/files/action/so-cyberark-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cyberark-warm.yml b/salt/curator/files/action/so-cyberark-warm.yml
index 8eae0b542..a361a6bd9 100644
--- a/salt/curator/files/action/so-cyberark-warm.yml
+++ b/salt/curator/files/action/so-cyberark-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cylance-close.yml b/salt/curator/files/action/so-cylance-close.yml
index d808569fb..c031753eb 100644
--- a/salt/curator/files/action/so-cylance-close.yml
+++ b/salt/curator/files/action/so-cylance-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cylance-delete.yml b/salt/curator/files/action/so-cylance-delete.yml
index 54cf3938b..579ec7f68 100644
--- a/salt/curator/files/action/so-cylance-delete.yml
+++ b/salt/curator/files/action/so-cylance-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cylance-warm.yml b/salt/curator/files/action/so-cylance-warm.yml
index c9da7e68a..e27185cf0 100644
--- a/salt/curator/files/action/so-cylance-warm.yml
+++ b/salt/curator/files/action/so-cylance-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml
index 3c4ff0dac..3ee9372cc 100644
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-elasticsearch-delete.yml b/salt/curator/files/action/so-elasticsearch-delete.yml
index 05cc68abe..e2071ff3a 100644
--- a/salt/curator/files/action/so-elasticsearch-delete.yml
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-elasticsearch-warm.yml b/salt/curator/files/action/so-elasticsearch-warm.yml
index 9d82fc27b..05a6a5e85 100644
--- a/salt/curator/files/action/so-elasticsearch-warm.yml
+++ b/salt/curator/files/action/so-elasticsearch-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-endgame-close.yml b/salt/curator/files/action/so-endgame-close.yml
index 4c4d38341..248638e6c 100644
--- a/salt/curator/files/action/so-endgame-close.yml
+++ b/salt/curator/files/action/so-endgame-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-endgame-delete.yml b/salt/curator/files/action/so-endgame-delete.yml
index 53d34b6d6..ce16c4d87 100644
--- a/salt/curator/files/action/so-endgame-delete.yml
+++ b/salt/curator/files/action/so-endgame-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-endgame-warm.yml b/salt/curator/files/action/so-endgame-warm.yml
index 4856a3928..d6b3c6fc2 100644
--- a/salt/curator/files/action/so-endgame-warm.yml
+++ b/salt/curator/files/action/so-endgame-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-f5-close.yml b/salt/curator/files/action/so-f5-close.yml
index e1cdb48a1..33d856a4d 100644
--- a/salt/curator/files/action/so-f5-close.yml
+++ b/salt/curator/files/action/so-f5-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-f5-delete.yml b/salt/curator/files/action/so-f5-delete.yml
index 06704010a..566fbfb5f 100644
--- a/salt/curator/files/action/so-f5-delete.yml
+++ b/salt/curator/files/action/so-f5-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-f5-warm.yml b/salt/curator/files/action/so-f5-warm.yml
index 12fbbe7ad..92e3a02f9 100644
--- a/salt/curator/files/action/so-f5-warm.yml
+++ b/salt/curator/files/action/so-f5-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml
index c30daa6bb..4b8dd0121 100644
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-firewall-delete.yml b/salt/curator/files/action/so-firewall-delete.yml
index 7588de437..8b6f6f45f 100644
--- a/salt/curator/files/action/so-firewall-delete.yml
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-firewall-warm.yml b/salt/curator/files/action/so-firewall-warm.yml
index 2e9643dc3..727983618 100644
--- a/salt/curator/files/action/so-firewall-warm.yml
+++ b/salt/curator/files/action/so-firewall-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-fortinet-close.yml b/salt/curator/files/action/so-fortinet-close.yml
index e11fb86c6..067a5b412 100644
--- a/salt/curator/files/action/so-fortinet-close.yml
+++ b/salt/curator/files/action/so-fortinet-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-fortinet-delete.yml b/salt/curator/files/action/so-fortinet-delete.yml
index 9379e47c2..cf18f7513 100644
--- a/salt/curator/files/action/so-fortinet-delete.yml
+++ b/salt/curator/files/action/so-fortinet-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-fortinet-warm.yml b/salt/curator/files/action/so-fortinet-warm.yml
index db9a6f2db..e65e9cc5b 100644
--- a/salt/curator/files/action/so-fortinet-warm.yml
+++ b/salt/curator/files/action/so-fortinet-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-gcp-close.yml b/salt/curator/files/action/so-gcp-close.yml
index f9dd0af24..9dd783f63 100644
--- a/salt/curator/files/action/so-gcp-close.yml
+++ b/salt/curator/files/action/so-gcp-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-gcp-delete.yml b/salt/curator/files/action/so-gcp-delete.yml
index 5c8ab33d8..799d624fb 100644
--- a/salt/curator/files/action/so-gcp-delete.yml
+++ b/salt/curator/files/action/so-gcp-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-gcp-warm.yml b/salt/curator/files/action/so-gcp-warm.yml
index 3bb9eee80..aba256c69 100644
--- a/salt/curator/files/action/so-gcp-warm.yml
+++ b/salt/curator/files/action/so-gcp-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-google_workspace-close.yml b/salt/curator/files/action/so-google_workspace-close.yml
index 1ecda5893..6aac7f2e0 100644
--- a/salt/curator/files/action/so-google_workspace-close.yml
+++ b/salt/curator/files/action/so-google_workspace-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-google_workspace-delete.yml b/salt/curator/files/action/so-google_workspace-delete.yml
index 923feda8f..5d26648b8 100644
--- a/salt/curator/files/action/so-google_workspace-delete.yml
+++ b/salt/curator/files/action/so-google_workspace-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-google_workspace-warm.yml b/salt/curator/files/action/so-google_workspace-warm.yml
index 7eb2d883f..ddb5cf58c 100644
--- a/salt/curator/files/action/so-google_workspace-warm.yml
+++ b/salt/curator/files/action/so-google_workspace-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml
index 05583d853..a38acbf98 100644
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-ids-delete.yml b/salt/curator/files/action/so-ids-delete.yml
index e5bda4e34..fd7b5c79f 100644
--- a/salt/curator/files/action/so-ids-delete.yml
+++ b/salt/curator/files/action/so-ids-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-ids-warm.yml b/salt/curator/files/action/so-ids-warm.yml
index 0edad5b5b..01271f226 100644
--- a/salt/curator/files/action/so-ids-warm.yml
+++ b/salt/curator/files/action/so-ids-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-imperva-close.yml b/salt/curator/files/action/so-imperva-close.yml
index 55ec2e472..420b03b29 100644
--- a/salt/curator/files/action/so-imperva-close.yml
+++ b/salt/curator/files/action/so-imperva-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-imperva-delete.yml b/salt/curator/files/action/so-imperva-delete.yml
index b5526e2fb..7c7fe40ac 100644
--- a/salt/curator/files/action/so-imperva-delete.yml
+++ b/salt/curator/files/action/so-imperva-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-imperva-warm.yml b/salt/curator/files/action/so-imperva-warm.yml
index 0297d5cd6..3b4130b86 100644
--- a/salt/curator/files/action/so-imperva-warm.yml
+++ b/salt/curator/files/action/so-imperva-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml
index d7ae725d1..9debb2928 100644
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-import-delete.yml b/salt/curator/files/action/so-import-delete.yml
index aa9808c5f..99388e7cb 100644
--- a/salt/curator/files/action/so-import-delete.yml
+++ b/salt/curator/files/action/so-import-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-import-warm.yml b/salt/curator/files/action/so-import-warm.yml
index 3a6fa3d3d..49e9dae3a 100644
--- a/salt/curator/files/action/so-import-warm.yml
+++ b/salt/curator/files/action/so-import-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-infoblox-close.yml b/salt/curator/files/action/so-infoblox-close.yml
index 9fd4c5070..cb3d0dce3 100644
--- a/salt/curator/files/action/so-infoblox-close.yml
+++ b/salt/curator/files/action/so-infoblox-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-infoblox-delete.yml b/salt/curator/files/action/so-infoblox-delete.yml
index 0a7fdafbe..1e0958eb1 100644
--- a/salt/curator/files/action/so-infoblox-delete.yml
+++ b/salt/curator/files/action/so-infoblox-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-infoblox-warm.yml b/salt/curator/files/action/so-infoblox-warm.yml
index a2f571b7a..cc757c75b 100644
--- a/salt/curator/files/action/so-infoblox-warm.yml
+++ b/salt/curator/files/action/so-infoblox-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-juniper-close.yml b/salt/curator/files/action/so-juniper-close.yml
index 466a51eca..0fa8b4f9c 100644
--- a/salt/curator/files/action/so-juniper-close.yml
+++ b/salt/curator/files/action/so-juniper-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-juniper-delete.yml b/salt/curator/files/action/so-juniper-delete.yml
index 18abc86ac..901c014a6 100644
--- a/salt/curator/files/action/so-juniper-delete.yml
+++ b/salt/curator/files/action/so-juniper-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-juniper-warm.yml b/salt/curator/files/action/so-juniper-warm.yml
index 5369ed9a9..90d5e11f9 100644
--- a/salt/curator/files/action/so-juniper-warm.yml
+++ b/salt/curator/files/action/so-juniper-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml
index 7347fb01c..7c9908086 100644
--- a/salt/curator/files/action/so-kibana-close.yml
+++ b/salt/curator/files/action/so-kibana-close.yml
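Review bot: In the so-juniper-warm.yml hunk, the unchanged line directly under the new licence header still reads the warm threshold from `elasticsearch:index_settings:so-aws:warm`, whereas so-juniper-close.yml and so-juniper-delete.yml read `so-juniper:close` and `so-juniper:delete`. This looks like a copy-paste leftover: a warm value set for so-juniper in the pillar would presumably be ignored, and the so-aws value (or the default of 7) applied to the Juniper indices instead. Since the commit already touches this file, I would change the line to `{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:warm', 7) -%}`. The rest of the action definition lies outside the hunk, so confirm that its index filter is not keyed to so-aws as well.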
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-kibana-delete.yml b/salt/curator/files/action/so-kibana-delete.yml
index 5a775b8de..4d227ccb9 100644
--- a/salt/curator/files/action/so-kibana-delete.yml
+++ b/salt/curator/files/action/so-kibana-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-kibana-warm.yml b/salt/curator/files/action/so-kibana-warm.yml
index b5674c8c3..a5a0899ee 100644
--- a/salt/curator/files/action/so-kibana-warm.yml
+++ b/salt/curator/files/action/so-kibana-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml
index 9a3b0c5a8..c24cc2b40 100644
--- a/salt/curator/files/action/so-kratos-close.yml
+++ b/salt/curator/files/action/so-kratos-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml
index 6b4ae8705..c5bd26651 100644
--- a/salt/curator/files/action/so-kratos-delete.yml
+++ b/salt/curator/files/action/so-kratos-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml
index ace3c8db1..51b35a8f9 100644
--- a/salt/curator/files/action/so-kratos-warm.yml
+++ b/salt/curator/files/action/so-kratos-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml
index 23787e237..63df86874 100644
--- a/salt/curator/files/action/so-logstash-close.yml
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-logstash-delete.yml b/salt/curator/files/action/so-logstash-delete.yml
index d9ff848da..9132fbbc9 100644
--- a/salt/curator/files/action/so-logstash-delete.yml
+++ b/salt/curator/files/action/so-logstash-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-logstash-warm.yml b/salt/curator/files/action/so-logstash-warm.yml
index 826bf2975..a47ffae2a 100644
--- a/salt/curator/files/action/so-logstash-warm.yml
+++ b/salt/curator/files/action/so-logstash-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-microsoft-close.yml b/salt/curator/files/action/so-microsoft-close.yml
index f4eaf738f..7f8e1f912 100644
--- a/salt/curator/files/action/so-microsoft-close.yml
+++ b/salt/curator/files/action/so-microsoft-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-microsoft-delete.yml b/salt/curator/files/action/so-microsoft-delete.yml
index f1a854c83..fcf4a74b7 100644
--- a/salt/curator/files/action/so-microsoft-delete.yml
+++ b/salt/curator/files/action/so-microsoft-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-microsoft-warm.yml b/salt/curator/files/action/so-microsoft-warm.yml
index 551d0cb56..8b3e4716a 100644
--- a/salt/curator/files/action/so-microsoft-warm.yml
+++ b/salt/curator/files/action/so-microsoft-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-misp-close.yml b/salt/curator/files/action/so-misp-close.yml
index e39781353..14998cdcc 100644
--- a/salt/curator/files/action/so-misp-close.yml
+++ b/salt/curator/files/action/so-misp-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-misp-delete.yml b/salt/curator/files/action/so-misp-delete.yml
index ceaa9c73d..868441932 100644
--- a/salt/curator/files/action/so-misp-delete.yml
+++ b/salt/curator/files/action/so-misp-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-misp-warm.yml b/salt/curator/files/action/so-misp-warm.yml
index af29975b0..d1c7b1591 100644
--- a/salt/curator/files/action/so-misp-warm.yml
+++ b/salt/curator/files/action/so-misp-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml
index cc9ade28d..d1e39e07e 100644
--- a/salt/curator/files/action/so-netflow-close.yml
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-netflow-delete.yml b/salt/curator/files/action/so-netflow-delete.yml
index 5bc76ad15..19d7406de 100644
--- a/salt/curator/files/action/so-netflow-delete.yml
+++ b/salt/curator/files/action/so-netflow-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-netflow-warm.yml b/salt/curator/files/action/so-netflow-warm.yml
index ea57bb72b..60d844efd 100644
--- a/salt/curator/files/action/so-netflow-warm.yml
+++ b/salt/curator/files/action/so-netflow-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-netscout-close.yml b/salt/curator/files/action/so-netscout-close.yml
index d99374d2f..b15d4c30d 100644
--- a/salt/curator/files/action/so-netscout-close.yml
+++ b/salt/curator/files/action/so-netscout-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-netscout-delete.yml b/salt/curator/files/action/so-netscout-delete.yml
index 3c0e249b5..a12bb27b6 100644
--- a/salt/curator/files/action/so-netscout-delete.yml
+++ b/salt/curator/files/action/so-netscout-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-netscout-warm.yml b/salt/curator/files/action/so-netscout-warm.yml
index 1b93c3118..c36846994 100644
--- a/salt/curator/files/action/so-netscout-warm.yml
+++ b/salt/curator/files/action/so-netscout-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-o365-close.yml b/salt/curator/files/action/so-o365-close.yml
index 4dece060f..33ee84a20 100644
--- a/salt/curator/files/action/so-o365-close.yml
+++ b/salt/curator/files/action/so-o365-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-o365-delete.yml b/salt/curator/files/action/so-o365-delete.yml
index 13c7c1344..41cc31e06 100644
--- a/salt/curator/files/action/so-o365-delete.yml
+++ b/salt/curator/files/action/so-o365-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-o365-warm.yml b/salt/curator/files/action/so-o365-warm.yml
index cbb7bc24e..0c2788ead 100644
--- a/salt/curator/files/action/so-o365-warm.yml
+++ b/salt/curator/files/action/so-o365-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-okta-close.yml b/salt/curator/files/action/so-okta-close.yml
index 10f7e4b60..29539551b 100644
--- a/salt/curator/files/action/so-okta-close.yml
+++ b/salt/curator/files/action/so-okta-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-okta:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-okta-warm.yml b/salt/curator/files/action/so-okta-warm.yml
index 75764860d..57da23031 100644
--- a/salt/curator/files/action/so-okta-warm.yml
+++ b/salt/curator/files/action/so-okta-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-okta.delete.yml b/salt/curator/files/action/so-okta.delete.yml
index 1beeb0fc0..a236a9059 100644
--- a/salt/curator/files/action/so-okta.delete.yml
+++ b/salt/curator/files/action/so-okta.delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml
index e58643175..9be61456f 100644
--- a/salt/curator/files/action/so-osquery-close.yml
+++ b/salt/curator/files/action/so-osquery-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-osquery:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml
index d77b1b3d1..190da5783 100644
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
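Review bot: The file patched by the first hunk on this line is named `so-okta.delete.yml`, with a dot where every other delete action in this chunk uses `so-<index>-delete.yml`. If the state that deploys or schedules these actions builds the path from that pattern (not visible here), the okta delete action would never be picked up and those indices would be kept past the 365-day default. Renaming it to `so-okta-delete.yml` in the same sweep, and updating any reference to the old name, would remove the doubt.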
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-osquery-warm.yml b/salt/curator/files/action/so-osquery-warm.yml
index 156a83c7a..477c3bf26 100644
--- a/salt/curator/files/action/so-osquery-warm.yml
+++ b/salt/curator/files/action/so-osquery-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml
index 6243fabd6..85ce62967 100644
--- a/salt/curator/files/action/so-ossec-close.yml
+++ b/salt/curator/files/action/so-ossec-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ossec:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-ossec-delete.yml b/salt/curator/files/action/so-ossec-delete.yml
index 7aea13e41..4c86054b3 100644
--- a/salt/curator/files/action/so-ossec-delete.yml
+++ b/salt/curator/files/action/so-ossec-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-ossec-warm.yml b/salt/curator/files/action/so-ossec-warm.yml
index 769d6cbea..c6ef1b95f 100644
--- a/salt/curator/files/action/so-ossec-warm.yml
+++ b/salt/curator/files/action/so-ossec-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-proofpoint-close.yml b/salt/curator/files/action/so-proofpoint-close.yml
index 888c9fc64..12386cb19 100644
--- a/salt/curator/files/action/so-proofpoint-close.yml
+++ b/salt/curator/files/action/so-proofpoint-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-proofpoint-delete.yml b/salt/curator/files/action/so-proofpoint-delete.yml
index 903dde204..7eec6bef6 100644
--- a/salt/curator/files/action/so-proofpoint-delete.yml
+++ b/salt/curator/files/action/so-proofpoint-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-proofpoint-warm.yml b/salt/curator/files/action/so-proofpoint-warm.yml
index 8304ae41a..78da530c0 100644
--- a/salt/curator/files/action/so-proofpoint-warm.yml
+++ b/salt/curator/files/action/so-proofpoint-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-radware-close.yml b/salt/curator/files/action/so-radware-close.yml
index 59a7bbafd..d4d2e404b 100644
--- a/salt/curator/files/action/so-radware-close.yml
+++ b/salt/curator/files/action/so-radware-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-radware:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-radware-delete.yml b/salt/curator/files/action/so-radware-delete.yml
index 1fe09cded..d482300f6 100644
--- a/salt/curator/files/action/so-radware-delete.yml
+++ b/salt/curator/files/action/so-radware-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-radware-warm.yml b/salt/curator/files/action/so-radware-warm.yml
index 8d4337aaf..780a428dc 100644
--- a/salt/curator/files/action/so-radware-warm.yml
+++ b/salt/curator/files/action/so-radware-warm.yml
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml index b69935f21..a427b8a39 100644 --- a/salt/curator/files/action/so-redis-close.yml +++ b/salt/curator/files/action/so-redis-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-redis:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-redis-delete.yml b/salt/curator/files/action/so-redis-delete.yml index f6e73dce8..009ae9ab0 100644 --- a/salt/curator/files/action/so-redis-delete.yml +++ b/salt/curator/files/action/so-redis-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-redis-warm.yml b/salt/curator/files/action/so-redis-warm.yml index a5b1055c3..c9ee80602 100644 --- a/salt/curator/files/action/so-redis-warm.yml +++ b/salt/curator/files/action/so-redis-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-snort-close.yml b/salt/curator/files/action/so-snort-close.yml index 8f6209255..0dfe42438 100644 --- a/salt/curator/files/action/so-snort-close.yml +++ b/salt/curator/files/action/so-snort-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snort:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-snort-delete.yml b/salt/curator/files/action/so-snort-delete.yml index 50f68988b..ab911c691 100644 --- a/salt/curator/files/action/so-snort-delete.yml +++ b/salt/curator/files/action/so-snort-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-snort-warm.yml b/salt/curator/files/action/so-snort-warm.yml index 3bbc977e2..c3e96c31b 100644 --- a/salt/curator/files/action/so-snort-warm.yml +++ b/salt/curator/files/action/so-snort-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-snyk-close.yml b/salt/curator/files/action/so-snyk-close.yml index e13d8f98d..4dfe142e0 100644 --- a/salt/curator/files/action/so-snyk-close.yml +++ b/salt/curator/files/action/so-snyk-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snyk:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-snyk-delete.yml b/salt/curator/files/action/so-snyk-delete.yml index cec0b942f..f6e864149 100644 --- a/salt/curator/files/action/so-snyk-delete.yml +++ b/salt/curator/files/action/so-snyk-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-snyk-warm.yml b/salt/curator/files/action/so-snyk-warm.yml index f9b10bbdd..6aadc5048 100644 --- a/salt/curator/files/action/so-snyk-warm.yml +++ b/salt/curator/files/action/so-snyk-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-sonicwall-close.yml b/salt/curator/files/action/so-sonicwall-close.yml index 9cc23d3af..12fe05cd4 100644 --- a/salt/curator/files/action/so-sonicwall-close.yml +++ b/salt/curator/files/action/so-sonicwall-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-sonicwall-delete.yml b/salt/curator/files/action/so-sonicwall-delete.yml index c7d38361f..7033a6459 100644 --- a/salt/curator/files/action/so-sonicwall-delete.yml +++ b/salt/curator/files/action/so-sonicwall-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-sonicwall-warm.yml b/salt/curator/files/action/so-sonicwall-warm.yml index fa8ceb3e4..bf74418f5 100644 --- a/salt/curator/files/action/so-sonicwall-warm.yml 
+++ b/salt/curator/files/action/so-sonicwall-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-sophos-close.yml b/salt/curator/files/action/so-sophos-close.yml index b7574b996..ed655f19c 100644 --- a/salt/curator/files/action/so-sophos-close.yml +++ b/salt/curator/files/action/so-sophos-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sophos:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-sophos-delete.yml b/salt/curator/files/action/so-sophos-delete.yml index 433df908a..5684cdada 100644 --- a/salt/curator/files/action/so-sophos-delete.yml +++ b/salt/curator/files/action/so-sophos-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-sophos-warm.yml b/salt/curator/files/action/so-sophos-warm.yml index 40cc60084..a725ec018 100644 --- a/salt/curator/files/action/so-sophos-warm.yml +++ b/salt/curator/files/action/so-sophos-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index da0fafcbb..b7d0e3925 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-strelka:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-strelka-delete.yml b/salt/curator/files/action/so-strelka-delete.yml index 3487aeb6d..293446303 100644 --- a/salt/curator/files/action/so-strelka-delete.yml +++ b/salt/curator/files/action/so-strelka-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-strelka-warm.yml b/salt/curator/files/action/so-strelka-warm.yml index cfa88b0c1..4f2950dcf 100644 --- a/salt/curator/files/action/so-strelka-warm.yml +++ b/salt/curator/files/action/so-strelka-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index 225458048..954a2eedb 100644 --- a/salt/curator/files/action/so-syslog-close.yml +++ b/salt/curator/files/action/so-syslog-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-syslog:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-syslog-delete.yml b/salt/curator/files/action/so-syslog-delete.yml index 5fe7417ad..0a9500cd2 100644 --- a/salt/curator/files/action/so-syslog-delete.yml +++ b/salt/curator/files/action/so-syslog-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-syslog-warm.yml b/salt/curator/files/action/so-syslog-warm.yml index e5ebb2fa6..6c04d9a9d 100644 --- a/salt/curator/files/action/so-syslog-warm.yml +++ b/salt/curator/files/action/so-syslog-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-tomcat-close.yml b/salt/curator/files/action/so-tomcat-close.yml index ea0d95b0a..da9b3d21d 100644 --- a/salt/curator/files/action/so-tomcat-close.yml +++ b/salt/curator/files/action/so-tomcat-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-tomcat-delete.yml b/salt/curator/files/action/so-tomcat-delete.yml index 77035613f..7062d6adb 100644 --- a/salt/curator/files/action/so-tomcat-delete.yml +++ b/salt/curator/files/action/so-tomcat-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-tomcat-warm.yml b/salt/curator/files/action/so-tomcat-warm.yml index 8fb7884c0..0213e7e5f 100644 --- a/salt/curator/files/action/so-tomcat-warm.yml +++ b/salt/curator/files/action/so-tomcat-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index 7692d26eb..82041df5e 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zeek:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-zeek-delete.yml b/salt/curator/files/action/so-zeek-delete.yml index 0694c2aed..2640136a9 100644 --- a/salt/curator/files/action/so-zeek-delete.yml +++ b/salt/curator/files/action/so-zeek-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-zeek-warm.yml b/salt/curator/files/action/so-zeek-warm.yml index 2b4b6a729..b62bf90e9 100644 --- a/salt/curator/files/action/so-zeek-warm.yml +++ b/salt/curator/files/action/so-zeek-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-zscaler-close.yml b/salt/curator/files/action/so-zscaler-close.yml index 5a008a27d..d7559097f 100644 --- a/salt/curator/files/action/so-zscaler-close.yml +++ b/salt/curator/files/action/so-zscaler-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-zscaler-delete.yml b/salt/curator/files/action/so-zscaler-delete.yml index 238fea083..8a7cffcdb 100644 --- a/salt/curator/files/action/so-zscaler-delete.yml +++ b/salt/curator/files/action/so-zscaler-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-zscaler-warm.yml b/salt/curator/files/action/so-zscaler-warm.yml index 8a7d8187a..5e34177d1 100644 --- a/salt/curator/files/action/so-zscaler-warm.yml +++ b/salt/curator/files/action/so-zscaler-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 5370b1135..4d6fbe602 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close @@ -1,19 +1,8 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. APP=close lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-closed-delete b/salt/curator/files/bin/so-curator-closed-delete index fedb520d9..e585df406 100755 --- a/salt/curator/files/bin/so-curator-closed-delete +++ b/salt/curator/files/bin/so-curator-closed-delete 
@@ -1,19 +1,9 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + #. /usr/sbin/so-elastic-common #. /etc/nsm/securityonion.conf diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index b872a7aeb..70b032db5 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete 
@@ -1,29 +1,25 @@ - #!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -{%- if grains['role'] in ['so-node', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%} + +{%- if grains['role'] in ['so-searchnode', 'so-heavynode'] %} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('host:mainip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} {%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('manager:mainip', '') -%} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('global:managerip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port', '') -%} {%- endif -%} {%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. 
Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + LOG="/opt/so/log/curator/so-curator-closed-delete.log" @@ -35,12 +31,12 @@ overlimit() { closedindices() { # If we can't query Elasticsearch, then immediately return false. - {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1 + curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1 [ $? -eq 1 ] && return false # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. # Next, filter out any so-case indices. # Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices. - {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)" + curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)" } # Check for 2 conditions: 
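Review bot: The new Elastic License header is added twice in this hunk, once directly after the shebang and again where the GPL text is removed below the `LOG_SIZE_LIMIT` line. The second copy can be dropped so the script carries a single header like the other curator scripts in this commit. Separately, the renamed pillar lookups `host:mainip` and `global:managerip` keep `''` as their default, so a node whose pillar lacks the new key would presumably render a URL with an empty host and no error at render time. A comment above the Jinja block such as `# ELASTICSEARCH_HOST/PORT must be non-empty; an empty value makes every curl below fail` would make that dependency visible.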
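Review bot: Both new `curl -K /opt/so/conf/elasticsearch/curl.config` calls in `closedindices` keep `-k`, so certificate verification is off on a request that presumably carries the Elasticsearch credentials from that config file (its contents are not shown here). Anything able to answer on that host and port would receive them. Prefer pinning the CA instead, e.g. `curl -K /opt/so/conf/elasticsearch/curl.config -s --cacert <CA_BUNDLE_PATH> https://...`, with the path taken from wherever the deployment stores its CA. The reachability probe is also weak: `[ $? -eq 1 ]` matches only curl exit code 1, while connection and resolution failures use other codes, and `return false` is not a numeric status. `curl ... >/dev/null 2>&1 || return 1` expresses the stated intent.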
@@ -54,10 +50,10 @@ while overlimit && closedindices; do # Next, filter out any so-case indices and only select the remaining logstash- or so- indices. # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. # Finally, select the first entry in that sorted list. - OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) + OLDEST_INDEX=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it. - {{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} + curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} # Finally, write a log entry that says we deleted it. echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG} diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close index ed56e965e..95d882619 100644 --- a/salt/curator/files/bin/so-curator-cluster-close +++ b/salt/curator/files/bin/so-curator-cluster-close 
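Review bot: The delete call is missing a space between the config path and the method flag: `curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k ...` makes curl look for a config file named `curl.config-XDELETE` and no DELETE request is sent. The index is then not removed, yet the next line still logs it as deleted, and the `while overlimit && closedindices` loop has nothing that ends it. It should read `curl -K /opt/so/conf/elasticsearch/curl.config -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}`, and checking curl's exit status before writing the log entry would keep the log truthful. The loop body continues outside the hunk.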
@@ -1,19 +1,8 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. APP=close lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index 202ad4997..9ec5129af 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -1,19 +1,8 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. APP=delete lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 1a03d273f..7de6dd391 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -1,19 +1,9 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + APP=warm lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-delete b/salt/curator/files/bin/so-curator-delete index dfa5ca763..2d128bfdf 100644 --- a/salt/curator/files/bin/so-curator-delete +++ b/salt/curator/files/bin/so-curator-delete 
@@ -1,19 +1,9 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + APP=delete lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index 2f9b44dbc..5eaa97c73 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml 
@@ -1,15 +1,15 @@ -{% if grains['role'] in ['so-node', 'so-heavynode'] %} - {%- set elasticsearch = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% if grains['role'] in ['so-searchnode', 'so-heavynode'] %} + {%- set elasticsearch = salt['pillar.get']('host:mainip', '') -%} {% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%} + {%- set elasticsearch = salt['pillar.get']('global:managerip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} --- # Remember, leave a key empty if there is no value. None will be a string, @@ -18,10 +18,8 @@ client: hosts: - {{elasticsearch}} port: 9200 -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: "{{ ES_USER }}" password: "{{ ES_PASS }}" -{%- endif %} url_prefix: use_ssl: True certificate: diff --git a/salt/curator/init.sls b/salt/curator/init.sls index a01a8a292..164dece6b 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
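Review bot: `username` and `password` are now rendered unconditionally in the `client:` block, but the `ES_USER`/`ES_PASS` lookups above keep their `''` defaults, so a minion without the `elasticsearch:auth:users:so_elastic_user` pillar gets empty credentials written into curator.yml instead of a render failure. The password is also interpolated inside a double-quoted YAML scalar, so a value containing `"` or `\` would alter or break the document; whether the generated character set allows those is not visible here. `password: {{ ES_PASS | tojson }}` (and the same for `username`) would make the quoting safe either way.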
@@ -1,15 +1,16 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} {% set REMOVECURATORCRON = False %} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} -{% set HOTWARM = salt['pillar.get']('elasticsearch:hot_warm_enabled', False) %} -{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %} - {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} +{% if grains['role'] in ['so-eval', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %} {% from "curator/map.jinja" import CURATOROPTIONS with context %} # Curator # Create the group @@ -74,8 +75,6 @@ curcloseddeldel: - group: 939 - mode: 755 - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} curclose: file.managed: @@ -123,8 +122,7 @@ curclustercwarm: so-curator: docker_container.{{ CURATOROPTIONS.status }}: - {% if CURATOROPTIONS.status == 'running' %} - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }} - start: {{ CURATOROPTIONS.start }} - hostname: curator - name: so-curator 
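Review bot: The state function is still templated as `docker_container.{{ CURATOROPTIONS.status }}`, but the `{% if CURATOROPTIONS.status == 'running' %}` guard around the running-only arguments is removed in the last hunk on this line, and the `force: True` branch goes in the next hunk. Any status other than `running` would now be handed `image`, `start`, `hostname` and the rest. If the status can no longer vary, writing `docker_container.running:` says so directly; otherwise the guard is still needed. The `so-curator` state body continues outside this hunk.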
@@ -139,70 +137,13 @@ so-curator: - file: actionconfs - file: curconf - file: curlogdir - {% else %} - - force: True - {% endif %} - {% if CURATOROPTIONS.manage_sostatus %} -append_so-curator_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-curator - - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf - - {% if not CURATOROPTIONS.start %} -so-curator_so-status.disabled: - file.comment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-curator$ - - # need to remove cronjobs here since curator is disabled - {% set REMOVECURATORCRON = True %} - {% else %} -delete_so-curator_so-status.disabled: - file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-curator$ - - {% endif %} - - {% else %} -delete_so-curator_so-status: - file.line: - - name: /opt/so/conf/so-status/so-status.conf - - match: ^so-curator$ - - mode: delete - - # need to remove cronjobs here since curator is disabled - {% set REMOVECURATORCRON = True %} - - {% endif %} - - {% if REMOVECURATORCRON %} -so-curatorcloseddeletecron: - cron.absent: - - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1 - - user: root - -so-curatorclosecron: - cron.absent: - - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1 - - user: root - -so-curatordeletecron: - cron.absent: - - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1 - - user: root - - {% else %} - - {% if TRUECLUSTER is sameas true %} so-curatorclusterclose: cron.present: - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 - user: root - - minute: '5' - - hour: '1' + - minute: '2' + - hour: '*/1' - daymonth: '*' - month: '*' - dayweek: '*' 
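Review bot: With the so-status and `cron.absent` blocks removed in this hunk, the cluster cron jobs here and in the following hunk are `cron.present` regardless of `CURATOROPTIONS.start`, so disabling Curator no longer removes its root cron entries. Entries created by the retired states (`so-curator-closed-delete`, `so-curator-close`, `so-curator-delete`) would presumably also stay behind on upgraded minions, since nothing marks them absent any more. `{% set REMOVECURATORCRON = False %}`, kept in the first hunk of this file, has no remaining reader in the visible hunks and can go. A short comment stating that Curator is always scheduled, or `cron.absent` states for the retired command lines, would cover this.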
@@ -211,56 +152,22 @@ so-curatorclusterdelete: cron.present: - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-delete.log 2>&1 - user: root - - minute: '5' - - hour: '1' + - minute: '2' + - hour: '*/1' - daymonth: '*' - month: '*' - dayweek: '*' - {% if HOTWARM is sameas true %} + so-curatorclusterwarm: cron.present: - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1 - user: root - - minute: '5' - - hour: '1' - - daymonth: '*' - - month: '*' - - dayweek: '*' - {% endif %} - - {% else %} -so-curatorcloseddeletecron: - cron.present: - - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1 - - user: root - - minute: '*/5' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -so-curatorclosecron: - cron.present: - - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1 - - user: root - - minute: '*/5' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -so-curatordeletecron: - cron.present: - - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1 - - user: root - - minute: '*/5' - - hour: '*' + - minute: '2' + - hour: '*/1' - daymonth: '*' - month: '*' - dayweek: '*' - {% endif %} - {% endif %} {% endif %} {% else %} diff --git a/salt/deprecated-launcher/init.sls b/salt/deprecated-launcher/init.sls deleted file mode 100644 index 3805be5d7..000000000 --- a/salt/deprecated-launcher/init.sls +++ /dev/null @@ -1,12 +0,0 @@ -{%- set FLEETSETUP = salt['pillar.get']('global:fleetsetup', '0') -%} - -{%- if FLEETSETUP != 0 %} -launcherpkg: - pkg.installed: - - sources: - {% if grains['os'] == 'CentOS' %} - - launcher-final: salt://launcher/packages/launcher.rpm - {% elif grains['os'] == 'Ubuntu' %} - - launcher-final: salt://launcher/packages/launcher.deb - {% endif %} -{%- endif %} 
diff --git a/salt/deprecated-launcher/packages/info.txt b/salt/deprecated-launcher/packages/info.txt
deleted file mode 100644
index 5529d123c..000000000
--- a/salt/deprecated-launcher/packages/info.txt
+++ /dev/null
@@ -1 +0,0 @@
-Fleet Packages will be copied to this folder
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index c01bb8e67..8b698c281 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -1,19 +1,52 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -installdocker: +dockergroup: + group.present: + - name: docker + - gid: 920 + +dockerheldpackages: pkg.installed: - - name: docker-ce + - pkgs: + - containerd.io: 1.4.4-3.1.el7 + - docker-ce: 3:20.10.5-3.el7 + - docker-ce-cli: 1:20.10.5-3.el7 + - docker-ce-rootless-extras: 20.10.5-3.el7 + - hold: True + - update_holds: True -# Make sure Docker is running! -docker: +# Make sure etc/docker exists +dockeretc: + file.directory: + - name: /etc/docker + +# Manager daemon.json +docker_daemon: + file.managed: + - source: salt://common/files/daemon.json + - name: /etc/docker/daemon.json + - template: jinja + +# Make sure Docker is always running +docker_running: service.running: + - name: docker - enable: True + - watch: + - file: docker_daemon -{% else %} +# Reserve OS ports for Docker proxy in case boot settings are not already applied/present +# 57314 = Strelka, 47760-47860 = Zeek +dockerapplyports: + cmd.run: + - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="57314,47760-47860"; fi -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed +# Reserve OS ports for Docker proxy +dockerreserveports: + file.managed: + - source: salt://common/files/99-reserved-ports.conf + - name: /etc/sysctl.d/99-reserved-ports.conf -{% endif %} \ No newline at end of file diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index a92d3aedd..c11af4f56 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls 
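Review bot: `dockerheldpackages` pins el7 builds (`docker-ce: 3:20.10.5-3.el7`, `containerd.io: 1.4.4-3.1.el7`) with `hold: True` and no `grains['os']` condition, so the state cannot resolve on a non-el7 minion and the container runtime receives no package updates until these strings are edited. The hunk also drops the `allowed_states` guard the old file had, and `docker_running` watches `docker_daemon` but does not `require` the package state. A comment recording why these versions are held and how they get bumped, plus `- require:` with `- pkg: dockerheldpackages` on the service, would make both explicit.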
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls deleted file mode 100644 index 0aa9a6507..000000000 --- a/salt/domainstats/init.sls +++ /dev/null 
@@ -1,69 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - -# Create the group -dstatsgroup: - group.present: - - name: domainstats - - gid: 936 - -# Add user -domainstats: - user.present: - - uid: 936 - - gid: 936 - - home: /opt/so/conf/domainstats - - createhome: False - -# Create the log directory -dstatslogdir: - file.directory: - - name: /opt/so/log/domainstats - - user: 936 - - group: 939 - - makedirs: True - -so-domainstatsimage: - cmd.run: - - name: docker pull {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }} - -so-domainstats: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }} - - hostname: domainstats - - name: so-domainstats - - user: domainstats - - binds: - - /opt/so/log/domainstats:/var/log/domain_stats - - require: - - file: dstatslogdir - - cmd: so-domainstatsimage - -append_so-domainstats_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-domainstats - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} 
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index 819a3cbbd..f21bab4c3 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} elastalert: @@ -11,8 +16,8 @@ elastalert: minutes: 10 old_query_limit: minutes: 5 - es_host: {{salt['pillar.get']('manager:mainip', '')}} - es_port: {{salt['pillar.get']('manager:es_port', '')}} + es_host: {{salt['pillar.get']('global:managerip', '')}} + es_port: 9200 es_conn_timeout: 55 max_query_size: 5000 #aws_region: us-east-1 @@ -21,10 +26,8 @@ elastalert: use_ssl: true verify_certs: false #es_send_get_body_as: GET -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} es_username: "{{ ES_USER }}" es_password: "{{ ES_PASS }}" -{%- endif %} writeback_index: elastalert_status alert_time_limit: days: 2 diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py index bae967001..62afab41e 100644 --- a/salt/elastalert/files/modules/so/playbook-es.py +++ b/salt/elastalert/files/modules/so/playbook-es.py 
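Review bot: `es_username` and `es_password` are now always sent, while the unchanged `verify_certs: false` just above them means ElastAlert does not check which server receives the credentials. Setting `verify_certs: true` together with `ca_certs: <path to the grid CA>` would close that (the path is a placeholder; the CA location is not shown in this file). `es_port` is also hard-coded to `9200` here while so-curator-closed-delete in the same commit still reads the port from pillar, so one source for the port would keep the two from drifting.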
@@ -1,5 +1,11 @@ # -*- coding: utf-8 -*- +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + from time import gmtime, strftime import requests,json from elastalert.alerts import Alerter diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index ed2549a36..3184c5c5c 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -1,17 +1,6 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} 
@@ -23,16 +12,8 @@ {%- set MANAGER_URL = salt['pillar.get']('global:url_base', '') %} {%- set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} -{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} - {% set esalert = salt['pillar.get']('manager:elastalert', '1') %} - {% set esip = salt['pillar.get']('manager:mainip', '') %} - {% set esport = salt['pillar.get']('manager:es_port', '') %} -{% elif grains['role'] == 'so-node' %} - {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %} -{% endif %} # Elastalert -{% if esalert == 1 %} # Create the group elastagroup: @@ -138,8 +119,6 @@ append_so-elastalert_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-elastalert -{% endif %} - {% else %} {{sls}}_state_not_allowed: diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml new file mode 100644 index 000000000..bb7f20300 --- /dev/null +++ b/salt/elastalert/soc_elastalert.yaml @@ -0,0 +1,25 @@ +elastalert: + config: + disable_rules_on_error: false + description: Disable rules on failure. + run_every: + minutes: 3 + description: Amount of time in minutes between searches. + buffer_time: + minutes: 10 + description: Amount of time in minutes to look through. + old_query_limit: + minutes: 5 + description: Amount of time in minutes between queries to start at the most recently run query. + es_conn_timeout: 55 + description: Timeout in seconds for connecting to and reading from Elasticsearch. + max_query_size: 5000 + description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. + alert_time_limit: + days: 2 + description: The retry window for failed alerts. + index_settings: + shards: 1 + description: The amount of shards to use for elastalert. + replicas: 0 + description: The amount of replicas for the Elastalert index. 
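Review bot: In the new soc_elastalert.yaml several settings are scalars directly followed by a `description:` key (`disable_rules_on_error: false`, `es_conn_timeout: 55`, `max_query_size: 5000`, `shards: 1`, `replicas: 0`). Indentation is not recoverable in this view, but neither reading works: nested under a scalar it is a YAML error, and as a sibling it repeats `description` inside one mapping, where most loaders silently keep only the last value. Giving each setting its own mapping, with the description as a child key of that setting, keeps every description attached to the value it documents.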
diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls
new file mode 100644
index 000000000..a4b8fbf3d
--- /dev/null
+++ b/salt/elastic-fleet/init.sls
@@ -0,0 +1,56 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + +# These values are generated during node install and stored in minion pillar +{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} +{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} +{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %} + +elasticfleetdir: + file.directory: + - name: /opt/so/conf/elastic-fleet/state + - makedirs: True + +elasticagentinstallersdir: + file.directory: + - name: /opt/so/conf/elastic-fleet/so_agent-installers + - makedirs: True + + {% if SERVICETOKEN != '' %} +so-elastic-fleet: + docker_container.running: + - image: docker.elastic.co/beats/elastic-agent:8.4.1 + - name: so-elastic-fleet + - hostname: elastic-fleet-{{ GLOBALS.hostname }} + - detach: True + - user: root + - extra_hosts: + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} + - port_bindings: + - 0.0.0.0:8220:8220 + - binds: + - /opt/so/conf/filebeat/etc/pki:/etc/pki:ro + - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw + - environment: + - FLEET_SERVER_ENABLE=true + - FLEET_URL=https://{{ FLEETURL }}:8220 + - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager_ip }}:9200 + - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} + - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} + - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt + - FLEET_SERVER_CERT=/etc/pki/filebeat.crt + - FLEET_SERVER_CERT_KEY=/etc/pki/filebeat.key + - FLEET_CA=/etc/pki/intca.crt + {% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: 
{{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elastic-fleet/install_agent_grid.sls new file mode 100644 index 000000000..36249a67f --- /dev/null +++ b/salt/elastic-fleet/install_agent_grid.sls @@ -0,0 +1,13 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. + + +{% set AGENT_STATUS = salt['service.available']('elastic-agent') %} +{% if not AGENT_STATUS %} + +run_installer: + cmd.run: + - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux + +{% endif %} diff --git a/salt/elasticsearch/auth.map.jinja b/salt/elasticsearch/auth.map.jinja deleted file mode 100644 index 3c3b42cdc..000000000 --- a/salt/elasticsearch/auth.map.jinja +++ /dev/null @@ -1,7 +0,0 @@ -{% set ELASTICAUTH = salt['pillar.filter_by']({ - True: { - 'user': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user'), - 'pass': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass'), - 'elasticcurl':'curl -K /opt/so/conf/elasticsearch/curl.config' }, - False: {'elasticcurl': 'curl'}, -}, pillar='elasticsearch:auth:enabled', default=False) %} diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls index ad9f3df04..f3aefa6b9 100644 --- a/salt/elasticsearch/auth.sls +++ b/salt/elasticsearch/auth.sls 
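Review bot: `so-elastic-fleet` in elastic-fleet/init.sls pulls `docker.elastic.co/beats/elastic-agent:8.4.1` from the public registry by tag, unlike so-curator in this patch, which uses `{{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/...`; serving it from the grid registry or pinning it by digest keeps the image under the same control as the rest. The container also runs as `user: root`, binds `0.0.0.0:8220`, and receives `FLEET_SERVER_SERVICE_TOKEN` through `environment`, where it is readable by anything that can inspect the container. `FLEETURL` has no default, so a missing `elasticfleet:server:url` pillar would render a broken `FLEET_URL`; extending the existing gate to `{% if SERVICETOKEN != '' and FLEETURL %}` would avoid starting the container in that state.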
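Review bot: `run_installer` in install_agent_grid.sls passes a `salt://` URL as the `name` of `cmd.run`, which executes `name` as a shell command and does not fetch anything from the fileserver, so this would fail rather than run the installer. `cmd.script` with `- source: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux` is the state that copies a fileserver script to the minion and executes it. The file also has no `allowed_states` guard, unlike elastic-fleet/init.sls in the same commit, so it runs on any minion the state is applied to.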
@@ -11,8 +11,7 @@ {% set so_logstash_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', salt['random.get_str'](72, chars=CHARS)) %} {% set so_beats_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', salt['random.get_str'](72, chars=CHARS)) %} {% set so_monitor_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_monitor_user:pass', salt['random.get_str'](72, chars=CHARS)) %} - {% set auth_enabled = salt['pillar.get']('elasticsearch:auth:enabled', False) %} - + elastic_auth_pillar: file.managed: - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls @@ -21,7 +20,6 @@ elastic_auth_pillar: - contents: | elasticsearch: auth: - enabled: {{ auth_enabled }} users: so_elastic_user: user: so_elastic diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index 9a80ce30f..86b9c47ae 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja 
@@ -1,36 +1,32 @@ {% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} + {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %} - {% do ESCONFIG.elasticsearch.config.xpack.security.authc.anonymous.update({'username': 'anonymous_user', 'roles': 'superuser', 'authz_exception': 'true'}) %} -{% endif %} - -{% if salt['pillar.get']('elasticsearch:true_cluster', False) %} - {% if grains.id.split('_') | last in ['manager','managersearch'] %} - {% if salt['pillar.get']('nodestab', {}) %} - {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} - {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %} - {% endif %} - {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} - {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN.split('_')|first) %} - {% endfor %} - {% endif %} - {% if grains.id.split('_') | last == 'manager' %} - {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': ''}) %} - {% endif %} - {% else %} - {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %} +{% if grains.id.split('_') | last in ['manager','managersearch'] %} + {% if REDIS_NODES | length > 1 %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} + {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %} {% endif %} - {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} + {% 
for SN in REDIS_NODES.keys() %} + {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN) %} + {% endfor %} {% endif %} - {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %} - {% endif %} + {% if grains.id.split('_') | last == 'manager' %} + {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': ''}) %} + {% endif %} +{% elif grains.id.split('_') | last not in ['eval', 'standalone', 'import'] %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %} + {% if HIGHLANDER %} + {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} + {% endif %} + {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} + {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} +{% endif %} +{% if HIGHLANDER %} + {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %} {% endif %} {# merge with the elasticsearch pillar #} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 1d1518b3c..bc33598f3 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
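Review bot: `discovery.seed_hosts` is now built from the keys of `REDIS_NODES`, imported from `logstash/map.jinja`, and the old `SN.split('_')|first` normalisation is gone, so Elasticsearch cluster membership depends on that map's keys already being resolvable host names, which is not visible in this hunk. Nothing here says why a Redis/Logstash node map decides the Elasticsearch master role (`REDIS_NODES | length > 1`) and seed list. A comment above the import would help, e.g. `{# REDIS_NODES keys: <what they are>; reused as the search-node list that seeds ES discovery #}`, and if the keys can be minion ids the `split('_')|first` step should be kept.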
@@ -1,53 +1,27 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} include: - ssl -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} -{% set MANAGERIP = salt['pillar.get']('global:managerip') %} - -{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} - {% set esclustername = salt['pillar.get']('manager:esclustername') %} - {% set esheap = salt['pillar.get']('manager:esheap') %} - {% set ismanager = True %} -{% elif grains['role'] in ['so-node','so-heavynode'] %} - {% set esclustername = salt['pillar.get']('elasticsearch:esclustername') %} - {% set esheap = salt['pillar.get']('elasticsearch:esheap') %} - {% set ismanager = False %} -{% elif 
grains['role'] == 'so-helix' %} - {% set ismanager = True %} {# Solely for the sake of running so-catrust #} -{% endif %} - {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %} -{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %} {% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} + +{% from 'vars/globals.map.jinja' import GLOBALS %} vm.max_map_count: sysctl.present: - value: 262144 -{% if ismanager %} +{% if GLOBALS.is_manager %} # We have to add the Manager CA to the CA list cascriptsync: file.managed: @@ -75,10 +49,6 @@ es_sync_scripts: - file_mode: 755 - template: jinja - source: salt://elasticsearch/tools/sbin - - defaults: - ELASTICCURL: 'curl' - - context: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} - exclude_pat: - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state @@ -90,8 +60,6 @@ so-elasticsearch-pipelines-script: - group: 939 - mode: 754 - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} # Move our new CA over so Elastic and Logstash can use SSL with the internal CA catrustdir: @@ -115,7 +83,7 @@ capemz: - user: 939 - group: 939 -{% if grains['role'] != 'so-helix' %} + # Add ES Group elasticsearchgroup: 
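Review bot: No state touched in these hunks requires `/opt/so/conf/elasticsearch/curl.config`, although the scripts synced by `es_sync_scripts` and `so-elasticsearch-pipelines-script` now read their credentials from it (see the script hunks later in this diff) instead of the removed `ELASTICCURL` `defaults`/`context` entries. If another state manages that file, adding a line such as `- file: STATE_MANAGING_CURL_CONFIG` (placeholder name) to the `require` list of the `cmd.run` states that call these scripts would make the ordering explicit. Because the file holds credentials, its owner and mode should limit reads to the accounts that run the scripts. Any script under `salt://elasticsearch/tools/sbin` that still contains `{{ ELASTICCURL }}` would now be rendered with that name undefined, so a search for it is worth doing before merge.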
@@ -315,27 +283,16 @@ auth_users_roles_inode: so-elasticsearch: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch - - extra_hosts: - {% if ismanager %} - - {{ grains.host }}:{{ NODEIP }} - {% if salt['pillar.get']('nodestab', {}) %} - {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - - {{ SN.split('_')|first }}:{{ SNDATA.ip }} - {% endfor %} - {% endif %} - {% else %} - - {{ grains.host }}:{{ NODEIP }} - - {{ MANAGER }}:{{ MANAGERIP }} - {% endif %} + - extra_hosts: {{ REDIS_NODES }} - environment: - {% if TRUECLUSTER is sameas false or (TRUECLUSTER is sameas true and not salt['pillar.get']('nodestab', {})) %} + {% if REDIS_NODES | length == 1 %} - discovery.type=single-node {% endif %} - - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true + - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true ulimits: - memlock=-1:-1 - nofile=65536:65536 @@ -349,7 +306,7 @@ so-elasticsearch: - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro - {% if ismanager %} + {% if GLOBALS.is_manager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro 
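Review bot: `{% if REDIS_NODES | length == 1 %}` sets `discovery.type=single-node` only for exactly one entry, while the config map hunk earlier in this diff adds seed hosts only when the length is greater than 1, so an empty `REDIS_NODES` would get neither setting. If an empty map is possible (it is defined outside these hunks), `{% if REDIS_NODES | length in [0, 1] %}` closes that gap. `- extra_hosts: {{ REDIS_NODES }}` renders the whole mapping inline, so a comment stating the expected shape, for example `# REDIS_NODES: hostname -> IP mapping, passed to docker as extra_hosts`, would help the next reader confirm it. The `so-elasticsearch` state continues outside the hunk.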
@@ -357,10 +314,8 @@ so-elasticsearch: - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro - {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro - {% endif %} {% if ESCONFIG.path.get('repo', False) %} {% for repo in ESCONFIG.path.repo %} - {{ repo }}:{{ repo }}:rw @@ -378,15 +333,13 @@ so-elasticsearch: - x509: /etc/pki/elasticsearch.crt - x509: /etc/pki/elasticsearch.key - file: elasticp12perms - {% if ismanager %} + {% if GLOBALS.is_manager %} - x509: pki_public_ca_crt {% else %} - x509: trusttheca {% endif %} - {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - cmd: auth_users_roles_inode - cmd: auth_users_inode - {% endif %} append_so-elasticsearch_so-status.conf: file.append: @@ -404,7 +357,7 @@ so-elasticsearch-templates: so-elasticsearch-pipelines: cmd.run: - - name: /usr/sbin/so-elasticsearch-pipelines {{ grains.host }} + - name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }} - require: - docker_container: so-elasticsearch - file: so-elasticsearch-pipelines-script @@ -418,7 +371,6 @@ so-elasticsearch-roles-load: - docker_container: so-elasticsearch - file: es_sync_scripts -{% endif %} {# if grains['role'] != 'so-helix' #} {% else %} diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml new file mode 100644 index 000000000..0e8faf4a2 --- /dev/null +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -0,0 +1,104 @@ +elasticsearch: + config: + cluster: + name: + description: The name of the Security Onion Elasticsearch cluster, for identification purposes. + readonly: True + global: True + routing: + allocation: + disk: + threshold_enabled: + description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + watermark: + low: + description: The lower percentage of used disk space representing a healthy node. + high: + description: The higher percentage of used disk space representing an unhealthy node. + flood_stage: + description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. + + script: + max_compilations_rate: + description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. + global: True + indices: + query: + bool: + max_clause_count: + description: Max number of boolean clauses per query. + global: True + index_settings: + so-aws: &indexSettings + warm: + description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. + global: True + close: + description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index. + global: True + delete: + description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable. + global: True + index_sorting: + description: Sorts the index by event time, at the cost of additional processing resource consumption. + global: True + index_template: + template: + settings: + index: + mapping: + total_fields: + limit: + description: Max number of fields that can exist on a single index. Larger values will consume more resources. 
+ global: True + refresh_interval: + description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. + global: True + number_of_shards: + description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. + global: True + number_of_replicas: + description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs. + global: True + so-azure: *indexSettings + so-barracuda: *indexSettings + so-beats: *indexSettings + so-bluecoat: *indexSettings + so-cef: *indexSettings + so-checkpoint: *indexSettings + so-cisco: *indexSettings + so-cyberark: *indexSettings + so-cylance: *indexSettings + so-elasticsearch: *indexSettings + so-endgame: *indexSettings + so-f5: *indexSettings + so-firewall: *indexSettings + so-fortinet: *indexSettings + so-gcp: *indexSettings + so-google_workspace: *indexSettings + so-ids: *indexSettings + so-imperva: *indexSettings + so-import: *indexSettings + so-infoblox: *indexSettings + so-juniper: *indexSettings + so-kibana: *indexSettings + so-logstash: *indexSettings + so-microsoft: *indexSettings + so-misp: *indexSettings + so-netflow: *indexSettings + so-netscout: *indexSettings + so-o365: *indexSettings + so-okta: *indexSettings + so-osquery: *indexSettings + so-proofpoint: *indexSettings + so-radware: *indexSettings + so-redis: *indexSettings + so-snort: *indexSettings + so-snyk: *indexSettings + so-sonicwall: *indexSettings + so-sophos: *indexSettings + so-strelka: *indexSettings + so-syslog: *indexSettings + so-tomcat: *indexSettings + so-zeek: *indexSettings + so-zscaler: *indexSettings \ No newline at end of file diff --git a/salt/elasticsearch/tools/sbin/so-catrust b/salt/elasticsearch/tools/sbin/so-catrust index ac9ef8a82..253208064 100644 --- a/salt/elasticsearch/tools/sbin/so-catrust 
+++ b/salt/elasticsearch/tools/sbin/so-catrust @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set VERSION = salt['pillar.get']('global:soversion', '') %} {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {%- set MANAGER = salt['grains.get']('master') %} diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines index 0fbfa8b4d..04cd86c23 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + RETURN_CODE=0 ELASTICSEARCH_HOST=$1 @@ -30,7 +22,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" 
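Review bot: The readiness probe in the `-30,7` hunk now always sends the credentials from `/opt/so/conf/elasticsearch/curl.config`, but `-k` is kept, so curl presents them without verifying the server certificate. Replacing `-k` with the internal CA, as in `curl -K /opt/so/conf/elasticsearch/curl.config --cacert PATH_TO_INTERNAL_CA ...` (placeholder path), would stop the credentials going to any host that merely answers on that name and port, provided the certificate's names cover `$ELASTICSEARCH_HOST`. The same `-k` is used by the pipeline-load loop in the next hunk and by the probe in so-elasticsearch-roles-load further down. The enclosing `while` loop continues outside the hunk.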
@@ -50,7 +42,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." - for i in *; do echo $i; RESPONSE=$({{ ELASTICCURL }} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done + for i in *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done echo cd - >/dev/null diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load index 7ce907f87..ab8e5b707 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load 
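Review bot: A failed transfer goes unnoticed in the pipeline loop, because stderr is discarded, curl's exit status is never checked, and only a response containing `error` sets `RETURN_CODE=1`. A connection or TLS failure that returns an empty body is therefore counted as a successful load. Checking the status as well, as in `RESPONSE=$(curl ... -d@"$i" 2>/dev/null) || RETURN_CODE=1`, closes that gap. Quoting `"$i"` in the URL and after `-d@` also keeps file names containing spaces or glob characters intact. The surrounding `if` block starts before this hunk.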
@@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set mainint = salt['pillar.get']('host:mainint') %} {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} @@ -29,7 +21,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load old mode 100644 new mode 100755 index e776e84a0..e341c3d40 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
@@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set mainint = salt['pillar.get']('host:mainint') %} {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 75b45d4e6..afcfcd27b 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -7,12 +7,9 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set HOSTNAME = salt['grains.get']('host', '') %} -{%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %} -{%- set WAZUHENABLED = salt['pillar.get']('global:wazuh', '0') %} +{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} {%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) -%} -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} {%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%} {%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%} {%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%} @@ -236,46 +233,6 @@ filebeat.inputs: {%- endif %} {%- endif %} -{%- if WAZUHENABLED == 1 %} - -- type: filestream - id: wazuh - paths: - - /wazuh/archives/archives.json - fields: - module: ossec - category: host - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - pipeline: "ossec" - fields_under_root: true - clean_removed: false - close_removed: false - -{%- endif %} - -{%- if FLEETMANAGER or FLEETNODE %} - -- type: filestream - id: osquery - paths: - - /nsm/osquery/fleet/result.log - fields: - module: osquery - dataset: query_result - category: host - - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - -{%- endif %} - {%- if RITAENABLED %} - type: filestream id: rita-beacon 
@@ -420,10 +377,8 @@ output.{{ type }}: output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: "{{ ES_USER }}" password: "{{ ES_PASS }}" -{%- endif %} ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" @@ -472,7 +427,7 @@ output.logstash: {% else -%} {% set dmz_nodes = [] -%} {% endif -%} -{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %} +{%- if grains.role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} {%- set LOGSTASH = namespace() %} {%- set LOGSTASH.count = 0 %} {%- set LOGSTASH.loadbalance = false %} diff --git a/salt/filebeat/etc/module-setup.yml b/salt/filebeat/etc/module-setup.yml index 6c2f91d18..d0ecd5d22 100644 --- a/salt/filebeat/etc/module-setup.yml +++ b/salt/filebeat/etc/module-setup.yml @@ -1,16 +1,10 @@ -{%- if grains['role'] in ['so-managersearch', 'so-heavynode', 'so-node'] %} -{%- set MANAGER = salt['grains.get']('host' '') %} -{%- else %} -{%- set MANAGER = salt['grains.get']('master') %} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output.elasticsearch: enabled: true - hosts: ["https://{{ MANAGER }}:9200"] -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + hosts: ["https://{{ ES }}:9200"] username: "{{ ES_USER }}" password: "{{ ES_PASS }}" -{% endif %} ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 24a26bd39..dd30d4205 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
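Review bot: `username` and `password` are now always written under `output.elasticsearch`, and both come from `pillar.get(..., '')`, so a missing pillar silently renders empty credentials instead of failing at render time. The password is also interpolated inside a double-quoted YAML scalar, so a value containing `"` or `\` alters or breaks the document; `password: {{ ES_PASS | yaml_dquote }}` (and the same for `username`) lets Salt do the escaping. The same two lines appear in the module-setup.yml hunk that follows. Since the rendered files hold a plaintext password, the states that manage them should keep the files readable only by the filebeat account.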
@@ -21,7 +21,7 @@ {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} -{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} +{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-searchnode', 'so-heavynode', 'so-import'] %} include: - ssl diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index a93eedce0..47537ca41 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja @@ -2,7 +2,7 @@ {% set FILEBEAT_EXTRA_HOSTS = [] %} {% set mainint = salt['pillar.get']('host:mainint') %} {% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %} -{% if role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %} +{% if role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} {% set node_data = salt['pillar.get']('logstash:nodes') %} {% for node_type, node_details in node_data.items() | sort %} {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index be4f81bd1..56b0a386e 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml @@ -4,7 +4,7 @@ } %} securityonion_filebeat: modules: - {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} + {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-searchnode', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} elasticsearch: server: enabled: true diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 257c45808..7f8c01910 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml 
+++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -10,16 +10,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -29,10 +25,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} sensor: portgroups: @@ -60,24 +53,16 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} - osquery_endpoint: + elastic_agent_endpoint: portgroups: - - {{ portgroups.fleet_api }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} strelka_frontend: portgroups: - {{ portgroups.strelka_frontend }} syslog: portgroups: - {{ portgroups.syslog }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -101,16 +86,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} 
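Review bot: `elastic_agent_endpoint` replaces `osquery_endpoint` in the role block of the `-60,24` hunk and in the blocks changed by the `-251,24` and `-343,27` hunks, but the blocks changed by `-165,18` and `-421,12` only lose `osquery_endpoint` and gain nothing. If those roles are meant to accept agent traffic, the hostgroup is missing there; if not, a comment such as `# elastic_agent_endpoint intentionally not opened on this role` would record the decision. The new hostgroup opens 8220/tcp and 5055/tcp (portgroups.yaml, later in this diff), so it is worth confirming that it is empty by default rather than mapped to a broad address range. The role names for these blocks lie outside the hunks.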
@@ -123,10 +104,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} {% if ISAIRGAP is sameas true %} - {{ portgroups.yum }} @@ -165,18 +143,6 @@ role: endgame: portgroups: - {{ portgroups.endgame }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -200,16 +166,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -219,10 +181,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} - {{ portgroups.yum }} sensor: 
@@ -251,24 +210,16 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} endgame: portgroups: - {{ portgroups.endgame }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} syslog: portgroups: - {{ portgroups.syslog }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -292,16 +243,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -311,10 +258,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} - {{ portgroups.yum }} sensor: 
@@ -343,27 +287,19 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} endgame: portgroups: - {{ portgroups.endgame }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} strelka_frontend: portgroups: - {{ portgroups.strelka_frontend }} syslog: portgroups: - {{ portgroups.syslog }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -387,13 +323,11 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -403,9 +337,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - {{ portgroups.sensoroni }} sensor: portgroups: @@ -421,12 +353,6 @@ role: beats_endpoint: portgroups: - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} analyst: portgroups: - {{ portgroups.nginx }} 
@@ -531,39 +457,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - fleet: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - localhost: - portgroups: - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - analyst: - portgroups: - - {{ portgroups.fleet_webui }} - minion: - portgroups: - - {{ portgroups.fleet_api }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api}} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} import: chain: DOCKER-USER: @@ -642,15 +535,6 @@ role: endgame: portgroups: - {{ portgroups.endgame }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} INPUT: hostgroups: anywhere: diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 1a183a178..a2780270d 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -48,15 +48,15 @@ firewall: elasticsearch_rest: tcp: - 9200 + elastic_agent_control: + tcp: + - 8220 + elastic_agent_data: + tcp: + - 5055 endgame: tcp: - 3765 - fleet_api: - tcp: - - 8090 - fleet_webui: - tcp: - - 443 influxdb: tcp: - 8086 @@ -73,9 +73,6 @@ firewall: tcp: - 80 - 443 - osquery_8080: - tcp: - - 8080 playbook: tcp: - 3200 @@ -101,17 +98,6 @@ firewall: - 514 udp: - 514 - wazuh_agent: - tcp: - - 1514 - udp: - - 1514 - wazuh_api: - tcp: - - 55000 - wazuh_authd: - tcp: - - 1515 yum: tcp: - 443 diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls deleted file mode 100644 index 52a15269c..000000000 --- a/salt/fleet/event_enable-fleet.sls +++ /dev/null 
@@ -1,10 +0,0 @@
-{% set MAININT = salt['pillar.get']('host:mainint') %}
-{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
-
-so/fleet:
- event.send:
- - data:
- action: 'enablefleet'
- hostname: {{ grains.host }}
- mainip: {{ MAINIP }}
- role: {{ grains.role }}
\ No newline at end of file
diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls
deleted file mode 100644
index 7506763dd..000000000
--- a/salt/fleet/event_gen-packages.sls
+++ /dev/null
@@ -1,28 +0,0 @@
-{% set MANAGER = salt['grains.get']('master') %}
-{% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
-{% set CURRENTPACKAGEVERSION = salt['pillar.get']('global:fleet_packages-version') %}
-{% set VERSION = salt['pillar.get']('global:soversion') %}
-{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}
-{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{%- set FLEETNODE = salt['pillar.get']('global:fleet_node') -%}
-
-{% if CUSTOM_FLEET_HOSTNAME != None and CUSTOM_FLEET_HOSTNAME != '' %}
- {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %}
-{% elif FLEETNODE %}
- {% set HOSTNAME = grains.host %}
-{% else %}
- {% set HOSTNAME = salt['pillar.get']('global:url_base') %}
-{% endif %}
-
-so/fleet:
- event.send:
- - data:
- action: 'genpackages'
- package-hostname: {{ HOSTNAME }}
- role: {{ grains.role }}
- mainip: {{ grains.host }}
- enroll-secret: {{ ENROLLSECRET }}
- current-package-version: {{ CURRENTPACKAGEVERSION }}
- manager: {{ MANAGER }}
- version: {{ VERSION }}
- imagerepo: {{ IMAGEREPO }}
\ No newline at end of file
diff --git a/salt/fleet/event_update-custom-hostname.sls b/salt/fleet/event_update-custom-hostname.sls
deleted file mode 100644
index b404b2828..000000000
--- a/salt/fleet/event_update-custom-hostname.sls
+++ /dev/null
@@ -1,9 +0,0 @@
-{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %}
-
-so/fleet:
- event.send:
- - data:
- action: 'update_custom_hostname'
- custom_hostname: {{ CUSTOM_FLEET_HOSTNAME }}
- role: {{ grains.role }}
-
\ No newline at end of file
diff --git a/salt/fleet/event_update-enroll-secret.sls b/salt/fleet/event_update-enroll-secret.sls
deleted file mode 100644
index 475c3e968..000000000
--- a/salt/fleet/event_update-enroll-secret.sls
+++ /dev/null
@@ -1,7 +0,0 @@
-{% set ENROLLSECRET = salt['cmd.shell']('docker exec so-fleet fleetctl get enroll-secret --json | jq -r ".spec.secrets[].secret"') %}
-
-so/fleet:
- event.send:
- - data:
- action: 'update-enrollsecret'
- enroll-secret: {{ ENROLLSECRET }}
\ No newline at end of file
diff --git a/salt/fleet/files/packs/osquery-config.conf b/salt/fleet/files/packs/osquery-config.conf
deleted file mode 100644
index 04659f3de..000000000
--- a/salt/fleet/files/packs/osquery-config.conf
+++ /dev/null
@@ -1,36 +0,0 @@
----
-apiVersion: v1
-kind: config
-spec:
- agent_options:
- config:
- decorators:
- always:
- - SELECT codename FROM os_version;
- - SELECT uuid AS live_query FROM system_info;
- - SELECT address AS endpoint_ip1 FROM interface_addresses where address not
- like '%:%' and address not like '127%' and address not like '169%' order by
- interface desc limit 1;
- - SELECT address AS endpoint_ip2 FROM interface_addresses where address not
- like '%:%' and address not like '127%' and address not like '169%' order by
- interface asc limit 1;
- - SELECT hardware_serial FROM system_info;
- - SELECT hostname AS hostname FROM system_info;
- options:
- decorations_top_level: true
- disable_distributed: false
- distributed_interval: 10
- distributed_plugin: tls
- distributed_tls_max_attempts: 3
- distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
- distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
- enable_windows_events_publisher: true
- enable_windows_events_subscriber: true
- logger_plugin: tls
- logger_tls_endpoint: /api/v1/osquery/log
- logger_tls_period: 10
- pack_delimiter: _
- host_settings:
- enable_software_inventory: false
- server_settings:
- enable_analytics: false
\ No newline at end of file
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
deleted file mode 100644
index 4f1aa0348..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+++ /dev/null
@@ -1,706 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: mac-pack - queries: - - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ - which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - interval: 3600 - name: emond - platform: darwin - query: emond - - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/ - or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - interval: 28800 - name: emond_snapshot - platform: darwin - query: emond_snapshot - snapshot: true - - description: Track time/action changes to files specified in configuration data. - interval: 300 - name: file_events - platform: darwin - query: file_events - removed: false - - description: The installed homebrew package database. - interval: 28800 - name: homebrew_packages_snapshot - platform: darwin - query: homebrew_packages_snapshot - snapshot: true - - description: List kernel extensions, their signing status, and their hashes (excluding - extensions signed by Apple) - interval: 3600 - name: macosx_kextstat - platform: darwin - query: macosx_kextstat - - description: Checks the MD5 hash of /etc/rc.common and records the results if - the hash differs from the default value. /etc/rc.common can be used for persistence. - interval: 3600 - name: rc.common - platform: darwin - query: rc.common - - description: Returns information about installed event taps. Can be used to detect - keyloggers - interval: 300 - name: event_taps - platform: darwin - query: event_taps - - description: LaunchAgents and LaunchDaemons from default search paths. 
- interval: 3600 - name: launchd - platform: darwin - query: launchd - - description: Snapshot query for launchd - interval: 28800 - name: launchd_snapshot - platform: darwin - query: launchd_snapshot - snapshot: true - - description: Detect the presence of the LD_PRELOAD environment variable - interval: 60 - name: ld_preload - platform: darwin - query: ld_preload - removed: false - - description: USB devices that are actively plugged into the host system. - interval: 300 - name: usb_devices - platform: darwin - query: usb_devices - - description: System mounted devices and filesystems (not process specific). - interval: 3600 - name: mounts - platform: darwin - query: mounts - removed: false - - description: Apple NVRAM variable listing. - interval: 3600 - name: nvram - platform: darwin - query: nvram - removed: false - - description: Line parsed values from system and user cron/tab. - interval: 3600 - name: crontab - platform: darwin - query: crontab - - description: Hardware (PCI/USB/HID) events from UDEV or IOKit. - interval: 300 - name: hardware_events - platform: darwin - query: hardware_events - removed: false - - description: The installed homebrew package database. - interval: 3600 - name: homebrew_packages - platform: darwin - query: homebrew_packages - - description: OS X applications installed in known search paths (e.g., /Applications). - interval: 3600 - name: installed_applications - platform: darwin - query: installed_applications - - description: System logins and logouts. - interval: 3600 - name: last - platform: darwin - query: last - removed: false - - description: Snapshot query for macosx_kextstat - interval: 28800 - name: macosx_kextstat_snapshot - platform: darwin - query: macosx_kextstat_snapshot - snapshot: true - - description: Checks the MD5 hash of /etc/rc.common and records the results if - the hash differs from the default value. /etc/rc.common can be used for persistence. 
- interval: 28800 - name: rc.common_snapshot - platform: darwin - query: rc.common_snapshot - snapshot: true - - description: Safari browser extension details for all users. - interval: 3600 - name: safari_extensions - platform: darwin - query: safari_extensions - - description: suid binaries in common locations. - interval: 28800 - name: suid_bin - platform: darwin - query: suid_bin - removed: false - - description: Local system users. - interval: 28800 - name: users - platform: darwin - query: users - - description: List authorized_keys for each user on the system - interval: 28800 - name: authorized_keys - platform: darwin - query: authorized_keys - - description: Application, System, and Mobile App crash logs. - interval: 3600 - name: crashes - platform: darwin - query: crashes - removed: false - - description: Displays the percentage of free space available on the primary disk - partition - interval: 3600 - name: disk_free_space_pct - platform: darwin - query: disk_free_space_pct - snapshot: true - - description: Retrieve the interface name, IP address, and MAC address for all - interfaces on the host. - interval: 600 - name: network_interfaces_snapshot - platform: darwin - query: network_interfaces_snapshot - snapshot: true - - description: Information about EFI/UEFI/ROM and platform/boot. 
- interval: 28800 - name: platform_info - platform: darwin - query: platform_info - removed: false - - description: System uptime - interval: 1800 - name: uptime - platform: darwin - query: uptime - snapshot: true - - description: MD5 hash of boot.efi - interval: 28800 - name: boot_efi_hash - platform: darwin - query: boot_efi_hash - - description: Snapshot query for Chrome extensions - interval: 28800 - name: chrome_extensions_snapshot - platform: darwin - query: chrome_extensions_snapshot - - description: Snapshot query for installed_applications - interval: 28800 - name: installed_applications_snapshot - platform: darwin - query: installed_applications_snapshot - snapshot: true - - description: NFS shares exported by the host. - interval: 3600 - name: nfs_shares - platform: darwin - query: nfs_shares - removed: false - - description: List the version of the resident operating system - interval: 28800 - name: os_version - platform: darwin - query: os_version - - description: Applications and binaries set as user/login startup items. - interval: 3600 - name: startup_items - platform: darwin - query: startup_items - - description: All C/NPAPI browser plugin details for all users. - interval: 3600 - name: browser_plugins - platform: darwin - query: browser_plugins - - description: List installed Firefox addons for all users - interval: 3600 - name: firefox_addons - platform: darwin - query: firefox_addons - - description: Discover hosts that have IP forwarding enabled - interval: 28800 - name: ip_forwarding_enabled - platform: darwin - query: ip_forwarding_enabled - removed: false - - description: Platform info snapshot query - interval: 28800 - name: platform_info_snapshot - platform: darwin - query: platform_info_snapshot - - description: Python packages installed in a system. 
- interval: 3600 - name: python_packages - platform: darwin - query: python_packages - - description: List installed Chrome Extensions for all users - interval: 3600 - name: chrome_extensions - platform: darwin - query: chrome_extensions - - description: Disk encryption status and information. - interval: 3600 - name: disk_encryption_snapshot - platform: darwin - query: disk_encryption_snapshot - snapshot: true - - description: Local system users. - interval: 28800 - name: users_snapshot - platform: darwin - query: users_snapshot - - description: OS X known/remembered Wi-Fi networks list. - interval: 28800 - name: wireless_networks - platform: darwin - query: wireless_networks - removed: false - - description: Determine if the host is running the expected EFI firmware version - given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy) - interval: 28800 - name: efigy - platform: darwin - query: efigy - snapshot: true - - description: List the contents of /etc/hosts - interval: 28800 - name: etc_hosts - platform: darwin - query: etc_hosts - - description: Operating system version snapshot query - interval: 28800 - name: os_version_snapshot - platform: darwin - query: os_version_snapshot - snapshot: true - - description: Information about the resident osquery process - interval: 28800 - name: osquery_info - platform: darwin - query: osquery_info - snapshot: true - - description: Apple's System Integrity Protection (rootless) status. - interval: 3600 - name: sip_config - platform: darwin - query: sip_config - - description: Shows information about the wifi network that a host is currently connected to. - interval: 28800 - name: wifi_status_snapshot - platform: darwin - query: wifi_status_snapshot - snapshot: true - - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted. 
- interval: 3600 - name: user_ssh_keys - platform: darwin - query: user_ssh_keys - removed: false - targets: - labels: - - macOS ---- -apiVersion: v1 -kind: query -spec: - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ - which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - name: emond - query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' - AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' - AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' - AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND - sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND - sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND - sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND - sha256!='') OR (path LIKE '/private/var/db/emondClients/%'); ---- -apiVersion: v1 -kind: query -spec: - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/ - or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - name: emond_snapshot - query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' - AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' - AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' - AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND - sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND - sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND - sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND - sha256!='') OR (path LIKE '/private/var/db/emondClients/%'); ---- -apiVersion: v1 -kind: query -spec: - description: Track time/action changes to files 
specified in configuration data. - name: file_events - query: SELECT * FROM file_events; ---- -apiVersion: v1 -kind: query -spec: - description: The installed homebrew package database. - name: homebrew_packages_snapshot - query: SELECT name, version FROM homebrew_packages; ---- -apiVersion: v1 -kind: query -spec: - description: List kernel extensions, their signing status, and their hashes (excluding - extensions signed by Apple) - name: macosx_kextstat - query: SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, - kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, - kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, - signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions - ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature - ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE - signature.authority!='Software Signing'; ---- -apiVersion: v1 -kind: query -spec: - description: Checks the MD5 hash of /etc/rc.common and records the results if the - hash differs from the default value. /etc/rc.common can be used for persistence. - name: rc.common - query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' - and md5!=''; ---- -apiVersion: v1 -kind: query -spec: - description: Returns information about installed event taps. 
Can be used to detect - keyloggers - name: event_taps - query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid - WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', - '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path - NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1; ---- -apiVersion: v1 -kind: query -spec: - description: LaunchAgents and LaunchDaemons from default search paths. - name: launchd - query: SELECT * FROM launchd; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for launchd - name: launchd_snapshot - query: SELECT path, name, label, program, run_at_load, program_arguments FROM launchd - WHERE run_at_load=1; ---- -apiVersion: v1 -kind: query -spec: - description: Detect the presence of the LD_PRELOAD environment variable - name: ld_preload - query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, - processes.path, processes.cmdline, processes.cwd FROM process_envs join processes - USING (pid) WHERE key = 'LD_PRELOAD'; ---- -apiVersion: v1 -kind: query -spec: - description: USB devices that are actively plugged into the host system. - name: usb_devices - query: SELECT * FROM usb_devices; ---- -apiVersion: v1 -kind: query -spec: - description: System mounted devices and filesystems (not process specific). - name: mounts - query: SELECT device, device_alias, path, type, blocks_size FROM mounts; ---- -apiVersion: v1 -kind: query -spec: - description: Apple NVRAM variable listing. - name: nvram - query: SELECT * FROM nvram; ---- -apiVersion: v1 -kind: query -spec: - description: Line parsed values from system and user cron/tab. - name: crontab - query: SELECT * FROM crontab; ---- -apiVersion: v1 -kind: query -spec: - description: Hardware (PCI/USB/HID) events from UDEV or IOKit. 
- name: hardware_events - query: SELECT * FROM hardware_events; ---- -apiVersion: v1 -kind: query -spec: - description: The installed homebrew package database. - name: homebrew_packages - query: SELECT * FROM homebrew_packages; ---- -apiVersion: v1 -kind: query -spec: - description: OS X applications installed in known search paths (e.g., /Applications). - name: installed_applications - query: SELECT * FROM apps; ---- -apiVersion: v1 -kind: query -spec: - description: System logins and logouts. - name: last - query: SELECT * FROM last; ---- -apiVersion: v1 -kind: query -spec: - description: Shows information about the wifi network that a host is currently connected to. - name: wifi_status_snapshot - query: SELECT * FROM wifi_status; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for macosx_kextstat - name: macosx_kextstat_snapshot - query: SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, - signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, - signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE - printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path - LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software - Signing'; ---- -apiVersion: v1 -kind: query -spec: - description: Checks the MD5 hash of /etc/rc.common and records the results if the - hash differs from the default value. /etc/rc.common can be used for persistence. - name: rc.common_snapshot - query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' - and md5!=''; ---- -apiVersion: v1 -kind: query -spec: - description: Safari browser extension details for all users. - name: safari_extensions - query: SELECT * FROM users CROSS JOIN safari_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: suid binaries in common locations. 
- name: suid_bin - query: SELECT * FROM suid_bin; ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. - name: users - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: List authorized_keys for each user on the system - name: authorized_keys - query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Application, System, and Mobile App crash logs. - name: crashes - query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path - FROM users CROSS JOIN crashes USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Displays the percentage of free space available on the primary disk - partition - name: disk_free_space_pct - query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1'; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the interface name, IP address, and MAC address for all interfaces - on the host. - name: network_interfaces_snapshot - query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details - d USING (interface); ---- -apiVersion: v1 -kind: query -spec: - description: Information about EFI/UEFI/ROM and platform/boot. 
- name: platform_info - query: SELECT * FROM platform_info; ---- -apiVersion: v1 -kind: query -spec: - description: System uptime - name: uptime - query: SELECT * FROM uptime; ---- -apiVersion: v1 -kind: query -spec: - description: MD5 hash of boot.efi - name: boot_efi_hash - query: SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi'; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for Chrome extensions - name: chrome_extensions_snapshot - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for installed_applications - name: installed_applications_snapshot - query: SELECT name, path, bundle_short_version, bundle_version, display_name FROM - apps; ---- -apiVersion: v1 -kind: query -spec: - description: NFS shares exported by the host. - name: nfs_shares - query: SELECT * FROM nfs_shares; ---- -apiVersion: v1 -kind: query -spec: - description: List the version of the resident operating system - name: os_version - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: Applications and binaries set as user/login startup items. - name: startup_items - query: SELECT * FROM startup_items; ---- -apiVersion: v1 -kind: query -spec: - description: All C/NPAPI browser plugin details for all users. 
- name: browser_plugins - query: SELECT * FROM users CROSS JOIN browser_plugins USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: List installed Firefox addons for all users - name: firefox_addons - query: SELECT * FROM users CROSS JOIN firefox_addons USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Discover hosts that have IP forwarding enabled - name: ip_forwarding_enabled - query: SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE - '%ip%' AND current_value=1; ---- -apiVersion: v1 -kind: query -spec: - description: Platform info snapshot query - name: platform_info_snapshot - query: SELECT vendor, version, date, revision from platform_info; ---- -apiVersion: v1 -kind: query -spec: - description: Python packages installed in a system. - name: python_packages - query: SELECT * FROM python_packages; ---- -apiVersion: v1 -kind: query -spec: - description: List installed Chrome Extensions for all users - name: chrome_extensions - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Disk encryption status and information. - name: disk_encryption_snapshot - query: SELECT * FROM disk_encryption; ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. - name: users_snapshot - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: OS X known/remembered Wi-Fi networks list. 
- name: wireless_networks - query: SELECT ssid, network_name, security_type, last_connected, captive_portal, - possibly_hidden, roaming, roaming_profile FROM wifi_networks; ---- -apiVersion: v1 -kind: query -spec: - description: Determine if the host is running the expected EFI firmware version - given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy) - name: efigy - query: SELECT * FROM efigy; ---- -apiVersion: v1 -kind: query -spec: - description: List the contents of /etc/hosts - name: etc_hosts - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Operating system version snapshot query - name: os_version_snapshot - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: Information about the resident osquery process - name: osquery_info - query: SELECT * FROM osquery_info; ---- -apiVersion: v1 -kind: query -spec: - description: Apple's System Integrity Protection (rootless) status. - name: sip_config - query: SELECT * FROM sip_config; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted. - name: user_ssh_keys - query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml deleted file mode 100644 index 3aa9da280..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml +++ /dev/null 
@@ -1,538 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: windows-pack - queries: - - description: System info snapshot query - interval: 28800 - name: system_info_snapshot - platform: windows - query: system_info_snapshot - snapshot: true - - description: List in-use Windows drivers - interval: 3600 - name: drivers - platform: windows - query: drivers - - description: Displays shared resources on a computer system running Windows. This - may be a disk drive, printer, interprocess communication, or other sharable - device. - interval: 3600 - name: shared_resources - platform: windows - query: shared_resources - - description: Lists all the patches applied - interval: 3600 - name: patches - platform: windows - query: patches - removed: false - - description: Pipes snapshot query - interval: 28800 - name: pipes_snapshot - platform: windows - query: pipes_snapshot - snapshot: true - - description: Programs snapshot query - interval: 28800 - name: programs_snapshot - platform: windows - query: programs_snapshot - snapshot: true - - description: Services snapshot query - interval: 28800 - name: services_snapshot - platform: windows - query: services_snapshot - snapshot: true - - description: WMI CommandLineEventConsumer, which can be used for persistence on - Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf - for more details. - interval: 3600 - name: wmi_cli_event_consumers - platform: windows - query: wmi_cli_event_consumers - - description: Lists the relationship between event consumers and filters. 
- interval: 3600 - name: wmi_filter_consumer_binding - platform: windows - query: wmi_filter_consumer_binding - - description: Snapshot query for Chrome extensions - interval: 3600 - name: chrome_extensions_snapshot - platform: windows - query: chrome_extensions_snapshot - - description: Retrieve the interface name, IP address, and MAC address for all - interfaces on the host. - interval: 600 - name: network_interfaces_snapshot - platform: windows - query: network_interfaces_snapshot - snapshot: true - - description: Local system users. - interval: 3600 - name: users - platform: windows - query: users - - description: Snapshot query for WMI event consumers. - interval: 28800 - name: wmi_cli_event_consumers_snapshot - platform: windows - query: wmi_cli_event_consumers_snapshot - snapshot: true - - description: List all certificates in the trust store - interval: 3600 - name: certificates - platform: windows - query: certificates - removed: false - - description: Drivers snapshot query - interval: 28800 - name: drivers_snapshot - platform: windows - query: drivers_snapshot - snapshot: true - - description: Lists WMI event filters. - interval: 3600 - name: wmi_event_filters - platform: windows - query: wmi_event_filters - - description: List installed Internet Explorer extensions - interval: 3600 - name: ie_extensions - platform: windows - query: ie_extensions - - description: List the kernel path, version, etc. - interval: 3600 - name: kernel_info - platform: windows - query: kernel_info - - description: List the version of the resident operating system - interval: 3600 - name: os_version - platform: windows - query: os_version - - description: Patches snapshot query - interval: 28800 - name: patches_snapshot - platform: windows - query: patches_snapshot - snapshot: true - - description: Named and Anonymous pipes. 
- interval: 3600 - name: pipes - platform: windows - query: pipes - removed: false - - description: Lists installed programs - interval: 0 - name: programs - platform: windows - query: programs - - description: List all certificates in the trust store (snapshot query) - interval: 0 - name: certificates_snapshot - platform: windows - query: certificates_snapshot - snapshot: true - - description: List the contents of the Windows hosts file - interval: 3600 - name: etc_hosts - platform: windows - query: etc_hosts - - description: Lists all of the tasks in the Windows task scheduler - interval: 3600 - name: scheduled_tasks - platform: windows - query: scheduled_tasks - - description: Extracted information from Windows crash logs (Minidumps). - interval: 3600 - name: windows_crashes - platform: windows - query: windows_crashes - removed: false - - description: System uptime - interval: 3600 - name: uptime - platform: windows - query: uptime - snapshot: true - - description: Snapshot query for WMI script event consumers. 
- interval: 3600 - name: wmi_script_event_consumers - platform: windows - query: wmi_script_event_consumers - snapshot: true - - description: List installed Chocolatey packages - interval: 3600 - name: chocolatey_packages - platform: windows - query: chocolatey_packages - - description: Shared resources snapshot query - interval: 28800 - name: shared_resources_snapshot - platform: windows - query: shared_resources_snapshot - snapshot: true - - description: Lists all installed services configured to start automatically at - boot - interval: 3600 - name: services - platform: windows - query: services - - description: Users snapshot query - interval: 28800 - name: users_snapshot - platform: windows - query: users_snapshot - snapshot: true - - description: List installed Chrome Extensions for all users - interval: 3600 - name: chrome_extensions - platform: windows - query: chrome_extensions - - description: Operating system version snapshot query - interval: 28800 - name: os_version_snapshot - platform: windows - query: os_version_snapshot - snapshot: true - - description: System information for identification. - interval: 3600 - name: system_info - platform: windows - query: system_info - - description: Snapshot query for WMI event filters. - interval: 28800 - name: wmi_event_filters_snapshot - platform: windows - query: wmi_event_filters_snapshot - snapshot: true - - description: Snapshot query for WMI filter consumer bindings. 
- interval: 28800 - name: wmi_filter_consumer_binding_snapshot - platform: windows - query: wmi_filter_consumer_binding_snapshot - snapshot: true - - description: Information about the resident osquery process - interval: 28800 - name: osquery_info - platform: windows - query: osquery_info - snapshot: true - - description: Scheduled Tasks snapshot query - interval: 28800 - name: scheduled_tasks_snapshot - platform: windows - query: scheduled_tasks_snapshot - snapshot: true - - description: Appcompat shims (.sdb files) installed on Windows hosts. - interval: 3600 - name: appcompat_shims - platform: windows - query: appcompat_shims - - description: Disk encryption status and information snapshot query. - interval: 28800 - name: bitlocker_info_snapshot - platform: windows - query: bitlocker_info_snapshot - snapshot: true - targets: - labels: - - MS Windows ---- -apiVersion: v1 -kind: query -spec: - description: Appcompat shims (.sdb files) installed on Windows hosts. - name: appcompat_shims - query: SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND - executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe'); ---- -apiVersion: v1 -kind: query -spec: - description: Disk encryption status and information snapshot query. - name: bitlocker_info_snapshot - query: SELECT * FROM bitlocker_info; ---- -apiVersion: v1 -kind: query -spec: - description: System info snapshot query - name: system_info_snapshot - query: SELECT * FROM system_info; ---- -apiVersion: v1 -kind: query -spec: - description: List in-use Windows drivers - name: drivers - query: SELECT * FROM drivers; ---- -apiVersion: v1 -kind: query -spec: - description: Displays shared resources on a computer system running Windows. This - may be a disk drive, printer, interprocess communication, or other sharable device. 
- name: shared_resources - query: SELECT * FROM shared_resources; ---- -apiVersion: v1 -kind: query -spec: - description: Lists all the patches applied - name: patches - query: SELECT * FROM patches; ---- -apiVersion: v1 -kind: query -spec: - description: Pipes snapshot query - name: pipes_snapshot - query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, - pipes.name, pid FROM pipes JOIN processes USING (pid); ---- -apiVersion: v1 -kind: query -spec: - description: Programs snapshot query - name: programs_snapshot - query: SELECT * FROM programs; ---- -apiVersion: v1 -kind: query -spec: - description: Services snapshot query - name: services_snapshot - query: SELECT * FROM services; ---- -apiVersion: v1 -kind: query -spec: - description: WMI CommandLineEventConsumer, which can be used for persistence on - Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf - for more details. - name: wmi_cli_event_consumers - query: SELECT * FROM wmi_cli_event_consumers; ---- -apiVersion: v1 -kind: query -spec: - description: Lists the relationship between event consumers and filters. - name: wmi_filter_consumer_binding - query: SELECT * FROM wmi_filter_consumer_binding; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for Chrome extensions - name: chrome_extensions_snapshot - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the interface name, IP address, and MAC address for all interfaces - on the host. - name: network_interfaces_snapshot - query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details - d USING (interface); ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. 
- name: users - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for WMI event consumers. - name: wmi_cli_event_consumers_snapshot - query: SELECT * FROM wmi_cli_event_consumers; ---- -apiVersion: v1 -kind: query -spec: - description: List all certificates in the trust store - name: certificates - query: SELECT * FROM certificates WHERE path != 'Other People'; ---- -apiVersion: v1 -kind: query -spec: - description: Drivers snapshot query - name: drivers_snapshot - query: SELECT * FROM drivers; ---- -apiVersion: v1 -kind: query -spec: - description: Lists WMI event filters. - name: wmi_event_filters - query: SELECT * FROM wmi_event_filters; ---- -apiVersion: v1 -kind: query -spec: - description: List installed Internet Explorer extensions - name: ie_extensions - query: SELECT * FROM ie_extensions; ---- -apiVersion: v1 -kind: query -spec: - description: List the kernel path, version, etc. - name: kernel_info - query: SELECT * FROM kernel_info; ---- -apiVersion: v1 -kind: query -spec: - description: List the version of the resident operating system - name: os_version - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: Patches snapshot query - name: patches_snapshot - query: SELECT * FROM patches; ---- -apiVersion: v1 -kind: query -spec: - description: Named and Anonymous pipes. 
- name: pipes - query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, - pipes.name, pid FROM pipes JOIN processes USING (pid); ---- -apiVersion: v1 -kind: query -spec: - description: Lists installed programs - name: programs - query: SELECT * FROM programs; ---- -apiVersion: v1 -kind: query -spec: - description: List all certificates in the trust store (snapshot query) - name: certificates_snapshot - query: SELECT * FROM certificates WHERE path != 'Other People'; ---- -apiVersion: v1 -kind: query -spec: - description: List the contents of the Windows hosts file - name: etc_hosts - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Lists all of the tasks in the Windows task scheduler - name: scheduled_tasks - query: SELECT * FROM scheduled_tasks; ---- -apiVersion: v1 -kind: query -spec: - description: Extracted information from Windows crash logs (Minidumps). - name: windows_crashes - query: SELECT * FROM windows_crashes; ---- -apiVersion: v1 -kind: query -spec: - description: System uptime - name: uptime - query: SELECT * FROM uptime; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for WMI script event consumers. 
- name: wmi_script_event_consumers - query: SELECT * FROM wmi_script_event_consumers; ---- -apiVersion: v1 -kind: query -spec: - description: List installed Chocolatey packages - name: chocolatey_packages - query: SELECT * FROM chocolatey_packages; ---- -apiVersion: v1 -kind: query -spec: - description: Shared resources snapshot query - name: shared_resources_snapshot - query: SELECT * FROM shared_resources; ---- -apiVersion: v1 -kind: query -spec: - description: Lists all installed services configured to start automatically at boot - name: services - query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START'; ---- -apiVersion: v1 -kind: query -spec: - description: Users snapshot query - name: users_snapshot - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: List installed Chrome Extensions for all users - name: chrome_extensions - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Operating system version snapshot query - name: os_version_snapshot - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: System information for identification. - name: system_info - query: SELECT * FROM system_info; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for WMI event filters. - name: wmi_event_filters_snapshot - query: SELECT * FROM wmi_event_filters; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for WMI filter consumer bindings. - name: wmi_filter_consumer_binding_snapshot - query: SELECT * FROM wmi_filter_consumer_binding; ---- -apiVersion: v1 -kind: query -spec: - description: Information about the resident osquery process - name: osquery_info - query: SELECT * FROM osquery_info; ---- -apiVersion: v1 -kind: query -spec: - description: Scheduled Tasks snapshot query - name: scheduled_tasks_snapshot - query: SELECT * FROM scheduled_tasks; 
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml
deleted file mode 100644
index f2bb85d8c..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: options
-spec:
- config:
- decorators:
- load:
- - SELECT uuid AS host_uuid FROM system_info;
- - SELECT hostname AS hostname FROM system_info;
- file_paths:
- binaries:
- - /usr/bin/%%
- - /usr/sbin/%%
- - /bin/%%
- - /sbin/%%
- - /usr/local/bin/%%
- - /usr/local/sbin/%%
- - /opt/bin/%%
- - /opt/sbin/%%
- configuration:
- - /etc/%%
- efi:
- - /System/Library/CoreServices/boot.efi
- options:
- disable_distributed: false
- disable_tables: windows_events
- distributed_interval: 10
- distributed_plugin: tls
- distributed_tls_max_attempts: 3
- distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
- distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
- logger_plugin: tls
- logger_snapshot_event_type: true
- logger_tls_endpoint: /api/v1/osquery/log
- logger_tls_period: 10
- pack_delimiter: /
- schedule_splay_percent: 10
- overrides: {}
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
deleted file mode 100644
index e8116bbb1..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: performance-metrics
- queries:
- - description: Records the CPU time and memory usage for each individual query.
- Helpful for identifying queries that may impact performance.
- interval: 1800
- name: per_query_perf
- query: per_query_perf
- snapshot: true
- - description: Track the amount of CPU time used by osquery.
- interval: 1800
- name: runtime_perf
- query: runtime_perf
- snapshot: true
- - description: Track the percentage of total CPU time utilized by $endpoint_security_tool
- interval: 1800
- name: endpoint_security_tool_perf
- query: endpoint_security_tool_perf
- snapshot: true
- - description: Track the percentage of total CPU time utilized by $backup_tool
- interval: 1800
- name: backup_tool_perf
- query: backup_tool_perf
- snapshot: true
- targets:
- labels:
- - MS Windows
- - macOS
----
-apiVersion: v1
-kind: query
-spec:
- description: Records the CPU time and memory usage for each individual query. Helpful
- for identifying queries that may impact performance.
- name: per_query_perf
- query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
- AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
- FROM osquery_schedule;
----
-apiVersion: v1
-kind: query
-spec:
- description: Track the amount of CPU time used by osquery.
- name: runtime_perf
- query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
- AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
- AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov,
- processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
- value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
- path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
----
-apiVersion: v1
-kind: query
-spec:
- description: Track the percentage of total CPU time utilized by $endpoint_security_tool
- name: endpoint_security_tool_perf
- query: SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
- processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time
- FROM processes WHERE name='endpoint_security_tool');
----
-apiVersion: v1
-kind: query
-spec:
- description: Track the percentage of total CPU time utilized by $backup_tool
- name: backup_tool_perf
- query: SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct
- FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time))
- AS backuptool_time FROM processes WHERE name='backup_tool');
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
deleted file mode 100644
index 79172d46a..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: security-tooling-checks
- queries:
- - description: Returns an event if a EndpointSecurityTool process is not found running
- from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
- (Windows)
- interval: 28800
- name: endpoint_security_tool_not_running
- platform: windows,darwin
- query: endpoint_security_tool_not_running
- snapshot: true
- - description: "Returns an event if a BackupTool process is not found running from
- '/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
- interval: 28800
- name: backup_tool_not_running
- platform: windows,darwin
- query: backup_tool_not_running
- snapshot: true
- - description: Returns the content of the key if the backend server does not match
- the expected value
- interval: 3600
- name: endpoint_security_tool_backend_server_registry_misconfigured
- platform: windows
- query: endpoint_security_tool_backend_server_registry_misconfigured
- targets:
- labels:
- - MS Windows
- - macOS
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns an event if a EndpointSecurityTool process is not found running
- from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
- (Windows)
- name: endpoint_security_tool_not_running
- query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
- process_count from processes where path='/Applications/EndpointSecurityTool' OR
- lower(path)='c:\endpointsecuritytool.exe') where process_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: "Returns an event if a BackupTool process is not found running from
- '/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
- name: backup_tool_not_running
- query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
- process_count from processes where path='/Applications/BackupTool' OR lower(path)
- LIKE 'c:\backuptool.exe') where process_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if the backend server does not match
- the expected value
- name: endpoint_security_tool_backend_server_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\EndpointSecurityTool\BackendServerLocation'
- AND data!='https://expected_endpoint.local';
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
deleted file mode 100644
index d1008e3cd..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: windows-application-security
- queries:
- - description: Controls Bitlocker full-disk encryption settings.
- interval: 3600
- name: bitlocker_autoencrypt_settings_registry
- platform: windows
- query: bitlocker_autoencrypt_settings_registry
- - description: Controls Bitlocker full-disk encryption settings.
- interval: 3600
- name: bitlocker_fde_settings_registry
- platform: windows
- query: bitlocker_fde_settings_registry
- - description: Controls Google Chrome plugins that are forcibly installed.
- interval: 3600
- name: chrome_extension_force_list_registry
- platform: windows
- query: chrome_extension_force_list_registry
- - description: Controls EMET-protected applications and system settings.
- interval: 3600
- name: emet_settings_registry
- platform: windows
- query: emet_settings_registry
- - description: Controls Local Administrative Password Solution (LAPS) settings.
- interval: 3600
- name: microsoft_laps_settings_registry
- platform: windows
- query: microsoft_laps_settings_registry
- - description: Controls Windows Passport for Work (Hello) settings.
- interval: 3600
- name: passport_for_work_settings_registry
- platform: windows
- query: passport_for_work_settings_registry
- - description: Controls UAC. A setting of 0 indicates that UAC is disabled.
- interval: 3600
- name: uac_settings_registry
- platform: windows
- query: uac_settings_registry
- targets:
- labels:
- - MS Windows
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Bitlocker full-disk encryption settings.
- name: bitlocker_autoencrypt_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Bitlocker\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Bitlocker full-disk encryption settings.
- name: bitlocker_fde_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Google Chrome plugins that are forcibly installed.
- name: chrome_extension_force_list_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls EMET-protected applications and system settings.
- name: emet_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Local Administrative Password Solution (LAPS) settings.
- name: microsoft_laps_settings_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
- Services\AdmPwd';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Windows Passport for Work (Hello) settings.
- name: passport_for_work_settings_registry
- query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls UAC. A setting of 0 indicates that UAC is disabled.
- name: uac_settings_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA';
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
deleted file mode 100644
index 38ff4857e..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
+++ /dev/null
@@ -1,322 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: windows-compliance - queries: - - description: 'This key does not exist by default and controls enabling/disabling - error reporting display. Some malware creates this key and sets the value to - 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - interval: 3600 - name: error_display_ui_registry - platform: windows - query: error_display_ui_registry - - description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename - and delayed-delete capabilities. Sometimes used as a self-deletion technique - for malware. - interval: 3600 - name: filerenameoperations_registry - platform: windows - query: filerenameoperations_registry - - description: Controls which security packages store credentials in LSA memory, - secure boot, etc. - interval: 3600 - name: local_security_authority_registry - platform: windows - query: local_security_authority_registry - - description: 'This key exists by default and has a default value of 1. Setting - this key to 0 disables logging errors/crashes to the System event channel. Some - malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - interval: 3600 - name: log_errors_registry - platform: windows - query: log_errors_registry - - description: Controls Windows security provider configurations - interval: 3600 - name: security_providers_registry - platform: windows - query: security_providers_registry - - description: Controls Windows Update server location and installation behavior. - interval: 3600 - name: windows_update_settings_registry - platform: windows - query: windows_update_settings_registry - - description: 'Controls enabling/disabling crash dumps. This key has a default - value of 7, but some malware sets this value to 0. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - interval: 3600 - name: crash_dump_registry - platform: windows - query: crash_dump_registry - - description: 'This registry key specifies the path to a DLL to be loaded by a - Windows DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83' - interval: 3600 - name: dns_plugin_dll_registry - platform: windows - query: dns_plugin_dll_registry - - description: The KnownDlls key defines the set of DLLs that are first searched - during system startup. - interval: 3600 - name: knowndlls_registry - platform: windows - query: knowndlls_registry - - description: This key exists by default and has a default value of 1. Terminal - service connections are allowed to the host when the key value is set to 0 - interval: 3600 - name: terminal_service_deny_registry - platform: windows - query: terminal_service_deny_registry - - description: Controls Windows command-line auditing - interval: 3600 - name: command_line_auditing_registry - platform: windows - query: command_line_auditing_registry - - description: 'This key (and subkeys) exist by default and are required to allow - post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - interval: 3600 - name: dr_watson_registry - platform: windows - query: dr_watson_registry - - description: Controls how many simultaneous terminal services sessions can use - the same account - interval: 3600 - name: per_user_ts_session_registry - platform: windows - query: per_user_ts_session_registry - - description: Controls Powershell execution policy, script execution, logging, - and more. 
- interval: 3600 - name: powershell_settings_registry - platform: windows - query: powershell_settings_registry - - description: Controls enabling/disabling SMBv1. Setting this key to 0 disables - the SMBv1 protocol on the host. - interval: 3600 - name: smbv1_registry - platform: windows - query: smbv1_registry - - description: Lists information about SecureBoot status. - interval: 3600 - name: secure_boot_registry - platform: windows - query: secure_boot_registry - - description: This key does not exist by default and controls enabling/disabling - error reporting. Some malware creates this key sets the value to 0 (disables - error reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx - and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html - interval: 3600 - name: error_report_registry - platform: windows - query: error_report_registry - - description: Controls behavior, size, and rotation strategy for primary windows - event log files. - interval: 3600 - name: event_log_settings_registry - platform: windows - query: event_log_settings_registry - - description: Controls system TPM settings - interval: 3600 - name: tpm_registry - platform: windows - query: tpm_registry - - description: Controls local WinRM client configuration and security. - interval: 3600 - name: winrm_settings_registry - platform: windows - query: winrm_settings_registry - - description: 'Controls the suppression of error dialog boxes. The default value - is 0 (all messages are visible), but some malware sets this value to 2 (all - messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - interval: 3600 - name: error_mode_registry - platform: windows - query: error_mode_registry - - description: Controls sending administrative notifications after a crash. 
Some - malware sets this value to 0 - interval: 3600 - name: send_error_alert_registry - platform: windows - query: send_error_alert_registry - targets: - labels: - - MS Windows ---- -apiVersion: v1 -kind: query -spec: - description: 'This key does not exist by default and controls enabling/disabling - error reporting display. Some malware creates this key and sets the value to 0. - See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - name: error_display_ui_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI'; ---- -apiVersion: v1 -kind: query -spec: - description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename - and delayed-delete capabilities. Sometimes used as a self-deletion technique for - malware. - name: filerenameoperations_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session - Manager\FileRenameOperations'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls which security packages store credentials in LSA memory, secure - boot, etc. - name: local_security_authority_registry - query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: 'This key exists by default and has a default value of 1. Setting this - key to 0 disables logging errors/crashes to the System event channel. Some malware - sets this value to 0. 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - name: log_errors_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls Windows security provider configurations - name: security_providers_registry - query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls Windows Update server location and installation behavior. - name: windows_update_settings_registry - query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: 'Controls enabling/disabling crash dumps. This key has a default value - of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - name: crash_dump_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled'; ---- -apiVersion: v1 -kind: query -spec: - description: 'This registry key specifies the path to a DLL to be loaded by a Windows - DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83' - name: dns_plugin_dll_registry - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll'; ---- -apiVersion: v1 -kind: query -spec: - description: The KnownDlls key defines the set of DLLs that are first searched during - system startup. 
- name: knowndlls_registry - query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session - Manager\KnownDLLs\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: This key exists by default and has a default value of 1. Terminal service - connections are allowed to the host when the key value is set to 0 - name: terminal_service_deny_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal - Server\fDenyTSConnections'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls Windows command-line auditing - name: command_line_auditing_registry - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; ---- -apiVersion: v1 -kind: query -spec: - description: 'This key (and subkeys) exist by default and are required to allow - post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - name: dr_watson_registry - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - NT\CurrentVersion\AeDebug'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls how many simultaneous terminal services sessions can use the - same account - name: per_user_ts_session_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal - Server\fSingleSessionPerUser'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls Powershell execution policy, script execution, logging, and - more. - name: powershell_settings_registry - query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls enabling/disabling SMBv1. 
Setting this key to 0 disables the - SMBv1 protocol on the host. - name: smbv1_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'; ---- -apiVersion: v1 -kind: query -spec: - description: Lists information about SecureBoot status. - name: secure_boot_registry - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot'; ---- -apiVersion: v1 -kind: query -spec: - description: This key does not exist by default and controls enabling/disabling - error reporting. Some malware creates this key sets the value to 0 (disables error - reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx - and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html - name: error_report_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DoReport'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls behavior, size, and rotation strategy for primary windows - event log files. - name: event_log_settings_registry - query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls system TPM settings - name: tpm_registry - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls local WinRM client configuration and security. - name: winrm_settings_registry - query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\%%'; ---- -apiVersion: v1 -kind: query -spec: - description: 'Controls the suppression of error dialog boxes. The default value - is 0 (all messages are visible), but some malware sets this value to 2 (all messages - are invisible). 
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html' - name: error_mode_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode'; ---- -apiVersion: v1 -kind: query -spec: - description: Controls sending administrative notifications after a crash. Some malware - sets this value to 0 - name: send_error_alert_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert'; diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml deleted file mode 100644 index 89f01494b..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml +++ /dev/null 
@@ -1,476 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: windows-registry-monitoring
- queries:
- - description: Technique used by attackers to prevent computer accounts from changing
- their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011)
- interval: 3600
- name: computer_password_change_disabled_registry
- platform: windows
- query: computer_password_change_disabled_registry
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: error_mode_registry_missing
- platform: windows
- query: error_mode_registry_missing
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: per_user_ts_session_registry_missing
- platform: windows
- query: per_user_ts_session_registry_missing
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: powershell_invocationheader_registry_missing
- platform: windows
- query: powershell_invocationheader_registry_missing
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: bitlocker_encryption_settings_registry_misconfigured
- platform: windows
- query: bitlocker_encryption_settings_registry_misconfigured
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: bitlocker_mbam_registry_misconfigured
- platform: windows
- query: bitlocker_mbam_registry_misconfigured
- - description: Returns the content of this key if it exists, which it shouldn't
- by default
- interval: 3600
- name: dns_plugin_dll_registry_exists
- platform: windows
- query: dns_plugin_dll_registry_exists
- - description: Returns the content of this key if it exists, which it shouldn't
- by default
- interval: 3600
- name: error_display_ui_registry_exists
- platform: windows
- query: error_display_ui_registry_exists
- - description: Returns the content of the key if it does not
match the expected
- value
- interval: 3600
- name: log_errors_registry_misconfigured
- platform: windows
- query: log_errors_registry_misconfigured
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: subscription_manager_registry_misconfigured
- platform: windows
- query: subscription_manager_registry_misconfigured
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: subscription_manager_registry_missing
- platform: windows
- query: subscription_manager_registry_missing
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: command_line_auditing_registry_misconfigured
- platform: windows
- query: command_line_auditing_registry_misconfigured
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: crash_dump_registry_missing
- platform: windows
- query: crash_dump_registry_missing
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: error_mode_registry_misconfigured
- platform: windows
- query: error_mode_registry_misconfigured
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: log_errors_registry_missing
- platform: windows
- query: log_errors_registry_missing
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: winrm_settings_registry_misconfigured
- platform: windows
- query: winrm_settings_registry_misconfigured
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: crash_dump_registry_misconfigured
- platform: windows
- query: crash_dump_registry_misconfigured
- - description: Detect a registry based persistence mechanism that allows an attacker
- to specify a DLL to be loaded when cryptographic libraries are called
(https://twitter.com/PsiDragon/status/978367732793135105)
- interval: 3600
- name: physicalstore_dll_registry_persistence
- platform: windows
- query: physicalstore_dll_registry_persistence
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: powershell_logging_registry_misconfigured
- platform: windows
- query: powershell_logging_registry_misconfigured
- - description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)'
- interval: 3600
- name: amsi_disabled_registry
- platform: windows
- query: amsi_disabled_registry
- - description: Controls how often to rotate the local computer password (defaults
- to 30 days). A modification of this value may be an indicator of attacker activity.
- interval: 3600
- name: computer_maximum_password_age_changed_registry
- platform: windows
- query: computer_maximum_password_age_changed_registry
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: dr_watson_registry_missing
- platform: windows
- query: dr_watson_registry_missing
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: per_user_ts_session_registry_misconfigured
- platform: windows
- query: per_user_ts_session_registry_misconfigured
- - description: Registry based persistence mechanism to load DLLs at reboot time
- and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/).
- Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will
- remain.
- interval: 3600
- name: runonceex_persistence_registry
- platform: windows
- query: runonceex_persistence_registry
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: smbv1_registry_missing
- platform: windows
- query: smbv1_registry_missing
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: powershell_transcription_logging_registry_missing
- platform: windows
- query: powershell_transcription_logging_registry_missing
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: powershell_module_logging_registry_missing
- platform: windows
- query: powershell_module_logging_registry_missing
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: powershell_scriptblock_logging_registry_missing
- platform: windows
- query: powershell_scriptblock_logging_registry_missing
- - description: Returns the content of the key if it does not match the expected
- value
- interval: 3600
- name: bitlocker_mbam_endpoint_registry_misconfigured
- platform: windows
- query: bitlocker_mbam_endpoint_registry_misconfigured
- - description: Returns 0 as a result if the registry key does not exist
- interval: 3600
- name: command_line_auditing_registry_missing
- platform: windows
- query: command_line_auditing_registry_missing
- - description: ""
- interval: 3600
- name: smbv1_registry_misconfigured
- platform: windows
- query: smbv1_registry_misconfigured
- - description: Returns the content of this key if it exists, which it shouldn't
- by default
- interval: 3600
- name: send_error_alert_registry_exists
- platform: windows
- query: send_error_alert_registry_exists
- targets:
- labels:
- - MS Windows
----
-apiVersion: v1
-kind: query
-spec:
- description: Technique used by attackers to prevent computer accounts from changing
- their password, thus extending the life of Kerberos silver tickets
(https://adsecurity.org/?p=2011)
- name: computer_password_change_disabled_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange'
- AND data!=0;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: error_mode_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: per_user_ts_session_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
- Server\fSingleSessionPerUser') WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: powershell_invocationheader_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: bitlocker_encryption_settings_registry_misconfigured
- query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ShouldEncryptOSDrive'
- OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\OSDriveProtector')
- AND data!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name:
bitlocker_mbam_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\UseMBAMServices'
- AND data!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of this key if it exists, which it shouldn't by
- default
- name: dns_plugin_dll_registry_exists
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll';
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of this key if it exists, which it shouldn't by
- default
- name: error_display_ui_registry_exists
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI';
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: log_errors_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent'
- AND data!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: subscription_manager_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1'
- AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC'
- AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC');
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: subscription_manager_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: command_line_auditing_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled'
- AND data!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: crash_dump_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: error_mode_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode'
- AND data=2;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: log_errors_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: winrm_settings_registry_misconfigured
- query: 'SELECT * FROM registry WHERE (path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic''
- OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowCredSSP''
- OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic''
- OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest''
- OR
path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic''
- OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP''
- OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic''
- OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess'')
- AND data!=0; '
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: crash_dump_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled'
- AND data=0;
----
-apiVersion: v1
-kind: query
-spec:
- description: Detect a registry based persistence mechanism that allows an attacker
- to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105)
- name: physicalstore_dll_registry_persistence
- query: SELECT key, path, name, mtime, username FROM registry r, users WHERE path
- LIKE 'HKEY_USERS\'||uuid||'\Software\Microsoft\SystemCertificates\CA\PhysicalStores\%%'
- OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType
- 0\CertDllOpenStoreProv\%%' AND name!='#16' AND name!='Ldap';
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: powershell_logging_registry_misconfigured
- query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging'
- OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging'
- OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting'
- OR
path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader')
- AND data!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)'
- name: amsi_disabled_registry
- query: SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users
- WHERE path = 'HKEY_USERS\'||uuid||'\Software\Microsoft\Windows Script\Settings\AmsiEnable'
- AND data=0;
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls how often to rotate the local computer password (defaults
- to 30 days). A modification of this value may be an indicator of attacker activity.
- name: computer_maximum_password_age_changed_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge'
- and data!=30;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: dr_watson_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug')
- WHERE key_exists!=2;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: per_user_ts_session_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
- Server\fSingleSessionPerUser' AND data!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Registry based persistence mechanism to load DLLs at reboot time and
- avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/).
- Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will
- remain.
- name: runonceex_persistence_registry
- query: SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx';
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: smbv1_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: powershell_transcription_logging_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: powershell_module_logging_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: powershell_scriptblock_logging_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if it does not match the expected value
- name: bitlocker_mbam_endpoint_registry_misconfigured
- query: SELECT * FROM registry WHERE
path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\KeyRecoveryServiceEndPoint'
- AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc';
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns 0 as a result if the registry key does not exist
- name: command_line_auditing_registry_missing
- query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count
- FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled')
- WHERE key_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- name: smbv1_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
- AND data!=0;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of this key if it exists, which it shouldn't by
- default
- name: send_error_alert_registry_exists
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert';
diff --git a/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml
deleted file mode 100644
index 62ae6d458..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml
+++ /dev/null
@@ -1,580 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: LinuxPack - queries: - - description: Retrieves all the jobs scheduled in crontab in the target system. - interval: 86400 - name: crontab_snapshot - platform: linux - query: crontab_snapshot - snapshot: true - - description: Various Linux kernel integrity checked attributes. - interval: 86400 - name: kernel_integrity - platform: linux - query: kernel_integrity - - description: Linux kernel modules both loaded and within the load search path. - interval: 3600 - name: kernel_modules - platform: linux - query: kernel_modules - - description: Retrieves the current list of mounted drives in the target system. - interval: 86400 - name: mounts - platform: linux - query: mounts - - description: Socket events collected from the audit framework - interval: 10 - name: socket_events - platform: linux - query: socket_events - - description: Record the network interfaces and their associated IP and MAC addresses - interval: 600 - name: network_interfaces_snapshot - platform: linux - query: network_interfaces_snapshot - snapshot: true - - description: Information about the running osquery configuration - interval: 86400 - name: osquery_info - platform: linux - query: osquery_info - snapshot: true - - description: Display all installed RPM packages - interval: 86400 - name: rpm_packages - platform: centos - query: rpm_packages - snapshot: true - - description: Record shell history for all users on system (instead of just root) - interval: 3600 - name: shell_history - platform: linux - query: shell_history - - description: File events collected from file integrity monitoring - interval: 10 - name: file_events - platform: linux - query: file_events - removed: false - - description: Retrieve the EC2 metadata for this endpoint - interval: 3600 - name: ec2_instance_metadata - platform: linux - query: ec2_instance_metadata - - description: Retrieve the EC2 tags for this endpoint - interval: 3600 - name: ec2_instance_tags 
- platform: linux - query: ec2_instance_tags - - description: Snapshot query to retrieve the EC2 tags for this instance - interval: 86400 - name: ec2_instance_tags_snapshot - platform: linux - query: ec2_instance_tags_snapshot - snapshot: true - - description: Retrieves the current filters and chains per filter in the target - system. - interval: 86400 - name: iptables - platform: linux - query: iptables - - description: Display any SUID binaries that are owned by root - interval: 86400 - name: suid_bin - platform: linux - query: suid_bin - - description: Display all installed DEB packages - interval: 86400 - name: deb_packages - platform: ubuntu - query: deb_packages - snapshot: true - - description: Find shell processes that have open sockets - interval: 600 - name: behavioral_reverse_shell - platform: linux - query: behavioral_reverse_shell - - description: Retrieves all the jobs scheduled in crontab in the target system. - interval: 3600 - name: crontab - platform: linux - query: crontab - - description: Local system users. - interval: 86400 - name: users - platform: linux - query: users - - description: Process events collected from the audit framework - interval: 10 - name: process_events - platform: linux - query: process_events - - description: Retrieves the list of the latest logins with PID, username and timestamp. - interval: 3600 - name: last - platform: linux - query: last - - description: Any processes that run with an LD_PRELOAD environment variable - interval: 60 - name: ld_preload - platform: linux - query: ld_preload - snapshot: true - - description: Information about the system hardware and name - interval: 86400 - name: system_info - platform: linux - query: system_info - snapshot: true - - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted - interval: 86400 - name: user_ssh_keys - platform: linux - query: user_ssh_keys - - description: Local system users. 
- interval: 86400 - name: users_snapshot - platform: linux - query: users_snapshot - snapshot: true - - description: DNS resolvers used by the host - interval: 3600 - name: dns_resolvers - platform: linux - query: dns_resolvers - - description: Retrieves information from the current kernel in the target system. - interval: 86400 - name: kernel_info - platform: linux - query: kernel_info - snapshot: true - - description: Linux kernel modules both loaded and within the load search path. - interval: 86400 - name: kernel_modules_snapshot - platform: linux - query: kernel_modules_snapshot - snapshot: true - - description: Generates an event if ld.so.preload is present - used by rootkits - such as Jynx - interval: 3600 - name: ld_so_preload_exists - platform: linux - query: ld_so_preload_exists - snapshot: true - - description: Records system/user time, db size, and many other system metrics - interval: 1800 - name: runtime_perf - platform: linux - query: runtime_perf - - description: Retrieves all the entries in the target system /etc/hosts file. - interval: 86400 - name: etc_hosts_snapshot - platform: linux - query: etc_hosts_snapshot - snapshot: true - - description: Snapshot query to retrieve the EC2 metadata for this endpoint - interval: 86400 - name: ec2_instance_metadata_snapshot - platform: linux - query: ec2_instance_metadata_snapshot - snapshot: true - - description: "" - interval: 10 - name: hardware_events - platform: linux - query: hardware_events - removed: false - - description: Information about memory usage on the system - interval: 3600 - name: memory_info - platform: linux - query: memory_info - - description: Displays information from /proc/stat file about the time the CPU - cores spent in different parts of the system - interval: 3600 - name: cpu_time - platform: linux - query: cpu_time - - description: Retrieves all the entries in the target system /etc/hosts file. 
- interval: 3600 - name: etc_hosts - platform: linux - query: etc_hosts - - description: Retrieves information from the Operating System where osquery is - currently running. - interval: 86400 - name: os_version - platform: linux - query: os_version - snapshot: true - - description: A snapshot of all processes running on the host. Useful for outlier - analysis. - interval: 86400 - name: processes_snapshot - platform: linux - query: processes_snapshot - snapshot: true - - description: Retrieves the current list of USB devices in the target system. - interval: 120 - name: usb_devices - platform: linux - query: usb_devices - - description: A line-delimited authorized_keys table. - interval: 86400 - name: authorized_keys - platform: linux - query: authorized_keys - - description: Display apt package manager sources. - interval: 86400 - name: apt_sources - platform: ubuntu - query: apt_sources - snapshot: true - - description: Gather information about processes that are listening on a socket. - interval: 86400 - name: listening_ports - platform: linux - query: listening_ports - snapshot: true - - description: Display yum package manager sources. - interval: 86400 - name: yum_sources - platform: centos - query: yum_sources - snapshot: true - targets: - labels: - - Ubuntu Linux - - CentOS Linux ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the jobs scheduled in crontab in the target system. - name: crontab_snapshot - query: SELECT * FROM crontab; ---- -apiVersion: v1 -kind: query -spec: - description: Various Linux kernel integrity checked attributes. - name: kernel_integrity - query: SELECT * FROM kernel_integrity; ---- -apiVersion: v1 -kind: query -spec: - description: Linux kernel modules both loaded and within the load search path. - name: kernel_modules - query: SELECT * FROM kernel_modules; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the current list of mounted drives in the target system. 
- name: mounts - query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts; ---- -apiVersion: v1 -kind: query -spec: - description: Socket events collected from the audit framework - name: socket_events - query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address, - remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN - ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', - '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', - 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000'); ---- -apiVersion: v1 -kind: query -spec: - description: Record the network interfaces and their associated IP and MAC addresses - name: network_interfaces_snapshot - query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details - d USING (interface); ---- -apiVersion: v1 -kind: query -spec: - description: Information about the running osquery configuration - name: osquery_info - query: SELECT * FROM osquery_info; ---- -apiVersion: v1 -kind: query -spec: - description: Display all installed RPM packages - name: rpm_packages - query: SELECT name, version, release, arch FROM rpm_packages; ---- -apiVersion: v1 -kind: query -spec: - description: Record shell history for all users on system (instead of just root) - name: shell_history - query: SELECT * FROM users CROSS JOIN shell_history USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: File events collected from file integrity monitoring - name: file_events - query: SELECT * FROM file_events; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the EC2 metadata for this endpoint - name: ec2_instance_metadata - query: SELECT * FROM ec2_instance_metadata; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the EC2 tags for this endpoint - name: ec2_instance_tags - query: SELECT * FROM ec2_instance_tags; ---- 
-apiVersion: v1 -kind: query -spec: - description: Snapshot query to retrieve the EC2 tags for this instance - name: ec2_instance_tags_snapshot - query: SELECT * FROM ec2_instance_tags; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the current filters and chains per filter in the target system. - name: iptables - query: SELECT * FROM iptables; ---- -apiVersion: v1 -kind: query -spec: - description: Display any SUID binaries that are owned by root - name: suid_bin - query: SELECT * FROM suid_bin; ---- -apiVersion: v1 -kind: query -spec: - description: Display all installed DEB packages - name: deb_packages - query: SELECT * FROM deb_packages; ---- -apiVersion: v1 -kind: query -spec: - description: Find shell processes that have open sockets - name: behavioral_reverse_shell - query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, - processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, - processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, - (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS - parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER - JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' - OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address - NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%'; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the jobs scheduled in crontab in the target system. - name: crontab - query: SELECT * FROM crontab; ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. 
- name: users - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: Process events collected from the audit framework - name: process_events - query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, - uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', - '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', - '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline - NOT LIKE '%secret%'; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the list of the latest logins with PID, username and timestamp. - name: last - query: SELECT * FROM last; ---- -apiVersion: v1 -kind: query -spec: - description: Any processes that run with an LD_PRELOAD environment variable - name: ld_preload - query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, - processes.path, processes.cmdline, processes.cwd FROM process_envs join processes - USING (pid) WHERE key = 'LD_PRELOAD'; ---- -apiVersion: v1 -kind: query -spec: - description: Information about the system hardware and name - name: system_info - query: SELECT * FROM system_info; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted - name: user_ssh_keys - query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. - name: users_snapshot - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: DNS resolvers used by the host - name: dns_resolvers - query: SELECT * FROM dns_resolvers; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves information from the current kernel in the target system. 
- name: kernel_info - query: SELECT * FROM kernel_info; ---- -apiVersion: v1 -kind: query -spec: - description: Linux kernel modules both loaded and within the load search path. - name: kernel_modules_snapshot - query: SELECT * FROM kernel_modules; ---- -apiVersion: v1 -kind: query -spec: - description: Generates an event if ld.so.preload is present - used by rootkits such - as Jynx - name: ld_so_preload_exists - query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!=''; ---- -apiVersion: v1 -kind: query -spec: - description: Records system/user time, db size, and many other system metrics - name: runtime_perf - query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename - AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes - AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, - processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT - value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE - path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the entries in the target system /etc/hosts file. 
- name: etc_hosts_snapshot - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query to retrieve the EC2 metadata for this endpoint - name: ec2_instance_metadata_snapshot - query: SELECT * FROM ec2_instance_metadata; ---- -apiVersion: v1 -kind: query -spec: - name: hardware_events - query: SELECT * FROM hardware_events; ---- -apiVersion: v1 -kind: query -spec: - description: Information about memory usage on the system - name: memory_info - query: SELECT * FROM memory_info; ---- -apiVersion: v1 -kind: query -spec: - description: Displays information from /proc/stat file about the time the CPU cores - spent in different parts of the system - name: cpu_time - query: SELECT * FROM cpu_time; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the entries in the target system /etc/hosts file. - name: etc_hosts - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves information from the Operating System where osquery is currently - running. - name: os_version - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: A snapshot of all processes running on the host. Useful for outlier - analysis. - name: processes_snapshot - query: select name, path, cmdline, cwd, on_disk from processes; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the current list of USB devices in the target system. - name: usb_devices - query: SELECT * FROM usb_devices; ---- -apiVersion: v1 -kind: query -spec: - description: A line-delimited authorized_keys table. - name: authorized_keys - query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Display apt package manager sources. - name: apt_sources - query: SELECT * FROM apt_sources; ---- -apiVersion: v1 -kind: query -spec: - description: Gather information about processes that are listening on a socket. 
- name: listening_ports - query: SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0; ---- -apiVersion: v1 -kind: query -spec: - description: Display yum package manager sources. - name: yum_sources - query: SELECT name, baseurl, enabled, gpgcheck FROM yum_sources; diff --git a/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml b/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml deleted file mode 100644 index 2329f085f..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: v1 -kind: options -spec: - config: - decorators: - load: - - SELECT uuid AS host_uuid FROM system_info; - - SELECT hostname AS hostname FROM system_info; - file_paths: - binaries: - - /usr/bin/%% - - /usr/sbin/%% - - /bin/%% - - /sbin/%% - - /usr/local/bin/%% - - /usr/local/sbin/%% - configuration: - - /etc/passwd - - /etc/shadow - - /etc/ld.so.preload - - /etc/ld.so.conf - - /etc/ld.so.conf.d/%% - - /etc/pam.d/%% - - /etc/resolv.conf - - /etc/rc%/%% - - /etc/my.cnf - - /etc/modules - - /etc/hosts - - /etc/hostname - - /etc/fstab - - /etc/crontab - - /etc/cron%/%% - - /etc/init/%% - - /etc/rsyslog.conf - options: - audit_allow_config: true - audit_allow_sockets: true - audit_persist: true - disable_audit: false - events_expiry: 1 - events_max: 500000 - disable_distributed: false - disable_subscribers: user_events - distributed_interval: 10 - distributed_plugin: tls - distributed_tls_max_attempts: 3 - distributed_tls_read_endpoint: /api/v1/osquery/distributed/read - distributed_tls_write_endpoint: /api/v1/osquery/distributed/write - logger_min_status: 1 - logger_plugin: tls - logger_snapshot_event_type: true - logger_tls_endpoint: /api/v1/osquery/log - logger_tls_period: 10 - pack_delimiter: / - schedule_splay_percent: 10 - watchdog_memory_limit: 350 - watchdog_utilization_limit: 130 - overrides: {} 
diff --git a/salt/fleet/files/packs/palantir/LICENSE.md b/salt/fleet/files/packs/palantir/LICENSE.md deleted file mode 100755 index e9a9bab22..000000000 --- a/salt/fleet/files/packs/palantir/LICENSE.md +++ /dev/null @@ -1,22 +0,0 @@ -# License -MIT License - -Copyright (c) 2017 Palantir Technologies Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/salt/fleet/files/packs/palantir/README.md b/salt/fleet/files/packs/palantir/README.md deleted file mode 100755 index a7ea61a37..000000000 --- a/salt/fleet/files/packs/palantir/README.md +++ /dev/null 
@@ -1,164 +0,0 @@ -# Palantir osquery Configuration - -## About This Repository -This repository is the companion to the [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) blog post. - -The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is -our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is -exactly what we have done with our [unwanted-chrome-extensions](https://github.com/facebook/osquery/pull/3889) query pack and [additions](https://github.com/facebook/osquery/pull/3922) to the windows-attacks pack. - -However, we have included additional query packs -that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when -operators have carefully considered the datasets to be collected and the potential use-cases for that data. -* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/performance-metrics.conf) -* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/security-tooling-checks.conf) -* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-application-security.conf) -* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-compliance.conf) -* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-registry-monitoring.conf) - - -**Note**: We also utilize packs that are maintained in the official osquery project. 
In order to ensure you receive the most up to date version of the pack, please view them using the links below: -* [ossec-rootkit.conf](https://github.com/facebook/osquery/blob/master/packs/ossec-rootkit.conf) -* [osx-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/osx-attacks.conf) -* [unwanted-chrome-extensions.conf](https://github.com/facebook/osquery/blob/master/packs/unwanted-chrome-extensions.conf) -* [windows-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/windows-attacks.conf) - -## Repository Layout -This repository is organized as follows: -* At the top level, there are two directories titled "Classic" and "Fleet" - * The [Classic](./Classic/) directory contains configuration files for a standard osquery deployment - * The [Fleet](./Fleet/) directory contains YAML files to be imported into Kolide's [Fleet](https://github.com/kolide/fleet) osquery management tool - -Within each of those folders, you will find the following subdirectories: -* **Endpoints**: The contents of this folder are tailored towards monitoring MacOS and Windows endpoints that are not expected to be online at all times. You may notice the interval of many queries in this folder set to 28800. We purposely set the interval to this value because the interval timer only moves forward when a host is online and we would only expect an endpoint to be online for about 8 hours, or 28800 seconds, per day. -* **Servers**: The contents of this folder are tailored towards monitoring Linux servers. This configuration has process and network auditing enabled, so expect an exponentially higher volume of logs to be returned from the agent. - - -## Using This Repository -**Note**: We recommend that you spin up a lab environment before deploying any of these configurations to a production -environment. 
- -**Endpoints Configuration Overview** -* The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day -* The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing. -* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Classic/Endpoints/MacOS/osquery.conf) -* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Classic/Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs. -* These configuration files utilize packs within the [packs](./Classic/Endpoints/packs) folder and may generate errors if started without them - -**Servers Configuration Overview** -* This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times -* Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd. -* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Classic/Servers/Linux/osquery.conf) -* Requires the [ossec-rootkit.conf](./Classic/Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf` -* The subscriber for `user_events` is disabled - -## Quickstart - Classic -1. [Install osquery](https://osquery.io/downloads/) -2. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below -3. Start osquery via `sudo osqueryctl start` on Linux/MacOS or `Start-Process osqueryd` on Windows -4. 
Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows) - -## Quickstart - Fleet -Install Fleet version 2.0.0 or higher -2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags] -3. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server -4. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them: - -``` -git clone https://github.com/palantir/osquery-configuration.git -fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml -fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml -fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml -for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; - do fleetctl apply -f "$pack" -done -``` - -The desired osquery directory structure for Linux, MacOS, and Windows is outlined below: - -**Linux** -``` -$ git clone https://github.com/palantir/osquery-configuration.git -$ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery -$ sudo osqueryctl start - -/etc/osquery -├── osquery.conf -├── osquery.db -├── osquery.flags -└── packs - └── ossec-rootkit.conf - -``` -**MacOS** -``` -$ git clone https://github.com/palantir/osquery-configuration.git -$ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery -$ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs -$ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing -$ sudo osqueryctl start - -/var/osquery -├── certfile.crt [if using TLS endpoint] -├── osquery.conf -├── osquery.db -├── osquery.flags -└── packs - ├── performance-metrics.conf - ├── security-tooling-checks.conf - ├── unwanted-chrome-extensions.conf - └── osx-attacks.conf -``` - -**Windows** -``` -PS> git clone 
https://github.com/palantir/osquery-configuration.git -PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery -PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs -PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing -PS> start-service osqueryd - -c:\ProgramData\osquery -├── certfile.crt [if using TLS endpoint] -├── log -├── osquery.conf -├── osquery.db -├── osquery.flags -├── osqueryi.exe -├─── osqueryd -| └── osqueryd.exe -└── packs - ├── performance-metrics.conf - ├── security-tooling-checks.conf - ├── unwanted-chrome-extensions.conf - ├── windows-application-security.conf - ├── windows-compliance.conf - ├── windows-registry-monitoring.conf - └── windows-attacks.conf -``` - -## Contributing -Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. - -## License -MIT License - -Copyright (c) 2017 Palantir Technologies Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/salt/fleet/files/packs/so/so-default.yml b/salt/fleet/files/packs/so/so-default.yml deleted file mode 100644 index b0a9d97b1..000000000 --- a/salt/fleet/files/packs/so/so-default.yml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: query -spec: - name: users - description: Users on the system - query: select * from users; ---- -apiVersion: v1 -kind: query -spec: - name: chrome-extensions - description: Chrome extensions for all users on the system - query: select users.username,chrome_extensions.*,chrome_extensions.path from users cross join chrome_extensions using (uid) where identifier not in ('aapocclcgogkmnckokdopfmhonfmgoek', 'aohghmighlieiainnegkcijnfilokake', 'apdfllckaahabafndbhieahigkjlhalf','felcaaldnbdncclmgdcncolpebgiejap','pjkljhegncpnkpknbcohdijeoejaedia','pkedcjkdefgpdelpbcmbmeomcjbeemfm','blpcfgokakmgnkcojhhkbfbldkacnbeo','ghbmnnjooekpmoecnnnilnnbdlolhkhi','nmmhkkegccagdldgiimedpiccmgmieda'); ---- -apiVersion: v1 -kind: pack -spec: - name: examples - targets: - labels: - - All Hosts - queries: - - query: users - interval: 180 - removed: false - - query: chrome-extensions - interval: 180 - removed: false diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls deleted file mode 100644 index bfdb42efa..000000000 --- a/salt/fleet/init.sls +++ /dev/null 
@@ -1,149 +0,0 @@ -{# this state can run regardless if in allowed_states or not #} -{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} -{%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} -{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set FLEETARCH = salt['grains.get']('role') %} - -{% if FLEETARCH == "so-fleet" %} - {% set MAININT = salt['pillar.get']('host:mainint') %} - {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} -{% else %} - {% set MAINIP = salt['pillar.get']('global:managerip') %} -{% endif %} -{% set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} - - -include: - - ssl - - mysql - -# Fleet Setup -fleetcdir: - file.directory: - - name: /opt/so/conf/fleet/etc - - user: 939 - - group: 939 - - makedirs: True - -fleetpackcdir: - file.directory: - - name: /opt/so/conf/fleet/packs - - user: 939 - - group: 939 - - makedirs: True - -fleetnsmdir: - file.directory: - - name: /nsm/osquery/fleet - - user: 939 - - group: 939 - - makedirs: True - -fleetpacksync: - file.recurse: - - name: /opt/so/conf/fleet/packs - - source: salt://fleet/files/packs - - user: 939 - - group: 939 - -fleetpackagessync: - file.recurse: - - name: /opt/so/conf/fleet/packages - - source: salt://fleet/packages/ - - user: 939 - - group: 939 - -fleetlogdir: - file.directory: - - name: /opt/so/log/fleet - - user: 939 - - group: 939 - - makedirs: True - -fleetdb: - mysql_database.present: - - name: fleet - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - - require: - - sls: mysql - -fleetdbuser: - mysql_user.present: - - host: {{ DNET }}/255.255.255.0 - - password: {{ FLEETPASS }} - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - 
connection_user: root - - connection_pass: {{ MYSQLPASS }} - - require: - - fleetdb - -fleetdbpriv: - mysql_grants.present: - - grant: all privileges - - database: fleet.* - - user: fleetdbuser - - host: {{ DNET }}/255.255.255.0 - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - - require: - - fleetdb - - -{% if FLEETPASS == None or FLEETJWT == None %} - -fleet_password_none: - test.configurable_test_state: - - changes: False - - result: False - - comment: "Fleet MySQL Password or JWT Key Error - Not Starting Fleet" - -{% else %} - -so-fleet: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-fleet:{{ VERSION }} - - hostname: so-fleet - - port_bindings: - - 0.0.0.0:8080:8080 - - environment: - - FLEET_MYSQL_ADDRESS={{ MAINIP }}:3306 - - FLEET_REDIS_ADDRESS={{ MAINIP }}:6379 - - FLEET_MYSQL_DATABASE=fleet - - FLEET_MYSQL_USERNAME=fleetdbuser - - FLEET_MYSQL_PASSWORD={{ FLEETPASS }} - - FLEET_SERVER_CERT=/ssl/server.cert - - FLEET_SERVER_KEY=/ssl/server.key - - FLEET_LOGGING_JSON=true - - FLEET_AUTH_JWT_KEY= {{ FLEETJWT }} - - FLEET_FILESYSTEM_STATUS_LOG_FILE=/var/log/fleet/status.log - - FLEET_FILESYSTEM_RESULT_LOG_FILE=/var/log/osquery/result.log - - FLEET_SERVER_URL_PREFIX=/fleet - - FLEET_FILESYSTEM_ENABLE_LOG_ROTATION=true - - FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION=true - - binds: - - /etc/pki/fleet.key:/ssl/server.key:ro - - /etc/pki/fleet.crt:/ssl/server.cert:ro - - /opt/so/log/fleet:/var/log/fleet - - /nsm/osquery/fleet:/var/log/osquery - - /opt/so/conf/fleet/packs:/packs - - watch: - - /opt/so/conf/fleet/etc - - require: - - x509: fleet_key - - x509: fleet_crt - -append_so-fleet_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-fleet - -{% endif %} diff --git a/salt/fleet/install_package.sls b/salt/fleet/install_package.sls deleted file mode 100644 index 9063464d8..000000000 
--- a/salt/fleet/install_package.sls +++ /dev/null @@ -1,30 +0,0 @@ -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} -{%- set FLEETHOSTNAME = salt['pillar.get']('global:fleet_hostname', False) -%} -{%- set FLEETIP = salt['pillar.get']('global:fleet_ip', False) -%} -{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} - -{% if CUSTOM_FLEET_HOSTNAME != (None and '') %} - -{{ CUSTOM_FLEET_HOSTNAME }}: - host.present: - - ip: {{ FLEETIP }} - - clean: True - -{% elif FLEETNODE and grains['role'] != 'so-fleet' %} - -{{ FLEETHOSTNAME }}: - host.present: - - ip: {{ FLEETIP }} - - clean: True - -{% endif %} - -launcherpkg: - pkg.installed: - - sources: - {% if grains['os'] == 'CentOS' %} - - launcher-final: salt://fleet/packages/launcher.rpm - {% elif grains['os'] == 'Ubuntu' %} - - launcher-final: salt://fleet/packages/launcher.deb - {% endif %} diff --git a/salt/fleet/packages/info.txt b/salt/fleet/packages/info.txt deleted file mode 100644 index 726dcf0d7..000000000 --- a/salt/fleet/packages/info.txt +++ /dev/null @@ -1 +0,0 @@ -Osquery Packages will be copied to this folder \ No newline at end of file diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls deleted file mode 100644 index c550e7ce6..000000000 --- a/salt/freqserver/init.sls +++ /dev/null 
@@ -1,69 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - -# Create the user -fservergroup: - group.present: - - name: freqserver - - gid: 935 - -# Add ES user -freqserver: - user.present: - - uid: 935 - - gid: 935 - - home: /opt/so/conf/freqserver - - createhome: False - -# Create the log directory -freqlogdir: - file.directory: - - name: /opt/so/log/freq_server - - user: 935 - - group: 935 - - makedirs: True - -so-freqimage: - cmd.run: - - name: docker pull {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-freqserver:{{ VERSION }} - -so-freq: - docker_container.running: - - require: - - so-freqimage - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-freqserver:{{ VERSION }} - - hostname: freqserver - - name: so-freqserver - - user: freqserver - - binds: - - /opt/so/log/freq_server:/var/log/freq_server:rw - -append_so-freq_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-freq - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} - 
diff --git a/salt/grafana/defaults.yaml b/salt/grafana/grafana_defaults.yaml similarity index 100% rename from salt/grafana/defaults.yaml rename to salt/grafana/grafana_defaults.yaml diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 667d2052b..f71bc3acb 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -7,7 +7,7 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} -{% import_yaml 'grafana/defaults.yaml' as default_settings %} +{% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %} {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 70a5d370d..bcde7212a 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -16,7 +16,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set MAININT = salt['pillar.get']('host:mainint') %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index a8d4c622c..fa08125f5 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls 
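Review bot: With the `'HH1.2.2'` fallback removed in salt/idh/init.sls, `salt['pillar.get']('global:soversion')` renders as an empty string when the pillar key is absent (Salt's default unless `pillar_raise_on_missing` is set). Any image reference built as `...:{{ VERSION }}` would then end in a bare colon. The same edit is made in salt/idstools/init.sls and salt/influxdb/init.sls; the lines that consume `VERSION` lie outside all three hunks, so the effect on the container states is inferred. Dropping the stale fallback is reasonable, but the missing-pillar case should fail loudly, for example with a `{% if not VERSION %}` guard that renders a `test.fail_without_changes` state, as this repository already does for disallowed states.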
@@ -1,24 +1,15 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set ENGINE = salt['pillar.get']('global:mdengine', '') %} +{% set ENGINE = salt['pillar.get']('global:mdengine') %} {% set proxy = salt['pillar.get']('manager:proxy') %} include: diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml new file mode 100644 index 000000000..9b062c300 --- /dev/null +++ b/salt/idstools/soc_idstools.yaml 
@@ -0,0 +1,21 @@ +idstools: + config: + oinkcode: + description: Enter your registration code for paid rulesets. + global: True + ruleset: + description: Define the ruleset you want to run. Options are ETOPEN or ETPRO. + global: True + urls: + description: This is a list of additional rule download locations. + global: True + sids: + disabled: + description: List of disables SIDS. + global: True + enabled: + description: List of SIDS that are disabled by the rule source that you want to enable. + global: True + modify: + description: List of SIDS that are modified. + global: True \ No newline at end of file diff --git a/salt/idstools/sync_files.sls b/salt/idstools/sync_files.sls index c74f5a19b..dee7dd01f 100644 --- a/salt/idstools/sync_files.sls +++ b/salt/idstools/sync_files.sls @@ -1,17 +1,8 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . idstoolsdir: file.directory: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index f2bdc1a1a..637be9054 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls 
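Review bot: In salt/idstools/soc_idstools.yaml, `oinkcode` is described as a registration code for paid rulesets, yet its annotation carries only `description` and `global: True`, exactly like the non-secret settings. If the annotation schema has a way to mark a value as sensitive, so that it is masked in the UI and kept out of logs, it belongs on this key; the hunk does not show whether such a field exists. Two descriptions also need rewording: `List of disables SIDS.` should read `List of disabled SIDs.`, and the `enabled` text would be clearer as `List of SIDs disabled by the rule source that you want to enable.`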
@@ -6,7 +6,7 @@ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} {% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% import_yaml 'influxdb/defaults.yaml' as default_settings %} {% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml new file mode 100644 index 000000000..5dc8ef763 --- /dev/null +++ b/salt/influxdb/soc_influxdb.yaml @@ -0,0 +1,16 @@ +influxdb: + retention_policies: + so_short_term: + duration: 30d + description: Amount of time to keep short term data. + shard_duration: 1d + description: Time range + so_long_term: + duration: 0d + description: Amount of time to keep long term downsampled data. + shard_duration: 7d + description: Amount of the time range covered by the shard group. + downsample: + so_long_term: + resolution: 5m + description: Amount of time to turn into a single data point. \ No newline at end of file diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index e19f25439..a642e9e55 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -1,4 +1,9 @@ #!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} {%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', 'ENDGAMEHOST') %} . /usr/sbin/so-common 
@@ -34,13 +39,13 @@ import() { sed -i "s/ENDGAMEHOST/{{ ENDGAMEHOST }}/g" "$ndjson_file" fi - wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" + wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? - SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') + SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # Load saved objects - RESPONSE=$({{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@"$ndjson_file") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@"$ndjson_file") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi if [[ "$RETURN_CODE" != "1" ]]; then 
@@ -54,12 +59,12 @@ import() { update() { local BASENAME=$(basename $1 | cut -d'.' -f1) if [ ! -f "/opt/so/state/kibana_$BASENAME.txt" ]; then - wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" + wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index cadfcab4e..32768a5eb 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja 
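Review bot: In update(), the rewritten PUT line reads `curl -K /opt/so/conf/elasticsearch/curl.config-X PUT ...`: the space before `-X` is missing, so curl is told to read a config file named `curl.config-X` and `PUT` is left as a stray argument instead of the request method. The request then goes out without the settings from curl.config or fails outright, and the saved-object config is not updated. The line should read `RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")`. Holding the command in one shell variable, as `{{ ELASTICCURL }}` did, would keep the five copies in import() and update() from drifting apart. update() continues past the end of this hunk.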
@@ -1,11 +1,7 @@ {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %} {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} -{% else %} - {% do KIBANACONFIG.kibana.config.xpack.update({'security': {'authc': {'providers': {'anonymous': {'anonymous1': {'order': 0, 'credentials': 'elasticsearch_anonymous_user'}}}}}}) %} -{% endif %} +{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% if salt['pillar.get']('kibana:secrets') %} {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %} diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index de78fc12c..6480c9e55 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -8,7 +8,7 @@ kibana: publicBaseUrl: https://{{salt['pillar.get']('global:url_base')}}/kibana elasticsearch: hosts: - - https://{{salt['pillar.get']('manager:mainip')}}:9200 + - https://{{salt['pillar.get']('global:managerip')}}:9200 ssl: verificationMode: none requestTimeout: 90000 
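Review bot: In kibana/config.map.jinja the `elasticsearch:auth:enabled` guard is removed and nothing checks that the `so_kibana_user` pillar keys exist, so a minion without that pillar presumably renders Kibana with an empty username and password instead of failing the state. A check before the `update` call would surface this at render time, for example `{% if not salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass') %}{% do salt['test.exception']('so_kibana_user credentials missing from pillar') %}{% endif %}`. The Logstash output templates later in this commit drop the same guard and fall back to `''` for `ES_USER` and `ES_PASS`, so they would benefit from the same check.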
@@ -33,3 +33,60 @@ kibana: reporting: kibanaServer: hostname: localhost + fleet: + packages: + - name: fleet_server + version: latest + - name: osquery_manager + version: latest + - name: system + version: latest + - name: windows + version: latest + agentPolicies: + - name: SO-Manager + id: so-manager + description: "SO Manager Fleet Server Policy" + namespace: default + is_default_fleet_server: true + monitoring_enabled: ['logs'] + package_policies: + - name: fleet-server_manager + package: + name: fleet_server + - name: SO-Grid-Nodes + id: so-grid-nodes + description: "SO Grid Node Policy" + namespace: default + monitoring_enabled: ['logs'] + package_policies: + - name: osquery-grid-nodes + package: + name: osquery_manager + - name: system-grid-nodes + package: + name: system + inputs: + - type: system/metrics + enabled: false + - name: Endpoints-Initial + id: endpoints + description: "Initial Endpoint Policy" + namespace: default + monitoring_enabled: ['logs'] + package_policies: + - name: system-endpoints + package: + name: system + inputs: + - type: system/metrics + enabled: false + - name: osquery-endpoints + package: + name: osquery_manager + - name: windows-endpoints + package: + name: windows + inputs: + - type: windows/metrics + enabled: false \ No newline at end of file diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 4ec8f9ca7..68beb2dab 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
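Review bot: Every entry added under `fleet: packages:` uses `version: latest`, so which builds of fleet_server, osquery_manager, system and windows get installed depends on what the package registry serves at deploy time, not on what was tested with this release. That makes two installs of the same Security Onion version differ and lets an upstream package change reach the manager, grid-node and endpoint policies without review. Pinning each entry, e.g. `version: <tested-version>` (placeholder), and bumping it together with the Kibana version would keep those updates deliberate.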
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index ff88b731a..11361cb5c 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
@@ -1,10 +1,12 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} {% import_yaml 'kibana/defaults.yaml' as default_settings %} {% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %} @@ -73,19 +75,17 @@ kibanabin: - source: salt://kibana/bin/so-kibana-config-load - mode: 755 - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} # Start the kibana docker so-kibana: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} - hostname: kibana - user: kibana - environment: - - ELASTICSEARCH_HOST={{ MANAGER }} + - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 - - MANAGER={{ MANAGER }} + - MANAGER={{ GLOBALS.manager }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls index 16438f528..f97aa4d59 100644 --- a/salt/kibana/secrets.sls +++ b/salt/kibana/secrets.sls 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} diff --git a/salt/kibana/so_config_load.sls b/salt/kibana/so_config_load.sls index 9730882fc..ea9655688 100644 --- a/salt/kibana/so_config_load.sls +++ b/salt/kibana/so_config_load.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - kibana diff --git a/salt/kibana/so_dashboard_load.sls b/salt/kibana/so_dashboard_load.sls index 9245ff94d..26cc13f83 100644 --- a/salt/kibana/so_dashboard_load.sls +++ b/salt/kibana/so_dashboard_load.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} include: - kibana diff --git a/salt/kibana/so_savedobjects_defaults.sls b/salt/kibana/so_savedobjects_defaults.sls index 4cf6cef34..135053c68 100644 --- a/salt/kibana/so_savedobjects_defaults.sls +++ b/salt/kibana/so_savedobjects_defaults.sls 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - kibana - kibana.so_config_load diff --git a/salt/kibana/so_securitySolution_load.sls b/salt/kibana/so_securitySolution_load.sls index 0a92c749b..0f72adcda 100644 --- a/salt/kibana/so_securitySolution_load.sls +++ b/salt/kibana/so_securitySolution_load.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - kibana diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml new file mode 100644 index 000000000..80e15df85 --- /dev/null +++ b/salt/kibana/soc_kibana.yaml @@ -0,0 +1,5 @@ +kibana: + config: + elasticsearch: + requestTimeout: 90000 + description: Request timeout length. diff --git a/salt/kratos/files/kratos.yaml b/salt/kratos/files/kratos.yaml index b300eac48..b9561b4fd 100644 --- a/salt/kratos/files/kratos.yaml +++ b/salt/kratos/files/kratos.yaml @@ -1,7 +1,7 @@ {%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} -{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%} -{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%} +{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '') -%} +{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', '') -%} session: lifespan: {{ SESSIONTIMEOUT }} 
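Review bot: In kratos/files/kratos.yaml the fallback for `kratos:sessiontimeout` changes from `'24h'` to `''`, so when the pillar key is absent `session: lifespan:` renders with no value. Whether Kratos then rejects the file or applies its own default lifetime cannot be told from this hunk; either way the session lifetime is no longer fixed by this template. If the default now lives in a defaults file outside this view that is fine, otherwise keep an explicit value: `{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}`. The same applies to `MFA_ISSUER`, whose fallback drops from `'Security Onion'` to `''`.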
diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index e44c09b63..40e2d4fdd 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -1,9 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} # Add Kratos Group kratosgroup: @@ -51,7 +53,7 @@ kratos_yaml: so-kratos: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kratos:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }} - hostname: kratos - name: so-kratos - binds: @@ -78,7 +80,7 @@ append_so-kratos_so-status.conf: wait_for_kratos: http.wait_for_successful_query: - - name: 'http://{{ MANAGER }}:4434/' + - name: 'http://{{ GLOBALS.manager }}:4434/' - ssl: True - verify_ssl: False - status: diff --git a/salt/logstash/dmz_nodes.yaml b/salt/logstash/dmz_nodes.yaml index 982f72080..460088a7d 100644 --- a/salt/logstash/dmz_nodes.yaml +++ b/salt/logstash/dmz_nodes.yaml 
@@ -1,3 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Do not edit this file. Copy it to /opt/so/saltstack/local/salt/logstash/ and make changes there. It should be formatted as a list. # logstash: # dmz_nodes: @@ -6,4 +12,4 @@ # - mydmznodehostname3 logstash: - dmz_nodes: + dmz_nodes: \ No newline at end of file diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index fc397938c..cb94d60b2 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -1,48 +1,30 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} - {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - {% set MANAGER = salt['grains.get']('master') %} - {% set MANAGERIP = salt['pillar.get']('global:managerip') %} + {% from 'logstash/map.jinja' import REDIS_NODES with context %} + {% from 'vars/globals.map.jinja' import GLOBALS %} # Logstash Section - Decide which pillar to use - {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} - {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} - {% set freq = salt['pillar.get']('manager:freq', '0') %} - {% set dstats = salt['pillar.get']('manager:domainstats', '0') %} - {% set nodetype = salt['grains.get']('role', '') %} - {% elif grains['role'] == 'so-helix' %} - {% set freq = salt['pillar.get']('manager:freq', '0') %} - {% set dstats = 
salt['pillar.get']('manager:domainstats', '0') %} - {% set nodetype = salt['grains.get']('role', '') %} + {% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} + {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set nodetype = GLOBALS.role %} {% endif %} {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} - {% from 'logstash/map.jinja' import REDIS_NODES with context %} - include: - ssl -{% if grains.role not in ['so-receiver'] %} + {% if GLOBALS.role not in ['so-receiver'] %} - elasticsearch -{% endif %} + {% endif %} # Create the logstash group logstashgroup: @@ -150,7 +132,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash - user: logstash 
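Review bot: The so-logstash image line in logstash/init.sls (hunk `@@ -150,7 +132,7 @@`) pulls from `{{ GLOBALS.manager }}:5000`, while the so-kibana and so-kratos states changed in this same commit pull from `{{ GLOBALS.registry_host }}:5000`. The definition of GLOBALS is not visible here, but if the two values can differ, Logstash would fetch its image from a different host than the other containers. For consistency the line would read `- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }}`.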
@@ -171,24 +153,22 @@ so-logstash: - /opt/so/log/logstash:/var/log/logstash:rw - /sys/fs/cgroup:/sys/fs/cgroup:ro - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro {% endif %} - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% endif %} - {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-node'] %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro {% endif %} - {%- if grains['role'] == 'so-eval' %} + {%- if GLOBALS.role == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro - - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro - - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {%- endif %} diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 5f27a17e2..d921615c7 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja 
@@ -2,7 +2,7 @@ {% set REDIS_NODES = [] %} {% set mainint = salt['pillar.get']('host:mainint') %} {% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %} -{% if role in ['so-node', 'so-standalone', 'so-managersearch'] %} +{% if role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} {% set node_data = salt['pillar.get']('logstash:nodes') %} {% for node_type, node_details in node_data.items() | sort %} {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} diff --git a/salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja b/salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja deleted file mode 100644 index 83aa0c02d..000000000 --- a/salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja +++ /dev/null @@ -1,19 +0,0 @@ -{%- set MANAGER = salt['grains.get']('master') %} -{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} -{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} - -input { - redis { - host => '{{ MANAGER }}' - port => 6379 - data_type => 'pattern_channel' - key => 'results_*' - type => 'live_query' - add_field => { - "module" => "osquery" - "dataset" => "live_query" - } - threads => {{ THREADS }} - batch_count => {{ BATCH }} - } -} diff --git a/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf new file mode 100644 index 000000000..ba89001b6 --- /dev/null +++ b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf @@ -0,0 +1,12 @@ +input { + elastic_agent { + port => 5055 + tags => [ "elastic-agent" ] + ssl => true + ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] + ssl_certificate => "/usr/share/logstash/filebeat.crt" + ssl_key => "/usr/share/logstash/filebeat.key" + ssl_verify_mode => "force_peer" + ecs_compatibility => v8 + } +} 
diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 772a97e17..f0aa95aeb 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-zeek" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 58a78c08a..3e34648f8 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { 
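Review bot: In 9000_output_zeek.conf.jinja the `elasticsearch:auth:enabled` guard around `user`/`password` is removed, so the credentials are now always sent, while the output keeps `ssl_certificate_verification => false`. The so_elastic_user password therefore goes to whichever host answers at the address taken from the `master` grain, with no check of its certificate. logstash/init.sls already mounts a CA at `/usr/share/filebeat/ca.crt`, so the output could set `cacert => "/usr/share/filebeat/ca.crt"` and `ssl_certificate_verification => true`, assuming the Elasticsearch certificate is issued by that CA for the name used in `hosts`. The other output templates changed alongside it (9002 through 9500) carry the same pair of settings, and kibana/defaults.yaml keeps `verificationMode: none` for its Elasticsearch connection.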
@@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-import" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index 88fe0d2b7..58505e285 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -1,18 +1,12 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [event_type] == "sflow" { elasticsearch { hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-flow" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 5ce7ee343..b5ef19d65 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja 
@@ -1,18 +1,12 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [event_type] == "ids" and "import" not in [tags] { elasticsearch { hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-ids" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index b222ec2e1..cce5cbc7e 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-syslog" ssl => true ssl_certificate_verification => false 
diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index ef460d463..1fa0967f5 100644 --- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -11,10 +7,8 @@ output { id => "filebeat_modules_metadata_pipeline" pipeline => "%{[metadata][pipeline]}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-%{[event][module]}-%{+YYYY.MM.dd}" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index 745ebeb19..ef55e2441 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { 
@@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-osquery" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index aa4af89fd..8d661b8cc 100644 --- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja @@ -1,9 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -{%- set FEATURES = salt['pillar.get']('elastic:features', False) %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} @@ -32,10 +27,8 @@ output { elasticsearch { pipeline => "osquery.live_query" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-osquery" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index f6b8d4098..8738a81c8 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -1,18 +1,12 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [dataset] =~ "firewall" { elasticsearch { hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-firewall" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja index 598e9c741..b2a9cccc5 100644 --- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja +++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-ids" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index 03326a320..84e9e10e8 100644 
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -11,10 +7,8 @@ output { elasticsearch { pipeline => "beats.common" hosts => "{{ ES }}" - {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - {% endif %} index => "so-beats" ssl => true ssl_certificate_verification => false @@ -24,10 +18,8 @@ output { elasticsearch { pipeline => "beats.common" hosts => "{{ ES }}" - {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - {% endif %} index => "so-beats" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index 4555fb8bb..fa9726f1f 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { 
@@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-ossec" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 09a677d1f..3eb8a164a 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja +++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-strelka" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja index 8bfa166c4..0e633a1b8 100644 --- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja +++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja 
@@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} @@ -12,10 +8,8 @@ output { id => "logscan_pipeline" pipeline => "logscan.alert" hosts => "{{ ES }}" - {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - {% endif %} index => "so-logscan" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja index 40c6ad33c..fcbba67e6 100644 --- a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja +++ b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-rita" ssl => true ssl_certificate_verification => false 
diff --git a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja deleted file mode 100644 index c57b16055..000000000 --- a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja +++ /dev/null @@ -1,22 +0,0 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -output { - if [module] =~ "kratos" and "import" not in [tags] { - elasticsearch { - pipeline => "kratos" - hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} - user => "{{ ES_USER }}" - password => "{{ ES_PASS }}" -{% endif %} - index => "so-kratos" - ssl => true - ssl_certificate_verification => false - } - } -} diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja new file mode 100644 index 000000000..ae5de7f54 --- /dev/null +++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja @@ -0,0 +1,17 @@ +{%- set ES = salt['grains.get']('master') -%} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} +output { + if "elastic-agent" in [tags] and "import" not in [tags] { + elasticsearch { + hosts => "{{ ES }}" + ecs_compatibility => v8 + data_stream => true + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + ssl => true + ssl_certificate_verification => false + } + } +} + 
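Review bot: The new 9805_output_elastic_agent.conf.jinja sends the `so_elastic_user` credentials with `ssl_certificate_verification => false`, so the output accepts any certificate presented by whatever answers at `{{ ES }}` and the password is exposed to a host sitting on the path. The other output templates carry the same setting as unchanged context, but this file is new code and could start out verifying the server: `ssl_certificate_verification => true` together with `cacert => "<PATH_TO_CA_CERT>"` (placeholder; the CA path is not visible on this page). If verification has to stay off for now, a comment stating why and which compensating control applies would help the next reader.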
diff --git a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja index b5920fe40..6f7dc4b34 100644 --- a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja +++ b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} filter { @@ -17,10 +13,8 @@ output { elasticsearch { id => "endgame_es_output" hosts => "{{ ES }}" - {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - {% endif %} index => "endgame-%{+YYYY.MM.dd}" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja b/salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja deleted file mode 100644 index aa586d3b6..000000000 --- a/salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja +++ /dev/null 
@@ -1,160 +0,0 @@ -{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} -{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} -{% set CBNAME = grains.host %} - -filter { - if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ { - grok { - match => [ - "source_ip", "^%{IPV4:srcipv4}$", - "source_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)" - ] - } - grok { - match => [ - "destination_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)", - "destination_ip", "^%{IPV4:dstipv4}$" - ] - } - - #geoip { - # source => "[source_ip]" - # target => "source_geo" - #} - #geoip { - # source => "[destination_ip]" - # target => "destination_geo" - #} - mutate { - rename => { "[beat_host][name]" => "sensor" } - copy => { "sensor" => "rawmsghostname" } - rename => { "message" => "rawmsg" } - copy => { "type" => "class" } - copy => { "class" => "program"} - rename => { "source_port" => "srcport" } - rename => { "destination_port" => "dstport" } - rename => { "[log][file][path]" => "filepath" } - add_field => { "meta_cbid" => "{{ UNIQUEID }}" } - add_field => { "meta_cbname" => "{{ CBNAME }}" } - remove_field => ["source_ip", "destination_ip", "syslog-host_from"] - remove_field => ["beat_host", "timestamp", "type", "log", "@version", "@timestamp"] - remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"] - remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"] - } - if "bro_conn" in [class] { - mutate { - #add_field => { "metaclass" => "connection" } - rename => { "original_bytes" => "sentbytes" } - rename => { "respond_bytes" => "rcvdbytes" } - rename => { "connection_state" => "connstate" } - rename => { "uid" => "connectionid" } - rename => { "respond_packets" => "rcvdpackets" } - rename => { 
"original_packets" => "sentpackets" } - rename => { "respond_ip_bytes" => "rcvdipbytes" } - rename => { "original_ip_bytes" => "sentipbytes" } - rename => { "local_respond" => "local_resp" } - rename => { "local_orig" => "localorig" } - rename => { "missed_bytes" => "missingbytes" } - rename => { "connection_state_description" => "description" } - } - } - if "bro_dns" in [class] { - mutate{ - #add_field = { "metaclass" => "dns"} - rename => { "answers" => "answer" } - rename => { "query" => "domain" } - rename => { "query_class" => "queryclass" } - rename => { "query_class_name" => "queryclassname" } - rename => { "query_type" => "querytype" } - rename => { "query_type_name" => "querytypename" } - rename => { "ra" => "recursionavailable" } - rename => { "rd" => "recursiondesired" } - rename => { "uid" => "connectionid" } - rename => { "ttls" => "ttl" } - rename => { "transaction_id" => "transactionid" } - } - } - if "bro_dhcp" in [class] { - mutate{ - #add_field = { "metaclass" => "dhcp"} - rename => { "message_types" => "direction" } - rename => { "uid" => "connectionid" } - rename => { "lease_time" => "duration" } - } - } - if "bro_files" in [class] { - mutate{ - #add_field = { "metaclass" => "dns"} - rename => { "missing_bytes" => "missingbytes" } - rename => { "seen_bytes" => "seenbytes" } - rename => { "overflow_bytes" => "overflowbytes" } - rename => { "fuid" => "fileid" } - rename => { "conn_uids" => "connectionid" } - rename => { "is_orig" => "isorig" } - rename => { "timed_out" => "timedout" } - rename => { "local_orig" => "localorig" } - rename => { "file_ip" => "tx_host" } - } - } - if "bro_http" in [class] { - mutate{ - #add_field = { "metaclass" => "dns"} - rename => { "virtual_host" => "hostname" } - rename => { "status_code" => "statuscode" } - rename => { "status_message" => "statusmsg" } - rename => { "resp_mime_types" => "rcvdmimetype" } - rename => { "resp_fuids" => "rcvdfileid" } - rename => { "response_body_len" => "rcvdbodybytes" } - rename => 
{ "request_body_len" => "sentbodybytes" } - rename => { "uid" => "connectionid" } - rename => { "ts"=> "eventtime" } - rename => { "@timestamp"=> "eventtime" } - rename => { "trans_depth" => "depth" } - rename => { "request_body_length" => "sentbodybytes" } - rename => { "response_body_length" => "rcvdbodybytes" } - } - } - if "bro_ssl" in [class] { - mutate{ - #add_field = { "metaclass" => "dns"} - rename => { "status_code" => "statuscode" } - rename => { "status_message" => "statusmsg" } - rename => { "resp_mime_types" => "rcvdmimetype" } - rename => { "resp_fuids" => "rcvdfileid" } - rename => { "response_body_len" => "rcvdbodybytes" } - rename => { "request_body_len" => "sentbodybytes" } - rename => { "uid" => "connectionid" } - } - } - if "bro_weird" in [class] { - mutate{ - #add_field = { "metaclass" => "dns"} - rename => { "name" => "eventname" } - } - } - if "bro_x509" in [class] { - mutate{ - #add_field = { "metaclass" => "dns"} - rename => { "certificate_common_name" => "certname" } - rename => { "certificate_subject" => "certsubject" } - rename => { "issuer_common_name" => "issuer" } - rename => { "certificate_issuer" => "issuersubject" } - rename => { "certificate_not_valid_before" => "issuetime" } - rename => { "certificate_key_type" => "cert_type" } - } - } - } -} - -output { - if [class] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ { - http { - url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload" - http_method => post - http_compression => true - socket_timeout => 60 - headers => ["Authorization","{{ HELIX_API_KEY }}"] - format => json_batch - } - } -} diff --git a/salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja b/salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja deleted file mode 100644 index a38d2cd44..000000000 --- a/salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja +++ /dev/null 
@@ -1,25 +0,0 @@ -{%- set MANAGER = salt['grains.get']('master') %} -{%- set access_key = salt['pillar.get']('minio:access_key', '') %} -{%- set access_secret = salt['pillar.get']('minio:access_secret', '') %} -{%- set SIZE_FILE = salt['pillar.get']('s3_settings:size_file', 2048) %} -{%- set TIME_FILE = salt['pillar.get']('s3_settings:time_file', 1) %} -{%- set UPLOAD_QUEUE_SIZE = salt['pillar.get']('s3_settings:upload_queue_size', 4) %} -{%- set ENCODING = salt['pillar.get']('s3_settings:encoding', 'gzip') %} -output { - s3 { - access_key_id => "{{ access_key }}" - secret_access_key => "{{ access_secret}}" - endpoint => "https://{{ MANAGER }}:9595" - bucket => "logstash" - size_file => {{ SIZE_FILE }} - time_file => {{ TIME_FILE }} - codec => json - encoding => {{ ENCODING }} - upload_queue_size => {{ UPLOAD_QUEUE_SIZE }} - temporary_directory => "/usr/share/logstash/data/tmp" - validate_credentials_on_root_bucket => false - additional_settings => { - "force_path_style" => true - } - } -} diff --git a/salt/manager/elasticsearch.sls b/salt/manager/elasticsearch.sls index 24c509fb4..df93217b8 100644 --- a/salt/manager/elasticsearch.sls +++ b/salt/manager/elasticsearch.sls @@ -1,4 +1,3 @@ -{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} elastic_curl_config_distributed: file.managed: - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config @@ -6,4 +5,3 @@ elastic_curl_config_distributed: - template: jinja - mode: 600 - show_changes: False -{% endif %} diff --git a/salt/manager/files/so-api.py b/salt/manager/files/so-api.py new file mode 100644 index 000000000..e69de29bb diff --git a/salt/manager/glue.py b/salt/manager/glue.py new file mode 100644 index 000000000..e69de29bb diff --git a/salt/manager/init.sls b/salt/manager/init.sls index e38079b7b..c1062e8ae 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
@@ -1,25 +1,10 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} - include: - salt.minion - kibana.secrets 
@@ -35,74 +20,6 @@ socore_own_saltstack: - user - group -/opt/so/saltstack/default/pillar/data/addtotab.sh: - file.managed: - - mode: 750 - - replace: False - -# Create the directories for apt-cacher-ng -aptcacherconfdir: - file.directory: - - name: /opt/so/conf/aptcacher-ng/etc - - user: 939 - - group: 939 - - makedirs: True - -aptcachercachedir: - file.directory: - - name: /opt/so/conf/aptcacher-ng/cache - - user: 939 - - group: 939 - - makedirs: True - -aptcacherlogdir: - file.directory: - - name: /opt/so/log/aptcacher-ng - - user: 939 - - group: 939 - - makedirs: true - -acngconf: - file.managed: - - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - - source: salt://manager/files/acng/acng.conf - - template: jinja - - show_changes: False - -# Install the apt-cacher-ng container -so-aptcacherng: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-acng:{{ VERSION }} - - hostname: so-acng - - restart_policy: always - - port_bindings: - - 0.0.0.0:3142:3142 - - binds: - - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw - - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw - - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro - - require: - - file: acngconf - -append_so-aptcacherng_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-aptcacherng - -strelka_yara_update_old_1: - cron.absent: - - user: root - - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1' - - hour: '7' - - minute: '1' - -strelka_yara_update_old_2: - cron.absent: - - user: root - - name: '/usr/sbin/so-yara-update > /dev/null 2>&1' - - hour: '7' - - minute: '1' - strelka_yara_update: cron.present: - user: root diff --git a/salt/minio/init.sls b/salt/minio/init.sls deleted file mode 100644 index d0c135bd9..000000000 --- a/salt/minio/init.sls +++ /dev/null 
@@ -1,80 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set access_key = salt['pillar.get']('minio:access_key', '') %} -{% set access_secret = salt['pillar.get']('minio:access_secret', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} - -include: - - ssl - -# Minio Setup -minioconfdir: - file.directory: - - name: /opt/so/conf/minio/etc/certs - - user: 939 - - group: 939 - - makedirs: True - -miniodatadir: - file.directory: - - name: /nsm/minio/data/ - - user: 939 - - group: 939 - - makedirs: True - -logstashbucket: - file.directory: - - name: /nsm/minio/data/logstash - - user: 939 - - group: 939 - - makedirs: True - -so-minio: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-minio:{{ VERSION }} - - hostname: so-minio - - user: socore - - port_bindings: - - 0.0.0.0:9595:9595 - - environment: - - MINIO_ACCESS_KEY: {{ access_key }} - - MINIO_SECRET_KEY: {{ access_secret }} - - binds: - - /nsm/minio/data:/data:rw - - /opt/so/conf/minio/etc:/.minio:rw - - /etc/pki/minio.key:/.minio/certs/private.key:ro - - /etc/pki/minio.crt:/.minio/certs/public.crt:ro - - entrypoint: 
"/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" - - require: - - file: minio_key - - file: minio_crt - -append_so-minio_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-minio - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index cb9586984..04ab5b140 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,20 +1,13 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} -{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %} -{% set FLEETARCH = salt['grains.get']('role') %} - -{% if FLEETARCH == "so-fleet" %} - {% set MAININT = salt['pillar.get']('host:mainint') %} - {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} -{% else %} - {% set MAINIP = salt['pillar.get']('global:managerip') %} -{% endif %} +{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') %} # MySQL Setup mysqlpkgs: 
@@ -88,13 +81,13 @@ mysql_password_none: so-mysql: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-mysql:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-mysql:{{ GLOBALS.so_version }} - hostname: so-mysql - user: socore - port_bindings: - 0.0.0.0:3306:3306 - environment: - - MYSQL_ROOT_HOST={{ MAINIP }} + - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro @@ -107,7 +100,7 @@ so-mysql: - file: mysqlcnf - file: mysqlpass cmd.run: - - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager_ip }} 3306; do sleep 1; done - timeout: 600 - onchanges: - docker_container: so-mysql diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index f82d63c1a..8979535e8 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,15 +1,8 @@ {%- set role = grains.id.split('_') | last %} -{%- if role == 'fleet' %} - {% set mainint = salt['pillar.get']('host:mainint') %} - {% set main_ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- endif %} -{%- set manager_ip = salt['pillar.get']('manager:mainip', '') %} +{%- set manager_ip = salt['pillar.get']('global:managerip', '') %} {%- set url_base = salt['pillar.get']('global:url_base') %} -{%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} -{%- set fleet_node = salt['pillar.get']('global:fleet_node') %} -{%- set fleet_ip = salt['pillar.get']('global:fleet_ip', None) %} {%- set airgap = salt['pillar.get']('global:airgap', 'False') %} 
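Review bot: `MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }}` now depends on a value imported from `vars/globals.map.jinja`, and the same value drives the `nc -z` wait loop in the following hunk, with no check that it is non-empty. The container still publishes `0.0.0.0:3306:3306` (unchanged context), so this root-host restriction is the only limit on remote root logins visible in the state; presumably a host firewall narrows it further, but that is outside the hunk. I would add a comment above the environment list, e.g. `# root may log in only from the manager IP; 3306 is published on all interfaces and relies on the host firewall`, and guard against an empty `manager_ip`. The so-mysql state starts before this hunk and continues past it.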
@@ -44,45 +37,7 @@ http { include /etc/nginx/conf.d/*.conf; - {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'fleet', 'import'] %} - - {%- if (fleet_manager or role == 'fleet') and role != 'import' %} - server { - listen 8090 ssl http2 default_server; - server_name {{ url_base }}; - root /opt/socore/html; - index blank.html; - - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - - location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ { - {%- if role == 'fleet' %} - grpc_pass grpcs://{{ main_ip }}:8080; - {%- else %} - grpc_pass grpcs://{{ manager_ip }}:8080; - {%- endif %} - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - - location ~ ^/kolide.launcher.QueryTarget/GetTargets$ { - {%- if role == 'fleet' %} - grpc_pass grpcs://{{ main_ip }}:8080; - {%- else %} - grpc_pass grpcs://{{ manager_ip }}:8080; - {%- endif %} - grpc_set_header Host $host; - grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_buffering off; - } - } - {%- endif %} + {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %} server { listen 80 default_server; 
@@ -106,40 +61,8 @@ http { {%- endif %} - {%- if role == 'fleet' %} - server { - listen 443 ssl http2; - server_name {{ main_ip }}; - root /opt/socore/html; - index index.html; + {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %} - ssl_certificate "/etc/pki/nginx/server.crt"; - ssl_certificate_key "/etc/pki/nginx/server.key"; - ssl_session_cache shared:SSL:1m; - ssl_session_timeout 10m; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; - - location /fleet/ { - proxy_pass https://{{ main_ip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - error_page 500 502 503 504 /50x.html; - location = /usr/share/nginx/html/50x.html { - } - } - {%- elif role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %} - - {%- if airgap is sameas true %} server { listen 7788; server_name {{ url_base }}; @@ -154,8 +77,7 @@ http { autoindex_localtime on; } } - {%- endif %} - + server { listen 443 ssl http2; server_name {{ url_base }}; @@ -252,7 +174,6 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } - {%- if airgap is sameas true %} location /repo/ { allow all; sendfile on; @@ -262,7 +183,6 @@ http { autoindex_format html; autoindex_localtime on; } - {%- endif %} location /grafana/ { auth_request /auth/sessions/whoami; 
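Review bot: Dropping `{%- if airgap is sameas true %}` in this hunk means the `listen 7788` server block is rendered on every eval, managersearch, manager, standalone and import node rather than only on airgap installs, and the matching removals in the `@@ -154,8 +77,7 @@`, `@@ -252,7 +174,6 @@` and `@@ -262,7 +183,6 @@` hunks do the same for `location /repo/` on 443. That location shows `allow all;` and autoindex settings with no `auth_request` in the visible lines, unlike `/grafana/` directly after it, so the repository listing appears to become reachable without a session on all manager-class nodes. If that is intended, a comment such as `# /repo/ is served without auth on all manager roles so minions can fetch packages` would record the decision; otherwise the airgap guard should stay. The `airgap` variable set at the top of the file may now be unused, and the server blocks extend beyond these hunks.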
@@ -316,29 +236,7 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } - {%- if fleet_node %} - - location /fleet/ { - return 307 https://{{ fleet_ip }}/fleet; - } - - {%- else %} - - location /fleet/ { - proxy_pass https://{{ manager_ip }}:8080; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - } - - {%- endif %} - + location /soctopus/ { auth_request /auth/sessions/whoami; proxy_pass http://{{ manager_ip }}:7000/; @@ -355,10 +253,6 @@ http { rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent; } - location /kibana/app/fleet/ { - rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent; - } - location /kibana/app/soctopus/ { rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent; } diff --git a/salt/nginx/files/nav_layer_playbook.json b/salt/nginx/files/nav_layer_playbook.json index a26f26542..69db796e8 100644 --- a/salt/nginx/files/nav_layer_playbook.json +++ b/salt/nginx/files/nav_layer_playbook.json 
@@ -1,52 +1,27 @@ { - "name": "Playbook Coverage", - "versions": { - "attack": "11", - "navigator": "4.6.4", - "layer": "4.3" - }, - "domain": "enterprise-attack", - "description": "", + "name": "Playbook", + "version": "3.0", + "domain": "mitre-enterprise", + "description": "Current Coverage of Playbook", "filters": { + "stages": ["act"], "platforms": [ - "Linux", - "macOS", - "Windows", - "Azure AD", - "Office 365", - "SaaS", - "IaaS", - "Google Workspace", - "PRE", - "Network", - "Containers" + "windows", + "linux", + "mac" ] }, "sorting": 0, - "layout": { - "layout": "side", - "aggregateFunction": "average", - "showID": false, - "showName": true, - "showAggregateScores": false, - "countUnscored": false - }, + "viewMode": 0, "hideDisabled": false, "techniques": [], "gradient": { - "colors": [ - "#ff6666ff", - "#ffe766ff", - "#8ec843ff" - ], + "colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100 }, - "legendItems": [], "metadata": [], - "links": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", - "selectTechniquesAcrossTactics": true, - "selectSubtechniquesWithParent": false -} \ No newline at end of file + "selectTechniquesAcrossTactics": true +} diff --git a/salt/nginx/files/navigator_config.json b/salt/nginx/files/navigator_config.json index 2f4672b48..3fd87139b 100644 --- a/salt/nginx/files/navigator_config.json +++ b/salt/nginx/files/navigator_config.json 
@@ -1,62 +1,58 @@ {%- set URL_BASE = salt['pillar.get']('global:url_base', '') %} { - "versions": [ - { - "name": "ATT&CK v11", - "version": "11", - "domains": [ - { - "name": "Enterprise", - "identifier": "enterprise-attack", - "data": ["assets/so/enterprise-attack.json"] - } - ] + "enterprise_attack_url": "assets/enterprise-attack.json", + "pre_attack_url": "assets/pre-attack.json", + "mobile_data_url": "assets/mobile-attack.json", + "taxii_server": { + "enabled": false, + "url": "https://cti-taxii.mitre.org/", + "collections": { + "enterprise_attack": "95ecc380-afe9-11e4-9b6c-751b66dd541e", + "pre_attack": "062767bd-02d2-4b72-84ba-56caef0f8658", + "mobile_attack": "2f669986-b40b-4423-b720-4396ca6a462b" } - ], - - "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{URL_BASE}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}], - - "default_layers": { - "enabled": true, - "urls": ["assets/so/nav_layer_playbook.json"] }, + "domain": "mitre-enterprise", + + "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{URL_BASE}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}], + +"default_layers": { + "enabled": true, + "urls": [ + "assets/playbook.json" + ] + }, + "comment_color": "yellow", - "link_color": "blue", - "banner": "", + "features": [ - {"name": "leave_site_dialog", "enabled": true, "description": "Disable to remove the dialog prompt when leaving site."}, {"name": "tabs", "enabled": true, "description": "Disable to remove the ability to open new tabs."}, {"name": 
"selecting_techniques", "enabled": true, "description": "Disable to remove the ability to select techniques."}, {"name": "header", "enabled": true, "description": "Disable to remove the header containing 'MITRE ATT&CK Navigator' and the link to the help page. The help page can still be accessed from the new tab menu."}, - {"name": "subtechniques", "enabled": true, "description": "Disable to remove all sub-technique features from the interface."}, {"name": "selection_controls", "enabled": true, "description": "Disable to to disable all subfeatures", "subfeatures": [ {"name": "search", "enabled": true, "description": "Disable to remove the technique search panel from the interface."}, {"name": "multiselect", "enabled": true, "description": "Disable to remove the multiselect panel from interface."}, {"name": "deselect_all", "enabled": true, "description": "Disable to remove the deselect all button from the interface."} ]}, - {"name": "layer_controls", "enabled": true, "description": "Disable to disable all subfeatures", "subfeatures": [ - {"name": "layer_info", "enabled": true, "description": "Disable to remove the layer info (name, description and layer metadata) panel from the interface. Note that the layer can still be renamed in the tab."}, + {"name": "layer_controls", "enabled": true, "description": "Disable to to disable all subfeatures", "subfeatures": [ + {"name": "layer_info", "enabled": true, "description": "Disable to remove the layer info (name, description and metadata) panel from the interface. 
Note that the layer can still be renamed in the tab."}, {"name": "download_layer", "enabled": true, "description": "Disable to remove the button to download the layer."}, - {"name": "export_render", "enabled": true, "description": "Disable to remove the button to render the current layer."}, - {"name": "export_excel", "enabled": true, "description": "Disable to remove the button to export the current layer to MS Excel (.xlsx) format."}, - {"name": "filters", "enabled": true, "description": "Disable to remove the filters panel from interface."}, - {"name": "sorting", "enabled": true, "description": "Disable to remove the sorting button from the interface."}, - {"name": "color_setup", "enabled": true, "description": "Disable to remove the color setup panel from interface, containing customization controls for scoring gradient and tactic row color."}, - {"name": "toggle_hide_disabled", "enabled": true, "description": "Disable to remove the hide disabled techniques button from the interface."}, - {"name": "layout_controls", "enabled": true, "description": "Disable to remove the ability to change the current matrix layout."}, - {"name": "legend", "enabled": true, "description": "Disable to remove the legend panel from the interface."} + {"name": "export_render", "enabled": true, "description": "Disable to the remove the button to render the current layer."}, + {"name": "export_excel", "enabled": true, "description": "Disable to the remove the button to export the current layer to MS Excel (.xlsx) format."}, + {"name": "filters", "enabled": true, "description": "Disable to the remove the filters panel from interface."}, + {"name": "sorting", "enabled": true, "description": "Disable to the remove the sorting button from the interface."}, + {"name": "color_setup", "enabled": true, "description": "Disable to the remove the color setup panel from interface, containing customization controls for scoring gradient and tactic row color."}, + {"name": "toggle_hide_disabled", 
"enabled": true, "description": "Disable to the remove the hide disabled techniques button from the interface."}, + {"name": "toggle_view_mode", "enabled": true, "description": "Disable to the remove the toggle view mode button from interface."}, + {"name": "legend", "enabled": true, "description": "Disable to the remove the legend panel from the interface."} ]}, - {"name": "technique_controls", "enabled": true, "description": "Disable to disable all subfeatures", "subfeatures": [ - {"name": "disable_techniques", "enabled": true, "description": "Disable to remove the ability to disable techniques."}, - {"name": "manual_color", "enabled": true, "description": "Disable to remove the ability to assign manual colors to techniques."}, - {"name": "scoring", "enabled": true, "description": "Disable to remove the ability to score techniques."}, - {"name": "comments", "enabled": true, "description": "Disable to remove the ability to add comments to techniques."}, - {"name": "comment_underline", "enabled": true, "description": "Disable to remove the comment underline effect on techniques."}, - {"name": "links", "enabled": true, "description": "Disable to remove the ability to assign hyperlinks to techniques."}, - {"name": "link_underline", "enabled": true, "description": "Disable to remove the hyperlink underline effect on techniques."}, - {"name": "metadata", "enabled": true, "description": "Disable to remove the ability to add metadata to techniques."}, + {"name": "technique_controls", "enabled": true, "description": "Disable to to disable all subfeatures", "subfeatures": [ + {"name": "disable_techniques", "enabled": true, "description": "Disable to the remove the ability to disable techniques."}, + {"name": "manual_color", "enabled": true, "description": "Disable to the remove the ability to assign manual colors to techniques."}, + {"name": "scoring", "enabled": true, "description": "Disable to the remove the ability to score techniques."}, + {"name": "comments", 
"enabled": true, "description": "Disable to the remove the ability to add comments to techniques."}, {"name": "clear_annotations", "enabled": true, "description": "Disable to remove the button to clear all annotations on the selected techniques."} ]} ] diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index cad20996e..72386561b 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,10 +1,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap') %} @@ -50,7 +48,7 @@ nginxtmp: navigatorconfig: file.managed: - - name: /opt/so/conf/navigator/config.json + - name: /opt/so/conf/navigator/navigator_config.json - source: salt://nginx/files/navigator_config.json - user: 939 - group: 939 @@ -59,7 +57,7 @@ navigatorconfig: navigatordefaultlayer: file.managed: - - name: /opt/so/conf/navigator/layers/nav_layer_playbook.json + - name: /opt/so/conf/navigator/nav_layer_playbook.json - source: salt://nginx/files/nav_layer_playbook.json - user: 939 - group: 939 @@ -69,7 +67,7 @@ navigatordefaultlayer: navigatorpreattack: file.managed: - - name: /opt/so/conf/navigator/layers/pre-attack.json + - name: /opt/so/conf/navigator/pre-attack.json - source: salt://nginx/files/pre-attack.json - user: 939 - group: 939 @@ -78,7 +76,7 @@ navigatorpreattack: navigatorenterpriseattack: file.managed: - - name: /opt/so/conf/navigator/layers/enterprise-attack.json + - name: /opt/so/conf/navigator/enterprise-attack.json - source: salt://nginx/files/enterprise-attack.json - user: 939 - group: 939 
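Review bot: The `custom_context_menu_items` URL on the new side of the navigator_config.json hunk still begins with a space inside the quotes (`" https://{{URL_BASE}}/playbook/...`). Drop it so the value starts `"https://{{URL_BASE}}/playbook/`. `URL_BASE` also falls back to an empty string on the first line of the file, so an unset `global:url_base` pillar would render the link as `https:///playbook/...`. The re-added feature descriptions reintroduce the wording slips `Disable to the remove` and `Disable to to disable`, which the removed lines had corrected to `Disable to remove` and `Disable to disable`.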
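Review bot: In the first salt/nginx/init.sls hunk, `{% set VERSION = salt['pillar.get']('global:soversion') %}` no longer has a fallback, and nothing visible checks that the value is set. As far as I know, `pillar.get` without a default returns an empty string unless the minion is configured to raise on missing keys. Any image reference built from VERSION (not visible in this hunk) would then render with an empty tag and fail only at container start. The same change is made in salt/pcap/init.sls. Consider guarding the state on a non-empty VERSION and failing the render with a clear message, and record the requirement next to the assignment, e.g. `{# global:soversion must be set in pillar; there is no fallback tag #}`.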
@@ -94,16 +92,17 @@ so-nginx: - /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/run:rw - - /opt/so/conf/fleet/packages:/opt/socore/html/packages - {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %} + - /opt/so/conf/elastic-fleet/so_agent-installers:/opt/socore/html/packages + {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro # ATT&CK Navigator binds - - /opt/so/conf/navigator/layers/:/opt/socore/html/navigator/assets/so:ro - - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro - {% endif %} - {% if ISAIRGAP is sameas true %} + - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro + - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro + - /opt/so/conf/navigator/enterprise-attack.json:/opt/socore/html/navigator/assets/enterprise-attack.json:ro + - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro - /nsm/repo:/opt/socore/html/repo:ro + {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: @@ -112,15 +111,12 @@ so-nginx: {% if ISAIRGAP is sameas true %} - 7788:7788 {% endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - 8090:8090 - {%- endif %} - watch: - file: nginxconf - file: nginxconfdir - require: - file: nginxconf - {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %} + {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - x509: managerssl_key - x509: managerssl_crt - file: navigatorconfig diff --git a/salt/nodered/files/nodered_load_flows b/salt/nodered/files/nodered_load_flows deleted file mode 100644 index 3d6ed2a8c..000000000 
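Review bot: The new bind `- /opt/so/conf/elastic-fleet/so_agent-installers:/opt/socore/html/packages` has no mode suffix, so Docker mounts it read-write, unlike the certificate and Navigator binds in the same list, which are `:ro`. The container appears only to serve these agent installers, and a writable mount means a compromise of the web container could alter the installers that endpoints download. Suggest `- /opt/so/conf/elastic-fleet/so_agent-installers:/opt/socore/html/packages:ro`. The so-nginx state begins and ends outside this hunk, so confirm nothing in the container is expected to write to that path.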
--- a/salt/nodered/files/nodered_load_flows +++ /dev/null @@ -1,12 +0,0 @@ -{%- set ip = salt['pillar.get']('global:managerip', '') -%} -#!/bin/bash -default_salt_dir=/opt/so/saltstack/default - -echo "Waiting for connection" -until $(curl --output /dev/null --silent --head -L http://{{ ip }}:1880); do - echo '.' - sleep 1 -done -echo "Loading flows..." -curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json -L {{ ip }}:1880/flows -echo "Done loading..." diff --git a/salt/nodered/files/so_flows.json b/salt/nodered/files/so_flows.json deleted file mode 100644 index 6a0dea7cf..000000000 --- a/salt/nodered/files/so_flows.json +++ /dev/null 
@@ -1,4 +0,0 @@ -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%} -{%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') -%} -{%- set CORTEXKEY = salt['pillar.get']('global:cortexorgusekey', '') -%} -[{"id":"dca608c3.7d8af8","type":"tab","label":"TheHive - Webhook Events","disabled":false,"info":""},{"id":"4db74fa6.2556d","type":"tls-config","z":"","name":"","cert":"","key":"","ca":"","certname":"","keyname":"","caname":"","servername":"","verifyservercert":false},{"id":"aa6cf50d.a02fc8","type":"http in","z":"dca608c3.7d8af8","name":"TheHive Listener","url":"/thehive","method":"post","upload":false,"swaggerDoc":"","x":120,"y":780,"wires":[["2b92aebb.853dc2","2fce29bb.1b1376","82ad0f08.7a53f"]]},{"id":"2b92aebb.853dc2","type":"debug","z":"dca608c3.7d8af8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","x":470,"y":940,"wires":[]},{"id":"a4ecb84a.805958","type":"switch","z":"dca608c3.7d8af8","name":"Operation","property":"payload.operation","propertyType":"msg","rules":[{"t":"eq","v":"Creation","vt":"str"},{"t":"eq","v":"Update","vt":"str"},{"t":"eq","v":"Delete","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":580,"y":780,"wires":[["f1e954fd.3c21d8"],["65928861.c90a48"],["a259a26c.a21"]],"outputLabels":["Creation","Update","Delete"]},{"id":"f1e954fd.3c21d8","type":"switch","z":"dca608c3.7d8af8","name":"Creation","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":480,"wires":[["e88b4cc2.f6afe"],["8c54e39.a1b4f2"],["64203fe8.e0ad5"],["3511de51.889a02"],["14544a8b.b6b2f5"],["44c595a4.45d45c"],["3eb4bedf.6e20a2"]],"inputLabels":["Operatio
n"],"outputLabels":["case","case_artifact","case_task","case_task_log","action","alert","user"],"info":"No webhook data is received for the following events:\n\n- Creation of Dashboard\n- Creation of Case Templates\n"},{"id":"65928861.c90a48","type":"switch","z":"dca608c3.7d8af8","name":"Update","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":860,"wires":[["eebe1748.1cd348"],["d703adc0.12fd1"],["2b738415.408d4c"],["6d97371a.406348"],["4ae621e1.9ae6"],["5786cee2.98109"],["54077728.447648"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact",null,"case_task","case_task_log","alert","user"]},{"id":"a259a26c.a21","type":"switch","z":"dca608c3.7d8af8","name":"Delete","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":890,"y":1200,"wires":[["60c8bcfb.eff1f4"],["df708bab.348308"],["e9a8650c.e20cc8"]],"outputLabels":["case","case_artifact",""],"info":"Deleting a case task doesnt actually trigger a delete event. 
It triggers an `update` event where the status = cancelled"},{"id":"54077728.447648","type":"switch","z":"dca608c3.7d8af8","name":"User","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Locked","vt":"str"},{"t":"eq","v":"Ok","vt":"str"}],"checkall":"false","repair":false,"outputs":2,"x":1130,"y":980,"wires":[["9429d6c5.5ac788"],["4e3e091c.d35388"]]},{"id":"9429d6c5.5ac788","type":"function","z":"dca608c3.7d8af8","name":"status: Locked","func":"msg.topic = \"[The Hive] A user account was locked\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1380,"y":972,"wires":[[]],"info":"- User account was locked"},{"id":"4e3e091c.d35388","type":"function","z":"dca608c3.7d8af8","name":"status: Ok","func":"msg.topic = \"[The Hive] A user account was changed\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1360,"y":1020,"wires":[[]],"info":"- User account was unlocked\n- User description was changed\n- User role was changed\n- User API key was added\n- User API key was revoked\n"},{"id":"485f3be.1ffcfc4","type":"function","z":"dca608c3.7d8af8","name":"status: Open","func":"// Fires when a Case is updated AND status = open\n// This can include things like TLP/PAP changes\n\nreturn msg;","outputs":1,"noerr":0,"x":1370,"y":660,"wires":[[]]},{"id":"eebe1748.1cd348","type":"switch","z":"dca608c3.7d8af8","name":"case","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Open","vt":"str"}],"checkall":"true","repair":false,"outputs":1,"x":1130,"y":740,"wires":[["485f3be.1ffcfc4","e4b7b4bf.2fb828"]],"info":"- A case was modified"},{"id":"8c54e39.a1b4f2","type":"switch","z":"dca608c3.7d8af8","name":"case_artifact: Run 
Analyzer","property":"payload.object.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1600,"y":340,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["eb8cfeb7.a7118","a5dd8a8a.065b88"]],"info":"# References\n\n\n"},{"id":"2fce29bb.1b1376","type":"function","z":"dca608c3.7d8af8","name":"Add headers","func":"msg.thehive_url = 'https://{{ MANAGERIP }}/thehive';\nmsg.cortex_url = 'https://{{ MANAGERIP }}/cortex';\nmsg.cortex_id = 'CORTEX-SERVER-ID';\nreturn msg;","outputs":1,"noerr":0,"x":350,"y":780,"wires":[["a4ecb84a.805958"]]},{"id":"e4b7b4bf.2fb828","type":"function","z":"dca608c3.7d8af8","name":"status: Resolved","func":"// Fires when a case is closed (resolved)\n\nreturn msg;","outputs":1,"noerr":0,"x":1390,"y":720,"wires":[[]]},{"id":"e88b4cc2.f6afe","type":"function","z":"dca608c3.7d8af8","name":"case","func":"// Fires when a case is created\n// or when a responder is generated against a case\n\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":320,"wires":[[]]},{"id":"64203fe8.e0ad5","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is created\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":400,"wires":[[]]},{"id":"3511de51.889a02","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"// Fires when a case task log is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1163,"y":440,"wires":[[]]},{"id":"14544a8b.b6b2f5","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"// Fires when a Responder or Analyzser is Run on an existing observable\n\nreturn msg;","outputs":1,"noerr":0,"x":1173,"y":480,"wires":[[]]},{"id":"2b738415.408d4c","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"\nreturn msg;","outputs":1,"noerr":0,"x":1170,"y":820,"wires":[[]]},{"id":"3eb4bedf.6e20a2","type":"function","z":"dca608c3.7d8af8","name":"user","func":"// Fires when a user is 
created\n\nreturn msg;","outputs":1,"noerr":0,"x":1133,"y":560,"wires":[[]]},{"id":"d703adc0.12fd1","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"// Fires when an artifact is updated\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":780,"wires":[[]]},{"id":"6d97371a.406348","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is updated\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":860,"wires":[[]]},{"id":"4ae621e1.9ae6","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is updated\n\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":900,"wires":[[]]},{"id":"60c8bcfb.eff1f4","type":"function","z":"dca608c3.7d8af8","name":"case","func":"//Fires when a case is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":1160,"wires":[[]]},{"id":"df708bab.348308","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"//Fires when a case_artifact is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":1200,"wires":[[]]},{"id":"e9a8650c.e20cc8","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":1240,"wires":[[]]},{"id":"5786cee2.98109","type":"function","z":"dca608c3.7d8af8","name":"alert","func":"//Fires when an alert is updated\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":940,"wires":[[]]},{"id":"44c595a4.45d45c","type":"change","z":"dca608c3.7d8af8","d":true,"name":"Convert Alert Msg to Artifacts","rules":[{"t":"move","p":"payload.object.artifacts","pt":"msg","to":"payload","tot":"msg"}],"action":"","property":"","from":"","to":"","reg":false,"x":1200,"y":520,"wires":[["6dcca25e.04bd2c"]]},{"id":"6dcca25e.04bd2c","type":"split","z":"dca608c3.7d8af8","name":"Split 
Artifacts","splt":"\\n","spltType":"str","arraySplt":1,"arraySpltType":"len","stream":false,"addname":"","x":1430,"y":520,"wires":[["767c84f2.c9ba2c"]]},{"id":"767c84f2.c9ba2c","type":"switch","z":"dca608c3.7d8af8","name":"alert: Run Analyzer","property":"payload.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1630,"y":400,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["a5dd8a8a.065b88","eb8cfeb7.a7118"]],"info":"# References\n\n\n"},{"id":"82ad0f08.7a53f","type":"http response","z":"dca608c3.7d8af8","name":"Ack Event Receipt","statusCode":"200","headers":{},"x":250,"y":940,"wires":[]},{"id":"a5dd8a8a.065b88","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: CERT DNS","func":"msg.analyzer_id = \"4f28afc20d78f98df425e36e561af33f\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1930,"y":420,"wires":[["f050a09f.b2201"]]},{"id":"eb8cfeb7.a7118","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: Urlscan","func":"msg.analyzer_id = \"54e51b62c6c8ddc3cbc3cbdd889a0557\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = 
msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1920,"y":320,"wires":[["f050a09f.b2201"]]},{"id":"1c448528.3032fb","type":"http request","z":"dca608c3.7d8af8","name":"Submit to Cortex","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ CORTEXKEY }}"},"x":2450,"y":420,"wires":[["ea6614fb.752a78"]]},{"id":"ea6614fb.752a78","type":"debug","z":"dca608c3.7d8af8","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":2670,"y":360,"wires":[]},{"id":"f050a09f.b2201","type":"switch","z":"dca608c3.7d8af8","name":"Cases vs Alerts","property":"tag","propertyType":"msg","rules":[{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"observable","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":2200,"y":360,"wires":[["f7fca977.a73b28"],["1c448528.3032fb"]],"inputLabels":["Data"],"outputLabels":["Cases","Alerts"]},{"id":"f7fca977.a73b28","type":"http request","z":"dca608c3.7d8af8","name":"Submit to TheHive","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ HIVEKEY }}"},"x":2450,"y":280,"wires":[["ea6614fb.752a78"]]}] diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls deleted file mode 100644 index 8029dbaf1..000000000 --- a/salt/nodered/init.sls +++ /dev/null 
@@ -1,91 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - -# Create the nodered group -noderedgroup: - group.present: - - name: nodered - - gid: 947 - -# Add the nodered user -nodered: - user.present: - - uid: 947 - - gid: 947 - - home: /opt/so/conf/nodered - -#noderedconfdir: -# file.directory: -# - name: /opt/so/conf/nodered -# - user: 947 -# - group: 939 -# - mode: 775 -# - makedirs: True - -noderedflows: - file.recurse: - - name: /opt/so/saltstack/default/salt/nodered/ - - source: salt://nodered/files - - user: 947 - - group: 939 - - template: jinja - -noderedflowsload: - file.managed: - - name: /usr/sbin/so-nodered-load-flows - - source: salt://nodered/files/nodered_load_flows - - user: root - - group: root - - mode: 755 - - template: jinja - -noderedlog: - file.directory: - - name: /opt/so/log/nodered - - user: 947 - - group: 939 - - mode: 755 - - makedirs: True - -so-nodered: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nodered:{{ VERSION }} - - interactive: True - - binds: - - /opt/so/conf/nodered/:/data:rw - - port_bindings: - - 0.0.0.0:1880:1880 - -append_so-nodered_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - 
text: so-nodered - -so-nodered-flows: - cmd.run: - - name: /usr/sbin/so-nodered-load-flows - - cwd: / - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index ccaf84f52..2d047e731 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -1,23 +1,14 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from "pcap/map.jinja" import STENOOPTIONS with context %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml new file mode 100644 index 000000000..515dd346b --- /dev/null +++ b/salt/pcap/soc_pcap.yaml 
@@ -0,0 +1,12 @@ +pcap: + config: + enabled: + description: Enable or Disable Stenographer on all sensors or a single sensor + maxfiles: + description: The maximum number of packet/index files to create before cleaning old ones up. + diskfreepercentage: + description: The disk space percent to always keep free for pcap + blocks: + description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. + preallocate_file_mb: + description: File size to pre-allocate for individual pcap files. You shouldn't need to change this. diff --git a/salt/playbook/OLD_db_init.sls b/salt/playbook/OLD_db_init.sls deleted file mode 100644 index 02d5310b0..000000000 --- a/salt/playbook/OLD_db_init.sls +++ /dev/null @@ -1,14 +0,0 @@ - -# This state will import the initial default playbook database. -# If there is an existing playbook database, it will be overwritten - no backups are made. - -include: - - mysql - -salt://playbook/files/OLD_playbook_db_init.sh: - cmd.script: - - cwd: /root - - template: jinja - -'sleep 5': - cmd.run \ No newline at end of file diff --git a/salt/playbook/automation_user_create.sls b/salt/playbook/automation_user_create.sls index e333a4a99..61662677f 100644 --- a/salt/playbook/automation_user_create.sls +++ b/salt/playbook/automation_user_create.sls @@ -1,4 +1,4 @@ -{% set MAINIP = salt['pillar.get']('global:managerip') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} # This state will create the SecOps Automation user within Playbook @@ -7,7 +7,7 @@ include: wait_for_playbook: cmd.run: - - name: until nc -z {{ MAINIP }} 3200; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager_ip }} 3200; do sleep 1; done - timeout: 300 create_user: diff --git a/salt/playbook/files/OLD_playbook_db_init.sh b/salt/playbook/files/OLD_playbook_db_init.sh deleted file mode 100644 index 22428780c..000000000 --- a/salt/playbook/files/OLD_playbook_db_init.sh +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/sh - -# {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} - -default_salt_dir=/opt/so/saltstack/default - -docker cp $default_salt_dir/salt/playbook/files/OLD_playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql -docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b -uroot -p{{MYSQLPASS}} < /tmp/playbook_db_init.sql" \ No newline at end of file diff --git a/salt/playbook/files/OLD_playbook_db_init.sql b/salt/playbook/files/OLD_playbook_db_init.sql deleted file mode 100644 index d48f656b9..000000000 --- a/salt/playbook/files/OLD_playbook_db_init.sql +++ /dev/null 
@@ -1,1767 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.24, for Linux (x86_64) --- --- Host: localhost Database: playbook --- ------------------------------------------------------ --- Server version 5.7.24 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Current Database: `playbook` --- - -CREATE DATABASE /*!32312 IF NOT EXISTS*/ `playbook` /*!40100 DEFAULT CHARACTER SET latin1 */; - -USE `playbook`; - --- --- Table structure for table `ar_internal_metadata` --- - -DROP TABLE IF EXISTS `ar_internal_metadata`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `ar_internal_metadata` ( - `key` varchar(255) NOT NULL, - `value` varchar(255) DEFAULT NULL, - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`key`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `ar_internal_metadata` --- - -LOCK TABLES `ar_internal_metadata` WRITE; -/*!40000 ALTER TABLE `ar_internal_metadata` DISABLE KEYS */; -INSERT INTO `ar_internal_metadata` VALUES ('environment','production','2020-04-26 13:08:38','2020-04-26 13:08:38'); -/*!40000 ALTER TABLE `ar_internal_metadata` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `attachments` --- - -DROP TABLE IF EXISTS `attachments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; 
-/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `attachments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `container_id` int(11) DEFAULT NULL, - `container_type` varchar(30) DEFAULT NULL, - `filename` varchar(255) NOT NULL DEFAULT '', - `disk_filename` varchar(255) NOT NULL DEFAULT '', - `filesize` bigint(20) NOT NULL DEFAULT '0', - `content_type` varchar(255) DEFAULT '', - `digest` varchar(64) NOT NULL DEFAULT '', - `downloads` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `description` varchar(255) DEFAULT NULL, - `disk_directory` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_attachments_on_author_id` (`author_id`), - KEY `index_attachments_on_created_on` (`created_on`), - KEY `index_attachments_on_container_id_and_container_type` (`container_id`,`container_type`), - KEY `index_attachments_on_disk_filename` (`disk_filename`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `attachments` --- - -LOCK TABLES `attachments` WRITE; -/*!40000 ALTER TABLE `attachments` DISABLE KEYS */; -/*!40000 ALTER TABLE `attachments` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `auth_sources` --- - -DROP TABLE IF EXISTS `auth_sources`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_sources` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(60) NOT NULL DEFAULT '', - `host` varchar(60) DEFAULT NULL, - `port` int(11) DEFAULT NULL, - `account` varchar(255) DEFAULT NULL, - `account_password` varchar(255) DEFAULT '', - `base_dn` varchar(255) DEFAULT NULL, - `attr_login` varchar(30) DEFAULT NULL, - `attr_firstname` varchar(30) DEFAULT NULL, - `attr_lastname` varchar(30) DEFAULT NULL, - `attr_mail` varchar(30) DEFAULT NULL, - `onthefly_register` tinyint(1) 
NOT NULL DEFAULT '0', - `tls` tinyint(1) NOT NULL DEFAULT '0', - `filter` text, - `timeout` int(11) DEFAULT NULL, - `verify_peer` tinyint(1) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `index_auth_sources_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `auth_sources` --- - -LOCK TABLES `auth_sources` WRITE; -/*!40000 ALTER TABLE `auth_sources` DISABLE KEYS */; -/*!40000 ALTER TABLE `auth_sources` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `boards` --- - -DROP TABLE IF EXISTS `boards`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `boards` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `position` int(11) DEFAULT NULL, - `topics_count` int(11) NOT NULL DEFAULT '0', - `messages_count` int(11) NOT NULL DEFAULT '0', - `last_message_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `boards_project_id` (`project_id`), - KEY `index_boards_on_last_message_id` (`last_message_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `boards` --- - -LOCK TABLES `boards` WRITE; -/*!40000 ALTER TABLE `boards` DISABLE KEYS */; -/*!40000 ALTER TABLE `boards` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changes` --- - -DROP TABLE IF EXISTS `changes`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changes` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `changeset_id` int(11) NOT NULL, - `action` varchar(1) NOT NULL DEFAULT '', - `path` text NOT NULL, - `from_path` text, - `from_revision` varchar(255) DEFAULT NULL, - `revision` varchar(255) 
DEFAULT NULL, - `branch` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `changesets_changeset_id` (`changeset_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changes` --- - -LOCK TABLES `changes` WRITE; -/*!40000 ALTER TABLE `changes` DISABLE KEYS */; -/*!40000 ALTER TABLE `changes` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changeset_parents` --- - -DROP TABLE IF EXISTS `changeset_parents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changeset_parents` ( - `changeset_id` int(11) NOT NULL, - `parent_id` int(11) NOT NULL, - KEY `changeset_parents_changeset_ids` (`changeset_id`), - KEY `changeset_parents_parent_ids` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changeset_parents` --- - -LOCK TABLES `changeset_parents` WRITE; -/*!40000 ALTER TABLE `changeset_parents` DISABLE KEYS */; -/*!40000 ALTER TABLE `changeset_parents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changesets` --- - -DROP TABLE IF EXISTS `changesets`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `repository_id` int(11) NOT NULL, - `revision` varchar(255) NOT NULL, - `committer` varchar(255) DEFAULT NULL, - `committed_on` datetime NOT NULL, - `comments` longtext, - `commit_date` date DEFAULT NULL, - `scmid` varchar(255) DEFAULT NULL, - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `changesets_repos_rev` (`repository_id`,`revision`), - KEY `index_changesets_on_user_id` (`user_id`), - KEY `index_changesets_on_repository_id` (`repository_id`), - KEY `index_changesets_on_committed_on` (`committed_on`), - KEY `changesets_repos_scmid` 
(`repository_id`,`scmid`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changesets` --- - -LOCK TABLES `changesets` WRITE; -/*!40000 ALTER TABLE `changesets` DISABLE KEYS */; -/*!40000 ALTER TABLE `changesets` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changesets_issues` --- - -DROP TABLE IF EXISTS `changesets_issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets_issues` ( - `changeset_id` int(11) NOT NULL, - `issue_id` int(11) NOT NULL, - UNIQUE KEY `changesets_issues_ids` (`changeset_id`,`issue_id`), - KEY `index_changesets_issues_on_issue_id` (`issue_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changesets_issues` --- - -LOCK TABLES `changesets_issues` WRITE; -/*!40000 ALTER TABLE `changesets_issues` DISABLE KEYS */; -/*!40000 ALTER TABLE `changesets_issues` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `comments` --- - -DROP TABLE IF EXISTS `comments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `comments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `commented_type` varchar(30) NOT NULL DEFAULT '', - `commented_id` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `content` text, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_comments_on_commented_id_and_commented_type` (`commented_id`,`commented_type`), - KEY `index_comments_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `comments` --- - -LOCK TABLES `comments` WRITE; -/*!40000 ALTER TABLE `comments` DISABLE KEYS */; -/*!40000 ALTER 
TABLE `comments` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_field_enumerations` --- - -DROP TABLE IF EXISTS `custom_field_enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_field_enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `custom_field_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `position` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_field_enumerations` --- - -LOCK TABLES `custom_field_enumerations` WRITE; -/*!40000 ALTER TABLE `custom_field_enumerations` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_field_enumerations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields` --- - -DROP TABLE IF EXISTS `custom_fields`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(30) NOT NULL DEFAULT '', - `field_format` varchar(30) NOT NULL DEFAULT '', - `possible_values` text, - `regexp` varchar(255) DEFAULT '', - `min_length` int(11) DEFAULT NULL, - `max_length` int(11) DEFAULT NULL, - `is_required` tinyint(1) NOT NULL DEFAULT '0', - `is_for_all` tinyint(1) NOT NULL DEFAULT '0', - `is_filter` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `searchable` tinyint(1) DEFAULT '0', - `default_value` text, - `editable` tinyint(1) DEFAULT '1', - `visible` tinyint(1) NOT NULL DEFAULT '1', - `multiple` tinyint(1) DEFAULT '0', - `format_store` text, - `description` text, - PRIMARY KEY (`id`), - KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=27 DEFAULT CHARSET=latin1; -/*!40101 
SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields` --- - -LOCK TABLES `custom_fields` WRITE; -/*!40000 ALTER TABLE `custom_fields` DISABLE KEYS */; -INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,16,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,17,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,18,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- 
low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Rule ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- 
T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1480\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1514\n- T1518\n- T1519\n- T1522\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- T1549\n- T1550\n- T1551\n- T1552\n- T1553\n- T1554\n- T1555\n- T1556\n- T1557\n- T1558\n- T1559\n- T1560\n- T1561\n- T1562\n- T1563\n- T1564\n- T1565\n- T1566\n- T1567\n- T1568\n- T1569\n- T1570\n- T1571\n- T1572\n- T1573\n- T1574\n- T1575\n- T1576\n- T1577\n- T1578\n- T1579\n- T1580\n- T1581\n- T1582\n- T1583\n- T1584\n- T1585\n- T1586\n- T1587\n- T1588\n- T1589\n- T1590\n- T1591\n- T1592\n- T1593\n- T1594\n- T1595\n- T1596\n- T1597\n- T1598\n- T1599\n- T1600\n- T1601\n- T1602\n- T1603\n- T1604\n- T1605\n- T1606\n- T1607\n- T1608\n- T1609\n- T1610\n- T1611\n- T1612\n- T1613\n- T1614\n- T1615\n- T1616\n- T1617\n- T1618\n- T1619\n- T1620\n- T1621\n- T1622\n- T1623\n- T1624\n- T1625\n- 
T1626\n- T1627\n- T1628\n- T1629\n- T1630\n- T1631\n- T1632\n- T1633\n- T1634\n- T1635\n- T1636\n- T1637\n- T1638\n- T1639\n- T1640\n- T1641\n- T1642\n- T1643\n- T1644\n- T1645\n- T1646\n- T1647\n- T1648\n- T1649\n- T1650\n- T1651\n- T1652\n- T1653\n- T1654\n- T1655\n- T1656\n- T1657\n- T1658\n- T1659\n- T1660\n- T1661\n- T1662\n- T1663\n- T1664\n- T1665\n- T1666\n- T1667\n- T1668\n- T1669\n- T1670\n- T1671\n- T1672\n- T1673\n- T1674\n- T1675\n- T1676\n- T1677\n- T1678\n- T1679\n- T1680\n- T1681\n- T1682\n- T1683\n- T1684\n- T1685\n- T1686\n- T1687\n- T1688\n- T1689\n- T1690\n- T1691\n- T1692\n- T1693\n- T1694\n- T1695\n- T1696\n- T1697\n- T1698\n- T1699\n- T1700\n- T1701\n- T1702\n- T1703\n- T1704\n- T1705\n- T1706\n- T1707\n- T1708\n- T1709\n- T1710\n- T1711\n- T1712\n- T1713\n- T1714\n- T1715\n- T1716\n- T1717\n- T1718\n- T1719\n- T1720\n- T1721\n- T1722\n- T1723\n- T1724\n- T1725\n- T1726\n- T1727\n- T1728\n- T1729\n- T1730\n- T1731\n- T1732\n- T1733\n- T1734\n- T1735\n- T1736\n- T1737\n- T1738\n- T1739\n- T1740\n- T1741\n- T1742\n- T1743\n- T1744\n- T1745\n- T1746\n- T1747\n- T1748\n- T1749\n- T1750\n- T1751\n- T1752\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,12,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(18,'IssueCustomField','Ruleset','string',NULL,'',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(19,'IssueCustomField','Group','string',NULL,'',NULL,NULL,0,1,1,11,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: 
\'\'\n',''),(20,'IssueCustomField','Product','string',NULL,'',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(21,'IssueCustomField','Target Log','text',NULL,'',NULL,NULL,0,1,0,19,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(22,'IssueCustomField','Unit Test','list','---\n- Passed\n- Failed\n','',NULL,NULL,0,1,1,20,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(26,'IssueCustomField','License','list','---\n- Apache-2.0\n- BSD-2-Clause\n- BSD-3-Clause\n- CC0-1.0\n- CC-PDDC\n- DRL-1.0\n- LGPL-3.0-only\n- MIT License\n- GPL-2.0-only\n- GPL-3.0-only\n','',NULL,NULL,0,1,0,21,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://spdx.org/licenses/%value%.html\nedit_tag_style: \'\'\n',''); -/*!40000 ALTER TABLE `custom_fields` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_projects` --- - -DROP TABLE IF EXISTS `custom_fields_projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_projects` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_projects_on_custom_field_id_and_project_id` (`custom_field_id`,`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_projects` --- - -LOCK TABLES `custom_fields_projects` WRITE; -/*!40000 ALTER TABLE `custom_fields_projects` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_fields_projects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_roles` --- - -DROP TABLE IF EXISTS `custom_fields_roles`; -/*!40101 SET @saved_cs_client = 
@@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_roles` ( - `custom_field_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `custom_fields_roles_ids` (`custom_field_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_roles` --- - -LOCK TABLES `custom_fields_roles` WRITE; -/*!40000 ALTER TABLE `custom_fields_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_fields_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_trackers` --- - -DROP TABLE IF EXISTS `custom_fields_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_trackers` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_trackers_on_custom_field_id_and_tracker_id` (`custom_field_id`,`tracker_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_trackers` --- - -LOCK TABLES `custom_fields_trackers` WRITE; -/*!40000 ALTER TABLE `custom_fields_trackers` DISABLE KEYS */; -INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(15,1),(17,1),(18,1),(19,1),(20,1),(21,1),(22,1),(26,1); -/*!40000 ALTER TABLE `custom_fields_trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_values` --- - -DROP TABLE IF EXISTS `custom_values`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_values` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `customized_type` varchar(30) NOT NULL DEFAULT '', - `customized_id` int(11) NOT NULL DEFAULT '0', - `custom_field_id` int(11) NOT 
NULL DEFAULT '0', - `value` longtext, - PRIMARY KEY (`id`), - KEY `custom_values_customized` (`customized_type`,`customized_id`), - KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=145325 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_values` --- - -LOCK TABLES `custom_values` WRITE; -/*!40000 ALTER TABLE `custom_values` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_values` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `documents` --- - -DROP TABLE IF EXISTS `documents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `documents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `category_id` int(11) NOT NULL DEFAULT '0', - `title` varchar(255) NOT NULL DEFAULT '', - `description` text, - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `documents_project_id` (`project_id`), - KEY `index_documents_on_category_id` (`category_id`), - KEY `index_documents_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `documents` --- - -LOCK TABLES `documents` WRITE; -/*!40000 ALTER TABLE `documents` DISABLE KEYS */; -/*!40000 ALTER TABLE `documents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `email_addresses` --- - -DROP TABLE IF EXISTS `email_addresses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `email_addresses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL, - `address` varchar(255) NOT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `notify` tinyint(1) NOT NULL DEFAULT '1', - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY 
(`id`), - KEY `index_email_addresses_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `email_addresses` --- - -LOCK TABLES `email_addresses` WRITE; -/*!40000 ALTER TABLE `email_addresses` DISABLE KEYS */; -INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 13:08:38'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); -/*!40000 ALTER TABLE `email_addresses` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `enabled_modules` --- - -DROP TABLE IF EXISTS `enabled_modules`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enabled_modules` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL, - PRIMARY KEY (`id`), - KEY `enabled_modules_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `enabled_modules` --- - -LOCK TABLES `enabled_modules` WRITE; -/*!40000 ALTER TABLE `enabled_modules` DISABLE KEYS */; -INSERT INTO `enabled_modules` VALUES (1,1,'sigma_editor'),(2,1,'issue_tracking'); -/*!40000 ALTER TABLE `enabled_modules` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `enumerations` --- - -DROP TABLE IF EXISTS `enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(255) DEFAULT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `project_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - 
`position_name` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_enumerations_on_project_id` (`project_id`), - KEY `index_enumerations_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `enumerations` --- - -LOCK TABLES `enumerations` WRITE; -/*!40000 ALTER TABLE `enumerations` DISABLE KEYS */; -INSERT INTO `enumerations` VALUES (1,'Normal',1,1,'IssuePriority',1,NULL,NULL,'default'); -/*!40000 ALTER TABLE `enumerations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `groups_users` --- - -DROP TABLE IF EXISTS `groups_users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `groups_users` ( - `group_id` int(11) NOT NULL, - `user_id` int(11) NOT NULL, - UNIQUE KEY `groups_users_ids` (`group_id`,`user_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `groups_users` --- - -LOCK TABLES `groups_users` WRITE; -/*!40000 ALTER TABLE `groups_users` DISABLE KEYS */; -INSERT INTO `groups_users` VALUES (6,9),(7,1); -/*!40000 ALTER TABLE `groups_users` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `import_items` --- - -DROP TABLE IF EXISTS `import_items`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `import_items` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `import_id` int(11) NOT NULL, - `position` int(11) NOT NULL, - `obj_id` int(11) DEFAULT NULL, - `message` text, - `unique_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_import_items_on_import_id_and_unique_id` (`import_id`,`unique_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `import_items` --- - -LOCK TABLES 
`import_items` WRITE; -/*!40000 ALTER TABLE `import_items` DISABLE KEYS */; -/*!40000 ALTER TABLE `import_items` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `imports` --- - -DROP TABLE IF EXISTS `imports`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `imports` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(255) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `filename` varchar(255) DEFAULT NULL, - `settings` text, - `total_items` int(11) DEFAULT NULL, - `finished` tinyint(1) NOT NULL DEFAULT '0', - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `imports` --- - -LOCK TABLES `imports` WRITE; -/*!40000 ALTER TABLE `imports` DISABLE KEYS */; -/*!40000 ALTER TABLE `imports` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_categories` --- - -DROP TABLE IF EXISTS `issue_categories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_categories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(60) NOT NULL DEFAULT '', - `assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issue_categories_project_id` (`project_id`), - KEY `index_issue_categories_on_assigned_to_id` (`assigned_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_categories` --- - -LOCK TABLES `issue_categories` WRITE; -/*!40000 ALTER TABLE `issue_categories` DISABLE KEYS */; -/*!40000 ALTER TABLE `issue_categories` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_relations` --- - -DROP TABLE IF EXISTS `issue_relations`; -/*!40101 SET 
@saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_relations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issue_from_id` int(11) NOT NULL, - `issue_to_id` int(11) NOT NULL, - `relation_type` varchar(255) NOT NULL DEFAULT '', - `delay` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `index_issue_relations_on_issue_from_id_and_issue_to_id` (`issue_from_id`,`issue_to_id`), - KEY `index_issue_relations_on_issue_from_id` (`issue_from_id`), - KEY `index_issue_relations_on_issue_to_id` (`issue_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_relations` --- - -LOCK TABLES `issue_relations` WRITE; -/*!40000 ALTER TABLE `issue_relations` DISABLE KEYS */; -/*!40000 ALTER TABLE `issue_relations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_statuses` --- - -DROP TABLE IF EXISTS `issue_statuses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_statuses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `is_closed` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `default_done_ratio` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_issue_statuses_on_position` (`position`), - KEY `index_issue_statuses_on_is_closed` (`is_closed`) -) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_statuses` --- - -LOCK TABLES `issue_statuses` WRITE; -/*!40000 ALTER TABLE `issue_statuses` DISABLE KEYS */; -INSERT INTO `issue_statuses` VALUES (2,'Draft',0,1,NULL),(3,'Active',0,2,NULL),(4,'Inactive',0,3,NULL),(5,'Archived',0,4,NULL),(6,'Disabled',0,5,NULL); -/*!40000 ALTER TABLE `issue_statuses` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table 
`issues` --- - -DROP TABLE IF EXISTS `issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issues` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL, - `project_id` int(11) NOT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `description` longtext, - `due_date` date DEFAULT NULL, - `category_id` int(11) DEFAULT NULL, - `status_id` int(11) NOT NULL, - `assigned_to_id` int(11) DEFAULT NULL, - `priority_id` int(11) NOT NULL, - `fixed_version_id` int(11) DEFAULT NULL, - `author_id` int(11) NOT NULL, - `lock_version` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `start_date` date DEFAULT NULL, - `done_ratio` int(11) NOT NULL DEFAULT '0', - `estimated_hours` float DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `root_id` int(11) DEFAULT NULL, - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `is_private` tinyint(1) NOT NULL DEFAULT '0', - `closed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issues_project_id` (`project_id`), - KEY `index_issues_on_status_id` (`status_id`), - KEY `index_issues_on_category_id` (`category_id`), - KEY `index_issues_on_assigned_to_id` (`assigned_to_id`), - KEY `index_issues_on_fixed_version_id` (`fixed_version_id`), - KEY `index_issues_on_tracker_id` (`tracker_id`), - KEY `index_issues_on_priority_id` (`priority_id`), - KEY `index_issues_on_author_id` (`author_id`), - KEY `index_issues_on_created_on` (`created_on`), - KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), - KEY `index_issues_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issues` --- - -LOCK TABLES `issues` WRITE; -/*!40000 ALTER TABLE `issues` DISABLE KEYS */; -/*!40000 ALTER TABLE `issues` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table 
structure for table `journal_details` --- - -DROP TABLE IF EXISTS `journal_details`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journal_details` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journal_id` int(11) NOT NULL DEFAULT '0', - `property` varchar(30) NOT NULL DEFAULT '', - `prop_key` varchar(30) NOT NULL DEFAULT '', - `old_value` longtext, - `value` longtext, - PRIMARY KEY (`id`), - KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=792 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `journal_details` --- - -LOCK TABLES `journal_details` WRITE; -/*!40000 ALTER TABLE `journal_details` DISABLE KEYS */; -/*!40000 ALTER TABLE `journal_details` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `journals` --- - -DROP TABLE IF EXISTS `journals`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journals` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journalized_id` int(11) NOT NULL DEFAULT '0', - `journalized_type` varchar(30) NOT NULL DEFAULT '', - `user_id` int(11) NOT NULL DEFAULT '0', - `notes` longtext, - `created_on` datetime NOT NULL, - `private_notes` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `journals_journalized_id` (`journalized_id`,`journalized_type`), - KEY `index_journals_on_user_id` (`user_id`), - KEY `index_journals_on_journalized_id` (`journalized_id`), - KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=9502 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `journals` --- - -LOCK TABLES `journals` WRITE; -/*!40000 ALTER TABLE `journals` DISABLE KEYS */; -/*!40000 ALTER TABLE `journals` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `member_roles` --- - 
-DROP TABLE IF EXISTS `member_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `member_roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `member_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - `inherited_from` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_member_roles_on_member_id` (`member_id`), - KEY `index_member_roles_on_role_id` (`role_id`), - KEY `index_member_roles_on_inherited_from` (`inherited_from`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `member_roles` --- - -LOCK TABLES `member_roles` WRITE; -/*!40000 ALTER TABLE `member_roles` DISABLE KEYS */; -INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(7,7,4,3); -/*!40000 ALTER TABLE `member_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `members` --- - -DROP TABLE IF EXISTS `members`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `members` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `mail_notification` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - UNIQUE KEY `index_members_on_user_id_and_project_id` (`user_id`,`project_id`), - KEY `index_members_on_user_id` (`user_id`), - KEY `index_members_on_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `members` --- - -LOCK TABLES `members` WRITE; -/*!40000 ALTER TABLE `members` DISABLE KEYS */; -INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(7,1,1,'2020-05-01 
16:42:56',0); -/*!40000 ALTER TABLE `members` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `messages` --- - -DROP TABLE IF EXISTS `messages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `messages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `board_id` int(11) NOT NULL, - `parent_id` int(11) DEFAULT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `content` text, - `author_id` int(11) DEFAULT NULL, - `replies_count` int(11) NOT NULL DEFAULT '0', - `last_reply_id` int(11) DEFAULT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - `locked` tinyint(1) DEFAULT '0', - `sticky` int(11) DEFAULT '0', - PRIMARY KEY (`id`), - KEY `messages_board_id` (`board_id`), - KEY `messages_parent_id` (`parent_id`), - KEY `index_messages_on_last_reply_id` (`last_reply_id`), - KEY `index_messages_on_author_id` (`author_id`), - KEY `index_messages_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `messages` --- - -LOCK TABLES `messages` WRITE; -/*!40000 ALTER TABLE `messages` DISABLE KEYS */; -/*!40000 ALTER TABLE `messages` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `news` --- - -DROP TABLE IF EXISTS `news`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `news` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `title` varchar(60) NOT NULL DEFAULT '', - `summary` varchar(255) DEFAULT '', - `description` text, - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `comments_count` int(11) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `news_project_id` (`project_id`), - KEY `index_news_on_author_id` (`author_id`), - KEY `index_news_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT 
CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `news` --- - -LOCK TABLES `news` WRITE; -/*!40000 ALTER TABLE `news` DISABLE KEYS */; -/*!40000 ALTER TABLE `news` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `open_id_authentication_associations` --- - -DROP TABLE IF EXISTS `open_id_authentication_associations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_associations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issued` int(11) DEFAULT NULL, - `lifetime` int(11) DEFAULT NULL, - `handle` varchar(255) DEFAULT NULL, - `assoc_type` varchar(255) DEFAULT NULL, - `server_url` blob, - `secret` blob, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `open_id_authentication_associations` --- - -LOCK TABLES `open_id_authentication_associations` WRITE; -/*!40000 ALTER TABLE `open_id_authentication_associations` DISABLE KEYS */; -/*!40000 ALTER TABLE `open_id_authentication_associations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `open_id_authentication_nonces` --- - -DROP TABLE IF EXISTS `open_id_authentication_nonces`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_nonces` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `timestamp` int(11) NOT NULL, - `server_url` varchar(255) DEFAULT NULL, - `salt` varchar(255) NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `open_id_authentication_nonces` --- - -LOCK TABLES `open_id_authentication_nonces` WRITE; -/*!40000 ALTER TABLE `open_id_authentication_nonces` DISABLE KEYS */; -/*!40000 ALTER TABLE 
`open_id_authentication_nonces` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `projects` --- - -DROP TABLE IF EXISTS `projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `description` text, - `homepage` varchar(255) DEFAULT '', - `is_public` tinyint(1) NOT NULL DEFAULT '1', - `parent_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `identifier` varchar(255) DEFAULT NULL, - `status` int(11) NOT NULL DEFAULT '1', - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `inherit_members` tinyint(1) NOT NULL DEFAULT '0', - `default_version_id` int(11) DEFAULT NULL, - `default_assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_projects_on_lft` (`lft`), - KEY `index_projects_on_rgt` (`rgt`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `projects` --- - -LOCK TABLES `projects` WRITE; -/*!40000 ALTER TABLE `projects` DISABLE KEYS */; -INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',1,NULL,'2020-04-26 13:13:01','2020-07-10 19:33:53','detection-playbooks',1,1,2,0,NULL,NULL); -/*!40000 ALTER TABLE `projects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `projects_trackers` --- - -DROP TABLE IF EXISTS `projects_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects_trackers` ( - `project_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `projects_trackers_unique` (`project_id`,`tracker_id`), - KEY `projects_trackers_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = 
@saved_cs_client */; - --- --- Dumping data for table `projects_trackers` --- - -LOCK TABLES `projects_trackers` WRITE; -/*!40000 ALTER TABLE `projects_trackers` DISABLE KEYS */; -INSERT INTO `projects_trackers` VALUES (1,1); -/*!40000 ALTER TABLE `projects_trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `queries` --- - -DROP TABLE IF EXISTS `queries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `filters` text, - `user_id` int(11) NOT NULL DEFAULT '0', - `column_names` text, - `sort_criteria` text, - `group_by` varchar(255) DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `visibility` int(11) DEFAULT '0', - `options` text, - PRIMARY KEY (`id`), - KEY `index_queries_on_project_id` (`project_id`), - KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `queries` --- - -LOCK TABLES `queries` WRITE; -/*!40000 ALTER TABLE `queries` DISABLE KEYS */; -INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Inactive Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'4\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: 
\n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_18\n- :cf_19\n- :cf_20\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(9,NULL,'Active Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\nstatus_id:\n :operator: \"=\"\n :values:\n - \'3\'\n',1,'---\n- :status\n- :cf_10\n- :cf_13\n- :cf_18\n- :cf_19\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); -/*!40000 ALTER TABLE `queries` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `queries_roles` --- - -DROP TABLE IF EXISTS `queries_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries_roles` ( - `query_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `queries_roles_ids` (`query_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `queries_roles` --- - -LOCK TABLES `queries_roles` WRITE; -/*!40000 ALTER TABLE `queries_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `queries_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `repositories` --- - -DROP TABLE IF EXISTS `repositories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET 
character_set_client = utf8 */; -CREATE TABLE `repositories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `url` varchar(255) NOT NULL DEFAULT '', - `login` varchar(60) DEFAULT '', - `password` varchar(255) DEFAULT '', - `root_url` varchar(255) DEFAULT '', - `type` varchar(255) DEFAULT NULL, - `path_encoding` varchar(64) DEFAULT NULL, - `log_encoding` varchar(64) DEFAULT NULL, - `extra_info` longtext, - `identifier` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_repositories_on_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `repositories` --- - -LOCK TABLES `repositories` WRITE; -/*!40000 ALTER TABLE `repositories` DISABLE KEYS */; -/*!40000 ALTER TABLE `repositories` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `roles` --- - -DROP TABLE IF EXISTS `roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `assignable` tinyint(1) DEFAULT '1', - `builtin` int(11) NOT NULL DEFAULT '0', - `permissions` text, - `issues_visibility` varchar(30) NOT NULL DEFAULT 'default', - `users_visibility` varchar(30) NOT NULL DEFAULT 'all', - `time_entries_visibility` varchar(30) NOT NULL DEFAULT 'all', - `all_roles_managed` tinyint(1) NOT NULL DEFAULT '1', - `settings` text, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `roles` --- - -LOCK TABLES `roles` WRITE; -/*!40000 ALTER TABLE `roles` DISABLE KEYS */; -INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- 
!ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,'---\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- :add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- 
:edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); -/*!40000 ALTER TABLE `roles` ENABLE 
KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `roles_managed_roles` --- - -DROP TABLE IF EXISTS `roles_managed_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles_managed_roles` ( - `role_id` int(11) NOT NULL, - `managed_role_id` int(11) NOT NULL, - UNIQUE KEY `index_roles_managed_roles_on_role_id_and_managed_role_id` (`role_id`,`managed_role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `roles_managed_roles` --- - -LOCK TABLES `roles_managed_roles` WRITE; -/*!40000 ALTER TABLE `roles_managed_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `roles_managed_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `schema_migrations` --- - -DROP TABLE IF EXISTS `schema_migrations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `schema_migrations` ( - `version` varchar(255) NOT NULL, - PRIMARY KEY (`version`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `schema_migrations` --- - -LOCK TABLES `schema_migrations` WRITE; -/*!40000 ALTER TABLE `schema_migrations` DISABLE KEYS */; -INSERT INTO `schema_migrations` VALUES 
('1'),('1-redmine_webhook'),('10'),('100'),('101'),('102'),('103'),('104'),('105'),('106'),('107'),('108'),('11'),('12'),('13'),('14'),('15'),('16'),('17'),('18'),('19'),('2'),('20'),('20090214190337'),('20090312172426'),('20090312194159'),('20090318181151'),('20090323224724'),('20090401221305'),('20090401231134'),('20090403001910'),('20090406161854'),('20090425161243'),('20090503121501'),('20090503121505'),('20090503121510'),('20090614091200'),('20090704172350'),('20090704172355'),('20090704172358'),('20091010093521'),('20091017212227'),('20091017212457'),('20091017212644'),('20091017212938'),('20091017213027'),('20091017213113'),('20091017213151'),('20091017213228'),('20091017213257'),('20091017213332'),('20091017213444'),('20091017213536'),('20091017213642'),('20091017213716'),('20091017213757'),('20091017213835'),('20091017213910'),('20091017214015'),('20091017214107'),('20091017214136'),('20091017214236'),('20091017214308'),('20091017214336'),('20091017214406'),('20091017214440'),('20091017214519'),('20091017214611'),('20091017214644'),('20091017214720'),('20091017214750'),('20091025163651'),('20091108092559'),('20091114105931'),('20091123212029'),('20091205124427'),('20091220183509'),('20091220183727'),('20091220184736'),('20091225164732'),('20091227112908'),('20100129193402'),('20100129193813'),('20100221100219'),('20100313132032'),('20100313171051'),('20100705164950'),('20100819172912'),('20101104182107'),('20101107130441'),('20101114115114'),('20101114115359'),('20110220160626'),('20110223180944'),('20110223180953'),('20110224000000'),('20110226120112'),('20110226120132'),('20110227125750'),('20110228000000'),('20110228000100'),('20110401192910'),('20110408103312'),('20110412065600'),('20110511000000'),('20110902000000'),('20111201201315'),('20120115143024'),('20120115143100'),('20120115143126'),('20120127174243'),('20120205111326'),('20120223110929'),('20120301153455'),('20120422150750'),('20120705074331'),('20120707064544'),('20120714122000'),('2012071412
2100'),('20120714122200'),('20120731164049'),('20120930112914'),('20121026002032'),('20121026003537'),('20121209123234'),('20121209123358'),('20121213084931'),('20130110122628'),('20130201184705'),('20130202090625'),('20130207175206'),('20130207181455'),('20130215073721'),('20130215111127'),('20130215111141'),('20130217094251'),('20130602092539'),('20130710182539'),('20130713104233'),('20130713111657'),('20130729070143'),('20130911193200'),('20131004113137'),('20131005100610'),('20131124175346'),('20131210180802'),('20131214094309'),('20131215104612'),('20131218183023'),('20140228130325'),('20140903143914'),('20140920094058'),('20141029181752'),('20141029181824'),('20141109112308'),('20141122124142'),('20150113194759'),('20150113211532'),('20150113213922'),('20150113213955'),('20150208105930'),('20150510083747'),('20150525103953'),('20150526183158'),('20150528084820'),('20150528092912'),('20150528093249'),('20150725112753'),('20150730122707'),('20150730122735'),('20150921204850'),('20150921210243'),('20151020182334'),('20151020182731'),('20151021184614'),('20151021185456'),('20151021190616'),('20151024082034'),('20151025072118'),('20151031095005'),('20160404080304'),('20160416072926'),('20160529063352'),('20161001122012'),('20161002133421'),('20161010081301'),('20161010081528'),('20161010081600'),('20161126094932'),('20161220091118'),('20170207050700'),('20170302015225'),('20170309214320'),('20170320051650'),('20170418090031'),('20170419144536'),('20170723112801'),('20180501132547'),('20180913072918'),('20180923082945'),('20180923091603'),('20190315094151'),('20190315102101'),('20190510070108'),('20190620135549'),('21'),('22'),('23'),('24'),('25'),('26'),('27'),('28'),('29'),('3'),('30'),('31'),('32'),('33'),('34'),('35'),('36'),('37'),('38'),('39'),('4'),('40'),('41'),('42'),('43'),('44'),('45'),('46'),('47'),('48'),('49'),('5'),('50'),('51'),('52'),('53'),('54'),('55'),('56'),('57'),('58'),('59'),('6'),('60'),('61'),('62'),('63'),('64'),('65'),('66'),('67'),('68')
,('69'),('7'),('70'),('71'),('72'),('73'),('74'),('75'),('76'),('77'),('78'),('79'),('8'),('80'),('81'),('82'),('83'),('84'),('85'),('86'),('87'),('88'),('89'),('9'),('90'),('91'),('92'),('93'),('94'),('95'),('96'),('97'),('98'),('99'); -/*!40000 ALTER TABLE `schema_migrations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `settings` --- - -DROP TABLE IF EXISTS `settings`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `settings` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `value` text, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_settings_on_name` (`name`) -) ENGINE=InnoDB AUTO_INCREMENT=71 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `settings` --- - -LOCK TABLES `settings` WRITE; -/*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','0','2020-07-10 19:32:45'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 
13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.135:7000/playbook/sigmac\ncreate_url: http://10.66.166.135:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 
16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); -/*!40000 ALTER TABLE `settings` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `time_entries` --- - -DROP TABLE IF EXISTS `time_entries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `time_entries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `issue_id` int(11) DEFAULT NULL, - `hours` float NOT NULL, - `comments` varchar(1024) DEFAULT NULL, - `activity_id` int(11) NOT NULL, - `spent_on` date NOT NULL, - `tyear` int(11) NOT NULL, - `tmonth` int(11) NOT NULL, - `tweek` int(11) NOT 
NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `time_entries_project_id` (`project_id`), - KEY `time_entries_issue_id` (`issue_id`), - KEY `index_time_entries_on_activity_id` (`activity_id`), - KEY `index_time_entries_on_user_id` (`user_id`), - KEY `index_time_entries_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `time_entries` --- - -LOCK TABLES `time_entries` WRITE; -/*!40000 ALTER TABLE `time_entries` DISABLE KEYS */; -/*!40000 ALTER TABLE `time_entries` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `tokens` --- - -DROP TABLE IF EXISTS `tokens`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `tokens` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `action` varchar(30) NOT NULL DEFAULT '', - `value` varchar(40) NOT NULL DEFAULT '', - `created_on` datetime NOT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `tokens_value` (`value`), - KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=67 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `tokens` --- - -LOCK TABLES `tokens` WRITE; -/*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 
16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'),(61,1,'session','b01f95709ca1ab086a049cf9c5afd81ca9d4526e','2020-07-15 16:30:42','2020-07-15 16:31:40'),(62,1,'session','d29acdcd0b8e4ebf78ef8f696d3e76df7e2ab2ac','2020-08-17 14:51:59','2020-08-17 14:53:22'); -/*!40000 ALTER TABLE `tokens` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `trackers` --- - -DROP TABLE IF EXISTS `trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trackers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `is_in_chlog` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `is_in_roadmap` tinyint(1) NOT NULL DEFAULT '1', - `fields_bits` int(11) DEFAULT '0', - `default_status_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `trackers` --- - -LOCK TABLES `trackers` WRITE; -/*!40000 ALTER TABLE `trackers` DISABLE KEYS */; -INSERT INTO `trackers` VALUES (1,'Play','',0,1,0,255,2); -/*!40000 ALTER TABLE `trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_preferences` --- - -DROP TABLE IF EXISTS `user_preferences`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE 
`user_preferences` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `others` text, - `hide_mail` tinyint(1) DEFAULT '1', - `time_zone` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_user_preferences_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_preferences` --- - -LOCK TABLES `user_preferences` WRITE; -/*!40000 ALTER TABLE `user_preferences` DISABLE KEYS */; -INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); -/*!40000 ALTER TABLE `user_preferences` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `users` --- - -DROP TABLE IF EXISTS `users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `users` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `login` varchar(255) NOT NULL DEFAULT '', - `hashed_password` varchar(40) NOT NULL DEFAULT '', - `firstname` varchar(30) NOT NULL DEFAULT '', - `lastname` varchar(255) NOT NULL DEFAULT '', - `admin` tinyint(1) NOT NULL DEFAULT '0', - `status` int(11) NOT NULL DEFAULT '1', - `last_login_on` datetime DEFAULT NULL, - `language` varchar(5) DEFAULT '', - `auth_source_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - 
`updated_on` timestamp NULL DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `identity_url` varchar(255) DEFAULT NULL, - `mail_notification` varchar(255) NOT NULL DEFAULT '', - `salt` varchar(64) DEFAULT NULL, - `must_change_passwd` tinyint(1) NOT NULL DEFAULT '0', - `passwd_changed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_users_on_id_and_type` (`id`,`type`), - KEY `index_users_on_auth_source_id` (`auth_source_id`), - KEY `index_users_on_type` (`type`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `users` --- - -LOCK TABLES `users` WRITE; -/*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-08-17 18:03:20','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); -/*!40000 ALTER TABLE `users` ENABLE KEYS */; 
-UNLOCK TABLES; - --- --- Table structure for table `versions` --- - -DROP TABLE IF EXISTS `versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT '', - `effective_date` date DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `wiki_page_title` varchar(255) DEFAULT NULL, - `status` varchar(255) DEFAULT 'open', - `sharing` varchar(255) NOT NULL DEFAULT 'none', - PRIMARY KEY (`id`), - KEY `versions_project_id` (`project_id`), - KEY `index_versions_on_sharing` (`sharing`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `versions` --- - -LOCK TABLES `versions` WRITE; -/*!40000 ALTER TABLE `versions` DISABLE KEYS */; -/*!40000 ALTER TABLE `versions` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `watchers` --- - -DROP TABLE IF EXISTS `watchers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `watchers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `watchable_type` varchar(255) NOT NULL DEFAULT '', - `watchable_id` int(11) NOT NULL DEFAULT '0', - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `watchers_user_id_type` (`user_id`,`watchable_type`), - KEY `index_watchers_on_user_id` (`user_id`), - KEY `index_watchers_on_watchable_id_and_watchable_type` (`watchable_id`,`watchable_type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `watchers` --- - -LOCK TABLES `watchers` WRITE; -/*!40000 ALTER TABLE `watchers` DISABLE KEYS */; -/*!40000 ALTER TABLE `watchers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- 
Table structure for table `webhooks` --- - -DROP TABLE IF EXISTS `webhooks`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `webhooks` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `url` varchar(255) DEFAULT NULL, - `project_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `webhooks` --- - -LOCK TABLES `webhooks` WRITE; -/*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://10.66.166.135:7000/playbook/webhook',1); -/*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_content_versions` --- - -DROP TABLE IF EXISTS `wiki_content_versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_content_versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_content_id` int(11) NOT NULL, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `data` longblob, - `compression` varchar(6) DEFAULT '', - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_content_versions_wcid` (`wiki_content_id`), - KEY `index_wiki_content_versions_on_updated_on` (`updated_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_content_versions` --- - -LOCK TABLES `wiki_content_versions` WRITE; -/*!40000 ALTER TABLE `wiki_content_versions` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_content_versions` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_contents` --- - -DROP TABLE IF EXISTS `wiki_contents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; 
-CREATE TABLE `wiki_contents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `text` longtext, - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_contents_page_id` (`page_id`), - KEY `index_wiki_contents_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_contents` --- - -LOCK TABLES `wiki_contents` WRITE; -/*!40000 ALTER TABLE `wiki_contents` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_contents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_pages` --- - -DROP TABLE IF EXISTS `wiki_pages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_pages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) NOT NULL, - `created_on` datetime NOT NULL, - `protected` tinyint(1) NOT NULL DEFAULT '0', - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wiki_pages_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_pages_on_wiki_id` (`wiki_id`), - KEY `index_wiki_pages_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_pages` --- - -LOCK TABLES `wiki_pages` WRITE; -/*!40000 ALTER TABLE `wiki_pages` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_pages` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_redirects` --- - -DROP TABLE IF EXISTS `wiki_redirects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_redirects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) DEFAULT NULL, - `redirects_to` varchar(255) 
DEFAULT NULL, - `created_on` datetime NOT NULL, - `redirects_to_wiki_id` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_redirects_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_redirects_on_wiki_id` (`wiki_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_redirects` --- - -LOCK TABLES `wiki_redirects` WRITE; -/*!40000 ALTER TABLE `wiki_redirects` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_redirects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wikis` --- - -DROP TABLE IF EXISTS `wikis`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wikis` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `start_page` varchar(255) NOT NULL, - `status` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `wikis_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wikis` --- - -LOCK TABLES `wikis` WRITE; -/*!40000 ALTER TABLE `wikis` DISABLE KEYS */; -/*!40000 ALTER TABLE `wikis` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `workflows` --- - -DROP TABLE IF EXISTS `workflows`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `workflows` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL DEFAULT '0', - `old_status_id` int(11) NOT NULL DEFAULT '0', - `new_status_id` int(11) NOT NULL DEFAULT '0', - `role_id` int(11) NOT NULL DEFAULT '0', - `assignee` tinyint(1) NOT NULL DEFAULT '0', - `author` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(30) DEFAULT NULL, - `field_name` varchar(30) DEFAULT NULL, - `rule` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wkfs_role_tracker_old_status` (`role_id`,`tracker_id`,`old_status_id`), - 
KEY `index_workflows_on_old_status_id` (`old_status_id`), - KEY `index_workflows_on_role_id` (`role_id`), - KEY `index_workflows_on_new_status_id` (`new_status_id`), - KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=652 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `workflows` --- - -LOCK TABLES `workflows` WRITE; -/*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES (132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',N
ULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','read
only'),(385,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2'
,'readonly'),(420,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'),(537,1,2,0,2,0,0,'WorkflowPermission','project_id','readonly'),(538,1,2,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(539,1,2,0,2,0,0,'WorkflowPermission','subject','readonly'),(540,1
,2,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(541,1,2,0,2,0,0,'WorkflowPermission','is_private','readonly'),(542,1,2,0,2,0,0,'WorkflowPermission','description','readonly'),(543,1,2,0,2,0,0,'WorkflowPermission','1','readonly'),(544,1,2,0,2,0,0,'WorkflowPermission','2','readonly'),(545,1,2,0,2,0,0,'WorkflowPermission','10','readonly'),(546,1,2,0,2,0,0,'WorkflowPermission','20','readonly'),(547,1,2,0,2,0,0,'WorkflowPermission','8','readonly'),(548,1,2,0,2,0,0,'WorkflowPermission','15','readonly'),(549,1,2,0,2,0,0,'WorkflowPermission','11','readonly'),(550,1,2,0,2,0,0,'WorkflowPermission','12','readonly'),(551,1,2,0,2,0,0,'WorkflowPermission','19','readonly'),(552,1,2,0,2,0,0,'WorkflowPermission','17','readonly'),(553,1,2,0,2,0,0,'WorkflowPermission','7','readonly'),(554,1,2,0,2,0,0,'WorkflowPermission','3','readonly'),(555,1,2,0,2,0,0,'WorkflowPermission','5','readonly'),(556,1,2,0,2,0,0,'WorkflowPermission','6','readonly'),(557,1,2,0,2,0,0,'WorkflowPermission','22','readonly'),(558,1,3,0,2,0,0,'WorkflowPermission','project_id','readonly'),(559,1,3,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(560,1,3,0,2,0,0,'WorkflowPermission','subject','readonly'),(561,1,3,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(562,1,3,0,2,0,0,'WorkflowPermission','is_private','readonly'),(563,1,3,0,2,0,0,'WorkflowPermission','description','readonly'),(564,1,3,0,2,0,0,'WorkflowPermission','1','readonly'),(565,1,3,0,2,0,0,'WorkflowPermission','2','readonly'),(566,1,3,0,2,0,0,'WorkflowPermission','10','readonly'),(567,1,3,0,2,0,0,'WorkflowPermission','20','readonly'),(568,1,3,0,2,0,0,'WorkflowPermission','8','readonly'),(569,1,3,0,2,0,0,'WorkflowPermission','15','readonly'),(570,1,3,0,2,0,0,'WorkflowPermission','11','readonly'),(571,1,3,0,2,0,0,'WorkflowPermission','12','readonly'),(572,1,3,0,2,0,0,'WorkflowPermission','19','readonly'),(573,1,3,0,2,0,0,'WorkflowPermission','17','readonly'),(574,1,3,0,2,0,0,'WorkflowPermission','7','readonly'),(575,1,3,0,2,0,0,'W
orkflowPermission','3','readonly'),(576,1,3,0,2,0,0,'WorkflowPermission','5','readonly'),(577,1,3,0,2,0,0,'WorkflowPermission','6','readonly'),(578,1,3,0,2,0,0,'WorkflowPermission','22','readonly'),(579,1,4,0,2,0,0,'WorkflowPermission','project_id','readonly'),(580,1,4,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(581,1,4,0,2,0,0,'WorkflowPermission','subject','readonly'),(582,1,4,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(583,1,4,0,2,0,0,'WorkflowPermission','is_private','readonly'),(584,1,4,0,2,0,0,'WorkflowPermission','description','readonly'),(585,1,4,0,2,0,0,'WorkflowPermission','1','readonly'),(586,1,4,0,2,0,0,'WorkflowPermission','2','readonly'),(587,1,4,0,2,0,0,'WorkflowPermission','10','readonly'),(588,1,4,0,2,0,0,'WorkflowPermission','20','readonly'),(589,1,4,0,2,0,0,'WorkflowPermission','8','readonly'),(590,1,4,0,2,0,0,'WorkflowPermission','15','readonly'),(591,1,4,0,2,0,0,'WorkflowPermission','11','readonly'),(592,1,4,0,2,0,0,'WorkflowPermission','12','readonly'),(593,1,4,0,2,0,0,'WorkflowPermission','19','readonly'),(594,1,4,0,2,0,0,'WorkflowPermission','17','readonly'),(595,1,4,0,2,0,0,'WorkflowPermission','7','readonly'),(596,1,4,0,2,0,0,'WorkflowPermission','3','readonly'),(597,1,4,0,2,0,0,'WorkflowPermission','5','readonly'),(598,1,4,0,2,0,0,'WorkflowPermission','6','readonly'),(599,1,4,0,2,0,0,'WorkflowPermission','22','readonly'),(600,1,5,0,2,0,0,'WorkflowPermission','project_id','readonly'),(601,1,5,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(602,1,5,0,2,0,0,'WorkflowPermission','subject','readonly'),(603,1,5,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(604,1,5,0,2,0,0,'WorkflowPermission','is_private','readonly'),(605,1,5,0,2,0,0,'WorkflowPermission','description','readonly'),(606,1,5,0,2,0,0,'WorkflowPermission','1','readonly'),(607,1,5,0,2,0,0,'WorkflowPermission','2','readonly'),(608,1,5,0,2,0,0,'WorkflowPermission','10','readonly'),(609,1,5,0,2,0,0,'WorkflowPermission','20','readonly'),(610,1,5,0,2
,0,0,'WorkflowPermission','8','readonly'),(611,1,5,0,2,0,0,'WorkflowPermission','15','readonly'),(612,1,5,0,2,0,0,'WorkflowPermission','11','readonly'),(613,1,5,0,2,0,0,'WorkflowPermission','12','readonly'),(614,1,5,0,2,0,0,'WorkflowPermission','19','readonly'),(615,1,5,0,2,0,0,'WorkflowPermission','17','readonly'),(616,1,5,0,2,0,0,'WorkflowPermission','7','readonly'),(617,1,5,0,2,0,0,'WorkflowPermission','3','readonly'),(618,1,5,0,2,0,0,'WorkflowPermission','5','readonly'),(619,1,5,0,2,0,0,'WorkflowPermission','6','readonly'),(620,1,5,0,2,0,0,'WorkflowPermission','22','readonly'),(621,1,6,0,2,0,0,'WorkflowPermission','project_id','readonly'),(622,1,6,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(623,1,6,0,2,0,0,'WorkflowPermission','subject','readonly'),(624,1,6,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(625,1,6,0,2,0,0,'WorkflowPermission','is_private','readonly'),(626,1,6,0,2,0,0,'WorkflowPermission','description','readonly'),(627,1,6,0,2,0,0,'WorkflowPermission','1','readonly'),(628,1,6,0,2,0,0,'WorkflowPermission','2','readonly'),(629,1,6,0,2,0,0,'WorkflowPermission','10','readonly'),(630,1,6,0,2,0,0,'WorkflowPermission','20','readonly'),(631,1,6,0,2,0,0,'WorkflowPermission','8','readonly'),(632,1,6,0,2,0,0,'WorkflowPermission','15','readonly'),(633,1,6,0,2,0,0,'WorkflowPermission','11','readonly'),(634,1,6,0,2,0,0,'WorkflowPermission','12','readonly'),(635,1,6,0,2,0,0,'WorkflowPermission','19','readonly'),(636,1,6,0,2,0,0,'WorkflowPermission','17','readonly'),(637,1,6,0,2,0,0,'WorkflowPermission','7','readonly'),(638,1,6,0,2,0,0,'WorkflowPermission','3','readonly'),(639,1,6,0,2,0,0,'WorkflowPermission','5','readonly'),(640,1,6,0,2,0,0,'WorkflowPermission','6','readonly'),(641,1,6,0,2,0,0,'WorkflowPermission','22','readonly'),(642,1,2,3,2,0,0,'WorkflowTransition',NULL,NULL),(644,1,3,4,2,0,0,'WorkflowTransition',NULL,NULL),(645,1,4,5,2,0,0,'WorkflowTransition',NULL,NULL),(646,1,4,6,2,0,0,'WorkflowTransition',NULL,NULL),(648,1,4,3,2,0,0,'Wor
kflowTransition',NULL,NULL),(649,1,4,3,3,0,0,'WorkflowTransition',NULL,NULL),(650,1,4,3,4,0,0,'WorkflowTransition',NULL,NULL),(651,1,4,3,5,0,0,'WorkflowTransition',NULL,NULL); -/*!40000 ALTER TABLE `workflows` ENABLE KEYS */; -UNLOCK TABLES; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump completed on 2020-08-17 18:06:56 \ No newline at end of file diff --git a/salt/playbook/files/automation_user_create.sh b/salt/playbook/files/automation_user_create.sh index 86f279378..bc827fda6 100644 --- a/salt/playbook/files/automation_user_create.sh +++ b/salt/playbook/files/automation_user_create.sh @@ -37,15 +37,8 @@ while [[ $try_count -le 6 ]]; do \"user_id\" : ${automation_user_id} }" - # Search for the needed keys in the global pillar file, if missing then add them - if (grep -Pzq 'playbook:\n api_key:.*' $local_salt_dir/pillar/global.sls); then - sed -e '1h;2,$H;$!d;g' -e "s/playbook:\n api_key:.*/playbook:\n api_key: ${automation_api_key}/m" -i $local_salt_dir/pillar/global.sls - else - { - echo "playbook:" - echo " api_key: ${automation_api_key}" - } >> $local_salt_dir/pillar/global.sls - fi + # Update the Automation API key in the secrets pillar + sed "s/playbook_automation_api_key:/playbook_automation_api_key: ${automation_api_key}/g" -i $local_salt_dir/pillar/secrets.sls exit 0 fi ((try_count++)) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 57195c21c..75b6b5b2e 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
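Review bot: The new `sed` only produces a valid pillar when `playbook_automation_api_key:` is already present in `secrets.sls` with an empty value. The pattern stops at the colon, so on a re-run or key rotation the new key is written in front of the old one on the same line. If the key line is missing, nothing is written and the script still reaches `exit 0`, whereas the removed code appended the entry. Replacing the rest of the line and quoting the path covers the first case: `sed -i "s/^\(\s*playbook_automation_api_key:\).*/\1 ${automation_api_key}/" "$local_salt_dir/pillar/secrets.sls"`. A `grep -q` on the key name before it, with a non-zero exit on a miss, covers the second; the enclosing `while` loop starts outside the hunk.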
@@ -1,14 +1,14 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} -{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} -{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} -{%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db', None) -%} -{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} +{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') -%} +{%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db') -%} include: @@ -18,8 +18,8 @@ create_playbookdbuser: mysql_user.present: - name: playbookdbuser - password: {{ PLAYBOOKPASS }} - - host: {{ DNET }}/255.255.255.0 - - connection_host: {{ MAINIP }} + - host: "{{ GLOBALS.docker_range.split('/')[0] }}/255.255.255.0" + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} 
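Review bot: Dropping the explicit `None` default on `MYSQLPASS` and `PLAYBOOKPASS` in the first hunk of playbook/init.sls changes what a missing pillar key renders to: `pillar.get` without a default normally returns an empty string, not `None`. A later hunk header names a `playbook_password_none` state, which suggests the file branches on a missing password; that test is outside the hunks shown, so confirm it still fires, for example by testing `{% if not PLAYBOOKPASS %}` rather than comparing with `None`. If it does not, `create_playbookdbuser` could be rendered with an empty `password:`.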
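Review bot: The `host:` value in `create_playbookdbuser` keeps only the network address of `GLOBALS.docker_range` and pairs it with a hard-coded `255.255.255.0`, so the prefix length carried by the range is discarded; the same expression is repeated in the GRANT of `query_playbookdbuser_grants` in the next hunk. If the range is ever wider or narrower than /24, the MySQL account covers a different set of clients than the Docker network does. Computing the host once, e.g. `{% set PLAYBOOK_DB_HOST = GLOBALS.docker_range.split('/')[0] ~ '/255.255.255.0' %}` with a comment stating the /24 assumption, keeps the two statements from drifting apart; deriving the mask from the prefix would remove the assumption altogether.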
@@ -27,8 +27,8 @@ create_playbookdbuser: query_playbookdbuser_grants: mysql_query.run: - database: playbook - - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DNET }}/255.255.255.0';" - - connection_host: {{ MAINIP }} + - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ GLOBALS.docker_range.split('/')[0] }}/255.255.255.0';" + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} @@ -36,21 +36,12 @@ query_playbookdbuser_grants: query_updatwebhooks: mysql_query.run: - database: playbook - - query: "update webhooks set url = 'http://{{MANAGERIP}}:7000/playbook/webhook' where project_id = 1" - - connection_host: {{ MAINIP }} + - query: "update webhooks set url = 'http://{{ GLOBALS.manager_ip }}:7000/playbook/webhook' where project_id = 1" + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} -query_updatename: - mysql_query.run: - - database: playbook - - query: "update custom_fields set name = 'Custom Filter' where id = 21;" - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - query_updatepluginurls: mysql_query.run: - database: playbook @@ -58,10 +49,10 @@ query_updatepluginurls: update settings set value = "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess project: '1' - convert_url: http://{{MANAGERIP}}:7000/playbook/sigmac - create_url: http://{{MANAGERIP}}:7000/playbook/play" + convert_url: http://{{ GLOBALS.manager_ip }}:7000/playbook/sigmac + create_url: http://{{ GLOBALS.manager_ip }}:7000/playbook/play" where id = 43 - - connection_host: {{ MAINIP }} + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} 
@@ -86,13 +77,13 @@ playbook_password_none: so-playbook: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-playbook:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-playbook:{{ GLOBALS.so_version }} - hostname: playbook - name: so-playbook - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: - - REDMINE_DB_MYSQL={{ MANAGERIP }} + - REDMINE_DB_MYSQL={{ GLOBALS.manager_ip }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls deleted file mode 100644 index cd548e689..000000000 --- a/salt/reactor/fleet.sls +++ /dev/null 
@@ -1,95 +0,0 @@ -#!py - -from time import gmtime, strftime -import fileinput -import logging -import re -import subprocess - -def run(): - MINIONID = data['id'] - ACTION = data['data']['action'] - LOCAL_SALT_DIR = "/opt/so/saltstack/local" - STATICFILE = f"{LOCAL_SALT_DIR}/pillar/global.sls" - SECRETSFILE = f"{LOCAL_SALT_DIR}/pillar/secrets.sls" - - if MINIONID.split('_')[-1] in ['manager','eval','fleet','managersearch','standalone']: - if ACTION == 'enablefleet': - logging.info('so/fleet enablefleet reactor') - - MAINIP = data['data']['mainip'] - ROLE = data['data']['role'] - HOSTNAME = data['data']['hostname'] - - # Enable Fleet - for line in fileinput.input(STATICFILE, inplace=True): - if ROLE == 'so-fleet': - line = re.sub(r'fleet_node: \S*', f"fleet_node: True", line.rstrip()) - else: - line = re.sub(r'fleet_manager: \S*', f"fleet_manager: True", line.rstrip()) - print(line) - - # Update the Fleet host in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_hostname: \S*', f"fleet_hostname: '{HOSTNAME}'", line.rstrip()) - print(line) - - # Update the Fleet IP in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_ip: \S*', f"fleet_ip: '{MAINIP}'", line.rstrip()) - print(line) - - if ACTION == 'update-enrollsecret': - logging.info('so/fleet update-enrollsecret reactor') - - ESECRET = data['data']['enroll-secret'] - - # Update the enroll secret in the secrets pillar - if ESECRET != "": - for line in fileinput.input(SECRETSFILE, inplace=True): - line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip()) - print(line) - - - if ACTION == 'genpackages': - logging.info('so/fleet genpackages reactor') - - PACKAGEVERSION = data['data']['current-package-version'] - PACKAGEHOSTNAME = data['data']['package-hostname'] - MANAGER = data['data']['manager'] - VERSION = data['data']['version'] - ESECRET = data['data']['enroll-secret'] - IMAGEREPO = 
data['data']['imagerepo'] - - # Increment the package version by 1 - PACKAGEVERSION += 1 - - # Run Docker container that will build the packages - gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{ IMAGEREPO }/so-fleet-launcher:{ VERSION }", \ - f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') - - # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_packages-timestamp: \S*', f"fleet_packages-timestamp: '{strftime('%Y-%m-%d-%H:%M', gmtime())}'", line.rstrip()) - print(line) - - # Update the Fleet Osquery package version in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_packages-version: \S*', f"fleet_packages-version: {PACKAGEVERSION}", line.rstrip()) - print(line) - - # Copy over newly-built packages - copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii') - - if ACTION == 'update_custom_hostname': - logging.info('so/fleet update_custom_hostname reactor') - - CUSTOMHOSTNAME = data['data']['custom_hostname'] - - # Update the Fleet host in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_custom_hostname:.*$', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip()) - print(line) - - return {} diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 20cf49da2..e80ee1218 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
@@ -1,21 +1,12 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} diff --git a/salt/repo/client/centos.sls b/salt/repo/client/centos.sls index 160782267..39ced9ea8 100644 --- a/salt/repo/client/centos.sls +++ b/salt/repo/client/centos.sls 
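Review bot: `VERSION` in redis/init.sls is now read with `pillar.get('global:soversion')` and no default, so a missing key renders as an empty string instead of failing; where `VERSION` is used lies outside this hunk, but if it forms an image tag the reference would end in a bare colon. playbook/init.sls in this same patch takes the value from `GLOBALS.so_version` instead. Importing `vars/globals.map.jinja` here as well would give version, image repo and registry host a single source; if the local lookups are kept, a short comment should say which pillar is expected to supply them.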
@@ -1,27 +1,15 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {% from 'repo/client/map.jinja' import ABSENTFILES with context %} {% from 'repo/client/map.jinja' import REPOPATH with context %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} -{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} {% set role = grains.id.split('_') | last %} - -# from airgap state -{% if ISAIRGAP and grains.os == 'CentOS' %} {% set MANAGER = salt['grains.get']('master') %} -airgapyum: - file.managed: - - name: /etc/yum/yum.conf - - source: salt://repo/client/files/centos/airgap/yum.conf +{% if grains['os'] == 'CentOS' %} -airgap_repo: - pkgrepo.managed: - - humanname: Airgap Repo - - baseurl: https://{{ MANAGER }}/repo - - gpgcheck: 0 - - sslverify: 0 - -{% endif %} - -# from airgap and common {% if ABSENTFILES|length > 0%} {% for file in ABSENTFILES %} {{ file }}: @@ -32,9 +20,20 @@ airgap_repo: {% endfor %} {% endif %} -# from common state -# Remove default Repos -{% if grains['os'] == 'CentOS' %} +cleanyum: + cmd.run: + - name: 'yum clean all' + - onchanges: + - so_repo + +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt://repo/client/files/centos/yum.conf.jinja + - mode: 644 + - template: jinja + - show_changes: False + repair_yumdb: cmd.run: - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' 
@@ -46,53 +45,35 @@ crsynckeys: - name: /etc/pki/rpm_gpg - source: salt://repo/client/files/centos/keys/ -{% if not ISAIRGAP %} - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} -remove_securityonionrepocache: - file.absent: - - name: /etc/yum.repos.d/securityonioncache.repo - {% endif %} - {% if role not in ['eval', 'standalone', 'import', 'manager', 'managersearch'] and managerupdates == 1 %} -remove_securityonionrepo: - file.absent: - - name: /etc/yum.repos.d/securityonion.repo - {% endif %} + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %} +so_repo: + pkgrepo.managed: + - name: securityonion + - humanname: Security Onion Repo + - baseurl: file:///nsm/repo/ + - enabled: 1 + - gpgcheck: 1 -crsecurityonionrepo: - file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos.d/securityonion.repo - - source: salt://repo/client/files/centos/securityonion.repo - {% else %} - - name: /etc/yum.repos.d/securityonioncache.repo - - source: salt://repo/client/files/centos/securityonioncache.repo - {% endif %} - - mode: 644 + {% else %} +so_repo: + pkgrepo.managed: + - name: securityonion + - humanname: Security Onion Repo + - baseurl: https://{{ MANAGER }}/repo + - enabled: 1 + - gpgcheck: 1 -yumconf: - file.managed: - - name: /etc/yum.conf - - source: salt://repo/client/files/centos/yum.conf.jinja - - mode: 644 - - template: jinja - - show_changes: False - -cleanairgap: - file.absent: - - name: /etc/yum.repos.d/airgap_repo.repo -{% endif %} - -cleanyum: - cmd.run: - - name: 'yum clean metadata' - - onchanges: -{% if ISAIRGAP %} - - file: airgapyum - - pkgrepo: airgap_repo -{% else %} - - file: crsecurityonionrepo - - file: yumconf -{% endif %} + {% endif %} {% endif %} + +# TODO: Add a pillar entry for custom repos + + + + + + + + 
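Review bot: Both `so_repo` definitions set `gpgcheck: 1` but neither names a `gpgkey`, so signature verification depends on the signing keys already being imported into the RPM database on every node. The `crsynckeys` state shown as context copies keys to `/etc/pki/rpm_gpg`, while the repo files in this patch reference `/etc/pki/rpm-gpg`, so the copied keys may not be where yum looks for them. Adding `- gpgkey: file:///etc/pki/rpm-gpg/<KEY-FILE>` (placeholder; the key file name is not visible here) to both branches, and checking the directory name, would make the check self-contained. The run of blank lines added after the TODO comment can be dropped.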
diff --git a/salt/repo/client/files/centos/airgap/yum.conf b/salt/repo/client/files/centos/airgap/yum.conf
deleted file mode 100644
index cbab7607d..000000000
--- a/salt/repo/client/files/centos/airgap/yum.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-[main]
-cachedir=/var/cache/yum/$basearch/$releasever
-keepcache=0
-debuglevel=2
-logfile=/var/log/yum.log
-exactarch=1
-obsoletes=1
-gpgcheck=1
-plugins=1
-installonly_limit=2
-bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
-distroverpkg=centos-release
\ No newline at end of file
diff --git a/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH b/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH
deleted file mode 100644
index b424ccfae..000000000
--- a/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH
+++ /dev/null
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.22 (GNU/Linux) - -mQINBFeeyYwBEACyf4VwV8c2++J5BmCl6ofLCtSIW3UoVrF4F+P19k/0ngnSfjWb -8pSWB11HjZ3Mr4YQeiD7yY06UZkrCXk+KXDlUjMK3VOY7oNPkqzNaP6+8bDwj4UA -hADMkaXBvWooGizhCoBtDb1bSbHKcAnQ3PTdiuaqF5bcyKk8hv939CHulL2xH+BP -mmTBi+PM83pwvR+VRTOT7QSzf29lW1jD79v4rtXHJs4KCz/amT/nUm/tBpv3q0sT -9M9rH7MTQPdqvzMl122JcZST75GzFJFl0XdSHd5PAh2mV8qYak5NYNnwA41UQVIa -+xqhSu44liSeZWUfRdhrQ/Nb01KV8lLAs11Sz787xkdF4ad25V/Rtg/s4UXt35K3 -klGOBwDnzPgHK/OK2PescI5Ve1z4x1C2bkGze+gk/3IcfGJwKZDfKzTtqkZ0MgpN -7RGghjkH4wpFmuswFFZRyV+s7jXYpxAesElDSmPJ0O07O4lQXQMROE+a2OCcm0eF -3+Cr6qxGtOp1oYMOVH0vOLYTpwOkAM12/qm7/fYuVPBQtVpTojjV5GDl2uGq7p0o -h9hyWnLeNRbAha0px6rXcF9wLwU5n7mH75mq5clps3sP1q1/VtP/Fr84Lm7OGke4 -9eD+tPNCdRx78RNWzhkdQxHk/b22LCn1v6p1Q0qBco9vw6eawEkz1qwAjQARAQAB -tDFXYXp1aC5jb20gKFdhenVoIFNpZ25pbmcgS2V5KSA8c3VwcG9ydEB3YXp1aC5j -b20+iQI9BBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheABQJZHNOBBQkU -SgzvAAoJEJaz7l8pERFF6xUP/3SbcmrI/u7a2EqZ0GxwQ/LRkPzWkJRnozCtNYHD -ZjiZgSB/+77hkPS0tsBK/GXFLKfJAuf13XFrCvEuI4Q/pLOCCKIGumKXItUIwJBD -HiEmVt/XxIijmlF7O1jcWqE/5CQXofjr03WMx+qzNabIwU/6dTKZN4FrR1jDk7yS -6FYBsbhVcSoqSpGYx7EcuK3c3sKKtnbacK2Sw3K9n8Wdj+EK83cbpMg8D/efVRqv -xypeCeojtY10y4bmugEwMYPgFkrSbicuiZc8NA8qhvFp6JFRq/uL0PGACyg05wB3 -S9U4wvSkmlo2/G74awna22UlaoYmSSz3UZdpWd2zBxflx17948QfTqyhO6bM8qLz -dSyR6/6olAcR1N+PBup8PoMdBte4ul/hJp8WIviW0AxJUTZSbVj5v/t43QAKEpCE -IMHvkK8PRHz/9kMd/2xN7LgMtihCrGZOnzErkjhlZvmiJ6kcJoD7ywzFnfJrntOU -DjNb3eqUFSEwmhD60Hd2OCkfmiV7NEE/YTd9B72NSwzj4Za/JUdlF64LMeIiHbYp -Lh7P+mR+lMJf/SWsQmlyuiQ2u8SY2aDFvzBS9WtpwiznuUdrbRN87+TYLSVqDifj -Ea3zOnzLaLYbOr6LHz1xbhAvInv7KLobgiw1E4WnBNWN8xVwVJLKNE7wV88k43XV -3L/RuQINBFeeyYwBEADD1Y3zW5OrnYZ6ghTd5PXDAMB8Z1ienmnb2IUzLM+i0yE2 -TpKSP/XYCTBhFa390rYgFO2lbLDVsiz7Txd94nHrdWXGEQfwrbxsvdlLLWk7iN8l -Fb4B60OfRi3yoR96a/kIPNa0x26+n79LtDuWZ/DTq5JSHztdd9F1sr3h8i5zYmtv -luj99ZorpwYejbBVUm0+gP0ioaXM37uO56UFVQk3po9GaS+GtLnlgoE5volgNYyO 
-rkeIua4uZVsifREkHCKoLJip6P7S3kTyfrpiSLhouEZ7kV1lbMbFgvHXyjm+/AIx -HIBy+H+e+HNt5gZzTKUJsuBjx44+4jYsOR67EjOdtPOpgiuJXhedzShEO6rbu/O4 -wM1rX45ZXDYa2FGblHCQ/VaS0ttFtztk91xwlWvjTR8vGvp5tIfCi+1GixPRQpbN -Y/oq8Kv4A7vB3JlJscJCljvRgaX0gTBzlaF6Gq0FdcWEl5F1zvsWCSc/Fv5WrUPY -5mG0m69YUTeVO6cZS1aiu9Qh3QAT/7NbUuGXIaAxKnu+kkjLSz+nTTlOyvbG7BVF -a6sDmv48Wqicebkc/rCtO4g8lO7KoA2xC/K/6PAxDrLkVyw8WPsAendmezNfHU+V -32pvWoQoQqu8ysoaEYc/j9fN4H3mEBCN3QUJYCugmHP0pu7VtpWwwMUqcGeUVwAR -AQABiQIlBBgBCAAPAhsMBQJZHNOaBQkUSg0HAAoJEJaz7l8pERFFhpkQAJ09mjjp -n9f18JGSMzP41fVucPuLBZ5XJL/hy2boII1FvgfmOETzNxLPblHdkJVjZS5iMrhL -EJ1jv+GQDtf68/0jO+HXuQIBmUJ53YwbuuQlLWH7CI2AxlSAKAn2kOApWMKsjnAv -JwS3eNGukOKWRfEKTqz2Vwi1H7M7ppypZ9keoyAoSIWb61gm7rXbfT+tVBetHfrU -EM5vz3AS3pJk6Yfqn10IZfiexXmsBD+SpJBNzMBsznCcWO2y4qZNLjFferBoizvV -34UnZyd1bkSN0T/MKp8sgJwqDJBS72tH6ZIM8NNoy29aPDkeaa8XlhkWiBdRizqL -BcxrV/1n3xdzfY9FX6s4KGudo+gYsVpY0mrpZU8jG8YUNLDXQTXnRo4CQOtRJJbA -RFDoZfsDqToZftuEhIsk+MaKlyXoA0eIYqGe6lXa/jEwvViqLYubCNLu0+kgNQ3v -hKF8Pf7eXFDAePw7guuvDvBOMQqBCaKCxsz1HoKRNYBEdUYrEQBJnX235Q4IsdI/ -GcQ/dvERJXaDCG8EPhnwc517EMUJDiJ1CxT4+VMHphmFbiVqmctz0upIj+D037Xk -CcgxNte6LZorGRZ/l1MYINliGJKtCCFK7XGVPKiJ8zyGSyPj1FfwtBy5hUX3aQtm -bvP0H2BRCKoelsbRENu58BkU6YhiUry7pVul -=SJij ------END PGP PUBLIC KEY BLOCK----- diff --git a/salt/repo/client/files/centos/securityonion.repo b/salt/repo/client/files/centos/securityonion.repo deleted file mode 100644 index 397cb7530..000000000 --- a/salt/repo/client/files/centos/securityonion.repo +++ /dev/null 
@@ -1,71 +0,0 @@ -[base] -name=CentOS-$releasever - Base -baseurl=https://repo.securityonion.net/file/securityonion-repo/base/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#released updates -[updates] -name=CentOS-$releasever - Updates -baseurl=https://repo.securityonion.net/file/securityonion-repo/updates/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that may be useful -[extras] -name=CentOS-$releasever - Extras -baseurl=https://repo.securityonion.net/file/securityonion-repo/extras/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that extend functionality of existing packages -[centosplus] -name=CentOS-$releasever - Plus -baseurl=https://repo.securityonion.net/file/securityonion-repo/centosplus/ -gpgcheck=1 -enabled=0 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -[epel] -name=Extra Packages for Enterprise Linux 7 - $basearch -baseurl=https://repo.securityonion.net/file/securityonion-repo/epel/ -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 - -[docker-ce-stable] -name=Docker CE Stable - $basearch -baseurl=https://repo.securityonion.net/file/securityonion-repo/docker-ce-stable -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/docker.pub - -[saltstack] -name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/salt/ -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub - -[wazuh_repo] -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ -protect=1 - -[wazuh4_repo] -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ -protect=1 - -[securityonion] -name=Security Onion Repo repo 
-baseurl=https://repo.securityonion.net/file/securityonion-repo/securityonion/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub diff --git a/salt/repo/client/files/centos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo deleted file mode 100644 index 5064fb598..000000000 --- a/salt/repo/client/files/centos/securityonioncache.repo +++ /dev/null 
@@ -1,71 +0,0 @@ -[base] -name=CentOS-$releasever - Base -baseurl=http://repocache.securityonion.net/file/securityonion-repo/base/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#released updates -[updates] -name=CentOS-$releasever - Updates -baseurl=http://repocache.securityonion.net/file/securityonion-repo/updates/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that may be useful -[extras] -name=CentOS-$releasever - Extras -baseurl=http://repocache.securityonion.net/file/securityonion-repo/extras/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that extend functionality of existing packages -[centosplus] -name=CentOS-$releasever - Plus -baseurl=http://repocache.securityonion.net/file/securityonion-repo/centosplus/ -gpgcheck=1 -enabled=0 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -[epel] -name=Extra Packages for Enterprise Linux 7 - $basearch -baseurl=http://repocache.securityonion.net/file/securityonion-repo/epel/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7 - -[docker-ce-stable] -name=Docker CE Stable - $basearch -baseurl=http://repocache.securityonion.net/file/securityonion-repo/docker-ce-stable -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub - -[saltstack] -name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/salt/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub - -[wazuh_repo] -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ -protect=1 - -[wazuh4_repo] -gpgcheck=1 
-gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh4_repo/ -protect=1 - -[securityonion] -name=Security Onion Repo -baseurl=http://repocache.securityonion.net/file/securityonion-repo/securityonion/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub diff --git a/salt/repo/client/files/centos/securityonionlocal.repo b/salt/repo/client/files/centos/securityonionlocal.repo new file mode 100644 index 000000000..cd928eb79 --- /dev/null +++ b/salt/repo/client/files/centos/securityonionlocal.repo @@ -0,0 +1,8 @@ +[solocal] +name=Security Onion Repo +baseurl=file:///nsm/repo/ +enabled=1 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 + + diff --git a/salt/repo/client/files/centos/yum.conf.jinja b/salt/repo/client/files/centos/yum.conf.jinja index 8af48e99d..bd31ac007 100644 --- a/salt/repo/client/files/centos/yum.conf.jinja +++ b/salt/repo/client/files/centos/yum.conf.jinja @@ -12,8 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and ( salt['pillar.get']('global:managerupdate', '0') or salt['pillar.get']('patch:os:source', 'direct') == 'manager' ) -%} -proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 -{% elif proxy -%} +{% if proxy -%} proxy={{ proxy }} {% endif %} diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls deleted file mode 100644 index 345c9e2dc..000000000 --- a/salt/repo/client/ubuntu.sls +++ /dev/null 
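Review bot: The new `[solocal]` repo in securityonionlocal.repo lists only `RPM-GPG-KEY-CentOS-7` as its `gpgkey`, while the repo files deleted in this patch used separate keys for EPEL, Docker, SaltStack, Wazuh and Security Onion packages. If `/nsm/repo/` carries packages from those sources, `gpgcheck=1` will reject them unless their keys were imported some other way; listing every expected key on the `gpgkey=` line avoids that dependency. Nothing in the centos.sls hunks of this patch installs this file, and its repo id differs from the `securityonion` id used by `so_repo`, so a comment saying where the file is consumed would help.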
@@ -1,20 +0,0 @@ -# this removes the repo file left by bootstrap-salt.sh without -r -remove_salt.list: - file.absent: - - name: /etc/apt/sources.list.d/salt.list - -saltstack.list: - file.managed: - - name: /etc/apt/sources.list.d/saltstack.list - - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main - -apt_update: - cmd.run: - - name: apt-get update - - onchanges: - - file: saltstack.list - - timeout: 30 - - retry: - attempts: 5 - interval: 30 diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index eb9f5ae89..389a95607 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -11,6 +11,7 @@ {% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %} {% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %} {% set PYTHONINSTALLER = 'pip' %} + {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %} {% else %} {% set SPLITCHAR = '-' %} {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %} @@ -21,6 +22,7 @@ {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %} {% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %} {% set PYTHONINSTALLER = 'pkg' %} + {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% endif %} {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index fafb6f0f3..15e203d82 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls 
@@ -81,10 +81,10 @@ set_log_levels: - "log_level: error" - "log_level_logfile: error" -salt_minion_service_start_delay: +salt_minion_service_unit_file: file.managed: - - name: /etc/systemd/system/salt-minion.service.d/start-delay.conf - - source: salt://salt/service/start-delay.conf.jinja + - name: {{ SYSTEMD_UNIT_FILE }} + - source: salt://salt/service/salt-minion.service.jinja - template: jinja - defaults: service_start_delay: {{ service_start_delay }} diff --git a/salt/salt/service/salt-minion.service.jinja b/salt/salt/service/salt-minion.service.jinja new file mode 100644 index 000000000..c7bae0bc2 --- /dev/null +++ b/salt/salt/service/salt-minion.service.jinja @@ -0,0 +1,15 @@ +[Unit] +Description=The Salt Minion +Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html +After=network.target salt-master.service + +[Service] +KillMode=process +Type=notify +NotifyAccess=all +LimitNOFILE=8192 +ExecStart=/usr/bin/salt-minion +ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }} + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/salt/salt/service/start-delay.conf.jinja b/salt/salt/service/start-delay.conf.jinja deleted file mode 100644 index 33917b174..000000000 --- a/salt/salt/service/start-delay.conf.jinja +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }} diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 04f2abf93..2fe385de5 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json 
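Review bot: `salt_minion_service_unit_file` overwrites the package-owned unit at `{{ SYSTEMD_UNIT_FILE }}`, so a salt-minion package update can put the vendor file back and drop the start delay until the next state run. Nothing in this hunk removes `/etc/systemd/system/salt-minion.service.d/start-delay.conf` written by the state it replaces; on a host where that drop-in exists, its `ExecStartPre` is added to the one in the new unit and the sleep runs twice. Either keep the drop-in approach or add a `file.absent` for the old drop-in path next to this state. The state's remaining arguments continue past the hunk, so whether a systemd reload follows the file change cannot be seen here.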
@@ -4,7 +4,7 @@ {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %} {%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %} {%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %} -{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %} +{%- set SENSORONIKEY = salt['pillar.get']('sensoroni:sensoronikey', '') %} {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %} {%- set ROLE = grains.id.split('_') | last %} {%- if ROLE in ['eval', 'standalone', 'sensor', 'heavynode'] %} diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja new file mode 100644 index 000000000..cc9f57db8 --- /dev/null +++ b/salt/soc/defaults.map.jinja @@ -0,0 +1,23 @@ +{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + +{% for module, application_url in GLOBALS.application_urls.items() %} +{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %} +{% endfor %} + +{# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #} +{% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %} +{% for m in minions.keys() %} +{% do SOCDEFAULTS.soc.server.modules.elastic.remoteHostUrls.append(m) %} +{% endfor %} +{% endfor %} + +{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} + +{% if GLOBALS.role != 'so-import' %} +{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':8086'}) %} +{% endif %} + +{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': GLOBALS.docker_range, 'apiKey': pillar.sensoroni.sensoronikey}) %} + +{% set SOCDEFAULTS = SOCDEFAULTS.soc %} 
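Review bot: `SENSORONIKEY` in sensoroni.json still falls back to `''` after the move to `sensoroni:sensoronikey`, so a node whose pillar was not migrated renders an empty key with no error, while soc/defaults.map.jinja in the next hunk reads `pillar.sensoroni.sensoronikey` directly with no fallback at all. An empty value is the worse outcome for a shared authentication key, and the two lookups now behave differently when the pillar is incomplete. Reading the key the same way in both files and refusing to render when it is empty would close that gap; if the `''` default is kept, a comment should say why an empty key is acceptable. Both templates continue outside the lines shown.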
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
new file mode 100644
index 000000000..9dce3fd8e
--- /dev/null
+++ b/salt/soc/defaults.yaml
@@ -0,0 +1,1153 @@ +soc: + logFilename: /opt/sensoroni/logs/sensoroni-server.log + server: + bindAddress: 0.0.0.0:9822 + baseUrl: / + maxPacketCount: 5000 + htmlDir: html + airgapEnabled: false + modules: + cases: soc + filedatastore: + jobDir: jobs + kratos: + hostUrl: + elastic: + hostUrl: + remoteHostUrls: [] + username: + password: + index: '*:so-*' + cacheMs: 300000 + verifyCert: false + casesEnabled: true + timeoutMs: 0 + influxdb: + hostUrl: + token: '' + org: '' + bucket: telegraf + verifyCert: false + sostatus: + refreshIntervalMs: 30000 + offlineThresholdMs: 900000 + + statickeyauth: + anonymousCidr: + apiKey: + staticrbac: + roleFiles: + - rbac/permissions + - rbac/roles + - rbac/custom_roles + userFiles: + - rbac/users_roles + client: + docsUrl: https://docs.securityonion.net/en/2.3/ + cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf + releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes + apiTimeoutMs: 0 + webSocketTimeoutMs: 0 + tipTimeoutMs: 0 + cacheExpirationMs: 0 + casesEnabled: true + inactiveTools: ['toolUnused'] + tools: + - name: toolKibana + description: toolKibanaHelp + icon: fa-external-link-alt + target: so-kibana + link: /kibana/ + - name: toolGrafana + description: toolGrafanaHelp + icon: fa-external-link-alt + target: so-grafana + link: /grafana/d/so_overview + - name: toolCyberchef + description: toolCyberchefHelp + icon: fa-external-link-alt + target: so-cyberchef + link: /cyberchef/ + - name: toolPlaybook + description: toolPlaybookHelp + icon: fa-external-link-alt + target: so-playbook + link: /playbook/projects/detection-playbooks/issues/ + - name: toolFleet + description: toolFleetHelp + icon: fa-external-link-alt + target: so-fleet + link: /fleet/ + - name: toolNavigator + description: toolNavigatorHelp + icon: fa-external-link-alt + target: so-navigator + link: /navigator/ + hunt: + advanced: true + groupItemsPerPage: 10 + 
groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip 
+ - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie 
+ - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - 
ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - 
process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: + queryToggleFilters: + - name: caseExcludeToggle + filter: NOT _index:\"*:so-case*\" + enabled: true + queries: + - name: Default Query + description: Show all events grouped by the origin host + query: '* | groupby observer.name' + - name: Log Type + description: Show all events grouped by module and dataset + query: '* | groupby event.module event.dataset' + - name: SOC Auth + description: Users authenticated to SOC grouped by IP address and identity + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + - name: Elastalerts + description: '' + query: '_type:elastalert | groupby rule.name' + - name: Alerts + description: Show all alerts grouped by alert source + query: 
'event.dataset: alert | groupby event.module' + - name: NIDS Alerts + description: Show all NIDS alerts grouped by alert + query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 5 or higher grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 4 or lower grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Users and Commands + description: Show all Wazuh alerts grouped by username and command line + query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' + - name: Wazuh/OSSEC Processes + description: Show all Wazuh alerts grouped by process name + query: 'event.module:ossec AND event.dataset:alert | groupby process.name' + - name: Sysmon Events + description: Show all Sysmon logs grouped by event type + query: 'event.module:sysmon | groupby event.dataset' + - name: Sysmon Usernames + description: Show all Sysmon logs grouped by username + query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' + - name: Strelka + description: Show all Strelka logs grouped by file type + query: 'event.module:strelka | groupby file.mime_type' + - name: Zeek Notice + description: Show notices from Zeek + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: Connections + description: Connections grouped by IP and Port + query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' + - name: Connections + description: Connections grouped by Service + query: 'event.dataset:conn | groupby network.protocol destination.port' + - name: Connections + description: Connections grouped by destination 
country + query: 'event.dataset:conn | groupby destination.geo.country_name' + - name: Connections + description: Connections grouped by source country + query: 'event.dataset:conn | groupby source.geo.country_name' + - name: DCE_RPC + description: DCE_RPC grouped by operation + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' + - name: DHCP + description: DHCP leases + query: 'event.dataset:dhcp | groupby host.hostname client.address' + - name: DHCP + description: DHCP grouped by message type + query: 'event.dataset:dhcp | groupby dhcp.message_types' + - name: DNP3 + description: DNP3 grouped by reply + query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' + - name: DNS + description: DNS queries grouped by port + query: 'event.dataset:dns | groupby dns.query.name destination.port' + - name: DNS + description: DNS queries grouped by type + query: 'event.dataset:dns | groupby dns.query.type_name destination.port' + - name: DNS + description: DNS queries grouped by response code + query: 'event.dataset:dns | groupby dns.response.code_name destination.port' + - name: DNS + description: DNS highest registered domain + query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' + - name: DNS + description: DNS grouped by parent domain + query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason' + - name: Files + description: Files grouped by mimetype + query: 'event.dataset:file | groupby file.mime_type source.ip' + - name: Files + description: Files grouped by source + query: 'event.dataset:file | groupby file.source source.ip' + - name: FTP + description: FTP grouped by command and argument + query: 'event.dataset:ftp | groupby ftp.command ftp.argument' + - name: FTP + description: FTP grouped by username and argument + query: 'event.dataset:ftp | groupby ftp.user ftp.argument' + - name: HTTP + 
description: HTTP grouped by destination port + query: 'event.dataset:http | groupby destination.port' + - name: HTTP + description: HTTP grouped by status code and message + query: 'event.dataset:http | groupby http.status_code http.status_message' + - name: HTTP + description: HTTP grouped by method and user agent + query: 'event.dataset:http | groupby http.method http.useragent' + - name: HTTP + description: HTTP grouped by virtual host + query: 'event.dataset:http | groupby http.virtual_host' + - name: HTTP + description: HTTP with exe downloads + query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' + - name: Intel + description: Intel framework hits grouped by indicator + query: 'event.dataset:intel | groupby intel.indicator.keyword' + - name: IRC + description: IRC grouped by command + query: 'event.dataset:irc | groupby irc.command.type' + - name: KERBEROS + description: KERBEROS grouped by service + query: 'event.dataset:kerberos | groupby kerberos.service' + - name: MODBUS + description: MODBUS grouped by function + query: 'event.dataset:modbus | groupby modbus.function' + - name: MYSQL + description: MYSQL grouped by command + query: 'event.dataset:mysql | groupby mysql.command' + - name: NOTICE + description: Zeek notice logs grouped by note and message + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: NTLM + description: NTLM grouped by computer name + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' + - name: Osquery Live Queries + description: Osquery Live Query results grouped by computer name + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' + - name: RADIUS + description: RADIUS grouped by username + query: 'event.dataset:radius | groupby user.name.keyword' + - name: RDP + description: RDP grouped by client name + 
query: 'event.dataset:rdp | groupby client.name' + - name: RFB + description: RFB grouped by desktop name + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' + - name: Signatures + description: Zeek signatures grouped by signature id + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP grouped by user agent + query: 'event.dataset:sip | groupby client.user_agent' + - name: SMB_Files + description: SMB files grouped by action + query: 'event.dataset:smb_files | groupby file.action' + - name: SMB_Mapping + description: SMB mapping grouped by path + query: 'event.dataset:smb_mapping | groupby smb.path' + - name: SMTP + description: SMTP grouped by subject + query: 'event.dataset:smtp | groupby smtp.subject' + - name: SNMP + description: SNMP grouped by version and string + query: 'event.dataset:snmp | groupby snmp.community snmp.version' + - name: Software + description: List of software seen on the network + query: 'event.dataset:software | groupby software.type software.name' + - name: SSH + description: SSH grouped by version and client + query: 'event.dataset:ssh | groupby ssh.version ssh.client' + - name: SSL + description: SSL grouped by version and server name + query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' + - name: SYSLOG + description: 'SYSLOG grouped by severity and facility ' + query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' + - name: Tunnel + description: Tunnels grouped by type and action + query: 'event.dataset:tunnel | groupby tunnel.type event.action' + - name: Weird + description: Zeek weird log grouped by name + query: 'event.dataset:weird | groupby weird.name' + - name: x509 + description: x.509 grouped by key length and name + query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' + - name: x509 + description: x.509 grouped by name and issuer + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' + 
- name: x509 + description: x.509 grouped by name and subject + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' + - name: Firewall + description: Firewall events grouped by action + query: 'event.dataset:firewall | groupby rule.action' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + job: + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - 
'/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + alerts: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 500 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: true + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventfields: + default: + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.gid + - rule.uuid + - rule.category + - rule.rev 
+ ':ossec:': + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + - process.name + queryBaseFilter: event.dataset:alert + queryToggleFilters: + - name: acknowledged + filter: event.acknowledged:true + enabled: false + exclusive: true + - name: escalated + filter: event.escalated:true + enabled: false + exclusive: true + enablesToggles: + - acknowledged + queries: + - name: 'Group By Name, Module' + query: '* | groupby rule.name event.module event.severity_label' + - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' + query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' + - name: 'Group By Source IP, Name' + query: '* | groupby source.ip rule.name event.severity_label' + - name: 'Group By Source Port, Name' + query: '* | groupby source.port rule.name event.severity_label' + - name: 'Group By Destination IP, Name' + query: '* | groupby destination.ip rule.name event.severity_label' + - name: 'Group By Destination Port, Name' + query: '* | groupby destination.port rule.name event.severity_label' + - name: Ungroup + query: '*' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module 
event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + + cases: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 100 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 12 + relativeTimeUnit: 60 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: false + escalateRelatedEventsEnabled: false + viewEnabled: true + createLink: /case/create + eventFields: + default: + - soc_timestamp + - so_case.title + - so_case.status + - so_case.severity + - so_case.assigneeId + - so_case.createTime + queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' + queryToggleFilters: [] + queries: + - name: Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template' + - name: Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template' + - name: My Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: My Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: Templates + query: 'so_case.category:template' 
+ actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + case: + mostRecentlyUsedLimit: 5 + renderAbbreviatedCount: 30 + presets: + artifactType: + labels: + - autonomous-system + - domain + - file + - filename + - fqdn + - hash + - ip + - mail + - mail_subject + - other + - regexp + - registry + - uri_path + - url + - user-agent + customEnabled: true + category: + labels: + - general + - template + customEnabled: true + pap: + 
labels: + - white + - green + - amber + - red + customEnabled: false + severity: + labels: + - low + - medium + - high + - critical + customEnabled: false + status: + labels: + - new + - in progress + - closed + customEnabled: false + tags: + labels: + - false-positive + - confirmed + - pending + customEnabled: true + tlp: + labels: + - white + - green + - amber + - red + customEnabled: false diff --git a/salt/soc/files/soc/default.annotation.yaml b/salt/soc/files/soc/default.annotation.yaml new file mode 100644 index 000000000..f78488035 --- /dev/null +++ b/salt/soc/files/soc/default.annotation.yaml 
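Review bot: `verifyCert: false` is the shipped default under both `soc.server.modules.elastic` and `soc.server.modules.influxdb` in `salt/soc/defaults.yaml`, which, going by the option name, means SOC does not validate the backend's TLS certificate. That matters here because `defaults.map.jinja` fills in the Elasticsearch username and password and an `https://` InfluxDB URL for these same modules, so the credentials would go to a peer whose identity is never checked. Prefer `verifyCert: true` as the default with `false` as an explicit per-deployment override, or at least annotate both lines with `# TLS peer is not authenticated; set to true once the CA is trusted`. The same block sets `bindAddress: 0.0.0.0:9822`, which deserves a comment naming what restricts access to that port.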
@@ -0,0 +1,712 @@ +### Elasticsearch Nodes ### +elasticsearch.esheap: + default: 4192 + global: false + type: int + nodes: + - manager + - searchnode + +elasticsearch.config.node.attr.box_type: + default: hot + global: false + type: bool + options: + - hot + - warm + nodes: + - manager + - searchnode + +## Elasticsearch Global ## +elasticsearch.config.cluster.name: + default: securityonion + global: true + type: string + +elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled: + default: true + global: true + type: bool + options: + - true + - false + +elasticsearch.config.cluster.routing.allocation.disk.watermark.low: +elasticsearch.config.cluster.routing.allocation.disk.watermark.high: +elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage: + + + + + + + + + +elasticsearch:"\ + config:"\ + cluster:"\ + name: $ESCLUSTERNAME"\ + routing:"\ + allocation:"\ + " disk:"\ + " threshold_enabled: true"\ + " watermark:"\ + " low: 80%"\ + " high: 85%"\ + " flood_stage: 90%"\ + " script:"\ + " max_compilations_rate: 20000/1m"\ + " indices:"\ + " query:"\ + " bool:"\ + " max_clause_count: 3500"\ + " index_settings:"\ + " so-aws:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-azure:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-barracuda:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " 
number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-beats:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-bluecoat:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cef:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-checkpoint:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cisco:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cyberark:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cylance:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " 
total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-elasticsearch:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-endgame:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-f5:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-firewall:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-fortinet:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-gcp:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-google_workspace:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " 
index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-ids:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-imperva:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-import:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-infoblox:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-juniper:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-kibana:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-logstash:"\ + " warm: 7"\ + " 
close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-microsoft:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-misp:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + + " so-netflow:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-netscout:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-o365:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-okta:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " 
number_of_replicas: 0"\ + " so-osquery:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-proofpoint:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-radware:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-redis:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-snort:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-snyk:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-sonicwall:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + 
" refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-sophos:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-strelka:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-syslog:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-tomcat:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-zeek:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-zscaler:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365" + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ \ No newline at end of file diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json deleted file mode 100644 index e6ee71b51..000000000 
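Review bot: `elasticsearch.config.node.attr.box_type` is declared `type: bool` although its default is `hot` and its `options` are `hot` and `warm`; `type: string` would match the values, as `elasticsearch.config.cluster.name` does. The three `...disk.watermark.low`, `.high` and `.flood_stage` keys are added with no body at all. Everything from `elasticsearch:"\` to the end of the file is shell string-continuation residue (`"\` line endings, `$ESCLUSTERNAME`) rather than annotation entries, so the file is unlikely to parse as intended. I would finish the annotations or replace the pasted block with a comment such as `# TODO: annotate elasticsearch.index_settings.*` before merging.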
--- a/salt/soc/files/soc/soc.json
+++ /dev/null
@@ -1,258 +0,0 @@ -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %} -{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %} -{%- set THEHIVEURL = salt['pillar.get']('global:hiveurl', '') %} -{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} -{%- set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{%- set API_TIMEOUT = salt['pillar.get']('sensoroni:api_timeout_ms', 0) %} -{%- set WEBSOCKET_TIMEOUT = salt['pillar.get']('sensoroni:websocket_timeout_ms', 0) %} -{%- set TIP_TIMEOUT = salt['pillar.get']('sensoroni:tip_timeout_ms', 0) %} -{%- set CACHE_EXPIRATION = salt['pillar.get']('sensoroni:cache_expiration_ms', 0) %} -{%- set ES_FIELDCAPS_CACHE = salt['pillar.get']('sensoroni:es_fieldcaps_cache_ms', '300000') %} -{%- import_json "soc/files/soc/alerts.queries.json" as alerts_queries %} -{%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %} -{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %} -{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %} -{%- import_json "soc/files/soc/dashboards.queries.json" as dashboards_queries %} -{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %} -{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %} -{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %} -{%- import_json "soc/files/soc/tools.json" as tools %} -{%- import_json "soc/files/soc/presets.artifacttype.json" as presets_artifacttype %} -{%- import_json "soc/files/soc/presets.category.json" as presets_category %} -{%- import_json "soc/files/soc/presets.pap.json" as presets_pap %} -{%- import_json 
"soc/files/soc/presets.severity.json" as presets_severity %} -{%- import_json "soc/files/soc/presets.status.json" as presets_status %} -{%- import_json "soc/files/soc/presets.tag.json" as presets_tag %} -{%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %} -{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} -{%- set ES_INDEX_PATTERNS = salt['pillar.get']('soc:es_index_patterns', '*:so-*') %} -{%- set CASE_MODULE = salt['pillar.get']('soc:case_module', 'soc') %} -{%- set HTTPCASE_CONFIG = salt['pillar.get']('soc:httpcase_config', '') %} -{ - "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", - "server": { - "bindAddress": "0.0.0.0:9822", - "baseUrl": "/", - "maxPacketCount": 5000, - "htmlDir": "html", - {%- if ISAIRGAP is sameas true %} - "airgapEnabled": true, - {%- else %} - "airgapEnabled": false, - {%- endif %} - "modules": { - "filedatastore": { - "jobDir": "jobs" - }, - "kratos": { - "hostUrl": "http://{{ MANAGERIP }}:4434/" - }, - "elastic": { - "hostUrl": "https://{{ MANAGERIP }}:9200", - {%- if salt['pillar.get']('nodestab', {}) %} - "remoteHostUrls": [ - {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - "https://{{ SN.split('_')|first }}:9200"{{ "," if not loop.last else ""}} - {%- endfor %} - ], - {%- endif %} - "username": "{{ ES_USER }}", - "password": "{{ ES_PASS }}", - "index": "{{ ES_INDEX_PATTERNS }}", - "cacheMs": {{ ES_FIELDCAPS_CACHE }}, - "verifyCert": false, - "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "timeoutMs": {{ API_TIMEOUT }} - }, - "influxdb": { -{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' 
and GRAFANA == 0) %} - "hostUrl": "", -{%- else %} - "hostUrl": "https://{{ MANAGERIP }}:8086", -{%- endif %} - "token": "", - "org": "", - "bucket": "telegraf", - "verifyCert": false - }, - "sostatus": { - "refreshIntervalMs": 30000, - "offlineThresholdMs": 900000 - }, -{%- if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %} - "thehive": { - "hostUrl": "http://{{ HIVEURL }}:9000/thehive", - "key": "{{ THEHIVEKEY }}", - "verifyCert": false - }, -{%- elif CASE_MODULE == 'elasticcases' %} - "elasticcases": { - "hostUrl": "https://{{ MANAGERIP }}:5601", - "username": "{{ ES_USER }}", - "password": "{{ ES_PASS }}", - }, -{%- elif CASE_MODULE == 'httpcase' %} - "httpcase": { - {{ HTTPCASE_CONFIG }} - }, -{%- endif %} - "statickeyauth": { - "anonymousCidr": "{{ DNET }}/24", - "apiKey": "{{ SENSORONIKEY }}" - }, - "staticrbac": { - "roleFiles": [ - "rbac/permissions", - "rbac/roles", - "rbac/custom_roles" - ], - "userFiles": [ - "rbac/users_roles" - ] - } - }, - "client": { - {%- if ISAIRGAP is sameas true %} - "docsUrl": "/docs/", - "cheatsheetUrl": "/docs/cheatsheet.pdf", - "releaseNotesUrl": "/docs/#release-notes", - {%- else %} - "docsUrl": "https://docs.securityonion.net/en/2.3/", - "cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf", - "releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes", - {%- endif %} - "apiTimeoutMs": {{ API_TIMEOUT }}, - "webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }}, - "tipTimeoutMs": {{ TIP_TIMEOUT }}, - "cacheExpirationMs": {{ CACHE_EXPIRATION }}, - "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "inactiveTools": [ - {%- if PLAYBOOK == 0 %} - "toolPlaybook", - {%- endif %} - {%- if not FLEETMANAGER and not FLEETNODE %} - "toolFleet", - {%- endif %} - {%- if GRAFANA == 0 %} - "toolGrafana", - {%- endif %} - "toolUnused" - ], - "tools": {{ tools | json }}, - "hunt": { - "advanced": true, - "groupItemsPerPage": 10, - 
"groupFetchLimit": 10, - "eventItemsPerPage": 10, - "eventFetchLimit": 100, - "relativeTimeValue": 24, - "relativeTimeUnit": 30, - "mostRecentlyUsedLimit": 5, - "ackEnabled": false, - "escalateEnabled": true, - "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "aggregationActionsEnabled": true, - "eventFields": {{ hunt_eventfields | json }}, - "queryBaseFilter": "", - "queryToggleFilters": [ - { "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true } - ], - "queries": {{ hunt_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "dashboards": { - "advanced": true, - "groupItemsPerPage": 10, - "groupFetchLimit": 10, - "eventItemsPerPage": 10, - "eventFetchLimit": 100, - "relativeTimeValue": 24, - "relativeTimeUnit": 30, - "mostRecentlyUsedLimit": 0, - "ackEnabled": false, - "escalateEnabled": true, - "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "aggregationActionsEnabled": false, - "eventFields": {{ hunt_eventfields | json }}, - "queryBaseFilter": "", - "queryToggleFilters": [ - { "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true } - ], - "queries": {{ dashboards_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "job": { - "actions": {{ menu_actions | json }} - }, - "alerts": { - "advanced": false, - "groupItemsPerPage": 50, - "groupFetchLimit": 500, - "eventItemsPerPage": 50, - "eventFetchLimit": 500, - "relativeTimeValue": 24, - "relativeTimeUnit": 30, - "mostRecentlyUsedLimit": 5, - "ackEnabled": true, - "escalateEnabled": true, - "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "aggregationActionsEnabled": true, - "eventFields": {{ alerts_eventfields | json }}, - "queryBaseFilter": "event.dataset:alert", - "queryToggleFilters": [ - { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true }, - { "name": "escalated", 
"filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] } - ], - "queries": {{ alerts_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "cases": { - "advanced": false, - "groupItemsPerPage": 50, - "groupFetchLimit": 100, - "eventItemsPerPage": 50, - "eventFetchLimit": 500, - "relativeTimeValue": 12, - "relativeTimeUnit": 60, - "mostRecentlyUsedLimit": 5, - "ackEnabled": false, - "escalateEnabled": false, - "escalateRelatedEventsEnabled": false, - "aggregationActionsEnabled": false, - "viewEnabled": true, - "createLink": "/case/create", - "eventFields": {{ cases_eventfields | json }}, - "queryBaseFilter": "_index:\"*:so-case\" AND so_kind:case", - "queryToggleFilters": [ - ], - "queries": {{ cases_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "case": { - "mostRecentlyUsedLimit": 5, - "renderAbbreviatedCount": 30, - "analyzerNodeId": "{{ grains.host | lower }}", - "presets": { - "artifactType": {{ presets_artifacttype | json }}, - "category": {{ presets_category | json }}, - "pap": {{ presets_pap | json }}, - "severity": {{ presets_severity | json }}, - "status": {{ presets_status | json }}, - "tags": {{ presets_tag | json }}, - "tlp": {{ presets_tlp | json }} - } - } - } - } -} diff --git a/salt/soc/files/soc/soc.json.jinja b/salt/soc/files/soc/soc.json.jinja new file mode 100644 index 000000000..101959758 --- /dev/null +++ b/salt/soc/files/soc/soc.json.jinja @@ -0,0 +1,2 @@ +{% from 'soc/merged.map.jinja' import SOCMERGED -%} +{{ SOCMERGED | json(sort_keys=True, indent=4 * ' ') }} diff --git a/salt/soc/init.sls b/salt/soc/init.sls index bfb6ea4d9..151a817f6 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -29,6 +29,7 @@ soclogdir: - group: 939 - makedirs: True + socactions: file.managed: - name: /opt/so/conf/soc/menu.actions.json 
@@ -38,10 +39,11 @@ socactions: - mode: 600 - template: jinja + socconfig: file.managed: - name: /opt/so/conf/soc/soc.json - - source: salt://soc/files/soc/soc.json + - source: salt://soc/files/soc/soc.json.jinja - user: 939 - group: 939 - mode: 600 diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja new file mode 100644 index 000000000..7a6754f11 --- /dev/null +++ b/salt/soc/merged.map.jinja 
@@ -0,0 +1,42 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
+{% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
+
+{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
+{% if SOCMERGED.server.modules.cases != 'soc' %}
+{% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
+{% do SOCMERGED.client.update({'casesEnabled': false}) %}
+{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
+{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
+{% if SOCMERGED.server.modules.cases == 'elasticcases' %}
+{% do SOCMERGED.server.modules.update({
+ 'elasticcases': {
+ 'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':5601',
+ 'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user,
+ 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass,
+ }
+ }) %}
+{% endif %}
+{% endif %}
+{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
+{% do SOCMERGED.server.modules.pop('cases') %}
+
+{# change some options if this is airgap #}
+{% if GLOBALS.airgap %}
+{% do SOCMERGED.client.update({
+ 'docsUrl': '/docs/',
+ 'cheatsheetUrl': '/docs/cheatsheet.pdf',
+ 'releaseNotesUrl': '/docs/#release-notes'
+ })
+%}
+{% endif %}
+
+{% if pillar.manager.playbook == 0 %}
+{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %}
+{% endif %}
+
+{% do SOCMERGED.client.inactiveTools.append('toolFleet') %}
+
+{% if pillar.manager.grafana == 0 %}
+{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %}
+{% endif %}
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index b6b6825eb..b91b696f8 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
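Review bot: `pillar.manager.playbook` and `pillar.manager.grafana` are read by direct attribute access, so a pillar without a `manager` key can fail the render and a missing leaf key silently skips the branch. The deleted soc.json used `salt['pillar.get']` with a default; `{% if salt['pillar.get']('manager:playbook', 0) == 0 %}` (and the same for `manager:grafana`) keeps that default explicit. The `elasticcases` branch likewise dereferences `GLOBALS.elasticsearch.auth.users.so_elastic_user.pass` without the `elasticsearch:auth:enabled` check the old template had. Separately, when `cases` is not `soc` only `client.hunt` and `client.alerts` get `escalateRelatedEventsEnabled: false`, whereas the old template also set it for `dashboards`, so that section presumably keeps whatever the defaults file carries.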
@@ -1,16 +1,11 @@ -{%- set MANAGER = salt['pillar.get']('manager:mainip', '') %} +{%- set MANAGER = salt['pillar.get']('global:managerip', '') %} {%- set URLBASE = salt['pillar.get']('global:url_base', '') %} {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %} {%- set THEHIVEURL = salt['pillar.get']('global:hiveurl', '') %} {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %} -{%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set PLAYBOOK_KEY = salt['pillar.get']('secrets:playbook_automation_api_key', '') %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} [es] es_url = https://{{MANAGER}}:9200 diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 7ad2640ea..e2a505d2c 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,11 +1,11 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set MANAGER_URL = salt['pillar.get']('global:url_base', '') %} -{% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} +{% set MANAGER_URL = salt['pillar.get']('global:url_base') %} +{% set MANAGER_IP = salt['pillar.get']('global:managerip') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} include: 
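Review bot: Blank credentials can now reach the rendered config silently, because `ES_USER`, `ES_PASS` and `PLAYBOOK_KEY` are always looked up but still default to `''`. The `elasticsearch:auth:enabled` guard is gone, and the playbook key moves to `secrets:playbook_automation_api_key` in this same hunk, so a node whose pillar still has only the old key renders an empty value instead of failing the state. I would add a comment above these lookups, `{#- secrets: an empty value here means the pillar key is missing -#}`, and confirm that the state managing SOCtopus.conf sets a restrictive file mode, since the file now always carries these values. The rest of the template is outside this hunk, so how an empty value is consumed is not visible here.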
@@ -66,7 +66,7 @@ so-soctopus: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw - - /opt/so/conf/navigator/layers/:/etc/playbook/:rw + - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw - /opt/so/conf/soctopus/sigma-import/:/SOCtopus/sigma-import/:rw {% if ISAIRGAP is sameas true %} - /nsm/repo/rules/sigma:/soctopus/sigma diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 533f347d8..1ef4a08ea 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,18 +1,19 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + -{% set manager = salt['grains.get']('master') %} -{% set managerip = salt['pillar.get']('global:managerip', '') %} -{% set HOSTNAME = salt['grains.get']('host') %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} -{% set MAININT = salt['pillar.get']('host:mainint') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} -{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% if grains.role in ['so-heavynode'] %} - {% set COMMONNAME = salt['grains.get']('host') %} + {% set COMMONNAME = GLOBALS.hostname %} {% else %} - {% set COMMONNAME = manager %} + {% set COMMONNAME = GLOBALS.manager %} {% endif %} {% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %} 
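Review bot: A single-file bind mount such as the new `/opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw` entry depends on the host file already existing when the container is created, because otherwise Docker creates a directory at that path. If the host file is later replaced rather than rewritten in place, the container also keeps seeing the old inode. Nothing in this hunk makes the so-soctopus state wait for the file, so I would add a requisite on whichever state manages it, e.g. `- require:` with `- file: <state managing nav_layer_playbook.json>` (placeholder; that state's name is not visible here). Narrowing the mount from the whole layers directory to one file is otherwise a sensible reduction of what the container can write. The so-soctopus state begins and ends outside this hunk, so an existing requisite may already cover this.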
@@ -23,7 +24,7 @@ include: {% else %} include: - ca.dirs - {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} + {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %} {% for host in x509dict %} {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} @@ -53,25 +54,10 @@ m2cryptopkgs: {% endif %} {% endif %} -removefbcertdir: - file.absent: - - name: /etc/pki/filebeat.crt - - onlyif: "test -d /etc/pki/filebeat.crt" - -removefbp8dir: - file.absent: - - name: /etc/pki/filebeat.p8 - - onlyif: "test -d /etc/pki/filebeat.p8" - -removeesp12dir: - file.absent: - - name: /etc/pki/elasticsearch.p12 - - onlyif: "test -d /etc/pki/elasticsearch.p12" - influxdb_key: x509.private_key_managed: - name: /etc/pki/influxdb.key - - CN: {{ HOSTNAME }} + - CN: {{ GLOBALS.hostname }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -93,8 +79,8 @@ influxdb_crt: - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -121,7 +107,7 @@ influxkeyperms: redis_key: x509.private_key_managed: - name: /etc/pki/redis.key - - CN: {{ HOSTNAME }} + - CN: {{ GLOBALS.hostname }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -140,10 +126,10 @@ redis_crt: x509.certificate_managed: - name: /etc/pki/redis.crt - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - signing_policy: registry - public_key: /etc/pki/redis.key - - CN: {{ HOSTNAME }} + - CN: {{ GLOBALS.hostname }} - days_remaining: 0 - days_valid: 820 - backup: True 
@@ -192,8 +178,8 @@ etc_filebeat_crt: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /etc/pki/filebeat.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -251,7 +237,7 @@ fbcrtlink: registry_key: x509.private_key_managed: - name: /etc/pki/registry.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -271,10 +257,10 @@ registry_crt: x509.certificate_managed: - name: /etc/pki/registry.crt - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ manager }}, IP:{{ managerip }} + - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} - signing_policy: registry - public_key: /etc/pki/registry.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -319,8 +305,8 @@ regkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -356,7 +342,7 @@ elasticp12perms: managerssl_key: x509.private_key_managed: - name: /etc/pki/managerssl.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 
@@ -378,8 +364,8 @@ managerssl_crt: - ca_server: {{ ca_server }} - signing_policy: managerssl - public_key: /etc/pki/managerssl.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True 
@@ -401,53 +387,10 @@ msslkeyperms: {% endif %} -# Create a private key and cert for OSQuery -fleet_key: - x509.private_key_managed: - - name: /etc/pki/fleet.key - - CN: {{ HOSTNAME }} - - bits: 4096 - - days_remaining: 0 - - days_valid: 820 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/fleet.key') -%} - - prereq: - - x509: /etc/pki/fleet.crt - {%- endif %} - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleet_crt: - x509.certificate_managed: - - name: /etc/pki/fleet.crt - - signing_private_key: /etc/pki/fleet.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }},IP:{{ MAINIP }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleetkeyperms: - file.managed: - - replace: False - - name: /etc/pki/fleet.key - - mode: 640 - - group: 939 {% endif %} -{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %} +{% if grains['role'] in ['so-sensor', 'so-manager', 'so-searchnode', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %} fbcertdir: file.directory: 
@@ -479,8 +422,8 @@ conf_filebeat_crt: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True 
@@ -519,105 +462,11 @@ chownfilebeatp8: {% endif %} -{% if grains['role'] == 'so-fleet' %} - -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - CN: {{ manager }} - - bits: 4096 - - days_remaining: 0 - - days_valid: 820 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - public_key: /etc/pki/managerssl.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 - -# Create a private key and cert for Fleet -fleet_key: - x509.private_key_managed: - - name: /etc/pki/fleet.key - - CN: {{ manager }} - - bits: 4096 - - days_remaining: 0 - - days_valid: 820 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/fleet.key') -%} - - prereq: - - x509: /etc/pki/fleet.crt - {%- endif %} - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleet_crt: - x509.certificate_managed: - - name: /etc/pki/fleet.crt - - signing_private_key: /etc/pki/fleet.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if 
CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleetkeyperms: - file.managed: - - replace: False - - name: /etc/pki/fleet.key - - mode: 640 - - group: 939 - -{% endif %} - -{% if grains['role'] == 'so-node' %} +{% if grains['role'] == 'so-searchnode' %} # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -637,8 +486,8 @@ fleetkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 56a5b9dcc..6bdd1b1d1 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -16,8 +16,8 @@ {% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} -{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set MANAGERIP = salt['pillar.get']('global:managerip') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% set ENGINE = salt['pillar.get']('global:mdengine', '') %} 
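Review bot: Dropping the fallback in `{% set VERSION = salt['pillar.get']('global:soversion') %}` means a minion whose pillar lacks that key now renders an empty `VERSION` rather than `HH1.2.2`, because `pillar.get` returns an empty string for a missing key unless `pillar_raise_on_missing` is enabled. Where `VERSION` ends up in an image reference (outside this hunk), an empty tag could either fail late or resolve to a different image than intended, so the render should stop early when the value is unset. At minimum a comment would document the new contract: `{# global:soversion has no fallback; the state must not run if it is unset #}`. The same change appears in the hunks for `salt/suricata/init.sls`, `salt/tcpreplay/init.sls` and `salt/telegraf/init.sls`.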
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean index 1e58eeeac..57d44e705 100644 --- a/salt/suricata/cron/so-suricata-eve-clean +++ b/salt/suricata/cron/so-suricata-eve-clean @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see .. /usr/sbin/so-common +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common APP=so-suricata-eve-clean lf=/tmp/$APP-pidLockFile diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 84b45b369..3d87eca9f 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml 
@@ -20,21 +20,18 @@ suricata: port-groups: HTTP_PORTS: "80" SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 + ORACLE_PORTS: "1521" + SSH_PORTS: "22" + DNP3_PORTS: "20000" + MODBUS_PORTS: "502" FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 + FTP_PORTS: "21" + VXLAN_PORTS: "4789" + TEREDO_PORTS: "3544" default-log-dir: /var/log/suricata/ stats: enabled: "yes" interval: 30 - #decoder-events: true - #decoder-events-prefix: "decoder.event" - #stream-events: false outputs: - fast: enabled: "no" @@ -45,20 +42,6 @@ suricata: filetype: regular filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour - #prefix: "@cee: " - #identity: "suricata" - #facility: local5 - #level: Info - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true - # mode: list - # key: suricata - # pipelining: - # enabled: "yes" - # batch-size: 10 - #metadata: "no" pcap-file: false community-id: true community-id-seed: 0 @@ -79,8 +62,6 @@ suricata: rule: metadata: true raw: true - # http-body: "yes" - # http-body-printable: "yes" tagged-packets: "no" - unified2-alert: enabled: "no" @@ -88,41 +69,26 @@ suricata: enabled: "no" filename: http.log append: "yes" - #extended: "yes" - #custom: "yes" - #customformat: "" - #filetype: regular - tls-log: enabled: "no" filename: tls.log append: "yes" - #extended: "yes" - #custom: "yes" - #customformat: "" - #filetype: regular - #session-resumption: "no" - tls-store: enabled: "no" - #certs-log-dir: certs - pcap-log: enabled: "no" filename: log.pcap limit: 1000mb max-files: 2000 compression: none - #lz4-checksum: "no" - #lz4-level: 0 - + mode: normal - #dir: /nsm_data/ - #ts-format: usec use-stream-depth: "no" honor-pass-rules: "no" - alert-debug: enabled: "no" filename: alert-debug.log append: "yes" - #filetype: regular - alert-prelude: enabled: "no" profile: suricata 
@@ -137,20 +103,12 @@ suricata: null-values: "yes" - syslog: enabled: "no" - #identity: "suricata" facility: local5 - #level: Info - drop: enabled: "no" - file-store: version: 2 enabled: "no" - #dir: filestore - #write-fileinfo: "yes" - #force-filestore: "yes" - #stream-depth: 0 - #max-open-files: 1000 - #force-hash: [sha1, md5] xff: enabled: "no" mode: extra-data @@ -166,36 +124,23 @@ suricata: filename: http-data.log - lua: enabled: "no" - #scripts-dir: /etc/suricata/lua-output/ scripts: - # - script1.lua logging: default-log-level: notice - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " outputs: - console: enabled: "yes" - # type: json - file: enabled: "yes" level: info filename: suricata.log - # type: json - syslog: enabled: "no" facility: local5 format: "[%i] <%d> -- " - # type: json pcap: - interface: eth0 - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - #checksum-checks: auto - #threads: 16 - #promisc: "no" - #snaplen: 1518 - interface: default - #checksum-checks: auto pcap-file: checksum-checks: auto app-layer: @@ -210,13 +155,10 @@ suricata: enabled: "yes" detection-ports: dp: 443 - #ja3-fingerprints: auto - #encryption-handling: default dcerpc: enabled: "yes" ftp: enabled: "yes" - # memcap: 64mb rdp: enabled: "yes" ssh: @@ -241,16 +183,14 @@ suricata: enabled: "yes" detection-ports: dp: 139, 445 - #stream-depth: 0 - nfs: enabled: "yes" tftp: enabled: "yes" dns: - #global-memcap: 16mb - #state-memcap: 512kb - #request-flood: 500 + global-memcap: 16mb + state-memcap: 512kb + request-flood: 500 tcp: enabled: "yes" detection-ports: @@ -261,14 +201,6 @@ suricata: dp: 53 http: enabled: "yes" - # memcap: - # default-config: - # personality: - # request-body-limit: - # response-body-limit: - # server-config: - # address: - # personalitiy: libhtp: default-config: personality: IDS 
@@ -280,49 +212,25 @@ suricata: response-body-inspect-window: 16kb response-body-decompress-layer-limit: 2 http-body-inline: auto - # compress-depth: - # decompress-depth: swf-decompression: enabled: "yes" type: both compress-depth: 0 decompress-depth: 0 - #randomize-inspection-sizes: "yes" - #randomize-inspection-range: 10 double-decode-path: "no" double-decode-query: "no" - #lzma-enabled: "yes" - #lzma-memlimit: 1mb - #compression-bomb-limit: 1mb server-config: - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: "no" - # double-decode-query: "no" - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: "no" - # double-decode-query: "no" modbus: - #request-flood: 500 - enabled: "no" + enabled: "yes" detection-ports: dp: 502 stream-depth: 0 dnp3: - enabled: "no" + enabled: "yes" detection-ports: dp: 20000 enip: - enabled: "no" + enabled: "yes" detection-ports: dp: 44818 sp: 44818 
@@ -332,42 +240,20 @@ suricata: enabled: "yes" sip: enabled: "yes" - rfb: - enabled: "yes" - detection-ports: - dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 - mqtt: - enabled: "no" - http2: - enabled: "no" - asn1-max-frames: 256 run-as: user: suricata group: suricata - #sensor-name: suricata - #pid-file: /var/run/suricata.pid - #daemon-directory: "/" - #umask: 022 coredump: max-dump: unlimited host-mode: auto max-pending-packets: 5000 runmode: workers - #autofp-scheduler: hash - default-packet-size: 1500 + default-packet-size: 9014 unix-command: enabled: auto - #filename: custom.socket - #magic-file: /usr/share/file/magic - #magic-file: - #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb legacy: uricontent: enabled - #reputation-categories-file: /etc/suricata/iprep/categories.txt - #default-reputation-path: /etc/suricata/iprep - #reputation-files: - # - reputation.list engine-analysis: rules-fast-pattern: "yes" rules: "yes" @@ -400,8 +286,6 @@ suricata: hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - #managers: 1 - #recyclers: 1 vlan: use-for-tracking: true flow-timeouts: @@ -447,18 +331,10 @@ suricata: toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: "yes" - #randomize-chunk-range: 10 - #raw: "yes" - #segment-prealloc: 2048 - #check-overlap-different-data: true host: hash-size: 4096 prealloc: 1000 memcap: 32mb - #ippair: - # hash-size: 4096 - # prealloc: 1000 - # memcap: 32mb decoder: teredo: enabled: true @@ -467,6 +343,7 @@ suricata: enabled: true ports: $VXLAN_PORTS erspan: + enabled: true detect: profile: medium custom-values: @@ -474,15 +351,10 @@ suricata: toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 - #delayed-detect: "yes" prefilter: default: mpm grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - profiling: - #inspect-logging-threshold: 200 grouping: dump-to-disk: false include-rules: false 
@@ -496,12 +368,10 @@ suricata: states: 128 profiling: - #sample-rate: 1000 rules: enabled: "yes" filename: rule_perf.log append: "yes" - #sort: avgticks limit: 10 json: "yes" keywords: @@ -534,14 +404,6 @@ suricata: filename: pcaplog_stats.log append: "yes" nfq: - # mode: accept - # repeat-mark: 1 - # repeat-mask: 1 - # bypass-mark: 1 - # bypass-mask: 1 - # route-queue: 2 - # batchcount: 20 - # fail-open: "yes" nflog: - group: 2 buffer-size: 18432 
@@ -550,178 +412,13 @@ suricata: qtimeout: 100 max-size: 20000 capture: - #checksum-validation: none netmap: - interface: eth2 - #threads: auto - #copy-mode: tap - #copy-iface: eth3 - # disable-promisc: "no" - #checksum-checks: auto - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - interface: default - pfring: - - interface: eth0 - threads: auto - cluster-id: 99 - cluster-type: cluster_flow - #bpf-filter: tcp - #bypass: "yes" - #checksum-checks: auto - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - - interface: default - #threads: 2 ipfw: - # ipfw-reinjection-rule-number: 5500 - napatech: - #hba: -1 - #use-all-streams: "no" - streams: ["0-3"] - auto-config: "yes" - ports: [all] - hashmode: hash5tuplesorted default-rule-path: /etc/suricata/rules rule-files: - all.rules classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config - threshold-file: /etc/suricata/threshold.conf - #include: include1.yaml - #include: include2.yaml - classification: - attempted-admin: - description: Attempted Administrator Privilege Gain - priority: 1 - attempted-dos: - description: Attempted Denial of Service - priority: 2 - attempted-recon: - description: Attempted Information Leak - priority: 2 - attempted-user: - description: Attempted User Privilege Gain - priority: 1 - bad-unknown: - description: Potentially Bad Traffic - priority: 2 - coin-mining: - description: Crypto Currency Mining Activity Detected - priority: 2 - command-and-control: - description: Malware Command and Control Activity Detected - priority: 1 - credential-theft: - description: Successful Credential Theft Detected - priority: 1 - default-login-attempt: - description: Attempt to login by a default username and password - priority: 2 - denial-of-service: - description: Detection of a Denial of Service Attack - priority: 2 - domain-c2: - description: Domain Observed Used 
for C2 Detected - priority: 1 - exploit-kit: - description: Exploit Kit Activity Detected - priority: 1 - external-ip-check: - description: Device Retrieving External IP Address Detected - priority: 2 - icmp-event: - description: Generic ICMP event - priority: 3 - inappropriate-content: - description: Inappropriate Content was Detected - priority: 1 - misc-activity: - description: Misc activity - priority: 3 - misc-attack: - description: Misc Attack - priority: 2 - network-scan: - description: Detection of a Network Scan - priority: 3 - non-standard-protocol: - description: Detection of a non-standard protocol or event - priority: 2 - not-suspicious: - description: Not Suspicious Traffic - priority: 3 - policy-violation: - description: Potential Corporate Privacy Violation - priority: 1 - protocol-command-decode: - description: Generic Protocol Command Decode - priority: 3 - pup-activity: - description: Possibly Unwanted Program Detected - priority: 2 - rpc-portmap-decode: - description: Decode of an RPC Query - priority: 2 - shellcode-detect: - description: Executable code was detected - priority: 1 - social-engineering: - description: Possible Social Engineering Attempted - priority: 2 - string-detect: - description: A suspicious string was detected - priority: 3 - successful-admin: - description: Successful Administrator Privilege Gain - priority: 1 - successful-dos: - description: Denial of Service - priority: 2 - successful-recon-largescale: - description: Large Scale Information Leak - priority: 2 - successful-recon-limited: - description: Information Leak - priority: 2 - successful-user: - description: Successful User Privilege Gain - priority: 1 - suspicious-filename-detect: - description: A suspicious filename was detected - priority: 2 - suspicious-login: - description: An attempted login using a suspicious username was detected - priority: 2 - system-call-detect: - description: A system call was detected - priority: 2 - targeted-activity: - description: 
Targeted Malicious Activity was Detected - priority: 1 - tcp-connection: - description: A TCP connection was detected - priority: 4 - trojan-activity: - description: A Network Trojan was detected - priority: 1 - unknown: - description: Unknown Traffic - priority: 3 - unsuccessful-user: - description: Unsuccessful User Privilege Gain - priority: 1 - unusual-client-port-connection: - description: A client was using an unusual port - priority: 2 - web-application-activity: - description: access to a potentially vulnerable web application - priority: 2 - web-application-attack: - description: Web Application Attack - priority: 1 + threshold-file: /etc/suricata/threshold.conf \ No newline at end of file diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja deleted file mode 100644 index 122cf4baf..000000000 --- a/salt/suricata/files/classification.config.jinja +++ /dev/null @@ -1,11 +0,0 @@ -{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%} -{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%} -# -# config classification:shortname,short description,priority -# -{% for sn, details in suricata_defaults.suricata.classification.items() -%} -{% if not details -%} -{% set details = {'description': 'The description is not set', 'priority': '1'} -%} -{% endif -%} -config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}} -{% endfor -%} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index db09e310b..a46f7425b 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls 
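Review bot: `classification-file: /etc/suricata/classification.config` is kept at the end of this hunk while the whole `classification:` map above it is removed, and the later hunks in `salt/suricata/init.sls` drop the `classification_config` state and its read-only bind mount. The container will therefore read whatever classification.config is in the image, and `suricata:classification` pillar overrides stop taking effect. Rules whose classtype is not defined in that file would presumably fail to load, which reduces alert coverage without any error on the Salt side. A comment next to the key would record the new source of truth: `# classification.config now comes from the container image; pillar suricata:classification is no longer applied`.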
@@ -1,24 +1,15 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %} {% from "suricata/map.jinja" import SURICATAOPTIONS with context %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} 
@@ -111,14 +102,6 @@ surithresholding: - group: 940 - template: jinja -classification_config: - file.managed: - - name: /opt/so/conf/suricata/classification.config - - source: salt://suricata/files/classification.config.jinja - - user: 940 - - group: 940 - - template: jinja - # BPF compilation and configuration {% if BPF_NIDS %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %} @@ -156,7 +139,6 @@ so-suricata: - binds: - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - /nsm/suricata/:/nsm/:rw @@ -168,12 +150,10 @@ so-suricata: - file: surithresholding - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf - - file: classification_config - require: - file: suriconfig - file: surithresholding - file: suribpf - - file: classification_config {% else %} {# if Suricata isn't enabled, then stop and remove the container #} - force: True diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml new file mode 100644 index 000000000..65cb69a35 --- /dev/null +++ b/salt/suricata/soc_suricata.yaml 
@@ -0,0 +1,123 @@ +suricata: + config: + vars: + address-groups: + HOME_NET: + description: List of hosts or netowrks. + EXTERNAL_NET: + description: List of hosts or netowrks. + HTTP_SERVERS: + description: List of hosts or netowrks. + SMTP_SERVERS: + description: List of hosts or netowrks. + SQL_SERVERS: + description: List of hosts or netowrks. + DNS_SERVERS: + description: List of hosts or netowrks. + TELNET_SERVERS: + description: List of hosts or netowrks. + AIM_SERVERS: + description: List of hosts or netowrks. + DC_SERVERS: + description: List of hosts or netowrks. + DNP3_SERVER: + description: List of hosts or netowrks. + DNP3_CLIENT: + description: List of hosts or netowrks. + MODBUS_CLIENT: + description: List of hosts or netowrks. + MODBUS_SERVER: + description: List of hosts or netowrks. + ENIP_CLIENT: + description: List of hosts or netowrks. + ENIP_SERVER: + description: List of hosts or netowrks. + port-groups: + HTTP_PORTS: + description: List of HTTP ports to look for HTTP traffic on. + SHELLCODE_PORTS: + description: List of SHELLCODE ports to look for SHELLCODE traffic on. + ORACLE_PORTS: + description: List of ORACLE ports to look for ORACLE traffic on. + SSH_PORTS: + description: List of SSH ports to look for SSH traffic on. + DNP3_PORTS: + description: List of DNP3 ports to look for DNP3 traffic on. + MODBUS_PORTS: + description: List of MODBUS ports to look for MODBUS traffic on. + FILE_DATA_PORTS: + description: List of FILE_DATA ports to look for FILE_DATA traffic on. + FTP_PORTS: + description: List of FTP ports to look for FTP traffic on. + VXLAN_PORTS: + description: List of VXLAN ports to look for VXLAN traffic on. + TEREDO_PORTS: + description: List of TEREDO ports to look for TEREDO traffic on. + outputs: + eve-log: + xff: + enabled: + description: Enable X-Forward-For support. + mode: + description: Operation mode. This should always be extra-data if you use PCAP. 
+ deployment: + description: forward would use the first IP address and reverse would use the last. + header: + description: Header name where the actual IP address will be reported. + asn1-max-frames: + description: Maximum nuber of asn1 frames to decode. + max-pending-packets: + description: Number of packets preallocated per thread. + default-packet-size: + description: Preallocated size for each packet. + pcre: + match-limit: + description: Match limit for PCRE. + match-limit-recursion: + description: Recursion limit for PCRE. + defrag: + memcap: + description: Max memory to use for defrag. You should only change this if you know what you are doing. + hash-size: + description: Hash size + trackers: + description: Number of defragmented flows to follow. + max-frags: + description: Max number of fragments to keep + prealloc: + description: Preallocate memory. + timeout: + description: Timeout value. + flow: + memcap: + description: Reserverd memory for flows. + hash-size: + description: Determines the size of the hash used to identify flows inside the engine. + prealloc: + description: Number of preallocated flows. + stream: + memcap: + description: Can be specified in kb,mb,gb. + checksum-validation: + description: Validate checksum of packets. + reassembly: + memcap: + description: Can be specified in kb,mb,gb. + host: + hash-size: + description: Hash size in bytes. + prealloc: + description: How many streams to preallocate. + memcap: + description: Memory settings for host. + decoder: + teredo: + enabled: + description: Enable TEREDO capabilities + ports: + description: Ports to listen for. This should be a variable. + vxlan: + enabled: + description: Enable VXLAN capabilities. + ports: + description: Ports to listen for. This should be a variable. \ No newline at end of file diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index 0fa853d22..c638b98fc 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls 
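Review bot: Several `description:` strings in this new file are misspelled and will presumably be shown to operators as written: `netowrks` in every address-group entry, `X-Forward-For`, `nuber` and `Reserverd`. Suggested replacements are `description: List of hosts or networks.`, `description: Enable X-Forwarded-For support.` and `description: Maximum number of asn1 frames to decode.`, plus `Reserved memory for flows.` for the flow memcap. All address-group entries also share one sentence, so `HOME_NET` and `EXTERNAL_NET` read identically even though they determine rule direction. Distinct text for those two would make a misconfigured sensor less likely.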
@@ -1,7 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index cc494f252..de9bf6120 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -16,7 +16,7 @@ {%- set MANAGER = salt['grains.get']('master') %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} {%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} @@ -628,19 +628,15 @@ [[inputs.elasticsearch]] servers = ["https://{{ MANAGER }}:9200"] cluster_stats = true -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" -{%- endif %} insecure_skip_verify = true -{%- elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} +{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] cluster_stats = true -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" -{%- endif %} insecure_skip_verify = true {%- endif %} 
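Review bot: With the `elasticsearch:auth:enabled` guards removed, both `[[inputs.elasticsearch]]` stanzas in the `-628` hunk now always send `ES_USER`/`ES_PASS` while `insecure_skip_verify = true` is kept, so the password is presented to whatever answers on port 9200 without certificate checking. The grid already issues certificates from its own CA, so Telegraf could verify the peer instead: `tls_ca = "<path to the grid CA inside the telegraf container>"` and `insecure_skip_verify = false`. `ES_USER` and `ES_PASS` also default to `''`, so a missing pillar now renders empty credentials silently rather than omitting the lines. The hunks at `-677` and `-692` remove the same guard for the logstash and beat inputs.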
@@ -677,14 +673,12 @@ # ## Use TLS but skip chain & host verification # # insecure_skip_verify = false -{% if grains.role in ['so-node','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%} +{% if grains.role in ['so-searchnode','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%} [[inputs.logstash]] url = "http://localhost:9600" collect = ["pipelines"] -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user') }}" password = "{{ salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass') }}" -{%- endif %} {%- endif %} {# if grains.role in ['so-eval','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%} @@ -692,14 +686,12 @@ servers = ["tcp://localhost:6379"] {%- endif #} -{%- if grains.role in ['so-node', 'so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} +{%- if grains.role in ['so-searchnode', 'so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} [[inputs.beat]] url = "http://127.0.0.1:5066" include = ["filebeat", "libbeat"] -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ salt['pillar.get']('elasticsearch:auth:users:so_beats_user:user') }}" password = "{{ salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass') }}" -{%- endif %} {%- endif %} # # Read metrics from one or more commands that can output to stdout @@ -735,7 +727,7 @@ data_format = "influx" ## Timeout for each command to complete. timeout = "15s" -{% elif grains['role'] in ['so-node', 'so-receiver'] %} +{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %} [[inputs.exec]] commands = [ "/scripts/eps.sh", diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 3c46b4956..a95690455 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls 
@@ -2,7 +2,7 @@ {% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} include: diff --git a/salt/telegraf/scripts/beatseps.sh b/salt/telegraf/scripts/beatseps.sh index aea1cc2f2..5f3db53f8 100644 --- a/salt/telegraf/scripts/beatseps.sh +++ b/salt/telegraf/scripts/beatseps.sh @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh index 3696c6b5b..6b2f1333d 100644 --- a/salt/telegraf/scripts/checkfiles.sh +++ b/salt/telegraf/scripts/checkfiles.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/eps.sh b/salt/telegraf/scripts/eps.sh index 903e11646..10193cc38 100644 --- a/salt/telegraf/scripts/eps.sh +++ b/salt/telegraf/scripts/eps.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh index 47f1121d9..b85db2a8c 100644 --- a/salt/telegraf/scripts/helixeps.sh +++ b/salt/telegraf/scripts/helixeps.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/influxdbsize.sh b/salt/telegraf/scripts/influxdbsize.sh index bf4431a10..b41f73485 100644 --- a/salt/telegraf/scripts/influxdbsize.sh +++ b/salt/telegraf/scripts/influxdbsize.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index 4c90dd986..bb1be457f 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/raid.sh b/salt/telegraf/scripts/raid.sh index a483151a2..89c35ae05 100644 --- a/salt/telegraf/scripts/raid.sh +++ b/salt/telegraf/scripts/raid.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh index f98a36045..f0c361037 100644 --- a/salt/telegraf/scripts/redis.sh +++ b/salt/telegraf/scripts/redis.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/sostatus.sh b/salt/telegraf/scripts/sostatus.sh index 0d49d9b7e..567e6b027 100644 --- a/salt/telegraf/scripts/sostatus.sh +++ b/salt/telegraf/scripts/sostatus.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh index 298272bb4..5c27ee7a5 100644 --- a/salt/telegraf/scripts/stenoloss.sh +++ b/salt/telegraf/scripts/stenoloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index 4e43cd00c..78b2aee08 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index 03dd243e1..e0c8758f2 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 2a59096e9..72f6a7c7d 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage diff --git a/salt/top.sls b/salt/top.sls index 87f96143f..6dc1f7dc2 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -1,10 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} -{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} @@ -38,33 +39,12 @@ base: - motd - salt.minion-check - salt.lasthighstate + - docker 'not *_workstation and G@saltversion:{{saltversion}}': - match: compound - common - '*_helixsensor and G@saltversion:{{saltversion}}': - - match: compound - - salt.master - - ca - - ssl - - registry - - sensoroni - - telegraf - - firewall - - idstools - - suricata.manager - - pcap - - suricata - - zeek - - redis - - elasticsearch - - logstash - {%- if FILEBEAT %} - - filebeat - {%- endif %} - - schedule - '*_sensor and G@saltversion:{{saltversion}}': - match: compound - ssl @@ -78,16 +58,10 @@ base: {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if STRELKA %} - strelka {%- endif %} - filebeat - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - schedule - docker_clean 
@@ -109,12 +83,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -136,11 +105,6 @@ base: {%- if ELASTALERT %} - elastalert {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - redis - - fleet - - fleet.install_package - {%- endif %} - utility - schedule - soctopus @@ -148,12 +112,6 @@ base: - playbook - redis {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean - pipeline.load - learn @@ -175,12 +133,7 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -203,20 +156,8 @@ base: - curator - utility - schedule - {%- if FLEETMANAGER or FLEETNODE %} - - fleet - - fleet.install_package - {%- endif %} - soctopus - {%- if PLAYBOOK != 0 %} - playbook - {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean - pipeline.load - learn @@ -239,12 +180,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -272,23 +208,12 @@ base: {%- if ELASTALERT %} - elastalert {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet - - fleet.install_package - {%- endif %} - utility - schedule - soctopus - {%- if PLAYBOOK != 0 %} - playbook - {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean + - elastic-fleet - pipeline.load - learn 
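Review bot: `- mysql` in the -109,12 hunk, and `- playbook` in the -203,20 and -272,23 hunks (and -363,20 further down), lose their `PLAYBOOK != 0` guard, so an operator who set `manager:playbook` to 0 gets both services applied again on those roles. The `{% set PLAYBOOK = ... %}` line is kept at the top of the file, and the context of the -148,12 hunk still closes a conditional around `- playbook` and `- redis`, so the roles now disagree on whether the pillar is honoured. If Playbook is meant to be mandatory, drop the variable and the remaining guard; otherwise restore `{%- if PLAYBOOK != 0 %}` around `- mysql` and `- playbook`. The enclosing role blocks start outside these hunks, so which role each hunk belongs to is inferred from context.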
@@ -299,9 +224,6 @@ base: - nginx - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -312,9 +234,6 @@ base: {%- if FILEBEAT %} - filebeat {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - schedule - docker_clean - pipeline.load @@ -336,12 +255,7 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -363,20 +277,8 @@ base: {%- endif %} - utility - schedule - {%- if FLEETMANAGER or FLEETNODE %} - - fleet - - fleet.install_package - {%- endif %} - soctopus - {%- if PLAYBOOK != 0 %} - playbook - {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean - pipeline.load - learn @@ -388,9 +290,6 @@ base: - nginx - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -407,9 +306,6 @@ base: {%- if STRELKA %} - strelka {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - pcap - suricata {%- if ZEEKVER != 'SURICATA' %} @@ -422,21 +318,6 @@ base: - docker_clean - pipeline.load - '*_fleet and G@saltversion:{{saltversion}}': - - match: compound - - ssl - - sensoroni - - nginx - - telegraf - - firewall - - mysql - - redis - - fleet - - fleet.install_package - - filebeat - - schedule - - docker_clean - '*_import and G@saltversion:{{saltversion}}': - match: compound - salt.master @@ -475,9 +356,6 @@ base: - sensoroni - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if LOGSTASH %} - logstash {%- endif %} 
@@ -487,9 +365,6 @@ base: {%- if FILEBEAT %} - filebeat {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - schedule - docker_clean @@ -499,12 +374,6 @@ base: - sensoroni - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - schedule - docker_clean - filebeat diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams index 38222bbec..38b7ab09c 100644 --- a/salt/utility/bin/crossthestreams +++ b/salt/utility/bin/crossthestreams @@ -1,5 +1,5 @@ #!/bin/bash -{% set ES = salt['pillar.get']('manager:mainip', '') %} +{% set ES = salt['pillar.get']('global:managerip', '') %} {% set MANAGER = salt['grains.get']('master') %} {% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} @@ -8,7 +8,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 30 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" 
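Review bot: The readiness probe in `salt/utility/bin/crossthestreams` now loads credentials with `-K /opt/so/conf/elasticsearch/curl.config` while keeping `-k`, so they are offered to whatever answers on `https://{{ ES }}:9200` without certificate verification. The same combination is on the two `-XPUT` calls in the -28,15 hunk and on both calls in `salt/utility/bin/eval`. I would replace `-k` with `--cacert <path-to-ca-cert>` on all five calls (placeholder; the CA path is not shown in this patch). The `while` loop continues outside this hunk.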
@@ -28,15 +28,15 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then fi echo "Applying cross cluster search config..." - {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" # Add all the search nodes to cross cluster searching. {%- if TRUECLUSTER is sameas false %} {%- if salt['pillar.get']('nodestab', {}) %} {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} -{{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"cluster": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' {%- endfor %} {%- endif %} {%- endif %} diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval index e96fc9a78..4b595fc0f 100644 --- a/salt/utility/bin/eval +++ b/salt/utility/bin/eval 
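Review bot: Both `_cluster/settings` payloads here, and the one in the -26,6 hunk of `salt/utility/bin/eval`, change the key from `cluster.remote` to `search.remote`. As far as I know `search.remote.*` is the legacy name that Elasticsearch deprecated in favour of `cluster.remote.*` and later removed, so confirm it against the release being deployed. None of the PUT calls checks the result: they use `-s` without `--fail`, so a rejected setting passes silently after the "Applying cross cluster search config..." message. Adding `--fail` and testing `$?`, as the probe loop already does, would surface it.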
@@ -1,12 +1,12 @@ #!/bin/bash -{% set ES = salt['pillar.get']('manager:mainip', '') %} +{% set ES = salt['pillar.get']('global:managerip', '') %} # Wait for ElasticSearch to come up, so that we can query for version infromation echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 30 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" @@ -26,6 +26,6 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then fi echo "Applying cross cluster search config..." - {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 1ff69ae71..a131f0f54 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,8 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} - + # This state is for checking things {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} # Make sure Cross Cluster is good. Will need some logic once we have hot/warm @@ -12,9 +11,7 @@ crossclusterson: - cwd: /opt/so - source: salt://utility/bin/crossthestreams - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} - + {% endif %} {% if grains['role'] in ['so-eval', 'so-import'] %} fixsearch: 
@@ -23,8 +20,6 @@ fixsearch: - cwd: /opt/so - source: salt://utility/bin/eval - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} {% endif %} {% else %} diff --git a/salt/vars/elasticsearch.map.jinja b/salt/vars/elasticsearch.map.jinja new file mode 100644 index 000000000..f7a39ee61 --- /dev/null +++ b/salt/vars/elasticsearch.map.jinja @@ -0,0 +1,14 @@ +{% import 'vars/init.map.jinja' as INIT %} + +{% + + set ELASTICSEARCH_GLOBALS = { + 'elasticsearch': { + 'auth': INIT.PILLAR.elasticsearch.auth, + 'es_cluster_name': INIT.PILLAR.elasticsearch.config.cluster.name, + 'es_heap': INIT.PILLAR.elasticsearch.esheap + } + } + + +%} diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja new file mode 100644 index 000000000..9a6dd7f33 --- /dev/null +++ b/salt/vars/globals.map.jinja 
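Review bot: `'auth': INIT.PILLAR.elasticsearch.auth` in the new `salt/vars/elasticsearch.map.jinja` copies the whole auth subtree into `ELASTICSEARCH_GLOBALS`. Judging by pillar paths used elsewhere in this patch (`elasticsearch:auth:users:so_logstash_user:pass`), that subtree presumably holds every service account's password. Once merged into the role globals, any template importing the map can render any of those secrets, and a debug dump of the dict would print them. I would expose only what consumers need, e.g. `'auth_enabled': INIT.PILLAR.elasticsearch.auth.enabled`, and let templates that need a password read its pillar key directly. The attribute chain `INIT.PILLAR.elasticsearch.config.cluster.name` also fails the render when a level is missing; `logstash.map.jinja` uses `.get('nodes', {})` for that case.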
@@ -0,0 +1,50 @@
+{% import 'vars/init.map.jinja' as INIT %}
+
+{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
+
+{%
+ set GLOBALS = {
+ 'hostname': INIT.GRAINS.nodename,
+ 'is_manager': false,
+ 'manager': INIT.GRAINS.master,
+ 'minion_id': INIT.GRAINS.id,
+ 'node_ip': INIT.GRAINS.ip_interfaces.get(INIT.PILLAR.host.mainint)[0],
+ 'role': INIT.GRAINS.role,
+ 'airgap': INIT.PILLAR.global.airgap,
+ 'ids': INIT.PILLAR.global.ids,
+ 'image_repo': INIT.PILLAR.global.imagerepo,
+ 'repo_host': INIT.PILLAR.global.repo_host,
+ 'registry_host': INIT.PILLAR.global.registry_host,
+ 'manager_ip': INIT.PILLAR.global.managerip,
+ 'md_engine': INIT.PILLAR.global.mdengine,
+ 'pipeline': INIT.PILLAR.global.pipeline,
+ 'so_version': INIT.PILLAR.global.soversion,
+ 'url_base': INIT.PILLAR.global.url_base,
+ 'docker_range': INIT.PILLAR.docker.range,
+ 'application_urls': {},
+ 'manager_roles': [
+ 'so-eval',
+ 'so-import',
+ 'so-manager',
+ 'so-managersearch',
+ 'so-standalone'
+ ]
+ }
+%}
+
+{%
+ do GLOBALS.update({
+ 'application_urls': {
+ 'kratos': 'http://' ~ GLOBALS.manager_ip ~ ':4434/',
+ 'elastic': 'https://' ~ GLOBALS.manager_ip ~ ':9200/',
+ 'influxdb': 'https://' ~ GLOBALS.manager_ip ~ ':8086/'
+ }
+ })
+%}
+
+{% if GLOBALS.role in GLOBALS.manager_roles %}
+{% do GLOBALS.update({'is_manager': true}) %}
+{% endif %}
+
+
+{% do salt['defaults.merge'](GLOBALS, ROLE_GLOBALS, merge_lists=False, in_place=True) %}
diff --git a/salt/vars/init.map.jinja b/salt/vars/init.map.jinja
new file mode 100644
index 000000000..2540b7916
--- /dev/null
+++ b/salt/vars/init.map.jinja
@@ -0,0 +1,2 @@
+{% set PILLAR = pillar %} {# store the in-memory pillar data #}
+{% set GRAINS = grains %} {# store the in-memory grain data #}
diff --git a/salt/vars/logstash.map.jinja b/salt/vars/logstash.map.jinja
new file mode 100644
index 000000000..5a6f2df35
--- /dev/null
+++ b/salt/vars/logstash.map.jinja
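Review bot: The `kratos` entry in `application_urls` is built as `'http://' ~ GLOBALS.manager_ip ~ ':4434/'`, plain HTTP to the manager's IP, while `elastic` and `influxdb` use `https://`. If 4434 is the Kratos admin API, identity-management calls from any node that consumes this URL would cross the network unencrypted, so either limit its use to the manager itself or put TLS in front of it. Separately, `INIT.GRAINS.ip_interfaces.get(INIT.PILLAR.host.mainint)[0]` fails the render with an opaque error when `mainint` names an interface the grain does not list, because `.get()` returns None before `[0]`; `.get(INIT.PILLAR.host.mainint, [''])[0]` would at least render. The dynamic import `'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja'` needs one map file per role, and only `sensor` and `standalone` are visible in this part of the patch.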
@@ -0,0 +1,11 @@ +{% import 'vars/init.map.jinja' as INIT %} + +{% + + set LOGSTASH_GLOBALS = { + 'logstash': { + 'nodes': INIT.PILLAR.logstash.get('nodes', {}) + } + } + +%} diff --git a/salt/vars/sensor.map.jinja b/salt/vars/sensor.map.jinja new file mode 100644 index 000000000..477761d7c --- /dev/null +++ b/salt/vars/sensor.map.jinja @@ -0,0 +1,8 @@ +{% set ROLE_GLOBALS = {} %} + +{% set SENSOR_GLOBALS = [] +%} + +{% for sg in SENSOR_GLOBALS %} +{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %} +{% endfor %} diff --git a/salt/vars/standalone.map.jinja b/salt/vars/standalone.map.jinja new file mode 100644 index 000000000..2efabefed --- /dev/null +++ b/salt/vars/standalone.map.jinja @@ -0,0 +1,15 @@ +{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} +{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %} + +{% set ROLE_GLOBALS = {} %} + +{% set STANDALONE_GLOBALS = + [ + ELASTICSEARCH_GLOBALS, + LOGSTASH_GLOBALS + ] +%} + +{% for sg in STANDALONE_GLOBALS %} +{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %} +{% endfor %} diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf deleted file mode 100644 index 136b998b1..000000000 --- a/salt/wazuh/files/agent/ossec.conf +++ /dev/null @@ -1,204 +0,0 @@ -{% set mainint = salt['pillar.get']('host:mainint') -%} -{% set ip = salt['grains.get']('ip_interfaces').get(mainint)[0] -%} - - - - - - -

{{ip}}
- 1514 - udp - -{%- if grains['os'] == 'Ubuntu' %} - ubuntu, ubuntu16, ubuntu16.04 -{%- else %} - centos, centos7 -{%- endif %} - 10 - 60 - yes - aes - - - - - no - 5000 - 500 - - - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - - 43200 - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - - yes - - - - yes - 1800 - 1d - yes - - - - yes - 1800 - 1d - yes - - wodles/java - wodles/ciscat - - - - - yes - yes - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - yes - - - - - no - 1h - yes - yes - yes - yes - yes - yes - yes - - - - - no - - - 43200 - - yes - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug - - - /etc/ssl/private.key - - yes - - - yes - - - yes - - - - - command - df -P - 360 - - - - full_command - netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - - - - - no - /var/ossec/etc/wpk_root.pem - yes - - - - - plain - - - - - - - syslog - /var/ossec/logs/active-responses.log - -{%- if grains['os'] == 'Ubuntu' %} - - syslog - /var/log/auth.log - -{%- else %} - - syslog - /var/log/secure - -{%- endif %} - - syslog - /var/log/syslog - - - - syslog - /var/log/dpkg.log - - - - syslog - /var/log/kern.log - - - diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent deleted file mode 100755 index 21c3c2f05..000000000 
--- a/salt/wazuh/files/agent/wazuh-register-agent +++ /dev/null @@ -1,184 +0,0 @@ -{% set mainint = salt['pillar.get']('host:mainint') -%} -{% set ip = salt['grains.get']('ip_interfaces').get(mainint)[0] -%} - -#!/bin/bash - -### -# Shell script for registering agents automatically with the API -# Copyright (C) 2017 Wazuh, Inc. All rights reserved. -# Wazuh.com -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. -### -# -# 12/11/2018 -# This script has been modified by Security Onion Solutions -# - Added Agent IP variable and option -### - -# Connection variables -API_IP="{{ ip }}" -API_PORT="55000" -PROTOCOL="https" -USER="foo" -PASSWORD="bar" -AGENT_NAME=$(hostname) -AGENT_IP="{{ip}}" -AGENT_ID=001 - -display_help() { -cat < agent is not registered -# if ! [ "$AGENT_ID" -eq "$AGENT_ID" ] 2> /dev/null ; then -# echo "Starting registration process ..." -# : -# elif [[ "$FORCE" = true && "$SILENT" = "true" ]] ; then -# remove_agent > /dev/null 2>&1 -# else -# if [[ "$FORCE" = true ]] ; then -# remove_agent -# fi -# fi - -if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then - echo "Agent $AGENT_ID already registered!" - exit 0 -else - retries=20 - if wait_for_manager $retries; then - if register_agent; then - cleanup_creds - echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log - exit 0 - else - echo "ERROR: Failed to register agent" - fi - else - echo "ERROR: Wazuh manager did not become ready after $retries attempts; unable to proceed with registration" - fi -fi - -exit 1 diff --git a/salt/wazuh/files/server/ossec.conf b/salt/wazuh/files/server/ossec.conf deleted file mode 100644 index 7077f48ce..000000000 --- a/salt/wazuh/files/server/ossec.conf +++ /dev/null 
@@ -1,220 +0,0 @@ - - - - - yes - no - no - yes - no - smtp.example.wazuh.com - ossecm@example.wazuh.com - recipient@example.wazuh.com - 12 - - - - 1 - 7 - - - - secure - 1514 - udp - - - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - - 43200 - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt - - yes - - - - yes - 1800 - 1d - yes - - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - - - - - no - - - 43200 - - yes - - - yes - - - no - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - - ^/proc - .log$|.swp$ - - - /etc/ssl/private.key - - yes - - - - - 127.0.0.1 - ^localhost.localdomain$ - 10.0.0.2 - - - - disable-account - disable-account.sh - user - yes - - - - restart-ossec - restart-ossec.sh - - - - - firewall-drop - firewall-drop.sh - srcip - yes - - - - host-deny - host-deny.sh - srcip - yes - - - - route-null - route-null.sh - srcip - yes - - - - win_route-null - route-null.cmd - srcip - yes - - - - - - host-deny - local - 6 - 600 - - - - - firewall-drop - local - 6 - 600 - - - - - command - df -P - 360 - - - - full_command - netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - - - - syslog - /var/ossec/logs/active-responses.log - - - - - ruleset/decoders - ruleset/rules - 0215-policy_rules.xml - etc/lists/audit-keys - - - etc/decoders - etc/rules - - - 
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist deleted file mode 100755 index 73cb00da7..000000000 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ /dev/null @@ -1,32 +0,0 @@ -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{%- set WAZUH_ENABLED = salt['pillar.get']('global:wazuh', '0') %} -#!/bin/bash -local_salt_dir=/opt/so/saltstack/local - -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Check if Wazuh enabled -if [ {{ WAZUH_ENABLED }} ]; then - WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" - if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then - DATE=`date` - sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG - sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n {{ MANAGERIP }}\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for {{ MANAGERIP }} in $WAZUH_MGR_CFG." - echo - fi -fi diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls deleted file mode 100644 index 66250b9cb..000000000 --- a/salt/wazuh/init.sls +++ /dev/null 
@@ -1,164 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{%- set HOSTNAME = salt['grains.get']('host', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -# Add ossec group -ossecgroup: - group.present: - - name: ossec - - gid: 945 - -# Add ossecm user -ossecm: - user.present: - - uid: 943 - - gid: 945 - - home: /nsm/wazuh - - createhome: False - - allow_uid_change: True - - allow_gid_change: True - -# Add ossecr user -ossecr: - user.present: - - uid: 944 - - gid: 945 - - home: /nsm/wazuh - - createhome: False - - allow_uid_change: True - - allow_gid_change: True - -# Add ossec user -ossec: - user.present: - - uid: 945 - - gid: 945 - - home: /nsm/wazuh - - createhome: False - - allow_uid_change: True - - allow_gid_change: True - -wazuhpkgs: - pkg.installed: - - skip_suggestions: False - - pkgs: - - wazuh-agent: 3.13.1-1 - - hold: True - - update_holds: True - -wazuhvarossecdir: - file.directory: - - name: /var/ossec - - user: ossec - - group: ossec - - recurse: - - user - - group - -# Add Wazuh agent conf -wazuhagentconf: - file.managed: - - name: /var/ossec/etc/ossec.conf - - source: salt://wazuh/files/agent/ossec.conf - - user: root - - group: 945 - - template: jinja - -wazuhdir: - file.directory: - - name: /nsm/wazuh - - user: 945 - - group: 945 - - makedirs: True - -# Wazuh agent registration script -wazuhagentregister: - file.managed: - - name: /usr/sbin/wazuh-register-agent - - source: salt://wazuh/files/agent/wazuh-register-agent - - user: root - - group: root - - mode: 755 - - template: jinja - -# Whitelist script -wazuhmgrwhitelist: - file.managed: - - name: /usr/sbin/wazuh-manager-whitelist - - source: salt://wazuh/files/wazuh-manager-whitelist - - user: root - - group: root - - mode: 755 - - template: jinja - -# Check to see if Wazuh API port is available 
-wazuhportavailable: - cmd.run: - - name: netstat -utanp | grep ":55000" | grep "LISTEN" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 - -so-wazuh: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }} - - hostname: {{HOSTNAME}}-wazuh-manager - - name: so-wazuh - - detach: True - - port_bindings: - - 0.0.0.0:1514:1514/udp - - 0.0.0.0:1514:1514/tcp - - 0.0.0.0:1515:1515/tcp - - 0.0.0.0:55000:55000 - - binds: - - /nsm/wazuh:/var/ossec/data:rw - -append_so-wazuh_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-wazuh - -/opt/so/conf/wazuh: - file.symlink: - - target: /nsm/wazuh/etc - -# Register the agent -registertheagent: - cmd.run: - - name: /usr/sbin/wazuh-register-agent - - cwd: / - - unless: ls /opt/so/conf/wazuh/initial_agent_registration.log - -# Whitelist manager IP -whitelistmanager: - cmd.run: - - name: /usr/sbin/wazuh-manager-whitelist - - cwd: / - -wazuhagentservice: - service.running: - - name: wazuh-agent - - enable: True - -hidsruledir: - file.directory: - - name: /opt/so/rules/hids - - user: 939 - - group: 939 - - makedirs: True - -/opt/so/rules/hids/local_rules.xml: - file.symlink: - - target: /nsm/wazuh/etc/rules/local_rules.xml - -/opt/so/rules/hids/ruleset: - file.symlink: - - target: /nsm/wazuh/ruleset - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/zeek/cron/zeek_clean b/salt/zeek/cron/zeek_clean index adeaa8740..90304e24f 100644 --- a/salt/zeek/cron/zeek_clean +++ b/salt/zeek/cron/zeek_clean 
@@ -2,20 +2,11 @@ # Delete Zeek Logs based on defined CRIT_DISK_USAGE value -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . clean () { diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml new file mode 100644 index 000000000..f9c606645 --- /dev/null +++ b/salt/zeek/defaults.yaml 
@@ -0,0 +1,120 @@ +zeek: + logging: + enabled: + - conn + - dce_rpc + - dhcp + - dnp3 + - dns + - dpd + - files + - ftp + - http + - intel + - irc + - kerberos + - modbus + - notice + - ntlm + - pe + - radius + - rfb + - rdp + - sip + - smb_files + - smb_mapping + - smtp + - snmp + - ssh + - ssl + - tunnel + - weird + - mysql + - socks + - x509 + config: + node: + lb_procs: 1 + zeek_pins_enabled: False + zeek_pins: [] + zeekctl: + MailTo: root@localhost + MailConnectionSummary: 1 + MinDiskSpace: 5 + MailHostUpDown: 1 + LogRotationInterval: 3600 + LogExpireInterval: 0 + StatsLogEnable: 1 + StatsLogExpireInterval: 0 + StatusCmdShowAll: 0 + CrashExpireInterval: 0 + SitePolicyScripts: local.zeek + LogDir: /nsm/zeek/logs + SpoolDir: /nsm/zeek/spool + CfgDir: /opt/zeek/etc + CompressLogs: 1 + policy: + file_extraction: + - application/x-dosexec: exe + - application/pdf: pdf + - application/msword: doc + - application/vnd.ms-powerpoint: doc + - application/rtf: doc + - application/vnd.ms-word.document.macroenabled.12: doc + - application/vnd.ms-word.template.macroenabled.12: doc + - application/vnd.ms-powerpoint.template.macroenabled.12: doc + - application/vnd.ms-excel: doc + - application/vnd.ms-excel.addin.macroenabled.12: doc + - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc + - application/vnd.ms-excel.template.macroenabled.12: doc + - application/vnd.ms-excel.sheet.macroenabled.12: doc + - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc + - application/vnd.openxmlformats-officedocument.presentationml.slide: doc + - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc + - application/vnd.openxmlformats-officedocument.presentationml.template: doc + - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc + - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc + - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc + - 
application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc + - application/vnd.ms-powerpoint.addin.macroenabled.12: doc + - application/vnd.ms-powerpoint.slide.macroenabled.12: doc + - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc + - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc + - application/vnd.openxmlformats-officedocument: doc + load: + - misc/loaded-scripts + - tuning/defaults + - misc/capture-loss + - misc/stats + - frameworks/software/vulnerable + - frameworks/software/version-changes + - protocols/ftp/software + - protocols/smtp/software + - protocols/ssh/software + - protocols/http/software + - protocols/dns/detect-external-names + - protocols/ftp/detect + - protocols/conn/known-hosts + - protocols/conn/known-services + - protocols/ssl/known-certs + - protocols/ssl/validate-certs + - protocols/ssl/log-hostcerts-only + - protocols/ssh/geo-data + - protocols/ssh/detect-bruteforcing + - protocols/ssh/interesting-hostnames + - protocols/http/detect-sqli + - frameworks/files/hash-all-files + - frameworks/files/detect-MHR + - policy/frameworks/notice/extend-email/hostnames + - ja3 + - hassh + - intel + - cve-2020-0601 + - securityonion/bpfconf + - securityonion/communityid + - securityonion/file-extraction + load-sigs: + - frameworks/signatures/detect-windows-shells + redef: + - LogAscii::use_json = T; + - CaptureLoss::watch_interval = 5 mins; \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index ff91762f5..6185308ac 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls 
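Review bot: The `logging.enabled` list leaves out the logs that several `policy.load` entries produce: the `protocols/*/software` scripts feed software.log, `known-hosts`, `known-services` and `known-certs` write the known_* logs, and `misc/capture-loss` writes capture_loss.log, yet none of `software`, `known_hosts`, `known_services`, `known_certs` or `capture_loss` is listed. The description added for this list in salt/zeek/soc_zeek.yaml in the same commit says it controls which logs are shipped through the pipeline, so that output would presumably stay on the sensor's disk and not be searchable centrally. Either add those names or state the intent above the list, for example `# software, known_* and capture_loss logs are intentionally kept sensor-local`. The file also ends without a trailing newline.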
@@ -1,28 +1,19 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from "zeek/map.jinja" import ZEEKOPTIONS with context %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} {% set BPF_STATUS = 0 %} -{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} +{% set INTERFACE = salt['pillar.get']('sensor:interface') %} {% set ZEEK = salt['pillar.get']('zeek', {}) %} diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml new file mode 100644 index 000000000..bcb3af346 --- /dev/null +++ b/salt/zeek/soc_zeek.yaml 
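Review bot: `VERSION` and `INTERFACE` are now read with `salt['pillar.get']('global:soversion')` and `salt['pillar.get']('sensor:interface')` with no fallback, so a minion whose pillar lacks either key would presumably render an empty value instead of failing. Dropping the stale `'HH1.2.2'` and `'bond0'` defaults is reasonable, but the rest of the state lies outside this hunk, so it is not visible whether an empty value is caught before it reaches the container image tag or the capture interface. A guard directly after the `set` lines would make a missing pillar fail loudly rather than leave a sensor that quietly does not capture, e.g. `{% if not VERSION or not INTERFACE %}` wrapping a `test.fail_without_changes` state, the pattern the `_state_not_allowed` branch of the removed salt/wazuh/init.sls uses.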
@@ -0,0 +1,26 @@
+zeek:
+ logging:
+ enabled:
+ description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
+ config:
+ node:
+ lb_procs:
+ description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
+ node: True
+ zeek_pins_enabled:
+ description:
+ node: True
+ zeeek_pins:
+ description: List of CPUs you want to
+ node: True
+ zeekctl:
+ CompressLogs:
+ description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
+ policy:
+ file_extraction:
+ description: This is a list of mime types Zeek will extract from the network streams.
+ load:
+ description: List of Zeek policies to load
+ load-sigs:
+ description: List of Zeek signatures to load
+ 
\ No newline at end of file
diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager
index b5d30ae33..ee55c5317 100644
--- a/setup/automation/distributed-airgap-manager
+++ b/setup/automation/distributed-airgap-manager
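Review bot: The key `zeeek_pins` under `config.node` is misspelled (three e's); the setting that salt/zeek/defaults.yaml defines in this same commit is `zeek_pins`, so this annotation would not attach to it and should read `zeek_pins:`. The two pin entries are also unfinished: `zeek_pins_enabled` has an empty `description:` and the `zeeek_pins` text stops at "List of CPUs you want to". If it matches the intended behaviour, `description: Pin Zeek workers to the CPUs listed in zeek_pins; lb_procs is then ignored.` and `description: List of CPU IDs to pin Zeek workers to.` would agree with what the `lb_procs` description already says about pins. The last added line is whitespace only and the file has no trailing newline.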
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search index 3afc48d3b..a3b7ffc3b 100644 --- a/setup/automation/distributed-airgap-search +++ b/setup/automation/distributed-airgap-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor index a96cbeb7d..3e6e46c6d 100644 --- a/setup/automation/distributed-airgap-sensor +++ b/setup/automation/distributed-airgap-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-cloud-manager b/setup/automation/distributed-cloud-manager index 8e298e4c2..721fb7e13 100644 --- a/setup/automation/distributed-cloud-manager +++ b/setup/automation/distributed-cloud-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-cloud-search b/setup/automation/distributed-cloud-search index aabf24a7f..dc6c2f97f 100644 --- a/setup/automation/distributed-cloud-search +++ b/setup/automation/distributed-cloud-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-cloud-sensor b/setup/automation/distributed-cloud-sensor index 0ba42769c..56156e516 100644 --- a/setup/automation/distributed-cloud-sensor +++ b/setup/automation/distributed-cloud-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager index bd1aec7b4..32de661e7 100644 --- a/setup/automation/distributed-iso-manager +++ b/setup/automation/distributed-iso-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search index 9bdeaaa34..095436788 100644 --- a/setup/automation/distributed-iso-search +++ b/setup/automation/distributed-iso-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index 90f17ffb5..11a78b9c8 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-centos-manager b/setup/automation/distributed-net-centos-manager index bd1aec7b4..32de661e7 100644 --- a/setup/automation/distributed-net-centos-manager +++ b/setup/automation/distributed-net-centos-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-centos-search b/setup/automation/distributed-net-centos-search index 98c0af7c8..ab67e11d8 100644 --- a/setup/automation/distributed-net-centos-search +++ b/setup/automation/distributed-net-centos-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-centos-sensor b/setup/automation/distributed-net-centos-sensor index f8230152e..b3f0d01d4 100644 --- a/setup/automation/distributed-net-centos-sensor +++ b/setup/automation/distributed-net-centos-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-manager b/setup/automation/distributed-net-ubuntu-manager index c7ffd9ebe..339f651ae 100644 --- a/setup/automation/distributed-net-ubuntu-manager +++ b/setup/automation/distributed-net-ubuntu-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-search b/setup/automation/distributed-net-ubuntu-search index 5285f97e3..398432647 100644 --- a/setup/automation/distributed-net-ubuntu-search +++ b/setup/automation/distributed-net-ubuntu-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-sensor b/setup/automation/distributed-net-ubuntu-sensor index 294b68480..d25bf0080 100644 --- a/setup/automation/distributed-net-ubuntu-sensor +++ b/setup/automation/distributed-net-ubuntu-sensor 
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/distributed-net-ubuntu-suricata-manager b/setup/automation/distributed-net-ubuntu-suricata-manager
index e5c0c137f..614d12c6f 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-manager
+++ b/setup/automation/distributed-net-ubuntu-suricata-manager
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search
index 585de54af..138b273c4 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-search
+++ b/setup/automation/distributed-net-ubuntu-suricata-search
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor
index ee8eba5e0..58fb922a3 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-sensor
+++ b/setup/automation/distributed-net-ubuntu-suricata-sensor
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap
index 7e1df4dfc..595d21a32 100644
--- a/setup/automation/eval-airgap
+++ b/setup/automation/eval-airgap
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/eval-cloud b/setup/automation/eval-cloud
index cb8b0b1ae..997d7e53b 100644
--- a/setup/automation/eval-cloud
+++ b/setup/automation/eval-cloud
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/eval-cloud-logscan b/setup/automation/eval-cloud-logscan
deleted file mode 100644
index 564df40f0..000000000
--- a/setup/automation/eval-cloud-logscan
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-GRAFANA=1
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=eval
-install_type=EVAL
-LEARN_LOGSCAN_ENABLE=true
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso
index e1461d95f..5c41e1b12 100644
--- a/setup/automation/eval-iso
+++ b/setup/automation/eval-iso
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos
index c86357a21..b56b45a52 100644
--- a/setup/automation/eval-net-centos
+++ b/setup/automation/eval-net-centos
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/eval-net-ubuntu b/setup/automation/eval-net-ubuntu
index 5d1cfb500..24c68896a 100644
--- a/setup/automation/eval-net-ubuntu
+++ b/setup/automation/eval-net-ubuntu
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
index 78cd42096..d1d153177 100644
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/import-cloud b/setup/automation/import-cloud
index eb8b23905..684e487fd 100644
--- a/setup/automation/import-cloud
+++ b/setup/automation/import-cloud
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/import-iso b/setup/automation/import-iso
index 8c8357f0f..7ad671b37 100644
--- a/setup/automation/import-iso
+++ b/setup/automation/import-iso
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos
index e565b22e2..cfeef5cb4 100644
--- a/setup/automation/import-net-centos
+++ b/setup/automation/import-net-centos
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu
index e115232aa..e6fcc2b6b 100644
--- a/setup/automation/import-net-ubuntu
+++ b/setup/automation/import-net-ubuntu
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap
index a17d006c7..44be7b270 100644
--- a/setup/automation/standalone-airgap
+++ b/setup/automation/standalone-airgap
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-cloud b/setup/automation/standalone-cloud
index 77686b862..66c123362 100644
--- a/setup/automation/standalone-cloud
+++ b/setup/automation/standalone-cloud
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-cloud-suricata b/setup/automation/standalone-cloud-suricata
deleted file mode 100644
index e3e21f756..000000000
--- a/setup/automation/standalone-cloud-suricata
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=SURICATA
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-GRAFANA=1
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=standalone
-install_type=STANDALONE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso
index fa47dd66d..11eac77b9 100644
--- a/setup/automation/standalone-iso
+++ b/setup/automation/standalone-iso
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-iso-logscan b/setup/automation/standalone-iso-logscan
index 4038735d0..9249fa4ed 100644
--- a/setup/automation/standalone-iso-logscan
+++ b/setup/automation/standalone-iso-logscan
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-iso-suricata
index 078190043..e14049a34 100644
--- a/setup/automation/standalone-iso-suricata
+++ b/setup/automation/standalone-iso-suricata
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-net-centos b/setup/automation/standalone-net-centos
index 050bdde51..0b36e600a 100644
--- a/setup/automation/standalone-net-centos
+++ b/setup/automation/standalone-net-centos
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-net-centos-proxy b/setup/automation/standalone-net-centos-proxy
index 9f8e1b6b6..b22fc4b74 100644
--- a/setup/automation/standalone-net-centos-proxy
+++ b/setup/automation/standalone-net-centos-proxy
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/automation/standalone-net-ubuntu b/setup/automation/standalone-net-ubuntu
index 2aad4ea0e..9c62dda04 100644
--- a/setup/automation/standalone-net-ubuntu
+++ b/setup/automation/standalone-net-ubuntu
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 TESTING=true
diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable
index b2d8ffc3b..fdce54f5e 100755
--- a/setup/install_scripts/99-so-checksum-offload-disable
+++ b/setup/install_scripts/99-so-checksum-offload-disable
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/setup/so-functions b/setup/so-functions index c92b643cc..7b1ae477f 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . # README - DO NOT DEFINE GLOBAL VARIABLES IN THIS FILE. Instead use so-variables. @@ -44,21 +35,6 @@ logCmd() { } ### End Logging Section ### -airgap_repo() { - # Remove all the repo files - rm -rf /etc/yum.repos.d/* - echo "[airgap_repo]" > /etc/yum.repos.d/airgap_repo.repo - if $is_manager; then - echo "baseurl=https://$HOSTNAME/repo" >> /etc/yum.repos.d/airgap_repo.repo - else - echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/airgap_repo.repo - fi - echo "gpgcheck=1" >> /etc/yum.repos.d/airgap_repo.repo - echo "sslverify=0" >> /etc/yum.repos.d/airgap_repo.repo - echo "name=Airgap Repo" >> /etc/yum.repos.d/airgap_repo.repo - echo "enabled=1" >> /etc/yum.repos.d/airgap_repo.repo -} - airgap_rules() { # Copy the rules for suricata if using Airgap mkdir -p /nsm/repo/rules 
@@ -71,16 +47,6 @@ airgap_rules() { cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/ } -accept_salt_key_remote() { - systemctl restart salt-minion - - echo "Accept the key remotely on the manager" >> "$setup_log" 2>&1 - # Delete the key just in case. - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y - salt-call state.show_top >> /dev/null 2>&1 - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -a "$MINION_ID" -y -} - add_admin_user() { # Add an admin user with full sudo rights if this is an ISO install. { @@ -113,10 +79,6 @@ add_socore_user_manager() { so_add_user "socore" "939" "939" "/opt/so" >> "$setup_log" 2>&1 } -add_soremote_user_manager() { - so_add_user "soremote" "947" "947" "/home/soremote" "$SOREMOTEPASS1" >> "$setup_log" 2>&1 -} - add_web_user() { wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5 { @@ -145,7 +107,7 @@ analyst_salt_local() { securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile @@ -161,10 +123,9 @@ analyst_salt_local() { } - analyst_workstation_pillar() { - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls # Create the analyst workstation pillar printf '%s\n'\ 
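Review bot: The package pin in analyst_salt_local moves backwards, from `salt-minion-3004.2` to `salt-minion-3004.1`, and nothing in the commit explains why. Installing an earlier point release can drop fixes shipped in the later one. The comment block further down this file lists `salt/salt/master.defaults.yaml` and `salt/salt/minion.defaults.yaml`, apparently as the other places that carry the Salt version, so the pin should be checked against them. If the downgrade is a merge artefact, keep `salt-minion-3004.2`; if it is deliberate, add a one-line comment saying so. The function starts and ends outside the hunk.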
@@ -197,6 +158,19 @@ check_manager_state() { retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1 } +check_manager_connection() { + # See if you can curl the manager. If not you can either try again or continue + echo "Checking manager connectivity" + man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) + + local ret=$? + + if [[ $ret != 0 ]]; then + error "Could not reach $MSRV" + whiptail_manager_unreachable + fi +} + __check_so_status() { local so_status_output so_status_output=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/log/sostatus/status.log) @@ -256,14 +230,6 @@ check_service_status() { } -check_soremote_pass() { - check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH" -} - -check_fleet_node_pass() { - check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH" -} - check_web_pass() { check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } @@ -328,17 +294,6 @@ collect_dockernet() { fi } -collect_es_cluster_name() { - if whiptail_manager_adv_escluster; then - whiptail_manager_adv_escluster_name "securityonion" - - while ! valid_string "$ESCLUSTERNAME"; do - whiptail_invalid_string "ES cluster name" - whiptail_manager_adv_escluster_name "$ESCLUSTERNAME" - done - fi -} - collect_es_space_limit() { whiptail_log_size_limit "$log_size_limit" 
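Review bot: check_manager_connection stores curl's output in `man_test_err` but never reports it, and the message names `$MSRV` although the request went to `$MSRVIP`. Declaring `local man_test_err` on its own line before the assignment and logging `error "Could not reach $MSRVIP ($MSRV): $man_test_err"` would make a failure diagnosable without leaving a global behind. Because of `-k`, a success only shows that something answers HTTPS at that address, not that it is the intended manager; a comment such as `# reachability probe only, certificate is not verified` would stop the result being read as verification. The URL should also be quoted: `"https://$MSRVIP/repo"`.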
@@ -348,36 +303,6 @@ collect_es_space_limit() { done } -collect_fleet_custom_hostname_inputs() { - whiptail_fleet_custom_hostname - - while [[ -n $FLEETCUSTOMHOSTNAME ]] && ! valid_fqdn "$FLEETCUSTOMHOSTNAME"; do - whiptail_invalid_input - whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME" - done -} - -# Get a username & password for the Fleet admin user -collect_fleetuser_inputs() { - whiptail_create_fleet_node_user - - while ! so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; do - whiptail_invalid_user_warning - whiptail_create_fleet_node_user "$FLEETNODEUSER" - done - - FPMATCH=no - while [[ $FPMATCH != yes ]]; do - whiptail_create_fleet_node_user_password1 - while ! check_password "$FLEETNODEPASSWD1"; do - whiptail_invalid_pass_characters_warning - whiptail_create_fleet_node_user_password1 - done - whiptail_create_fleet_node_user_password2 - check_fleet_node_pass - done -} - collect_gateway() { whiptail_management_interface_gateway @@ -444,32 +369,6 @@ collect_hostname_validate() { done } -collect_idh_preferences() { - IDHMGTRESTRICT='False' - whiptail_idh_preferences - - if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi -} - -collect_idh_services() { - whiptail_idh_services - - case "$idh_services" in - 'Linux Webserver (NAS Skin)') - idh_services=("HTTP" "FTP" "SSH") - ;; - 'MySQL Server') - idh_services=("MYSQL" "SSH") - ;; - 'MSSQL Server') - idh_services=("MSSQL" "VNC") - ;; - 'Custom') - whiptail_idh_services_custom - ;; - esac -} - collect_int_ip_mask() { whiptail_management_interface_ip_mask @@ -514,15 +413,6 @@ collect_mngr_hostname() { fi } -collect_mtu() { - whiptail_bond_nics_mtu "1500" - - while ! valid_int "$MTU" "68" "10000"; do - whiptail_invalid_input - whiptail_bond_nics_mtu "$MTU" - done -} - collect_net_method() { whiptail_net_method 
@@ -536,41 +426,6 @@ collect_net_method() { fi } -collect_node_es_heap() { - whiptail_node_es_heap "$ES_HEAP_SIZE" -} - -collect_node_ls_heap() { - whiptail_node_ls_heap "$LS_HEAP_SIZE" -} - -collect_node_ls_input() { - whiptail_node_ls_input_threads "1" - - while ! valid_int "$LSINPUTTHREADS"; do - whiptail_invalid_input - whiptail_node_ls_input_threads "$LSINPUTTHREADS" - done -} - -collect_node_ls_pipeline_batch_size() { - whiptail_node_ls_pipline_batchsize "125" - - while ! valid_int "$LSPIPELINEBATCH"; do - whiptail_invalid_input - whiptail_node_ls_pipline_batchsize "$LSPIPELINEBATCH" - done -} - -collect_node_ls_pipeline_worker_count() { - whiptail_node_ls_pipeline_worker "$num_cpu_cores" - - while ! valid_int "$LSPIPELINEWORKERS"; do - whiptail_invalid_input - whiptail_node_ls_pipeline_worker "$LSPIPELINEWORKERS" - done -} - collect_ntp_servers() { if whiptail_ntp_ask; then [[ $is_airgap ]] && ntp_string="" @@ -726,26 +581,6 @@ collect_so_allow() { fi } -collect_soremote_inputs() { - whiptail_create_soremote_user - SCMATCH=no - - while [[ $SCMATCH != yes ]]; do - whiptail_create_soremote_user_password1 - whiptail_create_soremote_user_password2 - check_soremote_pass - done -} - -collect_suri() { - whiptail_basic_suri "$PROCS" - - while ! valid_int "$BASICSURI"; do - whiptail_invalid_input - whiptail_basic_suri "$BASICSURI" - done -} - # Get an email & password for the web admin user collect_webuser_inputs() { whiptail_create_web_user @@ -771,15 +606,6 @@ collect_webuser_inputs() { done } -collect_zeek() { - whiptail_basic_zeek "$PROCS" - - while ! valid_int "$BASICZEEK"; do - whiptail_invalid_input - whiptail_basic_zeek "$BASICZEEK" - done -} - configure_minion() { local minion_type=$1 if [[ $is_analyst ]]; then @@ -787,7 +613,7 @@ configure_minion() { fi echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 echo "role: so-$minion_type" > /etc/salt/grains - + local minion_config=/etc/salt/minion echo "id: '$MINION_ID'" > "$minion_config" 
@@ -796,10 +622,6 @@ configure_minion() { 'workstation') echo "master: '$MSRV'" >> "$minion_config" ;; - 'helix') - cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf - echo "master: '$HOSTNAME'" >> "$minion_config" - ;; 'manager' | 'eval' | 'managersearch' | 'standalone' | 'import') cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf printf '%s\n'\ @@ -826,6 +648,9 @@ configure_minion() { "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" + cp -f ../salt/salt/etc/minion.d/mine_functions.conf /etc/salt/minion.d/mine_functions.conf + sed -i "s/{{ pillar.host.mainint }}/$MAININT/" /etc/salt/minion.d/mine_functions.conf + { systemctl restart salt-minion; } >> "$setup_log" 2>&1 @@ -1079,22 +904,6 @@ copy_minion_tmp_files() { salt-call saltutil.sync_modules >> "$setup_log" 2>&1 } -copy_ssh_key() { - - echo "Generating SSH key" - # Generate SSH key - mkdir -p /root/.ssh - ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero - chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh - - echo "Removing old entry for manager from known_hosts if it exists" - grep -q "$MSRV" /root/.ssh/known_hosts && sed -i "/${MSRV}/d" /root/.ssh/known_hosts - - echo "Copying the SSH key to the manager" - #Copy the key over to the manager - $sshcopyidcmd -f -i /root/.ssh/so.key soremote@"$MSRV" -} - create_local_directories() { echo "Creating local pillar and salt directories" PILLARSALTDIR=${SCRIPTDIR::-5} @@ -1117,6 +926,24 @@ create_local_nids_rules() { salt-run fileserver.clear_file_list_cache } +create_manager_pillars() { + elasticsearch_pillar + logstash_pillar + manager_pillar + create_global + create_sensoroni_pillar + #create_strelka_pillar + backup_pillar + soctopus_pillar + docker_pillar + redis_pillar + idstools_pillar + kratos_pillar + soc_pillar + idh_pillar + +} + create_repo() { # Create the repo for airgap createrepo /nsm/repo 
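Review bot: The added `sed` in configure_minion substitutes `$MAININT` into mine_functions.conf, while the other new code in this patch (for example drop_install_options) names the management interface `$MNIC`. If `MAININT` is not set at this point, the placeholder is replaced by an empty string and the minion is restarted with a broken mine configuration. It is worth confirming which variable holds the interface here and guarding the substitution, e.g. `[[ -n $MAININT ]] || { echo "MAININT is not set" >> "$setup_log"; return 1; }` before the `sed`. configure_minion starts and ends outside the hunk.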
@@ -1133,14 +960,17 @@ detect_os() { # Detect Base OS echo "Detecting Base OS" >> "$log" 2>&1 if [ -f /etc/redhat-release ]; then - OS=centos - is_centos=true if grep -q "CentOS Linux release 7" /etc/redhat-release; then + OS=centos OSVER=7 - elif grep -q "CentOS Linux release 8" /etc/redhat-release; then + is_centos=true + pkgman="yum" + elif grep -q "Rocky Linux release 8" /etc/redhat-release; then + OS=rocky OSVER=8 - echo "We currently do not support CentOS $OSVER but we are working on it!" - exit 1 + is_rocky=true + pkgman="dnf" + echo "We currently do not support Rocky Linux $OSVER but we are working on it!" else echo "We do not support the version of CentOS you are trying to use." exit 1 
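Review bot: The new Rocky Linux branch in detect_os still prints "We currently do not support Rocky Linux $OSVER" but no longer exits, so setup carries on with `OS=rocky` and `pkgman="dnf"` right after telling the operator the platform is unsupported. Either restore `exit 1` after the message or reword it as a warning, e.g. `echo "Rocky Linux $OSVER support is experimental"`. The following `else` branch now also covers unrecognised Rocky releases, so its text "the version of CentOS you are trying to use" would read better as "the OS release". The function continues outside the hunk.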
@@ -1232,49 +1062,6 @@ disable_ipv6() { } >> /etc/sysctl.conf } -docker_install() { - - if [[ $is_centos ]]; then - logCmd "yum clean expire-cache" - if [[ ! $is_iso ]]; then - logCmd "yum -y install docker-ce-20.10.5-3.el7 docker-ce-cli-20.10.5-3.el7 docker-ce-rootless-extras-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7" - fi - logCmd "yum versionlock docker-ce-20.10.5-3.el7" - logCmd "yum versionlock docker-ce-cli-20.10.5-3.el7" - logCmd "yum versionlock docker-ce-rootless-extras-20.10.5-3.el7" - logCmd "yum versionlock containerd.io-1.4.4-3.1.el7" - - else - case "$install_type" in - 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORT') - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - ;; - *) - retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || exit 1 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1 - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - ;; - esac - if [ $OSVER == "bionic" ]; then - service docker stop - apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras - retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.5~3-0~ubuntu-bionic docker-ce-cli=5:20.10.5~3-0~ubuntu-bionic docker-ce-rootless-extras=5:20.10.5~3-0~ubuntu-bionic python3-docker" >> "$setup_log" 2>&1 || exit 1 - apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras - elif [ $OSVER == "focal" ]; then - service docker stop - apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras - retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.8~3-0~ubuntu-focal docker-ce-cli=5:20.10.8~3-0~ubuntu-focal docker-ce-rootless-extras=5:20.10.8~3-0~ubuntu-focal python3-docker" >> "$setup_log" 2>&1 || exit 1 - apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras - fi - fi - docker_registry - { - echo "Restarting Docker"; - systemctl restart docker; - systemctl enable docker; - } 
>> "$setup_log" 2>&1 -} - docker_registry() { echo "Setting up Docker Registry" >> "$setup_log" 2>&1 @@ -1358,28 +1145,48 @@ download_repo_tarball() { } elasticsearch_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - - # Create the node pillar + # Create Advanced File + touch $adv_elasticsearch_pillar_file + # Create the Elasticsearch pillar printf '%s\n'\ "elasticsearch:"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'"\ - " esheap: '$NODE_ES_HEAP_SIZE'" >> "$pillar_file" - if [ -n "$ESCLUSTERNAME" ]; then - printf '%s\n'\ - " esclustername: $ESCLUSTERNAME" >> "$pillar_file" - else - printf '%s\n'\ - " esclustername: '{{ grains.host }}'" >> "$pillar_file" - fi - printf '%s\n'\ - " node_type: '$NODETYPE'"\ - " es_port: $node_es_port"\ - " log_size_limit: $log_size_limit"\ - " node_route_type: 'hot'"\ - "" >> "$pillar_file" + " config:"\ + " cluster:"\ + " name: securityonion"\ + " routing:"\ + " allocation:"\ + " disk:"\ + " threshold_enabled: true"\ + " watermark:"\ + " low: 80%"\ + " high: 85%"\ + " flood_stage: 90%"\ + " script:"\ + " max_compilations_rate: 20000/1m"\ + " indices:"\ + " query:"\ + " bool:"\ + " max_clause_count: 3500"\ + " index_settings:"\ > $elasticsearch_pillar_file + for INDEX in aws azure barracuda beats bluecoat cef checkpoint cisco cyberark cylance elasticsearch endgame f5 firewall fortinet gcp google_workspace ids imperva import infoblox juniper kibana logstash microsoft misp netflow netscout o365 okta osquery proofpoint radware redis snort snyk sonicwall sophos strelka syslog tomcat zeek zscaler + do + printf '%s\n'\ + " so-$INDEX:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0" >> $elasticsearch_pillar_file + done } es_heapsize() { 
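Review bot: In elasticsearch_pillar the path variables are expanded unquoted: `touch $adv_elasticsearch_pillar_file`, `> $elasticsearch_pillar_file` and `>> $elasticsearch_pillar_file`. If either variable is empty or contains whitespace, the redirect fails as ambiguous or `touch` acts on the wrong name, and the function continues without a pillar file. Quoting them as idh_pillar does, `> "$elasticsearch_pillar_file"`, avoids that. The same applies in later hunks to `rm $global_pillar_file` and the `>> $global_pillar_file` lines in create_global, to create_sensoroni_pillar and docker_pillar, and to the `touch $adv_*_pillar_file` line at the top of each new pillar function.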
@@ -1464,24 +1271,12 @@ firewall_generate_templates() { cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 - for i in analyst beats_endpoint endgame sensor manager minion osquery_endpoint search_node wazuh_endpoint; do + for i in analyst beats_endpoint endgame sensor manager minion elastic_agent_endpoint search_node; do $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 done } -fleet_pillar() { - - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - # Create the fleet pillar - printf '%s\n'\ - "fleet:"\ - " mainip: '$MAINIP'"\ - " manager: '$MSRV'"\ - "" > "$pillar_file" -} - generate_ca() { { echo "Building Certificate Authority"; @@ -1510,23 +1305,15 @@ generate_passwords(){ PLAYBOOKDBPASS=$(get_random_value) PLAYBOOKADMINPASS=$(get_random_value) PLAYBOOKAUTOMATIONPASS=$(get_random_value) - FLEETPASS=$(get_random_value) - FLEETSAPASS=$(get_random_value) - FLEETJWT=$(get_random_value) GRAFANAPASS=$(get_random_value) SENSORONIKEY=$(get_random_value) KRATOSKEY=$(get_random_value) } -generate_repo_tarball() { - mkdir -p /opt/so/repo - tar -czf /opt/so/repo/"$SOVERSION".tar.gz -C "$(pwd)/.." . -} - -generate_sensor_vars() { +generate_interface_vars() { # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - if [[ $is_cloud ]]; then MTU=1575; else MTU=1500; fi + if [[ $is_cloud ]]; then MTU=1575; else MTU=9000; fi fi export MTU 
@@ -1549,33 +1336,13 @@ get_redirect() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; - 'HELIXSENSOR') - minion_type='helix' - ;; - *'NODE') - minion_type='node' - ;; esac echo "$minion_type" } -host_pillar() { - - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - # Create the host pillar - printf '%s\n'\ - "host:"\ - " mainint: '$MNIC'"\ - "sensoroni:"\ - " node_address: '$MAINIP'"\ - " node_description: '${NODE_DESCRIPTION//\'/''}'"\ - "" > "$pillar_file" -} - install_cleanup() { if [ -f "$temp_install_dir" ]; then echo "Installer removing the following files:" @@ -1613,18 +1380,34 @@ import_registry_docker() { fi } +idh_pillar() { + touch $adv_idh_pillar_file + # Create the IDH Pillar + printf '%s\n'\ + "idh:"\ + " listen_on_mgnt_int: True"\ + " services:"\ + " - HTTP"\ + " - FTP"\ + " - MYSQL"\ + " - MSSQL"\ + " - VNC"\ + " - SSH" > "$idh_pillar_file" + +} + logstash_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - + # Create the logstash advanced pillar + touch $adv_logstash_pillar_file # Create the logstash pillar printf '%s\n'\ "logstash_settings:"\ - " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ - " ls_input_threads: $LSINPUTTHREADS"\ + " ls_host: '$HOSTNAME'"\ + " ls_pipeline_batch_size: 125"\ + " ls_input_threads: 1"\ " lsheap: $NODE_LS_HEAP_SIZE"\ " ls_pipeline_workers: $num_cpu_cores"\ - "" >> "$pillar_file" + "" > "$logstash_pillar_file" } # Set Logstash heap size based on total memory 
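Review bot: With the `'HELIXSENSOR'` and `*'NODE'` branches removed, the `case` in get_minion_type has no default, so any `install_type` outside the list leaves `minion_type` empty and the function echoes an empty string. configure_minion writes `role: so-$minion_type` to /etc/salt/grains, so an unmatched value would give the minion the role `so-` without any error. Adding a default branch that reports the value and fails, e.g. `*) echo "Unknown install type: $install_type" >&2; return 1 ;;`, would surface the problem at the point it occurs. Whether any caller can still pass such a value is not visible from this hunk.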
@@ -1654,81 +1437,60 @@ ls_heapsize() { fi } -manager_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - - # Create the manager pillar +idstools_pillar() { + touch $adv_idstools_pillar_file printf '%s\n'\ - "manager:"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'"\ - " proxy: '$so_proxy'"\ - " no_proxy: '$no_proxy_string'"\ - " esheap: '$ES_HEAP_SIZE'"\ - " esclustername: '{{ grains.host }}'"\ - " freq: 0"\ - " domainstats: 0" >> "$pillar_file" - - - if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MANAGERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then - printf '%s\n'\ - " mtu: $MTU" >> "$pillar_file" - fi - - printf '%s\n'\ - " elastalert: 1"\ - " es_port: $node_es_port"\ - " grafana: $GRAFANA"\ - " osquery: $OSQUERY"\ - " playbook: $PLAYBOOK"\ - ""\ - "elasticsearch:"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'"\ - " esheap: '$NODE_ES_HEAP_SIZE'"\ - " esclustername: '{{ grains.host }}'"\ - " node_type: '$NODETYPE'"\ - " es_port: $node_es_port"\ - " log_size_limit: $log_size_limit"\ - " node_route_type: 'hot'"\ - ""\ - "logstash_settings:"\ - " ls_pipeline_batch_size: 125"\ - " ls_input_threads: 1"\ - " lsheap: $LS_HEAP_SIZE"\ - " ls_pipeline_workers: $num_cpu_cores"\ - ""\ "idstools:"\ " config:"\ " ruleset: '$RULESETUP'"\ " oinkcode: '$OINKCODE'"\ - " urls:"\ + " urls: []"\ " sids:"\ - " enabled:"\ - " disabled:"\ - " modify:"\ - ""\ - "kratos:" >> "$pillar_file" - + " enabled: []"\ + " disabled: []"\ + " modify: []"\ + "" > "$idstools_pillar_file" - printf '%s\n'\ - " kratoskey: '$KRATOSKEY'"\ - "" >> "$pillar_file" +} + +soc_pillar() { + touch $adv_soc_pillar_file printf '%s\n'\ "soc:"\ " es_index_patterns: '*:so-*,*:endgame-*'"\ - "" >> "$pillar_file" + "" > "$soc_pillar_file" if [[ -n $ENDGAMEHOST ]]; then printf '%s\n'\ " endgamehost: '$ENDGAMEHOST'"\ - "" >> "$pillar_file" + "" >> "$soc_pillar_file" fi } -manager_global() { - local 
global_pillar="$local_salt_dir/pillar/global.sls" +manager_pillar() { + touch $adv_manager_pillar_file + # Create the manager pillar + printf '%s\n'\ + "manager:"\ + " proxy: '$so_proxy'"\ + " no_proxy: '$no_proxy_string'"\ + " elastalert: 1"\ + " grafana: $GRAFANA"\ + " playbook: $PLAYBOOK"\ + "" > "$manager_pillar_file" +} +kratos_pillar() { + touch $adv_kratos_pillar_file + printf '%s\n'\ + "kratos:"\ + " kratoskey: '$KRATOSKEY'"\ + " sessiontimeout: '24h'"\ + " mfa_issuer: 'Security Onion'"\ + "" > "$kratos_pillar_file" +} + +create_global() { + touch $adv_global_pillar_file if [ -z "$NODE_CHECKIN_INTERVAL_MS" ]; then NODE_CHECKIN_INTERVAL_MS=10000 if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ] || [ "$install_type" = 'IMPORT' ]; then 
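Review bot: kratos_pillar writes `$KRATOSKEY` and idstools_pillar writes `$OINKCODE` into files created by `touch` and `>` under whatever umask setup runs with, and the hunk sets neither mode nor owner on them. Unless the pillar directory is already restricted (not visible here), these secrets may be readable by every local account. Restricting the file after writing, e.g. `chmod 640 "$kratos_pillar_file"` with an owner the Salt master can still read, or setting a tighter umask around the write, would close that. The same applies to create_sensoroni_pillar in the next hunk, which writes `$SENSORONIKEY`.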
@@ -1743,205 +1505,91 @@ manager_global() { DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 fi + if [ -f "$global_pillar_file" ]; then + rm $global_pillar_file + fi + # Create a global file for global values - printf '%s\n'\ - "global:"\ - " soversion: '$SOVERSION'"\ - " hnmanager: '$HNMANAGER'"\ - " dockernet: '$DOCKERNET'"\ - " mdengine: '$ZEEKVERSION'"\ - " ids: '$NIDS'"\ - " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" > "$global_pillar" - + echo "global:" >> $global_pillar_file + echo " soversion: '$SOVERSION'" >> $global_pillar_file + echo " managerip: '$MAINIP'" >> $global_pillar_file + echo " mdengine: 'ZEEK'" >> $global_pillar_file + echo " ids: 'Suricata'" >> $global_pillar_file + echo " url_base: '$REDIRECTIT'" >> $global_pillar_file if [[ $HIGHLANDER == 'True' ]]; then - printf '%s\n'\ - " highlander: True"\ >> "$global_pillar" + echo " highlander: True" >> $global_pillar_file fi if [[ $is_airgap ]]; then - printf '%s\n'\ - " airgap: True"\ >> "$global_pillar" + echo " airgap: True" >> $global_pillar_file else - printf '%s\n'\ - " airgap: False"\ >> "$global_pillar" + echo " airgap: False" >> $global_pillar_file fi # Continue adding other details + echo " imagerepo: '$IMAGEREPO'" >> $global_pillar_file + echo " pipeline: 'redis'" >> $global_pillar_file + echo " repo_host: '$MAINIP'" >> $global_pillar_file + echo " registry_host: '$MAINIP'" >> $global_pillar_file +} + +create_sensoroni_pillar() { + touch $adv_sensoroni_pillar_file + printf '%s\n'\ - " fleet_custom_hostname: "\ - " fleet_manager: False"\ - " fleet_node: False"\ - " fleet_packages-timestamp: 'N/A'"\ - " fleet_packages-version: 1"\ - " fleet_hostname: 'N/A'"\ - " fleet_ip: 'N/A'"\ - " sensoronikey: '$SENSORONIKEY'"\ - " wazuh: $WAZUH"\ - " imagerepo: '$IMAGEREPO'"\ - " pipeline: 'redis'"\ "sensoroni:"\ " node_checkin_interval_ms: $NODE_CHECKIN_INTERVAL_MS"\ + " sensoronikey: '$SENSORONIKEY'"\ + " soc_host: '$REDIRECTIT'" > $sensoroni_pillar_file + +} + 
+create_strelka_pillar() { + touch $adv_strelka_pillar_file + printf '%s\n'\ "strelka:"\ " enabled: $STRELKA"\ - " rules: 1" >> "$global_pillar" + " rules: 1" > "$strelka_pillar_file" if [[ $is_airgap ]]; then printf '%s\n'\ " repos:"\ - " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" + " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$strelka_pillar_file" else printf '%s\n'\ " repos:"\ - " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" + " - 'https://github.com/Neo23x0/signature-base'" >> "$strelka_pillar_file" fi +} +backup_pillar() { + touch $adv_backup_pillar_file printf '%s\n'\ - "curator:"\ - " hot_warm: False"\ - "elastic:"\ - " features: False"\ - "elasticsearch:"\ >> "$global_pillar" - if [ -n "$ESCLUSTERNAME" ]; then - printf '%s\n'\ - " true_cluster: True"\ - " config:"\ - " cluster:"\ - " name: '$ESCLUSTERNAME'" >> "$global_pillar" - else - printf '%s\n'\ - " true_cluster: False" >> "$global_pillar" - fi - - printf '%s\n'\ - " replicas: 0"\ - " discovery_nodes: 1"\ - " hot_warm_enabled: False"\ - " cluster_routing_allocation_disk.threshold_enabled: true"\ - " cluster_routing_allocation_disk_watermark_low: '95%'"\ - " cluster_routing_allocation_disk_watermark_high: '98%'"\ - " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\ - " index_settings:"\ - " so-beats:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-endgame:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-firewall:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-flow:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-ids:"\ - " index_template:"\ - " 
template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-import:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 73000"\ - " delete: 73001"\ - " so-osquery:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-ossec:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-strelka:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-syslog:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-zeek:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 2"\ - " warm: 7"\ - " close: 45"\ - " delete: 365"\ - "minio:"\ - " access_key: '$ACCESS_KEY'"\ - " access_secret: '$ACCESS_SECRET'"\ - "s3_settings:"\ - " size_file: 2048"\ - " time_file: 1"\ - " upload_queue_size: 4"\ - " encoding: 'gzip'"\ - " interval: 5"\ "backup:"\ " locations:"\ - " - /opt/so/saltstack/local"\ + " - /opt/so/saltstack/local" > "$backup_pillar_file" +} + +soctopus_pillar() { + touch $adv_soctopus_pillar_file + printf '%s\n'\ "soctopus:"\ " playbook:"\ " rulesets:"\ - " - windows"\ + " - windows" > "$soctopus_pillar_file" +} + +docker_pillar() { + touch $adv_docker_pillar_file + printf '%s\n'\ "docker:"\ " range: '$DOCKERNET/24'"\ - " bip: '$DOCKERBIP'"\ + " bip: '$DOCKERBIP'" > $docker_pillar_file +} + +redis_pillar() { + touch $adv_redis_pillar_file + printf '%s\n'\ "redis_settings:"\ - " redis_maxmemory: 812" >> "$global_pillar" - - printf '%s\n' '----' >> "$setup_log" 2>&1 + " redis_maxmemory: 812" > "$redis_pillar_file" } mark_version() { 
@@ -1949,15 +1597,6 @@ mark_version() { echo "$SOVERSION" > /etc/soversion } -minio_generate_keys() { - - local charSet="[:graph:]" - - ACCESS_KEY=$(get_random_value) - ACCESS_SECRET=$(get_random_value 40) - -} - network_init() { disable_ipv6 set_hostname @@ -1987,6 +1626,26 @@ network_init_whiptail() { esac } +networking_needful() { + [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + collect_hostname + fi + [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + network_init_whiptail + else + source "$net_init_file" + fi + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + whiptail_network_init_notice + network_init + fi + set_main_ip + compare_main_nic_ip +} + network_setup() { { echo "Finishing up network setup"; @@ -1999,13 +1658,15 @@ network_setup() { } >> "$setup_log" 2>&1 } -ntp_pillar() { - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls +ntp_pillar_entries() { + local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls + + if [[ ${#ntp_servers[@]} -gt 0 ]]; then printf '%s\n'\ "ntp:"\ - " servers:" >> "$pillar_file" + " servers:" > "$pillar_file" for addr in "${ntp_servers[@]}"; do printf '%s\n' " - '$addr'" >> "$pillar_file" done @@ -2019,7 +1680,8 @@ parse_install_username() { patch_pillar() { - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls + if [[ $MANAGERUPDATES == 1 ]]; then local source="manager" @@ -2034,7 +1696,7 @@ patch_pillar() { " schedule_name: '$PATCHSCHEDULENAME'"\ " enabled: True"\ " splay: 300"\ - "" >> "$pillar_file" + "" > "$pillar_file" } 
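Review bot: ntp_pillar_entries and patch_pillar now both point `pillar_file` at `$local_salt_dir/pillar/minions/$MINION_ID.sls` and both switched from `>>` to `>`, so each truncates the file the other one writes. If both run for the same minion, whichever runs second discards the first one's block, and analyst_workstation_pillar targets the same path as well. The call order is outside these hunks, but unless exactly one of them ever runs per install, only the first writer should use `>` and the rest should keep `>> "$pillar_file"`. The body of ntp_pillar_entries also continues past its hunk, so the closing of the new `if [[ ${#ntp_servers[@]} -gt 0 ]]` cannot be checked here.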
@@ -2066,6 +1728,38 @@ print_salt_state_apply() { echo "Applying $state Salt state" } +process_installtype() { + if [ "$install_type" = 'EVAL' ]; then + is_eval=true + STRELKARULES=1 + elif [ "$install_type" = 'STANDALONE' ]; then + is_standalone=true + elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_managersearch=true + elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + elif [ "$install_type" = 'SENSOR' ]; then + is_sensor=true + elif [ "$install_type" = 'SEARCHNODE' ]; then + is_searchnode=true + elif [ "$install_type" = 'HEAVYNODE' ]; then + is_heavy=true + elif [ "$install_type" = 'FLEET' ]; then + is_fleet=true + elif [ "$install_type" = 'IDH' ]; then + is_idh=true + elif [ "$install_type" = 'IMPORT' ]; then + is_import=true + elif [ "$install_type" = 'RECEIVER' ]; then + is_receiver=true + elif [ "$install_type" = 'ANALYST' ]; then + if [ "$setup_type" != 'analyst' ]; then + exec bash so-setup analyst + fi + fi + +} + proxy_validate() { echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" @@ -2180,7 +1874,6 @@ reinstall_init() { # Backup directories in /nsm to prevent app errors backup_dir /nsm/mysql "$date_string" - backup_dir /nsm/wazuh "$date_string" # Remove the old launcher package in case the config changes remove_package launcher-final @@ -2232,6 +1925,19 @@ backup_dir() { fi } +drop_install_options() { + # Drop the install Variable + echo "MAINIP=$MAINIP" > /opt/so/install.txt + echo "MNIC=$MNIC" >> /opt/so/install.txt + echo "NODE_DESCRIPTION=$NODE_DESCRIPTION" >> /opt/so/install.txt + echo "ES_HEAP_SIZE=$ES_HEAP_SIZE" >> /opt/so/install.txt + echo "PATCHSCHEDULENAME=$PATCHSCHEDULENAME" >> /opt/so/install.txt + echo "INTERFACE=$INTERFACE" >> /opt/so/install.txt + NODETYPE=${install_type^^} + echo "NODETYPE=$NODETYPE" >> /opt/so/install.txt + echo "CORECOUNT=$lb_procs" >> /opt/so/install.txt +} + remove_package() { local package_name=$1 if [[ $is_centos ]]; then 
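Review bot: process_installtype has no final `else`, so an `install_type` outside the listed values sets no `is_*` flag and the function returns success with no role selected. A closing branch such as `else echo "Unknown install type: $install_type" >&2; exit 1` would stop setup there. The chain would also read more easily as a `case "$install_type" in` block, matching get_minion_type. `exec bash so-setup analyst` resolves `so-setup` relative to the current directory, which deserves a comment stating that assumption.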
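Review bot: drop_install_options writes `NODE_DESCRIPTION=$NODE_DESCRIPTION` to /opt/so/install.txt without quoting, although the description is free text entered by the operator (the removed host_pillar escaped its quotes before use). If install.txt is ever read back with `source`, as this file does with `$net_init_file`, a space breaks the assignment and shell metacharacters in the value would be evaluated. Writing it with `printf 'NODE_DESCRIPTION=%q\n' "$NODE_DESCRIPTION" >> /opt/so/install.txt` keeps the file safe to source; otherwise add a comment that consumers must parse the file rather than source it. How install.txt is consumed is not visible in this hunk.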
@@ -2252,129 +1958,108 @@ remove_package() { # - securityonion-builds/iso-resources/packages.lst # - securityonion/salt/salt/master.defaults.yaml # - securityonion/salt/salt/minion.defaults.yaml -saltify() { - # Install updates and Salt +securityonion_repo() { + # Remove all the current repos if [[ $is_centos ]]; then - set_progress_str 6 'Installing various dependencies' - if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install wget nmap-ncat" + if [[ $waitforstate ]]; then + # Build the repo locally so we can use it + echo "Syncing Repo" + repo_sync_local + fi + logCmd "yum -v clean all" + logCmd "mkdir -vp /root/oldrepos" + logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" + logCmd "ls -la /etc/yum.repos.d/" + if [[ ! $waitforstate ]]; then + echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo + echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo + echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo + echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo + echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo + echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo + else + echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo + echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo + echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo + echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo + echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo fi - if [[ ! $is_analyst ]]; then - case "$install_type" in - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') - reserve_group_ids - if [[ ! $is_iso ]]; then - logCmd "yum -y install sqlite curl mariadb-devel" - fi - # Download Ubuntu Keys in case manager updates = 1 - logCmd "mkdir -vp /opt/so/gpg" - if [[ ! 
$is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub" - logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - fi - set_progress_str 7 'Installing salt-master' - if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.2" - fi - logCmd "systemctl enable salt-master" - ;; - *) - ;; - esac - fi - if [[ ! $is_airgap ]]; then - logCmd "yum clean expire-cache" - fi - set_progress_str 8 'Installing salt-minion & python modules' - if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" - logCmd "yum -y update --exclude=salt*" - fi - logCmd "systemctl enable salt-minion" - logCmd "yum versionlock salt*" - else - DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1 - - if [ $OSVER == "bionic" ]; then - # Switch to Python 3 as default for bionic - update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10 >> "$setup_log" 2>&1 - elif [ $OSVER == "focal" ]; then - # Switch to Python 3 as default for focal - update-alternatives --install /usr/bin/python python /usr/bin/python3.8 10 >> "$setup_log" 2>&1 - fi - - local pkg_arr=( - 'apache2-utils' - 'ca-certificates' - 'curl' - 'software-properties-common' - 'apt-transport-https' - 'openssl' - 'netcat' - 'jq' - ) - retry 50 10 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || exit 1 - - # Grab the version from the os-release file - local ubuntu_version - ubuntu_version=$(grep 
VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') - - case "$install_type" in - 'FLEET') - retry 50 10 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || exit 1 - ;; - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') - - # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" - - # Add Docker repo - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1 - - # Get gpg keys - mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - - # Get key and install wazuh - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1 - # Add repo - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" - - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - set_progress_str 6 'Installing various dependencies' - retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 - set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 - retry 50 
10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 - ;; - *) - # Copy down the gpg keys and install them from the manager - mkdir "$temp_install_dir"/gpg >> "$setup_log" 2>&1 - echo "scp the gpg keys and install them from the manager" >> "$setup_log" 2>&1 - $scpcmd -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg >> "$setup_log" 2>&1 - echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 - apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" - ;; - esac - - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 - retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 - retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 + # need to yum clean all before repo conf files are removed or clean,cleans nothing + logCmd "yum repolist all" + # update this package because the repo config files get added back + # if the package is updated when the update_packages function is called + logCmd "yum -v -y update centos-release" + echo "Backing up the .repo files that were added by the centos-release package." 
+ logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/" + logCmd "yum repolist all" fi } +repo_sync_local() { + # Sync the repo from the the SO repo locally. + # Check for reposync + REPOSYNC=$(rpm -qa | grep createrepo | wc -l) + if [[ ! "$REPOSYNC" -gt 0 ]]; then + # Install reposync + echo "Installing createrepo" + logCmd "yum -y install yum-utils createrepo" + else + echo "We have what we need to sync" + fi + echo "Backing up old repos" + mkdir -p /nsm/repo + mkdir -p /root/reposync_cache + echo "[main]" > /root/repodownload.conf + echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf + echo "keepcache=0" >> /root/repodownload.conf + echo "debuglevel=2" >> /root/repodownload.conf + echo "logfile=/var/log/yum.log" >> /root/repodownload.conf + echo "exactarch=1" >> /root/repodownload.conf + echo "obsoletes=1" >> /root/repodownload.conf + echo "gpgcheck=1" >> /root/repodownload.conf + echo "plugins=1" >> /root/repodownload.conf + echo "installonly_limit=2" >> /root/repodownload.conf + echo "bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum" >> /root/repodownload.conf + echo "distroverpkg=centos-release" >> /root/repodownload.conf + echo "clean_requirements_on_remove=1" >> /root/repodownload.conf + echo "[securityonionsync]" >> /root/repodownload.conf + echo "name=Security Onion Repo repo" >> /root/repodownload.conf + echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/c7so/" >> /root/repodownload.conf + echo "enabled=1" >> /root/repodownload.conf + echo "gpgcheck=1" >> /root/repodownload.conf + echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf + + reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/ + + + # After the download is complete run createrepo + 
create_repo + +} + +saltify() { + if [[ $is_centos ]]; then + RUSALTY=$(rpm -qa | grep salt-minion | wc -l) + if [[ "$RUSALTY" -gt 0 ]]; then + # Salt is already installed. + echo "salt is installed" + else + # Install salt + if [[ $waitforstate ]]; then + # Since this is a salt master so let's install it + logCmd "yum -y install salt-minion salt-master" + else + # We just need the minion + logCmd "yum -y install salt-minion" + fi + fi + fi + +} + + # Run a salt command to generate the minion key salt_firstcheckin() { salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput 
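Review bot: In `securityonion_repo`, the `if [[ ! $waitforstate ]]` branch writes `sslverify=0` next to `baseurl=https://$MSRV/repo`, so yum does not authenticate the manager it downloads packages and metadata from. Both stanzas set `gpgcheck=1` but neither has a `gpgkey=` line, so package verification depends on the signing key already being in the RPM keyring, and repository metadata is not signature-checked by default. I would ship the manager's CA to the node and write `sslverify=1` with `sslcacert=<path to manager CA>`, plus `gpgkey=file://<path to securityonion.pub>`. In `saltify` the new `yum -y install salt-minion salt-master` drops the `3004.2` pin and the `yum versionlock salt*` that the removed code had, although the comment above the function still says the Salt version must match other files. In `repo_sync_local` the check greps for `createrepo` although the comment says it checks for reposync.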
@@ -2391,45 +2076,11 @@ secrets_pillar(){ " playbook_db: $PLAYBOOKDBPASS"\ " playbook_admin: $PLAYBOOKADMINPASS"\ " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\ - " grafana_admin: $GRAFANAPASS"\ - " fleet: $FLEETPASS"\ - " fleet_sa_email: service.account@securityonion.invalid"\ - " fleet_sa_password: $FLEETSAPASS"\ - " fleet_jwt: $FLEETJWT"\ - " fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls + " playbook_automation_api_key: "\ + " grafana_admin: $GRAFANAPASS" > $local_salt_dir/pillar/secrets.sls fi } -securityonion_repo() { - # Remove all the current repos - if [[ $is_centos ]]; then - if [[ "$INTERWEBS" == "AIRGAP" ]]; then - echo "This is airgap I don't need to add this repo" - else - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - local repo_conf_file="../salt/repo/client/files/centos/securityonioncache.repo" - else - local repo_conf_file="../salt/repo/client/files/centos/securityonion.repo" - fi - # need to yum clean all before repo conf files are removed or clean,cleans nothing - logCmd "yum -v clean all" - logCmd "mkdir -vp /root/oldrepos" - logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" - logCmd "ls -la /etc/yum.repos.d/" - logCmd "cp -f $repo_conf_file /etc/yum.repos.d/" - logCmd "yum repolist all" - # update this package because the repo config files get added back - # if the package is updated when the update_packages function is called - logCmd "yum -v -y update centos-release" - echo "Backing up the .repo files that were added by the centos-release package." - logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/" - logCmd "yum repolist all" - fi - else - echo "This is Ubuntu" - fi -} - set_network_dev_status_list() { readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)" export nmcli_dev_status_list 
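Review bot: The rewritten end of the `printf` in `secrets_pillar` creates `$local_salt_dir/pillar/secrets.sls` with a plain `>` redirect, so the file holding the playbook and Grafana passwords gets whatever mode the current umask allows. Nothing in this hunk tightens it, though it may be done elsewhere. Adding `chmod 600 "$local_salt_dir/pillar/secrets.sls"` right after the write, with the path quoted in the redirect as well, would make that explicit. The new `playbook_automation_api_key: ` line has no value, which YAML reads as null, so a short comment saying where it gets populated would help the next reader. The function begins outside the hunk.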
@@ -2465,6 +2116,22 @@ set_path() { echo "complete -cf sudo" >> /etc/profile.d/securityonion.sh } +set_minion_info() { + short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') + + if [[ $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') + fi + if [[ ! $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') + fi + export MINION_ID + + echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 + + minion_type=$(get_minion_type) +} + set_proxy() { # Don't proxy localhost, local ip, and management ip @@ -2590,45 +2257,6 @@ set_ssh_cmds() { fi } -sensor_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - - # Create the sensor pillar - printf '%s\n'\ - "sensor:"\ - " interface: '$INTERFACE'"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'" >> "$pillar_file" - - if [ "$NSMSETUP" = 'ADVANCED' ]; then - echo " zeek_pins:" >> "$pillar_file" - for PIN in "${ZEEKPINS[@]}"; do - PIN=$(echo "$PIN" | cut -d\" -f2) - echo " - $PIN" >> "$pillar_file" - done - echo " suripins:" >> "$pillar_file" - for SPIN in "${SURIPINS[@]}"; do - SPIN=$(echo "$SPIN" | cut -d\" -f2) - echo " - $SPIN" >> "$pillar_file" - done - elif [ "$install_type" = 'HELIXSENSOR' ]; then - echo " zeek_lbprocs: $lb_procs" >> "$pillar_file" - echo " suriprocs: $lb_procs" >> "$pillar_file" - else - echo " zeek_lbprocs: $BASICZEEK" >> "$pillar_file" - echo " suriprocs: $BASICSURI" >> "$pillar_file" - fi - printf '%s\n'\ - " manager: '$MSRV'"\ - " mtu: $MTU"\ - " uniqueid: $(date '+%s')" >> "$pillar_file" - if [ "$HNSENSOR" != 'inherit' ]; then - echo " hnsensor: $HNSENSOR" >> "$pillar_file" - fi - -} - set_default_log_size() { local percentage 
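Review bot: `set_minion_info` chooses `MINION_ID` with two back-to-back `if` statements testing `$is_analyst` and `! $is_analyst`; a single `if`/`else` states the same choice once. `short_name` is assigned without `local` and so leaks into the global scope, and `$setup_log` is unquoted in `echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1`. When `install_type` is empty the non-analyst branch produces an ID ending in `_`, so a guard like `[[ -n $install_type ]]` before building the ID is worth adding. The function also lacks a header comment saying that it exports `MINION_ID` and sets `minion_type`.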
@@ -2672,31 +2300,18 @@ set_hostname() { set_initial_firewall_policy() { - if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi case "$install_type" in 'MANAGER') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" - $default_salt_dir/pillar/data/addtotab.sh managertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - case "$install_type" in - 'EVAL') - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" True - ;; - 'MANAGERSEARCH') - $default_salt_dir/pillar/data/addtotab.sh managersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" - ;; - 'STANDALONE') - $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" - ;; - esac ;; 'HELIXSENSOR') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" 
@@ -2708,17 +2323,13 @@ set_initial_firewall_policy() { case "$install_type" in 'SENSOR') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" ;; 'SEARCHNODE') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'HEAVYNODE') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" 
@@ -2728,7 +2339,6 @@ set_initial_firewall_policy() { ;; 'RECEIVER') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP" esac ;; 'PARSINGNODE') @@ -2768,21 +2378,6 @@ set_management_interface() { fi } -set_node_type() { - - case "$install_type" in - 'SEARCHNODE' | 'EVAL' | 'MANAGERSEARCH' | 'HEAVYNODE' | 'STANDALONE') - NODETYPE='search' - ;; - 'HOTNODE') - NODETYPE='hot' - ;; - 'WARMNODE') - NODETYPE='warm' - ;; - esac -} - set_redirect() { case $REDIRECTINFO in 'IP') @@ -2834,17 +2429,6 @@ so_add_user() { fi } -steno_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - - # Create the stenographer pillar - printf '%s\n'\ - "steno:"\ - " enabled: True" >> "$pillar_file" - -} - update_sudoers_for_testing() { if [ -n "$TESTING" ]; then info "Ensuring $INSTALLUSERNAME has password-less sudo access for automated testing purposes." @@ -2869,6 +2453,7 @@ update_packages() { if [[ $is_centos ]]; then logCmd "yum repolist" logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*" + logCmd "yum -y install yum-utils" else retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 
@@ -2920,23 +2505,11 @@ wait_for_salt_minion() { retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1 } -write_out_idh_services() { - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - printf '%s\n'\ - "idh:"\ - " restrict_management_ip: $IDHMGTRESTRICT"\ - " services:" >> "$pillar_file" - for service in ${idh_services[@]}; do - echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file" - done -} - # Enable Zeek Logs zeek_logs_enabled() { echo "Enabling Zeek Logs" >> "$setup_log" 2>&1 - local zeeklogs_pillar=$local_salt_dir/pillar/zeeklogs.sls + local zeeklogs_pillar=$local_salt_dir/pillar/zeek/zeeklogs.sls printf '%s\n'\ "zeeklogs:"\ diff --git a/setup/so-preflight b/setup/so-preflight index d1fd89b6e..59c78c70b 100755 --- a/setup/so-preflight +++ b/setup/so-preflight @@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . cd "$(dirname "$0")" || exit 255 
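Review bot: `zeek_logs_enabled` now writes to `$local_salt_dir/pillar/zeek/zeeklogs.sls`, one directory deeper than before, and nothing visible in this hunk creates `pillar/zeek/`. If that directory is not made elsewhere, the redirect after the `printf` will fail and the pillar file will be missing. Adding `mkdir -p "$local_salt_dir/pillar/zeek"` before the `printf` would make the function self-contained. The body of `zeek_logs_enabled` continues outside the hunk.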
@@ -87,8 +78,6 @@ check_new_repos() { "https://download.docker.com/linux/centos/docker-ce.repo" "https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub" "https://download.docker.com/linux/ubuntu/gpg" - "https://packages.wazuh.com/key/GPG-KEY-WAZUH" - "https://packages.wazuh.com/3.x/yum/" ) else local ubuntu_version @@ -97,8 +86,6 @@ check_new_repos() { "https://download.docker.com/linux/ubuntu/gpg" "https://download.docker.com/linux/ubuntu" "https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub" - "https://packages.wazuh.com/key/GPG-KEY-WAZUH" - "https://packages.wazuh.com" ) fi diff --git a/setup/so-setup b/setup/so-setup index 12209f2ad..84d22c0fa 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . # Make sure you are root before doing anything uid="$(id -u)" 
@@ -49,6 +40,7 @@ setup_type=$1 automation=$2 WHATWOULDYOUSAYYAHDOHERE=setup +# This is for automation while [[ $# -gt 0 ]]; do arg="$1" shift @@ -70,32 +62,35 @@ while [[ $# -gt 0 ]]; do esac done +# Let's see what OS we are dealing with here detect_os + +# Check to see if this is the setup type of "analyst". is_analyst= if [ "$setup_type" = 'analyst' ]; then - is_analyst=true - # Check to see if this is an ISO - if [ -d /root/SecurityOnion ]; then - is_analyst_iso=true - fi + is_analyst=true + # Check to see if this is an ISO. Usually this dir on exists on ISO installs. + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi fi +# Make sure if ISO is specified that we are dealing with CentOS or Rocky if [[ "$setup_type" == 'iso' ]]; then - if [[ $is_centos ]]; then + if [[ $is_centos || $is_rocky ]]; then is_iso=true else - echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." + echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead." exit 1 fi fi # Check to see if this is an analyst install. If it is let's run things differently - if [[ $is_analyst ]]; then - # Make sure it's CentOS + # Make sure it's CentOS or Rocky Linux if [[ ! $is_centos ]]; then - echo "Analyst Workstation is only supported on CentOS 7" + echo "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8" exit 1 fi @@ -132,8 +127,6 @@ if [[ $is_analyst ]]; then is_minion=true fi - - if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" @@ -147,6 +140,7 @@ if [[ -f /root/accept_changes ]]; then [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" fi +# Figure out the user id that is running the install parse_install_username if ! [ -f $install_opt_file ]; then 
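Review bot: In the `if [[ $is_analyst ]]` block the comment and the error message now say "CentOS 7 or Rocky Linux 8", but the test is still `if [[ ! $is_centos ]]`, while the ISO check just above was widened to `$is_centos || $is_rocky`. Unless `detect_os` also sets `is_centos` on Rocky, an analyst install on Rocky will exit with a message that says Rocky is supported. The test should match the ISO one: `if [[ ! ( $is_centos || $is_rocky ) ]]; then`. The added comment "Usually this dir on exists on ISO installs" should read "only exists". The analyst block continues outside the hunk.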
@@ -166,7 +160,10 @@ catch() { whiptail_setup_failed exit 1 } + automated=no + +# Add the progress function for manager node type installs progress() { local msg=${1:-'Please wait while installing...'} @@ -177,6 +174,7 @@ progress() { fi } +# If using automation let's do automation things. if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 source automation/$automation @@ -208,6 +206,7 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th fi fi +# Make sure the setup type is suppoted. case "$setup_type" in iso | network | analyst) # Accepted values echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 @@ -218,13 +217,11 @@ case "$setup_type" in ;; esac -#set ssh commands that will be used based on if this is an automated test install or not -set_ssh_cmds $automated - # Allow execution of SO tools during setup local_sbin="$(pwd)/../salt/common/tools/sbin" export PATH=$PATH:$local_sbin +# Ubuntu whiptail pallete to make it look the same as CentOS and Rocky. set_palette >> $setup_log 2>&1 # Kernel messages can overwrite whiptail screen #812 @@ -248,6 +245,7 @@ if [ "$automated" == no ]; then fi fi +# Begin prompting the user with whiptail. if ! [[ -f $install_opt_file ]]; then if (whiptail_you_sure); then true @@ -255,7 +253,9 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi + # If this is an analyst install lets streamline the process. if [[ $is_analyst ]]; then + # Prompt for hostname collect_hostname if [[ $is_analyst_iso ]]; then # Prompt Network Setup 
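Review bot: The hunk after the `case "$setup_type"` block removes `set_ssh_cmds $automated` without a replacement in view, yet `set_initial_firewall_policy` elsewhere in this patch still runs `$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" ...`. If the call has not moved to another place in the new flow, `$sshcmd` and `$scpcmd` will be empty and those lines will try to run `-i` as a command. Either keep the call here or note where the variables are now set, e.g. `# ssh/scp wrappers are set in <function name>`. Two added comments have typos: "suppoted" should be "supported" and "pallete" should be "palette".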
@@ -273,10 +273,12 @@ if ! [[ -f $install_opt_file ]]; then if [[ ! $is_analyst_iso ]]; then # This should be a network install whiptail_network_notice + # Warn about the dangers of DHCP whiptail_dhcp_warn whiptail_management_nic fi whiptail_network_init_notice + # Initializing the network based on the previous information network_init printf '%s\n' \ "MNIC=$MNIC" \ @@ -285,8 +287,7 @@ if ! [[ -f $install_opt_file ]]; then compare_main_nic_ip fi - - if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then collect_hostname 
@@ -310,846 +311,291 @@ else source $install_opt_file fi -if [ "$install_type" = 'EVAL' ]; then - is_node=true - is_manager=true - is_sensor=true - is_eval=true - STRELKARULES=1 -elif [ "$install_type" = 'STANDALONE' ]; then - is_manager=true - is_distmanager=true - is_node=true - is_sensor=true -elif [ "$install_type" = 'MANAGERSEARCH' ]; then - is_manager=true - is_distmanager=true - is_node=true -elif [ "$install_type" = 'MANAGER' ]; then - is_manager=true - is_distmanager=true -elif [ "$install_type" = 'SENSOR' ]; then - is_sensor=true - is_minion=true -elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then - is_node=true - is_minion=true -elif [ "$install_type" = 'HEAVYNODE' ]; then - is_node=true - is_minion=true - is_sensor=true -elif [ "$install_type" = 'FLEET' ]; then - is_minion=true - is_fleet_standalone=true - OSQUERY=1 -elif [ "$install_type" = 'IDH' ]; then - is_minion=true - is_idh=true - IDH=1 -elif [ "$install_type" = 'HELIXSENSOR' ]; then - is_helix=true -elif [ "$install_type" = 'IMPORT' ]; then - is_import=true -elif [ "$install_type" = 'RECEIVER' ]; then - is_minion=true - is_receiver=true -elif [ "$install_type" = 'ANALYST' ]; then - if [ "$setup_type" != 'analyst' ]; then - exec bash so-setup analyst - fi -fi - -if [[ $is_manager || $is_import ]]; then - check_elastic_license -fi +# Process the install type +process_installtype +# If this is not an automated install prompt if ! [[ -f $install_opt_file ]]; then - if [[ $is_manager && $is_sensor ]]; then - check_requirements "standalone" - elif [[ $is_fleet_standalone ]]; then - check_requirements "dist" "fleet" - elif [[ $is_idh ]]; then - check_requirements "dist" "idh" - elif [[ $is_sensor && ! $is_eval ]]; then - check_requirements "dist" "sensor" - elif [[ $is_distmanager || $is_minion ]] && [[ ! 
( $is_import || $is_analyst ) ]]; then - check_requirements "dist" - elif [[ $is_import ]]; then - check_requirements "import" - fi - [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - collect_hostname - fi - - [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - network_init_whiptail - else - source "$net_init_file" - fi - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - whiptail_network_init_notice - network_init - fi - - set_main_ip - compare_main_nic_ip - - if [[ $is_minion ]]; then + # If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles. + if [[ $is_eval ]]; then + waitforstate=true + monints=true + check_elastic_license + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_minion_info + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + whiptail_sensor_nics + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + # Start the install + elif [[ $is_standalone ]]; then + waitforstate=true + monints=true + check_elastic_license + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_minion_info + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + whiptail_sensor_nics + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + elif [[ $is_manager ]]; then + check_elastic_license + 
waitforstate=true + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + elif [[ $is_managersearch ]]; then + check_elastic_license + waitforstate=true + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + elif [[ $is_sensor ]]; then + monints=true + check_requirements "sensor" + calculate_useable_cores + networking_needful + check_network_manager_conf + set_network_dev_status_list collect_mngr_hostname add_mngr_ip_to_hosts - whiptail_ssh_key_copy_notice - copy_ssh_key >> $setup_log 2>&1 - fi - - if [[ $is_idh ]]; then - collect_idh_services - collect_idh_preferences - fi - - # Check if this is an airgap install - if [[ ( $is_manager || $is_import) && $is_iso ]]; then - whiptail_airgap - if [[ "$INTERWEBS" == 'AIRGAP' ]]; then - is_airgap=true - fi - elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 - airgap_check=$? - [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 - fi - - reset_proxy - if [[ -z $is_airgap ]]; then - collect_net_method - [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 - fi - - if [[ $is_minion ]] && ! 
(compare_versions); then - info "Installer version mismatch, downloading correct version from manager" - printf '%s\n' \ - "install_type=$install_type" \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" \ - "MSRV=$MSRV" \ - "MSRVIP=$MSRVIP" \ - "is_airgap=$is_airgap" \ - "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" - [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" - download_repo_tarball - exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" - fi -else - rm -rf $install_opt_file >> "$setup_log" 2>&1 -fi - -if [[ -z $is_airgap ]]; then - percentage=0 - { - installer_progress_loop 'Running preflight checks...' & - progress_bg_proc=$! - ./so-preflight true "$setup_log" >> $setup_log 2>&1 - preflight_ret=$? - echo "$preflight_ret" > /tmp/preflight_ret - kill -9 "$progress_bg_proc" - wait "$progress_bg_proc" &> /dev/null - } | progress '...' - [[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret) - rm /tmp/preflight_ret - if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then - whiptail_cancel - fi -fi - -percentage=0 -{ - installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs - progress_bg_proc=$! - installer_prereq_packages - install_success=$? - kill -9 "$progress_bg_proc" - wait "$progress_bg_proc" &> /dev/null # Kill just sends signal, redirect output of wait to catch stdout - if [[ $install_success -gt 0 ]]; then - echo "Could not install packages required for setup, exiting now." >> "$setup_log" 2>&1 - kill -SIGUSR1 "$setup_proc"; exit 1 - fi -} | progress '...' - -detect_cloud - -short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') - -if [[ $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') -fi -if [[ ! 
$is_analyst ]]; then - MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') -fi -export MINION_ID - -echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 - -minion_type=$(get_minion_type) - -# Set any variables needed -set_default_log_size >> $setup_log 2>&1 - -if [[ $is_helix ]]; then - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} - HNSENSOR=${HNSENSOR:-inherit} - MANAGERUPDATES=${MANAGERUPDATES:-0} -fi - -if [[ $is_helix || ( $is_manager && $is_node ) ]]; then - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} -fi - -if [[ $is_manager && $is_node ]]; then - LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1} - LSPIPELINEBATCH=${LSPIPELINEBATCH:-125} - LSINPUTTHREADS=${LSINPUTTHREADS:-1} - LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125} - NIDS=${NIDS:-Suricata} - ZEEKVERSION=${ZEEKVERSION:-ZEEK} -fi - -if [[ $is_import ]]; then - PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto} - MTU=${MTU:-1500} - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} - HNSENSOR=${HNSENSOR:-inherit} - MANAGERUPDATES=${MANAGERUPDATES:-0} - MANAGERADV=${MANAGERADV:-BASIC} - INTERFACE=${INTERFACE:-bond0} - ZEEKVERSION=${ZEEKVERSION:-ZEEK} - NIDS=${NIDS:-Suricata} - RULESETUP=${RULESETUP:-ETOPEN} - GRAFANA=${GRAFANA:-0} - OSQUERY=${OSQUERY:-0} - WAZUH=${WAZUH:-0} - PLAYBOOK=${PLAYBOOK:-0} -fi - -if [[ $is_airgap ]]; then - PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} - [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1} -fi - -# Start user prompts - -if [[ $is_helix ]]; then - collect_helix_key -fi - -if [[ $is_helix || $is_sensor ]]; then - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 - check_network_manager_conf - set_network_dev_status_list - whiptail_sensor_nics -fi - -if [[ $is_helix || $is_sensor || $is_import ]]; then - calculate_useable_cores -fi - -if [[ ! $is_airgap && ! 
$is_import ]]; then - collect_patch_schedule -fi - -if [[ $is_helix || $is_manager || $is_import ]]; then - collect_homenet_mngr -fi - -#set base elasticsearch heap size -if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then - es_heapsize -fi - -#set base logstash heap size -if [[ $is_helix || $is_manager || $is_node || $is_import || $is_receiver ]]; then - ls_heapsize -fi - -if [[ $is_manager && ! $is_eval ]]; then - whiptail_manager_adv - if [ "$MANAGERADV" = 'ADVANCED' ]; then - if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then - collect_es_cluster_name - fi - fi - - whiptail_metadata_tool - - [[ $MANAGERADV == "ADVANCED" ]] && [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_manager_adv_service_zeeklogs - - # Don't run this function for now since Snort is not yet supported - # whiptail_nids - NIDS=Suricata - whiptail_rule_setup - - if [ "$RULESETUP" != 'ETOPEN' ]; then - collect_oinkcode - fi -fi - -if [[ $is_manager ]]; then - whiptail_enable_components - - if [[ "$STRELKA" = 1 ]]; then - info "Enabling Strelka rules" - STRELKARULES=1 - else - info "Disabling Strelka rules: STRELKA='$STRELKA'" - fi - - collect_dockernet -fi - -if [[ $is_manager || $is_import ]]; then - collect_webuser_inputs - get_redirect -fi - -if [[ $is_distmanager ]]; then - collect_soremote_inputs -fi - -if [[ $is_sensor && ! $is_eval ]]; then - [[ $is_manager ]] || collect_homenet_snsr - whiptail_sensor_config - if [ $NSMSETUP == 'ADVANCED' ]; then - if [[ $is_manager ]]; then - [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins - else - whiptail_zeek_pins - fi + check_manager_connection + detect_cloud + whiptail_sensor_nics + set_minion_info + whiptail_end_settings - whiptail_suricata_pins - collect_mtu - else - if [[ $is_node && $is_sensor && ! 
$is_eval ]]; then - PROCS=$(( lb_procs / 2 )) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - PROCS=$lb_procs + elif [[ $is_searchnode ]]; then + check_requirements "elasticsearch" + networking_needful + check_network_manager_conf + set_network_dev_status_list + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + detect_cloud + set_minion_info + whiptail_end_settings + + elif [[ $is_heavynode ]]; then + monints=true + check_requirements "heavynode" + calculate_useable_cores + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + + elif [[ $is_idh ]]; then + check_requirements "idh" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + + elif [[ $is_import ]]; then + check_requirements "import" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + + elif [[ $is_receiver ]]; then + check_requirements "receiver" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + fi + + if [[ $waitforstate ]]; then + percentage=0 + es_heapsize + ls_heapsize + set_redirect + # Generate Interface Vars + generate_interface_vars + if [[ $monints ]]; then + configure_network_sensor fi - - if [[ $is_manager ]]; then - [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek - else - collect_zeek + # Configure NTP + echo "Configuring NTP" + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + # Reserve the ports that SO needs + echo "Reserving ports" + reserve_ports + echo "Setting Paths" + # Set the paths + set_path + echo "Checking if this is a re-install" + # Check to see if its a reinstall. 
THIS NEEDS REVIEW + if [[ $is_reinstall ]]; then + reinstall_init fi - - collect_suri - fi -fi - -[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers - -if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then - whiptail_node_advanced - if [ "$NODESETUP" == 'NODEADVANCED' ]; then - if [[ ! $is_receiver ]]; then - collect_node_es_heap - collect_es_space_limit - fi - collect_node_ls_heap - collect_node_ls_pipeline_worker_count - collect_node_ls_pipeline_batch_size - collect_node_ls_input - else - if [[ ! $is_receiver ]]; then - NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE - fi - NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE - LSPIPELINEWORKERS=$num_cpu_cores - LSPIPELINEBATCH=125 - LSINPUTTHREADS=1 - fi -fi - -if [ "$install_type" == 'FLEET' ]; then - collect_fleetuser_inputs - collect_fleet_custom_hostname_inputs -else - FLEETNODEUSER=$WEBUSER - FLEETNODEPASSWD1=$WEBPASSWD1 -fi - -if [[ $is_manager || $is_import ]]; then collect_so_allow; fi - -# This block sets REDIRECTIT which is used by a function outside the below subshell -set_redirect >> $setup_log 2>&1 - -if [[ $is_minion ]] && ! check_manager_state; then - echo "Manager was not in a good state" >> "$setup_log" 2>&1 - whiptail_manager_error -fi - -whiptail_end_settings - -# From here on changes will be made. -echo "1" > /root/accept_changes - - -# Begin install -{ - # Set initial percentage to 0 - export percentage=0 - - # Show initial progress message - set_progress_str 0 'Running initial configuration steps' - - [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - - if [[ ! $is_analyst ]]; then - reserve_ports - fi - - set_path - - if [[ $is_reinstall ]]; then - reinstall_init - fi - - disable_auto_start - - { - mark_version; - clear_manager; - } >> $setup_log 2>&1 - - - if [[ $is_manager || $is_import ]]; then - { - generate_passwords; - secrets_pillar; - } >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import || $is_helix ]]; then - add_socore_user_manager >> $setup_log 2>&1 - fi - - if [[ $is_manager && ! 
$is_eval ]]; then - add_soremote_user_manager >> $setup_log 2>&1 - fi - if [[ ! $is_analyst ]]; then - host_pillar >> $setup_log 2>&1 - fi - if [[ $is_analyst ]]; then - analyst_workstation_pillar - fi - ntp_pillar >> $setup_log 2>&1 - - - if [[ $is_minion || $is_import ]]; then - set_updates >> $setup_log 2>&1 - fi - - if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then - info "Creating airgap repo" - create_repo >> $setup_log 2>&1 - airgap_rules >> $setup_log 2>&1 - fi - - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi - - set_progress_str 2 'Updating packages' - # Import the gpg keys - gpg_rpm_import >> $setup_log 2>&1 - info "Disabling fastestmirror" - [[ $is_centos ]] && disable_fastestmirror - if [[ ! $is_airgap ]]; then - securityonion_repo >> $setup_log 2>&1 - update_packages >> $setup_log 2>&1 - else - airgap_repo >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_helix || $is_import ]]; then - set_progress_str 3 'Generating sensor pillar' - generate_sensor_vars - sensor_pillar >> $setup_log 2>&1 - if [[ $is_sensor || $is_helix ]]; then - steno_pillar >> $setup_log - fi - fi - - if [[ $is_sensor || $is_helix ]]; then - set_progress_str 4 'Configuring sensor interface' - configure_network_sensor >> $setup_log 2>&1 - fi - - set_progress_str 5 'Installing Salt and dependencies' - saltify 2>> $setup_log - - if [[ ! $is_analyst ]]; then - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 - fi - - set_progress_str 7 'Generating patch pillar' - patch_pillar >> $setup_log 2>&1 - - set_progress_str 8 'Initializing Salt minion' - configure_minion "$minion_type" >> $setup_log 2>&1 - - if [[ ! 
$is_analyst ]]; then - check_sos_appliance >> $setup_log 2>&1 - fi - - update_sudoers_for_testing >> $setup_log 2>&1 - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 9 'Configuring Salt master' - { - create_local_directories; - addtotab_generate_templates; - copy_salt_master_config; - setup_salt_master_dirs; - firewall_generate_templates; - } >> $setup_log 2>&1 + echo "Disable auto start of setup" + # Disable the setup from prompting at login + disable_auto_start + echo "Setting the version" + # Set the version + mark_version + echo "Clearing the old manager" + # Remove old manager if re-install + clear_manager + echo "Generating Secrets" + # Generate passwords + generate_passwords + echo "Populating the secrets pillar" + # Create the secrets pillar + secrets_pillar + echo "Add socore user" + # Add the socore user + add_socore_user_manager - set_progress_str 10 'Updating sudoers file for soremote user' - update_sudoers >> $setup_log 2>&1 - - set_progress_str 11 'Generating manager global pillar' - #minio_generate_keys - manager_global >> $setup_log 2>&1 - - set_progress_str 12 'Generating manager pillar' - manager_pillar >> $setup_log 2>&1 - zeek_logs_enabled >> $setup_log 2>&1 - fi - - set_progress_str 16 'Running first Salt checkin' - salt_firstcheckin >> $setup_log 2>&1 + create_local_directories + setup_salt_master_dirs + create_manager_pillars - if [[ $is_helix ]]; then - set_progress_str 17 'Generating the FireEye pillar' - fireeye_pillar >> $setup_log 2>&1 - fi - - if [[ $is_node ]]; then - set_progress_str 18 'Setting node type' - set_node_type >> $setup_log 2>&1 + echo "Generating the minion pillar" + # Create the minion defaults - if ! 
[[ $is_manager || $is_helix ]]; then - set_progress_str 19 'Generating search node pillar' - elasticsearch_pillar >> $setup_log 2>&1 + export NODETYPE=$install_type + export MINION_ID=$MINION_ID + export ES_HEAP_SIZE=$ES_HEAP_SIZE + export IDHMGTRESTRICT=$IDHMGTRESTRICT + export idh_services=$idh_services + export MNIC=$MNIC + export NODE_DESCRIPTION=$NODE_DESCRIPTION + export MAINIP=$MAINIP + export PATCHSCHEDULENAME=$PATCHSCHEDULENAME + export INTERFACE="bond0" + so-minion -o=setup + echo "Creating Global SLS" + + if [[ $is_airgap ]]; then + # Airgap Rules + airgap_rules fi - fi - if [[ ($is_node || $is_receiver) && !($is_manager || $is_helix) ]]; then - set_progress_str 19 'Generating logstash pillar' - logstash_pillar >> $setup_log 2>&1 - fi + manager_pillar - if [[ $is_idh ]]; then - # Write out services to minion pillar file - set_progress_str 19 'Generating IDH services pillar' - write_out_idh_services - fi + zeek_logs_enabled + # Set up the repo to point to local file https://access.redhat.com/solutions/1355683 + # reposync down the files is network and createrepo if CentOS + # Import the GPG keys + gpg_rpm_import + # Create the local repo and point the box to use the local repo + securityonion_repo + # Update existing packages + update_packages + # Install salt + saltify + # Start the master service + copy_salt_master_config + configure_minion "$minion_type" + salt-key -yd "$MINION_ID" #delete the minion key if it already exists + salt-call state.show_top >> /dev/null 2>&1 #talk to the salt-master so the minion key is created on the salt-master + salt-key -ya "$MINION_ID" #accept the key - if [[ $is_minion ]]; then - set_progress_str 20 'Accepting Salt key on manager' - retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1 - fi + salt-call state.apply salt.helper-packages + salt-call state.apply common.packages + salt-call state.apply common + salt-call state.apply docker + # Set the initial firewall policy + 
firewall_generate_templates; + set_initial_firewall_policy - if [[ $is_manager || $is_import || $is_helix ]]; then - set_progress_str 20 'Accepting Salt key' - retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1 - fi + generate_ca + generate_ssl - set_progress_str 21 'Copying minion pillars to manager' - copy_minion_tmp_files >> $setup_log 2>&1 - - if [[ $is_minion ]]; then - set_progress_str 22 'Checking if the Salt Minion needs to be updated' - salt-call state.apply -l info salt.minion >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 23 'Generating CA' - generate_ca >> $setup_log 2>&1 - fi - - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 25 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf - mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 - touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1 - - if [[ "$setup_type" == 'iso' ]]; then - set_progress_str 26 'Copying containers from iso' - else - set_progress_str 26 'Downloading containers from the internet' + mkdir -p /opt/so/conf/so-status/ + touch /opt/so/conf/so-status/so-status.conf + echo "Importing Registry Docker" + import_registry_docker + echo "Applying the registry state" + salt-call state.apply -l info registry + echo "Seeding the docker registry" + docker_seed_registry + echo "Applying the manager state" + salt-call state.apply -l info manager + salt-call state.apply -l info firewall + salt-call state.highstate -l info + add_web_user + so-elastic-fleet-setup + echo "Setting up Playbook" + so-playbook-reset + whiptail_setup_complete + else + es_heapsize + ls_heapsize + generate_interface_vars + if [[ $monints ]]; then + configure_network_sensor fi - 
import_registry_docker >> $setup_log 2>&1 - salt-call state.apply -l info registry >> $setup_log 2>&1 - docker_seed_registry # ~ 60% when finished - - set_progress_str 60 "$(print_salt_state_apply 'manager')" - salt-call state.apply -l info manager >> $setup_log 2>&1 - - echo "Executing so-elastic-auth..." >> $setup_log 2>&1 - ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1 - echo "Finished so-elastic-auth..." >> $setup_log 2>&1 + reserve_ports + # Set the version + mark_version + echo "Clearing the old manager" + # Remove old manager if re-install + clear_manager + gpg_rpm_import + securityonion_repo + update_packages + saltify + configure_minion "$minion_type" + drop_install_options + whiptail_setup_complete fi - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 - fi + # Need to make sure the latest install is located on the web server of the manager to check the versions and donwload the code if required - if [[ $is_centos ]]; then - set_progress_str 61 'Installing Yum utilities' - salt-call state.apply -l info yum.packages >> $setup_log 2>&1 - fi - if [[ ! $is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'common')" - salt-call state.apply -l info common >> $setup_log 2>&1 - fi - - if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! 
$is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'nginx')" - salt-call state.apply -l info nginx >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 63 "$(print_salt_state_apply 'idstools')" - create_local_nids_rules >> $setup_log 2>&1 - salt-call state.apply -l info idstools >> $setup_log 2>&1 - - set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')" - salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then - set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" - salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_import ]]; then - set_progress_str 65 "$(print_salt_state_apply 'pcap')" - salt-call state.apply -l info pcap >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_import || $is_helix ]]; then - set_progress_str 66 "$(print_salt_state_apply 'suricata')" - salt-call state.apply -l info suricata >> $setup_log 2>&1 - - if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then - set_progress_str 67 "$(print_salt_state_apply 'zeek')" - salt-call state.apply -l info zeek >> $setup_log 2>&1 - fi - fi - - if [[ $is_node ]]; then - set_progress_str 68 "$(print_salt_state_apply 'curator')" - salt-call state.apply -l info curator >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 69 "$(print_salt_state_apply 'soc')" - salt-call state.apply -l info soc >> $setup_log 2>&1 - - set_progress_str 70 "$(print_salt_state_apply 'kibana')" - salt-call state.apply -l info kibana.so_config_load >> $setup_log 2>&1 - salt-call state.apply -l info kibana.so_securitySolution_load >> $setup_log 2>&1 - salt-call state.apply -l info kibana.so_dashboard_load >> $setup_log 2>&1 - - set_progress_str 70 "Setting up default Space in Kibana" - so-kibana-space-defaults >> $setup_log 2>&1 - fi - - if [[ "$PLAYBOOK" = 1 ]]; then - 
set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')" - salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 - - set_progress_str 71 "$(print_salt_state_apply 'playbook')" - salt-call state.apply -l info playbook >> $setup_log 2>&1 - - set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')" - salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1 - fi - - if [[ $is_manager ]]; then - set_progress_str 72 "$(print_salt_state_apply 'elastalert')" - salt-call state.apply -l info elastalert >> $setup_log 2>&1 - - set_progress_str 73 "$(print_salt_state_apply 'soctopus')" - salt-call state.apply -l info soctopus >> $setup_log 2>&1 - - if [[ "$PLAYBOOK" = 1 ]]; then - set_progress_str 73 "Update playbook rules" - so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & - fi - - if [[ "$GRAFANA" = 1 ]]; then - set_progress_str 74 "Installing InfluxDB and Grafana" - salt-call state.apply -l info influxdb >> $setup_log 2>&1 - salt-call state.apply -l info grafana >> $setup_log 2>&1 - fi - - fi - - if [[ "$OSQUERY" = 1 ]]; then - - set_progress_str 75 "$(print_salt_state_apply 'fleet.event_enable-fleet')" - salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1 - - set_progress_str 75 "$(print_salt_state_apply 'fleet')" - salt-call state.apply -l info fleet >> $setup_log 2>&1 - - set_progress_str 76 "$(print_salt_state_apply 'redis')" - salt-call state.apply -l info redis >> $setup_log 2>&1 - - if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then - set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" - pillar_override="{\"global\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}" - salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 - rm -f /etc/pki/managerssl.crt - salt-call state.apply -l info ssl >> $setup_log 2>&1 - fi - - set_progress_str 78 
"$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 - - fi - - if [[ $is_idh ]]; then - set_progress_str 79 "$(print_salt_state_apply 'idh')" - salt-call state.apply -l info idh >> $setup_log 2>&1 - - fi - - if [[ "$WAZUH" = 1 ]]; then - set_progress_str 79 "$(print_salt_state_apply 'wazuh')" - salt-call state.apply -l info wazuh >> $setup_log 2>&1 - fi - - if [[ "$STRELKA" = 1 ]]; then - if [[ $is_sensor ]]; then - set_progress_str 81 "$(print_salt_state_apply 'strelka')" - salt-call state.apply -l info strelka >> $setup_log 2>&1 - fi - if [[ "$STRELKARULES" = 1 ]]; then - logCmd /usr/sbin/so-yara-update - else - info "Skipping running yara update: STRELKARULES='$STRELKARULES'" - fi - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 82 "$(print_salt_state_apply 'utility')" - salt-call state.apply -l info utility >> $setup_log 2>&1 - fi - - if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then - set_progress_str 83 "$(print_salt_state_apply 'logstash')" - salt-call state.apply -l info logstash >> $setup_log 2>&1 - - set_progress_str 84 "$(print_salt_state_apply 'filebeat')" - salt-call state.apply -l info filebeat >> $setup_log 2>&1 - fi - - if [[ ! 
$is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 87 'Adding user to SOC' - add_web_user >> $setup_log 2>&1 - fi - - if [[ $is_analyst ]]; then - # Remove access to the manager from the analyst workstation - rm -rf /root/.ssh/so.key* - fi - - set_progress_str 90 'Enabling checkin at boot' - checkin_at_boot >> $setup_log 2>&1 - - set_progress_str 95 'Verifying setup' - salt-call -l info state.highstate queue=True >> $setup_log 2>&1 - -} | progress - -success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') -if [[ $success != 0 ]]; then SO_ERROR=1; fi - -# Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox -# Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry -# Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall -if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then - SO_ERROR=1 - grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" > "$error_log" fi - -if [[ -n $SO_ERROR ]]; then - echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 - - SKIP_REBOOT=1 - whiptail_setup_failed -else - echo "Successfully completed setup! 
Continuing with post-installation steps" >> $setup_log 2>&1 - { - export percentage=95 # set to last percentage used in previous subshell - if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" - so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot - - set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" - IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 - fi - - if [[ $is_manager ]]; then - set_progress_str 98 "Generating archive for setup directory" - generate_repo_tarball >> "$setup_log" 2>&1 - fi - - if [[ -n $LEARN_LOGSCAN_ENABLE ]]; then - set_progress_str 99 'Enabling logscan' - so-learn enable logscan --apply >> $setup_log 2>&1 - fi - - if [[ -n $ENDGAMEHOST ]]; then - set_progress_str 99 'Configuring firewall for Endgame SMP' - so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 - fi - - } | whiptail_gauge_post_setup "Running post-installation steps..." - - echo "Post-installation steps have completed. Awaiting user input to clean up installer." >> $setup_log 2>&1 - whiptail_setup_complete - [[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning -fi - -install_cleanup >> "$setup_log" 2>&1 - -if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi diff --git a/setup/so-setup.old b/setup/so-setup.old new file mode 100755 index 000000000..d916777fd --- /dev/null +++ b/setup/so-setup.old 
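Review bot: In the `$waitforstate` branch nothing checks whether the install succeeded: `salt-call state.highstate -l info` runs straight on to `add_web_user`, `so-elastic-fleet-setup`, `so-playbook-reset` and `whiptail_setup_complete`, whereas the removed code scanned `$setup_log` for `ERROR|Result: False` and called `whiptail_setup_failed`. Unless an error trap outside this hunk covers these calls, a manager whose firewall or SSL state failed to apply is still reported as set up. A minimal guard is `salt-call --retcode-passthrough state.highstate -l info >> "$setup_log" 2>&1 || { whiptail_setup_failed; exit 1; }`, and the `registry`, `manager` and `firewall` applies above it need the same treatment. The new path also no longer runs `so-ssh-harden` or the `so-allow` step that the old flow ran before completion; if they moved elsewhere, a comment saying where would help.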
@@ -0,0 +1,1146 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +# Make sure you are root before doing anything +uid="$(id -u)" +if [ "$uid" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 +fi + +# Save the original argument array since we modify it +original_args=("$@") + +cd "$(dirname "$0")" || exit 255 + +echo "Getting started..." + +# Source the generic function libraries that are also used by the product after +# setup. These functions are intended to be reusable outside of the setup process. +source ../salt/common/tools/sbin/so-common +source ../salt/common/tools/sbin/so-image-common + +# Setup bash functionality is divided into functions and user-facing prompts. +# Do not attempt to re-use any of this functionality outside of setup. Instead, +# if needed, migrated generic functions into so-common. +source ./so-functions +source ./so-whiptail + +# Finally, source the default variable definitions, which require availability of +# functions sourced above. 
+source ./so-variables + +# Parse command line arguments +setup_type=$1 +automation=$2 +WHATWOULDYOUSAYYAHDOHERE=setup + +while [[ $# -gt 0 ]]; do + arg="$1" + shift + case "$arg" in + "--turbo="* ) + export TURBO="http://${arg#*=}";; + "--proxy="* ) + export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; + "--allow-role="* ) + export ALLOW_ROLE="${arg#*=}";; + "--allow-cidr="* ) + export ALLOW_CIDR="${arg#*=}";; + "--skip-reboot" ) + export SKIP_REBOOT=1;; + * ) + if [[ "$arg" == "--"* ]]; then + echo "Invalid option" + fi + esac +done + +detect_os +is_analyst= +if [ "$setup_type" = 'analyst' ]; then + is_analyst=true + # Check to see if this is an ISO + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi +fi + +if [[ "$setup_type" == 'iso' ]]; then + if [[ $is_centos ]]; then + is_iso=true + else + echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." + exit 1 + fi +fi + +# Check to see if this is an analyst install. If it is let's run things differently + +if [[ $is_analyst ]]; then + + # Make sure it's CentOS + if [[ ! $is_centos ]]; then + echo "Analyst Workstation is only supported on CentOS 7" + exit 1 + fi + + if ! whiptail_analyst_install; then + if [[ $is_analyst_iso ]]; then + if whiptail_analyst_nongrid_iso; then + # Remove setup from auto launching + parse_install_username + sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 + echo "Enabling graphical interface and setting it to load at boot" + systemctl set-default graphical.target + startx + exit 0 + else + # Abort! + exit 0 + fi + else + if whiptail_analyst_nongrid_network; then + echo "" + echo "" + echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." + echo "" + echo "" + analyst_salt_local + else + # Abort! + exit 0 + fi + fi + fi + + # If you got this far then you want to join the grid + is_minion=true + +fi + + + +if ! 
[ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then + exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" +fi + +if [[ -f /root/accept_changes ]]; then + is_reinstall=true + + # Move last setup log to backup + mv "$setup_log" "$setup_log.bak" + [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" +fi + +parse_install_username + +if ! [ -f $install_opt_file ]; then + # Begin Installation pre-processing + title "Initializing Setup" + info "Installing as the $INSTALLUSERNAME user" + + analyze_system +fi + +# Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) +trap 'catch $LINENO' SIGUSR1 +setup_proc="$$" +catch() { + info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" + whiptail_setup_failed + exit 1 +} +automated=no +progress() { + local msg=${1:-'Please wait while installing...'} + + if [ $automated == no ]; then + whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text + else + cat >> $setup_log 2>&1 + fi +} + +if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then + echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 + source automation/$automation + automated=yes + + attempt=1 + attempts=60 + ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 + while [ $? -ne 0 ]; do + ip a >> $setup_log 2>&1 + if [ $attempt -gt $attempts ]; then + echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 + exit 1 + fi + echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 + attempt=$((attempt + 1)) + sleep 10; + ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 + done + echo "Network is up on $MNIC" >> $setup_log 2>&1 + + if [[ ! $is_iso ]]; then + echo "Installing sshpass for automated testing." 
>> $setup_log 2>&1 + if [ "$OS" == ubuntu ]; then + retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1 + else + yum -y install sshpass >> $setup_log 2>&1 + fi + fi +fi + +case "$setup_type" in + iso | network | analyst) # Accepted values + echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 + ;; + *) + echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log + exit 1 + ;; +esac + +#set ssh commands that will be used based on if this is an automated test install or not +set_ssh_cmds $automated + +# Allow execution of SO tools during setup +local_sbin="$(pwd)/../salt/common/tools/sbin" +export PATH=$PATH:$local_sbin + +set_palette >> $setup_log 2>&1 + +# Kernel messages can overwrite whiptail screen #812 +# https://github.com/Security-Onion-Solutions/securityonion/issues/812 +dmesg -D + +# Kernel consoleblank is causing whiptail progress screen to appear to hang #1084 +# https://github.com/Security-Onion-Solutions/securityonion/issues/1084 +if [ "$automated" == no ]; then + TTY=$(tty) + echo "Setup is running on TTY $TTY" >> $setup_log 2>&1 + if echo $TTY | grep -q "/dev/tty"; then + CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) + echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1 + if [ $CONSOLEBLANK -gt 0 ]; then + echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1 + TERM=linux setterm -blank 0 >$TTY <$TTY + CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) + echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1 + fi + fi +fi + +if ! [[ -f $install_opt_file ]]; then + if (whiptail_you_sure); then + true + else + echo "User cancelled setup." 
| tee -a "$setup_log" + whiptail_cancel + fi + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static + + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi + + fi + if [[ ! $is_analyst_iso ]]; then + # This should be a network install + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi + whiptail_network_init_notice + network_init + printf '%s\n' \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" + set_main_ip + compare_main_nic_ip + + fi + + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then + whiptail_first_menu_iso + if [[ $option == "CONFIGURENETWORK" ]]; then + collect_hostname + network_init_whiptail + whiptail_network_init_notice + network_init + printf '%s\n' \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" + set_main_ip + compare_main_nic_ip + whiptail_net_setup_complete + else + true + fi + fi + if [[ ! 
$is_analyst ]]; then + whiptail_install_type + fi +else + source $install_opt_file +fi + +if [ "$install_type" = 'EVAL' ]; then + is_node=true + is_manager=true + is_sensor=true + is_eval=true + STRELKARULES=1 +elif [ "$install_type" = 'STANDALONE' ]; then + is_manager=true + is_distmanager=true + is_node=true + is_sensor=true +elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_manager=true + is_distmanager=true + is_node=true +elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + is_distmanager=true +elif [ "$install_type" = 'SENSOR' ]; then + is_sensor=true + is_minion=true +elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then + is_node=true + is_minion=true +elif [ "$install_type" = 'HEAVYNODE' ]; then + is_node=true + is_minion=true + is_sensor=true +elif [ "$install_type" = 'FLEET' ]; then + is_minion=true + is_fleet_standalone=true + OSQUERY=1 +elif [ "$install_type" = 'IDH' ]; then + is_minion=true + is_idh=true + IDH=1 +elif [ "$install_type" = 'HELIXSENSOR' ]; then + is_helix=true +elif [ "$install_type" = 'IMPORT' ]; then + is_import=true +elif [ "$install_type" = 'RECEIVER' ]; then + is_minion=true + is_receiver=true +elif [ "$install_type" = 'ANALYST' ]; then + if [ "$setup_type" != 'analyst' ]; then + exec bash so-setup analyst + fi +fi + +if [[ $is_manager || $is_import ]]; then + check_elastic_license +fi + +if ! [[ -f $install_opt_file ]]; then + if [[ $is_manager && $is_sensor ]]; then + check_requirements "standalone" + elif [[ $is_fleet_standalone ]]; then + check_requirements "dist" "fleet" + elif [[ $is_idh ]]; then + check_requirements "dist" "idh" + elif [[ $is_sensor && ! $is_eval ]]; then + check_requirements "dist" "sensor" + elif [[ $is_distmanager || $is_minion ]] && [[ ! 
( $is_import || $is_analyst ) ]]; then + check_requirements "dist" + elif [[ $is_import ]]; then + check_requirements "import" + fi + + [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + collect_hostname + fi + + [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + network_init_whiptail + else + source "$net_init_file" + fi + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + whiptail_network_init_notice + network_init + fi + + set_main_ip + compare_main_nic_ip + + if [[ $is_minion ]]; then + collect_mngr_hostname + add_mngr_ip_to_hosts + whiptail_ssh_key_copy_notice + copy_ssh_key >> $setup_log 2>&1 + fi + + if [[ $is_idh ]]; then + collect_idh_services + collect_idh_preferences + fi + + # Check if this is an airgap install + if [[ ( $is_manager || $is_import) && $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi + elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 + airgap_check=$? + [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 + fi + + reset_proxy + if [[ -z $is_airgap ]]; then + collect_net_method + [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 + fi + + if [[ $is_minion ]] && ! 
(compare_versions); then + info "Installer version mismatch, downloading correct version from manager" + printf '%s\n' \ + "install_type=$install_type" \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" \ + "MSRV=$MSRV" \ + "MSRVIP=$MSRVIP" \ + "is_airgap=$is_airgap" \ + "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" + [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" + download_repo_tarball + exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" + fi +else + rm -rf $install_opt_file >> "$setup_log" 2>&1 +fi + +if [[ -z $is_airgap ]]; then + percentage=0 + { + installer_progress_loop 'Running preflight checks...' & + progress_bg_proc=$! + ./so-preflight true "$setup_log" >> $setup_log 2>&1 + preflight_ret=$? + echo "$preflight_ret" > /tmp/preflight_ret + kill -9 "$progress_bg_proc" + wait "$progress_bg_proc" &> /dev/null + } | progress '...' + [[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret) + rm /tmp/preflight_ret + if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then + whiptail_cancel + fi +fi + +percentage=0 +{ + installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs + progress_bg_proc=$! + installer_prereq_packages + install_success=$? + kill -9 "$progress_bg_proc" + wait "$progress_bg_proc" &> /dev/null # Kill just sends signal, redirect output of wait to catch stdout + if [[ $install_success -gt 0 ]]; then + echo "Could not install packages required for setup, exiting now." >> "$setup_log" 2>&1 + kill -SIGUSR1 "$setup_proc"; exit 1 + fi +} | progress '...' + +detect_cloud + +short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') + +if [[ $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') +fi +if [[ ! 
$is_analyst ]]; then + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') +fi +export MINION_ID + +echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 + +minion_type=$(get_minion_type) + +# Set any variables needed +set_default_log_size >> $setup_log 2>&1 + +if [[ $is_helix ]]; then + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} + HNSENSOR=${HNSENSOR:-inherit} + MANAGERUPDATES=${MANAGERUPDATES:-0} +fi + +if [[ $is_helix || ( $is_manager && $is_node ) ]]; then + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} +fi + +if [[ $is_manager && $is_node ]]; then + LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1} + LSPIPELINEBATCH=${LSPIPELINEBATCH:-125} + LSINPUTTHREADS=${LSINPUTTHREADS:-1} + LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125} + NIDS=${NIDS:-Suricata} + ZEEKVERSION=${ZEEKVERSION:-ZEEK} +fi + +if [[ $is_import ]]; then + PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto} + MTU=${MTU:-1500} + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} + HNSENSOR=${HNSENSOR:-inherit} + MANAGERUPDATES=${MANAGERUPDATES:-0} + MANAGERADV=${MANAGERADV:-BASIC} + INTERFACE=${INTERFACE:-bond0} + ZEEKVERSION=${ZEEKVERSION:-ZEEK} + NIDS=${NIDS:-Suricata} + RULESETUP=${RULESETUP:-ETOPEN} + GRAFANA=${GRAFANA:-0} + OSQUERY=${OSQUERY:-0} + WAZUH=${WAZUH:-0} + PLAYBOOK=${PLAYBOOK:-0} +fi + +if [[ $is_airgap ]]; then + PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} + [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1} +fi + +# Start user prompts + +if [[ $is_helix ]]; then + collect_helix_key +fi + +if [[ $is_helix || $is_sensor ]]; then + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + whiptail_sensor_nics +fi + +if [[ $is_helix || $is_sensor || $is_import ]]; then + calculate_useable_cores +fi + +if [[ ! $is_airgap && ! 
$is_import ]]; then + collect_patch_schedule +fi + +if [[ $is_helix || $is_manager || $is_import ]]; then + collect_homenet_mngr +fi + +#set base elasticsearch heap size +if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then + es_heapsize +fi + +#set base logstash heap size +if [[ $is_helix || $is_manager || $is_node || $is_import || $is_receiver ]]; then + ls_heapsize +fi + +if [[ $is_manager && ! $is_eval ]]; then + whiptail_manager_adv + if [ "$MANAGERADV" = 'ADVANCED' ]; then + if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then + collect_es_cluster_name + fi + fi + + whiptail_metadata_tool + + [[ $MANAGERADV == "ADVANCED" ]] && [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_manager_adv_service_zeeklogs + + # Don't run this function for now since Snort is not yet supported + # whiptail_nids + NIDS=Suricata + whiptail_rule_setup + + if [ "$RULESETUP" != 'ETOPEN' ]; then + collect_oinkcode + fi +fi + +if [[ $is_manager ]]; then + whiptail_enable_components + + if [[ "$STRELKA" = 1 ]]; then + info "Enabling Strelka rules" + STRELKARULES=1 + else + info "Disabling Strelka rules: STRELKA='$STRELKA'" + fi + + collect_dockernet +fi + +if [[ $is_manager || $is_import ]]; then + collect_webuser_inputs + get_redirect +fi + +if [[ $is_distmanager ]]; then + collect_soremote_inputs +fi + +if [[ $is_sensor && ! $is_eval ]]; then + [[ $is_manager ]] || collect_homenet_snsr + whiptail_sensor_config + if [ $NSMSETUP == 'ADVANCED' ]; then + if [[ $is_manager ]]; then + [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins + else + whiptail_zeek_pins + fi + + whiptail_suricata_pins + collect_mtu + else + if [[ $is_node && $is_sensor && ! 
$is_eval ]]; then + PROCS=$(( lb_procs / 2 )) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + else + PROCS=$lb_procs + fi + + if [[ $is_manager ]]; then + [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek + else + collect_zeek + fi + + collect_suri + fi +fi + +[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers + +if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then + whiptail_node_advanced + if [ "$NODESETUP" == 'NODEADVANCED' ]; then + if [[ ! $is_receiver ]]; then + collect_node_es_heap + collect_es_space_limit + fi + collect_node_ls_heap + collect_node_ls_pipeline_worker_count + collect_node_ls_pipeline_batch_size + collect_node_ls_input + else + if [[ ! $is_receiver ]]; then + NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE + fi + NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE + LSPIPELINEWORKERS=$num_cpu_cores + LSPIPELINEBATCH=125 + LSINPUTTHREADS=1 + fi +fi + +if [ "$install_type" == 'FLEET' ]; then + collect_fleetuser_inputs + collect_fleet_custom_hostname_inputs +else + FLEETNODEUSER=$WEBUSER + FLEETNODEPASSWD1=$WEBPASSWD1 +fi + +if [[ $is_manager || $is_import ]]; then collect_so_allow; fi + +# This block sets REDIRECTIT which is used by a function outside the below subshell +set_redirect >> $setup_log 2>&1 + +if [[ $is_minion ]] && ! check_manager_state; then + echo "Manager was not in a good state" >> "$setup_log" 2>&1 + whiptail_manager_error +fi + +whiptail_end_settings + +# From here on changes will be made. +echo "1" > /root/accept_changes + + +# Begin install +{ + # Set initial percentage to 0 + export percentage=0 + + # Show initial progress message + set_progress_str 0 'Running initial configuration steps' + + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + + if [[ ! 
$is_analyst ]]; then + reserve_ports + fi + + set_path + + if [[ $is_reinstall ]]; then + reinstall_init + fi + + disable_auto_start + + { + mark_version; + clear_manager; + } >> $setup_log 2>&1 + + + if [[ $is_manager || $is_import ]]; then + { + generate_passwords; + secrets_pillar; + } >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import || $is_helix ]]; then + add_socore_user_manager >> $setup_log 2>&1 + fi + + if [[ $is_manager && ! $is_eval ]]; then + add_soremote_user_manager >> $setup_log 2>&1 + fi + if [[ ! $is_analyst ]]; then + host_pillar >> $setup_log 2>&1 + fi + if [[ $is_analyst ]]; then + analyst_workstation_pillar + fi + ntp_pillar >> $setup_log 2>&1 + + + if [[ $is_minion || $is_import ]]; then + set_updates >> $setup_log 2>&1 + fi + + if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then + info "Creating airgap repo" + create_repo >> $setup_log 2>&1 + airgap_rules >> $setup_log 2>&1 + fi + + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi + + set_progress_str 2 'Updating packages' + # Import the gpg keys + gpg_rpm_import >> $setup_log 2>&1 + info "Disabling fastestmirror" + [[ $is_centos ]] && disable_fastestmirror + if [[ ! $is_airgap ]]; then + securityonion_repo >> $setup_log 2>&1 + update_packages >> $setup_log 2>&1 + else + airgap_repo >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_helix || $is_import ]]; then + set_progress_str 3 'Generating sensor pillar' + generate_sensor_vars + sensor_pillar >> $setup_log 2>&1 + if [[ $is_sensor || $is_helix ]]; then + steno_pillar >> $setup_log + fi + fi + + if [[ $is_sensor || $is_helix ]]; then + set_progress_str 4 'Configuring sensor interface' + configure_network_sensor >> $setup_log 2>&1 + fi + + set_progress_str 5 'Installing Salt and dependencies' + saltify 2>> $setup_log + + if [[ ! 
$is_analyst ]]; then + set_progress_str 6 'Installing Docker and dependencies' + docker_install >> $setup_log 2>&1 + fi + + set_progress_str 7 'Generating patch pillar' + patch_pillar >> $setup_log 2>&1 + + set_progress_str 8 'Initializing Salt minion' + configure_minion "$minion_type" >> $setup_log 2>&1 + + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 + fi + + update_sudoers_for_testing >> $setup_log 2>&1 + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 9 'Configuring Salt master' + { + create_local_directories; + addtotab_generate_templates; + copy_salt_master_config; + setup_salt_master_dirs; + firewall_generate_templates; + } >> $setup_log 2>&1 + + set_progress_str 10 'Updating sudoers file for soremote user' + update_sudoers >> $setup_log 2>&1 + + set_progress_str 11 'Generating manager global pillar' + #minio_generate_keys + manager_global >> $setup_log 2>&1 + + set_progress_str 12 'Generating manager pillar' + manager_pillar >> $setup_log 2>&1 + zeek_logs_enabled >> $setup_log 2>&1 + fi + + set_progress_str 16 'Running first Salt checkin' + salt_firstcheckin >> $setup_log 2>&1 + + if [[ $is_helix ]]; then + set_progress_str 17 'Generating the FireEye pillar' + fireeye_pillar >> $setup_log 2>&1 + fi + + if [[ $is_node ]]; then + set_progress_str 18 'Setting node type' + set_node_type >> $setup_log 2>&1 + + if ! 
[[ $is_manager || $is_helix ]]; then + set_progress_str 19 'Generating search node pillar' + elasticsearch_pillar >> $setup_log 2>&1 + fi + fi + + if [[ ($is_node || $is_receiver) && !($is_manager || $is_helix) ]]; then + set_progress_str 19 'Generating logstash pillar' + logstash_pillar >> $setup_log 2>&1 + fi + + if [[ $is_idh ]]; then + # Write out services to minion pillar file + set_progress_str 19 'Generating IDH services pillar' + write_out_idh_services + fi + + + if [[ $is_minion ]]; then + set_progress_str 20 'Accepting Salt key on manager' + retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import || $is_helix ]]; then + set_progress_str 20 'Accepting Salt key' + retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1 + fi + + set_progress_str 21 'Copying minion pillars to manager' + copy_minion_tmp_files >> $setup_log 2>&1 + + if [[ $is_minion ]]; then + set_progress_str 22 'Checking if the Salt Minion needs to be updated' + salt-call state.apply -l info salt.minion >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 23 'Generating CA' + generate_ca >> $setup_log 2>&1 + fi + + if [[ ! 
$is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 25 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + + # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf + mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 + touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1 + + if [[ "$setup_type" == 'iso' ]]; then + set_progress_str 26 'Copying containers from iso' + else + set_progress_str 26 'Downloading containers from the internet' + fi + import_registry_docker >> $setup_log 2>&1 + salt-call state.apply -l info registry >> $setup_log 2>&1 + docker_seed_registry # ~ 60% when finished + + set_progress_str 60 "$(print_salt_state_apply 'manager')" + salt-call state.apply -l info manager >> $setup_log 2>&1 + + echo "Executing so-elastic-auth..." >> $setup_log 2>&1 + ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1 + echo "Finished so-elastic-auth..." >> $setup_log 2>&1 + fi + + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 + fi + + if [[ $is_centos ]]; then + set_progress_str 61 'Installing Yum utilities' + salt-call state.apply -l info yum.packages >> $setup_log 2>&1 + fi + + if [[ ! $is_analyst ]]; then + set_progress_str 62 "$(print_salt_state_apply 'common')" + salt-call state.apply -l info common >> $setup_log 2>&1 + fi + + if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! 
$is_analyst ]]; then + set_progress_str 62 "$(print_salt_state_apply 'nginx')" + salt-call state.apply -l info nginx >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 63 "$(print_salt_state_apply 'idstools')" + create_local_nids_rules >> $setup_log 2>&1 + salt-call state.apply -l info idstools >> $setup_log 2>&1 + + set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')" + salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then + set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" + salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_import ]]; then + set_progress_str 65 "$(print_salt_state_apply 'pcap')" + salt-call state.apply -l info pcap >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_import || $is_helix ]]; then + set_progress_str 66 "$(print_salt_state_apply 'suricata')" + salt-call state.apply -l info suricata >> $setup_log 2>&1 + + if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then + set_progress_str 67 "$(print_salt_state_apply 'zeek')" + salt-call state.apply -l info zeek >> $setup_log 2>&1 + fi + fi + + if [[ $is_node ]]; then + set_progress_str 68 "$(print_salt_state_apply 'curator')" + salt-call state.apply -l info curator >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import ]]; then + set_progress_str 69 "$(print_salt_state_apply 'soc')" + salt-call state.apply -l info soc >> $setup_log 2>&1 + + set_progress_str 70 "$(print_salt_state_apply 'kibana')" + salt-call state.apply -l info kibana.so_config_load >> $setup_log 2>&1 + salt-call state.apply -l info kibana.so_securitySolution_load >> $setup_log 2>&1 + salt-call state.apply -l info kibana.so_dashboard_load >> $setup_log 2>&1 + + set_progress_str 70 "Setting up default Space in Kibana" + so-kibana-space-defaults >> $setup_log 2>&1 + fi + + if [[ "$PLAYBOOK" = 1 ]]; then + 
set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')" + salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 + + set_progress_str 71 "$(print_salt_state_apply 'playbook')" + salt-call state.apply -l info playbook >> $setup_log 2>&1 + + set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')" + salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1 + fi + + if [[ $is_manager ]]; then + set_progress_str 72 "$(print_salt_state_apply 'elastalert')" + salt-call state.apply -l info elastalert >> $setup_log 2>&1 + + set_progress_str 73 "$(print_salt_state_apply 'soctopus')" + salt-call state.apply -l info soctopus >> $setup_log 2>&1 + + if [[ "$PLAYBOOK" = 1 ]]; then + set_progress_str 73 "Update playbook rules" + so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & + fi + + if [[ "$GRAFANA" = 1 ]]; then + set_progress_str 74 "Installing InfluxDB and Grafana" + salt-call state.apply -l info influxdb >> $setup_log 2>&1 + salt-call state.apply -l info grafana >> $setup_log 2>&1 + fi + + fi + + if [[ "$OSQUERY" = 1 ]]; then + + set_progress_str 75 "$(print_salt_state_apply 'fleet.event_enable-fleet')" + salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1 + + set_progress_str 75 "$(print_salt_state_apply 'fleet')" + salt-call state.apply -l info fleet >> $setup_log 2>&1 + + set_progress_str 76 "$(print_salt_state_apply 'redis')" + salt-call state.apply -l info redis >> $setup_log 2>&1 + + if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then + set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" + pillar_override="{\"global\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}" + salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 + rm -f /etc/pki/managerssl.crt + salt-call state.apply -l info ssl >> $setup_log 2>&1 + fi + + set_progress_str 78 
"$(print_salt_state_apply 'so-fleet-setup')" + so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 + + fi + + if [[ $is_idh ]]; then + set_progress_str 79 "$(print_salt_state_apply 'idh')" + salt-call state.apply -l info idh >> $setup_log 2>&1 + + fi + + if [[ "$WAZUH" = 1 ]]; then + set_progress_str 79 "$(print_salt_state_apply 'wazuh')" + salt-call state.apply -l info wazuh >> $setup_log 2>&1 + fi + + if [[ "$STRELKA" = 1 ]]; then + if [[ $is_sensor ]]; then + set_progress_str 81 "$(print_salt_state_apply 'strelka')" + salt-call state.apply -l info strelka >> $setup_log 2>&1 + fi + if [[ "$STRELKARULES" = 1 ]]; then + logCmd /usr/sbin/so-yara-update + else + info "Skipping running yara update: STRELKARULES='$STRELKARULES'" + fi + fi + + if [[ $is_manager || $is_import ]]; then + set_progress_str 82 "$(print_salt_state_apply 'utility')" + salt-call state.apply -l info utility >> $setup_log 2>&1 + fi + + if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then + set_progress_str 83 "$(print_salt_state_apply 'logstash')" + salt-call state.apply -l info logstash >> $setup_log 2>&1 + + set_progress_str 84 "$(print_salt_state_apply 'filebeat')" + salt-call state.apply -l info filebeat >> $setup_log 2>&1 + fi + + if [[ ! 
$is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import ]]; then + set_progress_str 87 'Adding user to SOC' + add_web_user >> $setup_log 2>&1 + fi + + if [[ $is_analyst ]]; then + # Remove access to the manager from the analyst workstation + rm -rf /root/.ssh/so.key* + fi + + set_progress_str 90 'Enabling checkin at boot' + checkin_at_boot >> $setup_log 2>&1 + + set_progress_str 95 'Verifying setup' + salt-call -l info state.highstate queue=True >> $setup_log 2>&1 + +} | progress + +success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') +if [[ $success != 0 ]]; then SO_ERROR=1; fi + +# Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox +# Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry +# Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall +if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then + SO_ERROR=1 + grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None" > "$error_log" +fi + +if [[ -n $SO_ERROR ]]; then + echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 + + SKIP_REBOOT=1 + whiptail_setup_failed +else + echo "Successfully completed setup! 
Continuing with post-installation steps" >> $setup_log 2>&1 + { + export percentage=95 # set to last percentage used in previous subshell + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" + so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot + + set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + fi + + if [[ $is_manager ]]; then + set_progress_str 98 "Generating archive for setup directory" + generate_repo_tarball >> "$setup_log" 2>&1 + fi + + if [[ -n $LEARN_LOGSCAN_ENABLE ]]; then + set_progress_str 99 'Enabling logscan' + so-learn enable logscan --apply >> $setup_log 2>&1 + fi + + if [[ -n $ENDGAMEHOST ]]; then + set_progress_str 99 'Configuring firewall for Endgame SMP' + so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 + fi + + } | whiptail_gauge_post_setup "Running post-installation steps..." + + echo "Post-installation steps have completed. Awaiting user input to clean up installer." >> $setup_log 2>&1 + whiptail_setup_complete + [[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning +fi + +install_cleanup >> "$setup_log" 2>&1 + +if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi diff --git a/setup/so-variables b/setup/so-variables index a69ef9e1b..a24f70e3c 100644 --- a/setup/so-variables +++ b/setup/so-variables 
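Review bot: In the post-highstate error check of the new `setup/so-setup.old`, the second grep in `grep --color=never "ERROR" "$setup_log" | grep -qvE "…" > "$error_log"` runs with `-q`, so it prints nothing and `$error_log` is always empty when `SO_ERROR` is set. Dropping the `q` (`grep -vE "…" > "$error_log"`) keeps the filtered lines available for failure analysis. The ignore list on that line also lacks `deprecation: ERROR`, which the `if` condition just above it does ignore, so the two lists should be kept identical. Separately, the preflight block writes its exit status as root to the fixed path `/tmp/preflight_ret`; creating the file with `preflight_file=$(mktemp)` before the `{ … } | progress` group avoids writing through a pre-existing link at that name.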
@@ -78,3 +78,125 @@ export ntp_string whiptail_title="Security Onion Setup - $SOVERSION" export whiptail_title + +mkdir -p $local_salt_dir/pillar/minions + +for THEDIR in elasticsearch redis backup strelka sensoroni curator soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh +do + mkdir -p $local_salt_dir/pillar/$THEDIR + touch $local_salt_dir/pillar/$THEDIR adv.$THEDIR.sls +done + +global_pillar_file="$local_salt_dir/pillar/soc_global.sls" +export global_pillar_file + +adv_global_pillar_file="$local_salt_dir/pillar/adv_global.sls" +export adv_global_pillar_file + +elasticsearch_pillar_file="$local_salt_dir/pillar/elasticsearch/soc_elasticsearch.sls" +export elasticsearch_pillar_file + +adv_elasticsearch_pillar_file="$local_salt_dir/pillar/elasticsearch/adv_elasticsearch.sls" +export adv_elasticsearch_pillar_file + +backup_pillar_file="$local_salt_dir/pillar/backup/soc_backup.sls" +export backup_pillar_file + +adv_backup_pillar_file="$local_salt_dir/pillar/backup/adv_backup.sls" +export adv_backup_pillar_file + +strelka_pillar_file="$local_salt_dir/pillar/strelka/soc_strelka.sls" +export strelka_pillar_file + +adv_strelka_pillar_file="$local_salt_dir/pillar/strelka/adv_strelka.sls" +export adv_strelka_pillar_file + +sensoroni_pillar_file="$local_salt_dir/pillar/sensoroni/soc_sensoroni.sls" +export sensoroni_pillar_file + +adv_sensoroni_pillar_file="$local_salt_dir/pillar/sensoroni/adv_sensoroni.sls" +export adv_sensoroni_pillar_file + +curator_pillar_file="$local_salt_dir/pillar/curator/soc_curator.sls" +export curator_pillar_file + +adv_curator_pillar_file="$local_salt_dir/pillar/curator/adv_curator.sls" +export adv_curator_pillar_file + +soctopus_pillar_file="$local_salt_dir/pillar/soctopus/soc_soctopus.sls" +export soctopus_pillar_file + +adv_soctopus_pillar_file="$local_salt_dir/pillar/soctopus/adv_soctopus.sls" +export adv_soctopus_pillar_file + +docker_pillar_file="$local_salt_dir/pillar/docker/soc_docker.sls" +export 
docker_pillar + +adv_docker_pillar_file="$local_salt_dir/pillar/docker/adv_docker.sls" +export adv_docker_pillar + +zeek_pillar_file="$local_salt_dir/pillar/zeek/soc_zeek.sls" +export zeek_pillar_file + +adv_zeek_pillar_file="$local_salt_dir/pillar/zeek/adv_zeek.sls" +export adv_zeek_pillar_file + +suricata_pillar_file="$local_salt_dir/pillar/suricata/soc_suricata.sls" +export suricata_pillar_file + +adv_suricata_pillar_file="$local_salt_dir/pillar/suricata/adv_suricata.sls" +export adv_suricata_pillar_file + +filebeat_pillar_file="$local_salt_dir/pillar/filebeat/soc_filebeat.sls" +export filebeat_pillar_file + +adv_filebeat_pillar_file="$local_salt_dir/pillar/filebeat/adv_filebeat.sls" +export adv_filebeat_pillar_file + +logstash_pillar_file="$local_salt_dir/pillar/logstash/soc_logstash.sls" +export logstash_pillar_file + +adv_logstash_pillar_file="$local_salt_dir/pillar/logstash/adv_logstash.sls" +export adv_logstash_pillar_file + +soc_pillar_file="$local_salt_dir/pillar/soc/soc_soc.sls" +export soc_pillar_file + +adv_soc_pillar_file="$local_salt_dir/pillar/soc/adv_soc.sls" +export adv_soc_pillar_file + +manager_pillar_file="$local_salt_dir/pillar/manager/soc_manager.sls" +export manager_pillar_file + +adv_manager_pillar_file="$local_salt_dir/pillar/manager/adv_manager.sls" +export adv_manager_pillar_file + +kratos_pillar_file="$local_salt_dir/pillar/kratos/soc_kratos.sls" +export kratos_pillar_file + +adv_kratos_pillar_file="$local_salt_dir/pillar/kratos/adv_kratos.sls" +export adv_kratos_pillar_file + +idstools_pillar_file="$local_salt_dir/pillar/idstools/soc_idstools.sls" +export idstools_pillar_file + +adv_idstools_pillar_file="$local_salt_dir/pillar/idstools/adv_idstools.sls" +export adv_idstools_pillar_file + +nginx_pillar_file="$local_salt_dir/pillar/nginx/soc_nginx.sls" +export nginx_pillar_file + +adv_nginx_pillar_file="$local_salt_dir/pillar/nginx/adv_nginx.sls" +export adv_nginx_pillar_file + 
+redis_pillar_file="$local_salt_dir/pillar/redis/soc_redis.sls" +export redis_pillar_file + +adv_redis_pillar_file="$local_salt_dir/pillar/redis/adv_redis.sls" +export adv_redis_pillar_file + +idh_pillar_file="$local_salt_dir/pillar/idh/soc_idh.sls" +export idh_pillar_file + +adv_idh_pillar_file="$local_salt_dir/pillar/idh/adv_idh.sls" +export adv_idh_pillar_file \ No newline at end of file diff --git a/setup/so-whiptail b/setup/so-whiptail index 2c60b7e3e..55059e5f0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . whiptail_airgap() { @@ -31,6 +22,9 @@ whiptail_airgap() { whiptail_check_exitstatus $exitstatus INTERWEBS=$(echo "${INTERWEBS^^}" | tr -d ' ') + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi } whiptail_analyst_install() { 
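Review bot: Two of the new exports name variables that are never assigned: `export docker_pillar` and `export adv_docker_pillar` follow the assignments of `docker_pillar_file` and `adv_docker_pillar_file`, so those two paths are not exported and a child script reading them would get an empty string; they should be `export docker_pillar_file` and `export adv_docker_pillar_file`. In the `for THEDIR` loop, `touch $local_salt_dir/pillar/$THEDIR adv.$THEDIR.sls` as shown passes two arguments, so it touches the directory and creates `adv.<name>.sls` in the current working directory, and the `adv.` prefix does not match the `adv_<name>.sls` paths assigned below; `touch "$local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls"` looks like what was intended. Pillar files commonly carry credentials, and the hunk shows no mode or umask being set, so an explicit restrictive mode on these directories and files would be worth adding instead of relying on the caller's umask.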
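Review bot: `is_airgap` is only ever set in the block added to `whiptail_airgap`, never cleared, so if the dialog is shown a second time (for example after going back in setup, which this hunk does not show) a later non-airgap choice keeps `is_airgap=true` from the first pass. Adding `else` with `unset is_airgap` keeps the flag in step with `INTERWEBS`. Callers in this file test it as `[[ $is_airgap ]]`, so unset, not `false`, is the value that reads as off. The function starts outside the hunk.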
@@ -99,29 +93,6 @@ whiptail_avoid_default_hostname() { --yes-button "Use Anyway" --no-button "Change" --defaultno } -whiptail_basic_suri() { - - [ -n "$TESTING" ] && return - - BASICSURI=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter the number of Suricata processes:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_basic_zeek() { - - [ -n "$TESTING" ] && return - - BASICZEEK=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter the number of Zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_bond_nics_mtu() { [ -n "$TESTING" ] && return 
@@ -196,70 +167,6 @@ whiptail_create_admin_user_password2() { } -whiptail_create_fleet_node_user() { - - [ -n "$TESTING" ] && return - - FLEETNODEUSER=$(whiptail --title "$whiptail_title" --inputbox \ - "Please enter an email for use as the username for the Fleet admin user:" 10 60 "$1" 3>&1 1>&2 2>&3) - -} - -whiptail_create_fleet_node_user_password1() { - - [ -n "$TESTING" ] && return - - FLEETNODEPASSWD1=$(whiptail --title "$whiptail_title" --passwordbox \ - "Enter a password for $FLEETNODEUSER:" 10 60 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_create_fleet_node_user_password2() { - - [ -n "$TESTING" ] && return - - FLEETNODEPASSWD2=$(whiptail --title "$whiptail_title" --passwordbox \ - "Re-enter a password for $FLEETNODEUSER:" 10 60 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_create_soremote_user() { - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75 - -} - -whiptail_create_soremote_user_password1() { - - [ -n "$TESTING" ] && return - - SOREMOTEPASS1=$(whiptail --title "$whiptail_title" --passwordbox \ - "Enter a password for user soremote:" 10 75 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_create_soremote_user_password2() { - - [ -n "$TESTING" ] && return - - SOREMOTEPASS2=$(whiptail --title "$whiptail_title" --passwordbox \ - "Re-enter a password for user soremote:" 10 75 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_create_web_user() { [ -n "$TESTING" ] && return 
@@ -430,49 +337,6 @@ whiptail_dockernet_net() { } -whiptail_enable_components() { - - [ -n "$TESTING" ] && return - - GRAFANA=0 - OSQUERY=0 - WAZUH=0 - THEHIVE=0 - PLAYBOOK=0 - STRELKA=0 - -description="Choose optional services to be enabled for this installation. Be aware that the more services you enable the more RAM that is required." -if [[ $is_eval ]]; then - COMPONENTS=$(whiptail --title "$whiptail_title" --checklist \ - "$description" 20 75 8 \ - GRAFANA "Enable Grafana for system monitoring" ON \ - OSQUERY "Enable Fleet with osquery" ON \ - WAZUH "Enable Wazuh" ON \ - PLAYBOOK "Enable Playbook" ON \ - STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) -else - COMPONENTS=$(whiptail --title "$whiptail_title" --checklist \ - "$description" 20 75 7 \ - OSQUERY "Enable Fleet with osquery" ON \ - WAZUH "Enable Wazuh" ON \ - PLAYBOOK "Enable Playbook" ON \ - STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) - export "GRAFANA=1" -fi - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - COMPONENTS=$(echo "$COMPONENTS" | tr -d '"') - - IFS=' ' read -ra COMPONENTS <<< "$COMPONENTS" - - # Set any variables to 1 if they exist in COMPONENTS - for component in "${COMPONENTS[@]}"; do - export "$component=1" - done -} - whiptail_end_settings() { [ -n "$TESTING" ] && return @@ -483,15 +347,6 @@ whiptail_end_settings() { Node Type: $install_type Hostname: $HOSTNAME EOM - - if [[ $is_idh ]]; then - __append_end_msg "IDH Services Enabled:" - for service in ${idh_services[@]}; do - __append_end_msg "- $service" - done - - fi - [[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION" [[ $is_airgap ]] && __append_end_msg "Airgap: True" @@ -501,7 +356,6 @@ whiptail_end_settings() { __append_end_msg "Manager IP: $MSRVIP" fi - [[ $is_iso ]] && __append_end_msg "Network: $address_type" __append_end_msg "Management NIC: $MNIC" 
@@ -536,12 +390,6 @@ whiptail_end_settings() { for net in "${homenet_arr[@]}"; do __append_end_msg " - $net" done - elif [[ -n $HNSENSOR ]]; then - __append_end_msg "Home Network(s):" - IFS="," read -r -a homenet_arr <<< "$HNSENSOR" - for net in "${homenet_arr[@]}"; do - __append_end_msg " - $net" - done fi [[ -n $REDIRECTIT ]] && __append_end_msg "Access URL: https://${REDIRECTIT}" 
@@ -550,61 +398,7 @@ whiptail_end_settings() { [[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER" - [[ -n $FLEETNODEUSER ]] && __append_end_msg "Fleet User: $FLEETNODEUSER" - - [[ -n $FLEETCUSTOMHOSTNAME ]] && __append_end_msg "Fleet Custom Hostname: $FLEETCUSTOMHOSTNAME" - - if [[ $is_manager ]]; then - __append_end_msg "Enabled Optional Components:" - for component in "${COMPONENTS[@]}"; do - __append_end_msg " - $component" - done - fi - - # METADATA / IDS - - if [[ -n $ZEEKVERSION ]]; then - local md_tool_string=${ZEEKVERSION,;} - md_tool_string=${md_tool_string^} - - __append_end_msg "Metadata Tool: $md_tool_string" - fi - - [[ -n $RULESETUP ]] && __append_end_msg "IDS Ruleset: $RULESETUP" - [[ -n $OINKCODE ]] && __append_end_msg "Oinkcode: $OINKCODE" - - # PATCH SCHEDULE - - if [[ -n $PATCHSCHEDULENAME ]]; then - __append_end_msg "Patch Schedule:" - if [[ $PATCHSCHEDULENAME == 'auto'|| $PATCHSCHEDULENAME == 'manual' ]]; then - __append_end_msg " Type: $PATCHSCHEDULENAME" - else - __append_end_msg " Name: $PATCHSCHEDULENAME" - fi - if [[ ${#PATCHSCHEDULEDAYS[@]} -gt 0 ]]; then - __append_end_msg " Day(s):" - for day in "${PATCHSCHEDULEDAYS[@]}"; do - __append_end_msg " - $day" - done - fi - if [[ ${#PATCHSCHEDULEHOURS[@]} -gt 0 ]]; then - __append_end_msg " Hours(s):" - for hour in "${PATCHSCHEDULEHOURS[@]}"; do - __append_end_msg " - $hour" - done - fi - fi - - # MISC - - [[ $is_helix ]] && __append_end_msg "Helix API key: $HELIXAPIKEY" [[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET" - if [[ -n $MANAGERUPDATES ]]; then - __append_end_msg "OS Package Updates: Manager" - else - __append_end_msg "OS Package Updates: Open" - fi if [[ ${#ntp_servers[@]} -gt 0 ]]; then __append_end_msg "NTP Servers:" for server in "${ntp_servers[@]}"; do 
@@ -612,37 +406,6 @@ whiptail_end_settings() { done fi - if [[ $NSMSETUP != 'ADVANCED' ]]; then - [[ -n $BASICZEEK ]] && __append_end_msg "Zeek Processes: $BASICZEEK" - [[ -n $BASICSURI ]] && __append_end_msg "Suricata Processes: $BASICSURI" - fi - - # ADVANCED OR REGULAR - - if [[ $NODESETUP == 'NODEADVANCED' ]]; then - __append_end_msg "Advanced Node Settings:" - if [[ ! $is_receiver ]]; then - __append_end_msg " Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE" - __append_end_msg " Elasticsearch Storage Space: ${log_size_limit}GB" - fi - __append_end_msg " Logstash Heap Size: $NODE_LS_HEAP_SIZE" - __append_end_msg " Logstash Worker Count: $LSPIPELINEWORKERS" - __append_end_msg " Logstash Batch Size: $LSPIPELINEBATCH" - __append_end_msg " Logstash Input Threads: $LSINPUTTHREADS" - else - if [[ ! $is_analyst ]]; then - if [[ ! $is_receiver ]]; then - __append_end_msg "Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE" - __append_end_msg "Elasticsearch Storage Space: ${log_size_limit}GB" - fi - __append_end_msg "Logstash Heap Size: $NODE_LS_HEAP_SIZE" - __append_end_msg "Logstash Worker Count: $LSPIPELINEWORKERS" - __append_end_msg "Logstash Batch Size: $LSPIPELINEBATCH" - __append_end_msg "Logstash Input Threads: $LSINPUTTHREADS" - fi - fi - - # ADVANCED if [[ $MANAGERADV == 'ADVANCED' ]]; then __append_end_msg "Advanced Manager Settings:" 
@@ -655,26 +418,6 @@ whiptail_end_settings() { fi fi - if [[ $NSMSETUP == 'ADVANCED' ]]; then - __append_end_msg "Advanced NSM Settings:" - if [[ ${#ZEEKPINS[@]} -gt 0 ]]; then - local zeek_pin_str - for core in "${ZEEKPINS[@]}"; do - zeek_pin_str="${zeek_pin_str}${core}," - done - zeek_pin_str=${zeek_pin_str%,} - __append_end_msg " Zeek Pinned Cores: ${zeek_pin_str}" - fi - if [[ ${#SURIPINS[@]} -gt 0 ]]; then - local suri_pin_str - for core in "${SURIPINS[@]}"; do - suri_pin_str="${suri_pin_str}${core}," - done - suri_pin_str=${suri_pin_str%,} - __append_end_msg " Suricata Pinned Cores: ${suri_pin_str}" - fi - fi - local msg read -r -d '' msg <<-EOM $end_msg @@ -700,30 +443,6 @@ __append_end_msg() { EOM } -whiptail_eval_adv() { - - [ -n "$TESTING" ] && return - - EVALADVANCED=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose your eval install:" 20 75 4 \ - "BASIC" "Install basic components for evaluation" ON \ - "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_fleet_custom_hostname() { - - [ -n "$TESTING" ] && return - - FLEETCUSTOMHOSTNAME=$(whiptail --title "$whiptail_title" --inputbox \ - "What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_gauge_post_setup() { if [ -n "$TESTING" ]; then 
@@ -735,102 +454,6 @@ whiptail_gauge_post_setup() { fi } -whiptail_helix_apikey() { - - [ -n "$TESTING" ] && return - - HELIXAPIKEY=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your Helix API Key: \n \nThis can be set later using so-helix-apikey" 10 75 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus - -} - -#TODO: Combine these two functions - -whiptail_homenet_manager() { - - [ -n "$TESTING" ] && return - - HNMANAGER=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - export HNMANAGER -} - -whiptail_homenet_sensor_inherit() { - [ -n "$TESTING" ] && return - - # Ask to inherit from manager - whiptail --title "$whiptail_title" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75 -} - -whiptail_homenet_sensor() { - [ -n "$TESTING" ] && return - - HNSENSOR=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - export HNSENSOR -} - - whiptail_idh_preferences() { - - [ -n "$TESTING" ] && return - - idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ - "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \ - "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus -} - -whiptail_idh_services() { - - [ -n "$TESTING" ] && return - - idh_services=$(whiptail --title "$whiptail_title" --radiolist \ - "\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \ - "Linux Webserver (NAS Skin)" "Apache (80), FTP (21), SSH (22)" ON \ - "MySQL Server" "MySQL (3306), SSH (22)" OFF \ - "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \ - "Custom" "Select a custom set of services" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - - -whiptail_idh_services_custom() { - - [ -n "$TESTING" ] && return - - idh_services=$(whiptail --title "$whiptail_title" --checklist \ - "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports. Some services have additional configuration options, please consult the documentation for further information." 25 75 8 \ - "FTP" " TCP/21, Additional Configuration Available " OFF \ - "Git" " TCP/9418 " OFF \ - "HTTP" " TCP/80, Additional Configuration Available " OFF \ - "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \ - "MSSQL" " TCP/1433 " OFF \ - "MySQL" " TCP/3306, Additional Configuration Available " OFF \ - "NTP" " UDP/123 " OFF \ - "REDIS" " TCP/6379 " OFF \ - "SNMP" " UDP/161 " OFF \ - "SSH" " TCP/22, Additional Configuration Available " OFF \ - "TELNET" " TCP/23, Additional Configuration Available " OFF \ - "TFTP" " UDP/69 " OFF \ - "VNC" " TCP/5900 " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_install_type() { [ -n "$TESTING" ] && return 
@@ -868,8 +491,8 @@ whiptail_install_type_dist() { [ -n "$TESTING" ] && return dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ - "New Deployment " "Create a new Security Onion deployment" \ "Existing Deployment " "Join to an existing Security Onion deployment " \ + "New Deployment " "Create a new Security Onion deployment" \ 3>&1 1>&2 2>&3 ) local exitstatus=$? @@ -923,11 +546,41 @@ whiptail_install_type_dist_existing() { # "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO # "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO ) + if [ "$install_type" = 'EVAL' ]; then + is_eval=true + STRELKARULES=1 + elif [ "$install_type" = 'STANDALONE' ]; then + is_sensor=true + elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_standalone=true + is_elasticsearch=true + elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + elif [ "$install_type" = 'SENSOR' ]; then + is_sensor=true + elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then + is_elasticsearch=true + elif [ "$install_type" = 'HEAVYNODE' ]; then + is_heavy=true + elif [ "$install_type" = 'FLEET' ]; then + is_fleet=true + elif [ "$install_type" = 'IDH' ]; then + is_idh=true + elif [ "$install_type" = 'IMPORT' ]; then + is_import=true + elif [ "$install_type" = 'RECEIVER' ]; then + is_receiver=true + elif [ "$install_type" = 'ANALYST' ]; then + if [ "$setup_type" != 'analyst' ]; then + exec bash so-setup analyst + fi + fi local exitstatus=$? whiptail_check_exitstatus $exitstatus } + whiptail_install_type_other() { [ -n "$TESTING" ] && return 
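Review bot: In `whiptail_install_type_dist_existing` the new `if`/`elif` chain sits between the whiptail command substitution that closes with `)` and `local exitstatus=$?`, so `$?` now holds the status of the chain, not of whiptail, and a Cancel in the dialog is no longer seen by `whiptail_check_exitstatus`. Move `local exitstatus=$?` and `whiptail_check_exitstatus $exitstatus` directly after the closing `)` and run the chain afterwards. The role flags also deserve a second look: `STANDALONE` sets `is_sensor` while `MANAGERSEARCH` sets `is_standalone`, which looks swapped or incomplete, and so-setup gates steps such as `add_web_user` on these flags, so a wrong flag changes which setup steps run. The function starts outside the hunk.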
@@ -1256,73 +909,6 @@ whiptail_manager_adv() { } -# Ask if you want to do true clustering -whiptail_manager_adv_escluster(){ - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" --yesno \ - "Do you want to set up a traditional ES cluster for using replicas and/or Hot-Warm indices? Recommended only for those who have experience with ES clustering! " 12 75 - -} - -# Get a cluster name -whiptail_manager_adv_escluster_name(){ - - [ -n "$TESTING" ] && return - - ESCLUSTERNAME=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter a name for your ES cluster!" 10 75 "$1" 3>&1 1>&2 2>&3) -} - -# Ask which additional components to install -whiptail_manager_adv_service_zeeklogs() { - - [ -n "$TESTING" ] && return - - BLOGS=$(whiptail --title "$whiptail_title" --checklist "Please select logs to send:" 24 75 12 \ - "conn" "Connection Logging" ON \ - "dce_rpc" "RPC Logs" ON \ - "dhcp" "DHCP Logs" ON \ - "dnp3" "DNP3 Logs" ON \ - "dns" "DNS Logs" ON \ - "dpd" "DPD Logs" ON \ - "files" "Files Logs" ON \ - "ftp" "FTP Logs" ON \ - "http" "HTTP Logs" ON \ - "intel" "Intel Hits Logs" ON \ - "irc" "IRC Chat Logs" ON \ - "kerberos" "Kerberos Logs" ON \ - "modbus" "MODBUS Logs" ON \ - "notice" "Zeek Notice Logs" ON \ - "ntlm" "NTLM Logs" ON \ - "pe" "PE Logs" ON \ - "radius" "Radius Logs" ON \ - "rfb" "RFB Logs" ON \ - "rdp" "RDP Logs" ON \ - "sip" "SIP Logs" ON \ - "smb_files" "SMB Files Logs" ON \ - "smb_mapping" "SMB Mapping Logs" ON \ - "smtp" "SMTP Logs" ON \ - "snmp" "SNMP Logs" ON \ - "ssh" "SSH Logs" ON \ - "ssl" "SSL Logs" ON \ - "syslog" "Syslog Logs" ON \ - "tunnel" "Tunnel Logs" ON \ - "weird" "Zeek Weird Logs" ON \ - "mysql" "MySQL Logs" ON \ - "socks" "SOCKS Logs" ON \ - "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - BLOGS=$(echo "$BLOGS" | tr -d '"') - - IFS=' ' read -ra BLOGS <<< "$BLOGS" - -} - whiptail_manager_error() { [ -n "$TESTING" ] && return 
@@ -1352,8 +938,23 @@ whiptail_manager_updates_warning() { whiptail_manager_unreachable() { [ -n "$TESTING" ] && return + + local msg + read -r -d '' msg <<- EOM + Setup is unable to access the manager at this time. + + Run the following on the manger: - whiptail --title "$whiptail_title" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75 + so-firewall-minion --role=$install_type --ip=$MAINIP + Would you like to retry? + EOM + whiptail --title "$whiptail_title" --yesno "$msg" 20 75 + local status=$? + if [[ "$status" == 1 ]]; then + whiptail_cancel + else + check_manager_connection + fi } whiptail_metadata_tool() { @@ -1381,20 +982,6 @@ whiptail_metadata_tool() { ZEEKVERSION=$(echo "${ZEEKVERSION^^}" | tr -d ' ') } -whiptail_nids() { - - [ -n "$TESTING" ] && return - - NIDS=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose which IDS to run: \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \ - "Suricata" "Suricata" ON \ - "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_network_notice() { [ -n "$TESTING" ] && return @@ -1412,20 +999,6 @@ whiptail_net_reinit() { whiptail --title "$whiptail_title" --yesno "The management interface has already been configured. Do you want to reconfigure it?" 8 75 } -whiptail_node_advanced() { - - [ -n "$TESTING" ] && return - - NODESETUP=$(whiptail --title "$whiptail_title" --radiolist \ - "What type of config would you like to use?:" 20 75 4 \ - "NODEBASIC" "Install Search Node with recommended settings" ON \ - "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_node_description() { [ -n "$TESTING" ] && return 
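Review bot: The retry branch in `whiptail_manager_unreachable` treats every status other than 1 as "yes": `[[ "$status" == 1 ]]` misses the 255 that whiptail returns when the dialog is dismissed with Esc, so Esc re-runs `check_manager_connection` instead of cancelling; `if [[ "$status" != 0 ]]; then whiptail_cancel` is safer. If `check_manager_connection` calls back into this function on failure (not visible in the hunk), the retry is unbounded recursion, and a loop in the caller would be cleaner. The message has a typo, `manger` for `manager`, and it no longer names the manager address that was tried (the old text printed `$1`), which the operator needs in order to confirm the target before opening the manager's firewall with the quoted `so-firewall-minion` command.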
@@ -1436,67 +1009,6 @@ whiptail_node_description() { whiptail_check_exitstatus $exitstatus } -whiptail_node_es_heap() { - - [ -n "$TESTING" ] && return - - NODE_ES_HEAP_SIZE=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter ES heap size:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_heap() { - - [ -n "$TESTING" ] && return - - NODE_LS_HEAP_SIZE=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter Logstash heap size:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_input_threads() { - - [ -n "$TESTING" ] && return - - LSINPUTTHREADS=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter number of Logstash input threads:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - - -whiptail_node_ls_pipline_batchsize() { - - [ -n "$TESTING" ] && return - - LSPIPELINEBATCH=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter Logstash pipeline batch size:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_pipeline_worker() { - - [ -n "$TESTING" ] && return - - LSPIPELINEWORKERS=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter number of Logstash pipeline workers:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_ntp_ask() { [ -n "$TESTING" ] && return @@ -1513,18 +1025,6 @@ whiptail_ntp_servers() { whiptail_check_exitstatus $exitstatus } -whiptail_oinkcode() { - - [ -n "$TESTING" ] && return - - OINKCODE=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your ET Pro or oinkcode:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - #TODO: helper function to display error message or exit if batch mode # exit_if_batch <"Error string"> 
@@ -1542,106 +1042,6 @@ whiptail_passwords_dont_match() { } -whiptail_patch_name_new_schedule() { - - [ -n "$TESTING" ] && return - - PATCHSCHEDULENAME=$(whiptail --title "$whiptail_title" --inputbox \ - "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_patch_schedule() { - - [ -n "$TESTING" ] && return - - patch_schedule=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose OS patch schedule.\n\nThis schedule will update the operating system packages but will NOT update Security Onion related tools such as Zeek, Elasticsearch, Kibana, SaltStack, etc." 20 75 5 \ - "Automatic" "Updates installed every 8 hours if available" ON \ - "Manual" "Updates will be installed manually" OFF \ - "Import Schedule" "Import named schedule on following screen" OFF \ - "New Schedule" "Configure and name new schedule on next screen" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_patch_schedule_import() { - - [ -n "$TESTING" ] && return - - unset PATCHSCHEDULENAME - PATCHSCHEDULENAME=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter the name of the OS patch schedule you want to inherit. \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_patch_schedule_select_days() { - - [ -n "$TESTING" ] && return - - # Select the days to patch - PATCHSCHEDULEDAYS=$(whiptail --title "$whiptail_title" --checklist \ - "Which days do you want to apply OS patches?" 15 75 8 \ - Monday "" OFF \ - Tuesday "" ON \ - Wednesday "" OFF \ - Thursday "" OFF \ - Friday "" OFF \ - Saturday "" OFF \ - Sunday "" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - - PATCHSCHEDULEDAYS=$(echo "$PATCHSCHEDULEDAYS" | tr -d '"') - - IFS=' ' read -ra PATCHSCHEDULEDAYS <<< "$PATCHSCHEDULEDAYS" - -} - -whiptail_patch_schedule_select_hours() { - - [ -n "$TESTING" ] && return - - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "$whiptail_title" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" ON \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" OFF \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" - -} - whiptail_preflight_err() { [ -n "$TESTING" ] && return 1 
@@ -1721,23 +1121,6 @@ whiptail_requirements_error() { whiptail_check_exitstatus $exitstatus } -whiptail_rule_setup() { - - [ -n "$TESTING" ] && return - - # Get pulled pork info - RULESETUP=$(whiptail --title "$whiptail_title" --radiolist \ - "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ - "ETOPEN" "Emerging Threats Open" ON \ - "ETPRO" "Emerging Threats PRO" OFF \ - "TALOS" "Snort Subscriber ruleset - Experimental" OFF \ - 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_sensor_config() { [ -n "$TESTING" ] && return @@ -1903,36 +1286,6 @@ whiptail_so_allow() { whiptail_check_exitstatus $exitstatus } -whiptail_ssh_key_copy_notice() { - [ -n "$TESTING" ] && return - - read -r -d '' message <<- EOM - Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote. - - Select OK to continue. - EOM - - whiptail --title "$whiptail_title" --msgbox "$message" 11 75 - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_ssh_warning() { - [ -n "$TESTING" ] && return - - local msg - - read -r -d '' msg <<- EOM - NOTE: You will receive a warning upon SSH reconnect that the host key has changed. - - This is expected due to hardening of the OpenSSH server config. - - The host key algorithm will now be ED25519, follow the instructions given by your SSH client to remove the old key fingerprint then retry the connection. - EOM - - whiptail --msgbox "$msg" 14 75 -} - whiptail_storage_requirements() { local mount=$1 local current_val=$2 
@@ -1959,47 +1312,6 @@ whiptail_storage_requirements() { whiptail_check_exitstatus $exitstatus } -whiptail_strelka_rules() { - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75 - - local exitstatus=$? - - if [[ $exitstatus == 0 ]]; then export STRELKARULES=1; fi -} - -whiptail_suricata_pins() { - - [ -n "$TESTING" ] && return - - local filtered_core_list - readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" - - local filtered_core_str=() - for item in "${filtered_core_list[@]}"; do - filtered_core_str+=("$item" "") - done - - if [[ $is_node && $is_sensor && ! $is_eval ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - local PROCS=$lb_procs - fi - - SURIPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Suricata to:" 20 75 12 "${filtered_core_str[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - SURIPINS=$(echo "$SURIPINS" | tr -d '"') - - IFS=' ' read -ra SURIPINS <<< "$SURIPINS" - -} - -# shellcheck disable=2120 whiptail_uppercase_warning() { [ -n "$TESTING" ] && return 
@@ -2055,28 +1367,3 @@ whiptail_you_sure() { return $exitstatus } - -whiptail_zeek_pins() { - - [ -n "$TESTING" ] && return - - local cpu_core_list_whiptail=() - for item in "${cpu_core_list[@]}"; do - cpu_core_list_whiptail+=("$item" "OFF") - done - - if [[ $is_smooshed ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - local PROCS=$lb_procs - fi - - ZEEKPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"') - - IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" -} diff --git a/sigs/securityonion-2.0.2-rc1.iso.sig b/sigs/securityonion-2.0.2-rc1.iso.sig deleted file mode 100644 index c51d7e1e44b5da295088d99b7f9827d9f7d22085..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;3hNsIsr2@re`V7LBIa1&1Q5B@er8aj}!^-1Sn^+8Z4 zpjro zaBQ255?uEdXs6#Lk>0;>f15Jfwb#*O${S?pe6I4LDad&Pn0)2@3wGX#ILr@Ug~b8@ zGIykapWTV_*M6g*s6jZMI8mC7JHb2YN@2H!A9OpH31YXjrO4unT-nntHtdbt=`9^g zfTv+cjA_Of`-tu$i-?!~A-tYSlz~^j(Vdo-iZTVAw1%V?5Oc^zl76&wq|j) z8}Q$WK#kWLs=Qc(|1v()uD48lIa2TDZCrGO8uEDLz0^_#38P^!ywKOyKJ&sKd+Ys< zK5ZCao9m+0kEYHr1a)VPGPRYc@->y~v~(^>_KKdXns?I$`B~|);R;CQC_>q2$oZKZ0Zfp1$qDg 
diff --git a/sigs/securityonion-2.0.3-rc1.iso.sig b/sigs/securityonion-2.0.3-rc1.iso.sig deleted file mode 100644 index 65a45c7d734438657423afb37160c787a4909396..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;3n;Ku+82@re`V7LBIa1;GB5CE@8i)t(nYoe2iD)Ed! z@yjVf?TthvPJMR+x_471rQ+LVh&A_>_P?tola5qbN=*d836-It&dU3_c8@t>hzJ^6 zIaPq2!g#|rgcO;m1cI{|F?4-GmZ`5Ih6M228mR5i^t9NeosYYjRRkey)Rd^UU+oBX z%gZsLmBtgfsWZRd^;a_7KF23!xgL^JnQ1VM5yMB}qIf>Le{}}YC6h;yH0gLF<1r0D zT6@j{)r;D|_ZY)E!Y@!ru`MowJxlpvyJZcFNNwkT#kv|EIY9lK{?Q6^?q0GUV_lys zlf&yjqY91cwG0R0=Alej=CxsU1kH*S^j6?X*2>eX5g-69>Y6170A778_7M;{H-ofz zn#8QPeWkJOS9%kqn|ko?t~b~n`PeLQG=D2Gp9Wq_E1h9xRI1Wx&54^gszKZc=0r~X z*dAtvLN6|ZR_0Irzpx8^vs1$gcah&2dFTOM^`FS6bh+!_ieVB4Yt=nWTOAzmZr^gt zW3OI90=TK76qW--r#-jT~#j}wr=s>U&=}u9-CMC!r2n7bvQGF=L23RlV89Dao z*fU0!!Req6xJisI1k0As#q4-WG(Ik>*dFG&qrkN-AvA-=@R+&HN6W@m)Gc;?%{oTw zNLUOwLK{>>tBOrn37*qTz%Q=$Ld+#r118MkOD3#z)=dYx?S3?KTw+~@q#Zr36_#(O zSOz0v6y+NaZ~sCs=SkX*at9WeRu)!=FR;}XDMy9Z^h63A654sHI^`y|=k*KaJsXDI zxg>57fUo#}ABGuqgRq9QDJ-a=j)x5{>23IDn&0K=kygffcwHfu?j`&nEVP68_}$j` zh~B8))00 h3&(x_8Mwt8K03P$N5ybIZ3DH*1&e?{$^}Zb!;?|Y0ek=e diff --git a/sigs/securityonion-2.2.0-rc3.iso.sig b/sigs/securityonion-2.2.0-rc3.iso.sig deleted file mode 100644 index 283f56c4923b88f023daff161f30fe63115e54af..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;4VZ6^Q<2@re`V7LBIa1(kP5Bv(?N3NDGg;S33hE_rL zHuBE8fajp6U;QCJu!pu_gevkPV^L!#s75vp8R30(dDvgC-JPH&UUW&wks#|{e3z05 z@zOS3OUpDMW%@S7m5Wu&I0+=7lvsJXmn>R`!k9?d&!R((GZvIM)26WgsNUS5I9GGp4S=4TAemK@d8Xq1b=m$0! z)Gs>MxM+aHw(}jNnU21)n0H#J*(&hRv!x;+Ofpw(14(Xh+v`9EF|B(9B0pme@mhaB zw&W{{p-3`+By;7eRSkYP_nr*2b#f}Z-uY&D0@=jk47jl3PVa7+ hF&E{>GEXbk!G*Lz^;vVn7)wW&A5uZM(P^31CzvUy2pj+a 
diff --git a/sigs/securityonion-2.3.0.iso.sig b/sigs/securityonion-2.3.0.iso.sig deleted file mode 100644 index 0a6c3a7d61d99f054d45cd6fe56cb4f42359fee1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;4)`u!M3kLHY4`=o^z%hQew!#>(m&>sGSs;W{NQw z$I&Z3kMs;iN@EkG8^xjqKCK40hvU@jGx<|nVT1f2L4kmpKK7>bhW!1NiJe$UQON;l zbvZw6^HSF53XING@ygv4F7AU0|68&f%Tbzn04jP9x=Q8r+~;PGTedE*h7(yEtm=y7 z`rL!Tz}1Dg#$4TQ`>8Xi{guF*3`56z%C`}I%4eY?5acLPe%14+M7{0b5 z71fT@FHxY#M1%z<2gd=dyvv!2(xIkUJXe1`;!dH5WW0I9;%a7k99FCu2hoCuF`W`B zrO6RLH!mYC5lDH}58Qc>x`a}`G#d8G3HG6kX7$HmmjlK@7yX`uF_!5@ee%4^Mly3w z9omdM-e?3^NnakbtN=|Rd;gk5V}FW&Z{U%GQmA^y!Vs{17RT;}j{tUoTNAz*g1Z1= znAvzy{Alp{m}u!@C~lPVkC7lH^-rltL!XJPZell|7nB#s;G%={4WUavx1926F;(`b z7&I=r^N}X*4&%w5a~(@wx7Dt2pOlo=y$*JP_^WmkEjPnxoXO%+AUFWBB>TKG)HR!W h4@`pKgQu;+zN%bUC&cS-gwSxQ52`DJ6T1`UM3k1x3QGV0 diff --git a/sigs/securityonion-2.3.1.iso.sig b/sigs/securityonion-2.3.1.iso.sig deleted file mode 100644 index 751cb380a3d1786a6d9b4508bfbd0eb0dc61423c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;4@m~#LM2@re`V7LBIa1(KF5CEnpg0~t$4(aHjfrFvP zzuOB2jE2;ww!N!e(96=qlL1xbBVEGGI^%k(jFd7{Jecl={))P}GeEQ9NU^o|qqHD~ zACY-Up;cs_k*D3|g zfWq{D{8a0h_EP|1T{_GJHMcZqbjfOF^vl0#^2nqEDXYc17+Q3N_^%qcP16WbK%s%) zO*3%`5rCp>NLQtxFhRRB*tpS~+FVs*aYIL5jPIM3Jlcj^Bgc*CTswWZ##1S7;V8lj z`-0@Dkp0XxbvQzUHe@e5u31S(RL5G}Ps}V7=EIl1%Vg!r*lt%S*bcQIL_u zHPjMy=Y02nj2GbI+ph0-o9*T2W2S#o7Z19m>{Qj?7A*9^1V;=g#7Qn=Y(S%1fopdi zqU3OSZT6Hk;_q8=+j?tmqbuOdQ&&qer6D=*De(2M(Jtr#HImqKaIf76L;|qQ3-a-8 h&3=opHm0JUmlcQ-t*A9@anSpaV=jM_*!_SYLqh_~4-EhS 
diff --git a/sigs/securityonion-2.3.10.iso.sig b/sigs/securityonion-2.3.10.iso.sig deleted file mode 100644 index f1c9093fd8ffd9b4df1fd0785dbb05d7a4dfdb39..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;5T*WLgM2@re`V7LBIa1(DU5C45cDj6IjNf3oO?VU4* zvBkapzwAI+CK$trRDK_DGhQ^C!E5RmoK1;b>H1CI;$hN$@ryY1B8Byp{z8oJrkSeB zn7*Ni{h1OWCN`oC;5U0oOw(xT{)e}u=uuR9!(0Gqrm8euj@qW^2vbC0yx3vxk&Tfi zTb;x-A7oQezGoB-WAXzh_7~miu;;rW>!?7UYp~U%mX+DX1bk*-+vKcket;7vZ}dL6 zmCBLT@cv==LPejD%x;IMDQpmn4xyN%u|OR~>YK3OCDYj&*G-7i-HMc!(&!?E8?VPX z*6<}V8J$JVSmkDBlJjsqfjBV6WkA<9TOJoDj^{4LflbLNuAl}rT6@V1-=$?k4%{M` zN%`b3*#L9sbmC6f5`^KjN?Ez>Ib#;X$r-(|btiJ(Io=YC^#2ja)k)`mi^4=fXCA19oGkeBmkqabDfmiSQoFOYSYoy|cR%wZO5%DTx^Uf;J zWABj6nFu2%5YGJ91@{_zx_a@r*t4lWoWHRbOJ6Lm!yORuDCh5nXXq3$^9>*%=7!{r6Nu&-+QB? zD?VWnN@*5mFcw(iZSA8X%!($MAb@nVy5pyU>+*e4;D}d;|E>1@!dFy)D$7Q5?f?*Y zlz^5igatu#4RGa>i*xS(9b}pMMY2hRq;@o^dBcuyHdiXDDt2zX@QWPg-^G1?22eNB z5^kCJ`_XI&qBmP5dS*Clk`=o+LMyECSsn608Th=wn2X{&pR7oEa)qefTqF? zozsO~yWBB5G=SDAp_AfRh}zlGes=b`{77b{UQHfNxbHvGlUEd3&D zCs{TojG<>}at&~&Jv!25t7(m(v(b?6iD3uvs%qKEm^(FlICCf3>@x7UTS*oMN*|jG zZ$A#gm{wF@jG`3v^$8=X8@e>NLaoxJhIFG4!Y!iK;}LPT7kmc~tke?Wbt0?Sh=51x huB>Ete4%Ha4#mRpJ|bl>gknL+_9`{iAJ{eTIa>CU32^`b diff --git a/sigs/securityonion-2.3.100-20220202.iso.sig b/sigs/securityonion-2.3.100-20220202.iso.sig deleted file mode 100644 index 228dafb16e078c5f5f9f7e830e1eafd31d515612..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;CEyN3V@2@re`V7LBIa1&lZ5BdVKp==x#DeGNSDm|%D z!egqN7oXL%XpVw3w)!zMKeT(y1-q)4!84At<9^L^>}H{85b8&jQAC>z4Oa^W+>B~J z;<2Q%M>lrTrE|;uq6-W!j9DjBVBCR&7rh(2X%_;qNzMq#VAZ;m=r!=(vRj3SHuHZz@%MwjBf5a}*Te1QoyChK^H8Y(%M+F{ zWP$xXxY79F*Nb@Tf3=y9ort>hUVouVbW^TFGW2;qGudc z%Rv$@=i#S6O6~~=uKGv@w%sv%KfO;`B3DZ5+BI~SHNBqtf~}EP0(7;XGel6${&6LS hi6?&h2PJ6De;|tEHwE3@K`9?vOz?JQ-qfvt-dO$I0Hgo_ 
diff --git a/sigs/securityonion-2.3.100-20220203.iso.sig b/sigs/securityonion-2.3.100-20220203.iso.sig deleted file mode 100644 index 296efd987e1fa38527e412cd9bde35e593469e45..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;CGJa+&J2@re`V7LBIa1+Tu5C2xyGf|yAh9R5+*84q@ zC#AG@TCn?PH<-4JvujiRi&(KNh5)KCPT`0jOC4PIbl1HJH+d;9$3<+Zp|;^{dPH>%s@~R8Vet(zISIt z9uNyqEepPMyq@;7b*SPgKzs3QE0xVa$-}0GqYVn~KW%;#Gq&8sRPLJ{~6J zJmVF42DVZCn4+SA8;sQ@2d8MsTA*C46L_)5vsP;eY~j;@{nB1_S3SBsb;VR#8?oPAPE z%8B}i8POr!pN(|%c*%6_A?+ud<)-_lfLvs7UrpAf!iWs)o4B{c%DfXlz5%(55M)L} h>M#(5>etjDHOmbhioa6L*-?T-1go*V1?ZWvP*OaI1MUC- diff --git a/sigs/securityonion-2.3.100-20220301.iso.sig b/sigs/securityonion-2.3.100-20220301.iso.sig deleted file mode 100644 index d4f6b021c702a1c4c72bfda286ef1354031f9d0d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;Coeu@AJ2@re`V7LBIa1-|t5Bv%v=|_PI0grAb?g0i; z8QtCHYy-7HiRZ!4&qOwUsrKx>&93rKW$}LX&?nJPWE0K<6QA6v#k!i%{&y0#eBFiE ztlM9CY5@O-k#>LLc)da0)xREP_Nsy{e;l(h0fE%6r`O;R-kxnuFGWeo0{cT}^Y2~>lCYY_++^Qo~8y*9m( zL08uQaufSVhv5mYf^7PUfwTx@j!XUlj)~SHb^=g-bvZRuhE zcjxWv^D$IT%-01p;tqTX?2D9-ca@|en+GU%PLQLZ14FG5KoBYC5}9rMI%P=JBRrgx9xM=)+kH0kcf@}>EVv``TGxmmR>i1u3flkx 
diff --git a/sigs/securityonion-2.3.110-20220309.iso.sig b/sigs/securityonion-2.3.110-20220309.iso.sig deleted file mode 100644 index 0750f4b4b07e96e94f67d79d0e405cfd6919cd21..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;Cy#m@i=2@re`V7LBIa1;3V5C3rH2oID(mdxY9MW_(| zj;%<{VOH`NP+&jM<=%Jmprg6F@9w=20mYm*t>F6&UB#!Icu-=Vi9u}XB{eVnEsc73 z2OO-*Tu$QhfIKH0f7S@&q=c@HJdeS47l6#Dl3?Cv22wX}(ahKl<~P0WdxAp6^9@Ge zI$9DdNE4XfSl-C+>tTez+2b0PtrWigef2SNBk79ba@VfUz zAsz4~*2JCAgbK?`2P;XpoRh_xa;4`$6rICOQuNfrf;|a7tOsVj&76^9W+@HFt3|+; zTYa?eMgUh9WAp|o{nYuNWuj^lUa7`4FtA(|=qdT(PtQff+x9V^-LGZK%D@7?qDU=i zryNYsrv9ETnX7-9$X^v2TA5Im3x`I1&;R=Pz}8Dq436VWrQSG*nJ&H{l>Q8PjY(jB zbnK?#F-pHqUO5&X63IypCDr+X=eeqymZuHyi{NN<)m#=w}jWC4}X=eD5dH87<7|o5DFkXbAj5+0z-6qe+A@U}Yu-!dT4C@mx|?OdKCL6hL`=C$0uOEHAz*Llt;{%>Xgf+p9gM2%u+hGyJVY^ z?`aH_EBL2g89zvEkI*;#9$ORHpQ9Q_m3nZqGU(t}9063xmV*@!Z#8yt!6yKaJ2FU# z%GqMUdSA{w8xEmdiIRfZfVQu4*a^Gf)nSL9nWg0QrLEDf2oV#!MBhje(a@D>U;p;# z&cvxs4JjdXN+MCMbJR!twvstN9X4mc`hjXu<(6C#cS7M4!J3s`+# h-{176JTXYmstMrD&!uB^(fcr)*joI30fL^>7Hg7r0>S_Q 
diff --git a/sigs/securityonion-2.3.110-20220405.iso.sig b/sigs/securityonion-2.3.110-20220405.iso.sig deleted file mode 100644 index bc4648f170e208b09d018af200ca617a16cce98d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;DB#Iyhk2@re`V7LBIa1#Rj5CD~~Z->xQCzGa%Q&QYU zG@wSy)a|Rp*fF%|6wbDlkN7BwzP}X6&p6WG32IZ(`sdfDG)%EMk=(8{1p1S7fM$oD z#csC--TYuGG^&h7X69T!*u$Sq#`%>*g%2z%Wo-&8p;nTynq*db-#2?LBH=nV4*8|5 z^w^u5WThDSLA>A@94bp9RD{L~UL;j# znTjw^wlmVW=PEE9L*~-?3u!s6b#Wvh_da`tPb7<{=~(+gqWOnB85FWG=S60P&Y9zY zP#+9VGW`ffhwcTMH`mnK2EQKP;>3~3X?oW2F0Wh=fxcAZJP_7;3pivo(jNMsOHo{i zF_B03Z*0&|OfJtrWt7bg>#l@8#S8MdqSjMCPzCfu)Y z`@vX5KHW8?3Zy;n^j;aB6bvvAQ#8d2SYUP`J2@EuA_)ID96T}I3}P;QH`$zukcxxF$KwVTPphWkRG5e^ zkI4UDI?PgP49EDJeSx(r*qp(EDAKKyO}+20qN9N5NS6MNqwu#M`oigDwVj|MdRsED z?mRwt{^!1<&}n|V75vS0@{^+aR(lf?JOMPP#QI&50uw4Z8U}+G{QRBd9O-_jk*9`~ zgzJTNdPx+apX6VbdV+(ecGf!_6!8{(_rHI3yy)w>>ATpwi0F477~;uvLLjTm_R&mZ zl@HGUc8gBO<44Er{yDWBE1&q<;B4R%Mz!LgKNG+6$kCBQ?SqXnu=<)rr@+J2fBVk8ba_TO(7|a->P{t42iP=cDezp+r94yN`;vW zO14P8gmvb};HCK4dv67VMN=mf_2!5!0V{+ZZ{vmuBG1<6q+ZfceL%%FJZjh%xteG5 z*<$Hc+|cN~vN~xx;$gn4sGxBUR}j9DfeSsMg{SCNNqats4e0$6H}Q~sX#w2#YZUSO z`f51Xhg7-}MxgW6uVkSFE-!qS>$)c2_0C5O^@~F*PoE^0_~!My^_02xtJcy~Ucdg$ zun8CZ+m+J6+VxXCor84nNhyq@dwz9`u}$08%v)pgXNi5vj(kL~jvzgVbUkY5fFIAj z8^aEimQJY5VD}4*J|hN?c|uh|C3|kF`j6n}q$xwlyF@Q(o*!!@7~6r;8z5$*L-TH; z3F7g><#$O@Kv((prkbw#q3TC1Ix=GLVbJpdYqf!*DcKGeT9np+@O(&I7yAw!gvRa- hVkWs;%Jbk5;=}T%VGx`T4Q-%aUQdl!MJw=r1%tMp16u$9 
diff --git a/sigs/securityonion-2.3.130-20220607.iso.sig b/sigs/securityonion-2.3.130-20220607.iso.sig deleted file mode 100644 index e3f97a43a86a12382f68c8d81bb2f30c061c24cb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;E9ig*AD2@re`V7LBIa1$-75C3y}?W<9O_}@~Sg2+>O zD6J=2RFR@M5u<;FzXMg!Ex&>aHAM%P*!APTXcImpD5bLFYp@?PJjC&3{h6_%(Ful> zVjUdJZ7+dLfnw2!+=&1wBoOQy(a@fRJ?O>#;8%*m*EQ zUB4*m^Q&FBtSC!AtErpl>8|vKrk7q~j3Qyp?d`MQtO?0fJ|ZufWNgj_gxU?bMl9iM zeUzRX-Mdd={wlD2N2ly7Jk|Eu@{QRMQ^=(M`Md^yxZ4)ma}I;aV>$wrb4+T~B?`LO zYdiysavKKqiDOEX_N*a>S$TnrRVa{zU%?>T#_xH7r!v~mop$v1nmET72wZfVQP&E5 z8Kmv$BDH0D+O1Hy+eE1L6#R0GxKZph_%9vZ%4!MfQkYIssHDbpvR^jf3?IFh!}k>Q hO$>bCVqe1y^zv33Ve5Rkugd}?v!_*Qqt|A&vhNL<4TS&z 
diff --git a/sigs/securityonion-2.3.140-20220718.iso.sig b/sigs/securityonion-2.3.140-20220718.iso.sig deleted file mode 100644 index 5628c323f0c85e99d9aab98d657a8a615dd3e108..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;E#Yb5{*2@re`V7LBIa1+Hk5C3JnavmceA)8AZggeZS zDLrEFnGXx|saM*K<6N>OeUiM#U@$`LyVMj(zdoLi#tbaHAl8>}0za7+99++7mq;8L zdyN;F2|5OEnd=LpM8LKh%vTx3L~FnCfg;QFH@d7?W1`vOpMjDjjN)O$Bz2krGWP2k z`1GGfHmC#X84)ksBfb?!(?jH1j+;NsHk7f9r|>ED8(&KnY95p#;9X`I> zLG_nIlhA_`YJdle*XRh`LV$n%0ah4N$9v^NC}wEz$#lyjn8LA$=uMY4FPzmEM%c1l z!wUAG(&It~@htt0*9rhC1ifoK4MD!ouY@$c3UchVYlO{2J7!GtM{QQ^aW02%@w=Hf zb^LxyJA6P)oh#+=XT-UHuSTs$IWpWjSCD!!`t0G;#{rIuLrd zcvO(sv@#Ma*lkdRkh^^#;M8mn_nOx*2Z1$nXUyy%MSm*hk%jCe2@eVqF*nCqAnI9z h>{-9Gx?&Me z>7X&#c-?K_tDM+dD%0aSFBq*>N$O}b4awK`xrR1tE4FlrWSy9LA24YXxkL6@D-d4O z0%ADZJU3kc#2{W7;ctv&#I*bmNVe+F#p$d9h+)zn!~oBPJf9Xl{CWlp25*HG({~eN zfg3w6svRX8PLpeApdNgvud^{J7qn4orn@J@L;CRR>ryHc$3SJg`VJgIP#qYkbi!_6Ips#dee6vIT)ZM?B{i`J7$BZ-m z6mfzlu2Kkm6bfZb_Qg}j(GO?oKzSfkaA=M%DeN{nGNM+-rbZ`{2fSdFfbkt!ZvmDt zT4Yi-3w-+kJj&0wXcl&v5u(6>p_*ZGLq`FtY%aE=F4aOAj%C)oGrk8t5G1}^aB zK?|IZvLv5Cg`Og1^bPwp80b|XN#jXhwk+^x_vhQp6D0e1%7$Q9e?%Skx9iZ#HnYF|^9h`sXt77?UknleS+4 z7_?8GPG`)Vp3*3>2I*)4=iv2)8qvZ>_W8@nqqEr}eQ|rOSQR@P!pf4de?VPLh;v1^5!k>KBGb?aLhYyD;nW|wF!i>vc z_LL4ka5V3d>-`Hm-?q;aQ0}fkc2Ktq{O^5+9ZTdvR>ws6sc}saDbTfAJx3r+I;?JS zA^X8#!3Rl_Yd#n@^}NUb^lS4lC~HcuLonxKG!4n9<-pP3cdNuYHYF0ME9b{Yq*M;v z;NKs5erbK$QUt}(5V8N1Dz&90_ItNQe-0yTwajcOTw>A;sMKIoBlsNNmbT5A&lI%erI(e%g3-iuP zcdWf;`@$Pf7@YK(J|mlObN1~Ps~-_XKY6K7ocrn(9KcxTkoGS~GCJ3$6jZrw$DT0k z7-NTFGVy@R+w4XOJ}XgXS$`EbG|uqt`lL>2)%qr(=PT@_Z?cOgG{oaJ)f9$26h@fNc}y_F#IFDa!u zd60jQ3hur@rJH`pAwW4-_o`Z20VH{d95za62n^%*Di&f{95c)zgS`lx5_sNm1B_SM zO6?VTh&WpF%DEUZK8dc8Ujb;!?H-JCat1x!-U4yGm`_D83QkK_Cy%&9ih4Q*@2R`f z^C+yiCy?sUN=J6xKT4{XZ_cwO8z4tFo|}ho!C|H~A)oO`jRR7=u-`(jbRyC30F>0= zW*y0`reaqIII|U1o>5#nE|!_#%sr2Bgo*!y6SGK=-DLf?kp)@~uLK092Qe!<*88$g 
za!pHZWs<~OMrYr)?}^w|l(=eONCb!D5wyYA%J)To4dS?B!97bUT$#zx_VcuwA8tUJ z7Fp05)YJIn4sEHwxM7a*Lv}_kI-eBRtDUIO^eQDRzHq|#g*uG@IgZ-5&93K9o3M_q z_iX(RNO_ZF2?YB<%g}IGreI;5#Oy9{z5h+mnY0s10zb@1?)&%$j`M>N;5hLS?%p^q hPAv^$_DZuH&LCJ&T3BSaGxgdG~=BlujVDpk6)|Ih#c diff --git a/sigs/securityonion-2.3.30.iso.sig b/sigs/securityonion-2.3.30.iso.sig deleted file mode 100644 index b89b2364a5380530639a3a52ca29c360d7ccf9cf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;6_Jx~A&2@re`V7LBIa1#`|5C3}SY0h7lG>C5B+6vX3-0w6Ep585QWujv^j0PV9{N=A1@t+NBaKQ={>Hba6>LK_iS<|#2NQ|K>( z&~3dKcX&Jt1>=N=JZ4Y4D-w~g{SZ#2v&Mr;qR;nakoqKi0(9H1*#ulM(kUAcaRDcDK>NxFI4`gT(&Q@@?~&BbDOiPU0YCxI zHJQkfKlOvTuGFLf4z?AbK8;x==&UD*Pjq3YpFYVCiKA_u|_Tl z+3PzEzfm8^Mfm@;d6O;RV84#p)1!3s4Y6ws@I?|vMz=Mu;<^EUu*36QnBmeGHB9)f zq^6N&7wN{Z-*wS=2S~@(L+p)u=Dj>e?xN5%rJ~C+P6A}y>JEUO3 hhBhLBoAoYWc8)1D<6hv__^>KbSk{m&8KPAJTGKgu0zd!& diff --git a/sigs/securityonion-2.3.40.iso.sig b/sigs/securityonion-2.3.40.iso.sig deleted file mode 100644 index ea7c04fb2b127430e908f4a706d461b16eea5abb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;7Loi+dp2@re`V7LBIa1&0G5C3outT9R&$*mG+xsbX; zzrG>`D2f$rnE4)Vv*4&$8$q^>_G|qb`)E&?`c(!}!(yp^_jWXN}%O z`DcaUk`!=9b9ANCcxD!Qdeg0T;({(F@y^bM8adOaTtegZh@wH%8&jdN2-~oq(K7+)MkQf&dMWkG% zE`rZ-t0%;Xn+1)P*n=yul&DO=5*a{KThZp$wY1b^p;vvoN;kk5OD`KYVl4Qb zD24iI}aZi-+E3KWI>QWi@bGEzMgQ$bw5@9 zmD!?Tiufw>gIg6H<@xa9Q@TcaTMyxc9a3V`H!-e*c`bp?qN83;2ob8civ{56uXlSI zLhYB;I&~SX1^^5@zHevTB5Y*f1RkEQKhMM&>4XD85);gmOjgSZDI~tm(E4U8fg-Kx zz}psfO6v|P&|;@O`#KbY;(VtMSD*v&Wru`hw3h=_JIflkfJ(Hpu*^u!r)QR@q5HFt zwh%Q&a-e;3Y-bi4PMWy=e|}`OE`5GrV&7imeW^xI;}ssVyv;GNj^C|l>GyeUBD{Ct h1s*75K*KGzz=y-D^Zf9vT`)En2AsEu_~~&eq1c=40d)WX 
diff --git a/sigs/securityonion-2.3.50.iso.sig b/sigs/securityonion-2.3.50.iso.sig deleted file mode 100644 index d8405a0421e494f77a03bee88e5207e9f73c1e29..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;7*RW$$#2@re`V7LBIa1$Um5CESxa#R+gq=PYL1RQjp zIUjoz5JIvAI&fTWU%o>h~+eB02ca8Fb5cDUR*+^E@ z`nMVQYSe6b-cVv-tuz_HMkKDGT76lmx(uDa5)|)sD?MLv{R* z1E#5Ie<@~K-Zay`EJ1)0fqS55MnW%AwIRWoN&_XyX$rPwU}^qQ1m*+fU}lY}1jLZC h24TfxOI&zaA^x(3X|swT8BU^s0s2 zN5K+$mR8o|yx}I|O-OsnamJ#p&1!`3iX*IDpTyXuf8hx7^*Mx;#+8b5@IkzIu^S7t zubXL$t0%IHQ!0^Pt$2s;cvlCAxW??=O3#4`i@DTuTc_tm*}+iNodb~MhRI|d-7s-_ zRtSk={KP|UGUfHV%G z8+S&nNnv4jm}<^1etZC{v}TLvI2!{w=wjc1E*=nu%|OFkP)q{t$W+qxldpv|BguU$ zwd5eMir&G8VS4vhh!r5wD4>c&Nhn6pVPNao_5G3?n}KLn)tSjpD0tg1;xnn8q_Vbp zSpYprNxdL|n+Ol~FhWIupF2ELwoq&m3PBW0Sfra18PlSt0f%l2 ztVaFaGx?;kjP{C`Ln< z4@d%!)Q~Z_NPCkH*8Y(aY%ajD8jB#hVTkFPrpc2&4c2 
diff --git a/sigs/securityonion-2.3.52.iso.sig b/sigs/securityonion-2.3.52.iso.sig deleted file mode 100644 index bd18b5eeae1af0506309e705a5080e2b46a57b31..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;8a0R#XF2@re`V7LBIa1-Wj5C1}2Vv&dW;~UU-W(JVS z%6bk+`W4Qxt>kfrQyhhyD4$M%2H+pjddko*lY}9yck`GrG9t~3-hM`MV%6pct#w0V z1nU()^>bNd2xmW9UDTuet-}7=uv)849}eQysBa!XI=f-;pyR@3Pcr<^h2!iicSBP* z5`N8ClZG%qoOUk|D7d&U7$?NI^7 z`!PVvwhO2=8BK%m@KJu5UxO^%l|HwUAyYhGV^l~2#s6wimZMk2x3ZDTvr6qO3&JO@ zJ$@Rvu`XY!o8ii4q{Ra78V#OG*+Hu!U_mJkikZS|b$uID6f45Q+f3 z5-czVLWhjD+eM1;T52>(cIyvZF0A2EhOyy&*knpA@R5K&RKsJxI^HA1`e{%Jf85hg h3G#K4Sr(h7)<`0yrsE@)`v{TK*B09;X7=Q9E#JA^1K&6cMy-`{?@e&gIg z7}xPNP$!NqTpYsdIAdm63_Ryg54pNNevsnWV^D6g-~3F~`3_D`k5ZQ55Db){gvjPQV-cX`J$(qeL4B7ZMEnXV6;2Gv7PC#Ed(hx=_&%ezixwucVMGf_z$U z%kJ+oGKiKKO0FJT|Cpis>2u*kw`k``b*oN2SD~dn&I|ktVH|MJGXX>RwK>Q$|C+e| zAICSgCiV!3V|EFyqUy&(4xtL_BXQh-Lj0qINA4jh6;Nj~L0W%Su0-e$ky~g*rYSj5 zG$9E5n9l~h^yU{*+_UT$e}2T{3Dylr122{>08Yi0vXjeCtYe2aVvhY)W#o%_ofo~< zd=qN6iR!x9)|a)0POs+HlDsO%wYJu))ayju>%{N9N6+9IGe z^=1tcZX2@XW&g97uh|jdqkxqm$~2BW1b7ocXyJT$j|tglSD5kcE>_xLjiFsSzhsq-pm@2~( z`ODPPDm?sgWAKH%=TtyCuKCRJ{8xw>=H^BMk&XcvQxadMMc$nF6c1%Pja`$8Pekn$aUMi3 zo#Ljw5X3_uxJ%t&R}YR7e}gbg4%L_f$+yf1`eXf^2m*6P`j~mh%fqTxYKxt@Y5{y5*5@Ghj3)zUivs_ zfKQf#=)m(F*^B<*&D&adjU26cS|(#5N}FU= zGgWoFWNPvIBQ6!3p37o?om4$H^C&lJwhZzzyx@6{^Err2-8rXYiQ*PLnjA^do)(oY h$e~h9tfW>;@LmY}O&&)QYg-Ckik79+CJ{}Ek~!yY3sV39 
diff --git a/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig b/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig deleted file mode 100644 index 56418a152a0e92f0f49ecb19a5e5829208c02d07..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;90^Oyh%2@re`V7LBIa1(!}5B@xPR#8-;uiHcl0@3*S}#^;B0m+2ie*Z{>Lm)x zy!gLhT|?6%eOJbhKu%=&sA~Rb*1{>`o=S?7#9<9<1yXqNG%G%AQ0Vrlxa*;0aF{6m za0X?1iM6Z0Htd{UMpDl5UlAJWHk(^aW1R?%7{lC@Z#_uuJ(JcDn%|z8WYshk4b2v? zGJ`#Y-^m^?=iO|E!+C|0Wph?}OT^kib5jdg>*h>Ub{x2}DE@48$Q=!-EXJ#z))7C} ziKxQc@30q*wl^QoCBi!@N`N?iFRZUeb7rJv!9og4bsI`#sPJrshrK(B);G>A8sP^Q zea^e*Xs@#})uGVzrIJ3W9gO&Ph8Tb3LE4D-`{PEcyWm;@)w4DX14af#`LxwuuJCpe zUs@qnC+qYzF+2N^@Y3F?U9ZR7fUq`2%#_D)S>D&668~Oou^5CVoaWNsV)*8v1i=u1 z;c7DF!Q76NwQ(_aSFZFBwRyjiYslKr-xS4UT8KyrYQMcN2VF9-2RT#%5} h+6FRS4wBhD?XtfNC`;ny$o=-pb-6W>U0dsiZm&%O4_p8M diff --git a/sigs/securityonion-2.3.60.iso.sig b/sigs/securityonion-2.3.60.iso.sig deleted file mode 100644 index c00a5c66491090d7ef2992b32ae12892e88df79e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;8**h~Nl2@re`V7LBIa1-!S5C3}hMvA}Ri6L7xJi4j> zFszCJy=S#cK3oK=riZv%VRVMH9mLmWxvcOZnW_ChGHo9i13c4am`S;GI>Z{e_e4+X ze@*D61qSOJe|_p9uWar^taTKH}w5Y6(u?< zH7NXs+<-H4bjIIRrg?Z_TDSZ&62w=|@}qjrYRnoVjbNJoP2Txi zIagwHmU>^`4oY0;RpqC++)md3z8P^OaaVaGIW4C1UBEOj z8+_3VGFVyagb~Gf)V~BebUEAzKvJ+sQxxUP!Q&Q#QGT3h#+E)g$lXk(A6|uLQp!Ji zPxzuZTRPR%Z@W0IBjmnwTosYXzgyblq%3ez&x)$cNgI{GP?k3P^hSsO7*7=8ORH>& z;onR{0=9BYCiYO7BN=rE8&Mquh2|_|LG1XT=}-0pklw0EYDHl#>@hxSooF71|7ms5 z#18bDP(kZJ6_onX7L(a6gHz(i!2WqZW^i!NyIZD;>pmHp;L9wI{O)-5ILOFe)5Cus hN0B0jR+y#-m@{3SZOa~s={58!rmdxnt{h?oOdE8}38w%6 
diff --git a/sigs/securityonion-2.3.61-MSEARCH.iso.sig b/sigs/securityonion-2.3.61-MSEARCH.iso.sig deleted file mode 100644 index 52b3b7645cfa6becb3e3f223345a4104e36afbf7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;9K%f|o;2@re`V7LBIa1&?%5C4AYFMku1Yb9^S`MLeh*2I)l3goS#SvxGa z2CW^Cn^50tDJkLs3=vKTW=_?d?MoM1%yz4$&<-sgx5Q=^5tmX|4r zo8rWWi}>XX%aG-kd#tXe=Je=&*BE7kTfKU^Y=N{DubAL;rTFUSW?$GXh4>!KZFU-E hECTlT^$VlGc=e#p&$q8RH=qhr-kba_1YiIF diff --git a/sigs/securityonion-2.3.61-STENODOCKER.iso.sig b/sigs/securityonion-2.3.61-STENODOCKER.iso.sig deleted file mode 100644 index aad56a116bacc05e2f3e827b1a3a4552617b59be..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;9I9C82(2@re`V7LBIa1;Ja5CDb*OA52SHJr&V3ysp(JvMaW0`XS2SS9Zv4+><`?ag#M(!na*P|!Q{=$5F;o0 z2DxmH{iT_8CEtKs&2aJIbdDhN7t_HML&(AJJxjwiAs>A`o%iBd0MbvTeDBjQFgX}` zhU2HD3`dd(KRzNTAKD5bjQbGUY27qY{wU8!NQ-P>CjIjC+4EF9p?@L;>tr)7nzkP- zgG2g-<`}JuaLJuT|OE20GrBYP3S-LsF1a3cirRb*R^aMpk=E+pGfnn4U5YZ z%J%6)v>@MNm-|q?&x7Q;37Jbhh%>`W{>vVw#&VV!Ye|$($Wo6SwHExGT&E-&zZ+EC z*Q_k)URQiP6C6c~Us@E_#k6uq3Pw&8Za2d|Wawf*%*a)>7AAq!nJ(kq7l7@R!lwt^ zT+?~13_k=nGdnE8OM0jYh4l-9AQB5Zui0q#+#cO zjA&c*#$Ko|PEbmw-|;@3r^+uHAs$u|m$KoxR{?t6Sng!TGgKH@aC3RuidTnh(4lCQ zGT3bQpumljQvi@Ha2Tl)GjY zlGEO}XfzK#06-cma3eu(hKWb1wUu%j9UKv8$zH`yJ3j6XFsEM3i4CW|*0^5;0 z_g_U!Bb1Z?uz&%rR0(JlZ 
diff --git a/sigs/securityonion-2.3.70-CURATOR.iso.sig b/sigs/securityonion-2.3.70-CURATOR.iso.sig deleted file mode 100644 index a9dfc3d1d7f0f0d0cdb701e34a1bed95a9942479..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;9o|+^87z{GoYD2B2{aO?q5hc{#Nr* zxgk!wiJq;?2rQC>ZWv_>rE8Y5;D%ShhA(q+@@%KZBk`Jj=i2Uz4jkgQGM9SU_R;Qh zX|I^fwgdW3$v?xvX|zlK!{ZRh!0iJh!#fjc@yoNN7mqdE zvp6=~$M&s`H7N;Y3mUp>s0Nf->)%Z5X-6bbBxj>frxQ1ORjwr<g*aqZ0$~ViB#!zf~3!g6ovVG67Ym00=UL(3;W%+mm7<5aj)s5*Lvz;(>vFS9f#J zfeUUN8$#?3^eGjuCDz_bi^qV$X*1g5P{1U_nSH%1qJ{B diff --git a/sigs/securityonion-2.3.70-GRAFANA.iso.sig b/sigs/securityonion-2.3.70-GRAFANA.iso.sig deleted file mode 100644 index 8abec2097636d1a0a617713e6242fc3da0601c32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;9s-Xs7D2@re`V7LBIa1&*n5C44arQs$-!yk#kQT4^& zU9S!CIy8L7Tmw<*3Q_bFL(v!z&N?J8Nbi6QN7|&bad=ps=Rs9BE7B+iq)6tF)Nsbz z1V!;S77Pj6#DJ_jfX1SU&^>!1JO_NZD&>WAQzo^jhD-XmEJC-L@>O~Y4fDABv|SNf~gLi7`LIE)9Gh2-8l3k^e|g7{DGq^79)&VbTg-#pc>sd$4k}aszK3 zBYelljMlBthc$cXW9d0PAk7~~_7%MXBRJq zBzV6kK_(&RVgr8cYB!x@wDj>gX&L(izTn9v3V@01yPqWH98?vp;*&K!s=qn&Nsk{* z%8%LKgo62LH!dgf(fy diff --git a/sigs/securityonion-2.3.70-WAZUH.iso.sig b/sigs/securityonion-2.3.70-WAZUH.iso.sig deleted file mode 100644 index 43ce74d15f27fd7404032466521b8f41493d216f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;9$SNZ@72@re`V7LBIa1&ji5CFP43k_8LGaz5WZEq#U zjfxe1>pW9wHJSpK$w&`hIs|gd_hGkOa0Qcjg9u49g;ggxVp>DrKLfl{0N)Lu)vqNUO&}dp0)O@i(&g%Yp!t-=1v7XcqA8m- zNuGLYl+9n8BB~E5{WOI<&Yh%{#!Ri4Is5Sa+c2_#?^po`n{RAG zE>jx($L2Aywe2R-8tb>tYi`!r+iI*8O;Y#iy2!*FFHMy}aL_jo$chB>b^nUi7#~Of zXuk6R{56wMf=YM-PurQnsc0}3gEvnRvtd!qz?St+wh;T9d4Zc%9JTO{#9`lNm*1?WLA7L9 hGjwSAR+NL){>p*2%?PW}Wj1OMZdTyolF!u`t>a4(0qXz& 
diff --git a/sigs/securityonion-2.3.70.iso.sig b/sigs/securityonion-2.3.70.iso.sig deleted file mode 100644 index 68cedd6bea7db9b2201155e8de7497942f33f988..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;9lb>RRC2@re`V7LBIa1#;&5B(nRDnnRA=IG78V;zAV zo!IWi*{qss+3Zea$P+U07W=bqq^&f?*XU@Y-+12j2-*#1wY!Gz#A+r5*qLMn10Ed9 zFFO2Ed$i(`E}dv;P)*QxSRVo4olrc``&lf?yp(MW_wL)Sv(FHSPAzb_=Wx+xBgM&q z3La0~WLBr1?dkW){M)(^xsaVlqA#{$?1QODPahtp7FVH=9lmla1YvYiwlFOb|IYK@ zxPQuj=pVF#*<|+r5b_E5%d{ce25eTHo|M8H^u1_I9&YCX>1WsGLtZjfxFf?&zO^9r zMZA7|&)}kV!WKW;k3SIx@URM4B!Hd6WjvM~QCD=a6HPVl8s2;(!`6F-(jk@&2NAs8 z6dcZkrP_1)yLN(k+*BjQ7S2eWC|$6-Ci{!L3Fw2@4+^~~cSq1_;0jZ|&QYGh`(=hS zEnXUw-03Pi>C6UGiK4U0;BbF&tokdLs-CPFo`J1p%PQ6rmdv*ikID;F|yv#mb`+l1%HUySB4uBs4ZmdQf12JPuykGQ)zXv*wTiRZ`$K2!;Rv diff --git a/sigs/securityonion-2.3.80.iso.sig b/sigs/securityonion-2.3.80.iso.sig deleted file mode 100644 index 4fa76de2e248663018bbb18c9494692be0d262d7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;AFza;<)2@re`V7LBIa1%185C42D7oKYXdOn02`!}QM z{*}VbE0))c!-F>4rLTz?`f}3am@^@Ms&As|xYR}E2Lqirc*45Rw5I~$UHyk4Ug9U3 z>BzgrCSICSp<|3-b%ftu}USBUI}2L4N&rBy1i6xFY4oY`72)xOu@ z){UdfrS~5@m-I2niyOU45*xGg&r_nyVWFego;#ROH?v9Ka#!9a2NsyEOuj; z_11h7PGq;5yj4*M75%|q&tj21D!pvGH-TjwGzNZ(#8Hi$<}mW0j8~?%;w#@2KT16v z^V<1Io)(!~R*kZpYJRhi?~`?Jg2?^N-49knv04lH%x$cyb}bBn!zx2I;3aDeDq?2p zw5Whgqc~6O7B6I&!4CV(;P(krWxHR*4BR&%Ap+Yn7;LlLvRN?;*jp`9W}AxS53L^Y z30$k>yLfzs3qeyd7I1}rXCkUIaa4jNVNJakIc=XT@MOA?Swu!Dp?LU;)~A*&`x7+n zvEo73A7ZP%F0-JMvJjkHK7x5o=))D`1KLEO>!d9vR7{gRwPhyS9ehYDwjA!*c2{`k h@5q%SJRbyLK4c~-4J8SqZ@nBfxC+)`(s7xyhC9cm1#18R 
diff --git a/sigs/securityonion-2.3.90-20211206.iso.sig b/sigs/securityonion-2.3.90-20211206.iso.sig deleted file mode 100644 index 5afc243ddb1542bdefb6b8d48bbbc48fd7896b50..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;BNDAfQ82@re`V7LBIa1(tf5B@QT9rkQxv>A(xn+E!9 z-}zIlb9D=ZwoyDh=wlErUh4r$6;isx#0E?yT-A_L;-M5SOea(hLR zk5xM{@11Cxt~&+M)?(y#B^xH0?)131FdaL!Y;V3Yb^#zwO@}(P>U*WOO>4a9K>}tn zQp9XnT|jGaW{=cJ(t{Ldp)<=TVPP{P@^XuM7|Cr!jUf479$WMcK&5RO#XtQgeM`(= zS1$`q5(Kfoe|y}jI3K%nzF&3P|4qm;7@nFr^!UBrY$hCg3IA^Q0`y=t(mR)v2-=?z!}?t#+-du-FIvc`(3rU(k59p~(PaxBE?< zh5c}BB6#`L(Z9b5-R}nKE5v|J9@2Yul|lzG{@BDk zQJl6+q7iRz3l%GBE%O7&i;YbD_4GmS9+?o9OUJ|B#KEj=@91#z%b@RiDw@W+Ln2`2 z!|*8EKm0=>$`nn=cGE8z{gDO`!NbF|Ho(#E|NuXu!@tP%~9FRR@hl*6Y zxQw5E hA#7Ps#-J{hf#jz>w^!|Gfr+KfIRkyMN^~ zj!QV#z?zx;buu>cJ5MAAhh+m{|0zHAAoisyH@uBK(6G}UXkL;>V7Br;_4*RjHPydB z*Gza9<+Y>cbx$PISKMxKvX00CbH)3Q7Nkq=2zyv8q~f9n)|pn!14Z~w#}#&`-|81% zYl?*oP|D!*Ia7r?$R%XRnO@oK!7ia z&!dQzj9U6Ez6GWuOdG#zz%W6hDnj>4eXr+K5?LQ> zg4AGrYl)C8GNS1ZoMms>=;hP!%+jUOX}nL7?~ToEl1CjD5-3w@i^V{zrz6XV|?#Y|0D~`FhmL(of0mSXGJ+*mbvwBc4Sl@FR%mR&qr?U h7l7ECG&x$N)mu;C<`R!LT4YpNm@2c+9BKrCcJ5h<3sC?7 
diff --git a/sigs/securityonion-2.3.90-20211213.iso.sig b/sigs/securityonion-2.3.90-20211213.iso.sig deleted file mode 100644 index cbf5489f2acaf5b56bad0204de7b13cb266f2551..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;BWc;f&H2@re`V7LBIa1)c|5CF3JBfJNiFCDh?PA})5zb@@Kw=ARCYk>YZ0!^8|cZJ>-$DX%h}uS zc|U6bZ2b(3=EL_QtR#TpGg82vz06=-wx-j_IVTVPiZ;~oA@usI%`LBieR^~($L2&B zL;&bZsus8glWe$NMK9ik4Bhg`OugiRg~@<`pB zzFKJRn5j9ndWz>^582ngD}vwxrt)RvxzVJoq*pER?9{NXyg@6K^S<@GojuK7p5&uc95D^gt2GCT!je`z z#j!oytvIeVRpO;d=t+%Gu8l4*ZMmB)sVSmFsUJc7<7{0Uv~SkgV@h=HFq5?77L46@bd+dKQ= z{raokbs{~6B)~&dyjOZ;#e)}@s@Ov4u2FLH10aB8B)$G&{yHY}M@*Smb`)DhB{PSz zkTf$)I*JC}0t5O4iHo}n#0Zi_?c)BMieBV1lIge}M{Iy~2}l98eztXRAM?|(jfR;7 zh1fWr-VN%n^HOU4L}4>g-=vpTBb6g_sHvHxV_3)x`lD#BzfmoG9!G{iyXjqUs^1Ga zfMHcN%_#7Yj3VFrG8?c32ekMS7!SaV0+@xa_J?Mpf3o33OckM@#oPk7pl!IxC74(- zp~8fb=-X>?5t8^sEF4LL+yDeHK?Yo2@4&c{2mtCz5MPz0rHF%>@pR;aU3uz_od z%28rAiJ$kX2d=BF#nnGMf zC?7=`36wR#?z8Jq4~mrAM3Frxx9*&(uAKJ&&2%&Jo{ccjq#}I#lPz`{RL|HRmh)vs zZz8*F$NI_-<(AFl{0>#9`Da%t?fB(^pb7TU3{`V{=%n-MdO*%o(K(#~z`0l~dbW3% h6c$QR(_M1|qSyccW==aREv++hDYm~70f7Va#7?UH{;B`~ diff --git a/sigs/securityonion-2.3.90-WAZUH.iso.sig b/sigs/securityonion-2.3.90-WAZUH.iso.sig deleted file mode 100644 index aa9539e05974f00e5d92d210c37375268af6c0c9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;B6OuPUJ2@re`V7LBIa1$I;5C2J0Ady$S0^;=%|8pG_ z6cQJYi_qok{!Dnx#-XL+O7`M$4X7TAfU}qm<5a|>5_q?>t13xY67X5}$Qm`=aFlG5 z{p-of_6h^&R?wUUhumA6yHKC{(~UgL`GfD%gd?_CRjY|;Qce{pe`T8;-wWIFzfL(! z($(FiKo#-_v3~FQ-K(gPy2_dTw7RYd#4FN$67o|l+TLU1( zLr|={SH;hfG(*QzzK9_M6^4La7f^<){toA-Gq`U1C#dA>BF304mC$lN-%(ev=Hj52q?bNBE{ h&RiSb@$GyC=b8=J!EBg=+7kO|Cg|L2suPVCU&7(^3FQC) 
diff --git a/sigs/securityonion-2.3.90.iso.sig b/sigs/securityonion-2.3.90.iso.sig deleted file mode 100644 index 00f11ea5b3a4cd974dc849fecfa0f93192e7ca67..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;B1A^`vj2@re`V7LBIa1&oe5B?>xxSVwTuqUD9MgR zHRVaiTs?4=@4+SFM698;<7rj05Gm&pma#WUpp?-!TYHX2tI4w+wwAGC55+e42^UUF_LsKvPv3s1-m$Yok zT}Np%KF)X}OZZ)xx?+t@p^w60b|_BF5j-FZ1kY%j}Wg# zvJnauML9U-sn1)!O6Y@@zYlLL97q-iZVGEL**m~@ooQ|~22qVgdBP%~!)h@0lb0BB zL4j@47y%zAe8NF}W>{M#vOCO*N#s}GwC);Hr0c4E|3T=;il(xt4OYkp|IkJ^FD+$s z3I7(@%%;4Y2J>g;>z0)l@3z2cLjcQ5<3ff))Ve>B`_$*ak}hZd?GZ>XrA47*>|0eQ zSJ6XW_q&6f;77#R^=kG8-@d~lr}>@9vlCtI2IWXPJHs=+#V-WlQ9ktoc#Rj?>g$l> h-8)0QM4Bd~6$^eRrJwBI2DAVG diff --git a/sigs/securityonion-2.3.91.iso.sig b/sigs/securityonion-2.3.91.iso.sig deleted file mode 100644 index de428774a822ecc0dccb143c6e6e5722a473173a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 543 zcmV+)0^t3L0vrSY0RjL91p;Bfzh(dm2@re`V7LBIa1&j?5CEmm#}6|~jNcXZU=XJR zajta}k6@2NyejcEgEL=P;>Q0)*;tkIg)Gtc%kZvKMwQrk7Z!e)-JT3=LKY`S;qV}o zO4;?CI7NtP`=c>%FP)yh6~q{b|7%n#)|AcG45yW=xs1nhbZeJ#WGRM^3ZAf zolUiG_clIvLR*uqFG}~~VXnT!cAKH^^7R{AFbgqOoqR(Guktxa=*f9OT;aGtlo*Rq zS_vW*ZGblTSdENVKDcT!i0LFVQ|(hoT-#$Y>yYT4_r;KDGE+2tOTc4pYpq+Sh#U#xHu!`UjM@z;8TrRbPt;0Y zYuxO|lAE|k6=$aC>MRern!Q+dRPwdchIn2t>)XQRAJKqWIvKgSz!wK&mmd-^u9B~j zqWqd3g2Z+4Kf$uw{G(=iK$Hf&SGQ@VgVay%`JOIl{&W=yOGu} z#7tYwx1F)Wqcl9RGi0%t*&ENlqky&_S6*{~j2ySvD4=|6V^$W(CWi%VKf2QuTeu0u zMWefao{DuO&~fmZscgA~bRtBBs*T$aNHVoO`(O!el<&Vek>L{=BF7+(;$UTNAh~Z_ h#MUI1wdV4ovc54i!IPO5(=gkPj~(PS>914W6&Gy^2af;% diff --git a/so-analyst-install b/so-analyst-install index ac92afd77..2e0e4fb34 100755 --- a/so-analyst-install +++ b/so-analyst-install 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . cd "$(dirname "$0")/setup" || exit 255 diff --git a/so-setup-network b/so-setup-network index c78756c98..ca86d249e 100755 --- a/so-setup-network +++ b/so-setup-network 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . cd "$(dirname "$0")/setup" || exit 255 From c9dd2beaaafdb7ec1a7b4c1807cc3d189d2eb800 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Sep 2022 09:15:58 -0400 Subject: [PATCH 0003/1082] Move In Day --- salt/common/tools/sbin/so-status | 310 ------------------------------- 1 file changed, 310 deletions(-) delete mode 100755 salt/common/tools/sbin/so-status diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status deleted file mode 100755 index bb68bd099..000000000 --- a/salt/common/tools/sbin/so-status +++ /dev/null 
@@ -1,310 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - - -display_help() { -cat < Date: Wed, 7 Sep 2022 09:38:22 -0400 Subject: [PATCH 0004/1082] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 7b1ae477f..46833c081 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1175,7 +1175,7 @@ elasticsearch_pillar() { " warm: 7"\ " close: 30"\ " delete: 365"\ - " index_sorting: True"\ + " index_sorting: False"\ " index_template:"\ " template:"\ " settings:"\ From 2fb1f14d09beb31d60c8148df8cc50ecb4de065e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Sep 2022 09:55:41 -0400 Subject: [PATCH 0005/1082] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index c9583b108..197c4d5c2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.170 +2.4.0 From ce688cfb91c465b7edef729df0c159fcf6af7c93 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 7 Sep 2022 10:23:26 -0400 Subject: [PATCH 0006/1082] Elastic Agent setup changes --- salt/common/tools/sbin/so-elastic-fleet-setup | 7 ++++++- salt/elastic-fleet/install_agent_grid.sls | 4 ++-- salt/kibana/defaults.yaml | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index a41beb5a6..c40699df2 100644 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
@@ -55,12 +55,17 @@ printf "\n\n" #-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ #-d '{"name":"Endpoints-Initalization","id":"endpoints","description":"Initial Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' +ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-default")) | .api_key') +GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-ndoes")) | .api_key') + # Store needed data in minion pillar pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls printf '%s\n'\ "elasticfleet:"\ " server:"\ " es_token: '$ESTOKEN'"\ + " endpoints_enrollment: '$ENDPOINTSENROLLMENTOKEN'"\ + " grid_enrollment: '$GRIDNODESENROLLMENTOKEN'"\ " url: '{{ GLOBALS.manager_ip }}'"\ "" >> "$pillar_file" @@ -78,4 +83,4 @@ cd securityonion-image/so-elastic-agent-builder docker build -t so-elastic-agent-builder . so-elastic-agent-gen-installers -/opt/so/conf/elastic-fleet/so_agent-installers/so-elastic-agent_linux \ No newline at end of file +salt-call state.apply elastic-fleet.install_agent_grid \ No newline at end of file diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elastic-fleet/install_agent_grid.sls index 36249a67f..0396f4db8 100644 --- a/salt/elastic-fleet/install_agent_grid.sls +++ b/salt/elastic-fleet/install_agent_grid.sls @@ -7,7 +7,7 @@ {% if not AGENT_STATUS %} run_installer: - cmd.run: - - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux + cmd.script: + - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux {% endif %} 
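Review bot: The policy id in the second `select(...)` is spelled `so-grid-ndoes`, which looks like a transposition of `so-grid-nodes`. The policy definition is not in this hunk, so confirm the intended id; if it is the latter, `GRIDNODESENROLLMENTOKEN` comes back empty and the pillar is written with `grid_enrollment: ''` and no error. Neither assignment checks the curl/jq result, so a guard before the `printf` such as `[ -n "$GRIDNODESENROLLMENTOKEN" ] || { echo "grid enrollment token not found" >&2; exit 1; }` (and the same for the endpoints token) would stop setup instead of storing an empty value. `contains(...)` also matches any policy id that merely includes the string, so an exact comparison, `select(.policy_id == "endpoints-default")`, is tighter. Both values are enrollment API keys appended in clear text to the minion pillar file, so a comment above the `printf` saying so, plus a check that `$pillar_file` is not world-readable, would help the next maintainer.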
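Review bot: The script now ends on `salt-call state.apply elastic-fleet.install_agent_grid`, and nothing checks whether the state succeeded. Depending on the Salt version, salt-call may not pass a failed state's return code through unless asked, so `salt-call --retcode-passthrough state.apply elastic-fleet.install_agent_grid` followed by an explicit check of `$?` would surface a failed agent install to whatever invokes this script. The removed line ran the installer from `/opt/so/conf/elastic-fleet/so_agent-installers/`, while the state in install_agent_grid.sls fetches `salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux`. Nothing visible in these hunks shows the output of `so-elastic-agent-gen-installers` being placed under the Salt file root, so confirm that the two paths resolve to the same file.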
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 6480c9e55..637e80cf7 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -70,7 +70,7 @@ kibana: - type: system/metrics enabled: false - name: Endpoints-Initial - id: endpoints + id: endpoints-default description: "Initial Endpoint Policy" namespace: default monitoring_enabled: ['logs'] From 3c50072690be00918e17e6d887a33609ca11a3ad Mon Sep 17 00:00:00 2001 
From: Wes Date: Wed, 7 Sep 2022 18:51:57 +0000 Subject: [PATCH 0007/1082] Add Elastic Agent component templates --- .../logs-elastic_agent.apm_server@custom.json | 12 + ...logs-elastic_agent.apm_server@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.auditbeat@custom.json | 12 + .../logs-elastic_agent.auditbeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.cloudbeat@custom.json | 12 + .../logs-elastic_agent.cloudbeat@package.json | 692 ++++++++++++++++++ ...lastic_agent.endpoint_security@custom.json | 12 + ...astic_agent.endpoint_security@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.filebeat@custom.json | 12 + .../logs-elastic_agent.filebeat@package.json | 681 +++++++++++++++++ ...ogs-elastic_agent.fleet_server@custom.json | 12 + ...gs-elastic_agent.fleet_server@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.heartbeat@custom.json | 12 + .../logs-elastic_agent.heartbeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.metricbeat@custom.json | 12 + ...logs-elastic_agent.metricbeat@package.json | 681 +++++++++++++++++ ...logs-elastic_agent.osquerybeat@custom.json | 12 + ...ogs-elastic_agent.osquerybeat@package.json | 681 +++++++++++++++++ .../logs-elastic_agent.packetbeat@custom.json | 12 + ...logs-elastic_agent.packetbeat@package.json | 674 +++++++++++++++++ .../logs-elastic_agent@custom.json | 12 + .../logs-elastic_agent@package.json | 681 +++++++++++++++++ 22 files changed, 7627 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json create mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json create mode 100644 
salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json 
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json 
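Review bot: Every `keyword` mapping in this new template carries the `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }` block twice in the same object, starting at `cloud.availability_zone` and repeating through `elastic_agent.version`. A duplicated key is at best redundant, and a JSON parser with strict duplicate detection will reject the whole document; how these templates are loaded is not visible here, so check that the component template is actually accepted by Elasticsearch. The fix is to keep one `"fields"` block per property and drop the second `, "fields": { ... }`. This looks like the output of a script applied twice, so fixing the generator is preferable to hand-editing. The same duplication appears in the auditbeat and cloudbeat `@package.json` templates added by this commit.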
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json new file mode 100644 index 000000000..85ba08239 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json 
@@ -0,0 +1,692 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { 
+"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + 
"ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { 
+"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": 
"keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": 
"text",
+"analyzer": "es_security_analyzer"}
+}
+ }
+ }
+ }
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json
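Review bot: Every `keyword` property in logs-elastic_agent.cloudbeat@package.json carries the `"fields": { "security": … }` member twice inside the same object, starting at `cloud.availability_zone` and repeating on each keyword field after it. Duplicate keys leave the document ambiguous: lenient parsers silently keep the last copy, while Elasticsearch has rejected duplicate JSON keys since 6.0, so the template may fail to load; verify against the deployed version. Each mapping should keep a single copy, `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }`; the endpoint_security, filebeat and fleet_server package templates in this patch show the same doubling, which suggests the step that injects the sub-field ran twice. Separately, `message` is mapped here as `keyword` with `"ignore_above": 1024` and `log.level`/`message` are missing from `default_field`, whereas the sibling templates use `"message": { "type": "text" }`; agent log lines longer than 1024 characters would not be indexed for search, so confirm that difference is intended.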
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json
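Review bot: The `whitespace_no_way` char filter in the `analysis` settings replaces each whitespace run with `$1`, and with the pattern `(\\s)+` that group holds the last character of the run rather than a fixed character. A value containing a tab or newline therefore normalizes differently from the same value written with a space, and a query on the `.security` sub-field for the space form would not match it. If `es_security_analyzer` is meant to give whitespace-insensitive matching, `"replacement": " "` yields one canonical form. The same settings block appears in the cloudbeat, filebeat and fleet_server package templates in this patch, and `path_hierarchy_pattern_filter` and `path_tokenizer` are defined but not referenced by any analyzer visible in this hunk.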
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
new file mode 100644
index 000000000..fe77af1db
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json
@@ -0,0 +1,12 @@
+{
+ "template": {
+ "settings": {}
+ },
+ "_meta": {
+ "package": {
+ "name": "elastic_agent"
+ },
+ "managed_by": "fleet",
+ "managed": true
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
new file mode 100644
index 000000000..bcd76b848
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json new file mode 100644 index 000000000..22fef0fb5 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json 
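Review bot: Every `keyword` property in the new `logs-elastic_agent.fleet_server@package.json` mappings (from `cloud.availability_zone` through `elastic_agent.version`) carries the `"fields": { "security": … }` block twice in the same object, so the file contains duplicate JSON keys. Duplicate names make the result parser-dependent, and as far as I know Elasticsearch parses request bodies with strict duplicate detection, so the template may be rejected on load and the `security` sub-field never created; this is worth confirming against a test cluster. Keep one `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }` per property, and fix the step that injects it so it does not run twice. The same duplication is in the `heartbeat@package.json` and `metricbeat@package.json` hunks and in the visible part of `osquerybeat@package.json`. `host.os.name` is the one keyword field that gets only a plain `text` sub-field and no `security` one, which looks unintended given that it is listed in `default_field`.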
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json 
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json 
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json new file mode 100644 index 000000000..591717165 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json 
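Review bot: Every keyword mapping in the added `logs-elastic_agent.osquerybeat@package.json` carries the `"fields"` key twice with an identical `security` sub-field, starting at `cloud.availability_zone` and repeating through `elastic_agent.version`. Duplicate keys make the object ambiguous JSON, and Elasticsearch's strict duplicate-key detection is expected to reject such a body, so the component template and its `es_security_analyzer` sub-fields may never be installed; this should be confirmed against the target Elasticsearch version. Each property should keep a single `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" } }`. The detached `+,` lines suggest the step that injects the sub-field ran twice, so the fix probably belongs in whatever generates these files. The same duplication is present in the `logs-elastic_agent.packetbeat@package.json` and `logs-elastic_agent@package.json` hunks that follow.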
@@ -0,0 +1,674 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json new file mode 100644 index 000000000..bcd76b848 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json 
@@ -0,0 +1,681 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + 
"image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": 
"es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": 
true + } +} From 6adcb4c968a6459584c0f6f1d4a19f9060b987c2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Sep 2022 15:38:55 -0400 Subject: [PATCH 0008/1082] Remove crossthestreams --- salt/utility/init.sls | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/salt/utility/init.sls b/salt/utility/init.sls index a131f0f54..1dec22208 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -2,17 +2,6 @@ {% if sls in allowed_states %} -# This state is for checking things - {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} -# Make sure Cross Cluster is good. Will need some logic once we have hot/warm -crossclusterson: - cmd.script: - - shell: /bin/bash - - cwd: /opt/so - - source: salt://utility/bin/crossthestreams - - template: jinja - - {% endif %} {% if grains['role'] in ['so-eval', 'so-import'] %} fixsearch: cmd.script: From 6d1bc78f7bf59034b546abd9126756b9b1d7137e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Sep 2022 15:41:21 -0400 Subject: [PATCH 0009/1082] Remove crossthestreams --- salt/utility/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/utility/init.sls b/salt/utility/init.sls index 1dec22208..7ca841dd3 100644 --- a/salt/utility/init.sls +++ b/salt/utility/init.sls @@ -1,7 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - {% if grains['role'] in ['so-eval', 'so-import'] %} fixsearch: cmd.script: From 5b65fdcc1cdddc878aea21d8050d8316264add88 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Sep 2022 15:42:22 -0400 Subject: [PATCH 0010/1082] Remove crossthestreams --- salt/utility/bin/crossthestreams | 42 -------------------------------- 1 file changed, 42 deletions(-) delete mode 100644 salt/utility/bin/crossthestreams diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams deleted file mode 100644 index 38b7ab09c..000000000 --- a/salt/utility/bin/crossthestreams +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/bash -{% set ES = salt['pillar.get']('global:managerip', '') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} - -# Wait for ElasticSearch to come up, so that we can query for version infromation -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 30 ]]; do - curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'" - echo - - exit -fi - -echo "Applying cross cluster search config..." - curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ - -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" - -# Add all the search nodes to cross cluster searching. -{%- if TRUECLUSTER is sameas false %} - {%- if salt['pillar.get']('nodestab', {}) %} - {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} -curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' - {%- endfor %} - {%- endif %} -{%- endif %} From 39ed582a7242abf8af544dd4f25ddca967bf90ad Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Wed, 7 Sep 2022 15:59:54 -0400 Subject: [PATCH 0011/1082] Update so-playbook-reset --- salt/common/tools/sbin/so-playbook-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset index 0ece18b54..9907e1807 100755 --- a/salt/common/tools/sbin/so-playbook-reset +++ b/salt/common/tools/sbin/so-playbook-reset @@ -15,4 +15,4 @@ salt-call state.apply playbook.db_init,playbook,playbook.automation_user_create echo "Importing Plays - this will take some time...." sleep 5 -/usr/sbin/so-playbook-ruleupdate +so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & From df6ba5cbe9e6ef18fe37e2922fabaf192cfda034 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 7 Sep 2022 16:19:16 -0400 Subject: [PATCH 0012/1082] initial salt relay script for comms with soc --- salt/soc/files/bin/salt-relay.sh | 71 ++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100755 salt/soc/files/bin/salt-relay.sh diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh new file mode 100755 index 000000000..558c68115 --- /dev/null +++ b/salt/soc/files/bin/salt-relay.sh 
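Review bot: The new last line of so-playbook-reset resolves `so-playbook-ruleupdate` through PATH, where the old line used the absolute `/usr/sbin/so-playbook-ruleupdate`. The log target under /root suggests the script runs as root, so the lookup now depends on whatever PATH the caller supplies. Keeping the absolute path with the new redirection, `/usr/sbin/so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &`, keeps the backgrounding without that dependency. Because the job is backgrounded, the script returns before the import finishes and its exit status is never checked, so a comment such as `# runs in background; check /root/setup_playbook_rule_update.log for errors` would help. The rest of the script is outside the hunk.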
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+PIPE_OWNER=${PIPE_OWNER:-socore}
+PIPE_GROUP=${PIPE_GROUP:-socore}
+SOC_PIPE=${SOC_PIPE_REQUEST:-/opt/so/conf/soc/salt.pipe}
+
+function log() {
+ echo "$(date) | $1"
+}
+
+function make_pipe() {
+ path=$1
+
+ log "Creating pipe: $path"
+ rm -f "${path}"
+ mkfifo "${path}"
+ chmod 0660 "${path}"
+ chown ${PIPE_OWNER}:${PIPE_GROUP} "${path}"
+}
+
+make_pipe "${SOC_PIPE}"
+
+function list_minions() {
+ response=$(so-minion -o=list)
+ exit_code=$?
+ if [[ $exit_code -eq 0 ]]; then
+ log "Successful command execution"
+ $(echo "$response" > "${SOC_PIPE}")
+ else
+ log "Unsuccessful command execution: $exit_code"
+ $(echo "false" > "${SOC_PIPE}")
+ fi
+}
+
+function manage_minion() {
+ command=$1
+ op=$2
+ minion=$3
+
+ response=$(so-minion "-o=$op" "-m=$minion")
+ exit_code=$?
+ if [[ exit_code -eq 0 ]]; then
+ log "Successful command execution"
+ $(echo "true" > "${SOC_PIPE}")
+ else
+ log "Unsuccessful command execution: $response ($exit_code)"
+ $(echo "false" > "${SOC_PIPE}")
+ fi
+}
+
+while true; do
+ log "Listening for request"
+ request=$(cat ${SOC_PIPE})
+ if [[ "$request" != "" ]]; then
+ log "Received request: ${request}"
+ case "$request" in
+ list-minions)
+ list_minions
+ ;;
+ manage-minion*)
+ manage_minion ${request}
+ ;;
+ *)
+ log "Unsupported command: $request"
+ $(echo "false" > "${SOC_PIPE}")
+ esac
+
+ # allow remote reader to get a clean reader before we try to read again on next loop
+ sleep 1
+ fi
+done
From f00aafdfb24548c407277f889c4fde29ec7defda Mon Sep 17 00:00:00 2001
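Review bot: Text read from the FIFO reaches `so-minion` without validation: `manage_minion ${request}` is unquoted, so the request is word-split and glob-expanded, and `op` and `minion` are then passed on as the `-o=` and `-m=` values unchecked. Any process that can write to the pipe (mode 0660, group `${PIPE_GROUP}`) therefore chooses the operation and the target. Parse the request with `read -r _ op minion <<< "$request"` and reject anything outside an allow-list before calling so-minion, for example `[[ "$minion" =~ ^[A-Za-z0-9._-]+$ ]] || { log "Rejected request"; echo "false" > "${SOC_PIPE}"; continue; }`, together with a fixed list of permitted `op` values (the valid set is not visible here). `request=$(cat ${SOC_PIPE})` should also quote the path, and the `$(echo … > "${SOC_PIPE}")` wrappers can be plain `echo` redirections.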
From: Josh Brower Date: Wed, 7 Sep 2022 16:57:11 -0400 Subject: [PATCH 0013/1082] Elastic Agent - move gen installers --- salt/common/tools/sbin/so-elastic-agent-gen-installers | 2 +- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- salt/elastic-fleet/files/so_agent-installers/readme | 2 ++ salt/elastic-fleet/install_agent_grid.sls | 4 +++- 4 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 salt/elastic-fleet/files/so_agent-installers/readme diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers index 837745050..9e579269d 100644 --- a/salt/common/tools/sbin/so-elastic-agent-gen-installers +++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers @@ -26,7 +26,7 @@ do docker run -e CGO_ENABLED=0 -e GOOS=$OS \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ - --mount type=bind,source=/opt/so/conf/elastic-fleet/so_agent-installers/,target=/output/ \ + --mount type=bind,source=/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/,target=/output/ \ so-elastic-agent-builder go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS printf "\n $OS Installer Generated..." done diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index c40699df2..e7f740783 100644 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
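Review bot: The changed bind mount in so-elastic-agent-gen-installers now writes the generated installers into `/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/`, a path that install_agent_grid.sls in the same commit serves as `salt://elastic-fleet/files/so_agent-installers/...`. The `go build` line bakes `main.enrollmentToken` into each binary. Presumably an installer carrying the enrollment token thereby becomes retrievable by every minion the Salt file server answers, not only the nodes meant to enroll. Confirm that this is intended and that the directory and its files get restrictive ownership and mode. An empty token would also be built in silently, so a guard before the loop such as `[ -n "$ENROLLMENTOKEN" ] || exit 1` is worth adding; the loop itself starts outside the hunk.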
@@ -56,7 +56,7 @@ printf "\n\n" #-d '{"name":"Endpoints-Initalization","id":"endpoints","description":"Initial Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-default")) | .api_key') -GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-ndoes")) | .api_key') +GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes")) | .api_key') # Store needed data in minion pillar pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls diff --git a/salt/elastic-fleet/files/so_agent-installers/readme b/salt/elastic-fleet/files/so_agent-installers/readme new file mode 100644 index 000000000..6d0509baa --- /dev/null +++ b/salt/elastic-fleet/files/so_agent-installers/readme @@ -0,0 +1,2 @@ +SO-Generated installers will be found under Salt local + diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elastic-fleet/install_agent_grid.sls index 0396f4db8..857e31315 100644 --- a/salt/elastic-fleet/install_agent_grid.sls +++ b/salt/elastic-fleet/install_agent_grid.sls 
@@ -2,12 +2,14 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. +{%- set GRIDNODETOKEN = salt['pillar.get']('elasticfleet:server:grid_enrollment') -%} {% set AGENT_STATUS = salt['service.available']('elastic-agent') %} {% if not AGENT_STATUS %} run_installer: cmd.script: - - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux + - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux + - args: -token={{ GRIDNODETOKEN }} {% endif %} From eeffded248a2c9dc684b184258749275e8a7ebe4 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 7 Sep 2022 21:23:04 +0000 Subject: [PATCH 0014/1082] Remove duplicate security subfield configuration from component templates --- ...logs-elastic_agent.apm_server@package.json | 186 +---------------- .../logs-elastic_agent.auditbeat@package.json | 186 +---------------- .../logs-elastic_agent.cloudbeat@package.json | 192 +----------------- ...astic_agent.endpoint_security@package.json | 186 +---------------- .../logs-elastic_agent.filebeat@package.json | 186 +---------------- ...gs-elastic_agent.fleet_server@package.json | 186 +---------------- .../logs-elastic_agent.heartbeat@package.json | 186 +---------------- ...logs-elastic_agent.metricbeat@package.json | 186 +---------------- ...ogs-elastic_agent.osquerybeat@package.json | 186 +---------------- ...logs-elastic_agent.packetbeat@package.json | 186 +---------------- .../logs-elastic_agent@package.json | 188 +---------------- 11 files changed, 56 insertions(+), 1998 deletions(-) diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json index bcd76b848..9fd8c928f 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json 
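Review bot: `- args: -token={{ GRIDNODETOKEN }}` in install_agent_grid.sls puts the Fleet enrollment token on the installer's command line, where it is likely to show up in the process list and in Salt's rendered state and job output. `pillar.get` is called without a default, so a missing `elasticfleet:server:grid_enrollment` renders as `-token=` and the installer still runs. Guard the state with `{% if not AGENT_STATUS and GRIDNODETOKEN %}`. If the installer can read the token from a file or the environment (not visible here), that would keep it out of argv; otherwise at least quote the value, `- args: "-token={{ GRIDNODETOKEN }}"`.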
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { + "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } 
@@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json index bcd76b848..9fd8c928f 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { + "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { 
@@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { 
@@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { 
@@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json index 85ba08239..c4874ed3c 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -97,12 +97,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { 
@@ -115,12 +109,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -135,12 +123,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -151,12 +133,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -169,12 +145,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -187,12 +157,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -207,12 +171,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -225,12 +183,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -243,12 +195,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -267,12 +213,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -285,12 +225,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -301,12 +235,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -327,12 +255,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -347,12 +269,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -380,12 +296,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -398,12 +308,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -414,12 +318,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -430,18 +328,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -455,12 +351,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -471,12 +361,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { 
@@ -487,12 +371,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -505,12 +383,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -527,12 +399,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -543,12 +409,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -559,12 +419,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -575,12 +429,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -591,12 +439,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -611,12 +453,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -627,12 +463,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -643,12 +473,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { 
@@ -671,12 +495,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { 
@@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { 
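Review bot: In the `@@ -432,18 +330,16 @@` hunk the new `security` subfield under the `name` field's `fields` is added at column 0 after an empty added line, while its sibling `"text": {` and the surrounding mapping appear to be indented; the `@@ -1,7 +1,7 @@` hunk of this file does the same to `"analysis": {`. Drop the empty line and indent `"security": {` to the level of `"text": {`, or run the template through a JSON formatter before committing. The unindented fragments suggest these templates are patched by text substitution, which is presumably how the second `"fields"` object that the other hunks remove got in. Writing the file with a JSON serializer and linting for duplicate keys would catch that case before the template is loaded, so a mapping cannot end up without the `es_security_analyzer` subfield that searches on these fields depend on. The same two hunks repeat in the filebeat, fleet_server, heartbeat, metricbeat and osquerybeat sections.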
@@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { 
@@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json index bcd76b848..36978b0d8 100644 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { 
@@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { 
@@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { 
@@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json index 22fef0fb5..f353ac542 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { 
@@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { 
@@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@package.json 
@@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { 
@@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { 
@@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json index bcd76b848..36978b0d8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { 
@@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { 
@@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json index 591717165..9e593d3f8 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { +"analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { @@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { 
@@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { @@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } 
@@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { @@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json index bcd76b848..7df3309b1 100644 
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json @@ -1,7 +1,7 @@ { "template": { "settings": { - "analysis": { + "analysis": { "analyzer": { "es_security_analyzer": { "type": "custom", @@ -39,7 +39,7 @@ } } }, - "index": { + "index": { "lifecycle": { "name": "logs" }, @@ -99,12 +99,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "image": { @@ -117,12 +111,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -137,12 +125,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -153,12 +135,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -171,12 +147,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "machine": { @@ -189,12 +159,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -209,12 +173,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -227,12 +185,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "account": { 
@@ -245,12 +197,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -269,12 +215,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -287,12 +227,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -303,12 +237,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "labels": { @@ -329,12 +257,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -349,12 +271,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -382,12 +298,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "os": { @@ -400,12 +310,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "kernel": { @@ -416,12 +320,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "codename": { 
@@ -432,18 +330,16 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "name": { "ignore_above": 1024, "type": "keyword", "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, "text": { "type": "text" } @@ -457,12 +353,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -473,12 +363,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "platform": { @@ -489,12 +373,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -507,12 +385,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "ip": { @@ -529,12 +401,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -545,12 +411,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "type": { @@ -561,12 +421,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "mac": { @@ -577,12 +431,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "architecture": { 
@@ -593,12 +441,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } } } @@ -613,12 +455,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "id": { @@ -629,12 +465,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "version": { @@ -645,12 +475,6 @@ "security": { "type": "text", "analyzer": "es_security_analyzer"} -} -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} } }, "snapshot": { From b39a5061ca20c578b00f4a35cdb05e3098a4c0bb Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 7 Sep 2022 21:26:43 +0000 Subject: [PATCH 0015/1082] Load Elastic Agent component templates (managed by Security Onion) --- .../tools/sbin/so-elasticsearch-templates-load | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load index e341c3d40..cb727a5d3 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load @@ -1,9 +1,7 @@ #!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. {%- set mainint = salt['pillar.get']('host:mainint') %} 
@@ -44,6 +42,11 @@ cd ${ELASTICSEARCH_TEMPLATES}/component/ecs echo "Loading ECS component templates..." for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done +cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent + +echo "Loading Elastic Agent component templates..." +for i in *; do TEMPLATE=${i::-5}; echo "so-$TEMPLATE"; so-elasticsearch-query _component_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done + # Load SO-specific component templates cd ${ELASTICSEARCH_TEMPLATES}/component/so From 86d60e444d483c170e4039a716d593b11e337dcf Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 8 Sep 2022 00:20:22 +0000 Subject: [PATCH 0016/1082] Add Elastic Agent index/template configuration to defaults file --- salt/elasticsearch/defaults.yaml | 374 +++++++++++++++++++++++++++++++ 1 file changed, 374 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 830d1372c..6fa356c61 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
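Review bot: The added `cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent` is unchecked, so if that directory is missing the new `for i in *` loop runs in the directory the script was already in (component/ecs, per the lines above it) and PUTs those files under `so-` names. `cd "${ELASTICSEARCH_TEMPLATES}/component/elastic-agent" || exit 1` prevents that. `TEMPLATE=${i::-5}` silently assumes every entry ends in `.json`; `for i in *.json` with `TEMPLATE=${i%.json}` and a quoted `-d@"$i"` states the assumption and survives odd file names. As in the ECS loop, `2>/dev/null` on `so-elasticsearch-query` hides the error output when a template is rejected, so a failed load looks the same as a successful one. The rest of the script is outside this hunk.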
@@ -60,6 +60,380 @@ elasticsearch: elasticsearch: deprecation: ERROR index_settings: + so-logs-elastic_agent.apm_server: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.apm_server-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.apm_server@package" + - "so-logs-elastic_agent.apm_server@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.auditbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.auditbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.auditbeat@package" + - "so-logs-elastic_agent.auditbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.cloudbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.cloudbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.cloudbeat@package" + - "so-logs-elastic_agent.cloudbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + 
managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.endpoint_security: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.endpoint_security-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.endpoint_security@package" + - "so-logs-elastic_agent.endpoint_security@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.filebeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.filebeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.filebeat@package" + - "so-logs-elastic_agent.filebeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.fleet_server: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.fleet_server-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.fleet_server@package" + - "so-logs-elastic_agent.fleet_server@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + 
managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.heartbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.heartbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.heartbeat@package" + - "so-logs-elastic_agent.heartbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent@package" + - "so-logs-elastic_agent@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.metricbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.metricbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.metricbeat@package" + - "so-logs-elastic_agent.metricbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + 
hidden: false + allow_custom_routing: false + so-logs-elastic_agent.osquerybeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.osquerybeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.osquerybeat@package" + - "so-logs-elastic_agent.osquerybeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.packetbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.packetbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.packetbeat@package" + - "so-logs-elastic_agent.packetbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false so-aws: warm: 7 close: 30 From 3785b97d95d8c9a1a2499fbed1bc8fb7b0643f08 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Sep 2022 08:48:49 -0400 Subject: [PATCH 0017/1082] so-status --- salt/common/tools/sbin/so-status | 301 +++++++++++++++++++++++++++++++ 1 file changed, 301 insertions(+) create mode 100644 salt/common/tools/sbin/so-status diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status new file mode 100644 index 000000000..596070e4e --- /dev/null +++ b/salt/common/tools/sbin/so-status 
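Review bot: Each new `composed_of` list names a `so-logs-elastic_agent.<dataset>@custom` component template plus `.fleet_globals-1` and `.fleet_agent_id_verification-1`, but the loader added in PATCH 0015 only PUTs the files found in component/elastic-agent, and the only files visible in these patches are `@package` ones. Elasticsearch rejects an index template that references a component template that does not exist, so confirm the `@custom` and Fleet templates are present before these index templates are applied. The `_meta` blocks say `managed_by: fleet` while the commit subjects describe the templates as managed by Security Onion; a comment above the first entry such as `# Security Onion-maintained copies of the Fleet elastic_agent log templates` would record which is intended. The eleven entries differ only in the dataset name, so generating them from a list would keep them from drifting apart.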
@@ -0,0 +1,301 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +if ! [ "$(id -u)" = 0 ]; then + echo "This command must be run as root" + exit 1 +fi + +display_help() { +cat < Date: Thu, 8 Sep 2022 10:26:39 -0400 Subject: [PATCH 0018/1082] Add salt relay --- salt/soc/init.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 151a817f6..0b9f0a2e1 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -92,6 +92,13 @@ socusersroles: - require: - sls: manager.sync_es_users +salt-relay: + cmd.run: + - env: + - SOC_PIPE: /opt/sensoroni/salt.pipe + - name: '/opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &' + - unless: ps -ef | grep salt-relay | grep -v grep + so-soc: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} @@ -106,6 +113,7 @@ so-soc: - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw + - /opt/so/conf/soc/salt.pipe:/opt/sensoroni/salt.pipe:rw {%- if salt['pillar.get']('nodestab', {}) %} - extra_hosts: {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} From b7bbe7d69f508f96a2dd1260937fbf9620fc7f94 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 8 Sep 2022 10:27:56 -0400 Subject: [PATCH 0019/1082] Add copyright notice --- salt/soc/files/bin/salt-relay.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 558c68115..732d48dc1 100755 --- a/salt/soc/files/bin/salt-relay.sh 
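Review bot: The `salt-relay` state launches the script from `cmd.run` with a trailing `&`, so nothing supervises it: if the relay exits it stays down until the next state run, and Salt never sees its exit status. The guard `unless: ps -ef | grep salt-relay | grep -v grep` matches any process whose command line contains `salt-relay` (someone tailing `salt-relay.log`, for instance), which would skip the start while the relay is not running. Running the relay as a systemd unit managed with `service.running` would give restart-on-failure and an exact liveness check, and would leave a clearer audit trail for a process that hands requests to Salt.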
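Review bot: The new bind mount exposes the host path `/opt/so/conf/soc/salt.pipe`, while the `salt-relay` state in the previous hunk sets `SOC_PIPE: /opt/sensoroni/salt.pipe` for a script that runs on the host; unless salt-relay.sh (its body is not in this patch) maps that to the same file, the two ends are on different paths. No `require` on `salt-relay` is visible for `so-soc`, and Docker creates a missing bind-mount source as a directory, so the pipe should exist before the container starts. Because the pipe is mounted `rw` and feeds a relay that presumably runs as root on the manager, the pipe's owner and mode and the relay's validation of what it reads are the barrier between the SOC container and Salt. A comment on the mount line, e.g. `# written by SOC, read by salt-relay.sh on the host; restrict to the SOC user`, would make that boundary explicit. The `so-soc` state continues outside this hunk.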
+++ b/salt/soc/files/bin/salt-relay.sh @@ -1,4 +1,8 @@ #!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. PIPE_OWNER=${PIPE_OWNER:-socore} PIPE_GROUP=${PIPE_GROUP:-socore} From 9c9509594ae0a3f87e55cfb493179aaaec426005 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Sep 2022 13:55:35 -0400 Subject: [PATCH 0020/1082] move endgamehost --- salt/kibana/bin/so-kibana-config-load | 2 +- setup/so-functions | 10 +--------- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index a642e9e55..73b83cece 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -5,7 +5,7 @@ # Elastic License 2.0. {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} -{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', 'ENDGAMEHOST') %} +{%- set ENDGAMEHOST = salt['pillar.get']('global:endgamehost', 'ENDGAMEHOST') %} . /usr/sbin/so-common check_file() { diff --git a/setup/so-functions b/setup/so-functions index 46833c081..37ae8743e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1455,15 +1455,6 @@ idstools_pillar() { soc_pillar() { touch $adv_soc_pillar_file - printf '%s\n'\ - "soc:"\ - " es_index_patterns: '*:so-*,*:endgame-*'"\ - "" > "$soc_pillar_file" - if [[ -n $ENDGAMEHOST ]]; then - printf '%s\n'\ - " endgamehost: '$ENDGAMEHOST'"\ - "" >> "$soc_pillar_file" - fi } manager_pillar() { 
@@ -1530,6 +1521,7 @@ create_global() { echo " pipeline: 'redis'" >> $global_pillar_file echo " repo_host: '$MAINIP'" >> $global_pillar_file echo " registry_host: '$MAINIP'" >> $global_pillar_file + echo " endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file } create_sensoroni_pillar() { From 8c12b2684785fd82dbe5077cd54c636a867e2d2e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Sep 2022 14:08:24 -0400 Subject: [PATCH 0021/1082] touch the soc file --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index 37ae8743e..ac7444cc8 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1455,6 +1455,7 @@ idstools_pillar() { soc_pillar() { touch $adv_soc_pillar_file + touch $soc_pillar_file } manager_pillar() { From 5bb001281bc686433d496dc062e7b7db13523ca6 Mon Sep 17 00:00:00 2001 
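Review bot: `echo " endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file` in `create_global` is unconditional, whereas the code removed from `soc_pillar` in this commit wrote the key only under `if [[ -n $ENDGAMEHOST ]]`. With no Endgame host configured the pillar now holds an empty string, so `salt['pillar.get']('global:endgamehost', 'ENDGAMEHOST')` in so-kibana-config-load returns `''` rather than its default. Keeping the guard, `if [[ -n $ENDGAMEHOST ]]; then echo " endgamehost: '$ENDGAMEHOST'" >> "$global_pillar_file"; fi`, preserves the earlier behaviour. The value is also written inside single quotes without escaping, so a quote character in the setup input would produce an invalid pillar file. `create_global` begins outside this hunk.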
From: m0duspwnens Date: Thu, 8 Sep 2022 15:57:18 -0400 Subject: [PATCH 0022/1082] soc defaults changes - client child of server --- salt/soc/defaults.yaml | 2213 +++++++++--------- salt/soc/files/soc/alerts.actions.json | 1 - salt/soc/files/soc/alerts.eventfields.json | 4 - salt/soc/files/soc/alerts.queries.json | 9 - salt/soc/files/soc/cases.eventfields.json | 3 - salt/soc/files/soc/cases.queries.json | 7 - salt/soc/files/soc/dashboards.queries.json | 46 - salt/soc/files/soc/default.annotation.yaml | 712 ------ salt/soc/files/soc/hunt.actions.json | 1 - salt/soc/files/soc/hunt.eventfields.json | 53 - salt/soc/files/soc/hunt.queries.json | 67 - salt/soc/files/soc/menu.actions.json | 41 - salt/soc/files/soc/presets.artifacttype.json | 20 - salt/soc/files/soc/presets.category.json | 7 - salt/soc/files/soc/presets.pap.json | 9 - salt/soc/files/soc/presets.severity.json | 9 - salt/soc/files/soc/presets.status.json | 8 - salt/soc/files/soc/presets.tag.json | 8 - salt/soc/files/soc/presets.tlp.json | 9 - salt/soc/files/soc/tools.json | 8 - salt/soc/init.sls | 10 - salt/soc/merged.map.jinja | 28 +- 22 files changed, 1128 insertions(+), 2145 deletions(-) delete mode 100644 salt/soc/files/soc/alerts.actions.json delete mode 100644 salt/soc/files/soc/alerts.eventfields.json delete mode 100644 salt/soc/files/soc/alerts.queries.json delete mode 100644 salt/soc/files/soc/cases.eventfields.json delete mode 100644 salt/soc/files/soc/cases.queries.json delete mode 100644 salt/soc/files/soc/dashboards.queries.json delete mode 100644 salt/soc/files/soc/default.annotation.yaml delete mode 100644 salt/soc/files/soc/hunt.actions.json delete mode 100644 salt/soc/files/soc/hunt.eventfields.json delete mode 100644 salt/soc/files/soc/hunt.queries.json delete mode 100644 salt/soc/files/soc/menu.actions.json delete mode 100644 salt/soc/files/soc/presets.artifacttype.json delete mode 100644 salt/soc/files/soc/presets.category.json delete mode 100644 salt/soc/files/soc/presets.pap.json delete 
mode 100644 salt/soc/files/soc/presets.severity.json delete mode 100644 salt/soc/files/soc/presets.status.json delete mode 100644 salt/soc/files/soc/presets.tag.json delete mode 100644 salt/soc/files/soc/presets.tlp.json delete mode 100644 salt/soc/files/soc/tools.json diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 9dce3fd8e..65765c8b8 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -17,7 +17,7 @@ soc: remoteHostUrls: [] username: password: - index: '*:so-*' + index: '*:so-*,*:endgame-*' cacheMs: 300000 verifyCert: false casesEnabled: true @@ -28,6 +28,7 @@ soc: org: '' bucket: telegraf verifyCert: false + salt: {} sostatus: refreshIntervalMs: 30000 offlineThresholdMs: 900000 
@@ -42,1112 +43,1112 @@ soc: - rbac/custom_roles userFiles: - rbac/users_roles - client: - docsUrl: https://docs.securityonion.net/en/2.3/ - cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf - releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes - apiTimeoutMs: 0 - webSocketTimeoutMs: 0 - tipTimeoutMs: 0 - cacheExpirationMs: 0 - casesEnabled: true - inactiveTools: ['toolUnused'] - tools: - - name: toolKibana - description: toolKibanaHelp - icon: fa-external-link-alt - target: so-kibana - link: /kibana/ - - name: toolGrafana - description: toolGrafanaHelp - icon: fa-external-link-alt - target: so-grafana - link: /grafana/d/so_overview - - name: toolCyberchef - description: toolCyberchefHelp - icon: fa-external-link-alt - target: so-cyberchef - link: /cyberchef/ - - name: toolPlaybook - description: toolPlaybookHelp - icon: fa-external-link-alt - target: so-playbook - link: /playbook/projects/detection-playbooks/issues/ - - name: toolFleet - description: toolFleetHelp - icon: fa-external-link-alt - target: so-fleet - link: /fleet/ - - name: toolNavigator - description: toolNavigatorHelp - icon: fa-external-link-alt - target: so-navigator - link: /navigator/ - hunt: - advanced: true - groupItemsPerPage: 10 - groupFetchLimit: 10 - eventItemsPerPage: 10 - eventFetchLimit: 100 - relativeTimeValue: 24 - relativeTimeUnit: 30 - mostRecentlyUsedLimit: 5 - ackEnabled: false - escalateEnabled: true - escalateRelatedEventsEnabled: true - eventFields: - default: - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - network.community_id - - event.dataset - ':kratos:audit': - - soc_timestamp - - http_request.headers.x-real-ip - - identity_id - - http_request.headers.user-agent - '::conn': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.protocol - - 
log.id.uid - - network.community_id - '::dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dce_rpc.endpoint - - dce_rpc.named_pipe - - dce_rpc.operation - - log.id.uid - '::dhcp': - - soc_timestamp - - client.address - - server.address - - host.domain - - host.hostname - - dhcp.message_types - - log.id.uid - '::dnp3': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.fc_reply - - log.id.uid - '::dns': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - dns.query.name - - dns.query.type_name - - dns.response.code_name - - log.id.uid - - network.community_id - '::dpd': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.protocol - - observer.analyser - - error.reason - - log.id.uid - '::file': - - soc_timestamp - - source.ip - - destination.ip - - file.name - - file.mime_type - - file.source - - file.bytes.total - - log.id.fuid - - log.id.uid - '::ftp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ftp.user - - ftp.command - - ftp.argument - - ftp.reply_code - - file.size - - log.id.uid - '::http': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - http.method - - http.virtual_host - - http.status_code - - http.status_message - - http.request.body.length - - http.response.body.length - - log.id.uid - - network.community_id - '::intel': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - intel.indicator - - intel.indicator_type - - intel.seen_where - - log.id.uid - '::irc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - irc.username - - irc.nickname - - irc.command.type - - irc.command.value - - irc.command.info - - log.id.uid - '::kerberos': - - soc_timestamp - - source.ip - - source.port - - 
destination.ip - - destination.port - - kerberos.client - - kerberos.service - - kerberos.request_type - - log.id.uid - '::modbus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - '::mysql': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - mysql.command - - mysql.argument - - mysql.success - - mysql.response - - log.id.uid - '::notice': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - notice.note - - notice.message - - log.id.fuid - - log.id.uid - - network.community_id - '::ntlm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ntlm.name - - ntlm.success - - ntlm.server.dns.name - - ntlm.server.nb.name - - ntlm.server.tree.name - - log.id.uid - '::pe': - - soc_timestamp - - file.is_64bit - - file.is_exe - - file.machine - - file.os - - file.subsystem - - log.id.fuid - '::radius': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - username - - radius.framed_address - - radius.reply_message - - radius.result - '::rdp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rdp.client_build - - client_name - - rdp.cookie - - rdp.encryption_level - - rdp.encryption_method - - rdp.keyboard_layout - - rdp.result - - rdp.security_protocol - - log.id.uid - '::rfb': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rfb.authentication.method - - rfb.authentication.success - - rfb.share_flag - - rfb.desktop.name - - log.id.uid - '::signatures': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - note - - signature_id - - event_message - - sub_message - - signature_count - - host.count - - log.id.uid - '::sip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - 
sip.method - - sip.uri - - sip.request.from - - sip.request.to - - sip.response.from - - sip.response.to - - sip.call_id - - sip.subject - - sip.user_agent - - sip.status_code - - log.id.uid - '::smb_files': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.fuid - - file.action - - file.path - - file.name - - file.size - - file.prev_name - - log.id.uid - '::smb_mapping': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smb.path - - smb.service - - smb.share_type - - log.id.uid - '::smtp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smtp.from - - smtp.recipient_to - - smtp.subject - - smtp.useragent - - log.id.uid - - network.community_id - '::snmp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - snmp.community - - snmp.version - - log.id.uid - '::socks': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - socks.name - - socks.request.host - - socks.request.port - - socks.status - - log.id.uid - '::software': - - soc_timestamp - - source.ip - - software.name - - software.type - '::ssh': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssh.version - - ssh.hassh_version - - ssh.direction - - ssh.client - - ssh.server - - log.id.uid - '::ssl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssl.server_name - - ssl.certificate.subject - - ssl.validation_status - - ssl.version - - log.id.uid - ':zeek:syslog': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - syslog.facility - - network.protocol - - syslog.severity - - log.id.uid - '::tunnels': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tunnel_type - - action - - log.id.uid - '::weird': - - soc_timestamp - - source.ip - - 
source.port - - destination.ip - - destination.port - - weird.name - - log.id.uid - '::x509': - - soc_timestamp - - x509.certificate.subject - - x509.certificate.key.type - - x509.certificate.key.length - - x509.certificate.issuer - - log.id.fuid - '::firewall': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.direction - - interface.name - - rule.action - - rule.reason - - network.community_id - ':osquery:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - ':strelka:file': - - soc_timestamp - - file.name - - file.size - - hash.md5 - - file.source - - file.mime_type - - log.id.fuid - ':suricata:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.category - - event.severity_label - - log.id.uid - - network.community_id - ':sysmon:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':windows_eventlog:': - - soc_timestamp - - user.name - ':elasticsearch:': - - soc_timestamp - - agent.name - - message - - log.level - - metadata.version - - metadata.pipeline - - event.dataset - ':kibana:': - - soc_timestamp - - host.name - - message - - kibana.log.meta.req.headers.x-real-ip - - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - 
wazuh.data.type - - log.full - - event.dataset - - event.module - ':syslog:syslog': - - soc_timestamp - - host.name - - metadata.ip_address - - real_message - - syslog.priority - - syslog.application - ':aws:': - - soc_timestamp - - aws.cloudtrail.event_category - - aws.cloudtrail.event_type - - event.provider - - event.action - - event.outcome - - cloud.region - - user.name - - source.ip - - source.geo.region_iso_code - ':squid:': - - soc_timestamp - - url.original - - destination.ip - - destination.geo.country_iso_code - - user.name - - source.ip - queryBaseFilter: - queryToggleFilters: - - name: caseExcludeToggle - filter: NOT _index:\"*:so-case*\" - enabled: true - queries: - - name: Default Query - description: Show all events grouped by the origin host - query: '* | groupby observer.name' - - name: Log Type - description: Show all events grouped by module and dataset - query: '* | groupby event.module event.dataset' - - name: SOC Auth - description: Users authenticated to SOC grouped by IP address and identity - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' - - name: Elastalerts - description: '' - query: '_type:elastalert | groupby rule.name' - - name: Alerts - description: Show all alerts grouped by alert source - query: 'event.dataset: alert | groupby event.module' - - name: NIDS Alerts - description: Show all NIDS alerts grouped by alert - query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' - - name: Wazuh/OSSEC Alerts - description: Show all Wazuh alerts at Level 5 or higher grouped by category - query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' - - name: Wazuh/OSSEC Alerts - description: Show all Wazuh alerts at Level 4 or lower grouped by category - query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' - - name: 
Wazuh/OSSEC Users and Commands - description: Show all Wazuh alerts grouped by username and command line - query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' - - name: Wazuh/OSSEC Processes - description: Show all Wazuh alerts grouped by process name - query: 'event.module:ossec AND event.dataset:alert | groupby process.name' - - name: Sysmon Events - description: Show all Sysmon logs grouped by event type - query: 'event.module:sysmon | groupby event.dataset' - - name: Sysmon Usernames - description: Show all Sysmon logs grouped by username - query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' - - name: Strelka - description: Show all Strelka logs grouped by file type - query: 'event.module:strelka | groupby file.mime_type' - - name: Zeek Notice - description: Show notices from Zeek - query: 'event.dataset:notice | groupby notice.note notice.message' - - name: Connections - description: Connections grouped by IP and Port - query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' - - name: Connections - description: Connections grouped by Service - query: 'event.dataset:conn | groupby network.protocol destination.port' - - name: Connections - description: Connections grouped by destination country - query: 'event.dataset:conn | groupby destination.geo.country_name' - - name: Connections - description: Connections grouped by source country - query: 'event.dataset:conn | groupby source.geo.country_name' - - name: DCE_RPC - description: DCE_RPC grouped by operation - query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' - - name: DHCP - description: DHCP leases - query: 'event.dataset:dhcp | groupby host.hostname client.address' - - name: DHCP - description: DHCP grouped by message type - query: 'event.dataset:dhcp | groupby dhcp.message_types' - - name: DNP3 - description: DNP3 grouped by reply - query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' - 
- name: DNS - description: DNS queries grouped by port - query: 'event.dataset:dns | groupby dns.query.name destination.port' - - name: DNS - description: DNS queries grouped by type - query: 'event.dataset:dns | groupby dns.query.type_name destination.port' - - name: DNS - description: DNS queries grouped by response code - query: 'event.dataset:dns | groupby dns.response.code_name destination.port' - - name: DNS - description: DNS highest registered domain - query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' - - name: DNS - description: DNS grouped by parent domain - query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' - - name: DPD - description: Dynamic Protocol Detection errors - query: 'event.dataset:dpd | groupby error.reason' - - name: Files - description: Files grouped by mimetype - query: 'event.dataset:file | groupby file.mime_type source.ip' - - name: Files - description: Files grouped by source - query: 'event.dataset:file | groupby file.source source.ip' - - name: FTP - description: FTP grouped by command and argument - query: 'event.dataset:ftp | groupby ftp.command ftp.argument' - - name: FTP - description: FTP grouped by username and argument - query: 'event.dataset:ftp | groupby ftp.user ftp.argument' - - name: HTTP - description: HTTP grouped by destination port - query: 'event.dataset:http | groupby destination.port' - - name: HTTP - description: HTTP grouped by status code and message - query: 'event.dataset:http | groupby http.status_code http.status_message' - - name: HTTP - description: HTTP grouped by method and user agent - query: 'event.dataset:http | groupby http.method http.useragent' - - name: HTTP - description: HTTP grouped by virtual host - query: 'event.dataset:http | groupby http.virtual_host' - - name: HTTP - description: HTTP with exe downloads - query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby 
http.virtual_host' - - name: Intel - description: Intel framework hits grouped by indicator - query: 'event.dataset:intel | groupby intel.indicator.keyword' - - name: IRC - description: IRC grouped by command - query: 'event.dataset:irc | groupby irc.command.type' - - name: KERBEROS - description: KERBEROS grouped by service - query: 'event.dataset:kerberos | groupby kerberos.service' - - name: MODBUS - description: MODBUS grouped by function - query: 'event.dataset:modbus | groupby modbus.function' - - name: MYSQL - description: MYSQL grouped by command - query: 'event.dataset:mysql | groupby mysql.command' - - name: NOTICE - description: Zeek notice logs grouped by note and message - query: 'event.dataset:notice | groupby notice.note notice.message' - - name: NTLM - description: NTLM grouped by computer name - query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' - - name: Osquery Live Queries - description: Osquery Live Query results grouped by computer name - query: 'event.dataset:live_query | groupby host.hostname' - - name: PE - description: PE files list - query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' - - name: RADIUS - description: RADIUS grouped by username - query: 'event.dataset:radius | groupby user.name.keyword' - - name: RDP - description: RDP grouped by client name - query: 'event.dataset:rdp | groupby client.name' - - name: RFB - description: RFB grouped by desktop name - query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' - - name: Signatures - description: Zeek signatures grouped by signature id - query: 'event.dataset:signatures | groupby signature_id' - - name: SIP - description: SIP grouped by user agent - query: 'event.dataset:sip | groupby client.user_agent' - - name: SMB_Files - description: SMB files grouped by action - query: 'event.dataset:smb_files | groupby file.action' - - name: SMB_Mapping - description: SMB mapping grouped by path - query: 'event.dataset:smb_mapping | groupby smb.path' - - 
name: SMTP - description: SMTP grouped by subject - query: 'event.dataset:smtp | groupby smtp.subject' - - name: SNMP - description: SNMP grouped by version and string - query: 'event.dataset:snmp | groupby snmp.community snmp.version' - - name: Software - description: List of software seen on the network - query: 'event.dataset:software | groupby software.type software.name' - - name: SSH - description: SSH grouped by version and client - query: 'event.dataset:ssh | groupby ssh.version ssh.client' - - name: SSL - description: SSL grouped by version and server name - query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' - - name: SYSLOG - description: 'SYSLOG grouped by severity and facility ' - query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' - - name: Tunnel - description: Tunnels grouped by type and action - query: 'event.dataset:tunnel | groupby tunnel.type event.action' - - name: Weird - description: Zeek weird log grouped by name - query: 'event.dataset:weird | groupby weird.name' - - name: x509 - description: x.509 grouped by key length and name - query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' - - name: x509 - description: x.509 grouped by name and issuer - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' - - name: x509 - description: x.509 grouped by name and subject - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' - - name: Firewall - description: Firewall events grouped by action - query: 'event.dataset:firewall | groupby rule.action' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module 
event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp + client: + docsUrl: https://docs.securityonion.net/en/2.3/ + cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf + releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes + apiTimeoutMs: 0 + webSocketTimeoutMs: 0 + tipTimeoutMs: 0 + cacheExpirationMs: 0 + casesEnabled: true + inactiveTools: ['toolUnused'] + tools: + - name: toolKibana + description: toolKibanaHelp icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - job: - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - 
'/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp + target: so-kibana + link: /kibana/ + - name: toolGrafana + description: toolGrafanaHelp icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - alerts: - advanced: false - groupItemsPerPage: 50 - groupFetchLimit: 500 - eventItemsPerPage: 50 - eventFetchLimit: 500 - relativeTimeValue: 24 - relativeTimeUnit: 30 - mostRecentlyUsedLimit: 5 - ackEnabled: true - escalateEnabled: true - escalateRelatedEventsEnabled: true - eventfields: - default: - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.gid - - rule.uuid - - rule.category - - rule.rev - ':ossec:': - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - 
source.port - - destination.ip - - destination.port - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - - process.name - queryBaseFilter: event.dataset:alert + target: so-grafana + link: /grafana/d/so_overview + - name: toolCyberchef + description: toolCyberchefHelp + icon: fa-external-link-alt + target: so-cyberchef + link: /cyberchef/ + - name: toolPlaybook + description: toolPlaybookHelp + icon: fa-external-link-alt + target: so-playbook + link: /playbook/projects/detection-playbooks/issues/ + - name: toolFleet + description: toolFleetHelp + icon: fa-external-link-alt + target: so-fleet + link: /fleet/ + - name: toolNavigator + description: toolNavigatorHelp + icon: fa-external-link-alt + target: so-navigator + link: /navigator/ + hunt: + advanced: true + groupItemsPerPage: 10 + groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + 
'::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - 
source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - 
destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - 
soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip 
+ - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: queryToggleFilters: - - name: acknowledged - filter: event.acknowledged:true - enabled: false - exclusive: true - - name: escalated - filter: event.escalated:true - enabled: false - exclusive: true - enablesToggles: - - acknowledged - queries: - - name: 'Group By Name, Module' - query: '* | groupby rule.name event.module event.severity_label' - - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' - query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' - - name: 'Group By Source IP, Name' - query: '* | groupby source.ip rule.name event.severity_label' - - name: 'Group By Source Port, Name' - query: '* | groupby source.port rule.name event.severity_label' - - name: 'Group By Destination IP, Name' - query: '* | groupby destination.ip rule.name event.severity_label' - - name: 'Group By Destination Port, Name' - query: '* | groupby destination.port rule.name event.severity_label' - - name: Ungroup - query: '*' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby 
event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' + - name: caseExcludeToggle + filter: NOT _index:\"*:so-case*\" + enabled: true + queries: + - name: Default Query + description: Show all events grouped by the origin host + query: '* | groupby observer.name' + - name: Log Type + description: Show all events grouped by module and dataset + query: '* | groupby event.module event.dataset' + - name: SOC Auth + description: Users authenticated to SOC grouped by IP address and identity + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + - name: Elastalerts + description: '' + query: '_type:elastalert | groupby rule.name' + - name: Alerts + description: Show all alerts grouped by alert source + query: 'event.dataset: alert | groupby event.module' + - name: NIDS Alerts + description: Show all NIDS alerts grouped by alert + query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 5 or higher grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 4 or 
lower grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Users and Commands + description: Show all Wazuh alerts grouped by username and command line + query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' + - name: Wazuh/OSSEC Processes + description: Show all Wazuh alerts grouped by process name + query: 'event.module:ossec AND event.dataset:alert | groupby process.name' + - name: Sysmon Events + description: Show all Sysmon logs grouped by event type + query: 'event.module:sysmon | groupby event.dataset' + - name: Sysmon Usernames + description: Show all Sysmon logs grouped by username + query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' + - name: Strelka + description: Show all Strelka logs grouped by file type + query: 'event.module:strelka | groupby file.mime_type' + - name: Zeek Notice + description: Show notices from Zeek + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: Connections + description: Connections grouped by IP and Port + query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' + - name: Connections + description: Connections grouped by Service + query: 'event.dataset:conn | groupby network.protocol destination.port' + - name: Connections + description: Connections grouped by destination country + query: 'event.dataset:conn | groupby destination.geo.country_name' + - name: Connections + description: Connections grouped by source country + query: 'event.dataset:conn | groupby source.geo.country_name' + - name: DCE_RPC + description: DCE_RPC grouped by operation + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' + - name: DHCP + description: DHCP leases + query: 'event.dataset:dhcp | groupby host.hostname client.address' + - name: DHCP + description: DHCP grouped by message type + query: 
'event.dataset:dhcp | groupby dhcp.message_types' + - name: DNP3 + description: DNP3 grouped by reply + query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' + - name: DNS + description: DNS queries grouped by port + query: 'event.dataset:dns | groupby dns.query.name destination.port' + - name: DNS + description: DNS queries grouped by type + query: 'event.dataset:dns | groupby dns.query.type_name destination.port' + - name: DNS + description: DNS queries grouped by response code + query: 'event.dataset:dns | groupby dns.response.code_name destination.port' + - name: DNS + description: DNS highest registered domain + query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' + - name: DNS + description: DNS grouped by parent domain + query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason' + - name: Files + description: Files grouped by mimetype + query: 'event.dataset:file | groupby file.mime_type source.ip' + - name: Files + description: Files grouped by source + query: 'event.dataset:file | groupby file.source source.ip' + - name: FTP + description: FTP grouped by command and argument + query: 'event.dataset:ftp | groupby ftp.command ftp.argument' + - name: FTP + description: FTP grouped by username and argument + query: 'event.dataset:ftp | groupby ftp.user ftp.argument' + - name: HTTP + description: HTTP grouped by destination port + query: 'event.dataset:http | groupby destination.port' + - name: HTTP + description: HTTP grouped by status code and message + query: 'event.dataset:http | groupby http.status_code http.status_message' + - name: HTTP + description: HTTP grouped by method and user agent + query: 'event.dataset:http | groupby http.method http.useragent' + - name: HTTP + description: HTTP grouped by virtual host + query: 'event.dataset:http | groupby http.virtual_host' + - name: HTTP 
+ description: HTTP with exe downloads + query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' + - name: Intel + description: Intel framework hits grouped by indicator + query: 'event.dataset:intel | groupby intel.indicator.keyword' + - name: IRC + description: IRC grouped by command + query: 'event.dataset:irc | groupby irc.command.type' + - name: KERBEROS + description: KERBEROS grouped by service + query: 'event.dataset:kerberos | groupby kerberos.service' + - name: MODBUS + description: MODBUS grouped by function + query: 'event.dataset:modbus | groupby modbus.function' + - name: MYSQL + description: MYSQL grouped by command + query: 'event.dataset:mysql | groupby mysql.command' + - name: NOTICE + description: Zeek notice logs grouped by note and message + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: NTLM + description: NTLM grouped by computer name + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' + - name: Osquery Live Queries + description: Osquery Live Query results grouped by computer name + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' + - name: RADIUS + description: RADIUS grouped by username + query: 'event.dataset:radius | groupby user.name.keyword' + - name: RDP + description: RDP grouped by client name + query: 'event.dataset:rdp | groupby client.name' + - name: RFB + description: RFB grouped by desktop name + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' + - name: Signatures + description: Zeek signatures grouped by signature id + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP grouped by user agent + query: 'event.dataset:sip | groupby client.user_agent' + - name: SMB_Files + description: SMB files grouped by action + query: 'event.dataset:smb_files | 
groupby file.action' + - name: SMB_Mapping + description: SMB mapping grouped by path + query: 'event.dataset:smb_mapping | groupby smb.path' + - name: SMTP + description: SMTP grouped by subject + query: 'event.dataset:smtp | groupby smtp.subject' + - name: SNMP + description: SNMP grouped by version and string + query: 'event.dataset:snmp | groupby snmp.community snmp.version' + - name: Software + description: List of software seen on the network + query: 'event.dataset:software | groupby software.type software.name' + - name: SSH + description: SSH grouped by version and client + query: 'event.dataset:ssh | groupby ssh.version ssh.client' + - name: SSL + description: SSL grouped by version and server name + query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' + - name: SYSLOG + description: 'SYSLOG grouped by severity and facility ' + query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' + - name: Tunnel + description: Tunnels grouped by type and action + query: 'event.dataset:tunnel | groupby tunnel.type event.action' + - name: Weird + description: Zeek weird log grouped by name + query: 'event.dataset:weird | groupby weird.name' + - name: x509 + description: x.509 grouped by key length and name + query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' + - name: x509 + description: x.509 grouped by name and issuer + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' + - name: x509 + description: x.509 grouped by name and subject + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' + - name: Firewall + description: Firewall events grouped by action + query: 'event.dataset:firewall | groupby rule.action' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab 
fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + job: + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - 
'/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + alerts: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 500 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: true + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventfields: + default: + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.gid + - rule.uuid + - rule.category + - rule.rev + ':ossec:': + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + - process.name + queryBaseFilter: event.dataset:alert + queryToggleFilters: + - name: acknowledged + filter: event.acknowledged:true + enabled: false + exclusive: true + - name: escalated + filter: event.escalated:true + enabled: false + exclusive: 
true + enablesToggles: + - acknowledged + queries: + - name: 'Group By Name, Module' + query: '* | groupby rule.name event.module event.severity_label' + - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' + query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' + - name: 'Group By Source IP, Name' + query: '* | groupby source.ip rule.name event.severity_label' + - name: 'Group By Source Port, Name' + query: '* | groupby source.port rule.name event.severity_label' + - name: 'Group By Destination IP, Name' + query: '* | groupby destination.ip rule.name event.severity_label' + - name: 'Group By Destination Port, Name' + query: '* | groupby destination.port rule.name event.severity_label' + - name: Ungroup + query: '*' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: 
actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' - cases: - advanced: false - groupItemsPerPage: 50 - groupFetchLimit: 100 - eventItemsPerPage: 50 - eventFetchLimit: 500 - relativeTimeValue: 12 - relativeTimeUnit: 60 - mostRecentlyUsedLimit: 5 - ackEnabled: false - escalateEnabled: false - escalateRelatedEventsEnabled: false - viewEnabled: true - createLink: /case/create - eventFields: - default: - - soc_timestamp - - so_case.title - - so_case.status - - so_case.severity - - so_case.assigneeId - - so_case.createTime - queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' - queryToggleFilters: [] - queries: - - name: Open Cases - query: 'NOT so_case.status:closed AND NOT so_case.category:template' - - name: Closed Cases - query: 'so_case.status:closed AND NOT so_case.category:template' - - name: My Open Cases - query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - - name: My Closed Cases - query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - - name: Templates - query: 'so_case.category:template' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module 
event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - case: - mostRecentlyUsedLimit: 5 - renderAbbreviatedCount: 30 - presets: - artifactType: - labels: - - autonomous-system - - domain - - file - - filename - - fqdn - - hash - - ip - - mail - - mail_subject - - other - - regexp - - registry - - uri_path - - url - - user-agent - customEnabled: true - category: - labels: - - general - - template - customEnabled: true - pap: - labels: - - white - - green - - amber - - red - customEnabled: false - severity: - labels: - - low - - medium - - high - - critical - customEnabled: false - status: - labels: - - new - - in progress - - closed - customEnabled: false - tags: - labels: - - false-positive - - confirmed - - pending - customEnabled: true - tlp: - labels: - - white - - green - - amber - - red - customEnabled: false + cases: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 100 + 
eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 12 + relativeTimeUnit: 60 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: false + escalateRelatedEventsEnabled: false + viewEnabled: true + createLink: /case/create + eventFields: + default: + - soc_timestamp + - so_case.title + - so_case.status + - so_case.severity + - so_case.assigneeId + - so_case.createTime + queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' + queryToggleFilters: [] + queries: + - name: Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template' + - name: Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template' + - name: My Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: My Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: Templates + query: 'so_case.category:template' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - 
'/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + case: + mostRecentlyUsedLimit: 5 + renderAbbreviatedCount: 30 + presets: + artifactType: + labels: + - autonomous-system + - domain + - file + - filename + - fqdn + - hash + - ip + - mail + - mail_subject + - other + - regexp + - registry + - uri_path + - url + - user-agent + customEnabled: true + category: + labels: + - general + - template + customEnabled: true + pap: + labels: + - white + - green + - amber + - red + customEnabled: false + severity: + labels: + - low + - medium + - high + - critical + customEnabled: false + status: + labels: + - new + - in progress + - closed + customEnabled: false + tags: + labels: + - false-positive + - confirmed + - pending + customEnabled: true + tlp: + labels: + - white + - green + - amber + - red + customEnabled: false diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json deleted file mode 100644 index 1addf23c6..000000000 --- a/salt/soc/files/soc/alerts.actions.json +++ /dev/null @@ -1 +0,0 @@ -This file is no longer used. Please use menu.actions.json instead. diff --git a/salt/soc/files/soc/alerts.eventfields.json b/salt/soc/files/soc/alerts.eventfields.json deleted file mode 100644 index 36fb15afe..000000000 --- a/salt/soc/files/soc/alerts.eventfields.json +++ /dev/null 
@@ -1,4 +0,0 @@
-{
- "default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"],
- ":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ]
-}
\ No newline at end of file
diff --git a/salt/soc/files/soc/alerts.queries.json b/salt/soc/files/soc/alerts.queries.json
deleted file mode 100644
index 0e74adad8..000000000
--- a/salt/soc/files/soc/alerts.queries.json
+++ /dev/null
@@ -1,9 +0,0 @@
-[
- { "name": "Group By Name, Module", "query": "* | groupby rule.name event.module event.severity_label" },
- { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label" },
- { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name event.severity_label" },
- { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name event.severity_label" },
- { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name event.severity_label" },
- { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name event.severity_label" },
- { "name": "Ungroup", "query": "*" }
-]
diff --git a/salt/soc/files/soc/cases.eventfields.json b/salt/soc/files/soc/cases.eventfields.json
deleted file mode 100644
index f04c50b94..000000000
--- a/salt/soc/files/soc/cases.eventfields.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "default": ["soc_timestamp", "so_case.title", "so_case.status", "so_case.severity", "so_case.assigneeId", "so_case.createTime"]
-}
\ No newline at end of file
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
deleted file mode 100644
index 59bd2672f..000000000
--- a/salt/soc/files/soc/cases.queries.json
+++ /dev/null
@@ -1,7 +0,0 @@
-[
- { "name": "Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template" },
- { "name": "Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template" },
- { "name": "My Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
- { "name": "My Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
- { "name": "Templates", "query": "so_case.category:template" }
-]
\ No newline at end of file
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
deleted file mode 100644
index 7169fd472..000000000
--- a/salt/soc/files/soc/dashboards.queries.json
+++ /dev/null
@@ -1,46 +0,0 @@
-[
- { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
- { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
- { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
- { "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
- { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
- { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
- { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
- { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
- { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"},
- { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
- { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
- { "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"},
- { "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
- { "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "SYSLOG", "description": "SYSLOG logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
- { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
- { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
-]
diff --git a/salt/soc/files/soc/default.annotation.yaml b/salt/soc/files/soc/default.annotation.yaml
deleted file mode 100644
index f78488035..000000000
--- a/salt/soc/files/soc/default.annotation.yaml
+++ /dev/null
@@ -1,712 +0,0 @@ -### Elasticsearch Nodes ### -elasticsearch.esheap: - default: 4192 - global: false - type: int - nodes: - - manager - - searchnode - -elasticsearch.config.node.attr.box_type: - default: hot - global: false - type: bool - options: - - hot - - warm - nodes: - - manager - - searchnode - -## Elasticsearch Global ## -elasticsearch.config.cluster.name: - default: securityonion - global: true - type: string - -elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled: - default: true - global: true - type: bool - options: - - true - - false - -elasticsearch.config.cluster.routing.allocation.disk.watermark.low: -elasticsearch.config.cluster.routing.allocation.disk.watermark.high: -elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage: - - - - - - - - - -elasticsearch:"\ - config:"\ - cluster:"\ - name: $ESCLUSTERNAME"\ - routing:"\ - allocation:"\ - " disk:"\ - " threshold_enabled: true"\ - " watermark:"\ - " low: 80%"\ - " high: 85%"\ - " flood_stage: 90%"\ - " script:"\ - " max_compilations_rate: 20000/1m"\ - " indices:"\ - " query:"\ - " bool:"\ - " max_clause_count: 3500"\ - " index_settings:"\ - " so-aws:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-azure:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-barracuda:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " 
number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-beats:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-bluecoat:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cef:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-checkpoint:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cisco:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cyberark:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cylance:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " 
total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-elasticsearch:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-endgame:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-f5:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-firewall:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-fortinet:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-gcp:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-google_workspace:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " 
index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-ids:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-imperva:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-import:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-infoblox:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-juniper:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-kibana:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-logstash:"\ - " warm: 7"\ - " 
close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-microsoft:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-misp:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - - " so-netflow:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-netscout:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-o365:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-okta:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " 
number_of_replicas: 0"\ - " so-osquery:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-proofpoint:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-radware:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-redis:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-snort:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-snyk:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-sonicwall:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - 
" refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-sophos:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-strelka:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-syslog:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-tomcat:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-zeek:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-zscaler:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365" - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ \ No newline at end of file 
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
deleted file mode 100644
index 1addf23c6..000000000
--- a/salt/soc/files/soc/hunt.actions.json
+++ /dev/null
@@ -1 +0,0 @@
-This file is no longer used. Please use menu.actions.json instead.
diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json
deleted file mode 100644
index 418cd4d87..000000000
--- a/salt/soc/files/soc/hunt.eventfields.json
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- "default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset" ],
- ":kratos:audit": ["soc_timestamp", "http_request.headers.x-real-ip", "identity_id", "http_request.headers.user-agent" ],
- "::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ],
- "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
- "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ],
- "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ],
- "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ],
- "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ],
- "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ],
- "::ftp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ftp.user", "ftp.command", "ftp.argument", "ftp.reply_code", "file.size", "log.id.uid" ],
- "::http": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "http.method", "http.virtual_host", "http.status_code", "http.status_message", "http.request.body.length", "http.response.body.length", "log.id.uid", "network.community_id" ],
- "::intel": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "intel.indicator", "intel.indicator_type", "intel.seen_where", "log.id.uid" ],
- "::irc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "irc.username", "irc.nickname", "irc.command.type", "irc.command.value", "irc.command.info", "log.id.uid" ],
- "::kerberos": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "kerberos.client", "kerberos.service", "kerberos.request_type", "log.id.uid" ],
- "::modbus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
- "::mysql": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "mysql.command", "mysql.argument", "mysql.success", "mysql.response", "log.id.uid" ],
- "::notice": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "notice.note", "notice.message", "log.id.fuid", "log.id.uid", "network.community_id" ],
- "::ntlm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ntlm.name", "ntlm.success", "ntlm.server.dns.name", "ntlm.server.nb.name", "ntlm.server.tree.name", "log.id.uid" ],
- "::pe": ["soc_timestamp", "file.is_64bit", "file.is_exe", "file.machine", "file.os", "file.subsystem", "log.id.fuid" ],
- "::radius": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "username", "radius.framed_address", "radius.reply_message", "radius.result" ],
- "::rdp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rdp.client_build", "client_name", "rdp.cookie", "rdp.encryption_level", "rdp.encryption_method", "rdp.keyboard_layout", "rdp.result", "rdp.security_protocol", "log.id.uid" ],
- "::rfb": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rfb.authentication.method", "rfb.authentication.success", "rfb.share_flag", "rfb.desktop.name", "log.id.uid" ],
- "::signatures" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", "signature_id", "event_message", "sub_message", "signature_count", "host.count", "log.id.uid" ],
- "::sip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "sip.method", "sip.uri", "sip.request.from", "sip.request.to", "sip.response.from", "sip.response.to", "sip.call_id", "sip.subject", "sip.user_agent", "sip.status_code", "log.id.uid" ],
- "::smb_files" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.fuid", "file.action", "file.path", "file.name", "file.size", "file.prev_name", "log.id.uid" ],
- "::smb_mapping" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smb.path", "smb.service", "smb.share_type", "log.id.uid" ],
- "::smtp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smtp.from", "smtp.recipient_to", "smtp.subject", "smtp.useragent", "log.id.uid", "network.community_id" ],
- "::snmp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "snmp.community", "snmp.version", "log.id.uid" ],
- "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ],
- "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ],
- "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ],
- "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
- ":zeek:syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ],
- "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
- "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ],
- "::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.fuid" ],
- "::firewall": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.direction", "interface.name", "rule.action", "rule.reason", "network.community_id" ],
- ":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
- ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ],
- ":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ],
- ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
- ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
- ":windows_eventlog:": ["soc_timestamp", "user.name" ],
- ":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
- ":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
- "::rootcheck": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
- "::ossec": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
- "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ],
- ":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
- ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
- ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ]
- }
diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json
deleted file mode 100644
index ed82c10a4..000000000
--- a/salt/soc/files/soc/hunt.queries.json
+++ /dev/null
@@ -1,67 +0,0 @@ -[ - { "name": "Default Query", "showSubtitle": true, "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, - { "name": "Log Type", "showSubtitle": true, "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"}, - { "name": "SOC Auth", "showSubtitle": true, "description": "Users authenticated to SOC grouped by IP address and identity", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id"}, - { "name": "Elastalerts", "showSubtitle": true, "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name alert_info.type"}, - { "name": "Alerts", "showSubtitle": true, "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"}, - { "name": "NIDS Alerts", "showSubtitle": true, "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"}, - { "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 5 or higher grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name"}, - { "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 4 or lower grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name"}, - { "name": "Wazuh/OSSEC Users and Commands", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by username and command line", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line"}, - { "name": "Wazuh/OSSEC Processes", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by process name", 
"query": "event.module:ossec AND event.dataset:alert | groupby process.name"}, - { "name": "Sysmon Events", "showSubtitle": true, "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, - { "name": "Sysmon Usernames", "showSubtitle": true, "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, - { "name": "Strelka", "showSubtitle": true, "description": "Show all Strelka logs grouped by file type", "query": "event.module:strelka | groupby file.mime_type"}, - { "name": "Zeek Notice", "showSubtitle": true, "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"}, - { "name": "DCE_RPC", "showSubtitle": true, "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, - { "name": "DHCP", "showSubtitle": true, "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, - { "name": "DHCP", "showSubtitle": true, "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, - { "name": "DNP3", "showSubtitle": true, "description": 
"DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, - { "name": "DPD", "showSubtitle": true, "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"}, - { "name": "Files", "showSubtitle": true, "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, - { "name": "Files", "showSubtitle": true, "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, - { "name": "FTP", "showSubtitle": true, "description": "FTP grouped by command and argument", "query": "event.dataset:ftp | groupby ftp.command ftp.argument"}, - { "name": "FTP", "showSubtitle": true, "description": "FTP grouped by username and argument", "query": "event.dataset:ftp | groupby ftp.user ftp.argument"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by destination port", "query": "event.dataset:http | groupby destination.port"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by status code and message", "query": "event.dataset:http | 
groupby http.status_code http.status_message"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"}, - { "name": "Intel", "showSubtitle": true, "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"}, - { "name": "IRC", "showSubtitle": true, "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"}, - { "name": "Kerberos", "showSubtitle": true, "description": "Kerberos grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"}, - { "name": "MODBUS", "showSubtitle": true, "description": "MODBUS grouped by function", "query": "event.dataset:modbus | groupby modbus.function"}, - { "name": "MYSQL", "showSubtitle": true, "description": "MYSQL grouped by command", "query": "event.dataset:mysql | groupby mysql.command"}, - { "name": "NOTICE", "showSubtitle": true, "description": "Zeek notice logs grouped by note and message", "query": "event.dataset:notice | groupby notice.note notice.message"}, - { "name": "NTLM", "showSubtitle": true, "description": "NTLM grouped by computer name", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name"}, - { "name": "Osquery Live Queries", "showSubtitle": true, "description": "Osquery Live Query results grouped by computer name", "query": "event.dataset:live_query | groupby host.hostname"}, - { "name": "PE", "showSubtitle": true, "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os 
file.subsystem"}, - { "name": "RADIUS", "showSubtitle": true, "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"}, - { "name": "RDP", "showSubtitle": true, "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"}, - { "name": "RFB", "showSubtitle": true, "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"}, - { "name": "Signatures", "showSubtitle": true, "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"}, - { "name": "SIP", "showSubtitle": true, "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"}, - { "name": "SMB_Files", "showSubtitle": true, "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"}, - { "name": "SMB_Mapping", "showSubtitle": true, "description": "SMB mapping grouped by path", "query": "event.dataset:smb_mapping | groupby smb.path"}, - { "name": "SMTP", "showSubtitle": true, "description": "SMTP grouped by subject", "query": "event.dataset:smtp | groupby smtp.subject"}, - { "name": "SNMP", "showSubtitle": true, "description": "SNMP grouped by version and string", "query": "event.dataset:snmp | groupby snmp.community snmp.version"}, - { "name": "Software", "showSubtitle": true, "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"}, - { "name": "SSH", "showSubtitle": true, "description": "SSH grouped by version and client", "query": "event.dataset:ssh | groupby ssh.version ssh.client"}, - { "name": "SSL", "showSubtitle": true, "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"}, - { "name": "SYSLOG", "showSubtitle": true, "description": "SYSLOG grouped by severity and facility ", "query": 
"event.dataset:syslog | groupby syslog.severity_label syslog.facility_label"}, - { "name": "Tunnel", "showSubtitle": true, "description": "Tunnels grouped by type and action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"}, - { "name": "Weird", "showSubtitle": true, "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"}, - { "name": "x509", "showSubtitle": true, "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"}, - { "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"}, - { "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and subject", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"}, - { "name": "Firewall", "showSubtitle": true, "description": "Firewall events grouped by action", "query": "event.dataset:firewall | groupby rule.action"} - ] diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json deleted file mode 100644 index 8af63f2a8..000000000 --- a/salt/soc/files/soc/menu.actions.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', False) %} -[ - { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", - "links": [ - "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset" - ]}, - { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", - "links": [ - "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", - "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", - "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", - "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" - ]}, - { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "", - "links": [ - "/joblookup?esid={:soc_id}&time={:@timestamp}", - "/joblookup?ncid={:network.community_id}&time={:@timestamp}" - ], - "categories": ["hunt", "alerts"]}, - { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank", - "links": [ - "/cyberchef/#input={value|base64}" - ]}, - { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank", - "links": [ - "https://www.google.com/search?q={value}" - ]}, - { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank", - "links": [ - "https://www.virustotal.com/gui/search/{value}" - ]} - {%- if ENDGAMEHOST %} - ,{ "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", "icon": "fa-external-link-alt", 
"target": "_blank", - "links": [ - "https://{{ ENDGAMEHOST }}/endpoints/{:agent.id}" - ]} - {% endif %} -] diff --git a/salt/soc/files/soc/presets.artifacttype.json b/salt/soc/files/soc/presets.artifacttype.json deleted file mode 100644 index 4afa16c28..000000000 --- a/salt/soc/files/soc/presets.artifacttype.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "labels": [ - "autonomous-system", - "domain", - "file", - "filename", - "fqdn", - "hash", - "ip", - "mail", - "mail_subject", - "other", - "regexp", - "registry", - "uri_path", - "url", - "user-agent" - ], - "customEnabled": true -} diff --git a/salt/soc/files/soc/presets.category.json b/salt/soc/files/soc/presets.category.json deleted file mode 100644 index 191be77f5..000000000 --- a/salt/soc/files/soc/presets.category.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "labels": [ - "general", - "template" - ], - "customEnabled": true -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.pap.json b/salt/soc/files/soc/presets.pap.json deleted file mode 100644 index 6ef37164d..000000000 --- a/salt/soc/files/soc/presets.pap.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "labels": [ - "white", - "green", - "amber", - "red" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.severity.json b/salt/soc/files/soc/presets.severity.json deleted file mode 100644 index 516d07bd3..000000000 --- a/salt/soc/files/soc/presets.severity.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "labels": [ - "low", - "medium", - "high", - "critical" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.status.json b/salt/soc/files/soc/presets.status.json deleted file mode 100644 index 239d14901..000000000 --- a/salt/soc/files/soc/presets.status.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "labels": [ - "new", - "in progress", - "closed" - ], - "customEnabled": false -} \ No newline at end of file 
diff --git a/salt/soc/files/soc/presets.tag.json b/salt/soc/files/soc/presets.tag.json deleted file mode 100644 index 545b513f8..000000000 --- a/salt/soc/files/soc/presets.tag.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "labels": [ - "false-positive", - "confirmed", - "pending" - ], - "customEnabled": true -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.tlp.json b/salt/soc/files/soc/presets.tlp.json deleted file mode 100644 index 6ef37164d..000000000 --- a/salt/soc/files/soc/presets.tlp.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "labels": [ - "white", - "green", - "amber", - "red" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/tools.json b/salt/soc/files/soc/tools.json deleted file mode 100644 index b53f112e5..000000000 --- a/salt/soc/files/soc/tools.json +++ /dev/null @@ -1,8 +0,0 @@ -[ - { "name": "toolKibana", "description": "toolKibanaHelp", "icon": "fa-external-link-alt", "target": "so-kibana", "link": "/kibana/" }, - { "name": "toolGrafana", "description": "toolGrafanaHelp", "icon": "fa-external-link-alt", "target": "so-grafana", "link": "/grafana/d/so_overview" }, - { "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" }, - { "name": "toolPlaybook", "description": "toolPlaybookHelp", "icon": "fa-external-link-alt", "target": "so-playbook", "link": "/playbook/projects/detection-playbooks/issues/" }, - { "name": "toolFleet", "description": "toolFleetHelp", "icon": "fa-external-link-alt", "target": "so-fleet", "link": "/fleet/" }, - { "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" } -] \ No newline at end of file diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 0b9f0a2e1..55bb70f21 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls 
@@ -30,16 +30,6 @@ soclogdir: - makedirs: True -socactions: - file.managed: - - name: /opt/so/conf/soc/menu.actions.json - - source: salt://soc/files/soc/menu.actions.json - - user: 939 - - group: 939 - - mode: 600 - - template: jinja - - socconfig: file.managed: - name: /opt/so/conf/soc/soc.json diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 7a6754f11..93c7d0e01 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -5,9 +5,9 @@ {# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #} {% if SOCMERGED.server.modules.cases != 'soc' %} {% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %} -{% do SOCMERGED.client.update({'casesEnabled': false}) %} -{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %} -{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %} +{% do SOCMERGED.server.client.update({'casesEnabled': false}) %} +{% do SOCMERGED.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %} +{% do SOCMERGED.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %} {% if SOCMERGED.server.modules.cases == 'elasticcases' %} {% do SOCMERGED.server.modules.update({ 'elasticcases': { @@ -23,7 +23,7 @@ {# change some options if this is airgap #} {% if GLOBALS.airgap %} -{% do SOCMERGED.client.update({ +{% do SOCMERGED.server.client.update({ 'docsUrl': '/docs/', 'cheatsheetUrl': '/docs/cheatsheet.pdf', 'releaseNotesUrl': '/docs/#release-notes' 
@@ -32,11 +32,25 @@ {% endif %} {% if pillar.manager.playbook == 0 %} -{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %} +{% do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} -{% do SOCMERGED.client.inactiveTools.append('toolFleet') %} +{% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %} {% if pillar.manager.grafana == 0 %} -{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %} +{% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %} +{% endif %} + +{% if pillar.global.endgamehost is defined %} +{% set endgame_dict = { + "name": "Endgame", + "description": "Endgame Endpoint Investigation and Response", + "icon": "fa-external-link-alt", + "target": "_blank", + "links": ["https://{{ pillar.global.endgamehost }}/endpoints/{:agent.id}"] + } +%} +{% for action in SOCMERGED.server.client.job.actions %} +{% do SOCMERGED.server.client.job.actions.update(action, endgame_dict)%} +{% endfor %} {% endif %} From 5ccc103083acea98d1d5fa97ccb8fe7acf2ffd1c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 9 Sep 2022 14:31:04 -0400 Subject: [PATCH 0023/1082] fix soc dashboards and things --- salt/soc/defaults.yaml | 914 +++++++++++++++++++++++++++++--------- salt/soc/merged.map.jinja | 24 +- 2 files changed, 728 insertions(+), 210 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 65765c8b8..aefe6d00f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
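Review bot: The `links` entry of the added `endgame_dict` will not contain the host. `{{ pillar.global.endgamehost }}` sits inside a string literal within a `{% set %}` statement, where Jinja does not evaluate expression delimiters, so the URL keeps the literal braces unless this output is rendered a second time. Build it by concatenation instead: `"links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"]`. The loop below it calls `actions.update(action, endgame_dict)`, which neither a list nor a dict accepts with two positional arguments; if `actions` is a list, as it is in defaults.yaml, a single `{% do SOCMERGED.server.client.job.actions.append(endgame_dict) %}` with no loop looks like the intent. The guard is now `is defined` rather than the truthiness test the removed menu.actions.json used, so an empty `endgamehost` value would add an action with a hostless URL; `{% if pillar.global.endgamehost | default(false) %}` restores the truthiness test.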
@@ -1,5 +1,52 @@ soc: logFilename: /opt/sensoroni/logs/sensoroni-server.log + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' server: bindAddress: 0.0.0.0:9822 baseUrl: / 
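Review bot: `target:` is left without a value under actionHunt, actionCorrelate and actionPcap, which YAML loads as null, whereas the removed menu.actions.json had `"target": ""` for the same three actions. If this map is serialized back to JSON for the SOC client, those entries become `null` instead of an empty string, and whether the client treats the two alike is not visible here. Writing `target: ''` on those three entries keeps the previous value.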
@@ -800,101 +847,661 @@ soc: - name: Firewall description: Firewall events grouped by action query: 'event.dataset:firewall | groupby rule.action' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' + dashboards: + advanced: true + groupItemsPerPage: 10 + groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 0 + ackEnabled: false + 
escalateEnabled: true + escalateRelatedEventsEnabled: true + aggregationActionsEnabled: false + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - 
http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - 
rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + 
- soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + 
':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: + queryToggleFilters: + - name: caseExcludeToggle, + filter: 'NOT _index:"*:so-case*"' + enabled: true + queries: + - name: Overview + description: Overview of all events + query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SOC Auth + description: Show all SOC authentication logs + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + - name: Elastalerts + description: Elastalert logs + query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' + - name: 
Alerts + description: Show all alerts + query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NIDS Alerts + description: NIDS alerts + query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Wazuh/OSSEC + description: Wazuh/OSSEC HIDS alerts and logs + query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full' + - name: Sysmon + description: Sysmon logs + query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line' + - name: Strelka + description: Strelka logs + query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source' + - name: Zeek Notice + description: Zeek Notice logs + query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Connections + description: Connection logs + query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes' + - name: DCE_RPC + description: DCE_RPC logs + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DHCP + description: Dynamic 
Host Configuration Protocol leases + query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address' + - name: DNP3 + description: DNP3 logs + query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DNS + description: Domain Name System queries + query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' + - name: Files + description: Files seen in network traffic + query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip' + - name: FTP + description: File Transfer Protocol logs + query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: HTTP + description: Hyper Text Transport Protocol logs + query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Intel + description: Zeek Intel framework hits + query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: IRC + 
description: Internet Relay Chat logs + query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Kerberos + description: Kerberos logs + query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: MODBUS + description: MODBUS logs + query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: MYSQL + description: MYSQL logs + query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NOTICE + description: Zeek notice logs + query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NTLM + description: NTLM logs + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Osquery Live Queries + description: Osquery Live Query results + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' + - name: RADIUS + description: RADIUS logs + query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: RDP + description: RDP logs + query: 
'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: RFB + description: RFB logs + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Signatures + description: Zeek signatures + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP logs + query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMB_Files + description: SMB files + query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMB_Mapping + description: SMB mapping logs + query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMTP + description: SMTP logs + query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SNMP + description: SNMP logs + query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Software + description: List of software seen on the network by Zeek + query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip' + - name: SSH + description: SSH connections seen by Zeek + query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SSL + description: SSL logs + query: 'event.dataset:ssl | groupby ssl.version | 
groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SYSLOG + description: SYSLOG logs + query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Tunnel + description: Tunnels seen by Zeek + query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Weird + description: Weird network traffic seen by Zeek + query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port ' + - name: x509 + description: x.509 certificates seen by Zeek + query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' + - name: Firewall + description: Firewall logs + query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' job: - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR 
"{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' alerts: advanced: false groupItemsPerPage: 50 @@ -935,18 +1542,18 @@ soc: - user.escalated - location - process.name - queryBaseFilter: event.dataset:alert - queryToggleFilters: - - name: acknowledged - filter: event.acknowledged:true - enabled: false - exclusive: true - - name: escalated - filter: event.escalated:true - enabled: false - exclusive: true - enablesToggles: - - acknowledged + queryBaseFilter: event.dataset:alert + queryToggleFilters: + - name: acknowledged + filter: event.acknowledged:true + enabled: false + exclusive: true + - name: escalated + filter: event.escalated:true + enabled: false + exclusive: true + enablesToggles: + - acknowledged queries: - name: 'Group By Name, Module' query: '* | groupby rule.name event.module event.severity_label' 
@@ -962,54 +1569,6 @@ soc: query: '* | groupby destination.port rule.name event.severity_label' - name: Ungroup query: '*' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - cases: advanced: false groupItemsPerPage: 50 
@@ -1045,53 +1604,6 @@ soc: query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - name: Templates query: 'so_case.category:template' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' case: mostRecentlyUsedLimit: 5 renderAbbreviatedCount: 30 diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 93c7d0e01..878ea72e6 100644 --- a/salt/soc/merged.map.jinja 
+++ b/salt/soc/merged.map.jinja @@ -27,7 +27,7 @@ 'docsUrl': '/docs/', 'cheatsheetUrl': '/docs/cheatsheet.pdf', 'releaseNotesUrl': '/docs/#release-notes' - }) + }) %} {% endif %} @@ -41,16 +41,22 @@ {% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %} {% endif %} + +{% set standard_actions = SOCMERGED.pop('actions') %} {% if pillar.global.endgamehost is defined %} -{% set endgame_dict = { - "name": "Endgame", - "description": "Endgame Endpoint Investigation and Response", - "icon": "fa-external-link-alt", +{% set endgame_dict = { + "name": "Endgame", + "description": "Endgame Endpoint Investigation and Response", + "icon": "fa-external-link-alt", "target": "_blank", - "links": ["https://{{ pillar.global.endgamehost }}/endpoints/{:agent.id}"] + "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"] } %} -{% for action in SOCMERGED.server.client.job.actions %} -{% do SOCMERGED.server.client.job.actions.update(action, endgame_dict)%} -{% endfor %} +{% do standard_actions.append(endgame_dict) %} {% endif %} + +{% do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %} +{% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %} From 0f2e9764aba279bbf4e79e8fd353d52976f6235f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 9 Sep 2022 14:39:20 -0400 Subject: [PATCH 0024/1082] add saltPipe --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index aefe6d00f..31a35a618 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
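Review bot: The five `update` calls at the end of the second hunk run unconditionally and hand the same `standard_actions` list to hunt, dashboards, job, alerts and cases, so any `actions` list already present under one of those sections (for example from a pillar merge earlier in the file, which this hunk does not show) is replaced without notice. If that is intended, say so in the template with a comment such as `{# actions are global; section-level actions are intentionally overwritten #}`; if not, set the key only where it is absent. `SOCMERGED.pop('actions')` has no default, so a merged dict without a top-level `actions` key fails the render; `{% set standard_actions = SOCMERGED.pop('actions', []) %}` degrades more gently. The Endgame link shown to analysts is built from `pillar.global.endgamehost`, so that pillar value needs the same change control as the rest of the SOC configuration.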
@@ -75,11 +75,11 @@ soc: org: '' bucket: telegraf verifyCert: false - salt: {} + salt: + saltPipe: /opt/sensoroni/salt.pipe sostatus: refreshIntervalMs: 30000 offlineThresholdMs: 900000 - statickeyauth: anonymousCidr: apiKey: From b5fb7596b070c08ecfdd41cf568e5c7592013acb Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 9 Sep 2022 14:44:41 -0400 Subject: [PATCH 0025/1082] add salt bind for soc --- salt/soc/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 55bb70f21..ed86e1fdf 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -104,6 +104,7 @@ so-soc: - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/salt.pipe:/opt/sensoroni/salt.pipe:rw + - /opt/so/saltstack:/opt/so/saltstack:rw {%- if salt['pillar.get']('nodestab', {}) %} - extra_hosts: {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} From 921d644a0bd0813970d11ed1560504b0007f4b30 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 9 Sep 2022 15:05:31 -0400 Subject: [PATCH 0026/1082] Elastic Fleet wrapper --- salt/elastic-fleet/init.sls | 7 +------ salt/kibana/defaults.yaml | 3 +++ salt/nginx/init.sls | 2 +- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index a4b8fbf3d..6059da3cb 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -15,17 +15,12 @@ elasticfleetdir: - name: /opt/so/conf/elastic-fleet/state - makedirs: True -elasticagentinstallersdir: - file.directory: - - name: /opt/so/conf/elastic-fleet/so_agent-installers - - makedirs: True - {% if SERVICETOKEN != '' %} so-elastic-fleet: docker_container.running: - image: docker.elastic.co/beats/elastic-agent:8.4.1 - name: so-elastic-fleet - - hostname: elastic-fleet-{{ GLOBALS.hostname }} + - hostname: Fleet-{{ GLOBALS.hostname }} - detach: True - user: root - extra_hosts: 
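Review bot: The bind added in salt/soc/init.sls, `- /opt/so/saltstack:/opt/so/saltstack:rw`, gives the so-soc container write access to the whole Salt file tree, so anything able to write files from inside the SOC web application can alter states that Salt later applies on the host and presumably on other grid nodes. If SOC only has to edit local overrides, mount the narrowest subtree it writes to, for example `- /opt/so/saltstack/local:/opt/so/saltstack/local:rw`, and leave the rest unmounted or read-only. Together with the existing `salt.pipe` bind this makes the container a path into configuration management, so a comment above the bind stating why write access is needed would help later reviewers. The so-soc state starts and ends outside this hunk.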
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 637e80cf7..2e9869c4e 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -47,6 +47,7 @@ kibana: - name: SO-Manager id: so-manager description: "SO Manager Fleet Server Policy" + is_managed: true namespace: default is_default_fleet_server: true monitoring_enabled: ['logs'] @@ -58,6 +59,7 @@ kibana: id: so-grid-nodes description: "SO Grid Node Policy" namespace: default + is_managed: true monitoring_enabled: ['logs'] package_policies: - name: osquery-grid-nodes @@ -72,6 +74,7 @@ kibana: - name: Endpoints-Initial id: endpoints-default description: "Initial Endpoint Policy" + is_managed: true namespace: default monitoring_enabled: ['logs'] package_policies: diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 72386561b..f5791fdd6 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -92,7 +92,7 @@ so-nginx: - /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/run:rw - - /opt/so/conf/elastic-fleet/so_agent-installers:/opt/socore/html/packages + - /opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/:/opt/socore/html/packages {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro From 74ef6c0ed065fa5bf374f78f8bc3fcf08e0a8d2b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 15:30:28 -0400 Subject: [PATCH 0027/1082] Fix yaml for idh,es,kib,esalert --- salt/elastalert/defaults.yaml | 5 - salt/elastalert/elastalert_config.map.jinja | 8 +- salt/elasticsearch/config.map.jinja | 3 + salt/elasticsearch/defaults.yaml | 377 -------------------- salt/idh/defaults/defaults.yaml | 1 - salt/idh/opencanary_config.map.jinja | 4 +- salt/kibana/config.map.jinja | 3 + salt/kibana/defaults.yaml | 5 +- 8 files changed, 16 insertions(+), 390 deletions(-) 
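Review bot: The packages bind changed in salt/nginx/init.sls has no mode suffix, so Docker mounts it read-write, and it now exposes a directory inside the Salt file tree to the so-nginx container. As far as this hunk shows nginx only serves the installers, so the bind should end in `:ro`: `- /opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/:/opt/socore/html/packages:ro`. The same commit removes the `elasticagentinstallersdir` state and no state creating the new path is visible here; if none exists, Docker creates the missing host directory itself, owned by root. The binds list continues outside the hunk.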
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index f21bab4c3..fe53b52c2 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -3,8 +3,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} elastalert: config: rules_folder: /opt/elastalert/rules/ @@ -16,7 +14,6 @@ elastalert: minutes: 10 old_query_limit: minutes: 5 - es_host: {{salt['pillar.get']('global:managerip', '')}} es_port: 9200 es_conn_timeout: 55 max_query_size: 5000 @@ -26,8 +23,6 @@ elastalert: use_ssl: true verify_certs: false #es_send_get_body_as: GET - es_username: "{{ ES_USER }}" - es_password: "{{ ES_PASS }}" writeback_index: elastalert_status alert_time_limit: days: 2 diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja index 270872fee..2b9895e1b 100644 --- a/salt/elastalert/elastalert_config.map.jinja +++ b/salt/elastalert/elastalert_config.map.jinja @@ -1,4 +1,8 @@ -{% import_yaml 'elastalert/defaults.yaml' as elastalert_defaults with context %} +{% import_yaml 'elastalert/defaults.yaml' as ELASTALERT with context %} {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} -{% do salt['defaults.merge'](elastalert_defaults.elastalert.config, elastalert_pillar, in_place=True) %} \ No newline at end of file +{% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %} + +{% do ELASTALERT.elastalert.config.update({'es_host': pillar.global.managerip}) %} +{% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} +{% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} 
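Review bot: The three `update` calls added to elastalert_config.map.jinja read `pillar.global.managerip` and `pillar.elasticsearch.auth.users.so_elastic_user.user`/`.pass` by attribute access, while the lines removed from defaults.yaml used `salt['pillar.get'](..., '')` with an empty default, so a minion whose pillar lacks one of these keys no longer gets an empty string and may fail to render. Keeping the lookup with a default preserves the old behaviour, e.g. `{% do ELASTALERT.elastalert.config.update({'es_host': salt['pillar.get']('global:managerip', '')}) %}`. Because the updates run after `defaults.merge`, they also override any `es_host`, `es_username` or `es_password` supplied under the `elastalert:config` pillar; a short comment saying that these three keys are not overridable would make that explicit.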
diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index 86b9c47ae..7cd79e7b9 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -31,6 +31,9 @@ {# merge with the elasticsearch pillar #} {% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %} +{% do ESCONFIG.elasticsearch.config.node.update({'name': grains.host}) %} +{% do ESCONFIG.elasticsearch.config.cluster.update({'name': grains.host}) %} +{% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': grains.host}) %} {% if salt['pillar.get']('elasticsearch:config:path:repo', False) %} {% for repo in pillar.elasticsearch.config.path.repo %} diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 6fa356c61..96206fddd 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,11 +1,9 @@ elasticsearch: config: node: - name: {{ grains.host }} attr: box_type: hot cluster: - name: {{ grains.host }} routing: allocation: disk: @@ -22,7 +20,6 @@ elasticsearch: destructive_requires_name: true transport: bind_host: 0.0.0.0 - publish_host: {{ grains.host }} publish_port: 9300 xpack: ml: 
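Review bot: The three `update` calls added to salt/elasticsearch/config.map.jinja dereference `ESCONFIG.elasticsearch.config.*` directly after `ESCONFIG` is rebound to the result of `salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True)`, which appears to be the config dict itself rather than the whole defaults document. If so, `ESCONFIG.elasticsearch.config.node` no longer resolves at that point; either move the updates above the `set`, or address the rebound value, e.g. `{% do ESCONFIG.node.update({'name': grains.host}) %}` and likewise for `cluster` and `transport`. The salt/idh/opencanary_config.map.jinja hunk in the same commit has the same shape: `OPENCANARYCONFIG.idh.opencanary.config.update({'device.node_id': grains.host})` follows the `set` that rebinds `OPENCANARYCONFIG`. The surrounding template continues outside both hunks, so this should be confirmed by rendering the maps.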
@@ -60,380 +57,6 @@ elasticsearch: elasticsearch: deprecation: ERROR index_settings: - so-logs-elastic_agent.apm_server: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.apm_server-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.apm_server@package" - - "so-logs-elastic_agent.apm_server@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.auditbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.auditbeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.auditbeat@package" - - "so-logs-elastic_agent.auditbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.cloudbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.cloudbeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.cloudbeat@package" - - "so-logs-elastic_agent.cloudbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - 
managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.endpoint_security: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.endpoint_security-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.endpoint_security@package" - - "so-logs-elastic_agent.endpoint_security@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.filebeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.filebeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.filebeat@package" - - "so-logs-elastic_agent.filebeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.fleet_server: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.fleet_server-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.fleet_server@package" - - "so-logs-elastic_agent.fleet_server@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - 
managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.heartbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.heartbeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.heartbeat@package" - - "so-logs-elastic_agent.heartbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent@package" - - "so-logs-elastic_agent@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.metricbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.metricbeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.metricbeat@package" - - "so-logs-elastic_agent.metricbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - 
hidden: false - allow_custom_routing: false - so-logs-elastic_agent.osquerybeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.osquerybeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.osquerybeat@package" - - "so-logs-elastic_agent.osquerybeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false - so-logs-elastic_agent.packetbeat: - index_sorting: False - index_template: - index_patterns: - - "logs-elastic_agent.packetbeat-*" - template: - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - mappings: - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - composed_of: - - "so-logs-elastic_agent.packetbeat@package" - - "so-logs-elastic_agent.packetbeat@custom" - - ".fleet_globals-1" - - ".fleet_agent_id_verification-1" - priority: 500 - _meta: - package: - name: elastic_agent - managed_by: fleet - managed: true - data_stream: - hidden: false - allow_custom_routing: false so-aws: warm: 7 close: 30 diff --git a/salt/idh/defaults/defaults.yaml b/salt/idh/defaults/defaults.yaml index 673b18c55..e5b966c10 100644 --- a/salt/idh/defaults/defaults.yaml +++ b/salt/idh/defaults/defaults.yaml @@ -1,7 +1,6 @@ idh: opencanary: config: - device.node_id: {{ grains.host }} logger: class: PyLogger kwargs: diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja index dbd2fbad5..c4533682d 100644 --- a/salt/idh/opencanary_config.map.jinja +++ b/salt/idh/opencanary_config.map.jinja 
@@ -6,4 +6,6 @@ {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %} {% endfor %} -{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} \ No newline at end of file +{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} +{% do OPENCANARYCONFIG.idh.opencanary.config.update({'device.node_id': grains.host}) %} + diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index 32768a5eb..eee52025c 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja @@ -1,6 +1,9 @@ {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %} {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} +{% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ pillar.global.url_base ~ '/kibana'}) %} +{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': 'https://' ~ pillar.global.managerip ~ ':9200'}) %} + {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% if salt['pillar.get']('kibana:secrets') %} diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 637e80cf7..c713f27e2 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -5,10 +5,7 @@ kibana: name: kibana host: "0.0.0.0" basePath: /kibana - publicBaseUrl: https://{{salt['pillar.get']('global:url_base')}}/kibana elasticsearch: - hosts: - - https://{{salt['pillar.get']('global:managerip')}}:9200 ssl: verificationMode: none requestTimeout: 90000 @@ -70,7 +67,7 @@ kibana: - type: system/metrics enabled: false - name: Endpoints-Initial - id: endpoints-default + id: endpoints description: "Initial Endpoint Policy" namespace: default monitoring_enabled: ['logs'] 
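Review bot: The added `{% do OPENCANARYCONFIG.idh.opencanary.config.update(...) %}` runs after the `set` on the line before it has rebound OPENCANARYCONFIG to the value of `idh:opencanary:config`, so the name presumably no longer has an `idh` key and the lookup will fail at render time. Either set the node id before the pillar merge or update the merged dict directly: `{% do OPENCANARYCONFIG.update({'device.node_id': grains.host}) %}`. Applying it after the merge also means a pillar value for `device.node_id` is always overwritten by `grains.host`; a one-line Jinja comment saying that this is intentional would help the next reader.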
From 1f3b1702132a53d506d68755ca7a91f88884f0f6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 15:36:57 -0400 Subject: [PATCH 0028/1082] Fix yaml for idh,es,kib,esalert --- salt/kibana/config.map.jinja | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index eee52025c..3d285d40d 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja @@ -2,7 +2,7 @@ {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} {% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ pillar.global.url_base ~ '/kibana'}) %} -{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': 'https://' ~ pillar.global.managerip ~ ':9200'}) %} +{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ pillar.global.managerip ~ ':9200']}) %} {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index c713f27e2..317cb6730 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -67,7 +67,7 @@ kibana: - type: system/metrics enabled: false - name: Endpoints-Initial - id: endpoints + id: endpoints-default description: "Initial Endpoint Policy" namespace: default monitoring_enabled: ['logs'] From 9a08decadb56c76d2cec7243a5066f5ea27cdc52 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 9 Sep 2022 15:41:20 -0400 Subject: [PATCH 0029/1082] remove jinja from influxdb defaults.yaml --- salt/influxdb/defaults.yaml | 8 -------- salt/influxdb/map.jinja | 9 +++++++++ 2 files changed, 9 insertions(+), 8 deletions(-) create mode 100644 salt/influxdb/map.jinja diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml index c89257c53..177ebdfa2 100644 
--- a/salt/influxdb/defaults.yaml +++ b/salt/influxdb/defaults.yaml @@ -1,5 +1,3 @@ -{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %} - influxdb: retention_policies: so_short_term: @@ -13,9 +11,3 @@ influxdb: downsample: so_long_term: resolution: 5m -{% if measurements|length > 0 %} - measurements: - {% for measurement in measurements.splitlines() %} - - {{ measurement }} - {% endfor %} -{% endif %} diff --git a/salt/influxdb/map.jinja b/salt/influxdb/map.jinja new file mode 100644 index 000000000..a13d4c257 --- /dev/null +++ b/salt/influxdb/map.jinja @@ -0,0 +1,9 @@ +{% import_yaml 'influxdb/defaults.yaml' as INFLUXDB %} +{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %} + +{% if measurements|length > 0 %} +{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%} +{% for measurement in measurements.splitlines() %} +{% do INFLUXDB.influxdb.downsample.so_long_term.measurements.append(measurement)%} +{% endfor %} +{% endif %} From e2eaefab6eb30e4ca69050a3a8c33ea12b9800c8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 15:45:13 -0400 Subject: [PATCH 0030/1082] Fix yaml for idh,es,kib,esalert --- salt/elastalert/defaults.yaml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index fe53b52c2..6a051354e 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml 
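Review bot: The `update('measurements': [])` call in the new map.jinja is not valid Jinja, because a dict literal needs braces, so the template looks set to fail to compile regardless of what the query returns. It should read `{% do INFLUXDB.influxdb.downsample.so_long_term.update({'measurements': []}) %}`. The `cmd.shell` line also carries over `-unsafeSsl`, so the influx client does not verify the server certificate for this query. That may be acceptable for a local `docker exec`, but a comment stating the assumption, and that stderr goes to /root/measurement_query.log, would make the trade-off explicit.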
@@ -1,8 +1,3 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - elastalert: config: rules_folder: /opt/elastalert/rules/ @@ -17,12 +12,8 @@ elastalert: es_port: 9200 es_conn_timeout: 55 max_query_size: 5000 - #aws_region: us-east-1 - #profile: test - #es_url_prefix: elasticsearch use_ssl: true verify_certs: false - #es_send_get_body_as: GET writeback_index: elastalert_status alert_time_limit: days: 2 From 16f2059f17e49b1e9f61de9989a549f27c094e23 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 15:46:48 -0400 Subject: [PATCH 0031/1082] Fix yaml for idh,es,kib,esalert --- salt/curator/defaults.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 68c2b07d7..17c5170fd 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml @@ -1,8 +1,3 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - elasticsearch: index_settings: so-aws: From 037d5d1c460e373b172e6837412307cd2dca41d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 15:55:51 -0400 Subject: [PATCH 0032/1082] Fix yaml for idh,es,kib,esalert --- salt/elastalert/init.sls | 2 +- salt/elastalert/soc_elastalert.yaml | 18 +++++++++--------- salt/influxdb/soc_influxdb.yaml | 10 +++++----- salt/kibana/soc_kibana.yaml | 2 +- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 3184c5c5c..309894b18 100644 
--- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -4,7 +4,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% from 'elastalert/elastalert_config.map.jinja' import elastalert_defaults as elastalert_config with context %} +{% from 'elastalert/elastalert_config.map.jinja' import ELASTALERT as elastalert_config with context %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index bb7f20300..4d381d9da 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -1,25 +1,25 @@ elastalert: config: - disable_rules_on_error: false + disable_rules_on_error: description: Disable rules on failure. run_every: - minutes: 3 + minutes: description: Amount of time in minutes between searches. buffer_time: - minutes: 10 + minutes: description: Amount of time in minutes to look through. old_query_limit: - minutes: 5 + minutes: description: Amount of time in minutes between queries to start at the most recently run query. - es_conn_timeout: 55 + es_conn_timeout: description: Timeout in seconds for connecting to and reading from Elasticsearch. - max_query_size: 5000 + max_query_size: description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. alert_time_limit: - days: 2 + days: description: The retry window for failed alerts. index_settings: - shards: 1 + shards: description: The amount of shards to use for elastalert. - replicas: 0 + replicas: description: The amount of replicas for the Elastalert index. diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 5dc8ef763..8e52e9b02 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml 
@@ -1,16 +1,16 @@ influxdb: retention_policies: so_short_term: - duration: 30d + duration: description: Amount of time to keep short term data. - shard_duration: 1d + shard_duration: description: Time range so_long_term: - duration: 0d + duration: description: Amount of time to keep long term downsampled data. - shard_duration: 7d + shard_duration: description: Amount of the time range covered by the shard group. downsample: so_long_term: - resolution: 5m + resolution: description: Amount of time to turn into a single data point. \ No newline at end of file diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index 80e15df85..dd0e87734 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -1,5 +1,5 @@ kibana: config: elasticsearch: - requestTimeout: 90000 + requestTimeout: description: Request timeout length. From 57c303b9ca34e451b1976f294d33b68352e7d6ac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 16:23:32 -0400 Subject: [PATCH 0033/1082] Create advanced files --- setup/so-variables | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-variables b/setup/so-variables index a24f70e3c..861506b09 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -81,10 +81,10 @@ export whiptail_title mkdir -p $local_salt_dir/pillar/minions -for THEDIR in elasticsearch redis backup strelka sensoroni curator soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh +for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert do mkdir -p $local_salt_dir/pillar/$THEDIR - touch $local_salt_dir/pillar/$THEDIR adv.$THEDIR.sls + touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls done global_pillar_file="$local_salt_dir/pillar/soc_global.sls" From 8a7b194f2b44ea42ec6a4a25c5bbb79695f60603 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 9 Sep 2022 16:24:41 -0400 Subject: [PATCH 0034/1082] Create advanced files --- setup/so-variables | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index 861506b09..d140b22c8 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -81,7 +81,7 @@ export whiptail_title mkdir -p $local_salt_dir/pillar/minions -for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert +for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls From 9df2aaacb070d583e655c184bf8526cd1725d435 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 16:26:59 -0400 Subject: [PATCH 0035/1082] Create advanced files --- setup/so-variables | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-variables b/setup/so-variables index d140b22c8..cf2f9ae03 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -85,6 +85,7 @@ for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soc do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls + touch $local_salt_dir/pillar/$THEDIR/$THEDIR.sls done global_pillar_file="$local_salt_dir/pillar/soc_global.sls" From f2ff8ca4e25f815159f22f6cc756d64094ac7560 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Sep 2022 16:29:50 -0400 Subject: [PATCH 0036/1082] Create advanced files --- setup/so-variables | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index cf2f9ae03..214fa6b6f 100644 --- a/setup/so-variables +++ b/setup/so-variables 
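Review bot: `soc` now appears twice in the `for THEDIR in …` list (the new entry after `curator` and the existing one after `logstash`); the loop body is idempotent so nothing breaks, but the new entry should be dropped. The paths in the loop are unquoted, so a `local_salt_dir` containing whitespace would split; `touch "$local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls"` and the same quoting on `mkdir -p` avoid that. If these pillar files can end up holding credentials, setting their mode explicitly is safer than relying on the installer's umask; whether they do is not visible in this hunk.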
@@ -85,7 +85,7 @@ for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soc do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls - touch $local_salt_dir/pillar/$THEDIR/$THEDIR.sls + touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls done global_pillar_file="$local_salt_dir/pillar/soc_global.sls" From 3de4e56db9beb154b93a55a640aacede83a33975 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 10 Sep 2022 19:25:01 -0400 Subject: [PATCH 0037/1082] Fix ES merge --- salt/elastalert/elastalert_config.map.jinja | 4 +++- salt/elasticsearch/config.map.jinja | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja index 2b9895e1b..4408111d3 100644 --- a/salt/elastalert/elastalert_config.map.jinja +++ b/salt/elastalert/elastalert_config.map.jinja @@ -1,8 +1,10 @@ {% import_yaml 'elastalert/defaults.yaml' as ELASTALERT with context %} {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} -{% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %} {% do ELASTALERT.elastalert.config.update({'es_host': pillar.global.managerip}) %} {% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} {% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} + +{% do salt['defaults.merge'](ELASTALERT.elastalert.config, elastalert_pillar, in_place=True) %} + diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index 7cd79e7b9..cec4887c8 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja 
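Review bot: Moving `defaults.merge` below the three `update` calls in elastalert_config.map.jinja means anything under the `elastalert:config` pillar, including `es_host`, `es_username` and `es_password`, now overrides the values computed from `pillar.global` and `pillar.elasticsearch.auth`. If that is the intent, say so next to the merge, e.g. `{# merge pillar last so elastalert:config overrides the computed connection settings #}`, matching the comment the elasticsearch map already carries. If the credentials are not meant to be overridable, the three `update` calls should stay after the merge.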
@@ -29,12 +29,13 @@ {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %} {% endif %} -{# merge with the elasticsearch pillar #} -{% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %} {% do ESCONFIG.elasticsearch.config.node.update({'name': grains.host}) %} {% do ESCONFIG.elasticsearch.config.cluster.update({'name': grains.host}) %} {% do ESCONFIG.elasticsearch.config.transport.update({'publish_host': grains.host}) %} +{# merge with the elasticsearch pillar #} +{% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %} + {% if salt['pillar.get']('elasticsearch:config:path:repo', False) %} {% for repo in pillar.elasticsearch.config.path.repo %} {# remove elasticsearch.config.path.repo value if the directory doesn't exist on the node #} From 9f99939bda31fc25c912ba9890ec4783df1c71be Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 12 Sep 2022 09:28:10 -0400 Subject: [PATCH 0038/1082] Add links to tools menu --- salt/soc/defaults.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 31a35a618..d162294ce 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -106,6 +106,16 @@ soc: icon: fa-external-link-alt target: so-kibana link: /kibana/ + - name: toolElasticFleet + description: toolElasticFleet + icon: fa-external-link-alt + target: so-elastic-fleet + link: /kibana/app/fleet/agents + - name: toolOsqueryManager + description: toolOsqueryManager + icon: fa-external-link-alt + target: so-osquery-manager + link: /kibana/app/osquery/live_queries - name: toolGrafana description: toolGrafanaHelp icon: fa-external-link-alt From 0df7d0249afd1353f368e64abbcadee0574d6ee7 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Mon, 12 Sep 2022 12:22:35 -0400 Subject: [PATCH 0039/1082] Add so-elastic-agent-builder --- salt/common/tools/sbin/so-elastic-fleet-setup | 6 +++--- salt/common/tools/sbin/so-image-common | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index e7f740783..490fb34db 100644 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -78,9 +78,9 @@ wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz -git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git -cd securityonion-image/so-elastic-agent-builder -docker build -t so-elastic-agent-builder . +#git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git +#cd securityonion-image/so-elastic-agent-builder +#docker build -t so-elastic-agent-builder . so-elastic-agent-gen-installers salt-call state.apply elastic-fleet.install_agent_grid \ No newline at end of file diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index b29f4bd45..32bfb2acc 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -40,6 +40,7 @@ container_list() { TRUSTED_CONTAINERS=( "so-curator" "so-elastalert" + "so-elastic-agent-builder" "so-elasticsearch" "so-filebeat" "so-grafana" 
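Review bot: The three build steps in so-elastic-fleet-setup are commented out rather than removed, which leaves dead code that still names a branch and a build path; delete them and let the history keep the old approach. With the local `docker build` gone, `so-elastic-agent-gen-installers` presumably depends on the `so-elastic-agent-builder` image being pulled through the TRUSTED_CONTAINERS entry added in so-image-common, so a one-line comment stating that dependency would help. Separately, the `wget` lines just above (unchanged context) fetch release tarballs with no checksum or signature check visible in this hunk; if none exists elsewhere in the script, that is worth a follow-up.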
From 2254512a2a6a2263ad8354abdd444ce212bf9580 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 12:48:02 -0400 Subject: [PATCH 0040/1082] Add more logging to setup process --- salt/filebeat/defaults.yaml | 36 ++++++ salt/zeek/defaults.yaml | 33 ------ setup/so-functions | 218 +++++++++++------------------------- setup/so-setup | 100 +++++++++-------- 4 files changed, 155 insertions(+), 232 deletions(-) create mode 100644 salt/filebeat/defaults.yaml diff --git a/salt/filebeat/defaults.yaml b/salt/filebeat/defaults.yaml new file mode 100644 index 000000000..b1b830262 --- /dev/null +++ b/salt/filebeat/defaults.yaml @@ -0,0 +1,36 @@ +filebeat: + config: + + zeek_logs_enabled: + - conn + - dce_rpc + - dhcp + - dnp3 + - dns + - dpd + - files + - ftp + - http + - intel + - irc + - kerberos + - modbus + - notice + - ntlm + - pe + - radius + - rfb + - rdp + - sip + - smb_files + - smb_mapping + - smtp + - snmp + - ssh + - ssl + - tunnel + - weird + - mysql + - socks + - x509 + \ No newline at end of file diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index f9c606645..8d2a96444 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -1,37 +1,4 @@ zeek: - logging: - enabled: - - conn - - dce_rpc - - dhcp - - dnp3 - - dns - - dpd - - files - - ftp - - http - - intel - - irc - - kerberos - - modbus - - notice - - ntlm - - pe - - radius - - rfb - - rdp - - sip - - smb_files - - smb_mapping - - smtp - - snmp - - ssh - - ssl - - tunnel - - weird - - mysql - - socks - - x509 config: node: lb_procs: 1 diff --git a/setup/so-functions b/setup/so-functions index ac7444cc8..c07a88e00 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -13,7 +13,7 @@ log() { msg=$1 level=${2:-I} now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ") - echo -e "$now | $level | $msg" >> "$setup_log" 2>&1 + echo -e "$now | $level | $msg" 2>&1 | tee -a "$setup_log" } error() { 
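Review bot: Piping log() through `tee` changes behaviour for callers whose stdout is already redirected: the `info` calls this commit introduces inside `{ … } >> "$setup_log" 2>&1` blocks (clear_manager, generate_ca, generate_ssl, network_setup) will now be written to the setup log twice, and in add_web_user the messages land in both the setup log and /root/so-user-add.log. Either keep plain `echo` inside blocks that are already redirected or drop the block-level redirection there. Any function whose output is captured with `$( … )` would also start receiving log lines, so callers are worth checking. The `2>&1` before the pipe only applies to `echo` itself and can be removed; log() begins above this hunk.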
@@ -31,7 +31,7 @@ title() { logCmd() { cmd=$1 info "Executing command: $cmd" - $cmd >> "$setup_log" 2>&1 + $cmd 2>&1 | tee -a $setup_log } ### End Logging Section ### @@ -58,7 +58,7 @@ add_admin_user() { } add_mngr_ip_to_hosts() { - echo "Adding $MSRV to /etc/hosts with IP: $MSRVIP" >> "$setup_log" 2>&1 + info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" echo "$MSRVIP $MSRV" >> /etc/hosts } @@ -70,7 +70,7 @@ addtotab_generate_templates() { printf '%s\n'\ "$i:"\ "" > "$addtotab_path"/$i.sls - echo "Added $i Template" + info "Added $i Template" done } @@ -82,11 +82,11 @@ add_socore_user_manager() { add_web_user() { wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5 { - echo "Attempting to add administrator user for web interface..."; + info "Attempting to add administrator user for web interface..."; export SKIP_STATE_APPLY=true echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER" "superuser"; unset SKIP_STATE_APPLY - echo "Add user result: $?"; + info "Add user result: $?"; } >> "/root/so-user-add.log" 2>&1 } @@ -154,13 +154,13 @@ check_admin_pass() { } check_manager_state() { - echo "Checking state of manager services. This may take a moment..." + info "Checking state of manager services. This may take a moment..." retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1 } check_manager_connection() { # See if you can curl the manager. If not you can either try again or continue - echo "Checking manager connectivity" + info "Checking manager connectivity" man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) local ret=$? @@ -217,7 +217,7 @@ check_pass_match() { check_service_status() { local service_name=$1 - echo "Checking service $service_name status" >> "$setup_log" 2>&1 + info "Checking service $service_name status" systemctl status $service_name > /dev/null 2>&1 local status=$? if [ $status -gt 0 ]; then 
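Review bot: With `$cmd 2>&1 | tee -a $setup_log`, logCmd now returns the exit status of `tee` rather than of the command, so a failed command looks successful to any caller that checks the result, unless `pipefail` is set somewhere outside this hunk. Preserve the status explicitly by following the pipeline with `return "${PIPESTATUS[0]}"`. The log path should also be quoted as it is in log(): `$cmd 2>&1 | tee -a "$setup_log"`.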
@@ -239,7 +239,7 @@ clear_manager() { # This only happens if you re-install the manager. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then { - echo "Clearing old Salt master key"; + info "Clearing old Salt master key"; rm -f /etc/salt/pki/minion/minion_master.pub; systemctl -q restart salt-minion; } >> "$setup_log" 2>&1 @@ -397,7 +397,7 @@ collect_mngr_hostname() { # Remove the manager from /etc/hosts incase a user entered the wrong IP when prompted # and they are going through the installer again if [[ "$HOSTNAME" != "$MSRV" ]]; then - echo "Removing $MSRV from /etc/hosts if present." >> "$setup_log" 2>&1 + info "Removing $MSRV from /etc/hosts if present." sed -i "/$MSRV/d" /etc/hosts fi @@ -611,7 +611,7 @@ configure_minion() { if [[ $is_analyst ]]; then minion_type=workstation fi - echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 + info "Configuring minion type as $minion_type" echo "role: so-$minion_type" > /etc/salt/grains local minion_config=/etc/salt/minion @@ -695,7 +695,7 @@ configure_ntp() { checkin_at_boot() { local minion_config=/etc/salt/minion - echo "Enabling checkin at boot" >> "$setup_log" 2>&1 + info "Enabling checkin at boot" echo "startup_states: highstate" >> "$minion_config" } @@ -780,7 +780,7 @@ check_sos_appliance() { # Lets see if this is a SOS Appliance if [ -f "/etc/SOSMODEL" ]; then local MODEL=$(cat /etc/SOSMODEL) - echo "Found SOS Model $MODEL" + info "Found SOS Model $MODEL" echo "sosmodel: $MODEL" >> /etc/salt/grains fi } @@ -812,7 +812,7 @@ compare_versions() { manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) if [[ $manager_ver == '' ]]; then - echo "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." | tee -a "$setup_log" + info "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." exit 1 fi 
@@ -821,7 +821,7 @@ compare_versions() { } configure_network_sensor() { - echo "Setting up sensor interface" >> "$setup_log" 2>&1 + info "Setting up sensor interface" if [[ $is_cloud ]]; then local nmcli_con_args=( "type" "ethernet" ) @@ -879,7 +879,7 @@ copy_minion_tmp_files() { case "$install_type" in 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" + info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 if [ -d "$temp_install_dir"/salt ] ; then cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 @@ -887,7 +887,7 @@ copy_minion_tmp_files() { ;; *) { - echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; + info "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; $scpcmd -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; @@ -900,12 +900,12 @@ copy_minion_tmp_files() { } >> "$setup_log" 2>&1 ;; esac - echo "Syncing all salt modules." >> "$setup_log" 2>&1 + info "Syncing all salt modules." salt-call saltutil.sync_modules >> "$setup_log" 2>&1 } create_local_directories() { - echo "Creating local pillar and salt directories" + info "Creating local pillar and salt directories" PILLARSALTDIR=${SCRIPTDIR::-5} for i in "pillar" "salt"; do for d in $(find $PILLARSALTDIR/$i -type d); do 
@@ -950,15 +950,12 @@ create_repo() { } detect_cloud() { - echo "Testing if setup is running on a cloud instance..." | tee -a "$setup_log" + info "Testing if setup is running on a cloud instance..." if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi } detect_os() { - local log=${1:-${setup_log}} - - # Detect Base OS - echo "Detecting Base OS" >> "$log" 2>&1 + title "Detecting Base OS" if [ -f /etc/redhat-release ]; then if grep -q "CentOS Linux release 7" /etc/redhat-release; then OS=centos @@ -970,9 +967,9 @@ detect_os() { OSVER=8 is_rocky=true pkgman="dnf" - echo "We currently do not support Rocky Linux $OSVER but we are working on it!" + info "We currently do not support Rocky Linux $OSVER but we are working on it!" else - echo "We do not support the version of CentOS you are trying to use." + info "We do not support the version of CentOS you are trying to use." exit 1 fi @@ -983,16 +980,16 @@ detect_os() { elif grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then OSVER=focal else - echo "We do not support your current version of Ubuntu." + info "We do not support your current version of Ubuntu." exit 1 fi else - echo "We were unable to determine if you are using a supported OS." + info "We were unable to determine if you are using a supported OS." exit 1 fi - echo "Found OS: $OS $OSVER" >> "$log" 2>&1 + info "Found OS: $OS $OSVER" >> "$log" 2>&1 } @@ -1064,7 +1061,7 @@ disable_ipv6() { docker_registry() { - echo "Setting up Docker Registry" >> "$setup_log" 2>&1 + info "Setting up Docker Registry" mkdir -p /etc/docker >> "$setup_log" 2>&1 # This will get applied so docker can attempt to start if [ -z "$DOCKERNET" ]; then 
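Review bot: The last line of detect_os still redirects to `"$log"`, but this commit removes `local log=${1:-${setup_log}}`, so unless a global `log` variable exists the redirect target is empty, bash will refuse to run the command, and the "Found OS" message is lost. Since `info` already writes to the setup log, the line can simply be `info "Found OS: $OS $OSVER"`. Callers that passed a log path as the first argument are now silently ignored, which deserves a note in the function's header comment. The function body is spread over the `@@ -950`, `@@ -970` and `@@ -983` hunks.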
@@ -1084,7 +1081,7 @@ docker_registry() { " }"\ " ]"\ "}" > /etc/docker/daemon.json - echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1 + info "Docker Registry Setup - Complete" } @@ -1133,7 +1130,7 @@ download_repo_tarball() { if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then rm -rf $install_opt_file local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager." - echo "$message" | tee -a "$setup_log" + info "$message" exit 1 fi @@ -1279,10 +1276,10 @@ firewall_generate_templates() { generate_ca() { { - echo "Building Certificate Authority"; + info "Building Certificate Authority"; salt-call state.apply ca; - echo "Confirming existence of the CA certificate" + info "Confirming existence of the CA certificate" openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates } >> "$setup_log" 2>&1 } @@ -1294,7 +1291,7 @@ generate_ssl() { if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then wait_for_salt_minion fi - echo "Applying SSL state"; + info "Applying SSL state"; salt-call state.apply ssl; } >> "$setup_log" 2>&1 } @@ -1345,7 +1342,7 @@ get_minion_type() { install_cleanup() { if [ -f "$temp_install_dir" ]; then - echo "Installer removing the following files:" + info "Installer removing the following files:" ls -lR "$temp_install_dir" # Clean up after ourselves @@ -1367,7 +1364,7 @@ install_cleanup() { fi if [[ -z $SO_ERROR ]]; then - echo "Setup completed at $(date)" >> "$setup_log" 2>&1 + info "Setup completed at $(date)" fi } 
@@ -1641,12 +1638,12 @@ networking_needful() { network_setup() { { - echo "Finishing up network setup"; + info "Finishing up network setup"; - echo "... Copying 99-so-checksum-offload-disable"; - cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ; + info "... Copying 99-so-checksum-offload-disable"; + cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; - echo "... Modifying 99-so-checksum-offload-disable"; + info "... Modifying 99-so-checksum-offload-disable"; sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; } >> "$setup_log" 2>&1 } @@ -1718,7 +1715,7 @@ patch_schedule_os_new() { print_salt_state_apply() { local state=$1 - echo "Applying $state Salt state" + info "Applying $state Salt state" } process_installtype() { @@ -1754,7 +1751,7 @@ process_installtype() { } proxy_validate() { - echo "Testing proxy..." + info "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" --connect-timeout 5 2>&1) # set short connection timeout so user doesn't sit waiting for proxy test to timeout local ret=$? @@ -1788,10 +1785,10 @@ reserve_group_ids() { reserve_ports() { # These are also set via salt but need to be set pre-install to avoid conflicts before salt runs if ! sysctl net.ipv4.ip_local_reserved_ports | grep 55000 | grep 57314; then - echo "Reserving ephemeral ports used by Security Onion components to avoid collisions" + info "Reserving ephemeral ports used by Security Onion components to avoid collisions" sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314" else - echo "Ephemeral ports already reserved" + info "Ephemeral ports already reserved" fi } 
@@ -1827,7 +1824,7 @@ reinstall_init() { local count=0 while check_service_status "$service"; do if [[ $count -gt $service_retry_count ]]; then - echo "Could not stop $service after 1 minute, exiting setup." + info "Could not stop $service after 1 minute, exiting setup." # Stop the systemctl process trying to kill the service, show user a message, then exit setup kill -9 $pid @@ -1886,7 +1883,7 @@ reset_proxy() { [[ -f /etc/systemd/system/docker.service.d/http-proxy.conf ]] && rm -f /etc/systemd/system/docker.service.d/http-proxy.conf systemctl daemon-reload - command -v docker &> /dev/null && echo "Restarting Docker..." | tee -a "$setup_log" && systemctl restart docker + command -v docker &> /dev/null && info "Restarting Docker..." && logCmd "systemctl restart docker" [[ -f /root/.docker/config.json ]] && rm -f /root/.docker/config.json @@ -1904,7 +1901,7 @@ restore_file() { dst=$2 if [ -f "$src" ]; then [ ! -d "$dst" ] && mkdir -v -p "$dst" - echo "Restoring $src to $dst." >> "$setup_log" 2>&1 + info "Restoring $src to $dst." cp -v "$src" "$dst" >> "$setup_log" 2>&1 fi } @@ -1984,7 +1981,7 @@ securityonion_repo() { # update this package because the repo config files get added back # if the package is updated when the update_packages function is called logCmd "yum -v -y update centos-release" - echo "Backing up the .repo files that were added by the centos-release package." + info "Backing up the .repo files that were added by the centos-release package." logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/" logCmd "yum repolist all" fi 
@@ -1996,12 +1993,12 @@ repo_sync_local() { REPOSYNC=$(rpm -qa | grep createrepo | wc -l) if [[ ! "$REPOSYNC" -gt 0 ]]; then # Install reposync - echo "Installing createrepo" + info "Installing createrepo" logCmd "yum -y install yum-utils createrepo" else - echo "We have what we need to sync" + info "We have what we need to sync" fi - echo "Backing up old repos" + info "Backing up old repos" mkdir -p /nsm/repo mkdir -p /root/reposync_cache echo "[main]" > /root/repodownload.conf @@ -2037,7 +2034,7 @@ saltify() { RUSALTY=$(rpm -qa | grep salt-minion | wc -l) if [[ "$RUSALTY" -gt 0 ]]; then # Salt is already installed. - echo "salt is installed" + info "salt is installed" else # Install salt if [[ $waitforstate ]]; then @@ -2061,7 +2058,7 @@ salt_firstcheckin() { # Create an secrets pillar so that passwords survive re-install secrets_pillar(){ if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then - echo "Creating Secrets Pillar" >> "$setup_log" 2>&1 + info "Creating Secrets Pillar" mkdir -p $local_salt_dir/pillar printf '%s\n'\ "secrets:"\ @@ -2085,7 +2082,7 @@ set_main_ip() { local c=0 local m=3.3 local max_attempts=30 - echo "Gathering the management IP. " + info "Gathering the management IP. " while ! valid_ip4 "$MAINIP" || ! valid_ip4 "$MNIC_IP"; do MAINIP=$(ip route get 1 | awk '{print $7;exit}') MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2) 
@@ -2094,9 +2091,9 @@ set_main_ip() { printf "%-*s" $((count+1)) '[' | tr ' ' '#' printf "%*s%3d%%\r" $((max_attempts-count)) "]" "$p" if [ $count = $max_attempts ]; then - echo "ERROR: Could not determine MAINIP or MNIC_IP." >> "$setup_log" 2>&1 - echo "MAINIP=$MAINIP" >> "$setup_log" 2>&1 - echo "MNIC_IP=$MNIC_IP" >> "$setup_log" 2>&1 + info "ERROR: Could not determine MAINIP or MNIC_IP." + info "MAINIP=$MAINIP" + info "MNIC_IP=$MNIC_IP" whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Press OK to exit." exit 1 fi @@ -2120,7 +2117,7 @@ set_minion_info() { fi export MINION_ID - echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 + info "MINION_ID = $MINION_ID" minion_type=$(get_minion_type) } @@ -2208,7 +2205,7 @@ setup_salt_master_dirs() { cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 fi - echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1 + info "Chown the salt dirs on the manager for socore" chown -R socore:socore /opt/so } @@ -2412,7 +2409,7 @@ so_add_user() { local home_dir=$4 if [ "$5" ]; then local pass=$5; fi - echo "Add $username user" >> "$setup_log" 2>&1 + info "Add $username user" groupadd --gid "$gid" "$username" useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" @@ -2438,7 +2435,7 @@ update_sudoers() { echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/manager/files/add_minion.sh" | tee -a /etc/sudoers else - echo "User soremote already granted sudo privileges" >> "$setup_log" 2>&1 + info "User soremote already granted sudo privileges" fi } 
@@ -2456,7 +2453,7 @@ update_packages() { # This is used for development to speed up network install tests. use_turbo_proxy() { if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then - echo "turbo is not supported on this install type" >> $setup_log 2>&1 + info "turbo is not supported on this install type" return fi 
@@ -2482,103 +2479,18 @@ wait_for_file() { while [[ $cur_attempts -lt $max_attempts ]]; do if [ -f "$filename" ]; then - echo "File $filename found at $date" >> "$setup_log" 2>&1 + info "File $filename found at $date" return 0 else ((cur_attempts++)) - echo "File $filename does not exist; waiting ${wait_interval}s then checking again ($cur_attempts/$max_attempts)..." >> "$setup_log" 2>&1 + info "File $filename does not exist; waiting ${wait_interval}s then checking again ($cur_attempts/$max_attempts)..." sleep "$wait_interval" fi done - echo "Could not find $filename after waiting ${total_time}s" >> "$setup_log" 2>&1 + info "Could not find $filename after waiting ${total_time}s" return 1 } wait_for_salt_minion() { retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1 -} - -# Enable Zeek Logs -zeek_logs_enabled() { - echo "Enabling Zeek Logs" >> "$setup_log" 2>&1 - - local zeeklogs_pillar=$local_salt_dir/pillar/zeek/zeeklogs.sls - - printf '%s\n'\ - "zeeklogs:"\ - " enabled:" > "$zeeklogs_pillar" - - if [ "$MANAGERADV" = 'ADVANCED' ]; then - for BLOG in "${BLOGS[@]}"; do - echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar" - done - elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then - printf '%s\n'\ - " - conn"\ - " - dce_rpc"\ - " - dhcp"\ - " - dnp3"\ - " - dns"\ - " - dpd"\ - " - files"\ - " - ftp"\ - " - http"\ - " - intel"\ - " - irc"\ - " - kerberos"\ - " - modbus"\ - " - notice"\ - " - ntlm"\ - " - pe"\ - " - radius"\ - " - rfb"\ - " - rdp"\ - " - sip"\ - " - smb_files"\ - " - smb_mapping"\ - " - smtp"\ - " - snmp"\ - " - ssh"\ - " - ssl"\ - " - syslog"\ - " - tunnel"\ - " - weird"\ - " - mysql"\ - " - socks"\ - " - x509" >> "$zeeklogs_pillar" - # Disable syslog log by default - else - printf '%s\n'\ - " - conn"\ - " - dce_rpc"\ - " - dhcp"\ - " - dnp3"\ - " - dns"\ - " - dpd"\ - " - files"\ - " - ftp"\ - " - http"\ - " - intel"\ - " - irc"\ - " - kerberos"\ - " - 
modbus"\ - " - notice"\ - " - ntlm"\ - " - pe"\ - " - radius"\ - " - rfb"\ - " - rdp"\ - " - sip"\ - " - smb_files"\ - " - smb_mapping"\ - " - smtp"\ - " - snmp"\ - " - ssh"\ - " - ssl"\ - " - tunnel"\ - " - weird"\ - " - mysql"\ - " - socks"\ - " - x509" >> "$zeeklogs_pillar" - fi -} +} \ No newline at end of file diff --git a/setup/so-setup b/setup/so-setup index 84d22c0fa..a5ba241b7 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -76,6 +76,7 @@ if [ "$setup_type" = 'analyst' ]; then fi # Make sure if ISO is specified that we are dealing with CentOS or Rocky +title "Detecting if this is an ISO install" if [[ "$setup_type" == 'iso' ]]; then if [[ $is_centos || $is_rocky ]]; then is_iso=true @@ -87,10 +88,11 @@ fi # Check to see if this is an analyst install. If it is let's run things differently if [[ $is_analyst ]]; then + title "This is an analyst workstation install" # Make sure it's CentOS or Rocky Linux if [[ ! $is_centos ]]; then - echo "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8" + info "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8" exit 1 fi @@ -100,7 +102,7 @@ if [[ $is_analyst ]]; then # Remove setup from auto launching parse_install_username sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 - echo "Enabling graphical interface and setting it to load at boot" + info "Enabling graphical interface and setting it to load at boot" systemctl set-default graphical.target startx exit 0 @@ -110,11 +112,11 @@ if [[ $is_analyst ]]; then fi else if whiptail_analyst_nongrid_network; then - echo "" - echo "" - echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." - echo "" - echo "" + info "" + info "" + info "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." + info "" + info "" analyst_salt_local else # Abort! 
@@ -132,15 +134,16 @@ if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi +title "Checking to see if install has run before" if [[ -f /root/accept_changes ]]; then is_reinstall=true - # Move last setup log to backup + info "Old setup detected. Moving the last setup.log to setup.log.bak" mv "$setup_log" "$setup_log.bak" [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" fi -# Figure out the user id that is running the install +title "Parsing Username for Install" parse_install_username if ! [ -f $install_opt_file ]; then @@ -176,7 +179,7 @@ progress() { # If using automation let's do automation things. if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then - echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 + info "Preselecting variable values based on automated setup: $automation" source automation/$automation automated=yes 
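Review bot: The new `title "Checking to see if install has run before"` and `info "Old setup detected. ..."` lines run before `mv "$setup_log" "$setup_log.bak"`, so on a reinstall both messages presumably end up in the `.bak` file and the fresh log starts without them. This assumes `title` and `info` write to `$setup_log`; both are defined outside this hunk. Emitting the `info` line after the `mv` keeps the record of the rotation in the log that the current run produces.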
@@ -184,24 +187,26 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th attempts=60 ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 while [ $? -ne 0 ]; do - ip a >> $setup_log 2>&1 + logCmd "ip a" if [ $attempt -gt $attempts ]; then - echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 + error "Network unavailable - setup cannot continue" exit 1 fi - echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 + info "Waiting for network to come up (attempt $attempt of $attempts)" attempt=$((attempt + 1)) + info "Sleeping 10s to try again" sleep 10; - ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 + logCmd 'ip a | grep "$MNIC:" | grep "state UP"' done - echo "Network is up on $MNIC" >> $setup_log 2>&1 + info "Network is up on $MNIC" if [[ ! $is_iso ]]; then - echo "Installing sshpass for automated testing." >> $setup_log 2>&1 + # We might not need this any more + info "Installing sshpass for automated testing." if [ "$OS" == ubuntu ]; then retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1 else - yum -y install sshpass >> $setup_log 2>&1 + logCmd "yum -y install sshpass" fi fi fi @@ -209,10 +214,10 @@ fi # Make sure the setup type is suppoted. case "$setup_type" in iso | network | analyst) # Accepted values - echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 + info "Beginning Security Onion $setup_type install" ;; *) - echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log + error "Invalid install type, must be 'iso', 'network' or 'analyst'." exit 1 ;; esac 
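Review bot: `logCmd 'ip a | grep "$MNIC:" | grep "state UP"'` is now the last command in the loop body, so `while [ $? -ne 0 ]` tests `logCmd`'s return status instead of the pipeline's. `logCmd` is defined outside this hunk; unless it evaluates its argument as a shell command line and returns that status, the single-quoted `$MNIC` and the `|` characters are never interpreted, and the loop either runs to the attempt limit or exits at once with the network assumed up. Keeping `ip a | grep "$MNIC:" | grep "state UP" >> "$setup_log" 2>&1` as the final statement preserves the check. The later `logCmd "nmcli -f name,uuid -p con | grep -q '$INTERFACE'"` followed by `local found_int=$?` in `configure_network_sensor` has the same dependency.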
@@ -232,15 +237,15 @@ dmesg -D # https://github.com/Security-Onion-Solutions/securityonion/issues/1084 if [ "$automated" == no ]; then TTY=$(tty) - echo "Setup is running on TTY $TTY" >> $setup_log 2>&1 + info "Setup is running on TTY $TTY" if echo $TTY | grep -q "/dev/tty"; then CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) - echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1 + info "Kernel consoleblank value before: $CONSOLEBLANK" if [ $CONSOLEBLANK -gt 0 ]; then - echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1 + info "Running 'setterm -blank 0' for TTY $TTY" TERM=linux setterm -blank 0 >$TTY <$TTY CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) - echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1 + info "Kernel consoleblank value after: $CONSOLEBLANK" fi fi fi @@ -250,7 +255,7 @@ if ! [[ -f $install_opt_file ]]; then if (whiptail_you_sure); then true else - echo "User cancelled setup." | tee -a "$setup_log" + error "User cancelled setup." whiptail_cancel fi # If this is an analyst install lets streamline the process. @@ -328,7 +333,7 @@ if ! [[ -f $install_opt_file ]]; then detect_cloud set_minion_info set_default_log_size >> $setup_log 2>&1 - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + info "Verifying all network devices are managed by Network Manager that should be" check_network_manager_conf set_network_dev_status_list whiptail_sensor_nics @@ -349,7 +354,7 @@ if ! [[ -f $install_opt_file ]]; then detect_cloud set_minion_info set_default_log_size >> $setup_log 2>&1 - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + info "Verifying all network devices are managed by Network Manager that should be" check_network_manager_conf set_network_dev_status_list whiptail_sensor_nics 
@@ -367,7 +372,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_airgap detect_cloud set_default_log_size >> $setup_log 2>&1 - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + info "Verifying all network devices are managed by Network Manager that should be" check_network_manager_conf set_network_dev_status_list calculate_useable_cores @@ -384,7 +389,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_airgap detect_cloud set_default_log_size >> $setup_log 2>&1 - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + info "Verifying all network devices are managed by Network Manager that should be" check_network_manager_conf set_network_dev_status_list calculate_useable_cores @@ -466,15 +471,15 @@ if ! [[ -f $install_opt_file ]]; then configure_network_sensor fi # Configure NTP - echo "Configuring NTP" + info "Configuring NTP" [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 # Reserve the ports that SO needs - echo "Reserving ports" + info "Reserving ports" reserve_ports - echo "Setting Paths" + info "Setting Paths" # Set the paths set_path - echo "Checking if this is a re-install" + info "Checking if this is a re-install" # Check to see if its a reinstall. THIS NEEDS REVIEW if [[ $is_reinstall ]]; then reinstall_init 
@@ -482,19 +487,19 @@ if ! [[ -f $install_opt_file ]]; then echo "Disable auto start of setup" # Disable the setup from prompting at login disable_auto_start - echo "Setting the version" + info "Setting the version" # Set the version mark_version - echo "Clearing the old manager" + info "Clearing the old manager" # Remove old manager if re-install clear_manager - echo "Generating Secrets" + info "Generating Secrets" # Generate passwords generate_passwords - echo "Populating the secrets pillar" + info "Populating the secrets pillar" # Create the secrets pillar secrets_pillar - echo "Add socore user" + info "Add socore user" # Add the socore user add_socore_user_manager @@ -502,7 +507,7 @@ if ! [[ -f $install_opt_file ]]; then setup_salt_master_dirs create_manager_pillars - echo "Generating the minion pillar" + info "Generating the minion pillar" # Create the minion defaults export NODETYPE=$install_type @@ -516,7 +521,7 @@ if ! [[ -f $install_opt_file ]]; then export PATCHSCHEDULENAME=$PATCHSCHEDULENAME export INTERFACE="bond0" so-minion -o=setup - echo "Creating Global SLS" + title "Creating Global SLS" if [[ $is_airgap ]]; then # Airgap Rules @@ -525,7 +530,6 @@ if ! [[ -f $install_opt_file ]]; then manager_pillar - zeek_logs_enabled # Set up the repo to point to local file https://access.redhat.com/solutions/1355683 # reposync down the files is network and createrepo if CentOS # Import the GPG keys 
@@ -558,20 +562,23 @@ if ! [[ -f $install_opt_file ]]; then # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf mkdir -p /opt/so/conf/so-status/ touch /opt/so/conf/so-status/so-status.conf - echo "Importing Registry Docker" + title "Importing Registry Docker" import_registry_docker - echo "Applying the registry state" + title "Applying the registry state" salt-call state.apply -l info registry - echo "Seeding the docker registry" + title "Seeding the docker registry" docker_seed_registry - echo "Applying the manager state" + title "Applying the manager state" salt-call state.apply -l info manager salt-call state.apply -l info firewall salt-call state.highstate -l info add_web_user + info "Restarting SOC to pick up initial user" + so-soc-restart so-elastic-fleet-setup - echo "Setting up Playbook" + title "Setting up Playbook" so-playbook-reset + checkin_at_boot whiptail_setup_complete else es_heapsize @@ -583,7 +590,7 @@ if ! [[ -f $install_opt_file ]]; then reserve_ports # Set the version mark_version - echo "Clearing the old manager" + info "Clearing the old manager" # Remove old manager if re-install clear_manager gpg_rpm_import @@ -592,6 +599,7 @@ if ! [[ -f $install_opt_file ]]; then saltify configure_minion "$minion_type" drop_install_options + checkin_at_boot whiptail_setup_complete fi From 9ca2e6e871f50fcac1b723ed27881f62ce1fdca8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 14:20:59 -0400 Subject: [PATCH 0041/1082] Add more logging to setup process --- salt/zeek/soc_zeek.yaml | 2 +- setup/so-functions | 423 +++++++++++----------------------------- setup/so-setup | 10 - 3 files changed, 117 insertions(+), 318 deletions(-) diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index bcb3af346..adb534281 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml 
@@ -10,7 +10,7 @@ zeek: zeek_pins_enabled: description: node: True - zeeek_pins: + zeek_pins: description: List of CPUs you want to node: True zeekctl: diff --git a/setup/so-functions b/setup/so-functions index c07a88e00..2f586f151 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -48,13 +48,10 @@ airgap_rules() { } add_admin_user() { - # Add an admin user with full sudo rights if this is an ISO install. - { - useradd "$ADMINUSER"; - echo "$ADMINUSER":"$ADMINPASS1" | chpasswd --crypt-method=SHA512; - usermod -aG wheel "$ADMINUSER"; - } >> "$setup_log" 2>&1 - + title "Adding $ADMINUSER to the system with sudo rights" + logCmd "useradd '$ADMINUSER'" + echo "$ADMINUSER":"$ADMINPASS1" | chpasswd --crypt-method=SHA512 + logCmd "usermod -aG wheel '$ADMINUSER'" } add_mngr_ip_to_hosts() { @@ -62,21 +59,9 @@ add_mngr_ip_to_hosts() { echo "$MSRVIP $MSRV" >> /etc/hosts } -addtotab_generate_templates() { - - local addtotab_path=$local_salt_dir/pillar/data - - for i in evaltab managersearchtab managertab nodestab sensorstab standalonetab receiverstab; do - printf '%s\n'\ - "$i:"\ - "" > "$addtotab_path"/$i.sls - info "Added $i Template" - done - -} - add_socore_user_manager() { - so_add_user "socore" "939" "939" "/opt/so" >> "$setup_log" 2>&1 + info "Adding socore user" + logCmd "so_add_user 'socore' '939' '939' '/opt/so'" } add_web_user() { @@ -110,7 +95,7 @@ analyst_salt_local() { logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" - salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile + logCmd "salt-call state.apply workstation --local --file-root=../salt/ -l info" read -r -d '' message <<- EOM Finished Analyst workstation installation. 
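Review bot: `logCmd "useradd '$ADMINUSER'"` and `logCmd "usermod -aG wheel '$ADMINUSER'"` hand the user name to `logCmd` inside a command string with embedded single quotes. `logCmd` is not visible here: if it word-splits the string, `useradd` receives the quote characters as part of the name; if it uses `eval`, a quote character in `$ADMINUSER` ends the quoting and the remainder is parsed as shell. Running these directly, e.g. `useradd "$ADMINUSER" >> "$setup_log" 2>&1`, avoids both. The same pattern recurs in `add_socore_user_manager`, `create_local_directories` and `install_cleanup` (`rm -rf '$temp_install_dir'`). Leaving the `chpasswd` line outside `logCmd` is the right call, since a logged command string would likely include the password.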
@@ -153,11 +138,6 @@ check_admin_pass() { check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" } -check_manager_state() { - info "Checking state of manager services. This may take a moment..." - retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1 -} - check_manager_connection() { # See if you can curl the manager. If not you can either try again or continue info "Checking manager connectivity" @@ -171,18 +151,6 @@ check_manager_connection() { fi } -__check_so_status() { - local so_status_output - so_status_output=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/log/sostatus/status.log) - [[ -z $so_status_output ]] && so_status_output=1 - return $so_status_output -} - -__check_salt_master() { - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master - return $? -} - check_network_manager_conf() { local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" local nmconf="/etc/NetworkManager/NetworkManager.conf" @@ -202,6 +170,7 @@ check_network_manager_conf() { } check_pass_match() { + info "Making sure passwords match" local pass=$1 local confirm_pass=$2 local var=$3 @@ -221,16 +190,17 @@ check_service_status() { systemctl status $service_name > /dev/null 2>&1 local status=$? if [ $status -gt 0 ]; then - echo " $service_name is not running" >> "$setup_log" 2>&1 + info " $service_name is not running" return 1; else - echo " $service_name is running" >> "$setup_log" 2>&1 + info " $service_name is running" return 0; fi } check_web_pass() { + info Making sure web credential passwords match check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } 
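Review bot: `info Making sure web credential passwords match` in `check_web_pass` passes the message unquoted, so `info` receives seven separate arguments. `info` is defined outside this hunk; if it prints only `$1`, the log line is just `Making`. Quote it like the other calls: `info "Making sure web credential passwords match"`.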
@@ -238,11 +208,10 @@ clear_manager() { # Clear out the old manager public key in case this is a re-install. # This only happens if you re-install the manager. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then - { - info "Clearing old Salt master key"; - rm -f /etc/salt/pki/minion/minion_master.pub; - systemctl -q restart salt-minion; - } >> "$setup_log" 2>&1 + info "Clearing old Salt master key" + logCmd "rm -f /etc/salt/pki/minion/minion_master.pub" + info "Restarting Salt Minion" + logCmd "systemctl -q restart salt-minion" fi } @@ -312,10 +281,6 @@ collect_gateway() { done } -collect_helix_key() { - whiptail_helix_apikey -} - collect_homenet_mngr() { whiptail_homenet_manager "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12" @@ -777,7 +742,7 @@ check_requirements() { } check_sos_appliance() { - # Lets see if this is a SOS Appliance + title "Is this is an SOS Appliance?" if [ -f "/etc/SOSMODEL" ]; then local MODEL=$(cat /etc/SOSMODEL) info "Found SOS Model $MODEL" @@ -808,18 +773,6 @@ compare_main_nic_ip() { } -compare_versions() { - manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) - - if [[ $manager_ver == '' ]]; then - info "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." - exit 1 - fi - - [[ "$manager_ver" == "$SOVERSION" ]] - return -} - configure_network_sensor() { info "Setting up sensor interface" @@ -830,7 +783,7 @@ configure_network_sensor() { fi # Create the bond interface only if it doesn't already exist - nmcli -f name,uuid -p con | grep -q "$INTERFACE" >> "$setup_log" 2>&1 + logCmd "nmcli -f name,uuid -p con | grep -q '$INTERFACE'" local found_int=$? if [[ $found_int != 0 ]]; then 
@@ -861,47 +814,18 @@ configure_network_sensor() { copy_salt_master_config() { - # Copy the Salt master config template to the proper directory + title "Copy the Salt master config template to the proper directory" if [ "$setup_type" = 'iso' ]; then - cp /root/SecurityOnion/files/salt/master/master /etc/salt/master >> "$setup_log" 2>&1 - cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service >> "$setup_log" 2>&1 + logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master" + logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" else - cp ../files/salt/master/master /etc/salt/master >> "$setup_log" 2>&1 - cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service >> "$setup_log" 2>&1 + logCmd "cp ../files/salt/master/master /etc/salt/master" + logCmd " ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi # Restart the service so it picks up the changes - systemctl daemon-reload >> "$setup_log" 2>&1 - systemctl restart salt-master >> "$setup_log" 2>&1 -} - -copy_minion_tmp_files() { - - case "$install_type" in - 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" - cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 - if [ -d "$temp_install_dir"/salt ] ; then - cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 - fi - ;; - *) - { - info "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; - $scpcmd -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; - if [ -d 
$temp_install_dir/salt/patch/os/schedules/ ]; then - if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then - $scpcmd -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; - fi - fi - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; - } >> "$setup_log" 2>&1 - ;; - esac - info "Syncing all salt modules." - salt-call saltutil.sync_modules >> "$setup_log" 2>&1 + logCmd "systemctl daemon-reload" + logCmd "systemctl restart salt-master" } create_local_directories() { @@ -911,19 +835,19 @@ create_local_directories() { for d in $(find $PILLARSALTDIR/$i -type d); do suffixdir=${d//$PILLARSALTDIR/} if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -pv "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + logCmd "mkdir -pv '$local_salt_dir$suffixdir'" fi done - chown -R socore:socore "$local_salt_dir/$i" + logCmd "chown -R socore:socore '$local_salt_dir/$i'" done } create_local_nids_rules() { - # Create a local.rules file so it doesn't get blasted on updates - mkdir -p /opt/so/saltstack/local/salt/idstools + title "Create a local.rules file so it doesn't get removed on updates" + logCmd "mkdir -p /opt/so/saltstack/local/salt/idstools" echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules - salt-run fileserver.clear_file_list_cache + logCmd "salt-run fileserver.clear_file_list_cache" } create_manager_pillars() { @@ -945,8 +869,8 @@ create_manager_pillars() { } create_repo() { - # Create the repo for airgap - createrepo /nsm/repo + title "Create the repo directory" + logCmd "createrepo /nsm/repo" } detect_cloud() { 
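Review bot: The non-ISO branch of `copy_salt_master_config` lost its `cp`: `logCmd " ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"` tries to run the unit file path as a command. On network installs the salt-master unit is then not installed, while `systemctl daemon-reload` and `systemctl restart salt-master` still run against whatever unit is already present. The line should read `logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"`.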
@@ -1049,8 +973,8 @@ disable_auto_start() { disable_ipv6() { { info "Disabling ipv6" - sysctl -w net.ipv6.conf.all.disable_ipv6=1 - sysctl -w net.ipv6.conf.default.disable_ipv6=1 + logCmd "sysctl -w net.ipv6.conf.all.disable_ipv6=1" + logCmd "sysctl -w net.ipv6.conf.default.disable_ipv6=1" } >> "$setup_log" 2>&1 { echo "net.ipv6.conf.all.disable_ipv6 = 1" @@ -1061,8 +985,8 @@ disable_ipv6() { docker_registry() { - info "Setting up Docker Registry" - mkdir -p /etc/docker >> "$setup_log" 2>&1 + title "Setting up Docker Registry" + logCmd "mkdir -p /etc/docker" # This will get applied so docker can attempt to start if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 @@ -1088,9 +1012,6 @@ docker_registry() { docker_seed_update() { local name=$1 local percent_delta=1 - if [ "$install_type" == 'HELIXSENSOR' ]; then - percent_delta=6 - fi ((docker_seed_update_percent+=percent_delta)) set_progress_str "$docker_seed_update_percent" "Downloading $name" 
@@ -1112,38 +1033,14 @@ docker_seed_registry() { update_docker_containers 'netinstall' '' 'docker_seed_update' "$setup_log" else - tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker >> "$setup_log" 2>&1 - rm /nsm/docker-registry/docker/registry.tar >> "$setup_log" 2>&1 + logCmd "tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker" + logCmd "rm /nsm/docker-registry/docker/registry.tar" fi - -} - -download_repo_tarball() { - - mkdir -p /root/manager_setup - - local manager_ver - manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) >> "$setup_log" 2>&1 - $scpcmd -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup >> "$setup_log" 2>&1 - - # Fail if the file doesn't download - if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then - rm -rf $install_opt_file - local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager." - info "$message" - exit 1 - fi - - mkdir -p /root/manager_setup/securityonion - { - tar -xzf /root/manager_setup/"$manager_ver".tar.gz -C /root/manager_setup/securityonion - rm -rf /root/manager_setup/"$manager_ver".tar.gz - } >> "$setup_log" 2>&1 } elasticsearch_pillar() { - # Create Advanced File - touch $adv_elasticsearch_pillar_file + title "Create Advanced File" + logCmd "touch '$adv_elasticsearch_pillar_file'" # Create the Elasticsearch pillar printf '%s\n'\ "elasticsearch:"\ @@ -1188,7 +1085,7 @@ elasticsearch_pillar() { es_heapsize() { - # Determine ES Heap Size + title "Determine ES Heap Size" if [ "$total_mem" -lt 8000 ] ; then ES_HEAP_SIZE="600m" elif [ "$total_mem" -ge 100000 ]; then 
@@ -1247,26 +1144,14 @@ filter_unused_nics() { export nic_list } -fireeye_pillar() { - - local fireeye_pillar_path=$local_salt_dir/pillar/fireeye - mkdir -p "$fireeye_pillar_path" - - printf '%s\n'\ - "fireeye:"\ - " helix:"\ - " api_key: '$HELIXAPIKEY'" \ - "" > "$fireeye_pillar_path/init.sls" - -} - # Generate Firewall Templates firewall_generate_templates() { + title "Generate Firewall Template" local firewall_pillar_path=$local_salt_dir/salt/firewall - mkdir -p "$firewall_pillar_path" + logCmd "mkdir -p '$firewall_pillar_path'" - cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 + logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" for i in analyst beats_endpoint endgame sensor manager minion elastic_agent_endpoint search_node; do $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 
@@ -1275,29 +1160,24 @@ firewall_generate_templates() { } generate_ca() { - { - info "Building Certificate Authority"; - salt-call state.apply ca; - - info "Confirming existence of the CA certificate" - openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates - } >> "$setup_log" 2>&1 + title "Generating the certificate authority" + logCmd "salt-call state.apply ca -l info" + info "Confirming existence of the CA certificate" + logCmd "openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates" } generate_ssl() { - { - # if the install type is a manager then we need to wait for the minion to be ready before trying - # to run the ssl state since we need the minion to sign the certs - if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then - wait_for_salt_minion - fi - info "Applying SSL state"; - salt-call state.apply ssl; - } >> "$setup_log" 2>&1 + # if the install type is a manager then we need to wait for the minion to be ready before trying + # to run the ssl state since we need the minion to sign the certs + if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then + wait_for_salt_minion + fi + info "Applying SSL state" + logCmd "salt-call state.apply ssl -l info" } generate_passwords(){ - # Generate Random Passwords for Things + title "Generate Random Passwords" MYSQLPASS=$(get_random_value) PLAYBOOKDBPASS=$(get_random_value) PLAYBOOKADMINPASS=$(get_random_value) @@ -1308,10 +1188,8 @@ generate_passwords(){ } generate_interface_vars() { - # Set the MTU - if [[ $NSMSETUP != 'ADVANCED' ]]; then - if [[ $is_cloud ]]; then MTU=1575; else MTU=9000; fi - fi + title "Setting the MTU to 9000 on all monitor NICS" + MTU=9000 export MTU # Set interface variable 
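Review bot: `generate_interface_vars` now sets `MTU=9000` unconditionally, which drops both the `NSMSETUP != 'ADVANCED'` guard and the `is_cloud` value of 1575. If `MTU` is still collected from the user in advanced setup (not visible in this hunk), that choice is overwritten, and cloud sensors get 9000 on the monitor interfaces. If the removal is intended, a comment saying so would help; otherwise keep `if [[ $is_cloud ]]; then MTU=1575; else MTU=9000; fi` under the guard. The function body continues outside the hunk.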
@@ -1343,10 +1221,10 @@ get_minion_type() { install_cleanup() { if [ -f "$temp_install_dir" ]; then info "Installer removing the following files:" - ls -lR "$temp_install_dir" + logCmd "ls -lR '$temp_install_dir'" # Clean up after ourselves - rm -rf "$temp_install_dir" + logCmd "rm -rf '$temp_install_dir'" fi # All cleanup prior to this statement must be compatible with automated testing. Cleanup @@ -1355,12 +1233,12 @@ install_cleanup() { # If Mysql is running stop it if docker ps --format "{{.Names}}" 2>&1 | grep -q "so-mysql"; then - /usr/sbin/so-mysql-stop + logVmd "/usr/sbin/so-mysql-stop" fi if [[ $setup_type == 'iso' ]]; then info "Removing so-setup permission entry from sudoers file" - sed -i '/so-setup/d' /etc/sudoers + logCmd "sed -i '/so-setup/d' /etc/sudoers" fi if [[ -z $SO_ERROR ]]; then @@ -1379,7 +1257,7 @@ import_registry_docker() { idh_pillar() { touch $adv_idh_pillar_file - # Create the IDH Pillar + title "Create the IDH Pillar" printf '%s\n'\ "idh:"\ " listen_on_mgnt_int: True"\ @@ -1396,7 +1274,7 @@ idh_pillar() { logstash_pillar() { # Create the logstash advanced pillar touch $adv_logstash_pillar_file - # Create the logstash pillar + title "Create the logstash pillar" printf '%s\n'\ "logstash_settings:"\ " ls_host: '$HOSTNAME'"\ @@ -1409,7 +1287,7 @@ logstash_pillar() { # Set Logstash heap size based on total memory ls_heapsize() { - + title "Setting Logstash heap size" if [ "$total_mem" -ge 32000 ]; then LS_HEAP_SIZE='1000m' return @@ -1435,6 +1313,7 @@ ls_heapsize() { } idstools_pillar() { + title "Ading IDSTOOLS pillar options" touch $adv_idstools_pillar_file printf '%s\n'\ "idstools:"\ @@ -1451,13 +1330,14 @@ idstools_pillar() { } soc_pillar() { + title "Creating the SOC pillar" touch $adv_soc_pillar_file touch $soc_pillar_file } manager_pillar() { touch $adv_manager_pillar_file - # Create the manager pillar + title "Create the manager pillar" printf '%s\n'\ "manager:"\ " proxy: '$so_proxy'"\ 
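Review bot: The guard `if [ -f "$temp_install_dir" ]`, kept as context at the top of install_cleanup, tests for a regular file, while the two commands this hunk wraps (`ls -lR` and `rm -rf`) treat the path as a directory. For a directory the branch never runs and the installer's temporary tree stays on disk. A later patch on this page copies `$temp_install_dir/pillar/` into the local salt directory, so that tree may hold generated pillar data that should not outlive setup. The test should be `if [ -d "$temp_install_dir" ]; then`. install_cleanup continues beyond this hunk.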
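Review bot: `logVmd "/usr/sbin/so-mysql-stop"` in the so-mysql branch of install_cleanup calls a name that no other line of this patch uses, while every other wrapped command goes through `logCmd`. It looks like a typo, in which case the shell would report command not found and the container would not be stopped. The line should read `logCmd "/usr/sbin/so-mysql-stop"`. Nothing in the hunk checks the result, so the failure would pass silently; the function body extends past the hunk on both sides.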
@@ -1469,6 +1349,7 @@ manager_pillar() { } kratos_pillar() { + title "Create the Kratos pillar file" touch $adv_kratos_pillar_file printf '%s\n'\ "kratos:"\ @@ -1479,6 +1360,7 @@ kratos_pillar() { } create_global() { + title "Creating the global.sls" touch $adv_global_pillar_file if [ -z "$NODE_CHECKIN_INTERVAL_MS" ]; then NODE_CHECKIN_INTERVAL_MS=10000 @@ -1523,6 +1405,7 @@ create_global() { } create_sensoroni_pillar() { + title "Create the sensoroni pillar file" touch $adv_sensoroni_pillar_file printf '%s\n'\ @@ -1534,6 +1417,7 @@ create_sensoroni_pillar() { } create_strelka_pillar() { + title "Create the Strelka pillar file" touch $adv_strelka_pillar_file printf '%s\n'\ "strelka:"\ @@ -1551,6 +1435,7 @@ create_strelka_pillar() { } backup_pillar() { + title "Create the backup pillar file" touch $adv_backup_pillar_file printf '%s\n'\ "backup:"\ @@ -1559,6 +1444,7 @@ backup_pillar() { } soctopus_pillar() { + title "Create the soctopus pillar file" touch $adv_soctopus_pillar_file printf '%s\n'\ "soctopus:"\ @@ -1568,6 +1454,7 @@ soctopus_pillar() { } docker_pillar() { + title "Create the docker pillar file" touch $adv_docker_pillar_file printf '%s\n'\ "docker:"\ @@ -1576,6 +1463,7 @@ docker_pillar() { } redis_pillar() { + title "Create the redis pillar file" touch $adv_redis_pillar_file printf '%s\n'\ "redis_settings:"\ @@ -1583,11 +1471,12 @@ redis_pillar() { } mark_version() { - # Drop a file with the current version + title "Marking the current version" echo "$SOVERSION" > /etc/soversion } network_init() { + title "Initializing Network" disable_ipv6 set_hostname if [[ ( $is_iso || $is_analyst_iso ) ]]; then 
@@ -1637,15 +1526,11 @@ networking_needful() { } network_setup() { - { - info "Finishing up network setup"; - - info "... Copying 99-so-checksum-offload-disable"; - cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; - - info "... Modifying 99-so-checksum-offload-disable"; - sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; - } >> "$setup_log" 2>&1 + info "Finishing up network setup" + info "... Copying 99-so-checksum-offload-disable" + logCmd "cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable" + info "... Modifying 99-so-checksum-offload-disable"; + logCmd "sed -i '/\$MNIC/${INTERFACE}/g' /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable" } ntp_pillar_entries() { @@ -1669,7 +1554,7 @@ parse_install_username() { } patch_pillar() { - + title "Create the patch pillar file" local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls @@ -1691,10 +1576,11 @@ patch_pillar() { } patch_schedule_os_new() { + title "Create the patch schedule" local OSPATCHSCHEDULEDIR="$temp_install_dir/salt/patch/os/schedules" local OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml" - mkdir -p $OSPATCHSCHEDULEDIR + logCmd "mkdir -p '$OSPATCHSCHEDULEDIR'" printf '%s\n'\ "patch:"\ 
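Review bot: The sed expression in network_setup lost its leading `s` when it was moved into logCmd: `'/\$MNIC/${INTERFACE}/g'` is no longer a substitution command. As a result the `$MNIC` placeholder in 99-so-checksum-offload-disable is not replaced with the monitor interface, and the dispatcher script is left with a name that matches no NIC. Restore it as `logCmd "sed -i 's/\$MNIC/${INTERFACE}/g' /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable"`. How logCmd runs its argument is not visible here; if it splits the string into words without re-parsing it, the single quotes would reach sed literally and the direct call with `>> "$setup_log" 2>&1` is the safer form.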
@@ -2194,19 +2080,19 @@ setup_salt_master_dirs() { # Copy over the salt code and templates if [ "$setup_type" = 'iso' ]; then - rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 - rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 - mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1 - cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 + logCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/" + ogCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/" + logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" + logCmd "cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/" else - cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 - cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 - mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1 - cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 + logCmd "cp -Rv ../pillar/* $default_salt_dir/pillar/" + logCmd "cp -Rv ../salt/* $default_salt_dir/salt/" + logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" + logCmd "cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/" fi info "Chown the salt dirs on the manager for socore" - chown -R socore:socore /opt/so + logCmd "chown -R socore:socore /opt/so" } set_progress_str() { 
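Review bot: The second rsync in the ISO branch of setup_salt_master_dirs is invoked as `ogCmd`, which is missing the leading `l`. The copy of `SecurityOnion/salt/*` into `$default_salt_dir/salt/` would fail with command not found, and the ISO install would presumably continue without its default salt states. It should be `logCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/"`. The function starts before this hunk.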
@@ -2233,20 +2119,6 @@ set_progress_str() { fi } -set_ssh_cmds() { - local automated=$1 - - if [ $automated == yes ]; then - sshcmd="sshpass -p $SOREMOTEPASS1 ssh -o StrictHostKeyChecking=no" - sshcopyidcmd="sshpass -p $SOREMOTEPASS1 ssh-copy-id -o StrictHostKeyChecking=no" - scpcmd="sshpass -p $SOREMOTEPASS1 scp -o StrictHostKeyChecking=no" - else - sshcmd='ssh' - sshcopyidcmd='ssh-copy-id' - scpcmd='scp' - fi -} - set_default_log_size() { local percentage 
@@ -2280,82 +2152,39 @@ set_default_log_size() { set_hostname() { - hostnamectl set-hostname --static "$HOSTNAME" + logcmd "hostnamectl set-hostname --static '$HOSTNAME'" echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "$HOSTNAME" > /etc/hostname - hostname -F /etc/hostname + logCmd "hostname -F /etc/hostname" } set_initial_firewall_policy() { + title "Setting Initial Firewall Policy" + if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi - if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi - - case "$install_type" in - 'MANAGER') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" - ;; - 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ;; - 'HELIXSENSOR') - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ;; - 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - case 
"$install_type" in - 'SENSOR') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ;; - 'SEARCHNODE') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ;; - 'HEAVYNODE') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP" - ;; - 'FLEET') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" - ;; - 'IDH') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" - ;; - 'RECEIVER') - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP" - esac - ;; - 'PARSINGNODE') - # TODO: implement - ;; - 'HOTNODE') - # TODO: implement - ;; - 'WARMNODE') - # TODO: implement - ;; - esac - - # Add some firewall rules for analyst workstations that get added to the grid - if [[ $is_analyst ]]; then - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" + case "$install_type" in + 'MANAGER') + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" + ;; + 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') + 
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" + ;; + esac fi - } # Set up the management interface on the ISO set_management_interface() { - + title "Setting up the main interface" if [ "$address_type" = 'DHCP' ]; then - nmcli con mod "$MNIC" connection.autoconnect yes >> "$setup_log" 2>&1 - nmcli con up "$MNIC" >> "$setup_log" 2>&1 + logCmd "nmcli con mod '$MNIC' connection.autoconnect yes" + logCmd "nmcli con up '$MNIC'" else # Set Static IP nmcli con mod "$MNIC" ipv4.addresses "$MIP"/"$MMASK"\ @@ -2369,6 +2198,7 @@ set_management_interface() { } set_redirect() { + title "Setting redirect host" case $REDIRECTINFO in 'IP') REDIRECTIT="$MAINIP" @@ -2381,27 +2211,6 @@ set_redirect() { ;; esac } - -set_updates() { - if [ "$MANAGERUPDATES" = '1' ]; then - if [[ $is_centos ]]; then - if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then - if grep -q "proxy=" /etc/yum.conf; then - sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf - else - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf - fi - fi - else - # Set it up so the updates roll through the manager - printf '%s\n'\ - "Acquire::http::Proxy \"http://$MSRV:3142\";"\ - "Acquire::https::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy - fi - fi -} - -# $5 => (optional) password variable so_add_user() { local username=$1 local uid=$2 
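Review bot: The rewritten `case "$install_type"` in set_initial_firewall_policy has no default arm. With the HELIXSENSOR and node-type arms removed, any other install type now leaves the function without adding a firewall entry and without writing anything to the setup log. A default arm that records the skip would make a missing policy visible during troubleshooting, for example `*) info "No initial firewall policy set for $install_type" ;;`. It would also help to add a comment above the `case` saying where the other node types are expected to get their firewall entries, since this hunk deletes the code that did it.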
@@ -2410,8 +2219,8 @@ so_add_user() { if [ "$5" ]; then local pass=$5; fi info "Add $username user" - groupadd --gid "$gid" "$username" - useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" + logCmd "groupadd --gid '$gid' '$username'" + logCmd "useradd -m --uid '$uid' --gid '$gid' --home-dir '$home_dir' '$username'" # If a password has been passed in, set the password if [ "$pass" ]; then diff --git a/setup/so-setup b/setup/so-setup index a5ba241b7..aa2c94579 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -199,16 +199,6 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th logCmd 'ip a | grep "$MNIC:" | grep "state UP"' done info "Network is up on $MNIC" - - if [[ ! $is_iso ]]; then - # We might not need this any more - info "Installing sshpass for automated testing." - if [ "$OS" == ubuntu ]; then - retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1 - else - logCmd "yum -y install sshpass" - fi - fi fi # Make sure the setup type is suppoted. From c8a9fc2f26a4bcb8d5c5be3246addfe343676b46 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 14:27:35 -0400 Subject: [PATCH 0042/1082] Add more logging to setup process --- setup/so-functions | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2f586f151..d42022a4c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -913,7 +913,7 @@ detect_os() { exit 1 fi - info "Found OS: $OS $OSVER" >> "$log" 2>&1 + info "Found OS: $OS $OSVER" } @@ -2176,7 +2176,6 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" ;; esac - fi } # Set up the management interface on the ISO From 07263e03cbcfdcbe8fbfdb9e0d14c744650ff961 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 12 Sep 2022 14:30:28 -0400 Subject: [PATCH 0043/1082] Add more logging to setup process --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index aa2c94579..ac7f0dfd9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -196,7 +196,7 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th attempt=$((attempt + 1)) info "Sleeping 10s to try again" sleep 10; - logCmd 'ip a | grep "$MNIC:" | grep "state UP"' + logCmd "ip a | grep '$MNIC:' | grep 'state UP'" done info "Network is up on $MNIC" fi From 2de2b0eb2341dc687cb3499b18e85eff4b94e26d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 14:31:10 -0400 Subject: [PATCH 0044/1082] Add more logging to setup process --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d42022a4c..f5a33c910 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2152,7 +2152,7 @@ set_default_log_size() { set_hostname() { - logcmd "hostnamectl set-hostname --static '$HOSTNAME'" + logCmd "hostnamectl set-hostname --static '$HOSTNAME'" echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "$HOSTNAME" > /etc/hostname From 181e94a69de9e2a7b40e541d5cc0ad4bcdfd6887 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 14:35:32 -0400 Subject: [PATCH 0045/1082] Add more logging to setup process --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f5a33c910..f0da78ba4 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -783,7 +783,7 @@ configure_network_sensor() { fi # Create the bond interface only if it doesn't already exist - logCmd "nmcli -f name,uuid -p con | grep -q '$INTERFACE'" + nmcli -f name,uuid -p con | grep -q '$INTERFACE' local found_int=$? if [[ $found_int != 0 ]]; then @@ -1907,7 +1907,7 @@ repo_sync_local() { echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf - reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/ + logCmd "reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/" # After the download is complete run createrepo From a168aa8b812510dce524aed1d9d2e91b95d5384f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 14:53:34 -0400 Subject: [PATCH 0046/1082] Add more logging to setup process --- pillar/top.sls | 5 ----- setup/so-functions | 4 ++-- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index 1c3fb9635..e8bcabca3 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -45,7 +45,6 @@ base: - minions.adv_{{ grains.id }} '*_sensor': - - zeek.zeeklogs - healthcheck.sensor - soc_global - adv_global @@ -53,7 +52,6 @@ base: - minions.adv_{{ grains.id }} '*_eval': - - zeel.zeeklogs - secrets - healthcheck.eval - elasticsearch.index_templates @@ -82,7 +80,6 @@ base: {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets {% endif %} - - zeek.zeeklogs - secrets - healthcheck.standalone - soc_global @@ -94,7 +91,6 @@ base: - minions.adv_{{ grains.id }} '*_heavynode': - - zeek.zeeklogs - elasticsearch.auth - soc_global - minions.{{ grains.id }} 
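Review bot: With the logCmd wrapper removed, `grep -q '$INTERFACE'` in configure_network_sensor is parsed by the shell itself, and the single quotes stop `$INTERFACE` from expanding. grep then searches for the literal pattern, and `found_int` will be non-zero whether or not the bond connection already exists. Use double quotes instead: `nmcli -f name,uuid -p con | grep -q "$INTERFACE"`. The function extends beyond the hunk on both sides.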
@@ -131,7 +127,6 @@ base: - minions.adv_{{ grains.id }} '*_import': - - zeek.zeeklogs - secrets - elasticsearch.index_templates {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} diff --git a/setup/so-functions b/setup/so-functions index f0da78ba4..4954cb9cf 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -820,7 +820,7 @@ copy_salt_master_config() { logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" else logCmd "cp ../files/salt/master/master /etc/salt/master" - logCmd " ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" + logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi # Restart the service so it picks up the changes @@ -2152,7 +2152,7 @@ set_default_log_size() { set_hostname() { - logCmd "hostnamectl set-hostname --static '$HOSTNAME'" + logCmd "hostnamectl set-hostname --static $HOSTNAME" echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "$HOSTNAME" > /etc/hostname From f555846544c678eb24fcdf071648b647145ec666 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 15:06:29 -0400 Subject: [PATCH 0047/1082] Add more logging to setup process --- setup/so-functions | 2 +- setup/so-setup | 35 +++++++++++++++++------------------ setup/so-whiptail | 4 ++-- 3 files changed, 20 insertions(+), 21 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4954cb9cf..aae8261fd 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1868,7 +1868,7 @@ securityonion_repo() { # if the package is updated when the update_packages function is called logCmd "yum -v -y update centos-release" info "Backing up the .repo files that were added by the centos-release package." - logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/" + logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -exec mv -bvf {} /root/oldrepos/ \;" logCmd "yum repolist all" fi } diff --git a/setup/so-setup b/setup/so-setup index ac7f0dfd9..4272468b2 100755 --- a/setup/so-setup +++ b/setup/so-setup 
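Review bot: Inside the double-quoted logCmd argument in securityonion_repo, `\;` stays a backslash followed by a semicolon, so find only receives the bare `;` that terminates `-exec` if logCmd re-parses the string with the shell. If logCmd splits the string into words instead (its body is not visible here), find would report a missing argument to `-exec`. In that case the quotes around `'securityonion*repo'` would also become part of the `-name` pattern, so the exclusion would stop matching. Running this command directly avoids the dependency: `find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -exec mv -bvf {} /root/oldrepos/ \; >> "$setup_log" 2>&1`. The function begins before the hunk.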
@@ -534,40 +534,39 @@ if ! [[ -f $install_opt_file ]]; then copy_salt_master_config configure_minion "$minion_type" - salt-key -yd "$MINION_ID" #delete the minion key if it already exists - salt-call state.show_top >> /dev/null 2>&1 #talk to the salt-master so the minion key is created on the salt-master - salt-key -ya "$MINION_ID" #accept the key + logCmd "salt-key -yd '$MINION_ID'" + logCmd "salt-call state.show_top" + logCmd "salt-key -ya '$MINION_ID'" - salt-call state.apply salt.helper-packages - salt-call state.apply common.packages - salt-call state.apply common - salt-call state.apply docker - # Set the initial firewall policy - firewall_generate_templates; + logCmd "salt-call state.apply salt.helper-packages" + logCmd "salt-call state.apply common.packages" + logCmd "salt-call state.apply common" + logCmd "salt-call state.apply docker" + firewall_generate_templates set_initial_firewall_policy generate_ca generate_ssl # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf - mkdir -p /opt/so/conf/so-status/ - touch /opt/so/conf/so-status/so-status.conf + logCmd "mkdir -p /opt/so/conf/so-status/ " + logCmd "touch /opt/so/conf/so-status/so-status.conf" title "Importing Registry Docker" import_registry_docker title "Applying the registry state" - salt-call state.apply -l info registry + logCmd "salt-call state.apply -l info registry" title "Seeding the docker registry" docker_seed_registry title "Applying the manager state" - salt-call state.apply -l info manager - salt-call state.apply -l info firewall - salt-call state.highstate -l info + logCmd "salt-call state.apply -l info manager" + logCmd "salt-call state.apply -l info firewall" + logCmd "salt-call state.highstate -l info" add_web_user info "Restarting SOC to pick up initial user" - so-soc-restart - so-elastic-fleet-setup + logCmd "so-soc-restart" + logCmd "so-elastic-fleet-setup" title "Setting up Playbook" - so-playbook-reset + logCmd "so-playbook-reset" 
checkin_at_boot whiptail_setup_complete else diff --git a/setup/so-whiptail b/setup/so-whiptail index 55059e5f0..7b50a0b28 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1224,7 +1224,7 @@ whiptail_setup_complete() { if [[ -n $ALLOW_CIDR ]]; then local sentence_prefix="Access" else - local sentence_prefix="Run so-allow after reboot to access" + local sentence_prefix="Run so-allow to access" fi local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n" elif [[ $is_idh ]]; then @@ -1237,7 +1237,7 @@ whiptail_setup_complete() { read -r -d '' message <<- EOM Finished ${install_type} installation. $accessMessage - Press ENTER to reboot. + Press ENTER to exit setup. EOM whiptail --title "$whiptail_title" --msgbox "$message" 12 75 From 030f4d228a714f2ca3bd3d2bede158d41d1f9b3e Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 12 Sep 2022 15:10:24 -0400 Subject: [PATCH 0048/1082] Add back Elastic Agent default templates --- salt/elasticsearch/defaults.yaml | 374 +++++++++++++++++++++++++++++++ 1 file changed, 374 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 96206fddd..d7f5efba5 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
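Review bot: Wrapping the salt-key and salt-call lines in logCmd dropped the trailing comments that explained them, and the reason `state.show_top` runs between deleting and accepting the minion key is not obvious without them. Keep them as comment lines above each call, e.g. `# talk to the salt-master so the minion key is created on the salt-master` before `logCmd "salt-call state.show_top"`, and likewise for the delete and accept steps. The hunk also removes `# Set the initial firewall policy` ahead of firewall_generate_templates, which is worth keeping for the same reason.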
@@ -57,6 +57,380 @@ elasticsearch: elasticsearch: deprecation: ERROR index_settings: + so-logs-elastic_agent.apm_server: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.apm_server-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.apm_server@package" + - "so-logs-elastic_agent.apm_server@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.auditbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.auditbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.auditbeat@package" + - "so-logs-elastic_agent.auditbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.cloudbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.cloudbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.cloudbeat@package" + - "so-logs-elastic_agent.cloudbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + 
managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.endpoint_security: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.endpoint_security-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.endpoint_security@package" + - "so-logs-elastic_agent.endpoint_security@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.filebeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.filebeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.filebeat@package" + - "so-logs-elastic_agent.filebeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.fleet_server: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.fleet_server-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.fleet_server@package" + - "so-logs-elastic_agent.fleet_server@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + 
managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.heartbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.heartbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.heartbeat@package" + - "so-logs-elastic_agent.heartbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent@package" + - "so-logs-elastic_agent@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.metricbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.metricbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.metricbeat@package" + - "so-logs-elastic_agent.metricbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + 
hidden: false + allow_custom_routing: false + so-logs-elastic_agent.osquerybeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.osquerybeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.osquerybeat@package" + - "so-logs-elastic_agent.osquerybeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false + so-logs-elastic_agent.packetbeat: + index_sorting: False + index_template: + index_patterns: + - "logs-elastic_agent.packetbeat-*" + template: + settings: + index: + mapping: + total_fields: + limit: 5000 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + composed_of: + - "so-logs-elastic_agent.packetbeat@package" + - "so-logs-elastic_agent.packetbeat@custom" + - ".fleet_globals-1" + - ".fleet_agent_id_verification-1" + priority: 500 + _meta: + package: + name: elastic_agent + managed_by: fleet + managed: true + data_stream: + hidden: false + allow_custom_routing: false so-aws: warm: 7 close: 30 From 17239ac6e4ca5d120c48a6a9a94362daaaba6bb9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 15:18:09 -0400 Subject: [PATCH 0049/1082] Add more logging to setup process --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 4272468b2..d9680ac6c 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -534,9 +534,9 @@ if ! [[ -f $install_opt_file ]]; then copy_salt_master_config configure_minion "$minion_type" - logCmd "salt-key -yd '$MINION_ID'" + logCmd "salt-key -yd $MINION_ID" logCmd "salt-call state.show_top" - logCmd "salt-key -ya '$MINION_ID'" + logCmd "salt-key -ya $MINION_ID" logCmd "salt-call state.apply salt.helper-packages" logCmd "salt-call state.apply common.packages" From ea7c8e1fd928a61f2c05d6b3ed09aa82e88cb994 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 15:43:18 -0400 Subject: [PATCH 0050/1082] Add more logging to setup process --- setup/so-functions | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index aae8261fd..72f703f08 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -822,7 +822,12 @@ copy_salt_master_config() { logCmd "cp ../files/salt/master/master /etc/salt/master" logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi - + info "Copying pillar and salt files in '$temp_install_dir' to '$local_salt_dir'" + logCmd "cp -Rv '$temp_install_dir'/pillar/ '$local_salt_dir'/" + if [ -d "$temp_install_dir"/salt ] ; then + logCmd "cp -Rv '$temp_install_dir'/salt/ $local_salt_dir/" + fi + # Restart the service so it picks up the changes logCmd "systemctl daemon-reload" logCmd "systemctl restart salt-master" From 7ec66d1cd16ffe81281784a6ca18ad5ad5d9036c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 15:46:33 -0400 Subject: [PATCH 0051/1082] Add more logging to setup process --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 72f703f08..35fac125e 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -823,11 +823,11 @@ copy_salt_master_config() { logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi info "Copying pillar and salt files in '$temp_install_dir' to '$local_salt_dir'" - logCmd "cp -Rv '$temp_install_dir'/pillar/ '$local_salt_dir'/" + logCmd "cp -Rv $temp_install_dir/pillar/ $local_salt_dir/" if [ -d "$temp_install_dir"/salt ] ; then - logCmd "cp -Rv '$temp_install_dir'/salt/ $local_salt_dir/" + logCmd "cp -Rv $temp_install_dir/salt/ $local_salt_dir/" fi - + # Restart the service so it picks up the changes logCmd "systemctl daemon-reload" logCmd "systemctl restart salt-master" From a01fadd067213549273e0f6e0dc9130e5e78b05b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 15:56:08 -0400 Subject: [PATCH 0052/1082] Add more logging to setup process --- setup/so-functions | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 35fac125e..b517f37c4 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -822,7 +822,7 @@ copy_salt_master_config() { logCmd "cp ../files/salt/master/master /etc/salt/master" logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi - info "Copying pillar and salt files in '$temp_install_dir' to '$local_salt_dir'" + info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" logCmd "cp -Rv $temp_install_dir/pillar/ $local_salt_dir/" if [ -d "$temp_install_dir"/salt ] ; then logCmd "cp -Rv $temp_install_dir/salt/ $local_salt_dir/" @@ -840,10 +840,10 @@ create_local_directories() { for d in $(find $PILLARSALTDIR/$i -type d); do suffixdir=${d//$PILLARSALTDIR/} if [ ! -d "$local_salt_dir/$suffixdir" ]; then - logCmd "mkdir -pv '$local_salt_dir$suffixdir'" + logCmd "mkdir -pv $local_salt_dir$suffixdir" fi done - logCmd "chown -R socore:socore '$local_salt_dir/$i'" + logCmd "chown -R socore:socore $local_salt_dir/$i" done } 
@@ -1045,7 +1045,7 @@ docker_seed_registry() { elasticsearch_pillar() { title "Create Advanced File" - logCmd "touch '$adv_elasticsearch_pillar_file'" + logCmd "touch $adv_elasticsearch_pillar_file" # Create the Elasticsearch pillar printf '%s\n'\ "elasticsearch:"\ @@ -1154,7 +1154,7 @@ firewall_generate_templates() { title "Generate Firewall Template" local firewall_pillar_path=$local_salt_dir/salt/firewall - logCmd "mkdir -p '$firewall_pillar_path'" + logCmd "mkdir -p $firewall_pillar_path" logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" @@ -1226,10 +1226,10 @@ get_minion_type() { install_cleanup() { if [ -f "$temp_install_dir" ]; then info "Installer removing the following files:" - logCmd "ls -lR '$temp_install_dir'" + logCmd "ls -lR $temp_install_dir" # Clean up after ourselves - logCmd "rm -rf '$temp_install_dir'" + logCmd "rm -rf $temp_install_dir" fi # All cleanup prior to this statement must be compatible with automated testing. Cleanup @@ -1585,7 +1585,7 @@ patch_schedule_os_new() { local OSPATCHSCHEDULEDIR="$temp_install_dir/salt/patch/os/schedules" local OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml" - logCmd "mkdir -p '$OSPATCHSCHEDULEDIR'" + logCmd "mkdir -p $OSPATCHSCHEDULEDIR" printf '%s\n'\ "patch:"\ From 6e052a306363ca78f0f25bb7dfde76ee302c27b4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 12 Sep 2022 17:17:14 -0400 Subject: [PATCH 0053/1082] Pull in dev --- salt/utility/bin/crossthestreams | 42 ++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 salt/utility/bin/crossthestreams diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams new file mode 100644 index 000000000..38b7ab09c --- /dev/null +++ b/salt/utility/bin/crossthestreams 
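Review bot: In the `install_cleanup` hunk, `rm -rf $temp_install_dir` loses its quotes, which makes it the one destructive command in this commit whose target depends on word splitting; depending on how `logCmd` runs the string, a value with a space or glob character would remove other paths. I would keep the path as a single argument and refuse an empty value, e.g. `[[ -n "$temp_install_dir" ]] || return`, before the `ls`/`rm` pair. The guard on the context line is `[ -f "$temp_install_dir" ]`, while `copy_salt_master_config` treats the same variable as a directory (`[ -d "$temp_install_dir"/salt ]`), so this branch presumably never runs; `-d` looks like what was meant. The function continues outside the hunk.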
@@ -0,0 +1,42 @@ +#!/bin/bash +{% set ES = salt['pillar.get']('global:managerip', '') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} + +# Wait for ElasticSearch to come up, so that we can query for version infromation +echo -n "Waiting for ElasticSearch..." +COUNT=0 +ELASTICSEARCH_CONNECTED="no" +while [[ "$COUNT" -le 30 ]]; do + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi +done +if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'" + echo + + exit +fi + +echo "Applying cross cluster search config..." + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ + -H 'Content-Type: application/json' \ + -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" + +# Add all the search nodes to cross cluster searching. +{%- if TRUECLUSTER is sameas false %} + {%- if salt['pillar.get']('nodestab', {}) %} + {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' + {%- endfor %} + {%- endif %} +{%- endif %} From ec187e9d854eaefd5da3b390871bbb35f15cc4ee Mon Sep 17 00:00:00 2001 
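Review bot: Every `curl` call in this new script passes `-k` together with `-K /opt/so/conf/elasticsearch/curl.config`, so whatever that config file supplies (presumably the Elasticsearch credentials) is sent to `https://{{ ES }}:9200` without verifying the server certificate. I would drop `-k` and point curl at the CA instead, e.g. `--cacert <CA_BUNDLE_PATH>`, in the wait loop and in both `_cluster/settings` calls. Separately, the bare `exit` after the timeout message returns the status of the preceding `echo`, so callers see success; `exit 1` would make the failure visible. `{{ MANAGER }}` and `{{ SN }}` are also rendered straight into the JSON bodies, so a comment stating that these values are expected to be plain host names would help.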
From: Mike Reeves Date: Mon, 12 Sep 2022 17:35:42 -0400 Subject: [PATCH 0054/1082] Pull in dev --- salt/utility/bin/crossthestreams | 42 -------------------------------- 1 file changed, 42 deletions(-) delete mode 100644 salt/utility/bin/crossthestreams diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams deleted file mode 100644 index 38b7ab09c..000000000 --- a/salt/utility/bin/crossthestreams +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/bash -{% set ES = salt['pillar.get']('global:managerip', '') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} - -# Wait for ElasticSearch to come up, so that we can query for version infromation -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 30 ]]; do - curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200 - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'" - echo - - exit -fi - -echo "Applying cross cluster search config..." - curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \ - -H 'Content-Type: application/json' \ - -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" - -# Add all the search nodes to cross cluster searching. -{%- if TRUECLUSTER is sameas false %} - {%- if salt['pillar.get']('nodestab', {}) %} - {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} -curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}' - {%- endfor %} - {%- endif %} -{%- endif %} From 4a28841a7c14c29f5a4cc37908bd4a9a57fe4506 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Tue, 13 Sep 2022 06:38:05 -0400 Subject: [PATCH 0055/1082] Fix elastic agent gen script --- salt/common/tools/sbin/so-elastic-agent-gen-installers | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers index 9e579269d..131292dab 100644 --- a/salt/common/tools/sbin/so-elastic-agent-gen-installers +++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers @@ -6,6 +6,8 @@ #so-elastic-agent-gen-installers $FleetHost $EnrollmentToken +{% from 'vars/globals.map.jinja' import GLOBALS %} + . /usr/sbin/so-common ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key') @@ -27,6 +29,6 @@ do --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/,target=/output/ \ - so-elastic-agent-builder go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS + {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS printf "\n $OS Installer Generated..." done From 74d991da45f813254d917bfa9e0a5cc6a65f80fa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Sep 2022 07:17:03 -0400 Subject: [PATCH 0056/1082] Fix Typeo --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index b517f37c4..7bba91092 100755 --- a/setup/so-functions 
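Review bot: The `docker run … go build` line bakes `$ENROLLMENTOKEN` into the installer through `-ldflags`, but nothing between the `curl … | jq` assignment and the loop checks that the token is non-empty, so a failed Kibana query would presumably still produce installers, just with an empty token. A guard such as `[[ -n "$ENROLLMENTOKEN" ]] || { echo "no enrollment token"; exit 1; }` before the loop would stop that. The token also sits in the `docker run` argument list, where it is visible in the process listing while the build runs; that deserves at least a comment. The loop starts outside this hunk.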
+++ b/setup/so-functions @@ -2086,7 +2086,7 @@ setup_salt_master_dirs() { # Copy over the salt code and templates if [ "$setup_type" = 'iso' ]; then logCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/" - ogCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/" + logCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/" logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/" else From a32ff6f4033105336f5c3aefc1a8fa414b926b6d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Sep 2022 11:29:31 -0400 Subject: [PATCH 0057/1082] Modify Suricata defaults --- salt/suricata/defaults.yaml | 187 +++++++++++++++++------------------- 1 file changed, 86 insertions(+), 101 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 3d87eca9f..ed60dca97 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml 
@@ -33,98 +33,97 @@ suricata: enabled: "yes" interval: 30 outputs: - - fast: + fast: + enabled: "no" + filename: fast.log + append: "yes" + eve-log: + enabled: "yes" + filetype: regular + filename: /nsm/eve-%Y-%m-%d-%H:%M.json + rotate-interval: hour + pcap-file: false + community-id: true + community-id-seed: 0 + xff: enabled: "no" - filename: fast.log - append: "yes" - - eve-log: - enabled: "yes" - filetype: regular - filename: /nsm/eve-%Y-%m-%d-%H:%M.json - rotate-interval: hour - pcap-file: false - community-id: true - community-id-seed: 0 - xff: - enabled: "no" - mode: extra-data - deployment: reverse - header: X-Forwarded-For - types: - - alert: - payload: "no" - payload-buffer-size: 4kb - payload-printable: "yes" - packet: "yes" - metadata: - app-layer: false - flow: false - rule: - metadata: true - raw: true - tagged-packets: "no" - - unified2-alert: - enabled: "no" - - http-log: - enabled: "no" - filename: http.log - append: "yes" - - tls-log: - enabled: "no" - filename: tls.log - append: "yes" - - tls-store: - enabled: "no" - - pcap-log: - enabled: "no" - filename: log.pcap - limit: 1000mb - max-files: 2000 - compression: none - + mode: extra-data + deployment: reverse + header: X-Forwarded-For + types: + - alert: + payload: "no" + payload-buffer-size: 4kb + payload-printable: "yes" + packet: "yes" + metadata: + app-layer: false + flow: false + rule: + metadata: true + raw: true + tagged-packets: "no" + unified2-alert: + enabled: "no" + http-log: + enabled: "no" + filename: http.log + append: "yes" + tls-log: + enabled: "no" + filename: tls.log + append: "yes" + tls-store: + enabled: "no" + pcap-log: + enabled: "no" + filename: log.pcap + limit: 1000mb + max-files: 2000 + compression: none mode: normal - use-stream-depth: "no" - honor-pass-rules: "no" - - alert-debug: + use-stream-depth: "no" + honor-pass-rules: "no" + alert-debug: + enabled: "no" + filename: alert-debug.log + append: "yes" + alert-prelude: + enabled: "no" + profile: suricata + 
log-packet-content: "no" + log-packet-header: "yes" + stats: + enabled: "yes" + filename: stats.log + append: "yes" + totals: "yes" + threads: "no" + null-values: "yes" + syslog: + enabled: "no" + facility: local5 + drop: + enabled: "no" + file-store: + version: 2 + enabled: "no" + xff: enabled: "no" - filename: alert-debug.log - append: "yes" - - alert-prelude: - enabled: "no" - profile: suricata - log-packet-content: "no" - log-packet-header: "yes" - - stats: - enabled: "yes" - filename: stats.log - append: "yes" - totals: "yes" - threads: "no" - null-values: "yes" - - syslog: - enabled: "no" - facility: local5 - - drop: - enabled: "no" - - file-store: - version: 2 - enabled: "no" - xff: - enabled: "no" - mode: extra-data - deployment: reverse - header: X-Forwarded-For - - tcp-data: - enabled: "no" - type: file - filename: tcp-data.log - - http-body-data: + mode: extra-data + deployment: reverse + header: X-Forwarded-For + tcp-data: + enabled: "no" + type: file + filename: tcp-data.log + http-body-data: enabled: "no" type: file filename: http-data.log - - lua: - enabled: "no" - scripts: + lua: + enabled: "no" + scripts: logging: default-log-level: notice outputs: @@ -397,25 +396,11 @@ suricata: locks: enabled: "no" filename: lock_stats.log - append: "yes" - + append: "yes" pcap-log: enabled: "no" filename: pcaplog_stats.log append: "yes" - nfq: - nflog: - - group: 2 - buffer-size: 18432 - - group: default - qthreshold: 1 - qtimeout: 100 - max-size: 20000 - capture: - netmap: - - interface: eth2 - - interface: default - ipfw: default-rule-path: /etc/suricata/rules rule-files: - all.rules From df1a64b5e023f4ce48f855fb17894b3cf6e4aaf4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Sep 2022 11:45:59 -0400 Subject: [PATCH 0058/1082] Modify more defaults --- salt/idh/defaults/defaults.yaml | 1 - salt/suricata/defaults.yaml | 12 ------------ 2 files changed, 13 deletions(-) 
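Review bot: `outputs` changes here from a sequence of single-key maps (`- fast:`, `- eve-log:` …) to one mapping, yet this commit touches only `defaults.yaml`. Suricata itself reads `outputs` as a list, so whatever renders these defaults into suricata.yaml has to turn the mapping back into a list, and an existing pillar override still written as a list would presumably no longer merge with these defaults. If per-key merging is the intent, I would say so above `outputs:`, e.g. `# mapping, not a list, so pillar overrides merge per output; converted back to a list at render time`, and confirm the rendering side was updated. Indentation is not recoverable from this view, so the nesting of `xff`, `mode: normal` and `http-body-data` on the new side should be checked against the file.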
diff --git a/salt/idh/defaults/defaults.yaml b/salt/idh/defaults/defaults.yaml index e5b966c10..4ed6bc3c5 100644 --- a/salt/idh/defaults/defaults.yaml +++ b/salt/idh/defaults/defaults.yaml @@ -26,7 +26,6 @@ idh: tcpbanner_1.datareceivedbanner: '' tcpbanner_1.initbanner: '' tcpbanner_1.alertstring.enabled: false - tcpbanner_1.alertstring: '' tcpbanner_1.keep_alive.enabled: false tcpbanner_1.keep_alive_secret: '' tcpbanner_1.keep_alive_probes: 11 diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index ed60dca97..0fe3b444f 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -77,22 +77,10 @@ suricata: enabled: "no" pcap-log: enabled: "no" - filename: log.pcap - limit: 1000mb - max-files: 2000 - compression: none - mode: normal - use-stream-depth: "no" - honor-pass-rules: "no" alert-debug: enabled: "no" - filename: alert-debug.log - append: "yes" alert-prelude: enabled: "no" - profile: suricata - log-packet-content: "no" - log-packet-header: "yes" stats: enabled: "yes" filename: stats.log From 21c7f940d7152b4c2b6d2e5eebaa82183cfccd09 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Tue, 13 Sep 2022 11:48:25 -0400 Subject: [PATCH 0059/1082] Update copyrights --- .../tools/sbin/so-elasticsearch-indices-list | 19 +++++-------------- .../sbin/so-elasticsearch-pipeline-stats | 19 +++++-------------- .../tools/sbin/so-elasticsearch-pipeline-view | 19 +++++-------------- salt/common/tools/sbin/so-elasticsearch-query | 19 +++++-------------- .../tools/sbin/so-elasticsearch-shards-list | 19 +++++-------------- .../sbin/so-elasticsearch-template-remove | 19 +++++-------------- .../tools/sbin/so-elasticsearch-template-view | 19 +++++-------------- salt/common/tools/sbin/so-logstash-events | 19 +++++-------------- .../tools/sbin/so-logstash-pipeline-stats | 19 +++++-------------- salt/common/tools/sbin/so-tcpreplay | 18 ++++-------------- salt/common/tools/sbin/so-tcpreplay-start | 18 ++++-------------- salt/common/tools/sbin/so-test | 18 ++++-------------- salt/filebeat/init.sls | 17 ++++------------- salt/idh/init.sls | 18 ++++-------------- salt/soc/files/soc/custom.js | 14 +++++--------- salt/strelka/init.sls | 19 +++++-------------- 16 files changed, 75 insertions(+), 218 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list index a71f127eb..7267ec1b5 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-list +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats index 8f541d2ee..82590d142 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-view b/salt/common/tools/sbin/so-elasticsearch-pipeline-view index 03e3c2a6a..535556f2c 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-query b/salt/common/tools/sbin/so-elasticsearch-query index e5d1f58e6..f616f24fb 100755 --- a/salt/common/tools/sbin/so-elasticsearch-query +++ b/salt/common/tools/sbin/so-elasticsearch-query 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + . /usr/sbin/so-common if [[ $# -lt 1 ]]; then diff --git a/salt/common/tools/sbin/so-elasticsearch-shards-list b/salt/common/tools/sbin/so-elasticsearch-shards-list index 378888873..192d2c6f0 100755 --- a/salt/common/tools/sbin/so-elasticsearch-shards-list +++ b/salt/common/tools/sbin/so-elasticsearch-shards-list 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-template-remove b/salt/common/tools/sbin/so-elasticsearch-template-remove index d69b82fc4..5028cbb07 100755 --- a/salt/common/tools/sbin/so-elasticsearch-template-remove +++ b/salt/common/tools/sbin/so-elasticsearch-template-remove 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-template-view b/salt/common/tools/sbin/so-elasticsearch-template-view index 6d549d7c0..5934de13e 100755 --- a/salt/common/tools/sbin/so-elasticsearch-template-view +++ b/salt/common/tools/sbin/so-elasticsearch-template-view 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-events b/salt/common/tools/sbin/so-logstash-events index 1765fd654..5ea34ad80 100755 --- a/salt/common/tools/sbin/so-logstash-events +++ b/salt/common/tools/sbin/so-logstash-events 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% set MAININT = salt['pillar.get']('host:mainint') -%} {% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%} diff --git a/salt/common/tools/sbin/so-logstash-pipeline-stats b/salt/common/tools/sbin/so-logstash-pipeline-stats index 31cfaee34..4ad58e5b3 100755 --- a/salt/common/tools/sbin/so-logstash-pipeline-stats +++ b/salt/common/tools/sbin/so-logstash-pipeline-stats 
@@ -1,19 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% set MAININT = salt['pillar.get']('host:mainint') -%} {% set NODEIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] -%} diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index 8165d55b7..99314c289 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay 
@@ -1,19 +1,9 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. # Usage: so-tcpreplay "/opt/samples/*" diff --git a/salt/common/tools/sbin/so-tcpreplay-start b/salt/common/tools/sbin/so-tcpreplay-start index 3bef3c76c..8c0d95623 100755 --- a/salt/common/tools/sbin/so-tcpreplay-start +++ b/salt/common/tools/sbin/so-tcpreplay-start 
@@ -1,19 +1,9 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-test b/salt/common/tools/sbin/so-test index aedcb0ad6..8d6bcf4e1 100755 --- a/salt/common/tools/sbin/so-test +++ b/salt/common/tools/sbin/so-test 
@@ -1,18 +1,8 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. so-tcpreplay /opt/samples/* 2> /dev/null diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index dd30d4205..8fab6963a 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -1,17 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# Copyright 2014-2022 Security Onion Solutions, LLC -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} diff --git a/salt/idh/init.sls b/salt/idh/init.sls index bcde7212a..d4191c31e 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls 
@@ -1,17 +1,7 @@ - -# Copyright 2014-2022 Security Onion Solutions, LLC -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} diff --git a/salt/soc/files/soc/custom.js b/salt/soc/files/soc/custom.js index 9b8fd51a3..cf6c85b8a 100644 --- a/salt/soc/files/soc/custom.js +++ b/salt/soc/files/soc/custom.js 
@@ -1,12 +1,8 @@ -// Copyright 2019 Jason Ertel (jertel). All rights reserved. -// Copyright 2021-2022 Security Onion Solutions, LLC. All rights reserved. -// -// This program is distributed under the terms of version 2 of the -// GNU General Public License. See LICENSE for further details. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +// Copyright Jason Ertel (github.com/jertel). +// Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +// https://securityonion.net/license; you may not use this file except in compliance with the +// Elastic License 2.0. /* diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 6bdd1b1d1..330bdb681 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -1,17 +1,8 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} From d2fc712400caa3c9cfa92d60c9ffec87758cb7f1 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 13 Sep 2022 11:49:19 -0400 Subject: [PATCH 0060/1082] Initial SOC annotations --- salt/soc/soc_soc.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 salt/soc/soc_soc.yaml diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml new file mode 100644 index 000000000..7ae91d98c --- /dev/null +++ b/salt/soc/soc_soc.yaml 
@@ -0,0 +1,23 @@ +soc: + files: + soc: + banner__md: + title: Login Banner + description: Customize the login page with a specific markdown-formatted message. + file: True + global: True + motd__md: + title: Overview Page + description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser. + file: True + global: True + custom__js: + title: Custom Javascript + description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support. + file: True + global: True + custom_roles: + title: Custom Roles + description: Add additional roles for assigning to users. These roles will not have specific permissions associated to them, however, this can be useful for organizing SOC analyst teams. + file: True + global: True \ No newline at end of file From d12ff79af03b55d3718daa7fa5f685c32a02caab Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 13 Sep 2022 12:08:19 -0400 Subject: [PATCH 0061/1082] Remove comments to avoid confusing config viewers within SOC --- salt/soc/files/soc/custom.js | 17 ----------------- salt/soc/files/soc/custom_roles | 23 ----------------------- salt/soc/soc_soc.yaml | 8 +++++--- 3 files changed, 5 insertions(+), 43 deletions(-) diff --git a/salt/soc/files/soc/custom.js b/salt/soc/files/soc/custom.js index cf6c85b8a..e69de29bb 100644 --- a/salt/soc/files/soc/custom.js +++ b/salt/soc/files/soc/custom.js 
@@ -1,17 +0,0 @@ -// Copyright Jason Ertel (github.com/jertel). -// Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -// or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -// https://securityonion.net/license; you may not use this file except in compliance with the -// Elastic License 2.0. - -/* - - *** WARNING *** WARNING *** WARNING *** - - Future upgrades of Security Onion are NOT guaranteed to work - with any content added to this file. Knowing this, it is strongly - suggested to avoid and/or minimize the extent of any - content placed here so that upgrading to newer version of - Security Onion do not become a burden. - -*/ diff --git a/salt/soc/files/soc/custom_roles b/salt/soc/files/soc/custom_roles index b95b94da4..e69de29bb 100644 --- a/salt/soc/files/soc/custom_roles +++ b/salt/soc/files/soc/custom_roles 
@@ -1,23 +0,0 @@ -# Define custom business role mappings, or remove mappings that come with -# the default SOC deployment. -# -# IMPORTANT: This file should be copied from the salt/default tree into -# the salt/local tree (preserving the same directory structure). -# Failure to do this will result in the customizations being -# overwritten on future upgrades. -# -# Syntax => prebuiltRoleX: customRoleY: op -# Explanation => roleY and roleZ are adjusted permissions of roleX, op is: -# + add the new permissions/role mappings (default) -# - remove existing "explicit" prebuilt permissions. This -# does not work with implictly inherited permissions. -# -# In the example below, we will define two new roles for segregating -# analysts into two regions. Then we will remove the ability for all -# analysts to see the roles of other analysts. (Seperately we will need to -# define these two new roles in Elasticsearch so that each analyst region -# can only see data from their specific region's indices, but that is out -# of scope from this file.) -# -# analyst: westcoast_analyst, eastcoast_analyst -# roles/read: user-monitor:- \ No newline at end of file diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 7ae91d98c..57afc11e3 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -13,11 +13,13 @@ soc: global: True custom__js: title: Custom Javascript - description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support. + description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. file: True global: True + advanced: True custom_roles: title: Custom Roles - description: Add additional roles for assigning to users. These roles will not have specific permissions associated to them, however, this can be useful for organizing SOC analyst teams. + description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system. file: True - global: True \ No newline at end of file + global: True + advanced: True \ No newline at end of file From b38f0fa996d717cf693d049a27f2581bee34664a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Sep 2022 12:13:45 -0400 Subject: [PATCH 0062/1082] Update watermark settings --- salt/elasticsearch/defaults.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index d7f5efba5..bb22849e5 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -9,9 +9,9 @@ elasticsearch: disk: threshold_enabled: true watermark: - low: 95% - high: 98% - flood_stage: 98% + low: 85% + high: 90% + flood_stage: 95% network: host: 0.0.0.0 path: From de047cea8e6cfebda32be848652f621db34a0b65 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 13 Sep 2022 13:56:37 -0400 Subject: [PATCH 0063/1082] Add Grafana annotation --- salt/elastalert/soc_elastalert.yaml | 11 ++++++++- salt/grafana/grafana_defaults.yaml | 27 ++++++++++---------- salt/grafana/soc_grafana.yaml | 38 +++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 15 deletions(-) create mode 100644 salt/grafana/soc_grafana.yaml diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 4d381d9da..efc0058e7 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -2,24 +2,33 @@ elastalert: config: disable_rules_on_error: description: Disable rules on failure. - run_every: + global: True + run_every: minutes: description: Amount of time in minutes between searches. + global: True buffer_time: minutes: description: Amount of time in minutes to look through. + global: True old_query_limit: minutes: description: Amount of time in minutes between queries to start at the most recently run query. + global: True es_conn_timeout: description: Timeout in seconds for connecting to and reading from Elasticsearch. + global: True max_query_size: description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. + global: True alert_time_limit: days: description: The retry window for failed alerts. + global: True index_settings: shards: description: The amount of shards to use for elastalert. + global: True replicas: description: The amount of replicas for the Elastalert index. + global: True diff --git a/salt/grafana/grafana_defaults.yaml b/salt/grafana/grafana_defaults.yaml index 024fd5dfd..b05775886 100644 --- a/salt/grafana/grafana_defaults.yaml +++ b/salt/grafana/grafana_defaults.yaml 
@@ -8,22 +8,21 @@ grafana: org_role: Viewer smtp: enabled: false -# host: localhost:25 -# user: myuser - # If the password contains # or ; you have to wrap it with triple quotes wrapped by single quotes. Ex '"""#password;"""' -# password: mypassword -# cert_file: /etc/grafana/config/files/smtp_cert_file.crt -# key_file: /etc/grafana/config/files/smtp_key_file.key -# skip_verify: false + host: localhost:25 + user: myuser + password: mypassword + cert_file: /etc/grafana/config/files/smtp_cert_file.crt + key_file: /etc/grafana/config/files/smtp_key_file.key + skip_verify: false from_address: admin@grafana.localhost from_name: Grafana -# ehlo_identity: dashboard.example.com -# auth.ldap: -# enabled: false -# config_file: /etc/grafana/config/files/ldap.toml -# allow_sign_up: true -# enterprise: -# license_path: /opt/so/conf/grafana/etc/files/license.jwt + ehlo_identity: dashboard.example.com + auth.ldap: + enabled: false + config_file: /etc/grafana/config/files/ldap.toml + allow_sign_up: true + enterprise: + license_path: /opt/so/conf/grafana/etc/files/license.jwt dashboards: overview: title: 'Security Onion Grid Overview' diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml new file mode 100644 index 000000000..f9c291a74 --- /dev/null +++ b/salt/grafana/soc_grafana.yaml 
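Review bot: Uncommenting `user: myuser` and `password: mypassword` under `smtp` turns sample credentials into live default values, so a grid that only flips `enabled` to true would presumably offer them to the SMTP server until someone overrides them. Empty defaults would be safer: `user: ''` and `password: ''`. The hunk also drops the comment explaining that a password containing `#` or `;` has to be wrapped in triple quotes. Whoever sets the value still needs that guidance, which could move into the setting's description in soc_grafana.yaml. The enclosing `grafana:` mapping starts and ends outside the hunk.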
@@ -0,0 +1,38 @@ +grafana: + config: + smtp: + enabled: + description: Enable the sending of emails from Grafana. + global: True + host: + description: Hostname of the SMTP server. + global: True + user: + description: User used to authenticate SMTP. + global: True + password: + description: Password used to authenticate SMTP. + global: True + sensitive: True + cert_file: + description: Location of cert file for SMTP. + global: True + key_file: + description: Location of key file for SMTP. + global: True + skip_verify: + description: Verify SSL certificates. + global: True + from_address: + description: The email address you would like in the from field. + global: True + from_name: + description: The name displayed for the from email address. + global: True + ehlo_identity: + description: Used with servers with SMTP service extensions. + global: True + enterprise: + license_path: + description: Path to enterprise license key. + global: True From 064b64f68a14ff4188c96e148a3a38606a1a0fad Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 13 Sep 2022 14:00:04 -0400 Subject: [PATCH 0064/1082] Add Grafana annotation --- salt/elastalert/soc_elastalert.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index efc0058e7..5d9e386e8 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -3,7 +3,7 @@ elastalert: disable_rules_on_error: description: Disable rules on failure. global: True - run_every: + run_every: minutes: description: Amount of time in minutes between searches. global: True From d1eb7ef8490e57cd1fa667d08ebc9a46349fd5e5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 13 Sep 2022 14:23:50 -0400 Subject: [PATCH 0065/1082] Always use local docs --- salt/soc/defaults.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d162294ce..7c0f78f96 100644 
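Review bot: The description for `skip_verify` reads `Verify SSL certificates.`, which is the opposite of what the key name says: turning a skip-verify setting on disables certificate verification. An operator who trusts the description could switch off TLS verification for SMTP while believing it was switched on. Suggested wording: `description: Skip verification of the SMTP server's TLS certificate. Leave disabled outside of testing.`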
--- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -91,9 +91,9 @@ soc: userFiles: - rbac/users_roles client: - docsUrl: https://docs.securityonion.net/en/2.3/ - cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf - releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes + docsUrl: /docs/ + cheatsheetUrl: /docs/cheatsheet.pdf + releaseNotesUrl: /docs/#release-notes apiTimeoutMs: 0 webSocketTimeoutMs: 0 tipTimeoutMs: 0 From deb19d24b86dc980a24a9c58d070bb28be6878db Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 13 Sep 2022 14:24:35 -0400 Subject: [PATCH 0066/1082] Always use local docs --- salt/soc/merged.map.jinja | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 878ea72e6..09f8c8926 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -21,16 +21,6 @@ {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #} {% do SOCMERGED.server.modules.pop('cases') %} -{# change some options if this is airgap #} -{% if GLOBALS.airgap %} -{% do SOCMERGED.server.client.update({ - 'docsUrl': '/docs/', - 'cheatsheetUrl': '/docs/cheatsheet.pdf', - 'releaseNotesUrl': '/docs/#release-notes' - }) -%} -{% endif %} - {% if pillar.manager.playbook == 0 %} {% do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} From bf14612258a48e627d1b693beac6b23582accfdf Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 13 Sep 2022 15:58:53 -0400 Subject: [PATCH 0067/1082] Change out Elastic Fleet certs --- salt/common/tools/sbin/so-elastic-fleet-setup | 10 ++- salt/elastic-fleet/init.sls | 6 +- salt/ssl/init.sls | 82 +++++++++++++++++++ 3 files changed, 91 insertions(+), 7 deletions(-) 
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 490fb34db..85ca755fa 100644 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -20,10 +20,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle printf "\n\n" # Create Logstash Output payload -cp /etc/ssl/certs/intca.crt /opt/so/conf/filebeat/etc/pki/ -LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt) -LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/filebeat/etc/pki/filebeat.key) -LOGSTASHCA=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/intca.crt) +mkdir /opt/so/conf/elastic-fleet/certs +cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs +cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs +LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt) +LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/elastic-fleet/certs/elasticfleet.key) +LOGSTASHCA=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) JSON_STRING=$( jq -n \ --arg LOGSTASHCRT "$LOGSTASHCRT" \ --arg LOGSTASHKEY "$LOGSTASHKEY" \ diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 6059da3cb..ea3092c0b 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -28,7 +28,7 @@ so-elastic-fleet: - port_bindings: - 0.0.0.0:8220:8220 - binds: - - /opt/so/conf/filebeat/etc/pki:/etc/pki:ro + - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw - environment: - FLEET_SERVER_ENABLE=true 
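Review bot: `cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs` copies the private key, plus anything else matching the glob (such as the `.p8` copy created in salt/ssl/init.sls by this same commit), into a directory that plain `mkdir` creates under the caller's umask, and nothing in the hunk sets an owner or mode on the copies. Creating the directory with an explicit mode and copying only the named files would make the key's exposure deliberate: `mkdir -p -m 750 /opt/so/conf/elastic-fleet/certs` and `cp /etc/pki/elasticfleet.crt /etc/pki/elasticfleet.key /opt/so/conf/elastic-fleet/certs/`. The `-p` also stops `mkdir` from erroring on the existing directory when the script is run a second time. The mode is a suggestion only; the account the so-elastic-fleet container uses to read the bind mount is not visible here and must still be able to read the files.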
@@ -37,8 +37,8 @@ so-elastic-fleet: - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt - - FLEET_SERVER_CERT=/etc/pki/filebeat.crt - - FLEET_SERVER_CERT_KEY=/etc/pki/filebeat.key + - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt + - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key - FLEET_CA=/etc/pki/intca.crt {% endif %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 1ef4a08ea..3be0e9711 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
@@ -152,6 +152,88 @@ rediskeyperms: - group: 939 {% endif %} +{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} +etc_elasticfleet_key: + x509.private_key_managed: + - name: /etc/pki/elasticfleet.key + - CN: {{ COMMONNAME }} + - bits: 4096 + - days_remaining: 0 + - days_valid: 820 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/elasticfleet.key') -%} + - prereq: + - x509: etc_elasticfleet_crt + {%- endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +# Request a cert and drop it where it needs to go to be distributed +etc_elasticfleet_crt: + x509.certificate_managed: + - name: /etc/pki/elasticfleet.crt + - ca_server: {{ ca_server }} + - signing_policy: fleet + - public_key: /etc/pki/elasticfleet.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 0 + - days_valid: 820 + - backup: True +{% if grains.role not in ['so-heavynode'] %} + - unless: + # https://github.com/saltstack/salt/issues/52167 + # Will trigger 5 days (432000 sec) from cert expiration + - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet.key -topk8 -out /etc/pki/elasticfleet.p8 -nocrypt" + - onchanges: + - x509: etc_elasticfleet_key + +efperms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet.key + - mode: 640 + - group: 939 + +chownilogstashelasticfleetp8: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet.p8 + - mode: 640 + - user: 931 + - group: 939 + +# Create Symlinks to the keys so I can distribute it to all the things +elasticfleetdir: + file.directory: + - name: 
/opt/so/saltstack/local/salt/elastic-fleet/files/certs + - makedirs: True + +efkeylink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8 + - target: /etc/pki/elasticfleet.p8 + - user: socore + - group: socore + +efcrtlink: + file.symlink: + - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt + - target: /etc/pki/elasticfleet.crt + - user: socore + - group: socore +{% endif %} + {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} etc_filebeat_key: x509.private_key_managed: From 6945596eee64b1855d1d8022b051ed010b48001b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 14 Sep 2022 08:10:42 -0400 Subject: [PATCH 0068/1082] Tweak elastic agent ssl gen --- salt/ca/files/signing_policies.conf | 5 ++--- salt/ssl/init.sls | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index 1e05be006..cb57cc640 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -57,7 +57,7 @@ x509_signing_policies: - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ - fleet: + elasticfleet: - minions: '*' - signing_private_key: /etc/pki/ca.key - signing_cert: /etc/pki/ca.crt @@ -65,9 +65,8 @@ x509_signing_policies: - ST: Utah - L: Salt Lake City - basicConstraints: "critical CA:false" - - keyUsage: "critical keyEncipherment" + - keyUsage: "digitalSignature, nonRepudiation" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - - extendedKeyUsage: serverAuth - days_valid: 820 - copypath: /etc/pki/issued_certs/ diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 3be0e9711..7093ae912 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
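Review bot: The `cmd.run` under `etc_elasticfleet_crt` writes an unencrypted copy of the private key (`openssl pkcs8 ... -nocrypt`) to `/etc/pki/elasticfleet.p8` under the process's default umask. The mode is only set to 640 afterwards by the separate `chownilogstashelasticfleetp8` state, which has no `require` or `onchanges` tie to the command. Adding `- umask: '077'` to the `cmd.run` (quoted so YAML does not reinterpret the octal) closes that window. Separately, `efkeylink` links the `.p8` key into `/opt/so/saltstack/local/salt/elastic-fleet/files/certs`; if that tree is served by the Salt fileserver, every minion able to fetch `salt://` files could read the key, so the state deserves a comment naming which roles are meant to receive it. The filebeat block that follows the `{% endif %}` continues outside the hunk.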
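Review bot: In the `elasticfleet` policy (hunk `@@ -65,9 +65,8 @@`), the new `keyUsage: "digitalSignature, nonRepudiation"` drops the `critical` flag and the hunk removes `extendedKeyUsage: serverAuth`, so certificates issued under this policy are no longer limited to a stated purpose. Meanwhile `minions: '*'`, visible in the `@@ -57,7 +57,7 @@` hunk above, still lets any minion request one. If the change was needed to make the Fleet certificate work, a narrower fix would keep the restriction and list only the usages required, for example `- keyUsage: "critical digitalSignature, keyEncipherment"` and `- extendedKeyUsage: serverAuth, clientAuth`. Which usages the agent actually needs is not visible here and should be confirmed. A one-line comment above the policy saying why it differs from the neighbouring policies would help the next reader.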
@@ -176,7 +176,7 @@ etc_elasticfleet_crt: x509.certificate_managed: - name: /etc/pki/elasticfleet.crt - ca_server: {{ ca_server }} - - signing_policy: fleet + - signing_policy: elasticfleet - public_key: /etc/pki/elasticfleet.key - CN: {{ GLOBALS.hostname }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} @@ -214,7 +214,7 @@ chownilogstashelasticfleetp8: - group: 939 # Create Symlinks to the keys so I can distribute it to all the things -elasticfleetdir: +elasticfleetdircerts: file.directory: - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs - makedirs: True From a4dc63f3a4e2c9ec4796647fc2afa6a1310d8145 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Sep 2022 09:53:57 -0400 Subject: [PATCH 0069/1082] Change how zeek and suri are populated in the minion file --- salt/common/tools/sbin/so-minion | 16 +++---- salt/learn/files/logscan.conf | 7 --- salt/learn/init.sls | 19 -------- salt/learn/logscan.sls | 58 ----------------------- salt/suricata/defaults.yaml | 26 ++++++++-- salt/zeek/{map.jinja => config.map.jinja} | 0 salt/zeek/fileextraction_defaults.yaml | 29 ------------ salt/zeek/init.sls | 2 +- 8 files changed, 31 insertions(+), 126 deletions(-) delete mode 100644 salt/learn/files/logscan.conf delete mode 100644 salt/learn/init.sls delete mode 100644 salt/learn/logscan.sls rename salt/zeek/{map.jinja => config.map.jinja} (100%) delete mode 100644 salt/zeek/fileextraction_defaults.yaml diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index 858d2706c..24544940c 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion 
@@ -160,16 +160,14 @@ function add_patch_pillar_to_minion() { function add_sensor_to_minion() { echo "sensor:" >> $PILLARFILE echo " interface: '$INTERFACE'" >> $PILLARFILE - echo " zeekpin: False" >> $PILLARFILE - echo " zeekpins:" >> $PILLARFILE - echo " - 1" >> $PILLARFILE - echo " zeek_lbprocs: $CORECOUNT" >> $PILLARFILE - echo " suripin: False" >> $PILLARFILE - echo " suripins:" >> $PILLARFILE - echo " - 2" >> $PILLARFILE - echo " suriprocs: $CORECOUNT" >> $PILLARFILE echo " mtu: 9000" >> $PILLARFILE - echo " uniqueid: $(date '+%s')" >> $PILLARFILE + echo "zeek:" >> $PILLARFILE + echo " config:" >> $PILLARFILE + echo " lb_procs: $CORECOUNT" >> $PILLARFILE + echo "suricata:" >> $PILLARFILE + echo " config:" >> $PILLARFILE + echo " af-packet:" >> $PILLARFILE + echo " threads: $CORECOUNT" >> $PILLARFILE echo "steno:" >> $PILLARFILE echo " stenopin: False" >> $PILLARFILE echo " stenopins:" >> $PILLARFILE diff --git a/salt/learn/files/logscan.conf b/salt/learn/files/logscan.conf deleted file mode 100644 index d7aa30734..000000000 --- a/salt/learn/files/logscan.conf +++ /dev/null @@ -1,7 +0,0 @@ -[global] -ts_format = iso8601 -scan_interval = 30s -log_level = info - -[kratos] -log_path = kratos/kratos.log diff --git a/salt/learn/init.sls b/salt/learn/init.sls deleted file mode 100644 index fb5b89802..000000000 --- a/salt/learn/init.sls +++ /dev/null @@ -1,19 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set module_dict = salt['pillar.get']('learn:modules', {} ) %} - -{% if module_dict.items()|length != 0 %} -include: -{% for module, _ in module_dict.items() %} - - 'learn.{{ module }}' -{% endfor %} -{% endif %} - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/learn/logscan.sls b/salt/learn/logscan.sls deleted file mode 100644 index 91f64420a..000000000 --- a/salt/learn/logscan.sls +++ /dev/null 
@@ -1,58 +0,0 @@ -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set logscan_cpu_period = salt['pillar.get']('learn:modules:logscan:cpu_period', 20000) %} -{% set enabled = salt['pillar.get']('learn:modules:logscan:enabled', False) %} - -{% if enabled %} - {% set container_action = 'running' %} -{% else %} - {% set container_action = 'absent'%} -{% endif %} - - -logscan_data_dir: - file.directory: - - name: /nsm/logscan/data - - user: 939 - - group: 939 - - makedirs: True - -logscan_conf_dir: - file.directory: - - name: /opt/so/conf/logscan - - user: 939 - - group: 939 - - makedirs: True - -logscan_conf: - file.managed: - - name: /opt/so/conf/logscan/logscan.conf - - source: salt://learn/files/logscan.conf - - user: 939 - - group: 939 - - mode: 600 - -logscan_log_dir: - file.directory: - - name: /opt/so/log/logscan - - user: 939 - - group: 939 - -so-logscan: - docker_container.{{ container_action }}: - {% if container_action == 'running' %} - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logscan:{{ VERSION }} - - hostname: logscan - - name: so-logscan - - binds: - - /nsm/logscan/data:/logscan/data:rw - - /opt/so/conf/logscan/logscan.conf:/logscan/logscan.conf:ro - - /opt/so/log/logscan:/logscan/output:rw - - /opt/so/log:/logscan/logs:ro - - cpu_period: {{ logscan_cpu_period }} - - require: - - file: logscan_conf - {% else %} - - force: true - {% endif %} diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 0fe3b444f..4e4d28a87 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml 
@@ -1,5 +1,28 @@ suricata: config: + threading: + set-cpu-affinity: 'no' + detect-thread-ratio: 1.0 + cpu-affinity: + - management-cpu-set: + cpu: [] + - receive-cpu-set: + cpu: [] + - worker-cpu-set: + cpu: [] + mode: exclusive + threads: 1 + prio: + default: high + af-packet: + interface: bond0 + cluster-id: 59 + cluster-type: cluster_flow + defrag: true + use-mmap: true + threads: 1 + tpacket-v3: true + ring-size: 5000 vars: address-groups: HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" @@ -348,9 +371,6 @@ suricata: include-mpm-stats: false mpm-algo: auto spm-algo: auto - threading: - set-cpu-affinity: "yes" - detect-thread-ratio: 1.0 luajit: states: 128 diff --git a/salt/zeek/map.jinja b/salt/zeek/config.map.jinja similarity index 100% rename from salt/zeek/map.jinja rename to salt/zeek/config.map.jinja diff --git a/salt/zeek/fileextraction_defaults.yaml b/salt/zeek/fileextraction_defaults.yaml deleted file mode 100644 index 3823b8203..000000000 --- a/salt/zeek/fileextraction_defaults.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -zeek: - policy: - file_extraction: - - application/x-dosexec: exe - - application/pdf: pdf - - application/msword: doc - - application/vnd.ms-powerpoint: doc - - application/rtf: doc - - application/vnd.ms-word.document.macroenabled.12: doc - - application/vnd.ms-word.template.macroenabled.12: doc - - application/vnd.ms-powerpoint.template.macroenabled.12: doc - - application/vnd.ms-excel: doc - - application/vnd.ms-excel.addin.macroenabled.12: doc - - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc - - application/vnd.ms-excel.template.macroenabled.12: doc - - application/vnd.ms-excel.sheet.macroenabled.12: doc - - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc - - application/vnd.openxmlformats-officedocument.presentationml.slide: doc - - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc - - application/vnd.openxmlformats-officedocument.presentationml.template: doc - - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc - - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc - - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc - - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc - - application/vnd.ms-powerpoint.addin.macroenabled.12: doc - - application/vnd.ms-powerpoint.slide.macroenabled.12: doc - - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - - application/vnd.openxmlformats-officedocument: doc \ No newline at end of file diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 6185308ac..b6f3231ae 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% from "zeek/map.jinja" import ZEEKOPTIONS with context %} +{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} {% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} From 43f89adbd4a6a72a414049cb7d7b1b5495cc2dc6 Mon Sep 17 00:00:00 2001 
From: Wes Date: Wed, 14 Sep 2022 14:19:07 +0000 Subject: [PATCH 0070/1082] Remove preprocess configuration --- .../so/1000_preprocess_log_elapsed.conf | 13 -- .../config/so/1001_preprocess_syslogng.conf | 33 ---- .../config/so/1002_preprocess_json.conf | 18 -- .../so/1004_preprocess_syslog_types.conf | 19 -- .../config/so/1026_preprocess_dhcp.conf | 140 ------------- .../config/so/1029_preprocess_esxi.conf | 31 --- .../config/so/1030_preprocess_greensql.conf | 21 -- .../config/so/1031_preprocess_iis.conf | 21 -- .../config/so/1032_preprocess_mcafee.conf | 26 --- .../config/so/1033_preprocess_snort.conf | 125 ------------ .../config/so/1034_preprocess_syslog.conf | 16 -- .../config/so/1100_preprocess_bro_conn.conf | 77 -------- .../config/so/1101_preprocess_bro_dhcp.conf | 56 ------ .../config/so/1102_preprocess_bro_dns.conf | 74 ------- .../config/so/1103_preprocess_bro_dpd.conf | 42 ---- .../config/so/1104_preprocess_bro_files.conf | 64 ------ .../config/so/1105_preprocess_bro_ftp.conf | 56 ------ .../config/so/1106_preprocess_bro_http.conf | 77 -------- .../config/so/1107_preprocess_bro_irc.conf | 46 ----- .../so/1108_preprocess_bro_kerberos.conf | 56 ------ .../config/so/1109_preprocess_bro_notice.conf | 56 ------ .../config/so/1110_preprocess_bro_rdp.conf | 52 ----- .../so/1111_preprocess_bro_signatures.conf | 43 ---- .../config/so/1112_preprocess_bro_smtp.conf | 65 ------ .../config/so/1113_preprocess_bro_snmp.conf | 47 ----- .../so/1114_preprocess_bro_software.conf | 49 ----- .../config/so/1115_preprocess_bro_ssh.conf | 66 ------- .../config/so/1116_preprocess_bro_ssl.conf | 186 ------------------ .../config/so/1117_preprocess_bro_syslog.conf | 41 ---- .../config/so/1118_preprocess_bro_tunnel.conf | 40 ---- .../config/so/1119_preprocess_bro_weird.conf | 42 ---- .../config/so/1121_preprocess_bro_mysql.conf | 57 ------ .../config/so/1122_preprocess_bro_socks.conf | 62 ------ .../config/so/1123_preprocess_bro_x509.conf | 154 --------------- 
.../config/so/1124_preprocess_bro_intel.conf | 46 ----- .../config/so/1125_preprocess_bro_modbus.conf | 49 ----- .../config/so/1126_preprocess_bro_sip.conf | 66 ------- .../config/so/1127_preprocess_bro_radius.conf | 73 ------- .../config/so/1128_preprocess_bro_pe.conf | 46 ----- .../config/so/1129_preprocess_bro_rfb.conf | 65 ------ .../config/so/1130_preprocess_bro_dnp3.conf | 51 ----- .../so/1131_preprocess_bro_smb_files.conf | 46 ----- .../so/1132_preprocess_bro_smb_mapping.conf | 40 ---- .../config/so/1133_preprocess_bro_ntlm.conf | 50 ----- .../so/1134_preprocess_bro_dce_rpc.conf | 54 ----- 45 files changed, 2557 deletions(-) delete mode 100644 salt/logstash/pipelines/config/so/1000_preprocess_log_elapsed.conf delete mode 100644 salt/logstash/pipelines/config/so/1001_preprocess_syslogng.conf delete mode 100644 salt/logstash/pipelines/config/so/1002_preprocess_json.conf delete mode 100644 salt/logstash/pipelines/config/so/1004_preprocess_syslog_types.conf delete mode 100644 salt/logstash/pipelines/config/so/1026_preprocess_dhcp.conf delete mode 100644 salt/logstash/pipelines/config/so/1029_preprocess_esxi.conf delete mode 100644 salt/logstash/pipelines/config/so/1030_preprocess_greensql.conf delete mode 100644 salt/logstash/pipelines/config/so/1031_preprocess_iis.conf delete mode 100644 salt/logstash/pipelines/config/so/1032_preprocess_mcafee.conf delete mode 100644 salt/logstash/pipelines/config/so/1033_preprocess_snort.conf delete mode 100644 salt/logstash/pipelines/config/so/1034_preprocess_syslog.conf delete mode 100644 salt/logstash/pipelines/config/so/1100_preprocess_bro_conn.conf delete mode 100644 salt/logstash/pipelines/config/so/1101_preprocess_bro_dhcp.conf delete mode 100644 salt/logstash/pipelines/config/so/1102_preprocess_bro_dns.conf delete mode 100644 salt/logstash/pipelines/config/so/1103_preprocess_bro_dpd.conf delete mode 100644 salt/logstash/pipelines/config/so/1104_preprocess_bro_files.conf delete mode 100644 
salt/logstash/pipelines/config/so/1105_preprocess_bro_ftp.conf delete mode 100644 salt/logstash/pipelines/config/so/1106_preprocess_bro_http.conf delete mode 100644 salt/logstash/pipelines/config/so/1107_preprocess_bro_irc.conf delete mode 100644 salt/logstash/pipelines/config/so/1108_preprocess_bro_kerberos.conf delete mode 100644 salt/logstash/pipelines/config/so/1109_preprocess_bro_notice.conf delete mode 100644 salt/logstash/pipelines/config/so/1110_preprocess_bro_rdp.conf delete mode 100644 salt/logstash/pipelines/config/so/1111_preprocess_bro_signatures.conf delete mode 100644 salt/logstash/pipelines/config/so/1112_preprocess_bro_smtp.conf delete mode 100644 salt/logstash/pipelines/config/so/1113_preprocess_bro_snmp.conf delete mode 100644 salt/logstash/pipelines/config/so/1114_preprocess_bro_software.conf delete mode 100644 salt/logstash/pipelines/config/so/1115_preprocess_bro_ssh.conf delete mode 100644 salt/logstash/pipelines/config/so/1116_preprocess_bro_ssl.conf delete mode 100644 salt/logstash/pipelines/config/so/1117_preprocess_bro_syslog.conf delete mode 100644 salt/logstash/pipelines/config/so/1118_preprocess_bro_tunnel.conf delete mode 100644 salt/logstash/pipelines/config/so/1119_preprocess_bro_weird.conf delete mode 100644 salt/logstash/pipelines/config/so/1121_preprocess_bro_mysql.conf delete mode 100644 salt/logstash/pipelines/config/so/1122_preprocess_bro_socks.conf delete mode 100644 salt/logstash/pipelines/config/so/1123_preprocess_bro_x509.conf delete mode 100644 salt/logstash/pipelines/config/so/1124_preprocess_bro_intel.conf delete mode 100644 salt/logstash/pipelines/config/so/1125_preprocess_bro_modbus.conf delete mode 100644 salt/logstash/pipelines/config/so/1126_preprocess_bro_sip.conf delete mode 100644 salt/logstash/pipelines/config/so/1127_preprocess_bro_radius.conf delete mode 100644 salt/logstash/pipelines/config/so/1128_preprocess_bro_pe.conf delete mode 100644 salt/logstash/pipelines/config/so/1129_preprocess_bro_rfb.conf delete 
mode 100644 salt/logstash/pipelines/config/so/1130_preprocess_bro_dnp3.conf delete mode 100644 salt/logstash/pipelines/config/so/1131_preprocess_bro_smb_files.conf delete mode 100644 salt/logstash/pipelines/config/so/1132_preprocess_bro_smb_mapping.conf delete mode 100644 salt/logstash/pipelines/config/so/1133_preprocess_bro_ntlm.conf delete mode 100644 salt/logstash/pipelines/config/so/1134_preprocess_bro_dce_rpc.conf diff --git a/salt/logstash/pipelines/config/so/1000_preprocess_log_elapsed.conf b/salt/logstash/pipelines/config/so/1000_preprocess_log_elapsed.conf deleted file mode 100644 index d098eb11a..000000000 --- a/salt/logstash/pipelines/config/so/1000_preprocess_log_elapsed.conf +++ /dev/null @@ -1,13 +0,0 @@ -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolution.com -# Last Update: 12/9/2016 - -filter { - ruby { - code => "event.set('task_start', Time.now.to_f)" - } - mutate { - #add_tag => [ "conf_file_1000"] - } -} diff --git a/salt/logstash/pipelines/config/so/1001_preprocess_syslogng.conf b/salt/logstash/pipelines/config/so/1001_preprocess_syslogng.conf deleted file mode 100644 index 84bce8802..000000000 --- a/salt/logstash/pipelines/config/so/1001_preprocess_syslogng.conf +++ /dev/null 
@@ -1,33 +0,0 @@
-# Updated by: Doug Burks and Wes Lambert
-# Last Update: 10/30/2018
-
-filter {
- if "syslogng" in [tags] {
- mutate {
- rename => { "MESSAGE" => "message" }
- rename => { "PROGRAM" => "type" }
- rename => { "FACILITY" => "syslog-facility" }
- rename => { "FILE_NAME" => "syslog-file_name" }
- rename => { "HOST" => "syslog-host" }
- rename => { "HOST_FROM" => "syslog-host_from" }
- rename => { "LEGACY_MSGHDR" => "syslog-legacy_msghdr" }
- rename => { "PID" => "syslog-pid" }
- rename => { "PRIORITY" => "syslog-priority" }
- rename => { "SOURCEIP" => "syslog-sourceip" }
- rename => { "TAGS" => "syslog-tags" }
- lowercase => [ "syslog-host_from" ]
- remove_field => [ "ISODATE" ]
- remove_field => [ "SEQNUM" ]
- #add_tag => [ "conf_file_1001"]
- }
- if "bro_" in [type] {
- mutate {
- add_tag => [ "bro" ]
- }
- } else if [type] !~ /ossec.*|snort/ and "firewall" not in [tags] {
- mutate {
- add_tag => [ "syslog" ]
- }
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/1002_preprocess_json.conf b/salt/logstash/pipelines/config/so/1002_preprocess_json.conf
deleted file mode 100644
index ea7c677da..000000000
--- a/salt/logstash/pipelines/config/so/1002_preprocess_json.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Author: Justin Henderson
-# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
-# Email: justin@hasecuritysolution.com
-# Last Update: 12/9/2016
-
-filter {
- if "json" in [tags]{
- json {
- source => "message"
- }
- mutate {
- remove_tag => [ "json" ]
- }
- mutate {
- #add_tag => [ "conf_file_1002"]
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/1004_preprocess_syslog_types.conf b/salt/logstash/pipelines/config/so/1004_preprocess_syslog_types.conf
deleted file mode 100644
index 243abcc15..000000000
--- a/salt/logstash/pipelines/config/so/1004_preprocess_syslog_types.conf
+++ /dev/null
@@ -1,19 +0,0 @@ -filter { - if "syslog" in [tags] { - if [host] == "172.16.1.1" { - mutate { - add_field => { "type" => "fortinet" } - add_tag => [ "firewall" ] - } - } - if [host] == "10.0.0.101" { - mutate { - add_field => { "type" => "brocade" } - add_tag => [ "switch" ] - } - } - mutate { - #add_tag => [ "conf_file_1004"] - } - } -} diff --git a/salt/logstash/pipelines/config/so/1026_preprocess_dhcp.conf b/salt/logstash/pipelines/config/so/1026_preprocess_dhcp.conf deleted file mode 100644 index 2f893cf7a..000000000 --- a/salt/logstash/pipelines/config/so/1026_preprocess_dhcp.conf +++ /dev/null @@ -1,140 +0,0 @@ -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Email: justin@hasecuritysolutions.com -# Last Update: 12/9/2016 -# This conf file is based on accepting logs for DHCP. It is currently based on Windows DHCP only. -filter { - if [type] == "dhcp" { - mutate { - add_field => { "Hostname" => "%{host}" } - } - mutate { - strip => "message" - } - # This is the initial parsing of the log - grok { - # Server 2008+ - match => { "message" => "%{DATA:id},%{DATE_US:date},(?

0>ubF;hYR&C?XO^0WpOru7kR9pw__|U)VCqL(iT^oEd1b!Kj4wlVo-{tw>)g72BK6BDwTVZ26XgSzMIRI# zTVBxh@7Dc9xq0j+M4k{;X-GzgIe3#Qjig4n51Yzk6V%G>h*3^}Y^$u;kv+KMA45Z% zSXiD}IU$mBDo3xvB@@dLb61213etU9%$iu9_j~f>6VTn-=H`!(QZx@iyU#9y|8Vc) zxq=4Ee7D7?2!VF+rKSe*_}YaIEKZN}*co=_P3mS=wth<$JTH)8bz;X((TCwVmiPN6nVJT^mB z<4!78)qg^R%j@>*Iw$f|9XvoDKKU?drny|HC>L_4n7UMvO?`#j35uO}(eOsw_dAke z3AY6%3RGr9yO{Axc6$15y#f~mLIShH1n}ADshIV<&6{q~oj;PgUX&{-D^|=>|8zYK z^{*qBsyk~LmTFy9x7zM{<)6`%+2ca3D7sCi?qaHM_d(#iI6{cKACYY%O5_l_D^F7v zxcF}6-OZfOMJ<7q5N&DTTj;oE_QA+f2;HV#?7PrDIvFBl^xAov4~|NGsF;@Hx#}Rs zO}fV@Pf^oDf(u0YRcJb)?@L9zWkGetc}f8e^+!nA0c~DSd=E*x80Kq4w+bjZYWU#Z zY-AQ^unS2!;3xFE7;b4yk}e04u^=5JXdCKIGBxY6Ii_b))?X*#K;WSux2v{DqlLhvrDKfDInp&h^2u~pVh6NB9g&aB}NC` z;hPFA1YN5DveiG;=gC29kV7?oJ?0&h zRi02-iaOG8Dz%qMn!hbHT1!VMtnF@J*%ZUlL0;YbCzw7?gYP@KQ~6iDj~lOI1T-o!56Rh zVGo=kiuBj78{^erUn^#sD3QaPw2bSb?`(Ye;Ne5{I;nx7A(ecGtHiDtJrlI6+=g6< zq6<;ML9T_+;{zC7DN>pe`>!00C@4*2)n)Vpen-K;rc;y)=v~6~spNiVJcj_6AMbxD1yLYbuNP@hZK!605!YDbh@HRd( zbUg;mYORlkSTLv)_q9!Xl5=ULpRqjw0Tkg!N0NhdX2$XxWbYXn#VkZfxw|255YgD$ z+S;C)2)z)E=+he@1C=o42CxDOkyQW*p_mzq{R6vKm4}||#dB+O1YTHGy^LU_AGJJ5 z$=xWG?mMV(=&^~4Y=6FCAY0;=QPzd4TrjAB*gTx;f4+w4i+Sm0Fsp{v9|_ipB>@)HI`tE!bYi5J;r%nmLFo&dHfFbiVaUsGfUGQ4P*6|^ z-&R)E8XQSkx_AQ=pj&tXUl2m5O{U$4yCBN`kWfayInH84;lhROFa#%60;+i9*B4+d z0Zzze0FBIiq}amXK3p@NY~*Q%h3mnqD}ZpG)fV$b&j@34_mC`dGpvNT0#2khQuQj$6qKL6EGVa zheU8-1Z?%0dfjbhFZs|3)`;n6l}3}DP=C;GBDMsC5te*DV!fk{Zl7Tnd93(MZoSj6 zG9kLDARgGlG?7U2!ox*D!51PxwgYwS$ zo3j)y^E2)d_TT0nw~#71&qCw2R*_Zve)~|sx2iivEC!0P1GKK8$U2DxJ%((fAZ_k~ zCOfH)QGyO!D1b^Kx(vdAnu*~tmUgD6B^)Sr!=?r}I{7m!?m&-Vpbj+=Qq5+$>o;v8 zj5m}*tP7%`krkotwWl#bHuLM}&rc%8sSxkSOM!50{!{^ku9@*SXbe5IY6nK}1k&|D z0?ISdGJ#alK@hD-BSZ+IU?!B6ORGOC3jmE6&2Mi zaG4OOe<5N?I8ENhCO9*+h+a2YiG(BAU9uMAwP;WVz1VepT>xjuVny~fdxPIQ+@{O)jzWh}9nXJo`@t?9fQ???deH43hn5f0hN&EMC9Z@II5g(i6|NQ_!9Kz(2 zOff1~MCTVf>pkJ&*w{SBqK8kwBaD&jTU(O_Lpl`TloGRs=O@+@i3ZThfZ<1@X@phz 
zLOluD7tw1*-8~N6hhgq17Gi%f)ktVBL3N$v#$W}%auw*S0r`ctXE*B20^ZIFjN3k6ZvJQp*b&)j=^3AN^i(FMyVKzJQSG4dSJtxPabebV5Qv zN+g18kVYn=Qip=IUthVHXNuU@hnNif9-09Q$a8*H>D(LWe7nlJ*kmSHofQ-T- zHhhMcS6F`usup7OgHr|IT_|!MV}~VD-tTsXDf7LU7E-Jt6; z{&RM*JdtkzLIpTkz~3T`eprTiA%t}!ZjwK zX}1pEx46Jw+c26UDqr*I!tCLepYBJt`L7KsO}ob5?bYP^c+{o0n&U8qsJLJQBR@xCM7O;NU3) z@%h?V;ryWTTugOmOeIat?3qloYU zZS6ie1RwyO>{tkkn$vyi%iJV%@f@7w*M zYYm|PJ6s`PK!ZRO2c(_(ci-l*bEu((lFvZ1n{?MfQxJz+04jh5bWR9|T3Sw_q@mqP zrib0@8^GoIxI@oc!Ame|*>?Ixt>M=-a;qMRx9)CXIM~`!&|$Y`aLWr>MP@Svk?fg{ z>o*^T{GLAgKDGAVPd4%2V+^B^a1uvyRSYwk0Lm&lditv{0;sIyX)D@+2;MaK>k+(7 zaGeQCFK9eA-acoK)e{Bd=E#w^7Xt4forJt2Wh9Y>)Xdn|#!#EtdLv+a8`62C zf7}e_6d>^i40t6W{pnrIQx5(U_nS7@yxupH4;EN6{{1C12#N=c&xExybB-#Ou zKr&2p_2JIMF@bgsTmyQ*#)N@LIJR-Rb%!KM@)86Wm@4STI^L7oi?RhhtZnGeS?Pk+ z1`{?n>v^00>K!PrWPvi)SIuK!ghWAf>}984bmGnc&VA0aHwS@f**D-j$v9D`VnSYB z*~_pQFX<{o+#Ri^hnjr>ErIO0RQ=l(FO6WI*c0YiA3(_73^7J6s-fuec=qdwMMct* z^TQc-ypg;-JTQx@H4|mf$0&*iB^AjviLDBJBD&B?Ko3Z7b#@%RTMkkhuZ{!vmTU zC{zg?iIdv{Wf;m3@@mQ1j-5ZS?bzx^TLI;Na6esh?y|U6d&6;Gz7d}G_hNVM_9zIi z5;?zFR`WyMy3?#YzNzh$Uhf#CUK`*+abl!|0C1ojfHOIcIrXcHbM}Dsjv@UDIbiv8 z<8gpQQm857P^uuUE|}?FOHO)}%76$+8iAu6cm|%N+Ia66as@y^0)+}k$iH|$ ze!K}Zuo;dNG`v=knFZ+GpF$-CN|bc6dOb+ZXxP2S(y+!z4Zf*;(#_Pu<(GdNQR+K;ap~6W+p43x9cYqYHy*+#Pc9_ zel1$om!}?~<&CPq+ne*P8vJ(%*E(?Im|OvIka?k;aNF1S6cP@{&to_bL9z@qDw%&A zme+$U5#`!C>=<=rYiL!~BjqXU;Az)+a+-uTZ*}>J+D6fSoq&Sn()(+S9<&b>FgMP5 zM$6>A2{(WG`r;S!O-_0PJ0)Zk^lrJG@nslw*dgT>O1jCwxbbiin2 zLQgP2Q7-&3;go|)MNmH!!C$g1pZV{p0;)`Eev}@h)mgB-RGIBmfP> z1r#sb_^I&pF=5aSUH;+#VymGcyP8zuDHqC+MA>FlgE5j0HhZ$hHJib?+1ajvfif)n zQXCBE^-JKAiU0)S*cx!DVRc`ijFyQ1Wa%NnUm=8dcxsGT<=_DR4ycjzm++$gnA@z| z{s~#SCPoJicZ`7|W5=MWTi_y#(CD~0CyIoz6ATN&SHYPY%3mXO-BJ*Vk@qxwXq@ZrhPJaiHfZQs!Zx5m)0pAc20C00k9l*fl?Hn?ogoT0|r^UM) z?kJ1^6v1gAK*oDe_JYAsj&N%$Qgr3y)FWiRWE_J`X<-Qf!88K8Ea5Waht)>KnQVxX zvJz319H{uP1!%~U$A!rq0psfJWP0nN#-8@%;Rbe$AjyIrRM#pbAh145>jA8GH%B_` zpG1`7cHMb%#vMRmy?D{P!eT*I?csa9TqB2Q7rU8%E_z*`V83K>%j~nR|Jj#z)nW%F 
z?#)En$FB+4XIivwa?;+Nrm_0b-V5KBkA`ay+ux!h4}^NCAx)uGfB=Z5!qE`4woW1h zy>^*RuhxGIAP4C$Fd%jvMa3B9UuF9v*6-Z8RNJR4DlGg0-2~+J{fBlO)dl?%#vJR= z#KH;v5zvg(T?555{iA?RDgmG_tC{NHnCH|?--|-3=Bi=`TyZwC%R#Cr&@TB_harj} zgsohBtI%yjEeOLAU!nn;a|Z+jB5}x+$B$V%)8~MKhoz20?8QsigiwN>jckE*^l;VX zMZTs;+*Ar&9Fdkk>ix1Eapk6i7;xUxsQScF2jn>sat!sF&5CuLJ*p?CHUL5<_B+@y z=meu)eGI%A2U%Q$brtk|?O1ToV}OCA6cp&%pS7?U);=P#HTQ9|y)0XM5S%zpfA83S zC45lHFG&7DZGA-x`!hd^il(=Q^}qYa3=12oH`O)_Kkaf^6b+NTe{OaBHoC70%1hmO zh4;fxKFX}SWhlRJ>S{_$Yb#MqM<8a~8vbdMDeZ0-6_R^;72IaHhjI}RFxmdtAp(|P zMT~U6df0-4u=(${Zg&{zhnp@uqpDs$ndoVBda&@wd-V#6L6#+xhrCA%&l+rGaeX`h z`PeP%-N*ZVpATayK)8yP`{w#wL;-p-r-EGpJi$|abQlQ(Deti!g|`>~GxYlRtrl*% z!l(DukE+!oK)t3We7{Og)ehZ4H>u#Pi(v(OFN>Vl=Zm+ZeVmry8+w~O`@h=G%Su8f zk?WT)2B&_^Xxtxkoc_ayeHji_71LWRXindixTEXRZeP*##zl2q;(z@wfLF;lV(2QQnV|h;TE%AQW`Y; z9|HrjNAnGE#{L+p$WZv}#y@;Kin$f#gy>x#+`l5a2#4{*CcPa8Y)!U`xidh#bp6tii)MKxG|GAT2H;B3YvQlZO zlS@mj=eh`Hs>oDNMkz+awjhm}u)B*I!!O+GH<&c+D__1tUwCx+Ilt^x{vL|E5-;N7 zd=e5&y(d7s5;$<+q@L9Gb7V*h-FZWo3=x4MP^ppp#t^`&fTts32O<*wE?QgRa%;7z zI3t(pZM42HA~YU7+-N51?d?5Kepr0AO=<=w8XH(+=*f=v*VF*3KtfQ{IbX;0;N;^Z z17x<66k)xouw%E!c-SHBUL$>dpc}*PeRFb0ma(#vC-TdxW+R-c3Q}#^4|i;0-tj%N zUsL^~dW`ab1OqU7AGsLPOLTOj|M2mn0gRL;m=Hyfd9<608>^j6sB^P6oSrKi%oh|9 z*^6Rz0ho)8!DgA;7rs?|aOd6WH$RuWe#{H3nQp01d6AUQf;EM&J>g`mSR50wQr4?_ zO0CWlru2ig<5ZxInuLKsUIvH=Ao=9#n=u7(5I7+$JMi>Kml(4@Qg?0mw6l4D%rO_3HN+Q#t0<&H z4(Jf87f48uyT&{l{qf^8_>qMRRZQuCe&dzQq!Xz6yDcQHY zXkG6E|3VJQf=bK?|X$szIdNX;s>G_%Kx)?Feu!+G+@QBZ{Q29RBmF^D9dBS(&K z>J{V*@#Z8i6HQ|rpI6X}24fdl59b6Kw?wxDeXuPTvZaoEG^ULIyT zfJl-KD;REORpuC}!K6bc-n_V0Kb*@=@du#EyIV(mM;Qj#O?`G52HU-OD_R|o@=_|M z9m9oeTryI^Jc>1`$pQ9?eJW?~bzHw&h6A(IFB9?X6(8j|I8K zQ4B=h2-u>9jtZG0LMhcfJp3}FWJ2m{J4zX!U8$o+$zfp$%2`|hbA2`^uHSuTEdN%< z$rn**8jzZ2s1bx|PFFUY;@l8Ud&#mn&D!R-XFplT%$@pO8>w}w`<`l@IKQUR?Zkl} zAT)@gszn0`-34)|M!=7t4@d^mEx!6`QLArEKx#ZaJu`j#oAojPj`{woQpB4OtB*{l4@k~lG&zoZ8yTF9t2$R!w(V5>S zVQ7=cf-#xXj@Fll?7+=NMNB#vXxDQjOWDpb3zL>1$w#x+0qDg`x zWibbcdK3V}$v~#{BFl-}V!d3Q7(6?PUz~*_cimfiU|!`#6g 
z;9q0!^)4e)0C7jm-7nfqKXaNgV@tXmw#!;H3YwA_z=U@69MJn-I!p9p}S|+c&2mA-Ypc@Aap@JX{N=Hv2 zS(Oh%fkZt9uZmP@ILO8`FW_g9p^`Z!58#F*oS-*f4(O!>$Fn9nzZl1%)`uMm&^aN9 zTcCTyeDKOHfHLJay692{=96Ow!&5hn$RtkRu$c z`fPn0S-1Fq%1P?H$=@Mf5E&?zha(%k5g+bgexf-+N=n3lIm7-m1X z?2K<8L3kl^2H3XMKtgV4C6^W#A1zCez@|1GYelP z%}-=f{xthCY6?Lh3YT(ESxM9B&X5UTqO9y8OeLUq!UQ7#Fh8{>gj!2+$`GU<+`n>P zWG!!O0E&gR>On3D7Mk541pplvB@>ve5=Vr2j(Gs=7@+ejbkwB)^&Hzlbp{DR z8t?%T9dVc%3{>wtoUsTb(h$`@`CVXAmo8qs0p(fHgwQ6|<9dp1dg1av+Z4J<^7v6Q z{DQMH7V%bYtfF%837OaC;kl2l6%qTPAhUr4u0=Z^t1b4}$A^blGw)sJ&zN7pscrJ@ z^{a9H-^67Z*Hv!a2;X6SE32jA>93o{^iq_~h=VUJEp6DuPPB6PK3%+gIcSJgT(bpM z>x5DR_KoQZ%Q-TcjvywCx*l}3+n`gS2MiYGZ8&^iS@)1 zzn5p-SbxWFr+w^~8aeJ>*OI*VNS^=ro@^U!0U?Euc8itA=Z>ZKc}biDS(aI!bRaPu zZ8Om)pBz_Vig}Aat|XRUKLESW@^u`jLkrZLnhTHz!OVav6oHuq6o|xS2*sdtLu7Dp zi-PFv`1XB;!jER2Ddt%*jJg>^)!7rT8d8r^+O%SkFPKr+Z^NrW1M~zpwFy_RvPG1n1lAHwg;Vo z2+knT5(0{!|2YGMJrVP!vzpalx{zwv{;LQDAhZ)8WSZ1Ir^W|0YZ-$QQ?~}`|5s$% zT)g2pVrmddkqboPM>SJ2(CNUwI?MBb8;6GKOz@r8s<9}oXCwDd3@>Nn6o{rmSm5NR<7 z$;qjMh7^Ik0`(6_qX`8uoqd>3#O0V+9!?Vajlp<~wMOA45uT6;yJB`4#cmfKw^nN^ z%$c!`U*HnKk>i>g1&vT(A}+!%C`vBoIXJYW0a-B)_?-_=;hoNAW-@QDpKU%$@Xf8anP%a(;wO$bQ>4{u4JJ+v*>qJzw;S-=q9 zWnl?K)Ie{VL4+1tt}Wa=Hg244UD>79%Iaq$Tn2^tJTgVLAm$dO>QbEZWJDWBeUz1(W?!>p13bEEv{D!7a!u7!X^%}aCKQqUkr8C_q)BH?2cAE2FyDU03P{*$&4;Ho7iPyorl#~wr@onIF<($XbQSMDeteL) zBpZ(}NJ5QVPd8KL<6b{L_XapAGOd;h1lVLW>p_@)da>gQ+Rbn<-B6h&C{Z3GpgqnJ zr<;io0-(3)4w|KXyLZo`trMf=;49%o4mLgx$^I)I!7EgtlmVv{GGM6Sap>Tm#xDpF z63eZp;ox!(<(%4npBw8Mxd}paZvSJEW{A>52#;c}}m6aDqZ<~b% z8&!p+-pCAr(d^$JK@Dmvb87U&N{@l7ZPTLpthg7LHMY{lnZ|x6UkKHfP*=m;irwAC zTL-GCB~J}f?9kyX)sOA=?e-YrVO6%fI2mW6dK!j#w>GXO9^Pk4>S*S zjvwQVT5TEfF-OrJG!%0kS5_@jLA0~zugluGA#b(Zgm<699%fHztzP_o(zkc-&~ndt zsarM(thnvTd5;60`gmA1d19N!L}&&9nH53ZFi|O*c*}vg)!EJ)-E#B7ANDTEH9aNLk)9CpKb-q$B5xnYWsp))+6_Z3^Al&8^68zM&FE|!(yAfpnvg(dy3kV zGvTy!X%-*k6Kbfyy1o zVJU%A4#vTP>E4jMh3q* znK>F=m)NJlDTn+iUNK7)KcLfInPTcJUciQqsuu5Ou!H+Jhod?rN79|Ab6m2M$Auq!3f$+zZ*B?z2i%fV`b(n?yCT^&Of- 
zt{9hlIu-WO?-O6xE_$vYEBecRvzo2$TPu(+srg| zYDD2!aC%^G9dmY6K7KMGtXpW&9N3M~lgU=#_}XDPMYLOUAJ>+C@ej8K3PndPq+>ND`b^*p>Kv6+e@vp zr-h)RDE!^>;NxZ>DTXMe<6T{EwOO`IpIV9ecGh70`5*eDNaUW<0AF@@rvAR(xOMvKGWN&pI=wbIW^vpVi#W>QEU>4%;9=+jtv)W z)1)DtYyC5C*{wZ4^#Btd7CRnA``O^_l~4FwwMq8x4&%m+qi)Hd=Xj2{m{q%tw9cjl z+av>*Ea9;F^KJx%4aJ9!W~hELDQ#D5tR|&iCGQ1;$;+jytQp+YQMP2nU{Y!blxfNwo-)E|zhA0yLB3D;L20v>dqL7B=@pRwApr1;E;6}2KiWbR&U_2eRZyCkP{{?a*%@tLSXl8ocPJAbkIzgNbJ$E#waqup zoJ+4J##j*<3g-?o#eEJt4`kU1{e>Y<8`9%J0wa|(E^$%WM84S7bq3v^&Gj|?7~#4P z@5rAhpt%RL)jkz+E!Z`NR!q}dxlbR9L?;vV0kV%(<^Qb(I8nvl`>$E`t6RDW!vVW^ zjSUF0EO*49)r-pyIu=X4wD8u(S-qPd1J==%d|LRHF|kL4tKR6zs69ULA_dWp@InB| z$+I8*t?NP&(P8?nC#jbiA(rQP6!cyQ?I<7s>ZsA6j#S^l@vDW70>h-zs;a$_km*}9FX-BEG#vY!o2GCSOwmqrXmn&g9d})e8f_Q^r;kh zxNsei8v#RrXT<+0d~3XjlataoS@c!w0i%R$i3$u2)S}++t`aVBRy>3$(WFU}FsoPw zR$=;Vrs}%$(`4)W4tHB|Zd&Ez`qZX=h4T!r%uQKl8?k?TtlMJQ2*qRBmMaf!Kig5| zbz)sZLnIJ{>B?e8_zTj#y%8@=S-*Y^IGupUX4s0cKC0Bn+d^sv;lX$nbYE$8^-O@B zAt=redZSu{=g6Uh!B+Ag-%t$1r~v0tNFr*SMn$zVT3K%j0Vfh=&ZkAaBlkaud2dBe z0O&az^#Im3=MQVgpkEZ^MM?NV+%QYY}xlgxlN3O3h zr0>~3_557B8yI?MVZS^e(j=Cg1Vr=!r`H)bzkF|ij}p_6tLk zfWn}@xzR&7B!R%f>vQ+`ok9(Hp?*C|vRlQ|t9ag~J)g|y{|SW#nlg)M3w5D}V#P>d z;phb=pU@XVF5H9W7Xy+f!}|2KWYD%xA8l+&vC`81d~gef(Ac`guHUL4FQ0|@n6IQh z{aE3Kw3=lPAM$rb(NB=}3N&7w`m)6C{{%`@2IaTW*XlzC3cC-&%QsTB@L5I&0G2is zh{5VjtKQ>Any`6H4vP#ybuw`3{%|gsh!ZPs@?AZCezA`qGX|-_S&C%Seo27TT-brR zj}?c;pCzS8VFJ71SbP9uEss&P#7+A3FmEi!xV@a*5`K`veMy)vFsc$)UVw$Xwe^|b_a6)}jkK_sue0j8 zdF)SPtENw%KksJ-fV(SZpLmIp%InSBtF{acEqRrcGSY=9#EBx9;TKA-*(2fe0j>f1l z9lC7&zm|;)2X29*g@lAycqS}LO*wo^x8~5tr^TzOe#D>^s{OAt(A3zrAQ;?u%Zghm zDHhkvddK@N^nZ|W>_GjKc>BBsQx77>%?KPn!v2u=vZf0$FHZX#rFhJ`Kkj#@KiaeM zyBC~(X*kEB-SDY*uSuyq{g%S)lIUQ?h%d4wA#?+#-l?e4DPnypcC3G)pF;Mkm)kH4 zRT&+=J91+_1Qos2_T|L455R5ox5D>RB24#irD%#u2-?3+-W$eI*Uv8$f4~mhQ_Gxs zq9&z!*Xf?&y}EQcJ6h!v;T4!x5mK7wJP>S;mQ@ysh1l(lVdbYfv&t!yr6BX8#S!GJ ziCaME5+>vTSf3yXK-;)>Ol$;jhIwnm)#VB|8ua2BP6R+oBsGDB8Gz>7wC0Zd%-}M@ zH)jnq7N5BLvoULyT*4Me%Ss; zu10zqo|R*5D@{B>T@TSQsSY2mV05-K 
z=j`RPuR7$UE5lL&%~ruBZ?lb06WYy)u? zJuqjSKkQaGU75`l7X^!X^Aa(BT*&-chboEXrIY9+?mm0gld60wg%)$8Qx@&&2Pw7v zPlGiUyWMcSE&aCnBfTxwdQ!~Bkn8$0O(3S(i?7plX5G7|RXrW@#?DOIQu+qHu7s%{=PjaJm#te#i-=W56D=!qFmt{S|!;pdpB9ul(dY2W#;8|!}m(H=9#A9w1y`ueq$IYB)f zMV@Cnfl>U;7@gHGy92d!O`lh?E+H;Xo>n%}`eh#zq5Wm_| zt_5s-%=79MF)=YTuo*Pr13I_QsH`W^Jo+BIYUN5fdwctchzKw3OS?~=I3dP}1>9yc z;CX(2=i=gG;Ui@CLqq%0*byOe(4N%zvd+#0DoKep!$iyX^5x4LuoQkj-@*p%5|Zbp zTi}JiAO@-|cU9fW`*}KhXWsS0hr2?{osEd_2aDTXv|z)A4Iitjv@g{Z|4^;Ioscl% zX;D$+1(P292AunMZ_rmA*@{g#cHJh(n^FshyD29(SXjQ{>W1B zpTie%)hW5UmegF&Gl9ROCKm_VoL&{BumQ(Ls3Mgy&le8IG9AMYSqW;C#lRiEVDUQl z?mhI6%a!6*9Mw8^42X)0^GDiu=kDF0lPC9K!+}6(z{rt`ln-4S5610lK^Y=+o>QV0Ft1f0pnFS1iL5pO}(Y*XPI3a9Af=`q0`@6XNFjWd>Rtmb(M@H^L&i;#X&!m zs#C(gbLZ49C>a`yL(<_43mtaLKeT?fr9l;^&*`fdYu0R1bL-Du6s1Om_5nsW{o1DO zd+8hh`;B~BuI}4S{grj!Dk&*xOYgvwD#)|`w`z4WoJ(2S4C`m>b8^!oihnoU92(`8 zfAz-?);YYHsacou8zGDH*zUjP7tCm{s^FPtUUqxPq2z>%W%f&sg@laGbeU1P#pKe9 z>36q=)K5~aHTG+JYQfbN>Rnf1^WH^nEH538TZPcj(1!-&6(U_qH$j<-RqjHr+;*$F z*7eJs8{hu@cL#j)g#SA7lCM8%7Kq^kPmTFoGX~l|Up1DhyK}#OVldm~MDnxL4s-n- z9?1O)@UnA#|IzMj*4pC_2aJz>W#-;>oX_ef?ILN^CFW;KdfmRZWbT>1-z+~r#?Wu( zwsxWa5#^P66b*Wr#Zaskc z0G--kAF>XbD+R;se@MN*S{or&07opsl_uTOG5C+* zuWrK1d_!qx1}pjqzX5D{;bt3;43#h)%ubb=pZ7h+vz__fhZ!T_oXv3-zwtJ$O6oRF zlE>HRLmir%n}2=cS2rbTj%U7sty!O;?;b5sU6k6ziv??z4H??W?Y^!V9vk3x=Dc?6 z2ulFA{}Vd~&Ur4YJm#y1`bvY-^n!bu9k#Z$_8g>8+JN^#OmIZz!O-tEY6Y#ZN*Ny>>i8k{)&(Hh6A1ZLn$<56yUl%>#!Ls3+nlmfBI*#vF zcgB0^|NJFh!=KM@`#=BO*{DyOcBlTwc1qQMOnd&=f1VZ}-L-Rf_y5W*`O*aghLrx# z2X3z#VQ8N5-+RMfKix0fXSAw=kEia5UxxE)j+mW1Y`Mujy`=4#+%Yfb{`dDgj91ra zW2EQyW0JGHRk^XG$B)}1j6%(S{T*@Oyz7n})mTYF$F^4X;S1;cBqgUN7ykDtrJ0|i zlx&)()!D*i-n?!|*Bgfw9_vb^d#8pon5u*9+`0r?k+MJo!aq}gmf2(+;92FCzo!!sb**U;_ zo{slVm2=H8*Z->a8u@AS*^gS$TPDo-WNBfsa62uhmfP*)Ejl=;VCARs$Ii!V@y|~j za*C#+gE>S^ZsSsQFL*B<}WZ*z`KeC&bp-*zgK4=gOa7Pb7{VC`8^7vyG#d~zsh zS@A5P-;XcBB}rQWXl>HBr#`R5WYO`MP$Myx?2Egh|E^ual|yZu0KTM#$!(dxG z#67=F;k%fQ&8d*VU3a8bL9WmnM*Jv>#sS)s$B(yJWo!HDHESfGEDjPYD?ETpK~CGV 
z0Lk&##4X>Wp4Op_NP8_;#L&w^rp~d+QL7i)JCO2-3m4RMbd(Shh|;~2ir)Sn!&|lv z*g$IqoNTkIM9gaQDH)zpl;9@RLHr0)h>+{0wCUrK{z0@n^janupZcynd;X=Pf(ihP zYZ_kkb+?M z0lB!cU#)RLqEo=@C8qW{4%XH^`Lpy= z=%U(G)v+(~JaTQ$A(~JAJ>84u(H6S2_lPf@w~wRYTbF+R<2r>|L0j&)TuH>Bm9f?( zd{Pt*J!u0jQ`!$1YMEMw)1Vt~@Ei?-`Z`AjW3RgE8$O%BcARzG<7(Er%6UmLD59YngT@?L%E(jhnizuafEu#Y#iAgsN*?Z6JycWkF6q7$zGj@g!|t8B);eWt_usz7gKz@( z?OIt>ZkPMuL3>PmVPh^DsVnSFc{-qM^!JkqJ?w_eXl?va`t9qHW4dFzr!`I=y40^| zS%1l~=ci07gGwW6{7Ucr8M$2_0azyn&41xS66zQ_28aE8>_0*)81qU#DzH#2+jsDC z(fxD*8@SH{c>+>2L{swv0#X$4+3;I1W_!Vjj2A3W_6Gj3uD>OgJs~R^JT^5h&TLRA za^3MPuWyg>RBI8|uX;>-?Kx|_OE~bW6;h2KLSDFc_~Y_*-yV&7TS^i@_!P2viKZCD z$85hNt(zFFmk5yrtwaWji={6>C_aECZg^S2N)`PeWd)?fG{LL@E6OFPwxu(Z4=MhV(b zK_YZ!(35^NUBbmd;=`Ae&OjM|x?#_wut4}q>FEh~ItUKz7<(!roPm3I3AfA&;T^Y^ma5?z;X8mhVJ zrdFR7`4wKL!p1*yZL6{0Zu+Ue%7*wAqWf`jxJr)Ym^)n>HFF*6T>&39LUXnC(hGA{ zc!eXjFsK29WKd0;S41@+1u7-Hb|@Xhsxv62%a}MIH}|%TKP44@`*vTv$eqHfti5CP zi=?to6h?r}I=1mGf{K+vLbzvmDC&!GJ)Uopo!*!gn1MnhC_A9ovlx zgFrlbv^#h4nWsMO)(4W8S)hVM)c*wU%Qmf(%P1(j)~m(8l0uDwbW523pusXb<5rT= zj)6BU8jrgw*{Ptlr5YDa_i;%JRmf#DomjE#c;xbIsCTW=qQ+OxpF4s--&p^tD?_&; zzPgWZO`Y`tS_w*mS18S&nhMo5C}A0J_IS(^PKPc%>=d=doc+=J_(1Q0D%FN(qHxqK=t^F{kL9<^n~s52 zof`i1LvwoW^5xEG#+;53fjfyUNpQu*v0s?FL5|Z82t*h7Q?0J^&c~Gq-8*CBA}lqu z*z)3X2KZ0}1%_ipJ{2oNuq~!0czj#Q-2NDjk|G9z+^$7$E6Koy;rK4Mq#wKDwhfEc z``h%&AY?@XBF;NAc^`*MJN?xP$YvwBJnVQ90bg9+&OScMa9DcXwc+t`>g9L2$HL?k zbeb5v3pG;l&=Q^Ay?UXHl?L&(2=V;(z8&&f;YGw2oo=&EjPbp2VemY+O`o5O*+$_v zkN1N4_4XuEy}dgPW^X)?Jt2A!j^og-Fa{JDxjXZk5ttiGDo~{{+11k9`ndEU9Ona zP1XB4Iqay%4(LmWI+9M#Fsh{GJld)6zg?OMzfq-{BPWuyhY0qef zM2W)8A^xKeHDwlNS45vrs!ncQ^R=*(!BD;Kul@BiG@?_q5-xw~s2=;pp*ig(b1D!X z-M2TSo}l^_s5;U=?M#1kq++h*p*D1Rety0It;U!!W4_`c6Ld@txIuLBp7R(s41@w${TFFGx~@1BvDSM$WxM{>)ZP$h1zE9(GM`_K%_lb)K!o(8}EP>8oQ*Uu4*6s1x-^CAn~VZ-ES?Addi;gK5)N5J@p)1@UH zgdM#D5DeO{wn1J}xXzOPkBov?P7smbu+A8$sVRp5NLhVk!oRfuZ9;PIagW41U|3m- zn0&-5Z}Am?5IOW6iIP{aYE#yD0rLCuaGanA$pisHkCS&=b8V`y&uUW+g?yJ2D+C>w 
zKlZ?-&A`CG=lMEuqHwPwio^&axMW(z{oB9qU-~`x2}4}uUhUkoY3Y6f zCV%))o*N`;6ORwQzz;clZgs9k^~=Ul+S+$`HlWWK zj%813ACs`DuE72zgWep6ukf4?;=A$HWp>>adL>Xxye54RQ}m;1LaB-Ok}sxwMxO$M z50R%oaMKyh*%cF`!8RALD%FB>&oCwBZ?K9QvB1`LF-PWOQEX3~5vClRQCH=ugE;B) z>zm!s!`~N0pi2tMZCKS(iVVV}5DGs`TmkTCK5w3oXo>YgV%-nn$7s=_{#OoC>tO>w zZP+8`a>ODl^$Mo_`Vwf(%(rq|dSO#fnYl~AX=q6w-t{nfCM}i$YFBsk^j>Br zMT)X9-ugvuUyAhJR8&@Kdd)tvK|XkW-y<7R4fOUSqcq~KBe)YgCHqf$Iw`@j_9vNo z37=~EtXcQa5Q(ZbsG6M&6{@s!G!p)&PoI8z-ManU?i->FA1u4S|NO7V#fG-Mm+dpv z|7>{AxsS%v7P*x63119N-qghG`>V;f^VirNlkY6L;`>?7Akt^!3bFrG+(9^+duFkX zRd(>dmt7w95mhwhpg)W-$_UWR9f;e&8qlU1T3Ra60Y1phZPLh@WihT3HTiuE2o}_C z0Ph{Br`I3dve`Zt?uMY6J`a8fnZOZrUNeG?$U?qW;q57o%jeJX5}~=k$7zicJ%ND5$kyO z?`bh4KKz3ivH6AmaLO_0#N!WI+5Fh`mO)T9MGb%3{lK%vTHEim6{ifD=5toG5i(8I zq|p#&rKK}avB&-qshxdC*6-HiSvKR;BKuBP1&WIK;4enNgbo9D2MHa*ZoQ52C-2@3 z-4?UFrONb4U8VbYs&E<3-`(4@-!dD7|Bea|G7Go7pkv2mT3gd6%$hx0;0GqZk8Hr8 z3c5@S!(0S<7A`3-ue&J@A3mIt>OGQ`=|b!lI{GZ5%6x7(i}tjPU8{>P^x1ds4tD_K z(2fj-bwZD2$Vqhs|Do#Jy}nER?}nA444-ze@8bS~@aw&5?1HM3odBuCz!NgFM4XKz z2ClBrSv?M+)->6&MOXMp^z}wBAPgb#_lSN|{*?lF%b!l%5Lq}B;o#~SwU)+KbfA<# z3H2-M1bl#R5`G_hcv0^tq!85xz|#;hck(}qH@^-pi7!_1zziakg-_V%Yzvag^5x5S z7X{HP4ItuDgmkHHwSLnQc=gcAXBSCiIc6R;bwUI$Fkh=GDs5IRE~{W-wp%MJERJW) zf~%#)*ohA619h%A#77)FUm?;+f10!iL}9vK^Pgr`&-zo(olQ#W3jc^S?Hd7=Nw!!p2lIQGx?P+-=lw`}g95R2+QYwQMd)T-yVs@Bs=X>8KTpKi1YNg5WVm z(2nBxuFyWe9TWCA+b#XiPJ|L#o)bLlB5XqX5H`749TivQxm*!Wc>^Jnh_Zyff2RC| z;Bj^}gSD#A3C2AuRD9z+cBrjTaZ`TZYYP)2K_8Cau5MSiSP-9{N6H9DyZ7wz6;;B7 z{f{d@K!J(VCi=>Xl=bYAQmeMZ62E?wA^4dv^J+5~u(xcbQ$)n(eU{xK6;>~G|JwY8=AivPNkwR1N*E7v^jlboD9idiPJlVfMSZ$|Skd~^-Lt_IIJ zv!8)j5e%sH#b64rO0+w|>z(xBFza$}3Ch30#p$e@zFLbwpoj2?0T&XBNHI?9o|u^E zBvnbmeotmb!s5e2Xxm1LRX4{69G?XKA?jvIqkJyepg-READaW@guU+gzMT-%4exrx zV*N>x*K$XKX`=dAEZl=eyU3FWvxjZ^T53opGaR-WmcgQM^3n&L;m1ZvkHj8PxECI< z$$0VPNf%l-C>lYXvXxL+E{~r$@jNY^pvZ3Rk4kgjPAv^iCt-e2Ttu4v9n|~SJMAH! 
zzbCp#e7F^h@oICbX60VUjTUxS1#M4N>X26S<(MNCaX#b5zfU8qpc*!&)S}tzg?ezR z_s@P?8onGr26Gm!@?CRLa9rJ`83Q^CZ&!CDPKx@?5}v2nbJ*dHz>YiU*gfyrqsKYU zq$DQAH@bhu7y{Uu%e|vkXaxrc2M{#H_5lIKfSXi*e>HsQP(xTCA)`jak^%Y7Lscu8 zC9&L=ZwDy{K@YKS!ucytYv<(Z+QHIN6bD*`^g4H5?|-&*h-7@C=bo-IXIkVNWoVFO^M-Mq2~|^UZF@8G=KG~2_Kjn~ zlP97P>Gm-9(W7k_4U4+JP}%Sz8%X?cXvK*?J*_KSQC&E-c;oz2KVS-viY{~~<(C*{=2I(1nh-m&& z9%;Nt4;k%2Mi3nFq^C+Y#5DTKseSw8*z+|g?X21?FR$BKva^zM(zf_KLrT*P&Yykl z2OsFRZR0z=`W?OJv3?5Y83yj~KZZq|>Vw2gPS1UXDpR%*x{Juuh|JV`Bm>W85?RIgu_FafFBFXrX616SN1?00aYhYTnu{H*WGRoAi7D zsSjdl4;FmkFnn}|Ur@%=!M3_R&=;PY zLJ&u9mGREqoR`4cXvXE2urK>2ZJTDnAvY6~fUMio<<97D{wm>w2S5KAj_4ZEh)K%B zsJuCk4#j0EHGThd_q+aYRQh6rB^fe+<)`(5;UgMjH9gB8FYJ}{g4k+^odmoPL!P^V z%w5trz8#l-pLvOd&5<-_jZQ?Zm8*uPrj}Dyd*;0EfWl&GhH!KL(}Y10DbvJmIyk1`T(PHH>-=DJXyTvP5Beh)|Cf_X@(;aw7;~@Jo${+1l{|z z9?6p%2Mn4GTCBA^KV0`2TAbn0Zo11?t~`J4T$`$@D*8yDojYZqqApWhxs=}DxmhyA z&HJgdiss>p6U5N0AGMGgQwmtomlZeD*jQR9eNfPxzCJuQPQ9k*S@R)DC3FO%-Ddo4 zdOi8A`=c*@ONG53U(Li$W2UaY#^Fw$jZwC{I1^LsYI!A!kkHZd>|^>Ly*Z-c_DkyL z&MGR0kW?jlOnoGKvFMXh#{kY$78x>fgyv(KMaR{vhp$}(3?RILnn$jV+mVtmt@ws) z*`Ju|n{%&NZCYG#@VbJheDEewFH_0yofW%nRrHtH2^Bi-ix!=EZtzm)(Axr;7lR{4 zz)?O}7BOK?hYh`*VmpLL2g~$XYT7@+r03Cb)vDX?#IAYwutKsh?ZG5f2f3V*Wls*q zFJ=}I@>^-;1~IdT{89W1$o^dqyr>hH0*U2fK@?Y1FE?Q@v;*^+PK8H~95HEQS*z(? 
zmy>QsS;Jh4G%zOnp?c!9Ab38H58oifxq{lcu`w~i-}YfLG6>Q9(SKzVGs>=It-$qy z?tTaMWt-XN$0aehw2ZGeuq;yCdH;}#B0g6^Yj*p@SQjvH?nn18FlRuWTSii;LM!ws zu9(#%d!%C~lXUsYJwjc8#lA1LU$kgML8Z$hs{RF&0A2vR+mn|NUbU$3`_Gu zf|lfhI}?5aP;MBTm8sk!pCJxK?b0iIX9#eqv2P0EkZaQBx`9<i1$MQ=fs$E|u52di3 z({qO?`HUK*we(ukn_@1wxTrM$D{bh;Tr!Sn`XL+hCVBC;@bOZOTjl~wJ$}%+or7=e zg*J}iDLJy^54#WeJb7B(q(@UN_bu0v8L-_#)1z-k^}7`gC23={v_$&jTpf2s*2O0c z&9XklBD}SX)S?|dM+f)tBBk_$M~?znQ^8N=-uw=DSXql0h<)a zELFz7c1b=l3Bw^SM{HcuqhCJ-HmAB=K2xQ9=teQy=`XyQ zeR8Y$RddSTL5_W0%(78>(~Kvo5t%;j^WPk)$kl5$uW*bCnr$9^C?_;AXi#tqUt zNR^~sL3U|pP!z7K-TzQ_+@<8?`4QeWu6y_GTMPGs z1+Oxr9bM&oIs_QO84c02o_uZf>l<3^6}Yo%p4Hb+w8l6Wwgn3#mx>Bt`YI_VOvO%s z(M@@jy09K*4#$|xT(%~E7U{N)Wm3-B!6wx+Fy4md_GN-mTk#l%2U_{EPAe0oja+aB5i3Yd0G?wZK;AzMDVeJv2o3*kq0W9`{gvKr=R)j0P4ni=Q3Mz;ghfRPAT?hhITN6zjTk6obU%w=cuyuqK-M_^ z2(JbDJq00lrv1CTrbIW?ug$hSD-^xvt`>B&-?*ly=)N?eA!M}PK z@uy+5+kz5ft=oh9hQ3dbQt%uD$NIR;Vv@;((IO#YKp%>FL|gi9QL<=#b#>nZViEpL zC{Zr2el^ym^cGoLFeBqxGt~0ur-Oi4p$Iz$8`s<(Vlf9I+0oI_2cpSnK<993QTl0^ z!Nb$_?@BI{&J%0+2K!D;WBcf3R@I7L5jYZ_Qur!`E)f}3c=*WopVW(6BX$)$bS#5{ z8wHyqga))6*1xU~TJ1d~NuWk45se_p0ZG zc8*K^T2X0Te62iqLyZ@z9aY*bno~dCKi&#Hd@YTmUtR(Wp1p8E20Qqm0o9!Q<2`;d z@0!8Me#Z*azWU`sAqQ!zr#})yo3MIfT#UdkoR>s@1fb>%UN4qhDr_9C8vA)=dSW8@ zKi13bg~btU!(2iTU7}Fv4C^5$AWywVd3ifYB3L*0Ggs6B9rO+696W}JX$L`ophWRv zKE%l{tA~=3P!6G7=*>h$`?KclK{}F?#Zb3Jg^gT;{T#sDK5^yaqm?}?{jsn`#VQse z-M~16Z#ke~clow{#w%5_m)eiy2|YR3>@O0DXi#{c2(mhJH6i}SPTyqhKmG2Cw`r48 z>kS^XvKnw(rPS&-A=3A^jB_hCcdV2zhuD>YBs?n%;o zg~WYIdBk1E8K10Acx1_zU!Uz|*{~XR4N$kM^2dZU0Gm^%PO&Llwcxs{YM3%&Dl`ut zz!fYOpfR$$1K+_7>0aIQyS?j*73YAzhYT5FuyNzHEZ@kgeaOR#i+d21r_Y#SIAg}& zvX8^m0ExJHs@f8avb74+!(iCZqurCSioGPRGSQBQ-ecl+rVZ#Q=dZ9W3gFG-iLn+G zjr{qw(Ti%llmyhVC>Ln@W{K=^UfW z@QwM6Vm;!p)>UJb!An4eOr}oVX``Qc^*_lDdvW1@_WARwJs)~LFundw%HFu75a=BV)rymJu2qU)}W9w7zp>0z~b5qjqU)>6EbE;~{;RQA-e>J{fS z=k(rC;~KqiNLIo)lkv?JeO({4 zUjy2=b9OMX2kW{EgWG+(Qm|0emKh5z3UQFmIbCL3=~O)xbm~(*Jtr_ZKRdwiLC*m= zU$JCf@BmcXox68$OYupcV*W1hXGN;)sTZrpLJu8p>A13rEsQl%bu$`|O6P^C9Xz9? 
z@mI^76|v5eQkTDs0x$Pp6`K(CQQNZO_tE#pb2qN7x1PI^zHQBWAxN#8VMm6ciu$Yg z@x;cu=%^@1ggCfBFZ8=@Yt+8+7X|e{X(!))@&HdmLn)3kme}JU zd?uDs2MrXK)lt#Wd(7NE`iwr5?Z=T~3`DtEX&5Jp;l>KfE_KeoU$@CSwy@JiodVhF zR$13A>fN2b7J41^3V-4o{OW*lKyqfAYTx?t?aG7n%}oaVTX5T_GbjwtXTy0zz1>?B z`rHuY!Rl95?{B|;y)e<|3W?*!!Y^BM{ZE|eLtg|zq3AOI>5d(3L~ev2b((5+=@Ol7 zDO8U!*Gi0PUft=X{Ut=sJua%(+o-5;d85yp|NQW4cTy_6F4N?4&fWp@tyTv%Bz`${ z{`7zBUdN2uveMUUdPB$Y!dTg$X!)(H)6~&>cWr!2>CO0*xs{cS#AVRyop;LDi7_6U z4>iKGpaIcF(TWOd3Bi@|v$e?w#J2Y^@0LvJhv@r(bMoqXUb<}gN#TuE$8RZhcMnS0 z1#MFPJnK)U)~ZhLZnY#h=ufkKv-;)Pe?OM?s$q#++MSA(zQ3|K&T!qjq^IR8WKWK? zPw^+a2wo5XSmCfQkK;Vo|2T%~0?C$$g;EUj(PaBk8NWv?+F5S@vw&mAdcaoKeX0z)e(aA~jBKR2Cf-H7 zM5!#Gas0;?laB=-vij9ECZ13oWOdjz+Gm*f0_|Eq)#in5#wzKJ%1et z>m?;Yd%pOBu)_q$>S;SdRaNSrnIVMP1S=U}2pI{x$=WiC`WywXL};4$Bs;GLE6onm zqf6{Ac3%=vq59fNkkEDJC;7?}2^-|a0#v#glZ_k4O2X-fRCf!=6nV4ik+L9&w5R0&lZ815^;}%vcK2%p2lynj^ax02DN~Xvd z-$oNvxJ^dFF&9E%9}%Amomyz{=K(aZv!Y%-%h(a?(ixGdl~7m{r_`t37ybFzoiKfLjp3$ zF!Z~;;nmp0(rZ+Ozr50()?RtBio}BexDWLH!!byuqTjOi&4^5)wV`T0be)ocW$v1A z4TDIgo2HfuC>=pT;qO}8yF7uykygnm(*d?!6!a`^ zu=jHj@P2-A@qHM!d^U^xtDJGn+T8_PRIyq!a{F}%Q6%#KcI{3++DYu^zJ^ol9z0xT z<3)6r7%*62V7am!<+8-*&YUQa2F6RyQpArvDPnFol-kprL;o3=;sUHfFCwlky?X5i@L9}_5PUsp$RB()U`L*8r@k3{Au*H$Kp-@3JmTd~qqLJt{jNS7)ant=4|ckaTXVyUw; zyiVJHB*5gv=u8i=9fla+Lq9VKNRq%{Pz%9S+}Dlh6wGaGcEj{ZEaNW(A3gdN8X+cB zMOZKiZTI(n^g$Zq|NGhMEE%{6oY1;&?@^c{c@Wvy`k!!}0yopHp$F7X7n=x!GTdRX zPBXjaj)757t3&D*6PSkMES(|Kw&&fb!(xlr zzizhI{Wl9#^2j~is{M|4u6uX&+J{V!C~b{)IlG_NcXW2XGiUJXVG2u*-jtPIsFZQ1 z-R*Ndhs=39XX1hX9HcV2d#-pj>MKdBT8`1tDeu(FR{7+kmLaa?^|rmnS;!R*jxu&Q z)UJoJ`>M>lxgkcA9!CEf(`i(~zPT@=8oj&iugT2&rQ*LsJ7!fxCapTvl%cJy?fZ+I zTnG@7o<)dMjEr}D^p8#SYD@L*>1b;kapVL_$n`zTbk5T4kG@Y=Tb%|F{<)?GAEfrY zupp_Gjb3`7L-($=o1eOko3MjPnf3vPRi>;R-&cS!FJANppcI61$hI)5b+Ph^L=e=x zr+@t~A*JT@GAOEfEgjBi(3fd5z>Ju^Ij)UpWL;Rkw;7VZ-md8g*Oy(PTtyU)-9@PN8zW7m)3X-r8H#Wx{w7Q ztM?J6_IL@_{n{zezJn_Iop7jiIf3Nv*a-W*Vzdy-q<#DLQ6AT)g=qqU(1}d{BN7M+ zAo%7(A?7LG$`0y?ix&qnNlqCc@;)5;C@c$t64vu~A3y@5M!ctUh8`RZ2$l%+#3Ybb 
zE;zb8E(3>89KtPOF-+sbR=Vj$ix#0-yi0i|c5<^eTj(kQRiq{Iy|vpi5QDSnmFK^& zttr_{AR0W%@)bB&(3vv_NzhKXVF}f(5SVabyf1Idc1lFLwhI*$C5Gtm$Fs?<$M4^J zkA4Gm65JLD6?=f&(_m#2cS+HC!;U}_i##Izkfe^<2E8SZEbDpz2lqS`~Y^)Vm>0^&{`zHD)Fa~3GSqu zoq4J!!4di~$d%wBH2*?&sJ)G%04K!mxSr5jOHnOEzXJL_y4fpXH3~K6dZLV6Ez8DR z+b=6DC=h&9GcL)Dz}HT^6gEL|_`)IUCe1DTWrfHdd@RVLtEzwC9PC&IVL($f;O7{X zdapTImm0Qtc|{F)@YlXJdH!BIi-#BbE}41oY2%v7H;>mBX3L+roKdACE19`!wrzD6 z$4@7`m71bqT!rx;o-YCX?{E9!D(Wfjf}FV)AV>Ldz$7l0-w2^ZA%R+4 zT1ejLlBgWhV%~}@LU)y=$E)mxdAul7Ri=@ILrwn+$&#% zybRP{z@mhHWcdF4!o6*eF^%NQSc6cP0y8;Pqb$(ly-A@v$C@&n`dUN)m;w@QR-3i8 zxp3<5zI^FK-WI$Z@|#SWh~0}>qX>{m)kq0TN0JGqh^>o14E|Zn=?Pyr3mK@>LlV z|L67V?ww|*D0kTbsYBVPhbCD$FQQlsk6pnAQKOm~0bL;@sT34R?ALtsoV%S&%JB4lPy zS1N`*!V(xL@!I1SuQ}}-Zwo2)Epj+H?W$Jb`!`JNZj1&yTFD2W6!66A^_t`P9xaUslM zv77BfiH+m=M80JDiMIkW5S9XZMrX}GOB;Ol_M{ASN5Qpp*|NJ}Jd#n2&9E+489Nu@ znRf+K@4?(KIpQiV70G#?^fmV&MA=XzrqxDWy50&;C}u(E85gfwB`*=YB+FgtzN92n zZO1to?9n>}-<7xlF9IjHh3CnxN2ce_lwd14K&Xe9o9hqsCDt$_KF?=A8q+g9p?HiK zJuB=dB_ZE9^15#DvV`qC+TYRjc+VUZs5?&QCU9`{38OHk4XS0UopAkrn2gxYk@-g2 z$TkvT-@x}4N(w3siKsb6I|?L%#`4Y0FG3y3**mVYvInVb6cczZZ|MBRzA(0%bfLTu z3TK~~5lUi~K=e@LP$4cNcnQh<(P^N_bne_)0xO5Bj?Qy8%|V0OG72;eI#2kC5Up{Kk(G=h z8p`(_(;lliv+%>H__2TC6ELwfjGLDkHUw#Gzsf#3*iGn%<(a?n*3)ZqD1a|f~^ zT}uDYpca`&%u=a#?m4T;R=D6Z4*Rr-it8zyO2yzv;3L!VPMrUrFivmS$0bx|<=A{D3};Y5PzC zJ0dAZ80?&PvgoHg-&5)4{hwdI8gM`)g6gEn^+k(@sd5K`zo6d#PwD@XMq4OW7#79m zeYBein55Xp%FN4D^k4#l;&e@){FYgs0X%sz%|a%=od2vR?a;Nf)Oj8V--rA^u zV!)8XMryv!l<3Bc#Yk_3fz7V$_16^pwz>>HvTfS#-GL^b$DA|ztPp?toMH4fS1iB# zM7CeFwZ_sZ{@UJi8~4O_H&jzgtWC^HD4xDF^kMCx+Y{3F|GhK+eapgU3$0!9LPyWZ z`+cfu(&Im(osaA^AG1Rtwg$#~CkL-@?PygWdMpBN0j<1On&~H8#yR6f zGkZ!z2ExWm2o1jL&6z$u+`F|!2r?Su02F%l?u|s^$fk*>}By1G3+x?vf= zlj$_9=GF{2f2)zGlyv$hn==HwJHz|iB$!wh4@K8av}FchH&)Bo70DTRc})T(nT)#N zqE};`aP1XVpWB;%tqQSc`z(MqlG8^Ue}gn?jT@Jpn=1!sOe$dzMp&>5{D=9mp}89& zS84v1U$qlPPeh%sosWpC`@3hGAXWx;(`xGU~vA4 zBU6LP9rf3L>`a>&$>EH1NIxSaQhBHLAf)=!wCt3kc=CXDFH*OT<7+RYY-?tpL{3W1 
z8WpAs9&CKcwX;q0y7^`q!{-n*N4X8cVhi`S1&-DCu(d;qbMDFV;~2hc1e@MWoJ<%& zH7dN;W^|w%?8{X5Bf^nbAV7Y7ckA8VVC53tjW(`?cun!CJ-_^QbM-D1fWjfH{C*>I zge7VizhEjPF+DoO5RYJ{!6)#f9q&Pm#uTS;-QxyO>jrj-s40k)ql|T?=@H&! zz0(cjt?H{UrCYEXUC?=mg2AFLVyY=&mEgh`VP}S~WQ4Kt^OeV9JcU&qjHw3D_fL9u z&6V;W6(+&{nPVfeZh_O8j+Da+ljzExx^)LDufxy{tquFx4A!Pz_3Y9}B^?&d&0qyH zb&5M=ycpLeqJ>V}l%PFA`0h7sxyCn?rydw^{+%HZzfjK7NC2Z9VwoQ9(QPuYU;I^e zWDd$?8U5z3(g?W3Rt|&ve%ai!E0A!)M++w~vFy_0_8aV*{dhgy`u6?D`>Ot1HpRT@ z*i!vczW4?1k2p8%^JG8PFUm^jM^)^|SsFUzfTiBAQfb!XMSb7R&~gvRj!B!p8dyaP zF~6VG(SP%m8#gOjFE=DCHF}=#Oxb;Y(~p5gNr82Ge;$|?)VjRR=o9QFbD_9**fSOR zkUNGKgAe>p_nFOW0@>hKbOKuucA9hp!ULXbStd3C@yKNUZp24wmW|Evx|X|&`Vk~B zc2b=Xh0N$`cYsEjFy`rZcj~8m`>VFtkQ?zzsKs-0#e85A>7#GIep;hPqiEL4u0`?F z6tK>f{ZGAKev| zsWVAG&hBbQZoeMuB=N{G-Lgej+)Zx1Sc8H}i$7t^5Yi`Buo&-@Uku}ylf=;C@_e~c z=aQQqyNm*~^A=0X$d^)ZmZrD<87bi@RFaLvQeEDiRBy#&+CPJcDrhkx~vuA{7@=Tlf6ozc3oL9R27Xozfl z_s{QfvqoH1?gKS<7AVuvW2KMx;@XWd*JEA$%V$hpLfFgo$dbCE5TJmDs z^A2Ur8(CMc?laQA^ZR>^zkWHcTshOmrWc!R%t0740iSbH zZ0WyJY~<#aiGz<0`?h7GR@7(v8TFm=n;t&+-g@guwOLEL@^(Abab~Id>J48XC(Zr) z+i1V*EUjV@y$V*IqEST2vWj z7V7IR_5%$bJug_p5>i}PX_{_PB3L0$B|cf~hy=bUY+5wCX~v>g?_QKIT?SS!9PbD! 
zz~*8mTSB@K^CB#jseiMz*7?=B*Nh6&@-W^K{5a`?jt1-d$WL<%-WW{H{nH$A?19y=G1g`?IxrzwMZ*r^0}NaRy5<)mwvR2Gj0Anik#1cNj1CZRgO6 ztidG{8%bsBD&YEbZW@RqRNe=eDfHb{w%e3N|iM5_7e*Skl2YMGdBuh>slOwJzt zN$H15<_Pgq^dLDQBOfC+iL$+N;jnT|?4`8#%s5!cbb$LCffnx~B@d3TWv3VH!i0B7 zpkZ3l-UA07Y3Z2YC`V?PYj;^Mc6yK+V=0x-w@n^LsV>ppVf$ES7f_EFD`gkiQ{~UB zzsMD4-Ir#1ZPd=4ch)FimGmm0GWE%mPxBK)#_8DR2ELfA5AuezcD-)D;^J2CQ(=?0 zT8(r+&N`Fp&2dA~+=z{Q<4HB|sHslrd;k9!dk=7~`~Ur0b)~(h)Rl&chSF9Mm5?Mv zBn=};DKtnZX)DQyipolob_r?9ij0N^4I?dC+1!uUb$!S6z3<~b{{P?c`yI#iyRPE% zdB0z;=Qz*vc|L>5t`nJDll}D$NCH20O1)xW6UNN~nF-ECUm!-HFgGI{%6b2Y$+o^g z665UYoAi>Bmj2f4hFlMJ+0ZFOYVNaYqMU8OM*e4FM{AwwTOs{=E#H>1xa64~C3Do$P)Uka3B|h|(1Z$aabo6E)SX@L5x2X1shtML zySsN7Oo?LMD)dn0E`Hzmi~uvf$k^G7ya=FPpEtm81p-urWZ@%wMhHkJB!97YaOpFFb1$pg&|7wT9smXW8m!F=dTZ-sH*O zY`DOJcVmxQZ)xdt>J`B#;Whw}lj_m7LQCVm@qy_Y?G^fHFRmQAdBQS1PtUkRkHe~s z%%*LPG6~y}H~F-;)aGe=9_mTqzL^>QxBh4owsB}xrrlePu|0Fbi4x~YoE$=i@4GlV zox)U`1z9r6%3^~KOI07jY0pHRLZKnUnvL%MuPpdXl!=E>rd1Md6W60{9KmjS0D?KS z_Mbn0rodH1^Ax2z@g{kS%?1g-=6TZX(?ikC%<0-TlPZ^IFM^E73+~tV@86%}^C~N= z#~Gcc)V#vw6=!1SHrFUMiyEy$DGK;81G}#6-=~iUXsQGe0p#Ndckb)66ZP&9G94m2 zb?kUQElu?2VyxdVnpGxR3O(zY^JF_ic&XWMG@3ig6Kkup%KFI{oxCP9eE1$hoFdlg ziKm?b7KI&AY6$ARWwYnZA<7t;M5-mb+lB1xl#Fuy5|6uMCl5#S4rdZVz zB6aAl>RuF!FQn&BN=o0E|3fq(01FG~Bv@FG)+$E!k+O+(KueUyz?=%1c zxi=3|Q{~<|4wB$^KS9vLFlOxgbaPX4Dm>wS$TPbiO5U%F*!4!g@X(r3_?x=jKIj-8y zbBBkct$DL))rynS*_Y#rqZLjbAN1AjO!LT7M}F4JORu{>ae1(5)YOX)&C1{1aKzb7^)(G?J;L9AiZel(8)29oa z5*NjE6{!}-!>(qr*ACYTWL78A99!U{PhF(`tp(t2t;LRyzbrNyePL@2ii}XRE6>qh zoplNH2(%2Rrl(XWEDWKNMge_@j*-waV#bVex{zkPcOcLs}D zt>`tJn(8JAcWl}vJ~<6Sd)BQ!!~zCbs*R$g*Q_m{_L^OhT8-!ueYae@@Khdqx_40yF#1@;yZ}TG96stxNKRqP7sYSmy zpIe4qJNH=T^O`N_kbNs>?@U~>XwkfIJ-HsM#lDEDs3kpZM>DN5j8g+ICkbvDT2kWcNeif%}xVxvFWUG?@A2+5r{VebHbA#sN zj~1DxE?eK5z9`=+b93|Wl}Y+GwF`^Q25ek&%r;UwD)0H`j!gyM&b$f6U;8}7yI4`e z%M&q=V)-!_me0#70WnE{rN!6T0W4ecP!ClWBoW7yBNd6CNU*62H19(N_oqkpz=~_u0Bz)P5>W_zeuLD1EUA_;rafoZLX?)CCdAqK{<-%Riy(JyE%l9AaQJa9nQbp)p6B06y{#I`d| z9RA!Z4hQxb 
z!$*z6;7m#MDSRz5$I@F-GN6G^k$4FQGAfVQ>ep|1VDz#U02E>unYhJUKFt>rP_zep zbba+Ww_b4@JET}2e2b!rhQMBXA-k=0M0(wH5fS(!!0T&^6;7;YTpFfxOpoa-Fk8%y zmo|cHpwt>YX3POTuR!AHc^1$kUSDbW@>)w}x&nUUzT{XWfC0K^6X{xJ$>fI~$HBmKq zd~2pU<(qUtwDpl(40Yy(>pas0p++ISV+%k)>MNcOoeA#?2FK~4X{gC@6%7dNgnZ&i z&{FH%h;Eqt1zeh2p*1kEwWTqqRP{isSf8qTFFnCRxnkFgZ835U4?QG)zCNK|IBdJw zGtI{t{a0pn3p@4Ja@KptR|a}LT93RrH%0Efp?O%E>#jiCfogB^HADT$e6~ZF2{*P(d`YVuJ_SBRIY*XD2x~_XM0~$!q(!=&b2L z`Nga#nDDE{`}54ql#Vp3)S67V)Gg|vyPPE=%+Wa5E8evRr`JC`8>nmq!!Q*i=$fG#_yq z-zRgMt{N(otSrEBkZfjyx@HzqYe2sa>{@VY6|6aW=T|bGC%FHRwj~tvgmR#Dm|^|o zb31-Jv)EMghDnT%%4@JJsQ$QP^&JqfeP+xMOH&Ye-zkSb`H>>h6I&*X{T8SGh;urS{@o$+d;O-m&3d^x7QQ=$GUved zy?>nc+|j+Y#Jwu%_?ri3d^aVPzP6E?+voPshi>zi-JO=|+HAivxU9f9Onsd5=$B{E zc67Zstfl6nLDWN#-l&!Fzq=HV@BeA#FAC!v2uW_P@Z6x`csBV?H^VQus_VuT(i1OW92_Pr{`#$>Uk?+qPn`& z{)$Hnm27U_d6F9$TYBZCLF17k$=&U5C)7Q%Hmdd>vXoRSJ$iEZzQ5H%cJT>qGv$pJ zs3pW@J`MlXxGyqn!>~!3Pme9~FU#YP2S$+NQzbX~x zdA+A`LX_OpLj$Ic`gri@!cK2qwY-%-tTu3_^8<%<0WTvL-C5l5-r-uG&i@fDHXSa0 z@i2e6;qjh!_rBfEX}Macv!qFS!jAy2e;7rN{P(B(TN8C)&oB$7B2VzBR+rE29>GUQT)x`oBNkPR{e*g^W*qW zo^3O^CUh~Uxx7-^@mR;fQW_LQMn?8wO*u+A1Q9Obtw+%NBdVDVZH2%XHyi)*a_qUu znfnZ*n-``<>O~QC#rkN48foOpw3=JMhy%?2sZmp#eQZGI8B2nubQ(G|#5R%^aFN1? zu2OBj8s)FN&#j|SUdlEugNsLQnp(^8%A2lAWFB--O#2E28lA@G? 
z@&9t4|2R62H`Jy{cEdD5a7Ma&p7ASOnrmK#MMUHvR7R<` zs$n|OyZ%e)G1@>C-_@H&#Tcd|YNC34#A05y#E7XYV9~IQ+-M_(G+#L(=4j_06(|~2 z+8LjdCpBP5a+IXbV(H1;)kzR;x|BWu;7?&Ue9I`%`Ut!k>Yi+Kuijk^gY-CFogdQv`7LAl3w@?^Rp_R1Me#1)*?XK&nlLZfR~X0K-S(ri*qKhbWzHKGRvhm1PeLd`OZmV@c9C#D zG>I|Pvq|t6<)}Tn#jc;jt>!LE6o1xCto*t6Yr|5XN2Mvr|CQM8INZ3;HZoD$nfCut83fSwF#Y@v&Uf6OJ8@5mX|*y4hm_FC4*u@ z4aRn9#HpYl7LV>F67}9(z#L&0zaB{F&tM%hrW`uYi!~`U_#D#ndQoCo3ypHxY|6U_ z&z>#*U9|o6&hR5&3}*cqlX<|?&41*~#kH|=r`|-&D2s{QlRP+P=SJ<`t)q%lI_F#e zHz3KY9y*Sik#pQ1@h(*Mt^I07xUdL)7EYN9IY26DsWhOA-tBrjn@;@_A@SiNI}e$y1DCx zFZz}kYjRUw0Fz`Q5oAF}!71Nt~z(AYFBYpL$Tep8?CZx&XFyjE%SVT4U2iV-#Mgg+z{PYEtO~9nql*@ z?#ZF1+u#2r@i0p391<85R4E835Mdw>H4+q?`Ec_ne{=JjLvz8YOo$`SZ&BSvKBYis zwgwYu294WJ&&FhE%7-d~nIM5!b=j5GSKemj{+B=j#l|iP20B?$+Q(6}p7*$}!Y2}} zEnvgUfN{ocg~(0JyZM%j9aV4#Vj)xAB_n7e=$4Eb?`P((BDAG`5XNb?j2 zHwH2;R4Oq9PfR^W0?+q9$6Pdy?Ry|xBN@8XeoYC^&+V ztZQn8y^Oz&(>vBv;r!gTnY1*9^7W#lflX1g&Tsm-e`sa?x{wOW*8X2qkksrDJ47KN zfBpWQ4DQR7oQ&b!?AfzVPTLq%(5;zB%1lZTisdFsF6Z=%D{fB!oMRO#zj!|&GEcGH zYCa#0g>ZskD=k}4%n?2b4Mb{L)3xICXSA$hFS^k45TtQb7V~uX>Pt@9u2^vR_S+tF zPF(ozJo;(b&}E4ap8MZ*tIk_nq|*11Ydi0s&7ExaZy(W3o6fq7jZ~C=k#O8jnT52# zNc=K^#k%d;0oDV~+IKmy3OREer^9G|^%)Pj?`D0t}3is!)Ue&I0b8VVFRGOG>7DH=!jl&pV zro*2>_8EWa`F8KT5swd#@pi8QKM7=_4|pbJ+Uq8HSjRvB0nBlQ#1FM3OU7k^s>Lo& zhEV*RaQDi`xB>qL+jn=eR~rMmaAgmmyZ)8CM5ULMR4R@KZ3G?xsKB%K(utOE6@%gnK%<`)>T4q2oP~ob_}$#wbkZS3eQA=yb1=F zUNM4XD-hNy;}t8!IS1*i*ZEVLoJ5SyFz1SLqwK0Lw%f#r{cL z98N_b{@D9EsJ7^?DP2H-&9N^N)|q16#kJGxN*z$UQ3g@d_)-MkYy3H@xQ!DqS3Q@$ zx+M#ksVa4Jh=f?i1bmFDOc+c%r|(+ov=L{GB}7R9D6zNJSALm%p(X2mEvdqt-(Es4 z2}F5>5PB8u69@QLtDm~xA)w$sfBu=t-?7G#ht@ZofF>b?rLk*vL+Ah}>**OFS`|Wl zQ8V*-yE^y8{UU_;+GofRAxA^u!JLu@V?FJ}*^pfxA{Souyei*g} ztrxPvVr&~&U${877@2WyozR_OcY@|;9nTJW46SMg@rr{O4x;D$b`ytJXf`;!6YYyM z@@#HCxVkh<<1dLTY%Zj!4DW_hP#mN+pN{;SpZ*!S*akze{6IP%0r7&(u*LT%O;Zln zHe8umip|4^4;Pzp1vwKt$4mVY0hV8BNutMf;1mloC7u%_!74Qg5%p+fus?X)Xt(TY5u97Ex_#ouh+QS$ziT6H77QZB#Y4U0Q5%a< z3%8c~$bwR1J8#kK5RJR-nUC(!g7e0{RG}mSr>>4D%~KqwQVf56CMQTqA4v`p@w7%x 
zaSqaTNWH5!ZWQqlakZAqrGZJO7_p3XO@C3XmHNs>{{AcdC;lg^UzsTTMfEGA>n@+V z(D2+&#~~v|OkH2TeZe}b#X$>)9C`ok__mL+x1Co!J2T5D>W`BCt26SjeUlLCvBWHf zFxW_WNKqo1-h_ZsgzU+=G>WhQBU`pJk5huZvEa(+KiO}I`u^i@xmfcecc1ECOV0UgtaMkn-J7cgk)^VN1Dgh zIx%KL8-} zvyKpWA^kjeW84J&h$EFUBfcrGS-ZCFeIf26&4Wk4K265-l z6rj0CM9|%fm&}MlX-o5wDI&U(`R10ruVxD5(}xdp2?h08ZY}c&qjj8mzDj34j4Th4 z`2u_PBY?=N1qF4g2%N_6+;gyPD=@)U;es>HnAM<&z+ z3Wf-Us8EkH2j)8Z)lv5<$Ns^*8wuw&@svnaH12=3xo0*WP2$>$@OZE8Qy0dc#Oa{JS(BUWm9grIJBo`^ z<69KULy`Kc&6^hoRRdblb?^*bg~Sy2ci&UKsL4=^UVL?E=m&A=7`gkSRbiI~v;6$+ z=_#RaQM(iB%9wJ3DgHyT?b+7mayKazSC`;o4$1`5%4B|~kfSh1p140DOP-D66oR=M z-WD=JF7TH&V<;#I73Tb3obu)dHWUd!&b#768eI=(UXkG|iH4dVi3|R)B zq6LH;Slo_6r!6F@04E)UClXZh=vBov6%~RIr0t=c>nb_{CPT0QQxbtVywc zK|gOh@qP*Dx+WhEJMj`k`;zH`)(1>A8pNXPE2^XtsP`6)e8L=w&#{GY50Y;1v zA&&izOIspg9%Vaz|M^n~8mf--{0MTQ4z+>toz25Qi3lG;5667Rs#94qij z_O?R~3byWCc}pK5^Fn`ua_3}D`}qf^FFmNXq-sv=hL2M|)OcxJx~AZHE2zcYT0P=r zTA|X3)~t$iV~h4_-kcCNxIuH;R|o8IyCW^X0Xz$`hA4WEmsdAP?(@8m*r{_KCoSfZ zcXJLd>MxUV3@fLv;d>>7*I>aqW3LjyyaULVOz1Mll6e_KN_~o)!2v^h^-|?1vr&SaBCKtcb~VU#Q>k-5rra)MbR zo85(okcm+tB5Y~+rXX^oo}N$6_-ZN$=cGu(Xur8mqoBKfTdaT52+e9a_tT|f_Px&* zI>$ZFyeAz91s2ZfJZ8G6AegWLFs;M^P7Jntyu4}5y+4Y+Rm#Pc7TxGt($gnT?+0Bw-C1ZEVfpp~%pr^?&M&c( zE;jmyj&pTxLBXGh^h7x=G6f~I@R7>L;EtCqFu|-uGpwkDrg7{FnmRO<^>2Pk0OZ9< zwPUfF3i^cU({H=XF-^VO!)l0bHJ8kJ_j=JJ`e(zxzM2&*)VEE|Xpscr%GveZwJKZ> zkI+ZdumT6=Uqw*+(irI_x$c59KJl%^y9~jsWSgyExUEOtebug)x>Qe0%kS>~t)yfh zGtmY0DjSx3L!a0gtCwD|bdtLaaJO-y2b$HmS%|DpJHu(#2iaj{D2(eeR*oG#p? 
z(04O6!ekO$g@fCY=oc;KBUVg6zRfIcO8)_N32T2JtD0lCWq)6@b@z>PH+PJ(>C@cf znXRu%?&6s0tWK`GCMw}?QhCj7VQ9^#Mu zFiV)h4HQ5wzh%t$;(~36taK$S<;R%By!@bAcD+pz*n%G5?36)XIlYG{-kmZ?TDpqk z;!!+GR<@$BwIu*}TO^#e)?h-4pA+=r51+L;=SKUo?u%1ZL`XZ=HE_Ymd_~6zj1*qA!S~-xiV~IPUqe z%Pg%V`svzBM1*~b>~-zx)sN*aMGM3tMvcg|kbuXIWt`6TuF%EBRwP8>H%uB~llF?E z)AbmjjjcJ?Aezx0J=}gata#}w4`@zc4B+}40Jue|epn~+ky84$SqS&ZJP$aA?vYDc zThFa~nRNZc&8>H_{O1Zgf15FWyq93y@iw7D)aJV&>+gdWEgbew%$XtgXo_ojno;QT z`=h%_Or}F)>5W(mYaPcR0fR+GzFuB9aAgy*QG_>^LtxAr^+Pw<~_eZR=n-f{`Ba@L62!d{fa80B`a3ku1W4GUH*UoPh6JqG7t`4fp;&ACTg$cSv4n}S3O3c6U-f8P<8gSZ#XRhO9t zf9b=-qmK_x5-afro*%JBZzOZT6q~1*ExOB z;>9o0OhpDvKyN^s#LL4M!7#}_yUT7&mIkcR?1<#yN>rf}1zjn;( zOm|%bytYFNio&Tfpz0(UBPwpav@H6iLx)tT*`_M{=*gDKwwau+QyJepjvYH@AA`~} zk|Tx5^DzR-WX6PL7q8sp)wTF;l~ro=pZ-Q?it`)HbhcU#yXO3H);l4ze!rorQBcqd zrMYj`XH88C*Bta?!@Z-E4-R_YVcxY6EBz_v{a38J|4YtFt9aVLS^m39Z&}hk2|}%( zyg`aX0Ul@eSVc2|cbKb9wi8a2I1LbJ7+o7eC81}AFV5&;!*j zu}Sqm&GNXJPXtAWDLffzL1?z_b*sh6N2KQA%6eI@A4aVem6Z(4N6bxk#2J}+y{NFD zlqr;2LI}W^v+tDttar%>QCStc?AvvrDHWPRtmO4xf`#+~N+8G{JalL{LSXiti>Z1j z5ZIm^>8|r*3@3xX%JyVXWzy8CFQQYrV}(e6De6v|A|Q$B*2BbJRSM(X`}cRiZ(lH+ z1~Dct&Z^OXSs{Hwl&QBVLlAF(E7&F#p)>X!XY4~%6HfvV()WHVpP>xHcd=zDG}{{* zhVF$-X!m~0318o^t_`=5Pz%_Z@*QQZ7$4%y>Y;8yUnlglRDm<8wovPitv`D`I9kze zE{|RZaL8{xm-jPera(to4X1b4aXs5EM4aPlKudZey886x%gHUx*KUZJA|bI{AGM4{ zxr1BxXOuxvjB;uu`=KajOJ3|x-3<6Y~PXo zv*?Rcx5bGF`0AC>Oa)=nMX_(`Tr%cI;O=?~A?k@{wKxTI=DJY^Y0B^^=JZRx!EM1o z3kLt)jTM*h;IKA5K)-e_+jl&vQ#@Etfx{u#$c2Ywq3il=Z9qIUMXN&6SB%3W~uIa?yia!)p8yPm>cgnV) zTR$bV?~Z$PVdwAZ&(-Cp%D0}~zG-KFd4mJo6n##T%QF>r4hW)=I|?O1kW(HuV@BPX z&SOd~x#1#DNX8DDYLk#t2>U7q_y84XAjMQ4FO4z0V3@|@hWDbCn)P~(Dmt2js#kW> z;BqCh`R+`r%!I+@f#Djmn{;1t=Muby5a59>it$#exxv(hK#)14L)ncfoG{@80VE<) zs-62SKt-L?GlT~NiE%Wv3C+rv;*G>Srlj^E+(UsuD|S-VSjZ1VWhnqkhDI(x(lbwl zgjdz>9&@kUD=AtwSP)*m#KZg^H$v8^4ZTUxIIr$e4u-UHJ+^>$Ey#EJFx@ zS)!bvdK;Sy|0QNU#iCyUeSp)!O~}=scjG6DVHEl+Q6!?l#t&F3ZFMSr*;*brRkc)8 zk1U;5Rw;0ihM|q*!$ab17o2q0Yju~ZVx;T?YC6F+BhBzooiTZ1;k`4U 
zfr{Xw9_tB(BNY{WaM?wqMfEQw;I?X!Kk!Iq9cm_@LQJF41iGE8b^yMTg_@$zv!{N( z*HpQPM)nYNB%ks`7lAdXR$iQ3Y*?7K2z@&*2aUiHs&RXPTpaszv5CnbUW7};>Gpz&0F9Lwug_jlni3@r`lV7Z#sK9WYE4TH_LjXi zWcA0w)mdK}@AP+VQY(D#dShUsn)YA%zV2HKpZ%@x+fmwAuY2>}HxIn3%{ENZvkXaH zm^i^ZFLw?4zW#mtKIZs!mAspN5Ri}jqu+L1mgMWlDp{;}qw^p$*2LN0feEp~vGGd!uHRNTZP~t^^E^wk zW|{C_efLh--O-{axdK&ecC5t&Ch8oT)VhU-G8^_(NgQe#*t6UEs>UR?t z{T?0Kp(0GddbiH0N}cZ;E?>SZ2qAFF^xdNioQ&ILDw@=sdc=p3`7rKZN}<2ToF^Yy z9%c17ZNReyjW&CpeO3Dzwyb`}E15fYAFO^oxr5)%AvyLPr?va?UF)n)0&7@7j8dore| zJ6=Ac^R0Gho3qn$Cf$Ce@A_tAW^iun(U+MQojtN`GW=@SyM}}+4bgJ0G|zWGe;;85 zG5z@GYDBccj5*5wXWj`PA2l1Biv{bzz|gD>a@k~SE08Df*rk^p0BZTO9>uuc$fr+Z z8AWLJn8KaEZ!)Vx! zKDE2uKG>J(?S0aA!4=gfYFD@axEy=+_vNd}Zw?Mw{`%1QwU>TezN&R#$le3PFPt2> zVfT1Rnav+-J0$J&|CZ>xHm1rcxN7$1%+qlWC1?2G?FCK?_fZKEI!y0u-i;Ed=zDx< z>=M`moPR`O^7YM{{75z+9U<=V;9B$CU0SXT`fCMDc!tJ-H9G#uidLgOW6TZMe$6(^ z{m|^|8(PaFTm6Nf02-jr@xP;z6etW)ut%*Nt9w==D@0}CIbE0E4Q!XtZM?ke!X?)4 z0qB)bG@RG()$xx#tpo8f4GRmqPts)*<8CIWGiFP-K1WiBurRyL(j zmx4KEJx>lJ$qX`IniLCQRC0H*+Xe&^o7t+P9m{_W2IE_L&!t{FS37uiAa&J+(*jx$ zr3?dw@}=~uLWCw*B`6R}r2IFmv)e*{-E@gv8J`T9A{rjRaxv-zhIQQ`@?vBwP4sdK zB1(5m&=qs-_wC&)%#(z|4@WoAV@Obg@tm{6H2eHH$9ZHp_R-3KSx>UFmn!D))Bwk( zBLIMueu6lJC5MWnDAatuWp->?J3?Y!ZEc+bHOQ+GI|~GNNmK5kCnZWF@nIlwiZ$;p zdC{Fwh6N;fAxcCI%iy~3gaOnUEmaDJl!-8OY6$|_IYQ7bzCqJ?9FJ13Ea!`whPURi zEaE5?kOMl4*;&*;?@udj)%x+aPEKz56(Kbef?dW~F3t|AG@<*Qsx!gGMr5(YH4G8H z`-qM(aCkG|#ntw!6!K>d-Q^vg0lAMTcJ-Py=eGUeFftdkszHT~8`QkWEY?yF->dKZ zA}2?zMrOP)%IR*$KSB;$?kcddv6Zwo{n#dSMPKuKSpl7MFMAq#WGC3!N@`rpYxASa zERCJ6r78-MqLHC6LE$yURiQAFDP`aBEBw)aT#(XbjyM&tHvh)@K74=CBM2x142$+a zc!4j=VG1%B9AuZ_ql|zES_5vZ>W?PgBC0Vjt(AA<;+CSfFMC(o5S-*xwGa0lu?88h zw#(bzGYA3j(YCDMG*yH-?kC`1)8E?LZ1~I4!j-Ml+PUJH3&soHo+%!|X7OgBS$a~v z33-{9x;!-&Pv|j)QvSVNvpRdWCB2AE0JznmwQLNlxdmu2ZgfBUQxjrSLsV4oPZH)f zG$_nj9?~8ais%J~Z4fmM6v2dWH&VU2=Nz6f5syM9+(FD)1Cr1I&Nbhe$Q=9S95)+R zY?~M!`K8%4bCvK866QszXPa)$DWr9fnrh>#wZfEn5ZFT@Y$kHpRtX37oweWBlw2}a zd(c}16&Y&!tP?L(7Y~{qVOn4L@I%v(%5X>92e+SfFb)MUPp7D-uipPA`?lSxo7Knx 
zQ;I8>R7wa*z?3Nl#lnrArydTbsdtyHW7=~h96TTZz-@F>XT=H|7@WL0<=JZOZKiC? zIe&4b?X9wgsR{G$DNK19`uX+Iu%T(z3I3yU7Z`4@-aagvF?ro6Jz1}P3%ssve8(t; zG~i#vge=$QurwIXZT)!LnS}33J_IY^uMCj5xmu}U*4lG5`$^pU|tChcJvd@G$)&H!C- z%}0@Fm_%a?Mxks37|2>0KKU#FthK2d60Eb&3%wQp9W%C|C?m!D44&cl)J+V}@x(QH zxb+5^fzWzk)r!(!%B^MLTXaukT({|vA0De8*`3CLjjx?lRFcNki1l%Th$htM1HTKG zaZU|TN87Stsx*b5Up+Wr764N@MbBva(47nwdwikh{>XWBMSKz%58-;xHx4edtA!x| zWmIImsryjn44PI}$Hi+6VplY(J24=OjEqyS`AT^A!{!@9U<(2cg5x|^TZ7!vA3d69 zX>Ubh5L;v$TH)Yme`kteYDW4%OQtFhbtmp&)dOreS%~5Q+cz{lLxUs6ts%w_K(&ZZ zO(K!ss)DkB#$GT+{JKZU$)k)4Pr~wD2V&~lt(%Y!g;nvAEFi0Bs>KE<*!OT}28BY` zgsS^|R2mz|1VV3yshBDdOQPf`oc-%zcC^YHpu1`IPwE!2)=Q>?MZ{#wNW1k7I<)|W za2ZQ;Iz07~UPz}Z&`hw~zGHM{-YVY%3A$mO??dk<05DCrs$ajv+#|CGle3?73)CL9 zw>A)ov+!LON=h=&CumdBuMm6@4(rf_efl&!JWFTvhSyhyF{CyCu&s{Q5e- z?0MYyfDcLO9i&ckw7T90Qx*7U8kpTBpO;M8l03C4I;%Xn-va!#hBwWdY)41NPP4;2 zT!QQ~MXSiUzsBo58YcTxVS7z)laM5L=j4&E290cvmaZS|9O-{f`pd!Zt>)85`(5zV zsZeTlGG6RH zW{NJm6ab3JLZSA66uS(9(RN0F`p7R-&-&714UbNEF(_@V{5?b{-x*DzlrT2eE(Foh zJ3F@xcj4kT4zm|GLHG@B$Y>;C1M=*H+j&j|i|S6)O{U7gCzhok#~?tWACHFlh?sw{ zcaDtUQw1*0MG(?0GSl(&Vq%a!W7i-MY5Zkg$bFnxct{e0w&N*D(EHvem4M}myJ9-w zDaI+J06#}6TjAP2Z{9p0lZ=01O)x;-X(b;%oUJ?!nyYt8O385ypUy(0pEoxT1DROa zWNdeI1SFhqZu^+iuqf*s=0FQ$V%}f@X={7BwA_<%6rx8l*BfQ!DYPddKXEZ5CN&cc zh0H}@mXu5xr)Qo3BN<8m>oEl7o6coi>e58QS3v&F8g>6|9VKEb~3k4Q(N0$Qtw$aXHEjyVw74e z7^N~D&qz_;@>ujSpBP8?xpx&tLGZjed*>r7*->99Yae%-a8Gr0p`u=bXZJ`HbEGT| zh2NXkjY309MTu`+Dxx5)vOc3*Ii5C&DRnXbfS^~H!16;xz)HXKvwTEA`uc)|nLUOo z7m)(z-kr1q4H!!}#S}1w&TFzWe;R>FMN_?lfEMw%yrn40Z^$a}4>_z!{0R!{0+Yzf zXpx1tOrZAf_ce>!?w_m}RQ@xzdks2-%r7n^} z*|*BdziLf^|zB)=R)1{5;D3B4cwiS~j;2cTvC2?$FprWPt zaTKhE*{avS7NU3;dLa4+UQu_ZQv5WVk0@>1rsTLOUAC^gQgztW8#i*imXjsZ^tL!6 z%OzyyJpDywBH%!>W@*&0I#4$v$A#1J)G}b$p{Q1c7+%BVSID`#9-1?CzM0PUY&Sr; zeBAX6ONmtV)_un`<|KLKMNZF28e)0M!|ZPM@S6pj@AUa&edl3$gU9s2{6Jnho=u`X z`}7Gd(KKQpAC*Sk%H&si`_88@UNjJBuI0n*w>Q>@_C7j7;f_%1HC61l&`3}9sXZ-% z8ZlXFjBmKMjTZ`}GEz|+9UENCLGw?56H@lDF-CV 
zO$~B{2Oj;*qCh}*|ny-(bBf`XX(2SmkePN>24PWIC1(JVmLlFU<) z*>gjJg3{>Iu-p1f-HZWMF3nJstDlFRM#wLL^Kzkmp1Lw*&^J_(A{6aKHtve+H(we_ z>S3ab4M2y{wNkhtYF!#?s@9h`zkp50MYwtxec0?Sw*C2)kM;uH^f>{YVW$ zgh`2OaO5@SC}a727Vvj-8!C@8u%Vl5 zNY-h6dw1y20qum?A7^}Zt!MH|m937BLiKz1?p@5U&j7V#+b5YHT3%$@a;v@1?yPm2 zUuLdbbjV?}pM!~W>!yK05sl@IC)cjoA6%6+GNf@{$EniT088ZgUkHzgsH~2%8OM>| z`57CUwFXUQMBW1?rZ0}Y*UZPikdP968nev6Lq_3>kLO!i-@Qkfiql>i+bs|X=>)%E z(T*aA&62BNQ;??Rd08af`!ds}8CG5(+l7H92bS!D=_F*$10}d%e0`Ki7&I4XWd&jI%BV9PoCZ6(J`7$)F={E){6yPH*=2$y2e>1NIEA1k8Fyp9|Z7T{nD zIW-I<-PG;n{-*Kt0Hotu8}%PRa(kW7<7GX9)>zP8C}=gWBSWNPlTvn>!Hfn16j}Yz zd#DqVijxB*z?=-$OQXum z8z?y*0X|YbGUa>{G=l1)CiXl8?#t6nYvIe}w2J76 zbqoBFISE#=(=Wb~&^AaNpIY(ZK|AX5aoq;{NlU{E_5%SSPA;U{P7P2P3J-Mr=T4Tc zQ=cHMn`oq{uN-RMGiYUtmPb`%(g=17?dg#lXy5zInp^i_uT>NV^PVK2mDb>`xs zvASb0oEa(RMZh^CFL-t1Ch6x&{}JMU#5{zWcME0_>)Tbpk+BH~bC%3oZVWhHIyCt) z#XQRbb4Du!Oq|hryMAQFD86R+r~JW8o1k8lUE&X496hGgsYUnA8|-U?cuW_@sT$?r zt%ZVp9>JAPyO>BT>?HA(ItU^{ZdjjxtvE??^7!!>aE5#vwvPhU-?k3}wz=4C+ zTs}YlC3Cs@OYXEP2?meZ=;D-vr5g=t*Eus`_6b9eO~>REdgEqdXF3uP$EA~kjFs;>JpyJ0~~!k z)gJJ3CfD@Oy5lp?_~nrk(}E;NrTJ}lH+k!wYB6Z^E?zZ0E@wG3LZ=K_OO3~;Nk#|8 z@RUvU{g;nH0G7RRGE8WFmsZV1oO`!TeRFA6olCihD^!_cP?cz5j#gLf1MNKTyyGuG z&*K(U(0h`SlC)ZnO9xu|s_Im^Rh4*s$!Jf*x4&rqx-{*=v`euWbS6xBv zFD!KaLJuwGBMm-j+SE3o+%!}(DJLf}KjxjZz3`;SP>8|NujO@p)D=@Cx7ZIt0pN@Wj&Ybip0wwrpXI%^d@DU(;Xvr zHf!kU7#?&R6Ob<3LkDJpY9$5QSE!rGHNp#kiyF1VXsnoiVPKiDj``2JD492XR8WPw zN9?IL6UpgJuYxyeCzJ3TJJGcmQai_;#~=pSMTvkWDy&?`3J2#N?7-#Uj4GQbx?@B? 
zfzA$N&9&vDOm1E@xIDOKXKPa2Is0FX5(H|0{z4)IT|Gj>DCWd@;5gz4UPf2<`8vN7 zl~OBBO-Js^#S;!`iO7f12{h4KLfev^{gH$}rf+AsgTuFP-}Wuxo4!10x5?7~Z4>8y zuJ;_{GHrNv&zW{B`u=@f%`8TU#a?)v1ZEiRav|q2ws#iUqTao!HhFcIPHpL8 zAGyxrMG_WW8s-Burc2IJQnGQ>NY&ckzoVj0%Yj78N zJaU?I*pgA!MvYtOSzR2BR!?o=!u_BD{E8_1X7YxFyreA2PzZ%KZ@w~dS{I2gpMv7I zr)o_1Jo-XqUSzDShjZwZRf^5Sn$68k2I_`9aVdQ*`J-+4y;;V%`FmryVEwMTd>6=u zm=d8y=3W)q&!j^i3I0f}xu}db<$V7WH9ODKU}D(2;zx>&(@wL^I6hJ!KVj$yWT`KG zD&((lRz~#~+q>hj-Nj#cwPmp68j5{H!Uyy z_U$m<9W+kaFp)3Jr*}Imso(&MrGg_VbDce4%-4yNVe1H43+w}8(gJXn8y zcp&7B8!J~p0-3LP_GMSFk&y2o64E%QiF|pZ#17EE}bc*0Ug3KWka*uI5F=*^gFRN9tA6Gkd9;8F@ zq!+A=VN`#TB6d~>dI?0?_E&97{0g9EvP~RW?nc99%KyNE6BYH9K0Kd3=+Zfv;SJ5q zxa=TFs4LWeuU@NByL^d`P6=g{eS-6HX}4S#HGxl>hia(Z{d*_?{PB(ktahSZW+Nl3W6HV|CX;QGw~l7k7*eti&`E z7Jp(8RKR1Dj{?nfoP&yrxa&mGkVbWA6Zj@YGyif@#8A<)7 z<+!vS4#`pvAY>>!=90~Yll1GRU$aUh?Vn#&|M|JH`-YYSx!EsGkJUTwTW1`eIdZ`B z!RCrlFJ*2l%2Qo>-|X|&@f)S44D2?`t@(1%dW<2MyzA7xduDe04`wUKgCe3b=p_Vp zvXYlfCqyz8$s25p-?dQj@}SfdoXiZSIi_zA{nv}=0b(-;(mBNm>htG={uPcZr#zWJ zIrkB4FssUbBcKTKt&0Pzh1Sy)54BJZZUtZb}2 z#Fr4dp-&uzDvq9;7@<(}gfE5*h8J%VUg8Ou3r;T~L-=@aY&v35|(a zjMR*QGBFP-U&i{nDJ6d1-g6ljsk$+Q%?*EoH;Ouf(HVjD*C9~X_Bu&%ZAp#*Jz~Bs z3(#ALmiW{Zt5^csFsiP@YZu#bs7(R=1-MQ)7dFUWu%@Tt6Rs@S1x!NZP8jiIOEV?B z@3iA+AB`Hj6Bzu2WDM;oA>dbS?K(=anXU!EXJvC-_!Y{(Hh)A8_+HA7mC)6$! 
z^Mx5w79&4bIXOF*L|sC8!z!&Juus4ejT49Cx-C3cJ%1C^yYOynNZ!ITpH`aoX)e$E$@YgH{bIKPd3kRn*3jR z&%kyLNk9E&Kdrc#1u!T&Oa%ZcixpHpSL?w{#FmLCuWjw@mXMf{+UmVcC@~kMD&+-8 zmdaa2y1hU#y9_tTCkm`>jo*l;u>%Ql+t1ezF18jPe+Oy}dx3H_gPC9vltDRIr0vf^ z5tf01@iseXVnWB~je;N{A%PLziF|YUSlx&BErG!t9Y7OimDRrXVQaav9J*q^U}{Yd+( zB8Cl^!fcAi?%k@FfA(@w=GE=@@MuRR&^)qY2P+5bgU7#p|DFK>au6^df)muoDt<8ZcoTniUBfIb#1wcJ zPC-06D3`4YCuz&AkKEjd-VTunWztNu^%krlBN$V})n9xwmoGeqyu&AYQFloyy_Fqj zBs*YRV29HH`uK6TPkr=)TAuD4wtpGrf>;xE>eQmE=bvR{?5O>DCQrG#rbd{;a=+x) zxEHJgvKQ?U$4k5l?9c6&?T6la3<3g(ctTV${rc5t`v1Py>f(f-Uw6K?C~p9xOY`Mb zVMWN~|I%yZZ^}8LAGpi9g(^-a<+iu&H0F5C$SRB~bAnB<# zZ1GPMV`I*)!rEH5aEn(-Z}aod#l~h4#;(0McP-~!`@#lxB)q`r1x=4L8r z3r7L=xC3JR6nzheO`3}r7ZY`O!spq&c<$UVVOs#7o}xIg`#d!@!3l^;2}omOpCAeq z2e3{K*Alo?fC9k|egYXp6>*4y<_gl$;Mq=U42?1(x`xX(x554c^{`OHLbmPOw@(cD z5{I`ic_8=24OJ*Ii40~hsWb5L2pQL|woA*~(|6Y%3O4V(-b5*`spI{MG0jU1C!8_y za0)nhRch{*>2n@?e5&7A6uVYqlETIM_m?JjjXCvHLw}^(fXW*T-RvLgnsW1F-8?_7 z2c;kBt_$Zc@8hXfp?ab}FV1Gzxq?y}3*+vJ*BalS9<(h4-9c}?QIkca3)fbxa$V*x zdwW<69r254WsQUGxV7F>KlT!{bGtvqiU8)XE3be;8N9ut@L7hnAxnz`3y1EY46%9l zc;;ATE4}e@a%G|046}|dnR!J^Q#1AW?&-G?yR3gVa$@xMInx!>H~#gG>+al}IBVC~ zS&DDRDa9)*BSEtCD6D-tYIxr-uNH4>-f4L1K&d(vxXiJxnG25&UIVF3T)ndT!Je$% z>YvRqPO-w7Zm_b;Kynu)cK%iK4h(LBGz1YVkSB_s@?Z3+jguI?LEj_Tah^GO$2Z|B zDwzF%5#Zb-*b77Hdv#sbpDYdO><&!}&;+{s3nB^^d-PNN$uuvP7l;%}K%6t0cCXsG4>0&^Ljz;o>5PRp#(IaxB$s_%r7DeGXAK+nF;p@OzN+Et zR$Wnukq35v*eSC_&8BECV)bdlFN^s;^Q~>#4d(7qL(0K30sX$ZGja;C1(&})SQ4B5xIdxJ(dF5&sZ&0#j`3`* zJLU6W`UF*-XPVPSj&l1m)GNWhN5PAsf!piftL$I9b7*!?Iu(>?h>k}XG z?@#)m_Sw2lQ5EBnh2{CLP-d~T#&q@cVtbb3JY&(+nf33AP@-#3Z`4|}=rc{faq`)W zGW*rLWhQTW9C3AW*q9-vKTn(-_h|Cjly#G*wHwpYNp-AT@RXI0W~VM`OzyOI{X8DX zz1bndm9PHm(V!+$u9NYof?0Ww`bRig;+eW#B5>*fFFi;DkG;>Lpi{eXY{ z5gCP^lI#Baq5u8YiaHIiyEOOLapC7}@X*bh(t#zf^A{X&?*E@Jxo0+7K&d#>3G!;c z7K1;XDc-tfbN`OY6^lmw`^Wt2&$=ia@E-L4`oR3olsS-{Qv#w-lIEuT%Y@E=xS4CednM-yZkJ3<(3X`TBuNM z+M$zbr~mn#O;59XEtBc#^49lNZure}%AIe#{;d=ocH>5Dgsoz(TG%aP3Hx?^Wo^z$ zw;l!9}i3E 
z7S`JDrsTO@`2l&`V?8C>JMFu5YZ{?H(2S9-g-e$72-NmpAA~UNIBPBJ8Mo*GXN4?N zV&b%EjBk3vi@ex2;l!HNtM3CNNucpdslLrj5UI+qW%{&f5rnEQWo5$rSm2h`84PF$ zri;N600xy6E2Rex^!D*NZ)h|$Xu^`DgAEN5@|8<(dDRw=MIV}*`d&?h zZfCv9dDXd6Xxr&-4jwy}Wf1G+_WgKZcZ)S^9st6=aFp5oA+&nK()Rq}g>3?-1sm26 zw6!^sn3<%$_p9^WaT#`*-`iTPN;pzEe3^z^?($;Oprx)BHznP+R|;dYx3^2*U1!nL zImjfvA5E<-wJJCVrNX3cad3D9K;%xFE4E&EEu>g&t*TkU)uPH$oP%+G3guIvWf1(~ zh2nT-2np=+&2B9C27w*3{K{Fay9DuG{rbsD2?ynJZ8toG6n*yGVZ{rIJ@~EB^tr-m zi1e>ZLLb-fA(e=5nWB^ygrgAhU|Puj+=iJ&B$|n|)0^kU{F;xF0RRSw~YoEMn5jcl|L0@Wcn^!pNJcI0$P`=RYHbL2Pg&Z?c00>1? z-onru&w*jNH~5DUc;3LeTv)l{uA>}>qviWnAu;1SD>vE=7^CY>B1CfF`B1hr*CgTJ zS^zFvYn#f8v2cv?5Lo^CHTYej$3smx-Rl*?CCc~nkR16X<{LLYBMrd_p1fe78a#aV z>GpfjXB}DC5qOl-LoSVM|M_uYF+q$2s`h%p8LP;XJuuacGbyy7D4#~}HC!&5umF7e41x>LQvfQyTHTML06Yn>qZ?kF?=gu7BAfLDjH*!AUH7<+rL7QT9`~9Y0UXwaDHUO>l4CbBBEQvp>+)D3;zjtn z{X? z9C0^pV@JIkX@83vbJjoqThz$x&4rI8KakFd4QPCuYeoYntd|h3^b}isqr-fur3p^< zki^2wgRg(4JFA2tGlb1bg2HIAIE82xGm_mZC5xI`r#Sd|I5jkq(&kBfzhxF;V_C! z0|(WzyF=6Gs>g=;J|`7j0xP+D|9tn{x3?@=j1tv=$#Pn#rx_WizzZ#;A8EVS zmseH_M`dvUI&}hzlavs8O^l`pd$xg7B><{#Srts-KnX!NLm^iVbQpR_6e~po(tqAl z)e7-CdpN4FY+d)zFbkc{U*=@CR@dyiV!N?(^_jF+S~{oRUf8&9pkJ?Dtu>KrVr@oq z?lN{v6M)xC{QB7CbKQo$u05crsBdNc?%S4i?{eq>^K#cqJ^~=3um!~~dVPO`rR8s! zn2|ZJkigC*SBBM$v66 zHgusJownn{!8Hb~)Z@F4<+YQIfCk5h^@2`Co#F+)6~)+eVS;n$#-yyA9Ia=6U^q^5BlzIwE`G?Gd^)(UhB?B zrz~EZqNV;-Y@Q;F>Z{%34)A`w{43`@Tk`t~iF|{fi*Ry7tu1zmc~t^Q1fZQ1-w%B& z#L1Gk_jUy>)i&^&r|A8$y!;uAqfnO+H@G5Q_{?nm?aj*VZh^Wt-zM%`Cuc0OgHOu! zh-IHNVMX;E#0eIi^0Pp|cf{_XZ_X5oneBICl!zsiz;#h6wsRrGE@yaCpm59> zv-~w)#a^*N4NSQmZR9D4y%R0nhF*}NOGWDP#(r|OizOCqnb2ih$GO-4 zIyY2XLd$v z+E0r{ecWK(qs-%$)~h$Ovf(m8CC z#low$ZQDxRb*Q^;`qFi0MlO@Tz54fGh=m)`o#!xb^vYX+cDxi5^eEy-E-JFCLixF@ zDIOr)jeecE1cj6&Sb5069o(gHX>0!8m<(iGhD1O}|44R7K2^5e1Z+Bnpv`^T>O`C% zz)6RXns$!QCBSLnZ~)akshe(3X=(W2DZnOE&b%v2Et!hsP1cNl%-cr zzik|40#42li964iIHVqxtLzmwg$m>PTwbLFmVAx!k! 
zUB0qviQZq5!?U-NP$ibuYzNL=(KYcEKE8ba1nr1u5|uy*y=>2)STj^x=+uIBHgM!U z=C-J#U|~Pk^$U*84YvZHTa*ko0^fAou)>pSMc6rk01KlV{wJOk&g`@to>q-u2q!2h z5XF>mkwoERmKBRcs(1hXvcJ$v31(|WHGnJHF|q4Xy9~*F=q+_51;RFeMLOWxQGS%^ z+8iXOG@5y!SmLKqlCXLkqoN4>CO)?1;aZ%|)>vF;B3Y#CCN04L(5FR*d-+{P^4D&uY`i^RQJzGlI@DA)D6Ux#XsFp%?noz{wl?M3F$5K@JY1N!SoS^adyib zT0M6>8$L7ega-mVQ-kg$!&E*tLC1$q*)LC%c0g&~N@q7eKcn0AiA6oi^!Kf$$Rz{` zEhT@8Whcr;eFG7*@rf}rxk6PX%s;SQ7Q({z4bmyoek_|FO%Zu*+8xu7sdBN~-ycZ5 zyWn7UPp4?-Mf&6js|`VZHFsC%gDLx?Y&525lcGiU3E)ETk|_&d#sTzOfkf(I%E=FN-jb+bl_U*I%)= zA$@#T8T>fGfthT=eQXSDvv@bk#OwB@=6y3Cym`}HWUaAzEIYE-Q}3-_yY?dsd!UY$ zyD42BRE&A=859b(pIWD8Npu6KK@f&AX6F>vFr)8XLp(Y*2_PP#G`0i(x` zr%j&t8(g4UUCQ4RW&m^%H0?Oj()62Ye$V(a$wDX^iZd==96s-`)6RkQH8la0LlVvG zw-DxN9=hZ$NE#e62_|#-KWNOyz}GIlSZ;80eH%)`GCCC|qOn0**Zak;c?8iW# zU5>(yA1w>rN|<6&p^+Zm5kGCpqlr^Bbg{+W*r)=Jtqdu_4&X5#9fS>U?1A{-TWz*0G}W=bSrlB<{)MMzHI7$~%WyLJT$+{wav+eKu57qR?iSE*Qh zGW2x3NDUZKj-b2gPaBxplR7oP$ffeOE?91)tJp}OO0 zMC;ePsZVpJENnCnN=zxS5i)kjKtZ^Z(9>-`)=*C@X9iZx%#e)45H*_cM@t*~diWL6 z4vrNda>L&qHq4G+u5GjV_{kL&UzeN} zbvT_bP?KUoG^jjT+A{XMp(5s}6X(yLfAyd-2PuDH^0r@RflkyAG_IVX{@UgyR)bNd zDZNst2VZa4HKjG_% z%YcL-J06J9P#bRh_qQQkFZ`&lF(~lHK1}fmK*IcJTE1sGt$76-mMgnnU@4MB&Ia(tr~Mih^wBMolP+X z2flVN#_l4FmM|FS?b_E@6%F_S`A-PjP7Tqw$EgdE@RFv=(n#OhW`68rUYl80S4WSg z-McLuuP`*_$n+XIv`3)QX)9QGbZvTTnMRn1$KGi*$63WblOkD%iM`7T$-YA$5p@9N z9-!;sOf4$ZV>)6K*F%^Oo11HpsRdWa<;fgyR&b+S?}g{vQ+l)J^&AC9*}bsh!xRp$ zXpl9BP-h09#gj3KS4fPaefzMlwP`3oC9~T-xI1EK8RD4#kh+p%IdC!e^Ej2fmaog$ zSXeoVmH_UDxX@JL41Ne80Q8jer#^IT_n;eI8)gd>|C>F{QS81}b?d^o%T$5{>z4@f z+(Hkloc3xV*dCsH+5JL4wle4d3I-PaS!|N#X z8S!(5HJF-T(f!qqCY1@9NL2P-VqW{oj}8Y6mnJX0*za)c)FJhgCq6P>)uNdeT-H44 zT8Gb*dwi&rnscYAU$n!PDFZfHroC*j{Jck27cn)LL<20_#&a())f+ZS3!g|#Mumlg z5D_KB0GBW^`~hVVu`Zp)?Da{~-M+{o&K^Sod4m$Yotq*N_y}Dd!gJCXefJ-I`poCn zPMX}s-p)?Ushm|bA`Gp%i?K1-^ZW%1@FVOrZ04I}G3o}a%-g4e(3D)VsHj}n;^E#b zMqxnwRx|kpT|N8f;gKTqfJIa9Fk-7@HO%8Q8X+-2z|K(wWeaKU4@IZhYjAQGg4u9s zMlf^+{2K|{VmU9Gb75j>new;OQ)01Z*9u<=jRgw?1B;{a7(~T0irb 
zm+_0#)hV$h{5Y{N5ikgu%|pKZ3bj|vKEI%wW^+>8%a<=_-amJ131hYU={Wk#Q)2BN zRHs+u-e;2%GceUtk!iI(4uQuTANw=|VVJT*?Iuy_b2|lLOdiMDUc+Pv-%}{4m|_ys zAK*0PMMipu=UR=P%5(%grhP53?ykfRo%yUl3T9<}I7906{t% zEFJlUS+L|+7#EQ*-3sGSZ3;pG&>3Q9l;6eaW?e>WdtCuN;pHAC62aJqj!P3RdI&K* ztnQ()6_6+G!Htz;d~`&3f@`>~Vd4mUib3r=a9Y*y0Nn+=MmA`+=hAqT*=PuX4I5yn zQ8o|ED>)od;WHU=$tmPGEV~_RB{vEDkZf5-BFj6x>)G|N;(q*aUN$B7+>@2dRQI!W zEI{Y6z3J$SZ*pGzDQ5PCZH%EJ1=|n;8`YNFs_+Z7-JQ3p^0Qb~d`m@ov}gh{v}pnW ztBBm{UQLx5x6F0)v8R9CpQxeVYw~85TgR`=cRMtq%k51! zwdapKCZph-SKni=&T8*5Q#{LTyO-UxwXiU^sCr)LT$*kRw7qqLQQPzpi76Rv%1-aj zQJFlc#B$R3(Uo;K_V!6GU8q!A6_k_J(dccD$Z@M$8`S0RWF80@({9h{&1_J{;rt+$Q(6T2~-xo`63uOp!ZO?xF#8O}Xf~(gU zY5IV6%tyUSF6p>(Q&l_jvM8&}zg7(k+U>p7_1*b?kKezmzp9`zdi3%2lUxderPkD+ zTGYj8&9IXe2r%0FE=cHo(Ou{iO&4}Low1k!O!f)EA4vsv8+3l+3y||n7GdsL6c48lQ zmngL>}87qZ$t<<6z;{^lp^`U0yM z!9$8ABhoKw?U{@)qp7x0S+L($)gbxDUAw~Z`bS39-f(DW2xV3G4W3ui0$-LB8}=on`o@Kv#Vg!IpIy)F5QYGM?G6163rNao36R5sEYCefn4sXx!Pu z^WENXfsG)zB%wkGR2Qvvs8woa2FOSrh z$JA#DD5e0@2ocPnZpZ0I0(|rV^D1%(2oYAj=ctR$zP5bXwK@NGG5bC%WAeK3FK;iJhjL8ZhwyAEbZFaH1HgPwQljfq}v0m7#FI z!iX!2MNvtx7#NFEpP-%Cy42sppr`-KU#*|N_5&6$!eX2fv5(_mQ;{Aa{#r%bgXF*=xE2jAVw@=#qDg5BP zhY#m;7AqmYp{JLr+xnxnHjpX=5#T4U4j0-0CJQaASpP+u74{GmxI#51!EO{@qSXLc zRx*}wsKMj2J-9ABR)@g4tBQ=`;zWKZr0XAz7g?IS^(fA z;f=yo#9EHBdLs!@LU>gQe~Ksl*S);I$C~5K0>EN+myMV_xvvY<^#sP&g|!d|N-^e! 
z%YC5o&+Y$ZA7^(`^#W!exvQ$%a0)McRHMFI)pF|i@y9SzaP{w4kgTuox$OE0{sWux zbU7x_si`hY9{OW{niXw6?3ymLOTxbNsir z-UwHM6>5KhR)aO#J4F1BumAi%N2cofYi!QP6V!iYa8?Cqymvf)jsHD{*2BDz600j& z-=J9|vgp?N)8|8PDmWSyuN4lIYHH2b3So3c%vkc@Bi5%AS1#{tnW`RRnxjQ6;<)<1 z|FzTb_U_4;2p(xR^IW{)=W3s_G^yN$H zXG(I`b18{#4#9b=tG76{-OxFuapS<(Fa8Y3>ZfNMqS7*`E>A+Q_t4ZfeKOow(1;0j zS~Z9{TM(CpM(w>S%h+DA>EoJUUpBcy#oV1zvBbcLmn0&70Ju(({%wayT>n3>!h=@E>tBDD0Y7_4(wkCA&I5 z$j(+tE3w#ZTyl10=#!+Rg9!e;@9Fvnr^i40*?3)jpSdX55I7^{iEvuhd3cfnPPM~n zrfs&S9nIB-VPGI`jG|(dPr+#3vhbxX-@~46;pO;U#^&W!15=9^mmVFuy1u%|^7FRq zX1o7TNQjAYC@HuqZ*;17tW`JHPW^UolIcEndvY3`FLK>thrI+nCJeTz{KBGD%q_qc zinVqMZC=$EI-X+xm15Q`_8d&z+j@^sk5|mN*3GP{Cg(=_mAUp%pRi^dodt;C6~Gk@ zGm8IGIvMPR9$bB%ocyPd$Z#D4BJpuiZ!GQ|P$6gl;0ehr;aW`FNg|nYP8}~1oVV%? zBM>LYhxL_(@f>#7^8PYd?|V0@9e7&rN6C04}N zrLVcHV(x3~s_NqkDF@WwNd8XDEAx{6D|33vp-9F3yluVjg#UR4?#K?7mu2;LTwdj zT8VF+*P#DdGpMl_m^2W?*R51 zLSu+S%|J)Tra@(2G2?^O4A|G&g40dfCFV@_{vOmuI|h%X&IcDZ$HMCYsTR8lC2Ml8 zE^{TZOaw@1YilefZ+K18i*J0=6p(1^^W0bHb+{;YRVboLB&2HXvP# zyUj!$7zd*rV&7s=ZUrR%ImoeBO;Mk|thca82J;py2;>0368_r4zyb6O~GFR$5z5e>A5SC;fu%ue|`EkH`jkTkLUc5%P zfF->~w4T0w_*suYd|4x;d)O}DTyiCMz0&cye_dS>VLEW}=H0`u*}c|DtCd-<@?v4% zBPJ!Kr5XUku?)e7m)6(T3W^m#cz{AFLA>Ll|+qukhq! 
ztK_$%ysLGX2?(ekJbBxjbJQPrGt4Ef?T@~+4uo3jfV;gx850Bsa5eBisgds!^(A#% z%<4Lo($x#=4%Ba>g}JmcJ}qKd7nvh94)vEP5;@WkM#2r-GZI)U61z7cEaLe8Q*!qi zzee9D1clj+H8ICF0eDUqpn=>!gJ1Pw7S zMXlzwv#;)06ou5F>?{~6#tqO=ie&+=U(T_PigUdcd*p~@w|N1tfDx~>Uk&`bnEPz| zrpjU&Q_pN%)#Y4@03bdW)8MIRdQ_P-s6R8kIUSc~-lIcG{o5V#!f017~Z z@UNC9cWwKWnRVe5-LVOB4S}#Psyr&3?FfXy&uiZ9DH4}NpfLT{IkkB}^(8#vsnaZ2 zaHCpvM)n0Gk%S5%kMBN2?Fje{r_b!s!Ok!hLKTFgm&A!rZ{XW1@?#VP_*!c9_Fl}Z zxQbl@YK5Nk;6YC?e?EZPJRsYbf4#xVDs1bjpKd|S}G8oZ0wt4!+~?*mrzbQtmz zR&N?*>&eP^XERH!;PA3(Lc= zhlvDYBO43KA5nlq?VcGt&i`op3y17pWKT|e8<0OXUOl%)y~ui|wui6OO5^kX&E2Br z6>X4-9`K^oW~%IpO$Rg^&8?enRrB3>6w^yamEocs0Y$UHbOn1z>FY>RkloZbtNT&M}^&P26!7Xzmve5Wq4S>`(BS)gvz>?4y_BBsAz$vKTUsr8$BHfmKn+ z5>{(JE`!sIT~RtU0y{>{O`A3ax2X`C3PzVp>WFc=+;4$&3X?8jEl|1Rqf7LlY&3rF z?te`%VN;8Uu1Ekz4*-9j$l*V=B*cViCo$#&`64Gj2jpK!o6wf7Cm(N$Sp!w#`KC}T zrz5Yg7nmT<1Pr%9=%2Wasj+x7Ogl9oHD>FC8MS~|$l_zc-^9G-7zn|Kva*F`iblv> zMq)fFR<=lpkXl||KIl%9fzZ>HmOkY+=iS{gk~kX-2rAhW$1@UR9ss&R^e3tWN`p4S zhfsX8usel9^(aKI{Dx}GVQ1CcO4l|@P3L5CAeK8cP2KcTj4#WzF=Tlm$u@RpMK9*G zu0TOZi0O7tqui|Pw)wKUHuzQ)6bytCX4YQ=j9zH?zzfaz4gl~=8{g>Ws6tqXJQ{G#Q7XA+Rld{vHlPWMBx5 z3G9F-tl7jUMKv{(1jM32ZYvsugJ>LxB+K=ZOjp!rW%voHHwpvc7dvFu-mTl0%PW3Il>u{vKc+v z8O!@gG(dR#eoIqI6g1MEqP^M#(wmV#mHL*66_PaUVqrCxR%khQ-?SU!p*QbH?umdg z_4P-u`=0-{&?!^iu){(K__En73I~5^Y_oIV^{_DaHQPD~<`lsIa>?`FUeQua6 z%4;6D>wa&_UcA2!zw#?X1e%FLD!@3l!1;p$HE~#& z>`yYf=aBZ&?Sz-!G8qRRL1}z_p$Yn(*fqIie5S3tOTYz+QP-rWPi+|FWVPBObW37c zE^~(O!LD>;1TmrTaB0k%ux2^2*1KCNZ_0O0#H*c{o%?ieUIEYUTH8UK8;U2%8iw%y zKzE06jiX)3YHXfA@# zSCw^=GZo;L#f&wt@gvW70mxovM5o$&31APKDFDja~9325d=_F80R=)s0?*vIq4UtG}r8ZZl7O>c|q^f}JUn5c#^FxEoctqr{Fo^ZRz@SvaHqQd4#-a)V-Q? 
zU|!MElv=n04CLhT6}mZum+kh08sfXo)Ot`sUKg5ophV@WeeoxTTiv`vwi#emKx3%< zwv?E{0SbxR3s;aiFOgJxx5voWXtjKB0*7 z%0+1YyjpVcwo|)|EA^HD*m@56D(o$(qD3vrWrol8uawxkq^Vd_IznD-Zed~r612Aq zA30!UC^i|-YvZMD6I;piv-1~Up-ve1!jWm7l2-nP!c?WqT;IJqV3bUt5nx{t2JjbN!^i4v(|irRzFkMCNo3 zjxG`pTmob=^)1z(vtsT}Q0%Xf_a)7n71LA6peGKzh_&oJeqF*KoG*pf0Fn>8spe5(?X^;V~M$l zn$>GaCx}yY@j{D*&&;ul7mJoh)Q~jAVn4~ssL03eG$`uXn&314sN82DC5TIejpfMhpcvPCT<>LP~zVOuVu6x4(+uvT*iTVQevZz!Ha- z(?7-;@J3ap-=`Nw6Tf&$3pK0}=I;9a{(5*CO?BZux z&&4`T*IWu`pY&CCwi$_KNn*Do8U1@rO`6Kg=UIDOYHL8ClP)Dlwr{_ks%B7Sf|r+9 zuOqtNJKjAHnfYg(!%V_-2;Y%mq+@7pv0&*$>h>~QV$bfs<)(YOJ=b}Cw0igXPnSp{vYPVg>gikKtH-sQ*7b7p zl+#ATk}3ltbJ}NxoJ%~RF>konu?FvNhc3(K9vS7WBl%dX$FxwDOOvN=)$!>+CoAc= zXHnv5S6?^A|Ipor2F{US_MC~Hr>w#~}8m(DGN z1&4q<`pU&Rwl6eE>#w3#%-^H~jO(Or+u+wBbmgqHoH3eIx6`t4Z*f=W zK=QHTYysAo;|7*wM81tJp=qr>iFwLI5PWWK>8FX$YMoA26gpIncfC+(ubQKjn%LTs zh7P!qc?ePCauc{hhOvK;Y+KsynE5F$N|s%@dYNA5&Yx#e;)aFsHXKRlXdn<=eaSI( zBgT#$n|yB{M8@=;zRI@QM;^* zE|aFVe%<3mQVu`sYxH+bN!WL)f4fKcCN)}}_6o7;eRP#9rt$a#{bI3*{j%}1q}r1O4DXXq<#PmW~n z18hMxYfh_wU{(dbWS8i~r%j)J<@ILii5uGsV2~m()ro>EW4zMm%B$E7K~rRxf3;WZ zj(~MGoh9}XJA)goL^sSimuj0R0qjEAry>1DD)WGo?lzO3A5RnaFGJVS>AhLM^br-Y zFy`SIdlh!pjY@wGlsupzBDY;&x9Ml{)O9k3HU+{u+hVpT8VC*_YbZsoQc7qzu&2n` z8%5@@Fz*I(hH#)pZ}1SF8sZB(*n)A6+2+w~b_73N47NbaOBR{{+2Q&}ew5&rz;C=} z+fYVO8LbYk>?S3}O+E+!M5n))5|o|NQF;(Y0B|ca3xri8M@u0h%kfn3sZK4?1#cO} zpmT9Av5;1?ySdERlp+pL`5LE9oJJy~!H=yDz({92lJBDlq?y&B#oe6lEBa{Y(p34Tw-Uii%`~ z3JCNB;&Kpeh-%I+vS`4oO~UZUeRs{snH?RC(>oB*a8bKb9J4C)H3v1pJ!JL4o)GL+ zGImgjbQ<%~FJT-NNP#W+v43&Q;=tTWHZ-NayTPw1#o2$w?T*8SPZTw`ip=7ZMO{a< z(kw_4DLw$=UIA%hCMw0n|$B-fEJl6&ir)RC?Kl&$pZ5TWi zOILgldeS;tV7(`7e9*4pm1+6c&G*Z#_fTfLN!mOw2N#?CbD58)XA;^fm@9Zdv&Ql* z=7NE>xacfQvBcOPPh_QJcv|JH^eslIZlKnjT2-cn+|Pd0<6kuCC)0!*z8P&+=CD3<M_;YrZlKyjEj4G45i2?MVcSTL}cD8N3|qw29GG;O_;K}@63 zS$22(2H=S2%%(E(`YIBm=#r2T$0ji2)x7$zgMzWRQ@*J1Z0EvIM+C? 
z`@`hqQf6i^0tBPpHt|X%PF+A65gI^#N_l~?LtZLPO`bkWD5*)w z*4d}7)719v+c!w<+B-(bIBd3cNwaSkRgCT1S79ZQ{4iqXfpupyu2qTB7zl)gYVFd$-JvP#7>v zZZOt<#&HeHJD#k`zuM=+g5#paIbk{)zZ4$_IcgvEEEh-BnJ3p#WQbcUbZ2ZQhkJT2 zXt&gYU&ZzfrqlnFU1xFUExJmaYv0NZULxp96yw3csuoolWBulDoB3szoOr4!(-x)s zen=TOC8P5GoQT|kQX0NldtRQ|^%WbF7eAi<%JP3~W4of$GIz5*-JC!sCUw}wA;)Z4 z+9_Ea7pF29hJjMkFJ#ppcs5k9ZdB+#(|29>@Mo0o3>)>7JOwVh_<4Nmx!A_7zAC%> zF1q^q(C3ZsuA9$$)m}-%D53N3=c2b&%cL~NyLduk+Z}2F0RfnL1?q1dUVR!JlxV0i zj(G$`fo+dEe_{@{tYqp;p%FyLgG0@NJ=H)}HEOP1lh6gLZ$63Od|Vy12|!#z#Kl_07ye$=9uI zyZ5MdxR+Eo^80AF?l;16y_5Ql^e?IoUvOz{?z*v8dVcWI*1h&O^PS|&FvkTJo>%0J z^FMw;Z}YQD`{%|z4IfqcO?T1kKabh1-(~nnyDQ5FTe>gs>Qn#bY)HcP+1;=A9I?)Q zebjFf-0qApQ@d#pry@u|DdRgs(kqT_$xf=MQ`2#742jBrG-SoCRF_XaX9M=_Jf2<9 zKd{$-H9o~A%9}3r?C@Z*(I>bqpha-m7{fHLmE zv{pbQ18R{}IwiX{ZyrnIEx_bHiiQndPK#`9ZRzBI7`#R*`it?tlqGiUD(W2c$9jG4 zl$Y_(C;t9M80x*=Y_{-7ZaxK9)cB0$5A1zfBr_c!0x3m3ogtQ;BDUC_r&Qek;a<<#Iucs~);3kOAO9s8D8W(_S1pP?S z9P?jE#r*vqf6Lk=gnX5bTv^Uhxgm!KfNJ?9tM++q!aj4BSn}q)*N$VQ3=GXIqiC|_W`)E4EPegfp z7;9wZw~P!0RlNkoA^`=O|65?vWl-JmHQQkVqz=4*of8BK`hQ_bA-tFLW?cni=G^mV zgSk(VK!dK;s6BC;*CxdYG8FLtSxuQSqG$;;SICB+UW%g`6reqIz^vT5|DLx_!;?aP z%x#`vB{Lv05jYBeswL*V9SS z3o0*+pFww%s?4KUNTq2LpDwIV)<2Non?IqfN1a7sF6TP7boc-H#dhIs${-ac!orOH ziy*lSI=eB|^@WSF`>+RqDK9JQF!)-(ZQBxr_p!KQV)U1)M$SR-o4#I}M+{ygqr>-I z+V+|5F*i4{_7KbOn=s?BFIZ6vZ${l1pk`$>U}*}I4G>=CoMdMFAdzwWE9JA*)VnjPH_;D6~M! 
z2e$Wp4A*?%1>$Rdpjf4jDEFfE?%5bolPXE16ZW+@ncXAzW4W9$sP-++!UBN<8%Ay+ zlv?qgb;k|_Y*Xz!)7Nlb$f{dT7e^kIZw#s0bVK`ezGe4KT`z~eY@c;^#;C#TWIHbY zk1**&w>m?~ZaaB`2VU@Aov1c6X8K|TR8eq8iJCff&y3-yzM-uEmzIXU7MtdTW*|23 zHcQUMA}X=*+e_;S5T$Xd!xP^O!_bYh70wmbw2_eU@(*g)`}@`4^r;0`Ehn~(KIEBu zZ;b0QUxSo~y_HT-K2Wsb9HCI8Eo~XIhB~2JOZMi+wi*GiOsCJ3r6viaQ^JQj=_=|U zDJ(d2iYzv4*iSL@(5WI~Qj?SP?>TkX3cAm1dY>zoT4K4ZqK5$2h~g?wm;B zX$T@Lmf#3VlvL0`?2X!4^+uZ7J11npG_rJ37J%F#346&jxsb z2KO?Ij+zKdjwbBfgbfEiONn=>wg<3C79S>5%W5^&GBht-NYjvhH>X^Wu3TWOc4tsJ zcFL6szlQNtgMcG6vU>OGrR-ODX->P6Rs?5ELI`C)cL^Es4$@yxGtb;dv7Ok-BWWf) zSP2}GHB11H$f_@kHXa@sS$@VYV7;w|b#Cm#^6q9n35)BF-CpW;y>8P3yI#dH6eJ9-dhH3XOZw;cby~{a_}zSdy6!J=@boSH1Bdv13O|vpu6+ZG<$X zu&_|@7YNE_(}WG?DR{F2xp!~K?jS^e#>B)ttc8vrJ9Q*?5?^RudVdfI+zy&jPo^N> zDDHSv)H_KEQ*bu`eW-n&W>1bn`Eoe=YnNe`xyR#{rYSa{j*=qDD$Oi!x}Kw8tot=P z=biEUl_zVu)t-17{w*|5!^*E-Q-0axEamv8eHN!hbV<5p!>?l@oZum+flNBbvaJE3 zhnQmlkl8PEx`d&&mho$O_F-?b^CQi~im`T=Xk*KFP8T{9;wFD0yuX=nyfyoC8Iw`f z=`+5H$r&2hOH#d>NWntf3Mmn(vqDfnqN1k|+P-t=^Q@m((FTlJ06&+yA;lY|;U1BBL& zH3z95ZG;JIQPD+AdE~ybnWVql95!5pT2o7ivd-;r!^aJ4v$}xg_{K#&| z5I(k+0mmNf`y(9)yDA56UANmzy2QK{)8a^+CiLvCvTabQC`1XORMFpWT+&QpYZ_8nB9h2{-eWN(l~yhp^bB*eA7 z1nw%7Fo+L?I3mbM6)l(8&B&(|!(1|M8r=)E#g4b1Kfa`)>H@ld$ONl6=RijMO&tm` z!9bMaSY$yJ4r1`ffC0~dg{97V8x5Rnaz6nE1R=(=ck$x44t4rA$N#o=Tx@lp?Mrlh zZZWC@4q{W6d&hd6YkimD)xjG|0u3*|={7c@*->lrByBz4?kkPAoN7IsvcJQo9*T3l z-21s}@31_kd8ias%unQ31E#S`pv$4>U}oO|$7OVmpF9~%VJ<<#J0#vXgW-m6H8m#4 z<1qPea}ybx5Q@~(h<2u;nBQyEu z3>`9L2~otS{Np@o)|Z=OIO5p*KOh#EP54TYZpk9m7rquot;}o*Ze(!&ovG7;33>?K z)>`t4NO(T*l49r&o1|l;TKBVUtGFFtU~b^4Z7k*IYGa4N zoX~3I%z(g?%SR0}9tZhHx)g$G6n0`jmA9!!XDyc1@~u6ms0&ToCW>yM!{i8)q~r&0 zu-P17zBSidZrR+}KTdzIUkHg%9c}dCg;$8D3>y(I@t1XfsROXk$$Z{5+<(rY53w03 zYcmXz(|apT4Lhv)@nK+}mWYLytNv07O!C*>qW0RZho61^rTst8j(o4xGw@UKC6BWm z8@M`>S;C5{R&SS$jS%(-uAb(b5Ge)~_#O*Fvg9j9@NO5Nlx`qC5Ec}AHZdobQr`JA zMUs3QtwjR^cY%jWU=b@fwGFTi*aB`E*_Zl%%4(=iQxZqOZ~C6nk1fAYS_&r^F+Pn7 z(bb;Ocj3}4mV{d6N2gSe`OF;`&i1`q>)Ty|k7QoujJx}K6>F*#&kPKE=7|A;qeoMI 
z+`2<@jKuOu0_dHCdh%gQ>JkcNFwF#yp$ISh$T|ap&ZL$@t_oYK)G|(z&>8B7t`q~x z1D^*ReJ^*8eNVUQ4%x;ukaN zp#lp6nH6ecK5{aSSX@lu1}x@+Fo1Lak^O;xz;9X;o_|$oUbqwVz%er+QS7 zS1mM!{J_ps1_e=Z3`^TatXyfiD}p{;cp3T3!XOpeS1tm)DvjZJx3(>@yO?XlhweD` zHrDZV{m>`{LT3s`Kj!6guZA=-3?ueT(?d;2&AOn-T0ssUCAL^Ob^@nQ6j&)c3wbGW z7iHOTO`N<*k-c@`cGAa+mL6TZ{;iAk2(49uK$tS%gfjh6a^X0dmg0B&+oe|WcCjKk zT@eQ(HXJW{A>8E1Ehh*7`!Ke{&La~{QDHp18nc!^=WLEoQ|6U3-7Q?&i4rSQhpO4l zrY2a8)JQlL6L7H?IRy=hifWcvZ$OhAInHqn_ij?TeG5=QfWscfjFB2e#Ho`K_fI=@ zh%%{nsXBBnHm8LT?jZ1Xj-P^y)H7#M`5@K7{Qa6?%(8V! zyEPv)zBpSpryY}8o?k|$&OOpU;NX|Xh8b&96_0vLZ_l|sXhG!D?Cnx!`QkFDdsCD&1M^5XN?pQrA$@pD!lp9~f$kN~lcXvk?&Ybke52)B{Kz}jGS zy?N`_Wg=UuU&9Gk1puX2>)9ngWFjNbWs%zuB|Y z*)4KehYKG+er!Y-X@Jw60Ks;~QfG+YLH#4(7}7%;W`xS!GW{{9yEaSr>5%soQ>S}) zDC_2$Sebc!iNsk3{aIeRa8LC!Y#-GI;60hQuez^A4TlNg1ELjS3f2|yMc3O`nfkdz zqkUlAs96|i5gp>7k9Jn(xS>1~wps#Jt0%2K1IrZRxxP(1l{U2^| z(+E&|D8>ViOkKD8i^rSj*OB++{f*XkUQes(RGlJA9rT^bO%x=`h=p{@R)oH$z%$vh zMcf#a&0}aE30o;`oR0cS{bl~6Hjt?x7y*WeU3cyV4iSSaNIH0{Q8lLL%Jvz>hRbre}3<;>CnR>Ml!lo(#)Y|#JMR$$8_vB zZBNyOR}XfJiCR>Ho+zS;+x|Qs1v9oT)9fDv-y-ZCi-?GL=*W;2@=2dkALlF*LO@mp zDf8Mg0|9kO9(F7gL!B(7rQDsg+0>5;Jk5AGcXkw+hDOwUhAy=}EbkX_`;l zj7G9|%s4{mKeb-wy=hLgef=sW<=egL`7^^%GXlY-?RFMhP56L%#%ouvX3g6gSIY`| zv?ll_GLulcktlZcOj{AdZMZx1^nD-iA? 
zgzyEtCt)BoX3QAzqLJo#oI5944&lsC!F!p~YIeR!6H5@~F{E((G$<+}01he&{0qnE^PXviWE0NF#EObbsv-9=^zzOc9=0#fiOX~3p;?@kh1mC)c4R$?OX(TKo^83$gU#-l8=qtHcvbWWAFKUZ zVRPQ*56szXcV3AgLX*8&V+xou=OasA)3Xjba#_dwngjT>#m6WgH^6bYpO zS?gKpD+)5oDX&PnATb%7iDM#@p<*Sa`OEvjL+6BKm`2!S+qQJFEsnFxZ&$7bSU^lC z%QGjdk!ha(JvMauRUGiWDKUuV{?hBs!k?Co#R5U{!9V}R=cQ{TqOV%3kp&p(Pd$IN4lrn2R0 z3yU`pBeQQUNN|;*f)ZMOZo$)!Z}z9MOq@V_3Z1}m@@~(x*&J#n8+u!hM@Qo$&}8bZ z{&cM{6(T<2kojIrMuHm)vsm;&)azofhT2Wdq4o$|50CpX-?t&LwJC92@{m6wo^k{R zOy1lF)Z+>@AD8NP8p9LY@XoR*SG9HFjy;3tDgrRfhDg>7ahRg2wPSIM{rX`-XKT(%TMtdQy&YG;d;; z?sgOiyX@6UzNCU0112n-{N&{uBjl%G=puJFg;!C~2z{K}pK2l`rGKYb$= z{sJNabHp70Ljlb;MB0aih5n-R@!OZ@HS2HfeUvD%s3kob?$E=>e zN;{!-qgn@DT-trTx+&BR4I*>h89SFgxRHO=N9-sfSEbfu1%7xT+s0zJ@-vJ;Qiguo zw7hbNuJ378`2}e`_AgjHuzBN>U11?T?%f+|Y7pM?-C1v2PzU|Rl2s#K-`-l?kPp3kDKDNh;_si_Gop9J`*HIn8)N^pH6MF+>G!6FL@$@G@zW-KIyHXI z-0C#du*F3`k9gjY?E1Xj;+@k{w*1sw(1+Xd&j(waveW~LTQRBJU}$yge~ed@?vFD% ze@SlT>}9u-WV-eH9ACd}N)f0jJ~D)`RRdM z+UtJ&a`kSERb26KevMOlp6&Yl^g_!${;@TN7SYp38jq5xc@ciVdi-Bf?l$A40+QZ1 zjxQ?DoRfF;KcA-O*9n&I$8EjvHRXS_07=?~G5yjlyA()&A2Gx~DgM`E1G5U3d$Xl? 
zYG_#BzGP9ac`{aR#$|E+e}AE*89Fx8x_%$hQ2A1i1rG2CcwK0l&+PPFv~Nf)hdZK7(T93FS= zKKOXksv7~<{im*Ri>=-lS!Qun@$;zB?|rt;J}nCYB^H872w9!Hyry-WMgVJ(=UcBP zAy0qXIwTw5La=#*pWHo-&>{$lS{F4{HlJ1MI>gI?I*0h;~nIj9GaWSKXxs$ z+`9DyjZyVmC0p<+#7H7ppz0;l`&QM{3?8GIutofjBDt`jH{GmQe?o0Xbo8s59<*wu zWuj5QD|goEVeMGmnpTJJz>N&6h;1KFBq+_OyzuJB5(QgU6hnGNz8Rv_`jk|vhl?)j zuhXfxvfd^O$socs)*fv1AFRM3ojpsk1&oW z@HHqXXmU#o0ghuI_J@iJABD=Wzw1y2i#lfbYkpf?e8Oa}$=QsUkd3M_h2QSQsAPwk zrB$^%DkAMqbilaBTXy_<$Fc3m4#A6gY<&5-~r~`6y@fPZ|Th_MHx&LdA?Kxfxl!;Bu9c25 z9EmYYE-V6P7f{=)%`xo3iEO=7bWU|kKk|Yg-@!t~;vG7>O*c;<1X#{E8wGGD)=SW% zsaR&tS2gDL^CN_Jwvb^zepiDK6sg{+!YK*hD3C@U@iJQ3_Hv#uN6$mHK3t0QF zm@VGbMiMyQFuQ+CjGy4a?39bs+yHf_yOHsXor<9_3ZoS#n}8Uy!q!fOKbg<3%8PfL z3QU<<5Mh%>ow*492eLcmbqU>+Cq*YKIldSgZ9}uMi53>^ihFN=LfiKqhBcupLN!E# z8Si+f&!@x(lm$nQ9otB0rZ?cjx{8?T-IzTeD*8-Hm(X)i4eI_%;8_X357=BI^LBdW^=nWP*ADR6BID7NBp7Xu`KN<|m zGQ*JFSj!S6OO`ByBuOPIR7ho)P>Ilxtt@R)S*A^r5G7g|OO%RA$x=v>G*Kc_eeX{* z=eo}CT-P7J+x5@6%`v7vpZEKo{QeR`(?M=_`AVQMkKO~_e7c77l! zDd}Bpz!6Q`Hst)k=kMaVNcg|>;Ix$h!c(Ffiat0rHf#ZOi*^;%0j?H~AfxL-51}GT z9QnD|(Pli?T=8iodR&<@l#wwjA=9gimYzx;VE!qg-l1dk7xg9L*_CB;%;zEIJ3 z@Ul?Si1}D_c^+QfW$vv;FsB0z7cTC%8I`Di@T2?q70M_hpCYrf3&wzc&ZHV9VbwCc z#Fg=lHg%?_47X!kk_L_AW|*dC`U7p->F}t&mDL|V_9eU#WydsCbr^p7%9}jd+BYEw ze5zO=+B}Do6Sp^|LajoCEK+7kS>mC}3`x43d)`ZM0teEzq~DcG-YKgjPb=375@^PqfxIwK}I{m9{u!qn+&U5G&{Ck$hLb$4BV{BAy0L!bjOUk4cY`xU-; zINN;CqF{pv*X%l-@#vS4x_1J(?lj-6fYdM<$IFT-C0#P@z4TKM&tR}VD^9_xp&EY9 zm7FHaPTDq=36F+QFf$L}1qWE#IryL9z#8r&I%1X#$HU-qL%MW3poy6;=JgveK%^lE zjDzgo9-4QH;nv)U$+a(AGwy=lH`^v-1dDd;7DdQNr$U*b9&f9`@q-^AovWI44ItzG+9XP|ER|Kh~5e zG~6lA(ZdTTK$TM#?F~{Rt^t5vajj#;wKd;*e9I>l!LoRhuF&j{3d(fGRpiI?ge7~9 z0v%q`T;=QoJ7J+{FH0E$4#Q|zd9ndq=M9MvEZJ8P$G5sfZ&<iiyM(T~c?VoL(Ayf&7Nxgl1o@hkbH>W8hpq7>ebD0F<$}}&a6Wz7nK+N;r;tw0Ev+^Gf?#ry~8iN z?WB{URQ|`WYivv{%X1^W3l%-U3q;S>>X*T%o^ER1tQkpogPN&2_^QSHLKD9#$!a}- zBTxDztR&6$sC2z829n-|FP`%vsBBV|WP$*8px#5a31>RbUaR)uJj>xojFQUI$x&dh zsFDZGD!yG*WT|2cTEcS`c!3h@HbKwS1**~63PO%i7jY$Z;$MWbP$s@DPXn4(v;uNU 
zo3)j5U1WoF_cFOeoHnahpY24HQfz;!q5-{nP5e~YcMp=cGad1X90hYaiw0k~tRK)^@q4+Oz&m zGke=dw#k<0)wge3g(k=8EWLBETl~du>ZdtQ-5Tph;W8cZy}G5v7ARID$TH-C?0EN4 zjt(y=z?io(O!iYyvbr?&C_0)S4@y4CfR){h0Y#lQf`Au{?jrHyXv+ysrs3{}NA}q| zT-YyQCr~yjM7EtzDU%5zCFdo0HO&W6A5^5BvKLO{?EpR5qF}^yZjcbiOoZ~V7pSp> za=kt4V@?Gn!tcnkI={LcckZ0wR$BxN65K+G$tvrY`s58mW(DP>$A4uPY$=J`NPmi1 z<~~C#eu3O4_ri`ap@`W?8e0)p+6}WRWwXFECATXvg_LEsh}>R?k*7>~5Wr)zRvi?K zEIeo9vxhb0oafWH1Z(*ZvGBve&=e;i2hGCye-HY(#ruy*{@O}+l}!-NDM0m zs}uXx5o2+5^yLR|8|I|Axp9BD4Gm8h34<_&1iP>SHJ0ZNv|03zv6ed0ci#5(7gqC{ z?gfrIkj~l2DJ@nQEU&&Uw##ge6kG;uu4b*vg~k53dt65cXZ^&G2PYobNnyabCE^NT zCnU8`2B#tic8a&z=ru}9D-1h>OWUI0pdg>kKO!-cV)>tV21e4{`=q54yTbnOOl8s4 zAwX)PyXF2u93E5-H>t$zi%z;1-kAU4(^6AQ;_=kDSLSqSHUgInkHwgbeFaI&;hzW8 zFWtSsHmFnUS*=G#%ypsM0702!zLqO#pPX@TH<1?QO?{xb^3gD&7mxmx@r5Q~302@P$OtH$wYRiKxy$p&&^_ zST*#9!Iu~aQ^Wu|Kj29}zOE*ZQwAIJC1o@_C8iB9ohTGx&*aKL&O=`yxGzcHhJ160 zqk7uS3%?U5dU9SyoRiMw4p|M>7GXPDUTu@;6jdH^cFd8!>5Ur(9(7pWN44!xMJtoD z{f?B*?EY7Ya{lB=5nI;8KNK+q79$BJ$lPK-q$%&v14nhW+l0VcBs}317^jW8B9va7*$T zr-J)ksfH}dLSg*?OOrGi01-mf0-U3xnUv7bRYm1IqZL4!C-K|FVFiDI-t;`wziiO@ z_49qzFjY-iGoKMXiw0E$Vb7hTJudSvZQE4Aj;~Civ;$pR%#XyQ^YY!hGu;{kX6WfH z2KRMs`0|?m$e0d?%+No1X*m_&hL07!eDb%dnF>IV_h2m<--urMsbM&gh!O+#ofDcB zjI(RNan~K(uO!1*bIEaPca)J7q9`M`eimLuki-$ob9J2`9nx{zDoUk_*Ci!Wf$)5~ zeI&*c+uJZoV|R_!c+6QH#zsfj0+SL{^a4Ml5i5mVl+lh<-p?7#!Ge)u9pKp{FNY9f zBt&K1f0jPV?!H2>fq(G^bVwAzTCU?)bvgL>(MdXZ{?#@qE6jJPcq+=A6HF|opX%vb zeB)-o{OZJ~R zJA=CzV(d;v*HP#Ay;Q=06Ox6^Dd^)e6`_zl3LSo*pJ(kaHgheXz;wxc1ju)x7+Hx9 z6j=P^+Z0Q}4$;VY@92;)G+!~3-ENHph~k#3)a80huh(hxE>9cf+2f-KAOP@W0P|wvtOv%15mpMs`k^uQ{&= zNx%{oh5~S~F!oOuER-~Dhn%f^FkueZOA@@k=&=N3Q*2X&T+KGF=c;$OwBfST=MF=H z>O1|sx8t0ohZ~FwIu1zCo0nugEj%x+Nc-oRC6%wf4LxF7HpA%E(a#QJ$BZ2-o<|Yn zQ7jI`Rwl$9u>4|F#(FK*P}~KL-|WYUwjMz#qOLw;o!d}_8gnuvUCTz`yT{kJqXK%L z7gb?18=rhW>|LX6%hWL)G!nz#oEsj2l|^non%1=UC!fRep-&FD{ywO=;ec63Ll;<5 z$9|})`V&$I!@Y{*t17IVNQr%(-YR2|weeYrq?K(UIcmHXqm->%s79w?$YhL}7n?J8ga@%DnmkG3)oRYJ;>?wSi2T{lj6Q-Urk%@~`QlJ1sof})d+Jtnz5wt< 
zJl;+TP9hj}7(ztO`H0+67xcE+K+VZhP0Tb)Kp&cY-jdh}Zt5kldJ1~)vq;!{R#ba| zm3$5-H(zZRbBv^lg}5W)qvX=pYfjF`8-M|}<+f<2-XdrwL(qWSIY>=+5nbks)I$c> z08o)(bXnssiVEsKWx|re6mR-lTVVReloJ?a}A{1-w zNpF2I8aT2tPHq$@FE0Pz{Hlvs2G2${YFu4p^V$3;83QsalCt(q&ec&<_jSBM6#{{A zr@3o7e06~RmRS)wz(12vzKDz(6SXA#-A!Ex8_EIFj|y35f=^)UD2w>Bi_Xd1ru|*C z)Uw<&?0LZwLdk?ft@nYc#}1`r z$fRHn&ax6GrPi(cFci7+<`(R&aCWKeZ?hzqOI1f#xBw%}BGk6<+{M7gi}_2oDOv9M zrLns~vkQ%HlVWq8WSk5;{o36i`nbizH;on}7y)no)^p|=ErmYoud=^L8~c&lS`Kd6 zW592+R=EamKwb0d9^gk80U^+hR8$DL?~bT(*DYe%ox61DVfpUW9N`jqO|REgzwz6b z^)^pY`k8SvbZrrs^ZTw{7uLTv;L<5~9Q1~lNQ*tF`SE)Woor3+BFF9vZwc~M&9Uu( z7YEG2X4oo@7y^-1HrBqTCg$Y=Cq&RUG8V4gC3BJeaO5rFoRhLf?!DThueehF7_39Z zjy_W2lEngCKCenkQMxxO@g+-_{)S*x<6Xr#p5vEbnRbWt2GB;LI*7UF=k!G}g#()F zE66?o`LdeHsS_*9gU+sBCL-;3vw2hVc4Qp<`d;w_8?t$Iz>y;|$bzAad&oHh2AcSG z3Ygw6!{~d^A{~Aaw|Va4DSji$O18OaZJBAlA`+E}yM0dKPt4(oYe-lW_UD~DyQ%n8 zw|^R;p5kS{Vuj3D1K50(?tg$k2f{T&rg5cwBSfF%A91loTEq{9W6s~aVo0pjX|$o- z6yfY;;Z{j{&9pk|U)T0-*_F9x7X;AWaiM0=HqD2RpgGy(XLBTY9lq2wZTS`KLI>>Z z#HCR6Nt!3}VKF{%J0R}4>lg%ZzsbTN>jQm6`g<4uXDf_0#)PTo50Iu&QUZ5|Nunf% zjOil_b$Ug8?Gl>Ydp;xmBI(<<)o+D2Jseg{VsR~DHlfS)WsI$l zfBa%DIyH<_z2mRmllvruh%1%mK{>|I1S0raeo1_OG76CZ&VIA>rU{2f z=n2PDwGQU3@uux%S`zzRrbqEp9$sy7)-?KP)n|aJ;V9l&H)$Km?NZ^=$ypH@6wc92 zNyBY3jcZya>GB8Y^K8F%1(C*^Aw$z#KNZ*xMjj+Fp4zhw@}ueNzv1c;?K3Bd%!cZB z?YNoBvbo6+HXMsK-D%pc(cNC&SkXlc)Drc}K`e?*UWgUZRv^n7-Qhr9KJzOWGhs;S z`>Mbd1r@d0u`7%WV#2ucB;im}tq@i-#FpU}cUL4G>Q|_5TBD`AB|V+fmh%U;{Vo<1 znd*Zmw3M7iw~CLeCNJ$j@7FoJ>&4vdY08AI|32wl0SU~45R{boM(DhuI})v@3^Gx7 zv!%(S25Kh49{d`}kncRNc?lySiU?{aw(;3X6SXrCYwVOP5C8T?7DL0H)kd1AvF@i4 z*Tcormj(j%NPp~zL?{Go1KSJFaeOMiNop9>@Z?H-mVZdukb9nQa?>;_=iSp)UKEnu z((S zsvN`@0~2OW{S-`D#r>~=ErkdCJK%K}&s}id$l-(XGxs4pquh)P`F#H3y{}GJU=)zA z&RLY>7Qpwpt|35D#V=>dk=k%&Yr0lwX~OpqUazlX`)f8@MuPpy2pWR`qoMK zH~?A6!bSbT*O4<2iqus_Coio`_tw}Jya`ygFOxmT)}5m-RYpS7LS#azjLI&(@P;5+N&3qc2P;Qt3N3p zG~(i-@%h*fZ_f=D1m3m%o}S3Fj~eNiM4Iq5nJVO~|6jO83R?wfeFW|(=}DPq#k#1z zo&W9Kf|h4h!{7Y_6Cb-n6`&e#i(6KHTSFWZ{qKACJ7R@@BTJu!q 
zuNVoW;TWk5zC3BQ?)k}Y!7U}eQoP}mY9u%zCYM|#M%;xJ zA3;kvZGUH>#n@HqRC%`$`2(Sy!<9oSbiSj%4$K*^PvAYybN)V+cFVSHk;*0Y>1*-}stHlAA-u{B1BG#F_%?>vd{J(Ki*Rk3}u^+B9d0%PDy)4fW}fM?#H0ast$dm zm^rE2nc)82uDO5z4|o19S)0&9 zbxWx}m>2jNn9Dcis$N)1OGnso5(^4H4_khfyrcBEyL8Lno*BwD}E~732nP3Q==WJ64MgrB~50X+v zVJH?<;S@P|aYXh4;b9C2nV0U)mF$*%_T{Hm*iqW}TaCxZa*X##j-Z(FA zgKpoY?jlsy8m>W4O)}VE=8uHTJ1{j$GMyWV{?PpZ*!c!Ru2ME5^$8^CHv7@ntMbCj z=g+^7DZ@xNHgbs2^ zVB5^%vAX~A>7z%TH*MO)VV^VpKml`(-@Z)~Drr_dK*KH%j~2W_Yr{_goacEAlsKUg>YMVaP+f5!^5zn3-In zedN}NI=|S^i1*DO`jrU zqz_jepa|X#aFek4^V!4urYDYXEZtW9YR;z-XKW`MXzuIZFRb0U{$4ecva0%T%f55q z_qJD-E|{==;fy^A2VLGN{n)=C&hBf@_+-!3b1fXr6Na_w-S7kuAQOj6$;t2jWolPT z)u?T;AKaoRX1na0?LDXP&OOnM*yr?LmUS!xP~XW6Pa+>l+uAhsJH{m%P|R-~IWt4bxAwshK|a!pN2?q#7Mw6+ApT z&m;7`?}hU_+cnzTZ)p9GRLiMTlIgWEy?Zx-;gJ9W^XlaC9ur*e$Q?_CL7f|IWN}+aV5sR9vv zsT*!{pIQ*aV;AFL?bCT*=FMN{`9)lD{V{r_=|7)bdeyuYC2M!(F1UlRddyLoa!ZJX zZsb0Ry=pPTjh{)#WK(u`|na#;43qb5FnU^M41WeA`!I z*5)<3o}6AiFSL7k{6l`yE4O!7jTblWS~1oG z`8xP-`ohqEY5soAM>&oaAhg%bu|u@AwZ97se?8DvKzvxNt(Sw7jKwdTdn=Nrrh z@6i^WU~b;d8TO;vjwrQTxMImqb))t~jJz|A{r<1@H+#l4v)!9~0uHtB9(~V#nRT0O zUAo6sKRNed>R{`2dm8s{FvYR_IY zPxUpQ1*xoResQ3PjaWu@mmWL%`^I?%ID;|!*#tef5)cqzy>g{KIy5!kRz%Ss({b~n zpvDGsqXbC=U0%$n!LiPZ8iw$JurPgFQWrQagmmKXg6T0~@s{DAuf|@jkOVQ~a3x^1 z-W)n@T;(w=-3QhHKVg!(O^`3Zjp@nB3cJ)27dk5sW422VNuLg_LnQc!nAp>elqq>XnF%7Es+D zo>?X)!+^MSyv$3HV1Dr<5P7aZTX&V_pt{$h?HH5~L<2L^oLgI$5A)&kXNk^}Q3bShHkT7& zbh06s-HWXrowF`8NFk*}X3mg|PDBMA-d~=d0`TWCWg;QpJd@ta9_0qK>&fev>HVaY zBQ!;3~x|AT25TX7cOLlu8P^VZJXnorZi~3#Vkq^o9sV=KKeKr77pUa zaV0^ZKrE$qGhPMy_>0!J!HfdBFG0k}f|4FMFfz!?-CdDShQX)E>xuYe@yV)tv?X1;Bv9rql z8Ijq|Y9c-DdM0a@6 zgt3)K9;)3tO%85{@exMK{RP0AO9_0a4r_t*Swp76Sa%G}>+ai>`htYhYL;XB@?oj9^r| zK~4E529JS;CloZ7z0tXs;9T9GLd2w@=$y5p=pI24%o;x31B~`SO0bvr8P>IzC7M3* z<10YyLSGF>Pi2#&`8AVwhIU}puyJ_Qw$T*5)|={tjS?)n_Dd+P%J2xA|z$i2mpZc==<163eg3P%4=d1 zfIDT)x^$5+%W>%GWd1m|PJx9?Q-)gNJIkU!{nzqq$< zrS0-v@9$X}aiPpBCvukIsM;!>^U(s%0cxTAG@3x9uHo%b$V1_JRinFE=AE89NQUo# 
zHJ}{(QS@~D8@+v|)&rTfh78($ww~VJ!U55j%F=IW(ADKETxLEfoAyD%2Lu%XC^@z8 z>PV0<*7_Kpn9b#Dc&C-kC4BftB_)|eh(*8iy}-iC zdzovp?r_uN<`*$#K-}%Eml8K^V}7y$hjI;RCOG zb*KH_4yuQvoxuh0;kFb`dKX^EJ@iBC8SD$cEYpV+K-Fcyk$CU`@$a8qICg7Y#VGOJ z0{uuZ$^|9JCIn5s>-7lcWOjoxtv;Q^Zlp4{^B2h-cBgoAveMh(w3z)zkDedX1JoBmfQ&>NAhLMw7RDcsoSk+K!K&-W2LQysEnV>y zvT;tL(>j^#B#>HKBi)w}@jQW*g^4QLV5`<)+WMPfmK+rRGh+A@MH>9nG4$C9F4rc1 z>z#n|Z=|K|6=B#0g&5j;O+?Gh^BqBF6=LJ)K(u zBalX`XO`%6USr5L&R@32csaqcvf7eUh=E;sB5E5XTrw(S#*}#Ic4oyy8dd4)P6T`~|vu;luUsG3sH!}~08zSVS?XWHcms0&)OvWL}(*u~F|-jH83 zyVd-}_A?@TbEaL^uJc$$e)Ol*{)x}L_r5kfJfyo%j&pI-S2VI%EqTnMK0^x5Frh~zU4bg}W_zGwItWNd_TFr&Np_8l z0_T);XEYa?HBCcH{r@5pUal96jLyYHBes5X0&Q!ujn11|OoFotGDE;Er{PQ&08;n{ z;whm0E-(~^51xv;W;9ii!sbu!<`^xf(as^td1bRWGRI~h^pP}0uymQD2&nM`_r6H# z=ly-6Sp+;>a-mO%_BIqdWb=u=0C7!w-HIb)Dx$+_i&+CoNV|R54Brzq>DlHEC>lp)rR8({Ax)C`P9(#L zZ35d!*278(c;U{UylY{46wtFLew@$sazTGt2xD)#}e=J-T0l?Vh2etT>1(U&f zFd5Gp zTrQLXkkPq;tKnt!BDRn5&2tEawb$EM=sy<^t&fk-xQfm}zY1B1aKBAm(YQ|j?aBF#7& z#L*1{fqHoAm9|RRfLy5rFKpFrA|tk+Sk0^83#5byB3^Q#NXRwpmMK8 zCFo=jT!Rz~bScvuRq`}V)H*_oi3J!#0LBHZ4a6%i82Q}dBN(!~HJG1ErcEvox3)wzd7zVwgP`an&Tq6RZ@r-*}SLn8n^kAzIuzO z+D%7@rw7+w0>>$AxfmKavql_!ntrkeB5R(K@4Oy0UgJG?vBqT%hvV22_bOU3?4yKv zX*aK5@11jP<)SMz7$6BUP!HDQ+qZ8V5wGc2(UKjf5D~A8-18ExIX4P$@fT9%u3MQQ zvhIs6g`}ZjM9w0~59xGg>qEB11G^Det*5SWdfbTkAbTh}}ff#^Lk4R_56RXB1FC(V6r@5U( zSJKoFUe;zlN03s}oXM|7e#aW@ZLJT5lx1u;HC^*UHCE5_?8!A>i_aLZPdmLbsL73e z=8JEA>fC8yb>XTgzSVttYvP}pO6;F5WXBlS+O>W|CL>>+%{iOJQj|1DtRAy<>V4Qd zcULSA7-*S14rY0HZQ|W>D;k2bp_gmKELM0*Kk8Q(H2l? 
zN*X;0X%b(_NVy$^zeSsB(!2Ki@r-E{;}Qi5nz%f9GF4NrOEwn|9ctgjvpGO166k%A zk@mZ;Kjj!+M-&ozX+6$P^y*><1mIaqU^!h{V9D3iTenn$FE6!0rHAWr4~2qi+jAVk zlK}?^_WAw7INgeb34JII=B#eRt$6R+c17QHobp^x53qhINb(U|&$mNYb^q@`L6zyU znj^GqAJAS+XsBJntvmg1g~94Lzs-0fB{_^!pHD-6cV~=NC}tSN0bH-IZxlF+B1hBi zey@_coVSX|=(ws7mY}fH+Y-r91u3GIv)Ana*{1tIJmeRM;0y^z*p!JMOm(rj7q;Ip zf3B0pSn^$XI|{Z)IoYF1vxMZMXFyFJbB9uYlO>F0PCyY4f?u9i+y(>gsZ z#QIrk<-^OA{IBYqEV}lqhqQPo`eUlk@oHTlsH>k8dx+$qRT`Jx; z0vV%O-1>egr@^T>v;VZJ1=5n84wkW)a@-|SgRt#Km)G@?<`q22tn}L!Gme3>!lbK( z=fs&o>T8($b!vUeq3K*oR4$wiG6WV4*f-Pk%^Z?){&LQeG}U05Qpci$sFOfIEKt02 zRjK_83kwx!=hlCEXC@SQQgv@@}=xgaGI z8NEoK;ZhXrso9Lt{{OoxPtlAAcZ$^ zT`@ipNt|M69An5E#z}CWNC$`7as)_>5)wnTT_9p~VAD(<1(;(GNLnREx>DQU-Sw@L3fUW{ zVo#?1OA8>FAA~qN^a4Nt`*6S(#XaL}AR3jOUr*ZIIFH$XD>q&E7+1ewpw3j2n9nzB zbtgBqoZxhL)PVMy7P-e)54iPoDP>0=*c86hl2cIx2VaIb&i#HG+tIWmlTBhA=tzy4#NWL5)cEv$~t}= zvr*SqtK-g}hoYQR=5vnYOhkEzR}~EzsSSs^$22PAeO*OGh5TUtJnP|tyfWHfuFTo&9!W__*;&&K60Tff z<1R6D6CDrvK@@>BFNp7NVAi0NQHYFu%3qJj)uA&0cD%62V*_Pd*+z#U4PyXeUjk>L zm|zYFfBLVfzUKKIU(OP6!2esIVrIy@=*T6@;kt(OD|0-vrAK;9R&{AvSa{hyyFr`o zu1$PfXVAB3cE$Mo+MI=7#07u7-LAvyiiyawL1cvVrc>fnJ|8{W0v@@9WS z{x`3dz}&w=VBm^UfI|tOX%GD#N+It*+dEGqiy`qKE2ns$?-l(eCW7 zKgNGkR?FA!o8K@vr$nWv`EQFKIjGM6`)9I#JF!wlu?}?7Hgw~Jde-l2dynGDx@~NG z7g`VPqP3#6w$;bRq$WBK%j`D4Zt`JG1 zulC~CkUSlDPHMEnBf7kdHk<*|@z<5Zp*9vPyP5Cbt(Z4%^M|}0849ZTe-6{zpK+-~ zWuf-Ku5$h zHKrDBNzHd`Y}?I^2?Fna+aJ1dce~!d>yG&Sh}P-F{*TOyPOF9G?rlF}aq8&;!;{PN zch3)-_UoScbD~CSE&2J-oy#dYRq6I;183Nk)qQb#+9KigQ_TslT{E4IXF0nayM5U8 z^X!6_{~at*Xe~2eKVPeOmFu>$Ff!|}LoQ?VNA3_XTI&4XzaRAJ@?ZZfe^BM|p9E6t z|IDT6^q;vD>Y+IkdoS{4&35>6vu@PGKa3(ndljBz=9ZGus{-b=%P)JG(z{>3X3Sk` z*1OOiS6JG{%lsy%S)2gglmGkkv}+2a@b^di`wxFT&Qkr?r^N#7O4jpw)i;8`Eqw2bb@>@@!o0rDPxFe@oUsrs?x5;zQGdJMGpiSz=^( zUVG@FPUaOU%L+{VZaKXe-)uy@rUia<|PJh9I zLX>4?b+BgUc&sJ8RA?Wy%!%_8JS%?k}%atIlf6Ok)BPN-ELcP-xWLW?WI0V@eZH06rx7kufWy&Kx-s zniLFza$=sB`fMHY3C3^U#cj$J5|F7gK(us$futVZaJ%>y0b$Y+ks`&gTRsIE(p|fD z735t?ME>>y9xPz>jZwGAOP%+mVJ^_qp~Hv&WS2T@QM!9MCH#QDFKL1%YID6()9-~> 
zhv%_8Zk9U-uW0_EaxNNL%pVt$`e$V%n1vb5!9|M@;>4y^LvOBl79lfI&MNJ!brX35 zpT+sB=gAjO+*TX^wrb+GOZ_@3KMZJ7ZZ!W$uXvX8Q zUv%Qv&{28P@rp~U z;0rw-+pQ27nsOG4!+O7BlwG@cduFe%A`wHK&UlE^4#PK6cOZACxoPdAV2ZdpfSy4< zGsq9n;p(?W`KUc4n>LA`KIjOm2FNFbg)tZhg#0F|4Im`^ z+e_haQE22q7z@$B)eMoc$7F{-^xfK*H(MrEf>FbaUaHzeiN}!IFsh@pO=jc2SYjrj z-fNm|Ui}bE6Y6@2o!uP}&UKqM$utE3a3pf4Rt8eiX;P1)e49dtx+ro(3B1~yf08eO zNhze~oU@uF6UPuoQ!`3oD=Z}1_xmUq!%D1yc7VHNiJHZA$gqE=u=?rcNho+fZVl{l zYOC)m>=a@Q4q(0l%rVqnD~!l|6iO^L@V~U$812UV8sv={&JK^=&$FM5;0Ii{Y{BLw z3coMfF$mGcq6j15`}`t#;GZjtB6wih#iqn7Vcn~45v5k6>XCXlux4mkI=j(UOQDRYHc?pb{k>W4(NuiaZtsX7^69-O;r1% z`NQ--k*5-RZYKhvUsKMi9MxK-XJc#ooik+E>eG3xKFmI3pt#d1HFwnTKb8+QpSx+e z=B>vQYYq$!vG$Eiti7h1V{Lw^{acr!dfPaEkYf~&$Tg=8I0YRslT%Nk!6ootY}Mev z#^$TSTPVoyhGmjCOT6;_U|3DswmJr=%H&{VOTox*1Q;Mf2#NE-St# zD}+})dh}=#Mtcsd`;DF+Gp)k&ed@`E=1pd!3g_jE-3jWD|U7U`jCVaB!`rCxAuahXPnpvREXB zAwHQSeJLEQ0->%iN=k0Y_J{gBX8#3_Xghuxx?OBOVFokb`{N>j`MM2PCM=~K(}nM; z?qiW0Fe@^XSIv{UXtayQZtm^i;Y*r>OE%U8Jtk+i|13%11ppQCA5$sx=~p>CZ`{7! 
zKgR})NAp-~;pK7n@TbOU8qef&pp}$-27;~cjC?qCb&2C(SKs0=;4^?`e18*FjVaS& z)@990nZPoBi6U0MGON0s?h4Nfgelru=SfcMeFjm(Y=F5NhtI|1 zC-!rgfbZjVO->!`aL#GS-#GNM`QA|&v=3mcV&3^Zc2UmTB{gr;Ms6+u&q%~dIu7PhK~iCP00Jiw<9idDSUd}`pRUmx+%Nh}Qunv#SI|Z}RjeXy zG#xt(g4338=GLe%NQIbW8iZQ_g~>*PBF)JUFs!lW}`rr^=7Vs&Mbq4L)3nz3oCWt|9 zbGJ&6Ef4_$b1QQ0Vq;?sdelpo0B_tY`o$!ELT7~WJP)zcYv(H!F}Xx|eIA+2&LD>P zI3!}z_dN6*V%;!QWw4OAyks3ueB9NHl}3H!4$`eSY<;Od)Seftwaosue_~pBJ<=(b zV`CRD6`Bt%@xZp}T3wW3oAip*DBT#s;XzKsPVlGqpwh)9B|F2y!Zf1Ue-3aN66ggk z?Ni>d_aa|uq`MoN2iFDOPMfytTf?_o77Hg_O7-s>(8;vHV0_%s+|93ZRwoa-q)>d( z+kAQbq_zFJU94P_`U9ZYEnX~jSPo5nur-L84fi3jP`@P{wBUA;wR-2yj~v!8e7osT zz_f3oOb52bt{k0{aHQ7a>x!2uQ>RY{n z)-ZwHXs>m+6Ve%lI~yOX458MNr4T)@@pDR}&Ev@VtMi8xE9)<7vcb*GjYO9!^C#pX zc(GrHvsmTj@z_3Y_0Ip|_Tg5iw60Ccs?QKT(^yy3=ws4>4vM8cEGsw=;UG8lVVjwG z`Rm@??~Q@7d1%QR!3Lpv`{9FNEr_UQdG4v}yrWpxH;zjfG!uWy2tf%iFlF zpvk&0FPFd5M1*dL)fB*6n^Mm6L8if3AIv-S0=8W+Ktu#4F^jryBYI)&x7u}Kx7Kr= zIlX`0MC2wMY@ps_$xN6z<~CZrH$z_2sQH}uLicweW8E`GMbIgx3#r^fh3gV{n~xi&W1F9p%0r#@+YW0%aO z;c#7#0hehNZLV?mQ6<^M)fs`!#YP8yxeL3hs)(ro*#J9RPp^kubsTV>;$FbK3Y4sm zGKYgL>tn{rdmTt@;;w%atVzJ3)VH`*h(Gy7cjhK6k;j|7$G9M7uAl+R%E}VE&Y_47 z**oRzLXm%PGbvv(&tL+HK;7UWiYI7Eh-))(J~y~9@uSC23TOZaP}H1+*3n+06uxE? z>xlK*>>8{xLx6IwZnY%q`Cy(CEtN64j9-M-@lrkNv2Fc2cVW>dO&WW6;n=sX5gKtu z4KZ3@$9DhC!Fu!lg;x(c_N`5NY9KC1PIu@ncrjCSE%G&_Zfwz}+X-$0j=kyj!%ZYp_ln-RmX(A_)GyOvI*GaMeOfvrx);2#ef7Z61N1fasw_WIkxP647CeTclK z(CTabICiKSmRT$V1U~^V?^2YKwr=16&KT{wXKY$7y=z^|2G2pPI+HDvz>R{|Y@Sy% z{rW2o5jx@i^YRY`j6X3LjWf8A_Um(e=Rr+MDM{ONfZ)#g4POv0kvmn&Oc?JVVS{j2 zWrfjQ!}R>a0TQHqgh6(M>eY{Fq@z0-|4ehE!SRBPU+L5wKlKIzT;wn4VCthTuO_IQ zK8O#Rl76Dl>hQy9S0?o5#6jiAiA%Bq= z7MgDRn4nAcQz&eCPYT)Qi}UDLg>~eTpmS`gtUR~r5)n@z%tJvlv)`RRacx#5E!hvO zHQ3lV(dokuunszrBV}tLvT!X)d{_0jBH;F>hVb;kRvkl|P1pofLw@Bc;4M}a9QA%~ z;gnBT!e$y6Yz@=M$cPh`7PWy4CF4vhroEtOb~Io5YC{8_AeSM_ER*NBJTzF3K654r z(BZVcI$@R{^I;mPs15D65FEz1%9datx1keGoH#K!g3Q!YpM${*33Z^Ve&gCG9-2m? 
z23+dq-`3!s>d6dq5r@jEr7e&YZ^{X&FIY_z&G(f`Xgs&iOIi=w4w1}h&Wbu@!H=L3 z49*|Vl-N`X#hTkgP~@JdGrdMZg)MLMzW(E9O}*Xq+{X=bBTcyHo31EVpem`Lwj#iT+)AEq-9^s^Ih0MIX!CZ-b&4RK!=D9n)mm z?G^jy*$4IheUYo~-if<6d4$|<7cy?YrBU>4lbVg%ZA|U9J31=&#Di5W zPiv`eyJFDz*}($4+CFxHTqzQG%ReIjC}o$6hC{*!7ruLz=*+C6t_b~PfcCA16z>+g z={L;joaxkib$nqN7Yu;zYc+40s0)bDAR4mN`3gB1uUS(Z{8QJ=XU#}i3-P(xHa!Ch z2wiA<@)0?lcry~j`uFXN4u1+~=kQ^}oWe|}Ag5(C{fvl^D<54Sl%|P&}L1m*3k|uCSF^0UR*Lb@kK@TB;!^rx{ zjkf57qErAMMEct@yKYRVIHNVbW@l7XRMkRiRB7|!a;a&gkC5?zRPV7#m8UFICQvR# z@N;CIGgWg-u=bWF4Xwj06>Z)rhVVIEw%hlv3Y2rp!zr-qYkODY=Swt;N2OS)Y324j z{H0e^+w3+YP5UX-dz&xz&FkD@ooi*>Lkh(JrnOhe0LR_?_AQ}umhdBLWNB3;$wV(q zCVPGtpiZ0C^c?!X39BD8#r3W~YnI9|D~Y>?dexhHX9u||;L{K567S|;=jVEuM%l13 zVa>$Biof!j4E$_t_^iXfjL12fOE~wMFB;7ovzgw4_(fn@Kr_@n*7O@JHcE>=$YVhg zQa)&CX=tQf)L-%NbPd%jDF(u6b`QkCyNgapVw&kYKc-c)ipCNSU{v_SDWZK5Gm@t> zVRredB}?1`1G~}-NJ=3W4_L(MR~EC$8B$GR+QjK70;LL3j#TTvcBTrM@a_E+j;8RO z$yyleIRp<a+9@PuiUZ*E`0c(uRmqETagpFC{&gxV1VUhxp4LJ<@-Qpki`(&wzOqFgUyWA zJe3qM_660@Fbxd}b!4)Eu?iR11`rnm5&tT@=iD^Fu8UTqS+@C6inl=c3_zOjM00bH zMo@bH*CknzD|6hNe`i_x&|G@aQDwJsp)7L6^a1OSj7KK3YHqm<_4KlSv7Oy+2J=`w5zfrXJVZ}& zg61HtN}+Gx{zjm!Nc_3%J9q9pua#d-dzTPW4O1hRlewg?mDOEz#)y=??=Pr8MV5MmKxs zyiilr8u6`7-p7X7tFk_}3Bh}Vv0OCW4D$g^XdT*2gRs!)Yd7k9cmJ0bVC}i8x1Z=W zi*y?veZH06-7=J_qbHY%Tc2tP%3xzJLkb~s1^ITSQO;C>LOFX3F5}utMQapV{fz6; z?*57Gg%`nav-oK;WE{=irj z<}hSrsEE>#5E2^sY*2<9xQWcqKvITcp}Pc9?C>9A+;nfkLuC8_6N=Y(0}`TG|FtHk zb=9V~xieyn(}4B{CirQVkBcVoAt1a2>tO>?dqimnHrSm+ps-g59t8%9Vz0iKp zNqU?=Kb&?&d{Oq>ABz|Yg&_Nh!F(_I@Jj(|(nd&R`LnC>hnEnV@RP4z*tlMbk^}^D zSB$I(SRyXDo#WKq3~ahGs1QJ%K<~-_INA}h zlYYe-?T3Sc15pegRGT0~UIr1z;BE_Nvuh+^mP6qfZ$IqCkPU6cL-arv8yR z2e?j?ych7jr7waRiSJ~2spL(?e)7sM09X|_s|Q-}$v#Xg&Q{QjLV z%$*T_yldHP*P@GaM>bQne!n~>>GvevWjAjOShF<2q<^#fTayD!jLY>sx;9P-4()UO zRBPXosaYFNDQT#yhh!8Ta$Wt}ZT0b-?>24+R#M5Ozx+SXU@Za>RX^_je9tJxsZ2H@ z52zGE&oUn;`1#BpkER~s2QB+Lbf(c5g`p|=^~w`2mO9I&8LoW z&5VnWe@$EM5($BQZy=$W93@Pp!WQr|u$J!x4Gt*UFj4D|u?-6i9k``0Jtkew_2rl_}%XB 
zLIjZzOu%!*Q8ZRRX!Idu3UCPI)L4br-}>>8#h7M6$dTJs?p8T)e0Z^Coc`O%CAy~` z`@LKITrFmep-0w@6Dzy_6w8p8z83!19z~CxF=vukuK)hwyIqM{y2ffP0KirNA|mq7 zvemT2Ip0xbQ`3-TX4WfA8XNak{2c8Ux2fl$TE9gJS_8`iZ1(PVoME$KO2OlVql=cC z&Hgu$!y$E6$Q1e%ILO}2!pOGU9slP(6(mb^O;?t}>fEdB+cdw=DXg%DwZvDCowRu{}>I@6KQDeDv$5sMzgh)+TXY z+umLZ5AodBucpxX-&G_HxB7a-wrgy%$;hbjymQ3uB9B2W{y&cC|I}=_{a-X2+R7bX zYWb=fPiysJd?;xoktRm%jQ%yX<3+?>7?h?Wb=qHNy*k}!(^C94Xmg0o?P+e<9C8ZOmy<4{Ju_EE?yzG?4 zDq0!ebnCCp_+nvkrq$^q8|;i1-O21vn@wye~{1 z33=F1e_~p+DQQM$KX2JsJ!06fUSr0Xeg2`YF~|ACudCchFb0+T&9<&%wb z6!2Xm$8z=rC_GVODTZowDgrLf|AA9#Vxgm~dCSuN{&4;w=j?obW=sNu6BZk(6r!TXz+6Jcp zLQ{eVlVVT8Y6MCXyEi=>%3N+k5AG>La-r&r^Ws*SkX1@2d>&7@NEzUte79XDfdyDW zq9Wm(ma5$A0#Qa#-Ti{wRNo>Z!E)8_zAUeM1WgJ9#I7g?d`4yE0BX*ikU-bn^+~Fv z?9G@*ALw5i#} z-s+07mWt~j-1}Rlcc z6y8Maa+?znod!r|&Fo`AF*&Q4y#z&j?Z%B_OXp9`FddRY*epyIQ7X1?xm_)=9yQSICLM07-I_?y;GZ>T*Kd|*6Rkwtg7@O zrmxsIT4V$+^%fP1^OQcjYScd-=wWW+=~3-)PNmnw8sprZ?;4Gtq_c{la@3ma|Jdsm zMY*`QktB?Bsy#?WAtaOnA(D5gO=VTHu3m#G^GMneM;NIPKom)Hv^>_VW}dVn3Leza z2N)=b#Tl}AP%#^R@tQRUnB|CQUuJqh;t#{7H?OEzS&3Nc1zyGUhDtCDNwWzO5*-xU z1;DRgID-_(Ww$693x!~#Ei-PmmP4@u4$BCk%*>%VUr?!d11p~=rH})27dhdAKG3N0 zTcqb!QqH-s5|G}5e6i;*U+zFDLNhCjK4KmyS&iTZ#8xuSTiR%{Z)m&kW1)T=za~rc z{vX(u67EJ>tev9HWGkrB2P+;hd+6jDTco-osNlgD(<7wE1*uympINyCe}kZ!2q*-~ z0y%d!FWvv{-8Ld0}}i)6SWrbJwkOoNRdPEaDBvSl4*kW(DC{BJ-+!{~|3=E5Z3j=`2+Q z9MJoy|57e}4Sr(Ne)6~Vsda8u^Lzd7^jT!coAj%9{gQj;*!r(E>Q^lc@0i!4a0xfx ze0blot?SRs?Rs+c=#M(FNyOg?P?B9WVj&M%2q-ZV13WDgw)EC538_q@(A=_Ugw z;l78FsfE~$_~V@>JN&_Z{OO29bpU?^4K+@IT#TjA9!x}kEs!>m*Di_#n6j-U zHZlqdNF@xauE5Lx@L`k*I|>IRJv9BgqCrKmjakyy<3p2bke1}NJYy@|xTwWg$wCWP z)kE8JcK#^KmGex2m9&-tPr-g0WNr^Znv=tfY_zwqV1*o@dG)EJCQU{3GTN;nG4nFw zrx1R*c9G2g5XZxl!z1yN(Wh1c^+JU?B&`BZ6p0U16mt~)0Pstl19Ill!T(d%U;NDz zPzi)=<&!vNMfZ#8YSiPLZ8FIo2+d{EE%1!FT8($`!kH}f z{FD2O!p8D#`A>+#diyOI8XTvj&g>03qiRa#e$vuyy+6h>rH51y!|%a1HDZRW1-)x?89=?Aty=N19`$q_uKV$mJp^Jgd6ct%e zdQg2prb}UwwbPBy%pZ<^M6?0i%i%Pf+UY*VTb#^TlhS=k2Ms2K+GS+gImAbzB!Yhc 
zEX$Alc}#Q+7#NsXfh*d)ALD+%tvk6cG_(bb(*Y-t=__a{ z&>9Vd7mhDVK6U09omA`ACx&0=Oc&YGy7y0K)_h>&9-Fo0N!R;XisatVt$LfJ}EAuwE`Lw31K;?bs577*`-79xrH7L$8K!kq<1DG2m#yL?6PE zQ?u2Ki&HOYVZP(5#`34^rLHyc89bZ$~MC#8fJbIGo? zvrDZmHw}I`kliScfuoow(Hyfza>c^M$H)E-Y=je2WL|QAI}GTbx5iB4hE6pz-!nk{0Q)-VlVXDqR`&5$W_ ztiY$tFteNG+*i+^fY0rGSWN~VAx^4HFYM@Ygv1GO{Vic7YoyaAp5`*OmQP~#a%~ZY zuz3?IGzmaB0=n|LxEMF|e4p3u#D(3v+tl?_e*I355b~9 zAA2%Zg$>hJXNiPlFmb4n&7bqmNeXB5@`pXx6+mtc5#rT5Ml=Pg8CSSVp}Hve(4DN@ zmn2qj^=lO0RByMKk0%)}V6!rCKzIQVW6bOD3^Gv#py&j^rQVH8ajO$Kn8f$a6)FN2 za7r`aA1>IIB)3C;K#~}nv@+%t;V-`Xt#c#>Xl_J!Eb`^G(A99>--Wpp@gF-WXLS;g zHMfTA*|TLUI&0B;$cdjfU_t+UIXVG9Nm$t*Ze0|X5SN zc9H=J-E|!JCl4C7l2S#rXF0Wd_^G;P3%K&k2EUDJ8=$`65PlA2a@wZGpY7< zNy%jPI!kE{2TW$(+m1|oA?Uz@gW(5Yv{+yvA>MWlkBKa$WX5NB7aHWdj%~pT>YHdB7X*9idPjW*HeTm)E~u=!%r6Y02`)F@ccR*Fo2Bu zMGj_LVBMG7M z`?x^kK6aLNi&w3fJ-GY2FEN)k&nSOCG1{S3QJGh8;(n(u85j2UDV{!Q(D~m+KU?$1 z!sf1zyuNH$K;Us_U_Uy{@el^f~P4TR`Zn??cGRm~I2(?M>Iv*Qr2`DN( zN%^Y@z{ZoLz$6@*CuY=26B*;{^v*8=ia@3xI~XKlKipDVW2GQ~+g8qn@)O#2NO zXZjfSPlB#km>HUfD@gR|AJszZ6t&?|J!_SrYmS-DuwrjO47`oqc`-JYroY!SmFlNY z=Y_6Mqm7icXd_#f{82cuWD9%q-`ji49j+-2M< z){E&pX(W^vTR-@TUff#~oZ}dz&2yHm3|m79N|?=I>pu&gd)@YR{)VSzI=29jL~jD8 zsnBGI8%B!D=*l7N9a0CgOILENGz=+HqpQ-R$DN<|35Xh&BDnCfhr7E|(Klt%fXH#-&tYq z>EmWlu}R>I40pM-7DlRu9Rsp>9Dr34YQbphufZycCwLnQTa2HQ20}bf(Y9=Hb>O`o zy|4OZk>fJvvC(dJq!Zrnb1i`)Oq{S3UTBXepup#4isw~IRHu(u=I1|ui;9(BWRQ?W z#W#~@B%nE}kQ_3SAzo+PVZfxWgv^jRo`}Ksv|7pcmBesDRvGWh#&Rep7pm7lpD((P ztKr}grXBC3;R&yIq5c`vq3DDPWbo&L#DG*?XXcMSPoZ62o_ir;+Rs|r41jsp)*+3d zP7tG!T(^s&zHjlZs`l$Cj2cnB&(6C*Uz1gm)s0qKt`iBeLY_yWh$Nr@`#YxfxaBei z1#3Sv47BmD(R%PL|4trJw-@R9F9lP_p4VQFxX$rOM>u2O7sNi23eccI1F+X%`!iUV z1K6fiFt}P8|M>Z2$+s(u;yUXFMsoRN@S!NasBM_^bDs<2?+~hveP|QW(`+~_uSum z+((PjZ{~@=rk$(i6rN`i_F*&C*(-id>Q|URGLj8yfRtWHvF9N6j*ms+&JT zn@2SH^pSYn^){A_P15&R{^Yb0*pp~`sHN2cd!joP2!eAyojQmdjV0`SiQp0N2;J`1 zm2Q?0fW3v){q0z0gH@~zgC^mSllF{avfOmX?0Y2Mh4gfu!#s!4ie}4}`IH{Xzi08j z*WmvB8^@Y>xVnzJ82CjdJHsc5^i{22bJGdmToEz1U^_7!szj~mW%?@Tln)6Th%YOu 
zm&@@mlzB8P;InZ@l|0v%vH~icFE+LaP!mSINz*oegCZc+ghuLluKRMzNsREfy!HpZ4 zo^;{)Y1`FeO6LX*ESq+8ctl}sEvs5Y2RuPa{Ri~iD4hK^)MiYOfl-SuMjW(Tkezh% zCPRgX?*FWsMhkMCH+25erMpQ<g2taZFN=1ojpy;1bKfR*2J}d0Rs5! zRG4LABmk}IpZ%0JO*g?(^_JRgw-D(l+J5i$7SXO8Jla-qtr5zQft)30^L3EBTrLrt~FkmOr?0K6t)9 z?X(v!gc8)u))uS})l>d>@T*=dBAlIBR4@>}NipR^Yc)iK;2Q+)f; zrFoA0CZ{FX_#G-`tw08~&UsSF`{SE~9MuQ+{|kOwItM*H|F>`7uC#wyKXpZ3Nxg`; zKehf)Y;XG?EkH>8_QPEYod9@5@``Qd@4>7&fKB_DSizY^vB7YV-C%?K4~c(4!Y#%| z5>xp zSt8)j65I|H#Vdb9ji34n&{}GEL}Ay_&Zh8Ze4W&+Z*O*bdwWmY-{FC7*kaIpid9z> zR{aLF8aH;V-6CVVXG=$fUrk`Af=tV#Yw>G<0du@_eYW7@Jz%-#Ft_ZmlJ9$2D(QNh zVj|)Sv|pvKwBSVI`y!t-n^?V!;tAdJ`k<4O>~~s9p=ALx?$EP)Cn#6#Yv<#0<&F9&o>hZI2i8V)Lg|(+T&!CO%#A(Ivsy2H8e6sXzup)F> zt^4-v0}h)(ke6P-scjmTd}ECo6ajnM#rpXIk9J50CrzxVqF{-U~fm|3&bGk3gWj+-F*w0 zP2rt7Y{aFNdUP*=(d}O)ip{BHpf5bj+PAl0t4sNh+?8$Qf=5k+yK8*kiH5^dZBv2h#j-`k=%cpAr;H$SQ-##!%*w zhh&L<45(ghz{y+r-1sT{tP+%1;t~>Bu(qGKT0c_bQkQ#@n+>F$ zs{PiOBO_kM;~883JnVbKo<}FCb(DYfi4u=>CD|#5x`60zOX@CFYo!5Ib)2zgj01cd`=~hW^w45CvO@I_*GeVGd>RGqR9N|(MfIgpi zs<9Rp7CzfXLVsJ1KxikUeC2ykOQ#M=UT$F#@*_PhtqJRxFF4W6>{w=fjk9S@Wk5D% z7GzSVxpS@WK4BGt*4^dlk#aRqvg6p(avh2LgjP!8hPZUblI=!8MC#$flBf3pwm1XI zA-5$RdAKI>JgqhomeFU*yBqJ?-eXVv-a7~T?%7j6Ey3lJ=8_k`-)Ns!scV(7q`0|O%$JY%p2ypl z*=v~2-r^2t8pJWE^g&WExmsnK^54_om-~3S@Wd%L?^(E)p3X(uNuT@6B;wYE>_=@q zE3{bwMU_Pp5?0J#%WZvn*I6M6R*)OdgHIsb&a<(27fR^+b-8$}>Oua8gx3MJ?QX{a))Ar z4HiWUTQq6HkP%-{E``3`mtyK!`N(jXT1~(P4@Iv=VVObsTo6DyJ`gc7DDWm$B=$ z6zxT^d55nVPb{9-c2>r5VJ!{Ilz92a-z_`AEQP0BQ69=*aJ}NxT(r3fM|! 
zI())|(rVW9^KR3^zWOF6j-sy z+$7RKiIWJqQGwhxlP)2+nr?jx*lx7bN(Am9U>B*LPHL{50`)J$h0#EYosyQ&3}FnF`X9`R=MYl8RQJp_@g<&dz642V zNLwnYgW;x@w|uP?Pv0(rS?i9jzzy@P3-}w7JH_DALrYXM?Kf00FsOIz^Y~N zmkIlHp+=S@?UZynZdwuT>)I7|qjm+3@83d4rqEE2gH`lHSt8mPz0n-xod7S-eB2VgGrRvfp*cRDsU6rpkAd*Jh$fM z*lw}KQ)qJ}xgHOJhzGEop9kZkLb(f!L2ongX&HwTycI_N0J?YP!JS(f^o5|mEiX&; zb6q{D$CoKzJpuh_U_Q?ufVh(AGRqPthXZ9MbEVBj8v`Dl3ciYBEiv=$;YBj84RBl} z0P&{NIVvlhl~EFKxW7WzhTQ{kv3Ounim(B-V2R)pC06*{xpQV1t*2T=cxf2D28yK=DeeBEpigA(3rX4*)q5^n=<>jpO~D{5#sseAYE()HH8 zHCwmk`}gl!E1sz17>B>DPeF*^zLko~_p!~An8p|e<1OWc=wmspEfe-wdG-!&7&JC+ zIz=Lj{w3mDdZqTvRE3rDcJq=)Allj(Ue|!Dc90m(X5JLr`30ur$yPC0;J$7~Q&575WYSK6K!qu^`jYxu$ zKYej+sbM$=CQPZa+pRja8OKJ49cuT}_w%ZIZY#ER*sOm+Yv_TqiHX&YfA;X%u-tKF z@7`{KDeGchw3#$K?hg;=B}NIgZM<`$w+32L7IFdW84**`TgPSQ=1H6_v(A?OvJN9%N;#$z$t}q>9t=ZDKWx5g z)z9=%Q_@mvDz2utK-Yr8?CZ^7-ApxRNdqDdQeF=TqmOQavn^n_gHfZh{dZtYdra7a z(ZxL4*Kt{~Yd@N#S9C6^E%Vu3YpMMh4v6p<%1C1W4lU6&T_67dO^f*DhPh}BGmb8u z6I41s#cEP#Z+n$rT@FMd;k<@@!Jdho#?^w(Ve;x^QvT)$uhw8h5|7 zS>4&Sa_0Hlx1N9o1cZLzd__um>#KbmYY2XW)A&66C5 zHaU>~?0Hg7ThE(s-p~6GQstOXH+uRG#cYH%?IA^hg?sz{ zSKwK`&&aU-ALSqQHV-;5N2SfACpTXIHX>1D)7Lx7N9q~<>2}<}X?@c1IaXf`j{ncp zpSYwDq^l)yD@Ful71rUny4!E~uI%`7=SX|KV<`)o#v4@Isq9IdS`nyK(Yx(`6_}gc zCO0Kiu7S?#pBuFvgbn|8#LKW@NX!3zmhON3_2?hP@88*E_e3C7~>R<-LD0`7V=bM|`GiYEe?{NY1Urtrb284{kRZkTLQfO>tL6)`WiW z0r!?=7q~E&`TyArF?0y-6a&?N1*2{IKR?l)|6iX-(dysw*p_Gi(jNMsK~lfI-lpEN z=)PRn*y8XtY}T1e6;JOyKXu%CP=l$VM~(iM`c*4M)UTF?CJ#Q^+Z*BbTwK2O*7%{s?b;?!%1Qj6S91#^Gjdw1hxy^AJ|r~db=yc*G4zF@HWfH_VNpZjE}nAAV^aCU1}VY~wP|X-CF61T8F5c@*wC$w67;_r9h|AS~YAb9R={v)*AEK&;;D zF(Wv?X-X}fVzjk@CAV|dD}|z`ue?$h)Q*mZ|E9F6PmHsbP7p`hWrS&ZfgimK;~6Ui zhTk`_`dfBgff}j~3W`Idd2%s|^@N|Qv`}LJWrW6TeXh9Q2Kv=0d+6tU=CFwNS`0$V zJsCHv_-Ra0z~hYXD|P)O&IaWU)&-xvemu!?|I#V1oNZccD*qPM(sny9?^Wl*!*|`= zX?0f0&EB(gLfr_D$T^wO-LCIbO4R#NeD~zq+P^}Uu5ad3a{B$l+2209s>dMbI7n}Q zWXdd3&|#V(^ZKO`ABwp{@BqYXm`z*I;1;IYZs(LjT&k47G=(H!MXg1W4(<0*hT=$p zzx)cJq5K7aoTq)Ihe1tB-lZK7&qOLzAcN66zdvOZBwu2Pi7AA(uz71XU8$6SO9T!u 
zx8G7L5*V+aXG(7+7nn)b6-(t4qfA=XTnj{>IV zUy7(U_ySD15Jyy}(HEjbZvjb%4+uUescC8rWDq);flR-{M-fLRSm`w`zqQ7!L;^4OcVSJrhIyoT7&n@_v!vR_MyYDmYSnv}zjW<$7@7>bRQg_NcjBc?Lr*au~#14fXRQ&u(pEqqeRMd;}Y*+S1jWdhS zcIj>Cy_C!UV8qy6#RuhCnZJ8{?!=F~87^}l{Y>jrcroiopS#QFUe(>*wVjS%SoY!I zh>>qy`)N=Vk(Hc=M|J8DO*k8Yc@RafJQs%uM07%+-r@t2dbOhBCT9I<+nciM%BjwS zeNE5mIM&lIi;*2B`aI|&JK!Afi1IRBvt{~tKEI-J5Qh`%h=C++saZhYOyAkt#F_{M zNniQ&Z>#g5<-^ZHCS`a(+gm*pVP6 z^|QF70GnT8BSM1!%n58FGA^94f6=XUtg6aTkD{put61Pr#!d!^64Mg5a>j-1m2mPR z&_s7NB~Y*WN->)H?-2{K*WA*F+a*YjrtPNL6|7Ml->NWn5>A5HIru}-{Ug47Pz>0= zhkPEHPp~m`fYB3~%UhA?wxztvhMqaSwRYW#a(o}rSU^VPys_S^5jKLl3pEkn8CdQ5a(IPM7BiXHx!OlCAq zJvowKl#xSLKVLr3<_z!b2ZKK5U+u6$TN!64q*!;7-Gs9aeybU24)Eo7Cm}&>l1e$n zpt>S4fj*L_Fsf-+#-<&(`Mm{^k;M6ohFOM)Q=fNkbi`ib`VZ2?^ectz@aLOXi1=;> zwnUnsPnn4`|JvlkeN(=#y!>KvZc5aXS?5m|9T_#c$%=y`e@=5)v1Mhm_TR&oY%x>x zuk(BnFt2bHmydJHqQTIW(nfI@dSp^iN-`qQl9o+XQwE>X#fhRAEr$$`C8d6h#_}Zr zK>}cG;thO>{gAC6H$jx6gyEu@}GzBQD znQ4j2q3(m-C(sVeBNI<_*nbaz=s&8h%ueI*l|D(*I*B@f;VG)4Z6#$yIVI^ z8S>uy&EC0@p-9b;$k#8xiH}l8eyJogaqbEaDTd6guyO}^K@h^p-~(@;M5&OLonxOx zk;(kxz0vs)ANI_h5$p>?Dx@!h&?j%d0o^#! 
zVo_IRWt)~dx#Tg@nAm-MKVM|W2&-5;F*AR!h0sA#FbgxEmC>PgBOh0z@*+DvLz`I2dYnQ@a9SC1$|0xF-}np)o%;>7Y^KNQ zwkBqGgDgYJAUg=O!;Q4IZ_y zdA<0L@dF~|ZsUz>Zv40qrMT_>Fr$dW%p#{BF6Oi8*L|nY%mP0Fq-zoKxf2&mWB^)u zUHhlE*G2eClwSRam%}x)PKaDR zUJ2aB{L!#SDp&lJSc~Y8<-P=#km=W4X+1diSWhaqasqYjRXIHy7^#$?s;e-n5qJKr zKG`<0GUEf5M|7njpU1=J%yrBYppSz-D{6s`sJld~$^Qhvkf2Mp5TNL+ty8j&#=@V3 zmjB>Lh5`Eo0jF|1n?<9;d0Gs7UauR3BEW>$1?Z)xtRBW_GX(z{Lg{6dA3xSl?4orhv;tYnJ?Z)Pk<7m~X2Ve{K{CAdp6{E*ab=ulO~xk!k!!Z9F0g zhBl84bT4+Oao2dq(OH;MSvI&X$9yujs|kR`K+$JfSAHX*bqNJl#Ft3BB5qzq7IvTE z!#gR^{IRBA-|;Nw$BNEvvCB^|sWT5QuQf+3=T(%_gd%>|#tC!Z+54ruHC<_KEkmOu z{|xZFp3%6B(4TjbPw#Vpm^ia2eh+eMekpcZ8MZ?4gWTwpku5jX(V2l0<4j>I5%wN{ zK<;n35jdX;YY(>yPpuEUKkcRPQfRli9i+mLD=@*y0Sv6KQa@8&YZ)N;`rxS225lO* z-xTB8@zIqe3M;YM_}w=svTglho{ zusVZhXM#+f(H6q(Z0T?)wg!XQ+^>|PRRI^E9 z8M13tz{UIvmgEK)OfS2QP;+PPb1FZ-f(5myzOCIg4E($c-t ze5)I7V*x1k9GcnH(2+~DH(WYpaL2+i{_qg{2~6&x)8pUIa90}BOhjePqq%ZcY0rqI+N2W%umh= zZ{9iaM{D2hzelk0IlF!9J0;N@or{h(dbdwOh#EGN44DEgBz8ea8Hx;<$|`w_gs^q1 zK3;cu?dx7WZ%5j8J*ZBe_A4)A@1pgAfq5&N4p?7Z@9p3>ifOa!@`IJS-R==yR2>xc zA1%Nblck|&XBH*@H1)~S$#+Vku9nPS@elxMl2jo>!z4BtJLyo zjDzd9e4s#zMiQ+?v$O3=D(qopMT;*IMx;gOtTMXroj*UnQ0(xnD&k?WVX2Y@BfdR6 zJSrMDZu|RTh5_oS*KZ!%Nkr=4L#SdQcxOP7Zw)uZ{YLTC?Js zTrb!*X5qqs%*(5+tS0h!C`(cYm9EpP{rb9vtLX>p5&o7v#sWH&MV@|CoEdZee9Adf zvr}EXX6{P3_wH~86TX0rm2jh-wtGVi+qczL4!MN>dArX`|5zqxGEvpih_L5+w}pRIcRQ>1Hb&$c*JT~ z>W>B`&!PX>uY67KgB~h@!R*l+M5SIP_jJEk=cvX!ec zWlD8kL%+wxnfhPmnbdy2_AaN@BBjZZhkVqGrzx#6MzYTBGYv2>{muZ>g(maAef=r~aM7i`qyZUyX+lN-GmehI#f{h3m$sA#%Fxh0pd`Z` zt0rk0#o7HL;U-5#KO2T+j`r9Vc4*}+tHe3a^cvjpD4K4lGwwq{ z4XcR*MkHJnJmC&4x{kCUmqT==C`6P(n6A77(1V*VnaWqb_+sbkcHDmu@={X4Oc$2e ztAYkdAO;1o4c^jVw=QmjYxNwCDhmE-w$bAQIcI2t1M8Pa9G8NG9Epw)Dzn?w{x#g87XG zuIF$-vb4=P8i#NCw3Tflft#RDdV%{$1+t@Do{}}i`q{;(8&lrFq^7ofs4awQUi=X- zC9>7l%4|c5K2f9_ef36ZN$$!XE?ItsmcjH=k28!q(b2g}2hgO+-llHBJ9q4Oh*8<{ z=?XX!3jHF^RD<9Z8!pvE2My}Uc0!Q$nmU&C!HvwU=^z=?MC(;tTgOB3a{Gh7Q<&yE zT`9Fu#E9fFrUGKakS&7NPpUUo#EGnuWd1;+52@n{DMkfMz=CA9Ox3xMbRUc9J_zEh 
z;AE!6`wK-H;-N6qP4jap#UfV(^R= z``fP3eIOo>fq+15&L7=5&~cEa;5S+Ybj zqFLKiQ=I{B?%;Tk++7Zxp1=!i=GJZ7TC~jnI&}f(oBZ`>7d?;*#2`_bduHAZN|}eH z)%OC2`JyhCVTqI*+$O*}eY3P@arYLli42Q92Nm+~haed6EPpQwo6w z(gqG$=ZK)=HzSpujJGxON+4_(NQ9W4J_PG}IST(2<%qULE6M(69<-hP52UF+Od_ggj(HH@% zm}#F-)1qMP4W!x$WihcgYmioB|0phgGN>LcyBqP3@(b!}e}XNv?$~h>k1L!PO0j+uDE*Pcy;^ZbvAAK>As&5w%~_t4;qRGPp=(#ijOb0 z6*RJZ5J3@G1Ls?lHUpF*c3Bk*M8|G7%=cEb+^At)qN7yYjL> zfvzaZI5Cy~=E)F|8JxDD+`_+|^o9+y=OPN;SwL%z{5&1r+xuwz{K=br z!1X~ns2@?p9xh*R7I(s%E(*Wo5PD|Dn06dGbTCW!YJ)Vr9*5BYLpS zI}X_;3}3Kf?yPH9bx*CVU2J63IL5cvxuxTNlv)ozsTC03^-}s!m-d&s7frMAoK~H^ zVA4hVLGh-~*H<+;aw0p$gE&t$_LmPi3V1_4~j6jb@{W?&I~!Y$kd9=;~Mg>A=y3E!NvQ z<=aFKKUv{8_F}N1O6I7zsj2zJg@*qk3)>%px^!Y*gh6e_=fH}uT`za)zoXkfPl2D_ zD`e;2Pvr04w99zh{{>z5|02hxFw@p_SeySoANef52)2L!$t|_+|9*!29n(hi@_&EszyD&n z!T%lCcWd)?jY|UpSK23d-(5C0L@#%4%=wcQfo;A1`zUU0PM;D@ve1HlP3-+m=ARgM zd(YRqz1~&Z-al`>vhq;o${x$@kEvDkd*fNxz5J~~Kkff4tg*Ykc-_g#aR{++Z5e?( z@(LSe*xJ)R{oActdHU_jLv1$4Di5AGhOx6=!3{!^>PRxEH+Kc>L~vZ-8Gg*uo|c>m?I1HH1SKRK$zQ^^m_u5}oo zu8w@7kfJG76Mf`IF4E8y+at;4m{kmr_+1ob*1A16*_$SQ0U_w z(MB4$kx);QE1jid$`-Xq;HMNw1=wdPP#GW z(9YzSh`?|_9nA?-kuTkdrp{^ArcIL2c|NeUdCOni`+Nm8mdv#jABNuFRY5S{RZfG@KuUNDN&lBuseUa1Ycwtd z)%`4ULC>_X#vRN=V0G@kpB`H>_{rjV2W_=NSSFr#Msv72ZGim&Qnlch322TQC5Gt^ zu5n6)jO@(rF-zv&i%SNWUXmOnM+LwV#53+uu{8`I!kOfCfs_IVu(~SDpcP|Y!hPE4 zqt`ybgYwPComqJHi|JcXZO~R^jq^NaZlxSwcJJ^Q zsu0SWi%vCK4@oP&>$`e`cK%SY4q zKeUUQYshjKO5PCTp;Ic(yY1X*gaO0Vtug2uEL-hN<>#4#K?we}A_zD$95GC4B+f7e zq3lG&8xKZvDIc7oie7-@;pO_IpRfQ9aOOyJIuJj- z_5FE$R=Ck^E$S%qe`A~_qFw2sXcJBn`^aI!1aZUpwzP=SdV{6SVAQ(|@CHu@{|KY; z$;q?D#V!F4pdc6#|DX>>&Y!~a6PXw6v{OVyWqEnZz<4?Vr*9?U21;NpDgfk|PwSp6 zw1;O*CVC;oPiuvJUtaW9QavrKUtr#&S0?c&XyJ3NjktE}!`?r?d&{Mi0#5!GP5z{1 zyXwx(ne<2bvu=&Z>TpFg(;8?h z@j0hjIMODf(tAl6s+cCbNU~p%u%YxD#fa7$D4+o@bQ@{z_wu^MH+46)?%p!f)Oy_Q zOpP>I;U^bdI&&i$K`7+D0c!u0J)5w1qU_~u4M}oqnvu&-f=dOJP)oxVeiOuv5F%sc z6NoRzVV?P;Su^Jd=URkv!n{z}xi;*q7np9*W!YdSQB9M#AjG10!P0=ar(v0*0$mDd 
zsu*uB12cHIP*+I#GmeG3EVHJ4Eg&IhR^BjdX{Zy>Ajn$+bDX^MZVoGyZ%3fIWVq(& zo#j|fL%=4B0OBMGEf?!YCd9i|%Pbw_6Wc-D#brcc2a7PiWJw`pCTE_=y8bgfHub^eZj5V@?O~s@@V@2yISmBUW zxdjCU*ZBjZGA)wH`^cv+SJ6Q^6{zLAmgA&hmAZHl2LWbQv`KLy(%Jiph*SE`IR}mU{joaQxS$X zdp8C5KZqj-_cV@Op{9`!XT)Ffzv}6*X_LhDKvqmLGwUW^eDpMp%bG=BxFDGg;v!@6 z0-NjikbPe4ub?${b_T1y&WeuP}^2kU1L7z)Wa9)RsrMa2mu%`i(hyZJ;6OrK7Cm8p7yx9HXybvHJa6g6k=&xl@0QT`TCq37Tm~! zk^z;2U^ETgxPo3#B>40tBcS6#!RbL3%C1;*V-Z3(AqTgeGZPTn1AEIvJ2b}+EXFN5 zGGvulo!E#t333L@xc!tTwT8cP;WaR5|`F86h}z8 z(bBTUmjV~j{|He`L=fvy>GM}2nqRRh#HRv~-FH+iyvc0>S-eXp(y_{V3P~I#4ivt6 z;IxV8q%nEj`}`%5gPA+qZ^{u2Bi!K`Mn~JzOoDIB1o69Qn=gJ|35t^az@t#TR8~@w zf_b!_XgB!oGDifxQ^&0m0|W~h12r!B%rwpjcL(K8;{=lgC@C6P0Sep`d+GCKR1sV@Cn#R-LG*`)N6V{zG?=Z`^W8Q~pnHdh2$9zr=qUf{Tq<*D#<|1J5_q4l-LOxJv~3wor}@ag1+eEs?1l8Rv2oGdY)5 z!;m3%ye1i?+_Js00oUbx=3}#0Q5{eAd#)Y%oeNEsdH26p{`qI71`kcifW_Ipi2?K4;Kc2*nqTr50vr8 zvr1%!6o-=_U3?dr1SgUNZZt^NxldX&Zfa3jS7y)Np~4P>FsJos*|Fm;qV0GN#gOIt z->;Ib&FN4C1Zc^OCj=?(Jd1OdmCN4T3ygH?D*j)|Ac)Br6>gY)hI8~Uh@x}&dHGDy zKh1T(Kj!;S(ou8pM;ra%0Cd=Cnt4WIBoH@x5s|p zuz&`LSgbX5wa%fZnU@O9)QQ)$gu6z9bQBCumjcnA13i?}h=e8a5E>=m6k3Z?Ce>#^ zWI!Tqbe;daZd|~UeIUtuH4GfpT4>!?+Ix(ARiof<`CFdGs3|RCc zi}MyRcgAu}S3;eUnIGi3li{D;))&gmsCm~mM74dTBBQM=e=9(=C%IjZA3r`e(wra; zkmVG5jC*tm#~%&IdZ%WMtM1J3DQniODZrxP-L$<%_K;rlyWP5WJ4L;8M6=2x@i}9f zzI(pofpg{)DEpiGH4AKOZ37IQkKR1&Qqg<2TZeexqS^Esz{L}Rai{ED`8F%u(`dJr zC151ihp5AN@%ZVrNCdzB?Afp+#Y-(-5N~xCML|=a_&sqDg-dzTG6GH<;gn?p$UZ7~ z&Vi02c{GN4(e=|}bH7p8+P2la?Zx0)N@rIdFD+Q_sydZFzH}XWJ!JAB#P`&RPmYbz zjQoyLMuxpd6o(kx=22J^VFMDoV~jg~&TLICr(pAIQ29IW1~Mjy2CrfZU79#JttVAg zRcXJw?MNmkfsidirded2T|5fHp3S}taFUZwe}m-h;nDkvo=kYn^|*L99)-OtX>n3s7C0Hv_rVByELVE+Yq|@Sy*-gPc@% zN%&h34{7fB(KGjSp*8P0?B$B1@mt=l)1wvedZ|a#as$e;UIRrD#PJ2)9baV}(eY&H z)Ib_T%Y16J?wFJ)Ir@%pnXHC1-}*q9g8<% z-uTUK`lyEYU`stNw(HzE>IZ*k6}Xca40Rx7m1_VA;eK6hYD{7;UC)&XM+=T<>3bMQldz zoqK7L#q2MCNPv;_d)$1%nf6tvyd+nZuObmzx~-;srTR8ayG6j*`vN%BP--sbo&~bH zT{~W}22n6ry0i!V#|$6-&n`TH77;geqqdvkGz1SgSv4Aw>4f`@#7r 
zmkXOq`F#f77@m~M;0=~K@P1Co?EQcxS9yc5=i2jpYVW4;i7;}VpcrS)#G&ql`SQ|e z1AVP?D~CIOYx`3xP2|odHG{O0?!3u&TO!e5a5M{ou5sIOxJ&R%x9S_?bNl{9ub@0N z{ZQ?&Lu$rqk*Td)?5W#0s_^yO`nk()4O7REBdL&9ETkEgOO`^ zE!oxk*}5;Sk}oGs$c-=N-qvukox0ffS+r#n5%W;*8eG28N!M-?D;Bm()8zB}xX#wq z?p2*9LAeLtTVa0c%(s>PEj7f>vB|A%%)q4KDy7$!4=$V$F=*CcSscbq{d#OPK(I6B-Tye=|AA2Y%UZj?;{rFrL z+6gnOqW2Bjm{tr^pYo$y9?G8IK9}WtqTGSHmIE>pzi0QIS(EWHhea<$($nQOx}Ab%6w!1 z6Ok^(th1dui?F-l!-u1{+86zTL&R`g(Sp8Fr=1bKt+D0kcR1cCbVqXYUj)jenBu0Z zw#;pQ?0mJ#rqt6s%|dzu_@ngs%#+e;?$~?xXLY>+t0{d% zxAiygP=W2kOAt-QC`i{hVk$(pE^PnJIf^0h-rAt1~wym8-smckDpwty)jZQ*Y;O0Uck16W^rFwz^L*D z%qkL-yXGY*$96d~;Y#z6p@&y@d@!ffqsBLF=K4V+9R4zh8nei1SKBq;hG&&f z0k?oq;tZB*kHcOTI}M6&)70zC47x>s>28Wl(Wzur_|%RYNIVMObO)lBv*NIO-DVDF zw)}J?(q1x2OH1$0g~`3M95o4@P+r+5%Gln-^U3> z?91Y17yB}J2;b#aMutYx(+B%=ldSkuvQs#t?C65$+||M)tHOS>nPDL04+81Z)OF+D5xGK1QLNk_Rx4+*Z* zT{m+xU<|k5ZR+sCI@LaXWYDVwvtt;N$T~SXS#{!=)-Meo9KaWE)1kv%CL2rGBf?(` zngaa4Dz~zx*|OZEN1nVO&XnZh#JSEDP-%8JkT{Mts(nZf#&C3*g}BQMg^&`v%jIRm^Y6g>wcXSn0L z;{5Kn>G|Q2 zs_q{_uim`bNs$5;CV-()w^y-e7Vl*^0umwj`Zv0C=^`(QchWI*aI($wED~Tj#VKdB z=D&%LJ$LRHHW&$05wThS#5Hrdiv?=rzPUeS$DZ0Bf6}qY<-|pqGtJiAd>k)T;AVo za0C7kdNt0hp$J9*_&Rx8!Wlu@8|huvmOOQ?iUUx~b|#cvFqol*0iP=?UlYBH{_l^i z@FJ+(Ecp?@+O$t<)eduup5VA7lv&30gw$^}c30goPI%mTH=$G9KdQ+oNSL&{(buBc zz!VZmdQe$CJo`!bS#xlwknnJob@P0^yey&<+mx4yc!&)#Cio%pZtjj2T<0_NY}&ut zachr^saZ0*a89$KE{m?$b6KHgcf`8i)Nu2M!Q;0$R4qMfYUAHje?dfG&Gqzviy`@` z??+@;WKFdg+F{Tlr5A}~@7x=`E_b$W%N;GxwgZQx@}Tok=hoKDu`w>J$UX7!904^n z7M70={zx1hH8+OfiG&{&hN0#L!ujvAI?wIHFp3mNTs9U&X=5v^V)d@?o0P|eWR31_ z+UE7g5oXULKf68+9a>_0DP8lAGiS0pY?ylc#N|;X%eLQF&u;Y zwqCg1HF?{AH6w-H$wT2+_VU=dso$?}U|yVc;k4nDv3vLQGP{vCpkx*T31A6Y(Dr#`rE641CODHd#wr)AUU*Ooo;^%rp5kbllw}cV8F11%>t#KA0*8 z8dN(qaon`G>REVEw|}|KJtj9tpRAyhsZ|?WmcGf!&ArJr%RYZ=JAMf){?7qRw*Ti$ zqND$s7xnA)4DVj=e>=Gy#>#*t-I}joCv}h8M%muq+o18Q-_w$luiqSd)cGIFe60%0 znSP=1*tjQLeL+Q=WR!FO2t}`dt7m>YXf*C$AFuoPE(f;$Z~OcI$M0u`*T4Tw#b1od z{IBqYB~{pn-}US3{_}s5+sM?cW&`7#l}D(&Gfi0^qyD+eyCGRK62FhinfX6I%yy_D 
zla@?v+r`gWchW&AYTE69{JjSb*1kJ^q`%7;qXq8uJO;Fl+_C=Eh|GQJzJdQEzbW5o zwAs;dr{SPK4y15P&<_;ZbZN5JrFcR;6^}iu*ROMWQdn}I{W}Xn>y&0ZXt6gq@`3fNBC|FQ`k_V#Fz6v_ow6k}D~sgj+vuC$Ybz)zDJiDK zqHEQCjvNKs9BWJgZ0zaNr+w>2QJgxZYVxn{O{1uGn--3<#vHBqh7pf#2A7nSC_W3T z>+*A`tNn~92E3-f9mXHyOQQtv^yYnP)d!R8#Jf0_aXD%k?T{Uo(E`flhcs={xG^(MB_M?YABV;;+Rg@= z4U8ztLQ!zwUp^1qE|yc8mcsGQV#A_!&>WUP#&}aD&EM#FW3nKpKyzra~ON&{MT#rc@W|lMDM{GMac1b?9yzE{*derCH z03%s#7{Qey8CjxFKrA9zd0T0h*w%c2BAU+BD*6m_LiOl1juJ?!AZ5$)<$aNQ(hoL3 zbj0_)MPh#r*sjm0xmZ=E(<4gaHHA4yC+LHWKDZ0vV;?t)$6z0qF79ziVO8J38`C@O zY}Pg1D#%%1G|o1$sY7YFx!T1EE9R+BLVn}WhvREB8bnmEA0bu7T+8NcANn)e zHE{}RF4|xjHOeP?Si_*%1bFd5F+^8tJzj#>jJ8^Bn+cvOsQ(F+k3d=J<#v)RNu?xF zzksK7*6!@>;r3>q`KZF&0`VN_bXLROS*d;B8P_fRien`x9`Kq85&Nx7@38+sLd*dg z^euVF{i)>r1}+)9&&PXC=XM=CCiAnS16(L=BqbFlY{bSKh>F(qo<&ZXAmO|XH1eOg zJ`-DIJ5d2k)+fI^=h{Z*3^Y2BrdQ@LysUa!oaxcHJh;b0P;Cz}H}>mzJo#h2zd}f@ z7_5EeyLrrwWm{Ek7l*o3o^W4OXB%p5eEd{?P`K-Tg$VE5rE9etzlh&k=l8Q3Q+XvK zFhUE=EoGc_NA2Y;MW)5dgIbPZv(WGxK;y^`nRK8B#r7`#dpTk74*|9S*cWdqJ)b>? znw)xiu<}tx^30gAzoL%m#-mx?JiXaF<4k`D1J`hJUrD7?gQT=KOPBMoQnIr*yE*;8v6bWVU+` zdLB3uO%^5Er?EWdX7yd?fAD;MTI)K0-f=|k*D;R|<@@g6KN_cmcO5eczP=6ilmSW- zB#+QZ$3GFQL%t=STwa4cqtvO9fx;v`+smsh58P5apAltad0fj0Fs2$-IEGAFpp3h_ zck4EvT{4w1mQWBzK+!Z>zg-vT1BzMv9^_jo7SLM7egAmPFZQ&-1k$@jR09+fO5UKu zMQ2KFOIlU=aU=?(muq0@fWT!5U!L`-ZXC7nX!t#udP|;<0-}o(ybt_K-lS^@tcx#ZaaCerI9q=$(+5oarBKczA$yG*)=f z(jIDx-i4ha+W?rDX?O0Bf6#hAho4Oo`jOY@H*{?eiD;mjUY7P_&LhNLMco&gdd*=k zp`y4Sov?YnFkB=vY`yoSl3teFjR45@{@+X1qw0}-OUZvOi~rIE)uWe6*X~D;r*H1! 
zur|KU+3=GmPpYeU{jsFtO9VOXXMI)M&7NI-<-mt^Ba|22(#=nd+2>QV;Lx|ZN{3#r zvr&7r{#%{ZXJ5i)$quyOK`CzA17dIvfeOw0U9L*a$JB+S;0E85QSsdVvoc4*XVUDdj9X(5dd{mu2A&PpShr(P*s0XkJwB zMn1OrXYvA`uvzt6@H>`qoXZ#h7My=THl`Q0uqIY^7Eb7oJ5tqpqr*H;zFk+_{cHXYiMSTpL|E0w~UcL^A;T0GAo4d zg28tU9gpQxWD3F=ae-YK`KO2*IQhL4`dTRFAkA>cAF(+=W)2ebJUl-Eb%mre^L9@B zcBFeuyDBnH_R`G2-UQ;EN{hSaWT3DVnPIrolwdh zN0E}ck()%o3g8WyK;*y+x_>4p;U1k{Dr>*#_QTVC9oR{1D@iVx8z%b#eqL+n5PA8O zSMx8e?ws$o^Tgap@A7}^;yef{%vKlkl&UdMSH`?2ra zw(Z+aL_kOZ9-OemAj31h+7$qF%mFJDPklN=advUZah(5-K3xSo3*Il5w7G%`gFMpOejkccTmxkMVj?3XMC2iG9}$ih zC}H0pT@_VT3tX9iJ1t!R<0T`wP{o50=Rd?`14F~e{euuv5akVV;ly_kVvtQSx#l0<+)46T9ca@8L|R?^o{ z*PeCH`N}cOpKGlzDjnJ1F2epd&i%nZ z_H7lfY-nHtKH(c$R5X7@q!|f2(jHFtM;EvjcS0bA*%RMOW`0j^e2LkK_)g?K%qGWb zLh6e3n1vIL>PoRUx46t%pEjq%h8%rPeSoi(dPpuuk~Pr5S4s}%p0Sce2A5#z;^Gp; zR6R^fOKS=v<>xI7U<%ptFD&fEV++k(E)Rva3f?ed6fWFbmZ915X0O5tHeLKD*61tT*lXW=LmQkd4 z7?Kb;+>aGctO3Syq5b9i-aOPN09LeDnaG~kizeV62pDn~LanAbJOe=;9JtlcsEPWB zIL5q9jXsSZIhv_WreS?ZqT7bv97-1JmcsmXVVPKdf;b`tz&(2^L5bCooz4Z!1tiEyD(%y7HM%t{Ku1SMA+!LwzTNs6 z5xR+~!2;|lm6*d&`r%g+%NA4;aN%491q3c^;<5y~7*i=LunrL>PYceQ0wyE84WdkU zdUk0yZt2=+T3}^xafn9h1M}hj3!#}PDlo#KvfgdKurQD}c&VQH6pzq?Mg^W=rAm+r zLz#=GPn!&;{Y!b{)Lz*7GpiF4?=B4#ZJ(-LIr4Vf;3DPoX1nPKN4IE^Dwi!SM~ z)ba}AXnf=PP{sRSEx;RpglJ;OiSptYH0sdWh=3zA#U~P$3m&6_%~o2>R#!_zG*ehm zzv_fYLpAB^I6gI{^>gA%kx_TUwjH~#J2$Yp2@h=gsU>>%T~dPB%#LS;)o=+Mc)SpM zdGF0z2dpG%(k-KX9GB|59Oo;lIGe0HKYO%*m&d+}0;3KvUWzl>E(%QgmA}+bX67Ba zp0_A0LIuRdS!&!f4elppV#6`0I>!M+U7j6WIb~`4^RsJieQcKWt)E;UZ9omY1%VeaVvH3di6qEt!W8!7 zWH^j|W%DL(dhWjx#Rl+;PQwdHJKN|4b|%ufWV{U|2scoy<-(=G*9B6lIL79CY;h}G zCg+`Tf8(N$I&qA&%_i{HAwrR`fR!No!?e<$hIl*RG085t^8q;1E?j>2%p*W+{}R_^ zG9v&GsP`DXAvPsSL;PQ#b1j43I>O56g?f5E^uN%hN3gd7Qu>%}%mW=QB6csCrok!MI$PFLsW z;jgb~?Rq_hpl(N^vK>;EI!$`04hR8GN+nWzqe3Th4Sjhs2=;>6hotmI)$`0Ja=DOr z=;fbMRZ(%xvQ$E*N;}cvwd~>h$yTj@?VhTSe{dw$LB9&=L}KyHha3dSMq2`a2&K%( zDQSnf2xC;5*d)xSE--IeT*`Ln90uS(z zH20E4p?_YUlrQ@|6jEq6_>WpExby%}3hX_rFS+}Lkv|ik32-meFwXd=DI%H3rTzV_ 
zqC5Y*?db;0(T`(d1=VLU@)gLyLvctkPuU&EJt@!Rq?($JhB<}Uz~PSE!06U73W1&+ zLKJYz`!Q(s(|g+(6Ww#LNJ5gBAgjE&gJtT4h)HGhEBq}^J00t}OF29~SuHs(_F%H* zVg@l1fgn^NeU4~Ep|teXF4<>lY3Zk**^iGP3r|$`yxwlmOcISV3@M1z+g=Z8#TNLl zEG;e{v$h0G8Wgk|!VmQFhoXVTvK@P=K~y-|GK=}a*{kj(Y(dxcA^$kXO=lPA5)1*0 zM4lfC&m85Eb$yLYMOE~8a`R;v@pQNhYy$as3r&Sc1`-jt)jrTjDjh9gV}%@D01o0T62p#~8e%vB0zDYl1^mp3 zW>^_*q#$6xB?4F`O#vuiHHVWxYGS$vnP-)nnhN(sonw97y}j4T6fOQm+z{(7uy-$y zetGuh$E+qMv|kvIzADFtKn%JEg;Jy`;BGDI`u}**5w$V=k^d$#c10FCUP1SI-nxzA zO{eTeo0CHmfT zTXx5}+gW?uEp?}sMIKN|WH5!RB$v+bVi))nf82HA!(l=)1KsG0)cj`zN5HLH7QmN? zm=a3ZsvI6R5k(x~p@|9%t`;yMB<^5;qoVW)&O*<{LUnzAG z{YX7KByR?Of_QHhVCYwF${CvI zEyXshWg-}AB;_^gi-!J7rOxC0fCmZGNTvn+LfjYXIRleQgZaw#{Rce~9z^2HfVHv_ z{{gkWD)1N*>@hkf!G+8f*h7zw17(uJ!&2~8H3mS&VBZq>1RAuxc%kIHBEeQ+(dzsS z8@}dqp6I9RiyQ~V_yMwa0K$s;`rK~QKL{5O5pp1Y9MxUw3I*)wh;$v6Sj%~gF(q{3 z+l^^+jx%U3MQvEyG9DW)A&HP+dG-v?NNWO8$L-Djni%lP!rh8hh3(R_F@R|cc8 zuBrDG{B5k_Y7;Xv0$aBD;+rzW6%Fajg5Qf`JK+Wx7wpn zok-7%D;W2KyW35lF~Xy)g^wo@%3njx)qazv5F6fI6-;8`Z2}BQ`NWATQ~*)h%QRYQ zonOC20Q6nIaic0yRnnFL9E(5>|B)Z}?`1I?rn{s)FUH6Bs@IpNMpa!BR(are$&~0Q zbSD0uEBx(S|KSc`%%*2nYQ$9nu{YxGE#j4B`5b+l?_{RD$A);rmI@uAS7R45QpM$X zuA{g>qw`>a2d-JY&1aB z-taz7fd-YivYMLo-pwG*028R&OB`=f2=D?T{A?h6huWvLdNFEqu2tOK0`(ao2936O`n~!p zF|g^OOVM(0W=maaP0Nwm{xXHvM(RswbduIyx%I4y8O4A=;}l;4^>1 zdT|1P9vQA%ocrV|MDHL?$RI?#k==t9!?@!?W%TW*OK~2@ng;zdF;vM%RNh))ArA@C zf0}gd+4j~3V!_GKSX|yNWl{;MOCCj?f+3v=25DGy;$(q?{NQ0W_Wt(M`B;8o=|+&j>3PI+%-hMz>3M<%>2vBp7Tax*x$R8u`j)Tog!nP-U z7Avx1%jJ;%{l!k}=r%!TI-oU8s)GDg>E5 zu_`1DfH;+&3*$$_XFp!i_X^TE?lg7DHtPj&&y{7zc5?@RQ4;Ph`+J2b9kS^Y6+0)F z?r<%=?0QhC3X@~m9@$zx$tLrz@2fcJ*feVCOuO`lgWGhle=R|J)LH=@b1zO^`hxC9%AnAZ?NGDhkIp%D<<8c?w~c!coGmsg4o)@Mpu^qcR=-+3kT z(iFl7B9W4a*Cc7%LI$jdZXqyLq{xC6Wfwvpi~-;v`{XU@$y5ag;S3luC$HXJF9TBd z|4>H4or`s8T5xP>Mp+7KSrB;?Y4}1&#FSk;(-jEYfFu7JA6K_+#{fBJTTX+zrGu7fVFYQSt@IBwa+tq~5}YA#$y_vEv<*`W+{npnTv()YDst0|F8g 
z=t&}qUyG$>grC;9F8N@Iu&jjszLRHBgo5AMS{3+jhj|PXe>3tFtpDs(=%k;ETv`)l)TzgYQAXp>KM}ovk#b&Y_s4<-qaRhy%4=f8)kdg_$(LhHm>DLD55BYZVLpdB`0Bhh#wqi5{;m0sPh7vWa zkMOz5LT)RUocqgln8xz79Qy{#Nu)dIG$Ue2VCaxbNg^A8k<`PB`kVQdf>5F5rt3Vj z$L&Z)9AZ;N@OGg;2}4_sBsY^Vc>W%8S}+4SxpHd8e*xI^ZAGqorCZw&!n@%-h6hAn z3E?bUI-He?`5dDNjpBc!kN3|v;etnFb!Vl&TzTg!*=lU?UC%I;#yTs>xb0--;y(7O zPQ?-ZieBePKknff|304OtXKsHJ0bZRc9pbhXT zH}Q*vD*tv0z*ZUTha!l2FyNSdmkYmbK(|>d`s*X@(5Mb`XA>BS;$}y!@dhP2Yz|&c zr#>ue%sr@@DJc(mC4AhK(3(_+anN%XdTRinlKlvfj58RP6=dQOf$IfB-`Q>mJ` z@R}hh5BG8KhC3>9L&9)DdWyXULWU5quhNq%kHS;>Z6Ll3X6E>yOhQ_Z)cLf_HaS_@ z82ln}$OQ-?0VJLb0|z^XHrg+7TVA)jei|(TiVP+ZVBu3RtAB+(4^Sbl=jKjxkcvR< zmTWn_6D{8-(b@DL(c2#d0Eh0c~(K%g6%x<=J}7kpw5{Ug!Dy^oF+eQT!GQ6kOo4)H-i z1XD+P=diJx0Vble_&DUBIH2FbVvJcz_RpDW;~qXBLQTe9LIVP9Olk2j6c2 zY))E_fomYaw@0mlb_!TnQ3(BuCj^c3cf{1SYow!EufRUhJ_H%XdXOiGTM?S4(Y-(l zMi8e&l}oHW@QqvmCKFrB4~Iz4$!0=eApP;Fzq^F|MuR#*?EnPP3VMC{@V6xl5`of{ z63C$;bOmI;+!RY8UWl6bQ9|vmh|!hh&{x@^vR=u?$3P?_F;)2Xy7n zaC)|C5?k$1jw2dfHp{uEM5LZf-XbTr8Sv#c!)D}>1g$~=*b9vfPy*si0>Fp9+?$Gq zXe^L^l!G5axUaMj$UhYDqcJ&Sxa9{UkT`^8QtO^fCSLetFM_HdgcvdVhTs~#X=cbL za52WBE10zXCX5(rPt73TwK!UO2ncqprR>A#kx`t0eR%!of!GT48~Z}Im5z_mjP&e; zU)_BDj~Bj2KM?1F2S=A*&m5V**wpD1S_2rAbV=py`e3 z(J3}GGz1vDjgL=Z72^Y_+6B=i0ArDNxy_BZNih<=3du{becIB7Ho7R;Z})_CLXc6O zjXrun06Ave4?S$mTL{m;5PJn(@{E=A0Is4ujvUKF>H&m+Y)8@^vGA#}65=v!+AC1E zhY!U5qe$2yeKqWN~^vbXub4<7hxqc7!ic)LBkJ@7N3K^8RMnXpW z>(d##_eEFjuy>R4Ugy7fkqpy?vm=ZkmC*HbXZ|ZX2%+}braacuLs~KcpSYW5pFe1* z?E=Qa-k{i7z2L5!iwm5ATP~dW14~;DCH&#M7 zfT50Va1ps)^JO-|u;jre2$+E`nLCs`fA%Z^HWFlT5h4eEAF5;(|D^x*k~o8f$MLdw zPUY)7VL7uw19*WAM#{a!BS+N-pwZ`__JUFwfea_kT?Id7Qg??{O6-2u^)`W&Luf9=2mS|bQ}7(DBm@_Fws zwQb*{!=A+V^NQVRHhLGdn!U;<>cs8%d)gV>S<|Bu`Yc(~X(3GfFa4qO#bY{m4i#6w z>uAc6$)eYfx%npbu4_te@G|_ zq)3yYi|NVV%SwYq<6rUSZ7YD8pyxDLy7K|S6zqI+93(1-`<+$)wVd?h#(W@G{-3p- z|Fs(UPj3qlMf3mo8Gg0@cOusg3eCe!f6Dnfg$r!&R*l513VB`lX&^V@zdx(v(p`-e zhl)EEGBVFuTluoH9p~A8C#|_eVkF5)@UT*obJOR?B1Rk1Ul%>uY_$Er{}@HYv<)g+ 
zqtkofV)o;rwT;zkZ|+Uz1{(uiA1WJY3=8Lk47)BWw|*8{K7ZaTq$<$(t+I>Yfm6L) z1S$LRqdr6pYzJ(=^Yt$}p+TM%E5~@_3!vR!xVU=E&tz6ZWd6^E&m@*{_b#ASDC4d} zpP`?WItD8rDskPro<)xy8DXL%I*Fbd>3Jk)W@f&B9{qLu>1InUIVHzC!AyYOF;KYl zAH4cDX1XO;@^C1mrcpeZ3h#ee#xr<3ekz`stSpLzWLX8Jqiry$h!~p#CDw>BP^biD zH~^_gA1vK5odKlc?mq;EURn3_`SY{bRRjyR{~oOlo7fPZgSOMBG0VjhImOOom}XnW^k5AJ~r+se7i=%L@Hdr0W|T49L()jk}m3Lim3a&lB!#&~Me^ zF)usR&rbEieS!FI3T?xo>1JEU##RNYV5+??6@w;_NNU7o2jCX{fZ92{2es5*d{@GF zIPF761@x_?_dq57rpz`Gge@i};qS^^$0w5Q49}mJyOL+6Uy3iV!Y$gfnAc6Z%EG(^xR52lyqjA0LTMWMovNF2YTb zfTm=ai1_2mtMQ2q#!6!Lk)4#x?%k0f4Fs2gECmA@!`mA73OO#RwnV&jkq{zPx&P`H zFrRP{70`vqhI)Xy0*k%|@Sy+PH}Hkl$QhADX@>Y<$u5E4Axc>Bizu>T$ZwogdIed< z%7aAoc^_u^#Igk28n7INP!)i2O{Kh?GB=S*4H!P|?fM$p{;;mM1Bg-gGWY#zI=kmnE zgZt_q;*b!%rLQUI4$|iWFfv@a8^@ElegL6Rhp=;FrW>k3Fq+UB2vuVJs!*R0GZL)p z3JIDjWOLj0?3peooj~Tc)8Hiw@+k1vkzM+kpDeh}&M=%s$@dvHTKFFc`kyoa4kR&~ z3-9AK;8b1cg$MwT{v<14E3kn7h5p;6(_ZJK2;YarBK?18^d|FOB}ySih68^zuwGE} zsS&|O82zYM?7RzghX6Xxa8{|JvNyqd;4ac^;bwh({am>25b`YHA~%HF1i(UTmB!}1 zPZAT?;#>fMN4(O0ZU@N$(eS{pi)DiZh3nkET7V7dGMcpw_K&9Kr^sQ$BSR7^X>+>+ z87xs~1LP#3K|y#D61iMhmw+^=#_^to6jL=z4bMj!iqCWGPuGb$!|3i zlO=42$cjN3^?i8w!Kkb*I>d#G zUXqa)Gwh{eRFV^N^ZOICWBu}Fxt3y=*URi*ki2_9ApXm4S}pstKl>-wE$OmnPbiHg z<5i!Aez|WMVoK-+)`KHvvREl%hXVnz_kGwL1De7-^`lXq_GRHw}bgOaMgQ zD`N$GQycjK2ooDD4=z?#2<~pZ^``=Y-UZ0V5(Of`H8Clpf6xu`>%RuQV=!_QNA1^x zDyj=Q8`$4bys@PpYovZgxVYkxtdzh98W!i~G7%xZEGa2b=W=y(L%Z^l(@tJWfmA|>V^6J{x0AvL>qa5wN~r710Pmu7Lq}UR z6pHB!%KAXx5OvR@hZw}vXI|Y=xWl3Bf<~PjKlH2-=MtNbDGH#P&||^NyVT(}rVdRM zG=>&=hCp-pL`C2A?rDTR6NssB8wWJmM4gM{0%ZaZfmD9S@h8{0d>ZqwpX7jeme96D z0;eW7dwAbj%mh+{8k6{&LFj|G`V_vLm?y6B2$9=;szry`sY6K%^EcaH9ysVkT#6F= z0aU$xgZJNM8IUZkJKo;Z*MV!Hd zC}Kr+K(h2#Ed@XTNWx$4tNH9zX7>Mxx9s~EFt>?f0+%mz-UmQ}2LSm9LJ81-$RFkR zQt-Y|3Q0h&1-25-QbcNysUHcy%N_G2a4I3=djMY$Up_R>B~0oi#P;KQByuA-9)#fA z?JyZP*qV5QC7a96@ts=RZ*A>`yMOG@)aZYjdpPNyRlEFE@%XVakNp$+#>L;im#uqSI^luV{X*gLVYz!&e_WQt9nsGmn22i>= zN%6>PQ|wU$!h;hM%^yBs{|OMTL0?K5u6D4&5)`qTB17$GW~=~1%l9k#Lm1Gv{DVlb 
zut8{`s!}8*6@o%wP;eDgxp+6~I8!itjLW;;ICS+B2zSs8)KMZE$p|kK#AAb>bGDGM1pO);&1jI%0!Sn1ECNh7&Xm%@NnFVh_U}Rf7oiou3poK9$%9nq zbfJSaG=aC%`(zqtu8w|4k-?%@p@~ZRlI@m;i;Xf%XxY7E>7@ z0VLjbh~k0>2Oxb&#vp(8cpA$7bsQX45o!y1b)XtWG)zgsaTZKD6A`D_w%0)Xi0=`P z-t~R9m-V4Rfo|V?a?c}_rO4g3^YdT(OTe3-TWmX__sus3s8iX}To87^GkC^geuu!x zhbHJKS%B<}0!9D^WV}1dj2?qeAtg73*wUfy{xvgpR%U6RQD6xQ(+OhRe^ ztip76x8ty8pXoKsO2+HGOU>TMvEdFsOZQZ_Y19PAdIr7H_IsQ=9|k@4NcM#;#nH3R zE=H@=YsqQ+)o_gHlb^9O)nm_yISelM_aKYNVM1<77(){H@x^IOh~^Jy3}yq>S|r=^ zTlFnCJe7m>dBMFRph1LQ0=Q3zbJ!CT*`?t3_AJ8#Ah_fKi4Zpg80o>KJPr06E6kta z`aTZaleoe`EBm_oHH8H}A%Ml82qtVOC^!4X7?=u}5*a=*a023Tt~rS;>RG@}wGO1Q z9c!&Lau@u%Q;F}jYcK8lZhjc=#tJ~55T#H)i_0GFBOKo3;<{4wIKij><94846|Y`V zdE-2tf{F|Oi9dV`F|Fs6zOGJ&uDUf-797KpS3InnoxL3vRxaJS5dQoP+}37&ovyD2W@N?~k@-Fm2069{H1SE2jOjBGrr3qVz zw=$jm|D+53RsT4-;Gi{-Mk8=%v#_XyZbQO(%ZG=!#UH3H_5+cDa0zEp`^Hf7oaI&K zX(^C&xb2SNl+8lshni5U7{}2&G;L*qHrPP{j?8Udq91xlx@(gwO zlaR({u!j(}NIl5HAtaqz_?|+Qgq1?bw`aZdsWYxMLob|^Pa-U^hK7kqJoaz|?0pe_ z`sNOxCaZ(4@7ymBoY!O&7D_%f?GdIB_!GGqEHI^X{lSZ<7dc(r=BH|JpZmTTr+WLn zFL3=LEGrRs6NX==dd{)bWg_X-q?%I)8Vv#flX@+AZFT@GuD{9^6KZ3~!A1H4qTuqC zD@0Yly_F#3z}YH#UjkD{N~VH*j4HQ2|4}sdhI>*iNBNg8`zFpde)tflN|Hxxb!@Ij zU+#{$g81#m!9?Q~pNh#WV&KX*_vFOpnzz!G5ct9k(kSBA`u)2J@;}nuMr5vz!}m`f z8~pWp_vU)(mrb1f12Q=)=<#KX8D zti9BuZE$JyZKrhq&(Z5OOr#f=d&k9#fm)(TVvp6$(=~2St`p^aV3vPuBJ;fatL7J% zo}coqt~Po2u6k|ye&aj2*1tBq$i~@J#1>=PzXkDOrAmk?zO4UO|LICSLo64}k8M@y=fz^>g8LXV(xh3N*mAfs^S3b%#zxE@Z3hX#OH z>m9rO+d{w*p(Y-ii+}@dIN)c+J3z|v4m<=Ecc*NP#F-4xTu~oCYU0YVYNDPwhU_R2 zc?9H-^}H#geAzeje&{&)90W@!Ra=>sB-5<-!y1C3<3hUJm?l;Rssnv{l4Ot>6n8qCACrrQe@qK9NVH8Ne`r8Z_VJzMO?ZKq}# zK8%fEw>*Uf8Kna}WD~{Y3m>^){ zu6{hTiQ)Ln2fOytIowvnln(|ZD~Oqs`@;Aek^v(4VNhv3%rgW}CozI{#@egH*!o$f z$dPF@RsNcpk)G?V8ZiNkf%=6WAT62xDpiV-lMICB{k2+9}usWgq?7 z_97GydkIred_ToQ-ABycz?uqWuD73vNg6zJ7=6V;m4GW$@8UdH52Wa4CJ~`I6m;j> z@wTnoU*;(I@7V_e3>~AodX{qf6PS&MPQKb1EdCnw|A15n6Y|?_tR%U<43#tZ7-aw_ z;4YlV=G2so-)MMh{&K|msHSV$|`pa~}(qnICq-l#pZ-}%Jug>!V0 
z$cAcz+*(K}DnToOJ0p+>kqIMKfjoxHl*=24`vgYPay|Ks2P8TG#HeQ6{c!IVj10yx zAE!=ju>tH5KRJpaIs`~V`ao(Ke2H-ge2CT`Yh-arEFu!Yn@kuc#6NTdsQrn?4sM1Q z#$NGGG;Bk=H*yY0_lV`r4r%bQswhGttgF%q@DEF}>u9G5!`aiw(A_n}a;lh>bi?l+ ze-y*iFlx^uv$WMqPDR(+Xs}QZg4P@9Lpo*oV^bArb!M784}QuVvW%~O-1Wk)eQ7^j zXJIQ!%5tJdK#G7Y?I`kFDo)JO1Ir4t@S8Zj$Ze`2xzQ_iFWC5_@f-oOV5U3>G4s@b z(KHk*RG*(&g~C`J;RC=3K?__qV)|JKG~$-J%E|%n_Yc!}&auD3)>v-s@Hl$pa)}3J z**3v<(wmi5Q$8nX+a5E!obyu8?|**Gxx4xr_wk+CwB}oG%G%tLRXXycy5m$1A47n* z6qUjgu`?Y9{}dF8YH=j=&+qfU@;T}NnnZufOw@mKYxy*ht2F@(rPC(b57Nn*DeXT1 zQG_NrQ4F5niK}shzv#(cbS}VkvgMN@w?q^pijXS6duv%)ucLM~M>ND3CJe4Vz{159 z2#(eSR~xYv#V$>rj+%usHV33Rz!ho)n^#zwOQ3RK9;2rPx2aXQ8U5qqO>>x?bDuri z<^JcAa-s%Oe=^bQHIT`8O`-RIqRi&=KUKTtTiUItsP*5lFO&9USPPZhQ@TMn+9XtG=cxEy)7V^o{!;a`Op#>FBCfVb_`yn4fqe1d(PDTpMmT7Q0ps?kFlkgivsmp*f zQR7s$wQT^Ha0H7&8ep}%>H49Qxu(0b8e00xgH3!bly_e_$8MwuUc*BCmS#S@j3GD1 zgOt@g*JPiwKjkR>w!UY=#pV9PJ4T}O+nOZ(&h?rKPM%mDBPN%>;zL{~pTyN0W}iLj zZw~6{PtF|fJ-B!7ZOm!t^)Fq%tN@!qRHM6BenNpkvSy^N45J+P2g_>8%ZVi$Ead$R zMExH<+FV~>9~Kryi8GmWL|zEt1nXChJh*+~j<^A76i8Ad^HP9*77|f5-oB;7aDcHwE8}ScOZd$fb8NTpw6A(2ltVsCHnY&_xP^2IUX zFu#J6(;i&xYvHwvP{6wXm*nj|;$5nf5199LErb`WdN48^mmw?CCmi`_i{yrR$-04| z#3ze8YeuF;>`O15wyU|rpw!3~D#PFxrPyVx)My^BySy#Jeuvs&ejyI{eWz%qt|J~x z2#BQYk`cs%AD%qchQbQkgPVxB3ZnPSakGm{N-6@dalVw&eyK_Rap-ls;njaUP3E`e zUh>IsYBUS~{#a}~Wx&(7DRH00k*(2G^42!Y$13f3ONv7xPaN(ugXn1xUhvvk25&7S zQ4y?N6aail0VS@@wBH4CLZXGFyHU$_X7Bovens0Z15T?zdN230t6nWD(RjvdK0b4Z z!M?M3uzdfcPI>K*CO&owlfC&(B(vys(g@2tF27%NR%J{ zLoMv{pMM$fIdLWVuK)b8rd$8+KfjMWEt~4z_5c2>wYRnLTL1fB>c3K;3GBEHrw`@| z0p(Q9L%b}%j$O}a zy_5YTu76I7LCU{%Rlum+eY>{vGe`F6$x287*~{*l2!`K{~N3PK)}zhd0yCL9io ze^UZt7Eybx@lV~%RR42|{7!a7ob!T$g0Q;2s?ryCLaOLy7L$|d3Ji<}Jxkp?_4M>8 zl)%H(n>K9x>c{uF2}!#d+Cz6o!NtWg zq|I~nt$=`(heIPHird3IevNPP(1mp|@4dR)k&#+SpF@=$jjI*qC&zOn*iF6#IDE8M zRgdoYAiG)Qn~(X6QE}JspJj!i{6%v$SI;N!IbmzE=G*p!_`S~t52~xdMw|e{;F@?@ z87@N&k1Lu164(3ak-->9sk`ceten!e8!2(1`Y?Rp8qx@xFZYf~xdJ&7!qB#Jwnlpyd%@b^ndL@qfxiZ~qHWB2vC%ftYO 
zTRld{Pyjh04gF!9IsrJk2hWb2F21@LSzHAsLSj4xxjEnXW*LVM!2fums3JQHm|oEf#Pi-+@P-4?wm^YolYtkva%h8j*35IfP~9I83!) z@Vf}W3|z7|=F^1T8?Q-EfPeI;Lhnmjos2R&`1l@9;T(PD+@9lGzAO|@=l6)G9=F`N z>d%WpYYzD)n{^bQ>W$XlI#@cs&|2Dj6fjnU^tc)&Ne*x(Y-bbHAtXb^uf73npaO!8 zOm_roO%W}BMy_jkUIMkeywpWa{tNUN#-TB#>UsTw*a%8W;Iaw3WW~goLG0?3Y=$Bg zg4__$KB-A;j;csk0s*K{1kX+BLy8Mo@Jh2BPV`jx1LPpL22dLUbUTkf{?0)Mu%#R+ zUyj?1E%INz$cLgq01{1r>gb{k9;(XQckWQb26o|hofsJ+0+ZJOe86LrTQEEk#Xr)g zYBI!qH~pJDpfu(`!w*3+TM)ao+=9!q-43Sv^Xx*oH*e-?U?PUX52UO$evNKrDF^O@ zw7vph$qn4Z6P2d}Pp9l3`T4F~=V9@+bzOP$zMR+gTfQp2s{hsb<>=*xM`51*MuRem%5;zKhRe;m+B-SH zrf5BU(0zdkbOC)w^>Y;Eo2i{$DEb^suo2SAP|ywzVFXOgZQ3bmvlS@+y-|jeNiPsz zDxg1s%!rs!Jarx6skgu1W?@I9O7KAnclL4qNENbUKoW4`cu>6Y2D^|4V!MP0ePN{F z3=kgz-hbO_VO(P~0X z!C$(79^r+b&vW&RF%T7-bnY7%fb5u?G?o*smewrpeN)&c5Oa-z|mk@>Ug9}8C3g=h4b%BR>mjU%g zQ*k+j1Nh7or;VLbaHb&E!cYPdsT-j)@@KI-b@E+jCMFb7{yl|_4GJn+B*aIs<~I$l zq5}$}se?#!H4xVOyFB(E=D%&z0S>VVmapW~fEf6|fr*i6wdh7f3;!1{uEvjecyz#- zkxYBS>zW)+991QN+#jC{u+WRc zDgXdGJ06S757l(k`8-QYL6t__{KzVS&nMY4vAZr43=9}d0HNy#2D%IIP};~w3K_Ny z+~Mhq7dnxnt=T*fTWO7l<58hcxQSw{65}o*EtQA3nTo=Hn;t?4GL4)J?M1n^0fKD` zL*c6ja1%j$_9YNEJB>>XTI3U+{>gs1*S9tnp9BMf092{Oi-UAQL;Wa@nH=!AN4Y@- z#6Bmj7`ZcvzeKAGcK;8`)Q_K9pIx?G5YQwrXr%Eh)R`= zIY_g{$YK`y72My(&?uA271@ZAsEiGCX2OPzWip$X&`q+k# zd&7p+P)I_|z>3T14QX!9$k>TwHSY68PA)F%jbb1P=vPpqYT$*K5}$qD$A^lP=6I84 zxPo4~&q@Hp4~EYZx`mnK6>?orfe~v0G+z<^1N-cBi*b&>KOK=32OQ>yB99FZJP2nJ zSesk}I!|nS$hf5@@HP~0)H1kAZ~l5JjyWJ}NDM&4R6TJbUn6u~;0lVgS1txPb8BfTp>2pk?LOty>J=TG0hhv=fBB1<(_)S=KFW-3)qHiPRdP zRxtRzSFNoa(5h<1NP{6g42WvA;n>IoPB=L>&aSR$`aOVe&qPXj>g_?iA~TC9Cis7d z6Ba82E$PG7w?jkWspONJAiF$$(T&WWsgcXW&`EGkY*k< zkU>JZKrUrda7}4+N03tUNCY0f22Uj3y?Z%9u*(DF!Rw$wmImD>+;dWb)nI8sgF29+ zIL|@IKeMxB^ckL$ngUHl0wN8j zP;fwAWJTu9qV}csKGajz-OVWEg#wg>ZU;xl9Kf|7)3jEjFXuWw6td|M&}I4aKIFw? 
zsmSbMLMk(IOVPtNosNQ*T4wNYHSgY4BX%@F#gVT>^*;_-&T*#4p|_f?K4{#_9N1d< z{=gXQ2U5lbdpGE(7ztmys&IRqQCLc92UpW>(fdDlQw0>#3--lYpm%y(>f(}M z{X}_;B0oQu$aw(XUPc>C%MpD+*0jj*w-(CE%HEjIesIMRc&G(e=K-mK9(gRYbrud9 zDRWL)fZQQHzYTX$Ti5bm~n zpF6MOs%T19;|U%jrv8wxkX?k^v>eeNDvj5;*hy;?r9AvTC#LO^VE`0wbn0}Yd7=V# zPZSCe=nBMxUw9Y-K~gS3^Nijj4hq>o^nQoPafT*_Ksj)|UxnJ7xR-6;zWwhe5*vaH zI?ii(i7?GV)_Uy7RnuG}l(%98oqtHk8oVN-en&^(dZdL0Kq$0zE8^m+YRKR>+)SoW zJ7edDq$R4ueH_1lw78{*@K79vKG2eB9C%=@H#t(cI8%mw#{mL5D$1_nVlQQ1FUiX3zz)x*BnqigGBPh1_Y6tAci6Knfm@ke3v1WMS41 z5BB94e;pk5lQTdO>|yak#QwP9^E;Mu-ZS?uu|Lqdmhos#?JjL$_S_Eb;o{*Q#j{{dor3-h;YxPmdm{dp7BoKfjf@P`OLDX=3>_J_4&fY=mC_FtTcK=OzTz{S}CSfB|)cuR?C#vWx`SS9$BTXV0!g zP45sAQrW$?zph990i7(i;A{9^d>zB2)*->u6eCDyr z-ZD>5!jiz#T)o6|X@T^Z{n>U5d(sall^6Dv;F(WX?ZgKiL7p7nx=_(wQ*p-+Tl@xY zW4yXVClSvmlMa}rqao}XN)b{hAVP>rObcCnsL(eu#*|XWq;3 zcz3w9Nt@OMh6Or&Oj@vQn}Lz&zzLud`K{SAiH2}I094I|pTvx$YNVod?ZeZK z*vb0yLyu6#D#a9gN&?@!1!)@p0F5^!93-b97S2dQ{(w*lYVU~tW+~$~tvZ^oyj92{ z?kMsUh;%AGeq<%!F>(pMNEI#SypDxZ7d?MUtxQc{blF!H2ERmZcR0nY#R?I%$`g$p z=s&y!3^`vytVlgDD5&}K4S8O{$pr~1Db117B~LxzYC3lcl@wW5Fb#*03KP>*^w6uf zFi%7qg_coRqh7mlJu6u%Uv@+;P>v#ijOij$Eol4hFO`XMbnJN-_j~GW&jab6k$aAo zHZ}}Vs!8lRwSD%)Orxf*&KFR-zD}6DLeK3Fu98L~qn_`RPnejVecWq`efcktb+rlz z-hTmV|Np?Ye?OF;|NkRO_rL!KyAw|CEqbZxqr1~H-O|y)QN8G-AxNj+JMq;Y9~$z~ zrlr2Edw!&OS0;UriX-2L-3w})j><--H9bpZNR&VIv+WM2-m9jZHP_9){q96(!d4~r zZFKEshMYQSs{?Phc$Idn;NLWOMr-zaN4h-kHPb3?@u#UPedJ$@9mLCh;-1plIdl2j zl5WpauPq%d{UwcOGA&a@)4xYreSbBF zu4maWe^{$J;jGBReQulCE@tvI)SW&dEg?~1m)=@|eoaCmtX_QuVrA;}UK>LtmlqPA z$C$rSd-bkkbMS^wM^UO!(|#`>>u26)H8H?(|&#dX*w?uF*J13 z>7(ZHJS?c$Jd)y%g*UF{;qXs*6Oy*6?CO_CS*3E@PcE!N{i>jA}=OG78*0S4y z0V&FhbIkG+{UW^Kb#awklmTi00m7d+U9tTjht^b;&0mmWLP~2;=0* z)=s(_o86RPr6$P6@S{D4hKh>rc)nMpTm5y*%FQecD_Ax}^&EM<`})Ob%Fr{NoNBA! zxeCXRuECa(vll|reR$h|$gb;a5s%kOU@`z-R4yB+en?bj&kXW(E$skZ{FAmDbn+dKeHCN8^>Z! 
zWj4n5IDdYz!8gvDiMQ^U*!147`BO@Xw&A>u4c9dI{9iXQs-4VGnDn7d8>RC0NapEk zw_^X9IT-r!j8AsR8#TJH&A*u+ZPd$p(BD4K!Kt0*S9H86{bF5;y~j%?l&FS_Q!nx zY)$Q;dXaCBxWdT~<}&+oH||iFZ>bHOy!CzhoBn-QcPeXr>eou_VSP`wnANR#^6g-z z_VahQPCGmGgnf1MI33h5ME|Ibo9lL~@ur?NJ-_sNj9%_5qNS9Vf7-;_!wo_q;dFkh!} zjpmP~+Tp_wE}PA8UHTyr|6N~rr?L|RD{VoBz?;_Z<3G79Z?cIDJ1R1bWuEFCNJ~0q z{DgOOde`9}_Zbom(jFLHeMigLR?zc1^k+wBef692adPOC2kCB4`ArbJ;Suc9ixs# z8JF)rDv-UF)Z#Dmf_GUUVle(oVX{rm4f$3|!{U10#>UfChxZ)|UF&7WwC>$S_0SWY z5-XRbyT5&CpO0ucv+d!`&kjEbq${64-n6c}hvB5WtZd%7FY9_dITO@N9fif(OW6#5 zH=OV6fR)Mxg{K$J1<=q@KXrbqF**F@gjUk=ds*-qrq|!Iyb%qdPczT?Czgp;RvZc1 zbxD4C-HV*_jdH#Hy^lRhzA7I(xsrlwkh{ofOfh*48As!o{~Oa@?(Z?*o^&E6BT_7h z%J+uJkC)@RIX`q{TsH=~Ot6>Ne&tSI)MhVg*Nn9WoJ4bXad>rsst;TG!msb1f@ods zaB&Obn6Icz*v`K5zJH);__uH8 z4!XCqDq=^tW{!f3QFMKS$ghFeqNiS+Mj1vu{$r(^Zk&krJc@_Z968sVCEG8i>uv1e zF+O;CD=bs}>N6OF>FVurQ(D>fh|u*^*Eil?=3iBK)+t58nJdk`WW|im)M?@9m_PKb z9>Z)rPtIr_Y6yg6Wx!$Uqc6JR4M{@7ClB}(e{_Bw^UH0d@MTd3^CSO9I|B3^nbh6v zDQRmK*sk7n5^*Zn@GLrQ$u5_Fo#~nCo-Ze+EZnu->CM#U5>(1)U+x;=5$ux~)cnI3 zVz`~(Y(C;nc*7=7WdAwzdiy9trnIY0^{7mpGH*W_P*oVve&BRw@lFAncg78GCft%W z6C&OqsR++Y60=5#TAnQqd> zRfo-9G8_9p&0HVm?#O)I%>X4iPVI`9eL*^xi_z$ z>Hf6fWD{t9@$E_assdBm%&Zf#UmsWB7kT-|qe=rMl(cB-CsI8_pS8m9Jkf`=~3IAS@`j#%fw2e5-)j^9v<)EzXlZTQ4^CmrP+HT zcD1ZKtt`7PmGkN9rN3ZF>(%6f8yLVATFTbfZ%jYcbNSiMoM?!CaTuzMu2EV2$O|he zUdt`8!mF$q+a3Gyf^OLwv`HVG8s1!$%O!ioi}%m1pS&>S_F_yIixt&6Z9#w)5Q(UhOtKrb7k3vo2LarDzCofzt0&R zcQM+j_$JHR+c&;C4p)>nv9!Ios38AcUGs`#Wx0ZHSC{&F$+LeLxi}44(tX3)`TK`MMdk#;>b>7w@de zWiSga&f6=~v707Unz^iH*RwHkc3cBmZ_iR{PB6ZyWJ(B&omD;WxTUe~P;D?J;6z@l zq3-0;EXy&6t|rfol=9Ru_u_y;!?X>o{!ZqJJ~65VSRkly*4r(2Xr#iSx>*XE1qFM$1LrU{fTj4`CmJg@yNKP<%*>P6Y^d;gtS2m-bt=2mcz#WXv%Li^_BIuTK0@Vn>=*Ah^BnRS zb`@eCh+aAtRqcnA>Nf?PIM{su9{X?Rox_gWCG11o6`!lt4|VC(_063h{X!EuvqYV! 
z$`GW#i9uxI`DFvA3dQRe7pRgp8;RSeB<7Dyx4kx9CD2;=e5h6Y>5SmilCXt~a)~47 zWq}3L&UZxyje);!Ud{IyODIfsYole}B;yT4)U?4aokEG(?-jWIO(@$}q30g{CsVYF zvW6XvY(=Mkbfl`EH14ESS6Bb-BuUT#6XN*$iGCDRYi6~qJR1+Xa6`CN^+nR^(&(_| zb$`FemyM{i6)k!b4xKT=_GNG!v5|AU85CNX6ujZ-rExQd(GRILj>jh^_%MX)GEaX) zjBnoZwmPcvXX;xpKREJbd)=qDmiG3pmdD!wDfx}}RF_UnKQuH5i-`%YsX3Z$D{5{= zU?9)R_1L2QBKqHd#Vej0>hnXzUg4F`bDe)J{OE)451tzwj%*LTzbESihv>t~;Am;B z>@#_j6<`fo3MVf)IK1XL^P*J$s3z;z=OVK{!xIMtP8G~+eq5a8ky$NwEiX(`*~@|J zOW=c?8;2V?pNrf`>EzvdI3=IIDSPn7Ex`t3*Tjx}bML13KD_r=&gOl&$3BC0q`GAM zN5`?umKXd7Il2xcRe1c_Z*kCLMctes%R*V!hMNiI`fK-}-J`sEU*c>jyc;^5wmOJx zY$>Ft@;=&@9QUbL(b;uetv4xRNvWnLXZxeh<_iT&{M`~ytkq1<4cxSnZW*YG)nyt{ zDlzGtb9)_QU^sm7SaWQ5Rl-Qh&l08`(llXCV>~itUMdNRg}1MG^lpbg)Hg?Cd!%Dr5 zf<_~*if3Al%?DP7acY)73+r)qn&;fPVOl7+F7-ulkNur3VKWOm@FALky;n( zdym`y&*=@P9KV~j8+}eyom$}kA@Q(K%`Yy1{rlHbM*jv?I;Qq#Rva?28!A53G9Ywi zp2@E+Et_W3e-4NYmKEN^**aq#es|kS%>_0eebar}Vdt8a8*fBL?q28^wCOe-^vL^d z;{zHDbns95y&D70xB9++Zs@;m=1Y48bz|&7F^7(DY@4AWw*7X2V`h8z?|nR`bL8rm z9Oo|T4CAuruRQ_+LxA|N1R?OW+G`UShG3Cs>Bza4n4=2B^Bwm6mR^g2Vr*EU1L;hX*%sUjqSq0_aviup4!&jji%Ap>rZ}VRboI8?&x0v)x=rH`!91PZ-Sc%d{Rh znU>B9_BR-NYo&jrIdP`#rm~t>%cvrp)EOC>RNO=L#%C^@JFS*smSq-h+?*mgO3%G$ zEMC9b`aPe7xR2w6f{hoO!9gA2EuW;X?VLYS@bPHy_<{Eh4eO;0CsyQptWh+0#hr6h z$J%j2>I>@IuFH(=N9_)^=X9#DxvQvVP*G;Nc07<~3+$p*NO^QN@olNMn=w5h>Wr`FPWGMRZ}(Mj!5JL_*#qc`p=mWteIDT3)xw@7)cWsaZEk6jTJfZ4b&&K?mzO6 zS)5x*3FEl@6OJt<6ZuK3IsBAC&8ON`4kxs)S6=MZfAVer&09wwWZt!$El_4Iqpn*? z`>j#`I?D;Hh7wstal%cmYzY3dZu{`S1aXSice2o2@Prz`YZ_v;tgmR;P) z?s1OKK}6_P;jv|jQ7_MGNkQ5}^w+!X55SnJL!_=mO|RIoV&9K0#r86uYqo|(mFZgN zdyggVb?kPIw|uksJvd~vEp2ITN<^lsJ^3p0XV0^%+8TGhf084BIvaY#G<8va{*97W zs*26qnZ{khZ#c7X-|W=B*DkS5PIL{NhlCth6dRR-(XL}WXz#Lb-+fuD?VgYJt*%y5 z8gsvcHZtaWSu0+BtY^$DevqF3UFhvoyD|l>d$oiPndCZHHZcupzp0H)nzoU#8jpG? 
z&qOUq9&Wg~ocdO>a?StM+LeYw*|uSlCEFPL)-XttjI3EgV@;MJ#=g{u@M4lIV_#m8 zC0^NM@U}1{OPZ{c$kJet!8=(BDIu~ncHiB%9^cRJIKJn2{yzWi`+CmnT&@eImAr7S zO)|^Wq50D~tuit{xWWL7dm2M~B_|tGH6?Oia&as=hSJFFIcKk;VOO7j8-s0GI`X${%jXAS|^#`&J_JE!F(PAN!^7Ph9%0_23HacIRW-km`ih5nQ#Q$tO zV%b^`bah?gPA-J?@IL0Arude;Zk?;42>lcD{KFan^X-}ys7C98_{sfE!~9pOqnyES zo0Wps^aG$wB|4A;)sz^$mB`AlZh`W&%r6K;;yva<}W)mz}|=yNK{y5 zW%Bd3{eE%JeNUHsCH;3~VJdr#h1!B6?q~e1$IXED!3jN15nz-&3jag?iMHN5K?oR` z`q*0|-`3x0TTN|SNnt4@4pq&eLR<(7IVc@_PC6FHHn!FBraXjo6d%E?=#EHqm=Vt9 zY8Gnh|Il^IERKQqs@niVV1XsArw>+=%@nhx_4FhF%gF}e=&UK$Mm;O6aw^aZ z{hmbGv`-lWaw;&RDC8G8zn+{dpV)FI!H!EyORM@#yI@Ly#YNHe6>1*XuD67w-gKV7 zbC06kW)eyl-Hsxw@6W{Vd_A(007Ip6e49v+E*Dtsmx$KMQ29~KjZ1Wqyo zTHC>ygd4f$9e6)8v!zw}7nB6*SUJVs9S+y!K5Z%9*%7P%+r%po;5r3kl+Qthgy?QH z7C_bgKwN#j@j_MAXN1k0@^E z6uk9(otfBAR>J6DYV=z&dvv)Ytz+L))2BCTS9n3KeTZ}2RnNrO7MmrVMXtAjMtMLV z?jd4Pa`M!l%CH$Ev&KLXgpVl5bFa%3a?yFd9@_Gxli>D?Q?VoX|D`IHhP$oUcF+B` z3N$qMlrjcc8n{RJkSCNiE(xk~Ws%pU&+Kfr7M3y z1uP>Ln65rdML!#=y*0->^S~K?kXuOBSGj0D$IkL4LaqIkkt}}!|7`S#7+hf$mLEdC^!R4Oj`d?lANq6)7>-o zrs;M*(E~nK_LQg;TbT|Jk4U z5{5Wq>>;l1n|FzpAUAf$7xo8Y)xh%n3CG2T(_umVke36j4}6^|(uxK%FWD9L8%rND zFtAu&HoRmDVu4RYw8r8}>`r+alY9%Zq2VWe=oC) z_=rk;hL4f$H+3#FSMzLN$J@_1#T@%q=Uh;I!=4TrUB}=*4iXBwa9q&c;NI7d2b{zIKt|psva>AlwaJ4Ow)}AzZ zsxIWDmT+{mANFA39H^}wlat~=Y1Mz4v67jUWxZTqRt5*_QT&C^Uw_oy3Y8|A04P}F z+GMk=1qQdK0>3I|dksqPfglZrs~4+0w}>;`CdOVYimte=t{VrtjT5hYIGX8S86We$ z3fYnmS+bZg^(`nPbexf2Ge3gW?3Km0Q!AiYq72L zMRL%{59}11?SU7w{L5YL_11U{e_govqrm-#h>Od|V5|81-!Mn9I;WX z38Upga%BF}z5#fFOEUb@-zNf1Ay)&>@qN<}rnWnCQQi_WkM_?Pb}#g%#KeBwS&^hr zm&aRd=w~WM5A5>fM68KWoi9|$^sE-I(q=mT=Dwetr{f}z7+QZnrO~wgB|YIev391X z!++jb)p1LBWb{IEdVdx)O6)$pk{;zh?!~{ZVxyXI!&MX>>(}lyj_9_$qo(`k zxGdG0D{^~zfw2olk8Po&<$@aEBUBT#iyW**tOF4NP>VM}EvZsuv%9yb#zuoyT-=G3 z5h^mQD~Nh?pXVge@nBabhf$yV5#(Khg;fNWWqnfNS83^LAd&3EzYP6gy%4<5h&uLH z9X%^-fsSkuIb-fv^WjE%r(2$YM110HXVB4lmTfEzXmK&1OmAnwpoy$Y#)8@(%hbUi z ztX}`3IiSvglMWPoN!15^UVt@`ytzc1pS59LM2wIl+r}$Bm<}ie$)(F|o|>z=75RWf 
zEVEE!J1*rZn}|f2+j|21#lo!yw}@J|JjbDX{8*N-@lQ2)-a>nx;GekM9C)QiLiN{= zHld8`>W0lpO0`woj%cU4b7li%HNWP@XH{-H%1)RSTI_j@kb&0!dyHT!|8A6f-s-(dVz(folpE*0P)6K-iVqMO^={gaWeH0HFMTJ+#+} ze@~VCGiky6KO`;wKOg=+)Zd?G^6%gWfFT7#lat5Hwf>Xw7;f2(L0e$Qf5!Nd7{GJc L$kMO|=@I`oCs&7T 
diff --git a/assets/images/screenshots/alerts.png b/assets/images/screenshots/alerts.png new file mode 100644 index 0000000000000000000000000000000000000000..ac8a1c82810b4193289fb98e9250a8a32932afa6 GIT binary patch literal 191000 zcmd43bzD_j*9J;=h;*Y!iF7xJf;0ls-MQ&*5K!sPO{kPgcb9Z*WYgWFmoNLax#vJ1r&odV973C!{(MZr>U|=w%UcFF)fkCc@fq}O`K?2T1 z2dpZ?z@RN!h>I&qiHlPyI@p?8SewAWym}v>h^(TlLE^XP$pU^0gNhUN&;$1~uBh}n zEZ*n9ythxH6ranYpt+dXAxI+P;HXI0sk~_UffH3iMeq&fsUc;Qn3x7KI=9LRtV~j} zP@U(A?^@#}`1bmg<#gI};1(wHtsPB_lRBawhJ6C3U~?)lDIw&$2s}|HJUt97w|2U0 zD;7FBY@TetZ~Un%ET`~XCCTZ}y}8@3c?XE>6flZ#JyKr8EbuD?PW6jYpEY2pBwsfy z3_a`SofAuDeu?|ST|Z5k_Pm#uPL5T=q?ML^8rg&z2E~|JEd>r{0%?S!%$*^R(t)Ul z+pzIf*da-rklS-+N)t}zr1ljt`rM@pMoUQ4b-pf+WC^zn5piA~SODB4 z+LwO95c+1hgYfJ^Zt4ZYHjT#Y2lbd^)}RI|Am;17!>^ ze@YZFO4@gDF3rT_aFTwesWj>dT)JTjIZq^?O5>QaO{|CGvho?G|9qAM4hNINESx z27l0>b`UYR8ACnmoDY^~KFE{|;knq8ckrPw*eGI1Q32Wdi0bHvVvokrDgzx9QNOf^ z*&&d@htK2jA~XA2Wx_l8hh!oj2PWzh)gym;fUxig?L{ExBcU#$(zn}G1k14JVviJg z@sMerGei-^h%;vXRD7g@5ijnUMY3+T{=^BZ7S8$kX_l_}0}pubV4Nfjr~&ynLON!d zJ~tVLWGngto*QZ!`dUls0(&)@Fa}Ta+Psw=;WT{HTgeB0^p7xJP?kJbe~10>!*}ZL zcX%2>cvRW1@RdS1scpJ!J|h!97dEgXA_;z9(pqf*$M%|t!W7jM-xN28%<%!#ug0$? 
ze4`!1sL_By-R2w3D1L8ChoN$@Ov(AU(zeew>h?=(!b-|ZijX!oyBuCKZ7OE0#1C2# zQ*Wojzjjv4^V@q@;|Nj|y|4OSwhW ziDr(Wh@O4Qz(7o2L*K9VkfGr9Q)T`yP8#`Y8@L+b)?z1*=%QAZ`}mCJx}A&;$xrAJf;4^`9^C*aRg&T?n{VDQ65&_!ienf)$p06yXA=G+Q@}D zN`KU<_|lJ2=*bV}p^FXPS_ZJVLN?)0Ne= zw3;%SBFz3N$vuUM?JIkoQ3Qusa&Gb-_g=9d6B*N60(=4 zvM;92TG0jLsuQXestuzUTMxFJN5e;pOiBAAGITiWY)*JcB~zVJy}7Y%Myvy^$0oR^ z8cWKGmnPnf&y?hjUrrTO+Lrq6=x;sLyE~(L((d8?Hp_ygTjvtSh z*FXed{Eo@*wc7#C2QC^r4m~TeUt_Hjw%Eo*roT-OO=Hzy_OXGflge!6GwS>W#=MI> zBaxxhKb9mTDHOaF3eDozlv%`C8pnK!)~p>}o?fzE##e<`4PU-JMW$5Ch!u+0^k)ju;S2Ks}3xA7ut9iQs)9JSY%j7@aJm37W85DsP(wV=2fy{?ofKmHE7ApdU z8QX`%5a%(bMLIeJGo{XE_mg|a(f1<~aWQ&2C$04*R%kJeLDN8IKX$4f+pR{m&Dn?j zN)*lSi|@p7_NW`Et6m6)v4_S;R!As+!u@FVQRMqs2VUp#_kjoFJo0iAaAP^wy?S_)*{q}Z%q@L8T{}%MYB9Z($wYCT;Tb;Gd#@KOAII|j^W*a= zhn_>RK8I&_ejYP>!2Xa!{=>+3i$(P0+T>n#0h)vuFDb~wF`B7F44J^}OOq(;tZxjV z5!}*aE2f8g%MBA06ZjL9i4rVAjk3w~R)4);5+4y0gqk-Kj&=~IhI~44en{}frxzYsjuSEw-t|>xeZ%4&%Q99@3XhL43jov5xHQRUG>ttz33eNueA+7!!BAs&F5XM zhi2gVHhMlgQ{S>5J*d?S^PO-GaQT=CYuRN%1j6G!;cVw}PRHP%nA{%qT2$N8!%iC# zd1J46eVoAYnZwLo8qrfFoGoLjrsNY#b8|gADwB z2z*{-!u`66T%8I3>lohR?u%l|;!;w;Z)GC~6BCf5xvkSi^Fkxg)tH5fx|6z`EWeSh z4YPrIq*NB$L3B>cKj?XuCA`kt{lv^4rVND ze0+Q?tn4i8>`cHnm>k_fP6lpFAV=!IJNebm3lm2p2MaqV3tJG?UB3o~w$4sMk00ON z==Z|pD6&5yTR+is=15E|*&hjf-xS3dMys)qVmIt_pFfR{> z;9uYWUswLz@gFVK|FmS|-^VQV4;Q41X+GRG-0%piK+}37*QCh7h)=Iu-h}pNh%`~%?IMjD$Tm@{ALgk zt-g(GZIf`(QoUz-iqb(ujgn)rP4WrnwUMkLyr*HC`LKHPN&CBi1|$L1VwuZT-!9@k zERH&kva;e8-*htt!iE-_zsWO<_TE@c)OKGd*vHaSe4#7JT)87(m2B z`au$e$)XY~^QKkitTrC*cexyw4Qp-NRTS7|w0eZCbhZ`2%Ex5)ERp#U+)jdK=~fzd z5tV2!zPe@jpv6{n)-}6Thhx&UJ#*6a2wm3okkvB8q9brEctT+XZsy)~H~#^LRIPQ~ zJJx|MOgOD;ek$_T1>F_BY|i&lpVxjp>)KA|5k2|EHYLBc+bi=b#WB{SnyJ=rmkRxm zBmesrv|JDtewt~I>*$>$oFl(8D*9;?Gg6hAun2Qs?OxnR=4Vxd6rT(wPQyGEP|Ng) z)SUR}p5F7|MUM#0=dQ4SP^(Z;NA*tTI8R@#*CbEX#4HLNDuwdv+;4Y&u)C%=aPDq;=;eAwW9l)2%K_8mW7Av%Nk7Lk;KjBtNRG@_ORE@6 zm-K>wCtzsqR+zse-Aniv>nhm6pNvwlU>B{bh=xyiB^PO>3R!kQbB52-iiEKo(b%g|K~3By(y0{(-|_!_q&xHv{ 
zzEzBB=(l({J!>*H)4CYSLXjhvI*JCFR#y6V_mOFXUan=?UFbN;?QfQWzdmYnVAqqM z+b%^HMuwB4V9V!k*fH05+IYZLE#%Vo#$aff&S=o{a9QezX?`Z=x^xfzz6Bg4yPIl6 zQ4gG8PD@}U20Ri*nB@M2RZ$SfKoaS;u3w1CNg5dc#0*SFqGZnz_!i z^$fXnL@g3^$?;TfL|$m;c(Caf*8Yg8zbIdJy6_%*s(8rStn)lZcKYTT`K^xYl+f|c z6pz}8$9q$CKI$ zOu6ZFD7aBg3-4AI|5Uv;Og{9{vL?Pb*&x+x6Rx?`g~vjLLQ7I#BW`)l91)NHn8xXjyCx9r<(`q-mA&9 z9HlSZaWn(6)U^3%318^scTLyC=Ez;rE4F%WkAIbBhANqDr=UNEcB}-nPmC7L5wJB+ z7wXha*HC7FM?OcQnqrf3KSs(Woy0M+)pPo>ZfC!nKpv866Qv>U|m+NepDY-ampq8A(~eeKdZ+ zF~G4>q!Hm_TKLvg=IPQ5QQbn#JS*%XDsD%J(CK&uTk2C!9ri*6zLjJ144wBzR9Y#b z>_t);(*B5%l^X@&-xa*CJJth9~80A?tCMl1*z#3}<=Lz=y-)1eRhGd+-x{T0j*$yKTcF5`lOljFn zu+*PSj?vVW37DjwrWY5&rQI1)j5D1 z7=a-22)9+w2TIPP)%wtYz5&6~aatBbKFj86k1 zMYASfk|!Ed;)nRdq~wkpQl`EZHO6p5zwI)x$Wc4iso15S$E}-wGlN^GoJ40map$h~ zb_Vqw6;w^u8{4H)>&xyu5=RQMshoX`)Rx@AJ+4|A9j<`H59>I2USopdF?Ej_D`pz_ z$E#^%w*;x`n2aDL=9~IUAXbN95tDiR+}0hjX~P^XSan;Q;-5H3Wt?GH>4i{o@e2yu zE4keUZX8H_xG6U13<1q-Vt;<9pR4Mv8F|@TM1g2oFX_iJ~}wfZP7;>*LyX<&0f#fVf->1PB+B(=OLr=qE(vo zNUn34uEh*zq~`$mRBRM%Q?jEp@&GLovCOb@D9ZDM*X!HA!!6MYI7**=vB0m5w=I{L z%*y?6;ZI-d_G6`9@)y-#Xkt9q1-4^Sw$8@E!{Pe#gsDZM+4fPIt?LkYi095tLHze52g8?e);Mp6wKpqO@c(GkUxMB2HQAW>wT1b zrQtfda;9vx-q7M;)S;bBDo_t979vM4f?zveQJ5rmBcu`{rPAD(1q9#Fcz;T6 z>lZfU#u5^ei`0ti?#W5%^Cd~-aUDm4;A3DkR$#lk#t_hpu z=8AfH2%#=6Rh=!$yj51X~o=_3HT>hDF2qxnLalbOevn@dnTdGi+Z$WtxB~kH+Lgm_A&J z1to$oqzkbe)o^H>0HTp7>cBKfP@~T(HtIaKf!n2Grbnh%qR-LGmN8{jk)~+_pNsA(o;6*R zj`~HK&9LjUd?N|*6YI|V*2xGFRJ*aaa5*=}B6xHRJ(p`Z8W3P>IU%IOQ&{g~8GnZy zj%GKO=rB9T#$`GaTsf0;jzEPfpR3P8TyZ)h@+czL`;Z}b1^!3SC6y?cy-_lPNS70u zqHmA(fr8E4&IdOT3Bn{L=NH>-R?=}$>{Bq=h0{6as-7H zXomA!$wf~VWO5F}>ZdL>?Krn-DrUh{NfzQ}s&7l)Q5$unp!VEjnzaT2XUlGPbPpu| z7d?{LBu>UugRlHzh86>nvETEQ`Y@2D_pi(OPsAN)Z<3*WD4mJ3NW(nSby`?g`a0so z-UMy_#nxja)xlxN5U7!NbO&$Ujn%Fb8TFU67T?rUAHe^XB z?X54C>uS(NNMbOea46C;Fq+XZoNv%t_!bo~e$dGHz6|=wGfw4XKKE$a5u#H=w6MHCqNW$z&pjo$U4O)!Wi5bgL3oPlg4?$$0TXjxP9)erLrB`m z&%ED6Ig!aLHioxu%H6VX{^Ns*{Fr4^9D>>OrV{Zq!?@N{_0*nNN5Sl#SlqB2n#;2% 
zr$#+-w>cqiX3X?Lzi=xWX5$S*8c%2lFk^3du=vTJ-j_ab()n|ZX>)`Td)la*#J@QT zao&FvvPwxP%zJYdz0lPXvc@PzI8e0e4oqQWyO^d>d_Gy9o2N8H0l?7erm3RLVsA>L zyXkYBw?>&TNL6``DjOZ;iF;QNM7E~nX^w`}C*!{<@0P~tchbZ&Kuqn;%0^@mCzSmX zuW`1S36|yk*EbL~dJ*bFO}umU?OmoOj--yD>eCbMN0;{8uM|2zoR4f6_+;c>{`=E0 z*MQThbHNBnQrW__sSKgCmte}v&4L-t0tb%egSO{O8;bh%npD4tVIM3z5oGL`}aVKmRo}g$N z`lUM3yz}hX$PIc;s7(|&5yzwuZlA{h)sd$bNcLmS?$J`F9wdXGzGb9IA1KH=Tz(cJ zMbhaR>Z3(aA$w$RBzSy5vZR4apDyg}@#CPp`=Nr#4;jSfttlUxBk6EhT}#r4uR78l z8~>hp9%<>9^>csqNK6H3Ue^W**r@o`vB6ebK!u+QCJ_7-OtnaZ`5l*Mpi783x z1`3*4#X8l#A<0g(*7HzpbHw7e(_bGc^L$gqHFoAPe-L~+T%Sl~m(ru4Mv^CQB#VnN zU>d-)$5D8@u9WPMAZ^lZbmFk-||_S|Ns7VUuOd=-}- zP3BXgE*E*5WP>ve-Op0W;IM$MS0mnO7n3mu6~^BG*F(M~)rTgxu@?GJQf4Cm-c*{N;aL*)vN)Nu`^=2cE7zrehZ*WthQis zy}f+a6AmK*sM5Ye>)V5xZ%YjJlMK1(6w=uf9M|ut8wYr4MTK3qr`hVdU*sISlt|1A zAQtSkeCi6?GO4k?PS|r=V(g}n zzvP%u%xH8B>}`vrB)(WH%|~Tds=R1Hru**4wbGd^tl!-1_8q}mGUAM%NO-wRY++Ta z1F_?E`q}r-%}1!XwBMVVVRhk#fYvx`cc@g+GPQ%d%Z`@FYwjAil{hzpM8+K#k7iy@ zbuY6;vO|8_#(0tLF*(ha#u2(q`B0SBJQ;I5 zrd`OXYd(tIzNmh4^XhN{`CBTJSU>j(kVH58pqk@muBwjfdfI?8!S>&}qiCt5i-i!U zp@%@O*KoLLWuYXuJHfK{N|Ye=8>HNVvVD8oTAv$n5jx{!iTrm*^K`g4Yr3V>d1kTm4o-ej z)?nvKGItkGgnfpibWBsTwIer>)S>bkablevU&cK&N2cfzE^G75m2Rx6;|qk3sCLj% zttyBh@$5)Ceeyw^86C7is|th(3dUHsUvkhmt=T>|)Y!lTHQ$qN;wffopb*W22w23o z1W=^E>DjL&@g}%4l~&21;%w){T`kTK6qR+wXcEo`$cw>R*unbYcvap($0p&SF{a{umRfve_WqMaSzwrkOh5ld;hlZ8RkHU?eM zfdMT$-(v1V_llXC0CPUlQ!^_F7iN2{S;)z2(n7qKQc`5|?=cp*Dq4W>?6oeVRMn^Z zW{5^V_!({|)oBZ)eeY}l`G^FSXuc5VbL#7V_Y-$l&F_XUx3x8TPZo1Wh+94ZR4Iul zki`9C$h1Jju;VEx(z?f0-3=ix8jvzb#A=D}wH;Ca9DKkk%Ns%W>LY-mNdO+g3Sq4T-E=^jS6Fa{A;fjh zDyKAwqJbPgZ?O6AVv+NI*Afn_+gDMNa9wc9U>qbtTwgcvtK(`cO^^Lo_b4iZ^9pun z`yj^xp~eX5^l|937%(NU-$L5xY+m?zTn9Cw+bj>Kk+I0h?$8Qk@pgZicC=uCK}D_v!gsXN5(`e?)Inaa8H z{&R@;%5$99uyB(b2@&*(?K3}MT!;1>`_WkGg__Xs*GehiCg!;#Eyz)~P0A{PJ9ip* z;-PUiz%(IG|4MZg8~rj!d#fCzelLapC_@x;Y2`rK(YIf_#~+a;3ezt4(|d-m6WE4; zTJvZRAJD;ucN8ivwJvKseExQKD%4S!rn#Lypl=dG&cE8iB5HmTJt?z4v9}UbgGl|d 
zO!YxH@-oWmq4pj`Z^d1`U#Ar_&r$Y?*}UcZga;@LQZm4+M!yI4cTXOc{31Cfxn`8P zCiQK&(W~yi%Q-ayTXhzthIO+l13v_wRp=P7auY_L1AkHc(zPBj<~- zEB5=IqW-IlQH6B&3eL^PY19M4phmO#=-)Qaq>w4^SGPjmDEWtU9#ny2&=Nqbs1dCi ze2&gFvim<&F(ys@)xP8sadR{mM|Pwdtz((ZmjA?DQ4W0bIoZhGwmJ3cjs4i4=+Uq32kG?!$!BCiy*Wgzv45*W=Jt0w__WL_?C)rPq~I6oU~K2Q zK4@^WGc5Fb0zd$Hj(9em_LQn(PZ{Onjw%CzM8nZu>ds$Zo4&Wt;}`X zN~5S(`ynD2bm?w}8ojgjo#YFE#1-CKI;$kZ^k&o}2>p7QP6V}T*25~z3nFy-HeOA) z#xDBm=yJD?h0JTe<$Ns&TUEz-#BNN-6<;3Y0%56HjCJdj}uca~Xh0{*^RR8gR0FoZuVnKIzdFJfDAb@CAv&hXsq#aa_r@gyw zuhDY^cDHrsqF&ISK{@BGBSffbpmneD5;QL{c)9*5GNOtfefY>YD~RBW8E8f${#kDd zQuWrwxvW1TEvw~lo@i0Za3!D=?vFLya0&g?{c9xt=d}7A-CmzuB>$M0ji?`FY-h5< z3f^p!;Vb>}$?$G}S5G#T+uD8w3-5Cq34R7oneTzpmt%8;! z1PTWXm@CH(oztsM=okyimHN!-Bu4U;bL|e=2?61xo<05KC7});mdMrqo!o$sP`40F zy1GE6b=yss5e8LG@TKV;C~J9$i(!}OXI~08f_8P7*o2`5JRQNWbM9+kgP$X68D<`i z>7pAEQn9ov*wMbSQ#MsPH#OLQIT_6=Q8cIA%Te#jbnriHwgTr>Mh4W|rgBsDZ(n3C z42R$in8eljaP2x9>Na8qjx>px{9FVsxjc1RaRZTk>0KH?12V%Q!er$p5;;7Q7ZWjtxeNpY7QQ}yrO=s;a zi%Z+bl(%P{2FqR1_7@$bwq$@6HWas_F}?-JbCxvklL@w0^?mHUZ?8|LSTM->Ii1!A zANkTp3Z1C){v1|rgDQxStFQV2%J|My6$Ani&im}dm)*sHn=uf$bG6FTgvvAL<(LEz zSzh2-U}4>WIOdAARn+9;qUMjW-yKWWX;Gh^YE!AZ}a(BNO9{aoXV#Szl-Foec{MCLNwow{KomY`=L+jJ8-yWiXIGE3F zujg(}%sLOUiH$C9F88q2wC!Jl=k36Vy>6{ZWAMmWVQa4jGaPB>!t}i>8SS9#6 z#Ux=#dehujli7GF=r|WU0T9Fwnf%_Mgp33?;`EAsBu_dmnEy$!p59mE3BxG{iUF2N zV|XZ$TbeHV>8z*i8N~MnckUZtO@`W`{$1|&8wLjlos>Mq*@tFOj)3D+%By+gg{iq4 zmvJYkTw7KM1xZIFrQVIi>QW3H*h$F?+TW>D`}O=;^JRvJUpvW?#JFQsQW*44MEze! 
znH8uHNUxSCZ;2E_skqQZ8vS8@6Az$Jqa{fAu2hO zzC?mOORA7u$iqoHZJwiLrGq=h8C&>lp1*3Vu#OpYl44cZja}Rw z1r)_g&vU2Z!2U!szi)G!eS>XH%rEuXy7l1#Q`K|~!F$*}ylGm;%O8@In29RW8>_QjX2&<;0%*B>!nsD@<)3{%a|KFB5*~Lo?uXAP6pZGEATB)| z*DQkZO_SmB_;GbPcgxH*^{jVtrHM3yfchKJ@m zOZ9w!I#c4|>O@i>;Kh^%Ouy)^>fK(b`OFwa@X-Rb7ec0Tx4_2kS715SK4iobr0VFY zWRR3svhB(9IqK&*k`X>06hB})7+i`J5jHKetyxJhsG4!UT6y$>;8~4aQzO4+K}AGa+K$1QfC@Z zIFFKeI2(+0ftnu$U0i1ux6eYE@39*sXI5}x<*9d{B8+wDoQMbSK}awbUj5p}Oq?6$|2`;Yplqa)-B)hyo0APdXDoTSJ29#(7u9IcU!S3rFn0q^2F>P48P&uy`-kmg;^&F^Ei zI4_puVl4;Es%~R5uAT@tTx@<_5(+F=?x-)u$uk-}kJE&BA=Rt}P3i|?whjpFkp((W z{B#rJQ-C|G+b)&Sju_g0mNBbhaZae~_UL#6N|zw5uUYbNC5|QYElj5vc4(}EFrOX| zB~PU%5RkIvf&p{k0mW+Gw|%3zO_+SW=jI-3j9s&Ts0jJ{Zee-Ivr76~{v| zgv>F%y4|Jc@gD^9o;J&ghHIV-C*~H^tfsK73s?+&COV@*%$R5MU)=Lr6R>AJF1OVu znQ~iF_VxK%Q28{456B5BMl~5TG^D9gR&YU+B7tLN;lpi@5a(Q`?K{=m(wpZr%)s%! zI8cu;Y`ZnEYj7DvSU~YqIQy6*%DZv~z?}y#pT(E-sxJWgYy=I)`nl)?Y^7%pL+3a5`g;E){}oRB-3h*^DIg-}$Nh@Y~rBaRs&o&UJnk3z&M6lanxD(vGht8*BLRnf=J=oUcg4qx6i|EAU^IhxTROH{L-~ zu<^up&U?b2yE6i_B!`O?j|`HQwMh;X3>$Fis{BQ-sm5-PmH3|?^R1=fRsu+qD2^7Iae%E9mFz%%RagMvaT?e5%XDA3DcdG*bw0J{X>+zu zNd~(E*mm7*b9DKw-_8XZMGA2@33UW!3f*2E9b_n_v{0(|q~}t|8QY7TFUKA<$PzpK z8);Auf_-TGz6Pg=s<3*_=W>M4z|c@dUY_Yq@ap+smiUtKmz9UPRHl+}3qWioTQYu9 z^w15gX9K(@94S?V@k4r%0kwQWqJGbF?ov0c{OYi`ldYW6=WIbVhp$A~F!ZO1m|4}E zxus8$!u+gZOl)e4yxoJS@{?xFj6g|R`Q zL0GyVan*Hmm|?rP4T}v1oIsiV8!ie(=FJ{(_-p4AT#W!ux>Ynw%t>ZZ`Ultn_HNUBb5ga_Bnf}fa@;V8O`It z{?tSY-12P}@3i^I^QX;}W7ZbPH&NLKPn3dv`KfMT%;pp{NME{~BGPeZA= zF0+orEy=KHdbg~;by8CE+mrcT9k6Bg8_muMc^oIvU8eXF$tqNFR=zNpa9#ym*k$e* zev?(x#Yj=>`j1ar0#DZdk);1O$0o{%L**xjxB}o|-Ut@Cz6b<`;Js{V_Jg;>E_2?e zL<&zDV;*h~)pI}uIcOJ{fc%v$SRyQXL2XTqnpe)*>LF&+&jQ=_o?4Z$YXJKbb4kK?wZvtf9N|uEPWG1h7Qz z2Wu-)u10=KTR44cUmtg51 z1{0r-ZbXzk;oro;@TPK!)Dvu;K%N?zK}y7~vJrh6=`tHuvTs+fzUO2)Fs z`GFz~>+9|E4{+1kL{GZp6vJTH2@$$IKzY$p(lwv}CuDLbMXx^6k`%xwAJfm|DrE2y zu(iy$ijDDA0!Y19o|{ofe4NhTCL&|r?y1@UH^ZrH9T0ItkwVLaUM&V7iqtx7JmgTB z@IkW!3KLAC37@6UbwYej%0!b-TRTdIYF&0npy%$mu_M5a9qi`>#c>xi@xtmR#@Rz& 
z@B0`}pITGT%kdoy({JbjxPNFND13+jvw|~DG=C*eQ8Bb*57O)pzjd78as6{_i3o3E zhl3f3hQkYD`sVNA&nN_=Zh-@+bkTIB`&dbN?dz*$SG=NNccq!ASFFiF9(){J-;kmp77Wqzv#dt zCO$#hYpm+okrIu6Z~|kRo;rWMozK%xy1Wf3YsRfV0mP8dLEra8Vd|3+s;~I^erxG} z=2i-4mS!)}_az7U=@MghC18Z@?DAe%kM+S!r*R4S$2WPOBEC4`C;p*K%_ZPeEIzk+ zmq>@UW5rtGYh%kw(X=Pnr~KwnM0+3PnPcn*%fAn^4(OPs@12edpJz)J9G(_gc#CV; z9A+OSRhDad3&0@4-p6K<{xHXY9!_MnYzqKqXXXfp?GOqNbKcACvZWm$`;PRt+-#wA z>|>kgkMoixhG(u$cUydK-{-d-G-1d{?zvsEknXwre#%Vt5YX!pqy?}k1bK})Tu>9( zSGgzV8$3@VQXe-9*)M({@AiYKwrN381pA$8WrzE5?TtB10ip;Gn#gQh_ce5L=j+wSyNdNZ%kfm^!E2QKt}YUDGNLYmt8X7Zqls=C^GV9Gj*6 zX2Fb}`NhMi9DWp75D6hCgT}zEGCz7D02B=XY7WyENVAXLT~U5q90Y3i9wwTc-$4m` z;iHo|-`lHF!TBabuRgI`>wYQ@TvYR?7b9WS(W@uM0KYyH^RTI@!9j;|v(k@s>OD~%lrIZ-f ztur2sMNZOX-mv-QYikmlk)dJ)dX_O}JQQUSXPH(;Q0u0CxYh|F^9es?G3pRhRolM3 z8dEwpHvw)O-~~X9WCDR*90dFgDrH9Dxz6<&B5-l2W?m__QeD)AF;Z-G~2K7c;>3GsAvW=4a-{ez8%J&bKdK0m)+)vECR zM`?<}2MmL*6<{rh8F!6yb2}~82|J$jsCM&he2#4`^1a?-^*CPV^}+;`oi|A-CJ(#? ziqIqd4^$RH*cw8)n8TFtLm)A0>7Jl7fVD8p?M&45VDK50ygYV8xndfR=brB<^*wky`?!Ff7?$ zmVfX?zkL{kS6wJZ>&nD9`NrqCFzdILJE-mtP-mo`tnq~k5*&mqHSy4DR;dmr?}DtI z*ZgIT3GB_GOtF~z+2_V)xXXn_Ol5uS28YYt&IFIN60Dz00fJgrnoSs+&KKh=0I(3S zyvtoVXO}P)CLHRuh+DY>f=8iBI(}i?rK3uG%*+Evja1?uS7!$$WfDek(=tpIDn7n~ z`l;AL$BN$+oA)R$^#I5Zr{Rhr)Vzlc7R;M3UjG={;SAX9bNE`eV=FA{EEfn>Y%eN@Aap}+b1_7hqv#XJ&)I;RT(@KkfjnD zwo7}TuML2g*fAjDL6lD~t%0a+PeLdm89_$O4RA8nc`coB9 z+>D^<Cp{p0u4wttHxZPrq=jd85 zF|p}%m&B4=^+@S!E~=@s!&jL?T+%VO0PP&6aIPffLRN)$m7|QB>=y0_vm?L1_wf(O5?obq@=w7>foY;nXrMBB$VT5w)IPj< z)7$)7tlnZlFply(SYDUIYyd;#dP8BUdO`bz9Jo<^_D}9M=msmS7hNHzFMwD>{ACp& zG$CdV(1Q}z>VB@&R!D5P2ual+kjUDE_=O@+Kp+RizrKwq)^S4PNi+4KAQrr5gs2$< zvy>BC0~pYbt{!6=b^g7hUALj)#2I%N=YMdK9wb84{W8b6&o9b%m=F~@4M32{!j3VB{o^JCCtKO;oe}!K2G#D`u++@B3 zdHm5C*~x0EZO5{oRbdUSZ@I8OvBDpD1x+3w^og+kO3CyzhSvyn{F$??KycpA`;`~70O2E*a28V+`pzb`5ESx zj-EyyxpbRo3UvvfeZs&w)x60zLH^b^EJF!epqgz%OkrI>RcZs+eIAGd!ie&qS9&rH z?I3YDDY$`%BIJ>TyueQR;GiN84fmSyZyf3W5YB0vu1k*g^p3MZanSQRXfHW3kfxtM zqQ*bP040h#mHvv|gK&snubH_z~<1W*pQgH=N 
zNwxldoh8#5mB<^UQZ0~Th z9lC6NFQ?Qs)`4^d&Hjz9r`z0NcX ztjp8rJMqQ7eh0|lpEflFQ-l$7(5Az06=wkI4j0k@G8WnR;Fp0v*eXvcleMeglzYNB z_O1dxsYWL||LgBuuU`YGIC1oG7W|D%Gci%44rGyd+T0)H9FR&~^0(()jG_ zw=~L35kYYqreT|_!(Cyspt_ybyEJfA&-Z%O$($nemyKqMk`lU|&bS&$_5-CJ2q27~ z>qPT5S8@v*za(Zk#2y97{0-1d((g8YzVj)nzy21$pR@mc1mN=d!oJ?@Ut;$!=ko{r z|2`s!@-wnyp>lKm`a60nHZ=Dz7Ln=toUd&1%%}YFM8B{94Zj}WyVJ)6@Z|2D>xQvujz8}8_q_g#q1F5h zR9X?7m%0!BuWo)1^FN_jbP9L8{=h zC2Du7GT7`7fX)YeP`gULZ$Fe4)faT>rHuU`RYk5Vp;k3h!0<^O&ng85!FahxjVj_H_`gs#zfVCr5~2*9O(Vm6e%USUl3;8c8lq3$0<9!-M(n? zuY{y18kc{-`;)EmuO*jMf)Cyk&`yRQByYTj2ALA0Jf^dh+7 z0U2b14OCeS2XeFx!M3zHuwXA}`12~kZFIo)G+mHtbOtV~QMwZUo2^5>_BQX_8^3Lc z+}K=~?LSpJE~iE}8U%T)m7Cdw{y_Z8T?Lz>)1%OwhyV%$UW2mPgih~Er4&oDvmO6h zU6Vp^pymBzIY&Kmw)Vc9n_p7|aFYT$}dQ)q|~sS7A{9~kDUXS+H4yuYGU z*Pe>mD)8v%)0gQF1q4VY%}CBId(IVWM}uJ-NKSC>2#!v8qi)dBcqZ!jq`%=xXJgJ$_T2GKUsW`nxfg8J2{eMec=^SD{f#nvRQk!o7YwDxR~F{ zlKmPuFqJLXV^HryliMDJ3yf2je%?;M8!S@|RX2{lxefiCgP&W(pSQL6xnCCc7$*OW zApm-(EHIUFLy)Qs@msq@k^90AC`Oxd&=`-)R4vi5gKs)D+JFG#eN^j$97*Rl@FV3~ z?fKb5ucMuO5Ecj0hw|RF&ac08xQj_HXj#G!ak|TWM^j~^H-OvxrVUd0U_$F4r>KK~ z%C^k#hfXafmd40p4R*H5TMKIIJ(psgdbIod_v zzLSXDb{>Zf7DnYc-SJ-qB>=-AaF)NIJ0$Tr5WgZdNHKMvN!Veo`R3cR?l5n%3YT@7 zrfamoCAs2m*0fOrJSwBiT@1PM0z6AYkRA#Sl#K!qKrIc%!^sC8 zN24fTn=o(!rvb%+*on~l2e9;O6Zy6C{2-j4yP#jRQ}(+rvEgoKYy3xjE&A7?gM+M z-kxQ|fo+gf6emMtDFCv7b<-L zo}0xu`Kk(h3>d#R-u~O=FJRX)Y-1~ZKmUW-%J#pD4gb7h=2fB%7uLWI!di8Hc5JeK z7-N=j87GW+TE7j5j7HuuCh&Hef={1#Xxtp$RdZT(8HE$iETkX`^4_{N_Ax4*Em(_E zUGPV(ppPLnq~>6TpP^G0vEuY=ng6Y&_`ShpA-2a@2az3D5zeh%V_mzN!-bg45RU^u zm^9FFFtoUURmx9=sXZEj&zi#|$v~%vSN7l%ab)82K;15&h{{vJc@Oye>JEH`buM7< z;O*GQfFTZiX1`DS-`o$i`%22b$C>E~1YqhA)+FVrn2cUNU_J~#)+b;$mO);t3@mD+n5`EV*1S)T8a7JJq3)rcF-JV0HI+&($dm!wIh}GY8YW=jo)NPb7#Z7hhyE_J%1I1yVA3cyU zUXx};5Wwf zDsT4w@s9L6rW(RuWD9IftFf{}BJsDG{d+$b-!G_f3W7`o%b&*@5JQLB;G9gVM_0Z1 z2kiLM-}%oIVacFWbbUUrYD;EmtlV*FqS^xy+Ky&=I0?ii!jl=}AO6R-p-#wIA>lT% z4KlbNY25$iw*KvSlYrKeQa`zBL3-}jIr*Q5_K$%x-36{We$c1?ei?th8k-0lFZ^|xc!q61e+fnO=0{%_axAAZbGOEOAjEvx#UcA;eD$LF}v 
z=l;nyFNUBPh*ePZkL&cg;H>{^?4n%Q!_S@fUUH2(z@r$$4YsY51dhvU9&^;`Cx&kS zFFQ|4!^YuJ^?iKITltAoM4-KiO*aWNCbAe_9&SqQ7{GF2{+WaOFH2A!S4C7{yfZ72w*th_KEm5C%QnvTzi+G7UZM3_ zJ{UzTMncx*Dj;K!obs`6h8r5Pfz%!@A!4@v8|glrxd1?#%tAzPgppW8Zyoce}60DvQRxl@XvD)ZgCzf4(1>ICf@P z;iH;;%L;v-fkIqY5#zT0K^JZ=cI7ib|GWXHcz{Wi_Whg+R2HVU*DiX}?Kk86kM`Yl z>7N3K>G^%LV!y|GWNqYAr*+5vJ#)(%mg7=*Wl&7;3W`{bZ;yZu;kp5kPGP{X##0zT zRB~$1jsU~uj2{fCFwZoy{~Irj4F5+w-(%3a%F6I)XZfW9$gPTp(FlD55+SwxuZlk} z-EVXu=OgB2^ey1WACo(CJ#(*XA&pn!V5^wx27vj;rbYfKem8gSTF zkifZ@|6ww145k1}MhFVRt{@<1OK!k`+keKDEbsK7ZOBk+fj1cVZnd~qfvff`ay;yp z+|n^_IG7%1}_z>f5tVl3}N zsy4n&$2)es%k~DYvfpe42tdArW0XQFj7Hy%t|IodJQTa+dXf=->Iudh#B?EPAg0XD zDU?|PZdNwJx$Y1%KH~FzpK}TfdOtK8Z+Hbc?mRklAuY;>%5s;#zZ4FNz8o0Rx|#jS zx*Pu{XkpTUp=LI@+Bar zD2se2fIDN;b7*0BiOI(ccAi+?e^1H9qUY2tiKzpU=hZY)TD`^q2;YeXa%N!qzsZ%r zxy5vUV{g>1=`~K{?XLuPpD{4!j{}9qpQ(?2VW2`0)z}C0=q*e%oew@Q5V(%yqhEV} zZUTO$tfE&xbqaCg65z&KU$JeytA2e<0S`l5H`F~ATT@w{vlw<*KlH8L9nf8*VElfR z^op23m6? z(f;Qf@mT9|FJ8{?Mc%%CYt&deI<8#53_S?-5!!>W#T&FOg4i3(TY5sC#i+46CUE%& z&=2wy-+^VeiJH10H|M7?44s}SfWb-dZrh7qK^jMYNngFp7=M);6gjmBP@t4; zfa#q=x*te-HJ;jlJi$w-XF1>IAEZV}5eZdhaG1vGbew*469!o@YGiJDX66UV2!SLb zC;9e|5(hTEztujU9Ml0)9dE*5*wCt?b72^NS>cSBoaCO4=8YaLn#|hGvkx zGYa$#v`p=#z?6*{kF|dHyGFvXsDo~Cgi?i#KA|r=?M*!6w1)>yaYuHQZGN_By6q@e z(>e&y&RYpUkP%zhr3_afS$7o=VkNgI067i-843H7ko|kVA=J6 z>&DadU?-^MHUNW|ADz_W(MF7DX!ouVu0@vkaoo7eEAPxR9FeI^a0FC4?=DEy&|Q_I z;de5RrGE8Ig zdrwd}#)~qV#0gb(=JLsRJ4-x2VZ53o48%OMW#d3=W{*j|d+Qpvk>cOuZTGGOP}Ri= z9FIaGRbf|0j8sYXw$Cz;^M%&ITYQ&yNvTjSA5pRZyLunks|wn=nYP|s7eYw7W68Z z=$;J>FX4RuaGU85UDvxE(Os_FssS+hr&G)pYmI))VGg|mMt zE~X8&1C^(O$1*@XWkimTRJOrT$1fO@cAEA}Yfo*ijHv_(k1qYFv+7tk6AvMAz+}Sc zf-7qpC$llga{*~5hU*e2>$>pf$CCAINzy0c`Bh9Jtj2ASu@vDx-I${!@oa#BAyBj=ktC z?g6B|gv55)12zjfIhNMBovlF6gYa7RrE5qWW*;Fy!uyNQ`PrriWYVvUM$P7l%-9t6 zN&RjfF8R~~B~TzH(gMElR$h1b`zKVK=1OHCUJuIJ@cOud&t{WRlFT?O0X+VsTlinG zT(}c@uMoG119|`XBMC*K9%V%2hFqxBjY3HR17Vi{AHT;^2LOglpdN9lrkpiw&33BJU(3*%|XbA3oq*X6)TpDgi>(!hyu 
zC+?|rN;vz$=o2$qnj$!O14$&mpUYkYvh1eV)tG&@Jaw)R!~4y9i+72&PlvWD?5{ZG zw{lPDVtDA;GDl;`hD%iFofAa*pa?asxf&{ol;ncL1Z!0qPCZ5px4J;N`x%S>f{pun zqC+cl0cjubV5n`}pgqcU|0?N#I3e=#M$9?z07EAIp5A^MvL56)`9){^ew?*Rv7Vt0 zl3_gEN_p65!JTxF_|GE!My#db^6~vi^23@Y7wTNeY9JZ&Bc4HS;U3U5?OW&4r!{i% zPs$ZttJD<-w(1%iHPvatm|sDuX8Yxic-^hFN8 zSRh)R0}OakpNedQb({4qV*ZQa@@F93+2~8OC}C=3SnkLnP~^wzzlf8DUzpms^2FJw zwab_v>YfW6_nV*ZdVG2=01dS+p=dTW`ji?=WNWtHcpNOsn|EipOzq-RI9*{|NkkKl zUiqdsyEXH}__XcgsMAW(Iu2ZB?fa2L-^1vbh}f~CaV*!%W}mv~ z3G6`@Q0UUDBC2G1VhXP%-j{&RSumScMDh%G7w-;2MIcQFHpaE-o8wxcEEnTh2XKm7 z_|xwRP!p>dd7U+0?MkJT92?;Zc3 z6|f~N1W<|DCW#S?MH`-i@Plm=KamWaPnT~zzGTnOSo5%p@IcY$NcDlff>MCBX(1Ui zU%U=dnz6U}lHBOiw*1p?jm4Z%SN9u)MIW=_=3VaD==61@BaN#gH%V}dXPa#E#?LXP z8cmn*m=-2@m4!oa`Q+-{LL&L-ow$gt<>f>r=StyR13GocRHC!^1*^it!yaj)>Nin& zXBn~H?cYN0TZDOHv0S-An)9PZdO0M~CL(#(B_wCsdUii{l5imJex3f1MZhE%f9?iu z^%pE2AF3r@@f6j|)aC~co%Z;i=CZe@c2EoZK^=rn&Ua?xLs>oVKuR|So~3d4P&7jr z?e%kBzMRS{fB#a(*5_b4@a45LQ+w;-#>r1Pk9^q6HtQeamTJ=wQbK1AJtQ*egk3)} zgxi$u0-YR2-kHl^*S8QBpY~b;HRP5!BWytM=CUd$ntpwPsw!0P zbF()VBYykjKF~I?Ra&Zt6{MaBQS__W#}RGveD)QI8T$p|U}6C#sBhU1Gs&{3%7wUJPo-KUr`nL54N0}5RBxziUAv(=_)-+v>O%TCouLrR@{)~R-krwoxYY?|mD;HEy@vy~U}Sz?w5(`YPEV8gxL>$rB= z=_S2mluGG)qxJ)-%t0mR;UgLfs`PjZ=Il5+gM!U_2jcPm%Q$tsQo>_q7a!w9QCeCj zPE^NBBOf?TSKvHvUYe8I2)ZI&W4$qdFV145>nwgUAM1iXWggzzZpo_1da;358;>&$ z{I;vl9;!ckDJ{db&LdOnhI2PL2k9-I1QP1yZxXQ$>)uC&vW*Xcwn1Y^?3FJg8x_tX zpE}->=tsnlx*Z2y!*ue2SuUoWA4=99POra+Ke5CKd^zWW0tMDkhJhIAhmlwtphwQE z*1q27J6dw44h$jahZ9`Tv&#uLxLXHb8U~(ji(R9bu+x)cT7CQ7O7*~C&d%|ODgp_I zTuPh|Ol#RpsQsIUJ6dnM98G9^zS`ZlDDlu=*V2=A4t9q$&gzw#Y06{lcT6}u zJ+QzK?hz)$b?D%ZQ0R{}%Uq#39*q<{j8c4dlQgH3yAbczn~?Ph%o0iB!na44#}b6i zYiP(x-MjX|T6#A2_Pf90CAQe-mXFbSMa!gUWG z!Ht>0#qZw33p{UpyaX*O^WXzK@2i$W>>Iw*etkwXVRzh~dpNbH+iUvz)!C8d=N;4W zvJEQQcKrS7jb{fd;_HF3mvYH8^paH%1_Z_bWG~nh z7G6F}FRb?DOWDB_TaAFX(OPgQ^}1Gh9;BOu#ZAcLBvV=LSf|BbzZHt}hl*^6j+j*~pGuKMUN=O!->+i!T6P!NNsY-n}8Rq@g z6VksQQY-8wwX)lPE*#RAPUnk-jsMRtqDR=4=9DFIH7FFE7j3T=xn+M(NG$q#;7)K=WN(`G 
zVr{X*0ZxmLb*>R=Nb(B_&$q(`qZOU`tyFZ6*+KvsN+Qh8Z(5sdgx3~JH0@EnUwmXM zauJ$fH%So^pKDN_Q(~<(Y^g3Qly+56q3T$2`gY})ZQ99Rvd`;BQ*u0(0uFJ`m3DUO zEKvoKRy-r)q!c5FroobAzi~Hq6IH%s?DS3l#G@B0uf`}_GNz)WaHVhHdVe~c3L1lK z6`W;o_UK5~v*P-aPbp(5Tljlj)u&BDd1Wfk6S%W>QStRCq&$nn)~Dx|qk=5qnXbc5ioOuv9rks(cXg`H5zvIPN<&=Dvb7xtJNLkW%Ym zj_x~J3CX?&c&W$li_tp>buFZ)rvH{|*9 zTy=<3X8rf>z00TBADU289~G3RG@uon93w6U-QFP6y4bUK%r4`8&iXW~Hs*OZMV`5& z--~vVg-%&&#T`m!EV#lUXi+n6`azXEV>^hS)O@apfBc~1K_-p(@@U_vzGJ{j5k#x+ z+8qap3jXZ_;>Y!{-s(K|h$HOGPQuiSos!CCSg-}Gp62iJUc`*TRcxJGJ6)h(7~ZDU%xO&raKy&V!`x9h?hz^OgQwDwstRUge8| zqjGZA`zd20Gt8;`-8dbzZJyN7!;;ZR1B)0M^ydWLy{a%(5$s<#J zX=#o`QGl5k)la;Hci>Fs6Jp7u?4ejAa1*C9>==wolpmY2?1RFaCgaDfM~+)I4rc`; zYh+^s=O@N965e#dlLn$7oKosjqw*8}F#oE0)V@bkfI*91QdR{jgZC(yFnR9 zfJ?Dgo?a>Q+F5HfvkBTIZ^nOWwq{2gJ~)CWa`u6lcSN{oQ*Tr%643(jxk7h)Z{S-- zy$$sul5|D;^sO>_nAbb&_$hPGSN3cICOi*gDVm2j=QL7kNgVJlJ|gfoOIf=3BfX_R z@GEvXffG|eq;Q|7#V8U%_?&sZ4EyTQT`!OVFTdvEO&wBkV%Hr{q$6F;!G%(+w+TVY zm1G2F`478{y$oE@&&JvUic9enu3bfOzgy}!JM@pel+2ydMeMxHtvuji!h(GQYP4j4 zuaHwoPuZcNG|W_<W}+W>cb-7}btO?5jne*E!~k)1HS4cxYsGvz}%m+x!005O7Kj=40 z6<#4z)6A1iwN%BLP<)xxsSP9R;Yz=L(0^<|Up7llEiGoNpD2~F;;0#N?dZL#qQ|-R zNVX8?1%hAHRmLF0o9bs%J{G?>ERYiI2>)Q{hxEuD=g7!QkBe2JgI1qgW?(|Kp^>n4c zkX15*-uRCZWH6gZq|Jk(AI!q<<9Jw&{R*Sj$x~UOboOMFJY{yq)>Xa9JQr}L9#yVs zT(E+kR9!!NxuH=H!R?tL$IZC=%0bwEu9T3bQzTtC)u#s^-ArbXC3=v&9qbb7EoA$c zLh0%js5iV!QHfNMi!29q&ykS1L31PZ8S>j|jD(Z7BqFmU#3p}q{&-T~{5)K@NgZWI zj=QoG#=?6f(m$J3nC%Oh^%G9gcE_j7w_&%dP3w~nts{~Zsoi!Gddv{H3WRtl`-P zZX|*mzJwE~$I!vt&g18n`v7#UsB{1IQx6(g_x&d|6cm$a{lsPFU^s+nkZtPL= zey|i_vl#sDj&Se!qiV*;VR|hUw@I8*RZ)Y)euDTm9Y3FtsljuB#7O!w;r(m>G*OJP zCY6cWs}-VN9);%7k`vi?HJkKbbb_K)>*sZ(>0j-tehki?R18jCiHIqT&&(JXyM?>0 z-sgO0y}80OXPE$IV0o^TjvFF17@t{W+U{_{7J9x%zqth?I^%6sN^}2;8b(Rb+Hij1 zhp=MNJgCqpQOtm3>=6-wGbbN`e=kn^kv2)m3aW^Q>KyL{2!8kUwAd>|jl)OrN(oa_ zbT)Dl`SO&N-=}6&*D$G<1*v=rJKpN#D>--F3!CiRwI%ahS}VPI5@NBo{CwGE2$Dt% zUGq8CtlW%DJQa5tO*7vqTBw2?Rosvn^qMCW2|&!!nvWlf?`@Kdqe&$%n54?>&nKrZ 
zkhLT9Cu=Ic#K@+cb^nOmYh9ELZVyBchK(iq2uF@iOQs+bj}CZrE4_=@SSU+qvYlwo zs?~EhM5f+G4v^Wz<*9J@U(BpG5EAENVK>+mv&D@hf3NH-eqn}Gf%ndY=>zd334*25 zyo3So8msnO2+=&2^dr37+UVxw=cO!e!X~bBTh_vR)Qq0t0&(>=J_#s^WEp63vQOw{ z+7qSc976(vBWGlNYN?!s5~F!1T-cf-nGvqkFJ7RV_7ybigkqAFTe>^6M=cYInv<=R z^PwX3;E~Vye^eO2zP){Lv~?YQd!*FP?&zJS@ZlV3?>QD+v+Cn}lVV4W1!COPUD7-z zE9v4;?GN+GZ;?$op#d6C!im_fyE?k#nB{;}VNI9zHAIc*2f&`)73Dd(T zYgI;Cp&~MIxjBCB2(pck+YLEbC*V0;r~&14W8kwdJjR_ped{O^IStC<%lxOTykCy; zNj#5d7iKi*K~tY&>*zzdbv~0z_&4<9I>c3pq;81l=wIV z`RYiDS|v3;0G!Mrv?g~7{^I?Q1Sn_L>7inj)aVZ(7mZPrMy98Q z$9f?7Udz~tu{w+T4lV?}IfG*0ciS>P1{l3QrB1ta_6K(v_3UeoM=#=@>CApsc_2#H zhE2e`=w4&x(@J2uVkaeLol2^TA`g*J=Vt}mMh89R@@=`!w8QxAYjXp9mNh81?S*o_ z1lg_0_0~vM{q-}D9%yNwUVtX*jb-5_s}!USCzc9 zdY>}aArxjP3lMMCHfNhEdog7O{Vc1JXGFBZV>cjrOABB3=&MTKSjjns#uBdp-~>jU zI*Z6w?vU99c=A(m$*8(JK?pP+cIoLUY{@?-UZa}2ZFr7#znE0|#GLk| zjH9@-fP$Mlb)SZFt#kGd9iC$4sn9(>chvRD(_JWb=bOpuY%8JcS|c|X>)Nm1X+|rj z+*j^Q4$VaRgm#1?b0_b2qi-Qx3hSHtOUCn#do=RS>5E588bT#Af2?T3S!yrJ~+A1q4v2>+IuldrVLtG zR=1)tGu5F4OPG3#`Cu;mxZBxX)s~Q+RQ1sdeVn_vJAoO*bVu*hITuUZA?I6dw6w9Y zlbWN}s#FFU5=)BTN>Z8Hk$s$e2dKF^x9R!MqzT>qKT2z70Ah~y^9?ncf_64nSd6Qd(eWH&8)!Sc3d zW%r`TV5a#gNuI^0no}XNvAxlS8E4h*Lvx5jdr7rd0EaE7XU?piyOwlR9-jXe`QR%HV#5EVnPR2Ax&ZIv1Rxp-8;YSIha`rFBd&M+C>1U zDDChwd7Vb<3Pz(`Y=m1I4LPM3N=|F+t&o}3zb*^d^RcC!kFGX)q(AL0oWySv3MrD5 z%&cY?Hm0atOFc9UyzQ=1o!{hcZ`6HzkRZq`#XNUaH#E;`zq-2FTl;LWYW#QrJY>H1 zo~O5UDzBZxxRc8eOtO28r{-*2VZ=_Fs;eMP{Xy)YhnRByVRkUptH6x9fCu`dWF?bHfK% z`{(2#Bf@KT0$T87I%H5!q+(1-k152!j4DVfnrArG|Fl}ngjM$_OvpTRGneGV9D2^) za75dgb}ldsnzw@)^Qo|YhlO2$6X5`!`1gQ1;r9Rw%)`(}?D8wND-{uidaxI`Wn6f$ zQKXH$qnhf^APh5CbjR4S9>DKGB%jK4HFkYb@0BWHENQ zT>80yKfcrRa!pxc}2V zz|4)33NF5Vbf0F_%9G#1-G5qT;e&@S{&<@&BqdC&+kEl2S-OiO6Uj24uvvO7*sUyt z@L)fnHl#r;XiJMjFiiCF)iThCSGG>w{_^ji1V*D9TnFTuWhL<}i{&ANU8aR0wHL}f zF+KptdEns*>lb!!KLd>op-kWTh4whY9XUS46Y{s@OOTQm4FnVN0Y_Oc4ctgSKQ;^H zvKisDYnm1Pw-5Nsk9Ej<`4+wRdogDif=So{u^wy3I%p${t!E|Z*E-)WT=g~71|;7# z(&TQj>Q@vWze5r+x2Aw5m;Ye`|6)gTa?b}XeZI1G4qq7B)L;m2J@&)e*VyfGDE!L+ 
z{_=nRv=M7BY#AQ359gCokL~0;m1H<)j7j^iCMeE?uCof2YnTz+PH_K^x1bAmynxFV z>8|7VL)<0LoN543(v+54kf;$=!WD+vc+BiBeOC zO&tpS>;=#o&29%2RYmyV3r|(h473y`mSzraQo* znY#)WTeEhG6wzqe%M_c5s^L@P!>-lbI-DJYt}rQU%^a<6+|vGOv30`Q2M6Bo1iiq? zbXQR7FYovNe~@1e;XzWW)VfB7Qavs&tP&W7|ETsLWR?0z6gfdiSq`_h*VUBtt;~n& zb`bj^RGx#3t467 z!daG91Wju8{XGtVvIQ_q9vU>RZZ#Llv_8S?w4fxuII*5--Bj_H+bep9;DJHakZsxY zrAnZ}99w44tp#!^Uwy#2Yosf{BiL6!GY@25?HT{#ZkBN#!vroyLpkvE8L0sHcNP)# zQU4n?c^yGaRSmBF(XGU9{T5i||#p4j^J3`$`XM|Pw@>qEh8YAe_&-7aaO-1rG5IO+~y>NgGkJ<>Bb=)2WjQaPe&A(a@ zlY}1t9mj!Gp5YjDsj-=Fjnt@ihgl65nq>5PZ^Rer*BX@Be<7meWFiwKp~?O_-ig$| zn`qO*9oqmt%qr3Q$l~3VA=9G~sZnpx!D!TUlr5#&2TY{rWt@xf3dM&4(5(QM_~!j5 z9A-~_1#U46h&^W|*Q)id9tW0^tCB|ZmLLiU=X*oGcFZ%N0UP&aoL#@754TfB#(uQ( z{7b~GmK(Syy=UIt?hvhTZ(=VKq8b#dHl{l6^GxS_G0}%RgmVZ84aK9$*LN!b z6*;z2V%kng1s+9AXt~0bqmmkg0cZBWZPW##7t97qh-M$4=EA`|WY!t9=xWjlSo}RH zh2`gebpu8RlUeUg59`lTZ-YU603bdl>WA?PR|Or_Yl#J(UiR|UzwBiw+ibFI2NeNF za&xU{aov5twUb(6UDVt9L6Lq(x;l8)%@z85^2|0NeVpB=8FC4>e3vsT1*( zZrKyTEWo!S!foI@f~^h}aDy04HU9*tG~#p(YCPRab9?qN+7HN3mdqr08kk`S6%Th} zvYy`>p#5Xq#aY|C3_Q>#y=n4AfZ8vAj&M#k0S`lnq?$%N*U4vkx_>YmHhOZnt-pZ) z;o90kY~UT8?iwx~{gg)Ftylpp5`pQZ2ecB8DV&6W!rvOSc6EtERRB5wrmDjn31sM_ z08vK!w`2{q*5jcf9kMO^vutDJ`d764#_ou}d5xXRkCf8E$k%Os>Y?>yvK*RqN*8=W zvNXFi{OX?5_1I;1;LC(@f>LF+c2Sy#4*hzkz`EdK>Y#e(@%E>|LX$SVK!2ccZ}OBB zboEr9fWax@y5Nwr>P-uw1|0y`_*M9Ls%b$vPEr80bbFHKPRmSQc?CR6f&Npe9Ou>; zp1|%1ll&;Kg2m9x?r(}hyAd9Uof>}NDPsD-Iu4>b)4>U`w%dKY2v(lL$hd%1rTV&O zwGT{~%d*ctue8%LyjgX<3Gm>Pdq81Pre+OpyklOv)Dy-EgK9<4+r@;!bHGE?;so@} zm{L%Nj&Y)Ns&gWv7Qw?ckf6plyfOWKeAZRt!(fKmw7cRVJN`QZc5O^sZElO6dxO`c z)*nsAh^}7?dEvScVaFSwgn>uKwxoM zvs44F8q?xgDVB_kojN=TAisiKIYc6?r@Wb0OP^B_(1h4P@7iZ2|L}<1%9nt+Rj*@JQ#J>+YKmMYm z_i$UoBVccOQrA)wQ$Kysy|P+5Xj8RESer1?-v_d_3?^>dXe!W7=$$~#$Rp15+z}q| z^pVB0wBnEv8YhUQOYamB9BSM>^-c@z+HIg)62^S|CC#$eD%k>i*Cplsl@AOfd#%39 zsu9OztF5N{pjA&!o}VU;dv3RD6ugk6 z7)#)?iXs$UAs2E$u4h z>x%sV!v2CGl#b#X;WD(Q63PtMq-2a;wN7U-T>(2QhxzSDwTDaXvn35bH?M1&K^Ccr z8uO~7O!+wPu6e>&JGx(6gLY}qC98k?7>`v_@519I}QMF@b 
zQ9b&hl9~>7{r#zOCiPl=4W{N3(ATrFHGLw5;6e5uTWa*L{I|0{XTI{AU`72ged^!z z)*0%fNkFqgX_7$@H-VSsn#u8%;42IKNT7c*j=e?e5C#*lo2csY5Dz1*HgHh))h#`u z+Nig&$xaTvLtvl%k+ITMvaLT;Y(308vd?w2@XBADx#sjb5JJuRf9mG%VYJlKl-ZU* z-yNw%IRjTF*J|`_6%sfMlc`MmHurUMebZ21%@W+wm^0EkChMIqmbCq0nf-38mOqWv zKHZtNge228Xj`zcP&ed%ww>VQA2rGF4QdT zst$0Hx0|3#^+9H4MJZ1K-;z-EA@2|}a@8u28xI#suNu+h0Y5E29Cbxg=ty61h3Abp z_G#DyM@I{E^cZuqQmSK!)_Xxj#qG4hJewHwqc1l-^tL5b_05yh44X%h*U=?#VXq3R zw_iF~K*#+OFgv|8u2UB(fp97q))$7XK2z|Q984#MR0tE@?c&N5uRV+EOGrcZVi@{0 zub9??SKz_*7zbU{6g&0tXguPYXi_*XS&k~5x|pC>%s})*+*!5F4M`|B`BjbXXft)n zod!8ci#NLgT0*AeQyQI;yQXU0OscrC zW%t2AhK_p8PJ^b{A3$IPK~2C6C^HeesTtlff!2n8`j=L5yovg4p{)yPnif zUbRP`466peDp4nER_*H7G#>l((z``hOr9KGvLO|@%;HQerbe|S`%cswh0KfN2A%t#X^>6%CIdRI6pM^7usQ_oXUWsKWpqmcFd9ZdClv2ueET^C=Rw zlk0p}zjWkw#IF4CmglqilKoK}JJs?tV5TGK{Ped0La+u?d9I5#2DaE;o;_O)(u-$b z_k_r)p*9`_b#2nx7sy}luiKQW#Mbs*lQDjf+eR$AWx#V$SG2*V{IKDLyyAws~ z$Vv*`S1(stf10?*!r`0Mglf;COTaD#2-@3h919Px7}YEza@-cKAm09D-&A4R2w^=x zPW9KEGdw!VsZuFY{YIJ=a3^c8%b^-h9Ryd7lG%$|G*q~b^n|#$UW`(Br7ppp z#Or;$T(kZxd-v7xGbh`T=n2Mp(X72Mj@$LlLZRw&xjQm`4?XVK~eIjcdEOei+8 zxXP*1?T#EI@5@vTw$(;EWp9I8oo?S`EtK8CZKJ?v9hY^we*P~|!37)wNl{q*b2xA0 zwoD&{LR;0Ix?CVA)c`igwiS730tsqWgq)~3$X8Px>LsMqk%=$!~v#=F@>n`a$JI7A}@r ziYSdkJC9cg1`y;pgI3_lyd=m+=3YLx%NdSGD&dkRGP_5!B~bH0OG1^=SM2Wa2rtpW z>~56hW7W6>4)Ab7g!StqT|y*mNr!xHaJyjS_~eXqoFyD_1sCKH4b0UKTR4Y^Z|HoU z3eA=G@u*pX1)WsxpdrJ;NRj*hpp-Uo3vWzm$Xri-tE{Y}vpbdyc00q%OR@#-XQ4Dg z{7x@W?KdB|=X_{BO3uQH?7@+geU`)i<)~6I{h+&(AkC`JX@k(n-bV)hl|6z$(25$D zpq*jU#WrPh0G5s%muj8d z9WBa&+@M;dW+17L9$H|ih}Ts_o%NK2IPH<_j(etbdC-I-DmB+}hulsm&tQnZ)|e$e zme9aQ^-L%Y&HV4lf(+t0>4vONF8K!)IveFvr{KH=nnq+>S~{N}*9ec!<$=m%wlGhK zvaYu7gY#I%?C~>bdrx6 z?^J-ycjU_*b?+g0_Jl_B*>=V9l_6znZS~yzehF0Eo04|nVXYmp@)XNY*1-+7-*2)J zbMF(bva{+7gEe94z_F;8imMshNjr{GMxv)&&a4fmI65Ih|4(N!w$!eQS}^(5CKxiE z#zt57bo1!N4l!mT4|G+!BW+~G?l(k&nGA!p4sVuc3Fg)sZil^#GEiCN+R@6$(*0U8 zy4{trWy)Tq_Fy*4Lg>i5T^4HdtJunXs^RyA- 
z6LtdQiN`a}N~9*S_a}1Tj!Eqzoh;=&$4SF)VR|m$&_OLAr4)qsL{$vND&zAoPy0C?pGwA^KKR*+xTouL>evDxUzuzb$+MaJAf zTdq`2oUL+azhOm-S+PPdt1FRiG@@-03mrfCzqwvShIu}9Gp_S#>oox@>cYsjM%){QmH{b zZzAkbS3`F?xU$Cb9Mk5#v&9Vh~?uu#ZqF;T7$48sCFL%g|eY|*n)v{+t zWM}n4c>mbZe$RZ-qW<`d-5ayXRD~j0*|EZl_l(sQxE(NSubviK6g2jiIW%JD*s;>P zl(=#0va(aiP&YLjsqy~G&`Q$tvLac7Q-L2gX3xf;OYf{f&Eu-dU7ktK6T4e{;(LN- z?fyB>x3k}OJ4Zx-A7tN4@ggNeYr*0tK17+PLF?;+{`pAKCCJILh_KPUm=eaGVJBt2 z^ktABl^rZGl8+>9j<23E*#o7+h>z0xH3exIRC-dSK8Ur=fe>di7rlpSCBPO{sGwTuM`042aH!IaYy6VU`k2{aYX3 zJpe@FrJSY-C1t959juN~@>}z%x!9h5j?D~u)eJ7%8uHUQcRQVxw?FwQuU+^C66#=_ z8=^a`l;*>_k(o`1!PY(SFb{D$p_h)|UFi6Lb|`;ltn1@6qEE>4NW?wzrY)4H(tO>o zcOhxh$5e5vXCV{2#*sMt=RqPV%53m_e99GkbgRTex!FJ31S`wkSH9`t z>MX041(Nt`Tsdx9%mE_a4Vubb$3injclqEo1Ofoy;L{8c;DjIp6!v#*Ak&fbCoN2=xzLlSAm3j0xNwZfJ)! z63oDd!%Qe^J`g)2EAMp7TZS*xkBvxVpG({5w#w#K#SUHc5N=xT$$VmxEfc%#$C!u3 z6yzwNrG9(rh;g~>&L=Pl)|imBX#~l%NZ!oMTu|@#LT3yas#+zrY+UylZTa5O?Qw#_ zHVG7?v6bR*0C&W@e5cK&yc6_&wfFeWwsM4XgzDz;3>7K@DVDp7*Vxmi-!*ZelfO4DsdLWJobgHgOsbNb z`gPONStEhB_WjACCq)zL7;VZbV8+0Rqj7Zi0$J`WlP3R-p{(TRMV*4fGp~~*0k~z2d8~lzPVfS%V zt|9v-I6k1D*W9*~x`31J;hfbol|>hlxqH;pXOKSvy?DE;?sDw|>dWD!Hyh>=ACJr+ z+|c3lFBKspy>qvS#+wgWF!U3kG+mg!qpIhqhrS54(^uq_RAi8GHOc>N$0EO^L$4U>IaEw%%Ez23?YSFLTnj`$-EhFx+mkqcww1IpBV ztlfNOdR1qFcxrZ>>~`nw6DjUDm%F*eqC5SPcQFd@>? zG}$a{B|}%dcx;im``=>d=bxpX9Y35q(B^=ShH(!&gEqB`2y@mfsL~RR`6&k~iiZbt zpKivnBAc^7&S$#F)X1*&@&*{YREH^Jf6Owl<=~d3%Z=PfS5Ol_k*A5n z%zXg#s=_4H7i@HQYI^U}MW*77>}pJIYbX1qv4+vvICJ>z@l%2!W~8g++$;9>tq3OZ zWBov^yzD|sez2N@w|9y;As{2_h?KC=m+)=P%-TP5Dmh_g3YmbJ}-Z+%-|p5J0RIBqt^P5O@D5PDP>IqC9HR8Fy{ zD>01&rNrhM`rmqSy3`3=nL4c!v2R=liN9B-?vF2q$hkQU6x^K=l{CS{<5Q|vqp4iC zU;EgZCpt)<9`nJBRw~9&{6e-K!(>x%IrLtc2?g5-<>}>-0VnsWJ7ZFXt^7%x_@B{6 zahg+>MWGJ@iC<#CiuVWR=+CSE&!QMmcyY9)I|<6k72pjp?`k~+?p!vjAq;wcOVEyE zF|F+D^f3{LFQqh4W3RJ&7jfBt5iz@!30uAUvL!+D zoYQRNv~4p;Le9nEBsKp8jn$TM8br5@v? 
zbGbH(grD=Y>uRgx+qJKn^pya%-x^4%Or<4!eY-iqj&)WcPlKyGN+grfLh5f(}keod}w@$1okpN}9tZ`}P@>la}}L4+#506W%pp)WTV zwi7bmYVbp&|02*Ni=jK9@{Col?5l~z zLW`_=Zx|lzZ)7$v>`y$nyE$%NY|w6NrG*S?NQ)<8RH~RQkz6qBflgm+H_yvUri!J; zih#nh>iI!OrPHix?jjlVC~+Lqt9JM{23~G&ESf~k?m!m`{83lqGnYKp4`AB6H^Bn%jfd2PD^Mhb&4M@`4I#J1G9*A%*JX37ma*k*Q%L%mTD_uB3b9C5F~YI(-y zy=kbG!iDuO?{*F+g<_)b+-!TiIoN%cLSzu(1Evw_0810O4t#=NRSYdY9U&U}h}Rc! z3(5mo?cbl`t#qmR_!#t%n6uT(^R&IxF|gI#4%uC={K3A^=YY&|9#Tj$}}Lt5#|(Y{7HNx9MN516jXkj_K-QlnWddI9on5nnqP{ z_1F~;ClklgYsx>6Gk(zkM=2(laxll#+j3kTB>9)82bUozL&Zq{){|%II~4i%M{;m0 zRpLQk4o7hVxIO=N3n4b}&{b*my#MVV!oB|Aul>J=@W+Dszm@R+RFF%onA{Iljd#0imL0wnk;qF7#A4V3yVZoVTVRaD3Ah zI`F-K|KA^2A3+Rc>gT|GK$4MBF{9Y8FY5> z$B9OtY#^L5uUUB%c$(z}Op!2}eiw;wQCf4mYaFb~%>#w%px?O&J~rig?;=#6T)Yid ze@s?8Uye$boUEfP_o7V*It?Av%QXa(0e?SJ4xZ{%=R>-%%mnW7l-Q8kv7QK72qC?- z2a3a|9wWXU!)n@A?j{PGVA=VhD@_0xD!@Y0CcA1JMqHin9DNM<8l^zC7_72cFa=A_ z?%g{9C9$2AUA|f=!zZwN{76G0x!HiK`wS>h5lriN%O?ph z=EMQ1?>}stxnn8p9y{PQC$UVYI+g|NP^rvRbq8F}2$r^h9aM@mX2B_pj$~@gC_Q$B z?hAo5Z)abg=0aIN9m0gE>>Lo+%yT(wJ8;)bXcL#`(;bP3OZSc1h{#V82U0^Oy!d2D z)PiT}cT!F!C|`EK#5~CHVboO<&T>}c%82f$cP+}R6~3tA9eHIt5Fe*;4!9t=Vc*^9ks|kNXh(yd_&%RWU(STQ>hp2v*u$9n z_+2o&DbsrH=(VUm3wwRJLUtfqIlqiSG3(*w{+OXczdl85tJcchQM>WVUbS*F6!ucS zcHP(>&`@3tv9CFoxI84bJbG}i{HoNVy6g^`%fg@ni}yF2Aj!N*lgVj5X6ncknF>yJ z9C~jFzZ0-T>^^ohz=!L?B)bwYgas;jSyw>0aqnA7hbjDSAIrdkKIb81IMqNVz5On5 zy#~>al23>@FQ>oUA+Ubs~C!kVNmegV^qp10JnQ}h-5j^@%&7O zD9z8_Jv#O8MUv^wQ`jqx0Ywc-ywOVga+;t4Wi^*9!)c6+_gI7KzLU9?g7T zt_im5=BGh6c1tJVS2AVfR+fMpKC`^qD)6C3mntT4Bh_}{+fpC~*4J*&Ge#!WfOWlD zn;B-_)wAV(A|61>+vRZmW{*fKjLeqwTce(J-RGVB0#E7?eT`HLt#lvDFL@090!WCxMPU!H!Z)#&u8bR^xtU`ByN+sN05e?by` z%7`K?5Krue8{zaVszOA4`43^>`w!Gr5=^t2l-;7JY_g1Vf`73Ke)``bnS$c%|?*p7wqveOZPBQ3-jszcXL1fqIxAN ziPP+=S zT9DlIgT=1=!f?4cYjn{s$jk+|vGFFxE^6B{k^XnzxxXO!I9Qy%2=iSM2`;ObUCCyK z0t`1+C(Dj?kfT?p@E4Vi%qa})Vy}$z&6X#Ae8M52f>49!XjEF>-2qU>GmwI(@1k^^ zDTE6!)?7621IUw6yS8Q&7Ar!T?iMo-M+jsHgS31P=EImGbkcMwifWhv3Uo?wvske0 zY!C@JeHYLZs~v8@p>wR~dh{*3Rvb5%7DXZjfaBpZ5y5rDQ 
zREc_jVBuu(g#Qqs5Xx z`Z!2_is5z!VQ$MJ{Jab}-P?^uqpn~PW()k&DnYQ-9Y=v}s{h67LOS%_WG@>lg*5$ZVz9S{O*u)ID_H{))M&6e-$bij2`bc4k96`Zo`J@b?IQN1fyj#%9?b?!@*FfrC!QeKLrr4Kvop zk<_Pl?DTCc4}uJMDN`lD#w1h zlhiX88VsJ~3nW&*ieVv1htQS?8&oL%ySC9VzR)B%6oo7CssQtwCvps=MMDkgqr1(O z#aHu7`?MiiA~fB`KIRfy_7}f|c?U2vhXnOOSBK6ij9Mh6b ziN6X`LhuOftV!a&_YwXBmARu6egt?b5LovxD%lv0CW}?|vq1brIJMnAi&C-NgMpl5 zhGd*(B`_`YMG)VHiW5u;GX)=TrbY+A)^fmm-$-*1ka6?vl~hQ6IDi+pe`RtQvW|B! zU|1LCg>wdKodw(1*E_mLf85-EghIhv1ayi$bS0H3nuPtHf?4P=0jLnljkKyW3qOXk zA0O7AzeSJ|Q%p8a)D-uiUhr3UPZd%NFLP~i;M9*V^VdlwRWLe6#i~zh;;(;vAgAae z0YIjfLj5-mm?>F6t|$w+2>;~}fx80}CX9;iavh1kZ-oP&4j1Uo3n93ThQs?8r^3(I zFQ%Pfx*c6~;qMn9V~GhNL?4XwV<1*DE&5*qkxnUUxNigO;Y&6f9{u^q|MMCiz=!U2 zdpP~{*T|)d-2t3<1E5YM&A!o|YLyOi+2C&6b;u6f4V53f5IQ>E1Mf~_ z^5CKe4pRZR4>aHke6uKTtGGY;2|&|Q=$$q3jnz05KL>|*WP6zOWXKlo>hAb%tx41KFztvBwEeS=j_9vyvH~jx@h7N4ABInw3iKL|^4DvE5Tpj9Vz&^XjC;(_=d8ggGXzxvs=))(7N#OR^%(P# zA-=3O<*^TwX2-ECNM7K);QC?bg?J#rvp|LD$Nlz&v7leeX%K?+nau9Mw!!{eaMU}|1#rU_Po5^}@}29_nSFAn#Qfh?#*RHcey1qTG} zC4$`7&0Lsbfv0>1v)n67wjJ_$ZH000Jm;8St#r18yqHOh;@LSGdr8bOI1{xu!`fUx zaDWVB9s;ZU-0Pl48WbxJW@;&yAV<|><@j$u0k)Ylc8+Fs-`j}GCNL0|-gW?bR~2rz z;`v=(M9}Lk!_zTCFaf{@?wbt)NBJ(|X$~hmZFrIf%{dSlTty$b>jAKYyO_Iz$H*YI znP}Y2smW%->4s^5Zi*zBpZD;s1Fj$KssIz;?;?Vo>V2r>s={UjcGsTl1SqCc2VUEx z@LbzMrgsg)Icq9D#|H)T4(v5e?<9MgrqQ;;bzyRv(=Zeq2ih%beFn=An3q|NKNhQ) zHBma{gfl8Lm8?UjYC*)!R+dLOXP6HK+)TBy6Ox^_e0+d_^&{|1#KKj_j{MM%gtgX26O4j^QxD)yIGt&dB?Ut^%@j(#T|{@viUG- zERGdUde!)$5*biIqUCN-1g@RggSPj;Qx+YK0`&%?aA>l=uuVF==ufjZ=z zh5~aVvQ&thdKq}44KP)Gq?V5k_bYOwa}zKfxYEsyu(ff@7%TESXAdZ0>5e0h3&bA^ zLk78HRav~c*&{HyBaiySX1e&}E^VVAzHznzW-3#Xq^hN$ zlT2+N#GV#Jm2I&+!{84*Z--yC*q0ma0yFfM3LSAx_Ub%wxtmk3=0Nx{C2Vm8Mn(>_#t==FR~f1&Bh-YTGsF1y=7a>2A{rX*U+c`B8B^Nv zN1StyI_<9a-(C$h5nzal+yTR)BJg8xW!Ekjhb=v7P?8qeVNlf9>xj+0BT4ScSAP9S z-P(R4$Y;$?ZlA>~=`6HaB7Kv$FTj9ZUvAX>dUW;xuJy-~eHN4F_*K7J0rZRPNjHU0 zXdy5ZP7-5a*m7u&f;@H$V}i@pbY%6KXO;#qG_~rY@|jhjW}Kyzin-PacS%sH`~?n8 zl=$H^zbHon1cFPm){5#5KG2$dhLgcI2fCY=wkdAqA}g7=6Ng7?<3j14hJAAU0}asC 
z6hu?hQ|ic=QW0)Y35>ful|)tEbq_HRPV81_iZVS~UTUS6B18M_j%?Gei-xm&b|ujx4uQ zk0IBova@d%gOk=uNfR?1FWb5bZ4<*`8Pq)iiu%)QrDmNw=~eXrDMIM-}72GUrZ^GEHbM0t+J z``c+7HC@epD00JOYzaF5?WOJ3%VVRcw8;e*WVR4=|99>|y}9JDcyn-b%ykFFX;9Xt z7<-nzylm!en{ekoQLE-2kQJ)dK5lEv)w#Ox?0uai2#RWN+&XA6LWjV3>QcUQ9w>r~$)1P{FMu|%3`lsfe=An4G31jPPu$#ZoOzbPse9sYp z1<;ed`kA#^O}Lw%-LNBJ0RO57*OMfpDa3}xHc??7+uEef+(xbo>pn#tG?MdnFBB!a zaePtTvex#*TT8y=1hSt}J{ai2G~fdJ)}(M)TG!xMZuBi#bvZaUCHHCAhjzo2weC07 z!1NrAw`-Cctz|!+4q$CzZ#UVpSuVVJ<-wk_opWnw%G-c0Zxh!~&121lQgUdh)KNKM z5qDJJ=Z)u4I;iB?@Oh2K_SPxN&yXGbH~Z}(?ywdN6&|k!iQImah}-t^SMkwo_A;0R zcT8Oq4bR3{@k%3!p0-?B`UKq)WGJnAnaJRoU1OlA2~uJZPVrBN$!l;MQ?wl|2Tn$; zcd|K;x6Ef10RSRSRvVT&(e;*hHD)KfPDz&)e>UPb!7L%7Q}Q`_Zt?!b z#JvNkZ$0rTF(c?nH-WIx+oNi)QrBGZ)(TDBlhKP~j{K-_24T;mCvC0tk>Hj}rmROh zh~JAH^Z<%V+cy^?D_$C5c+d2?f@7QpY1RanVI6Rluo!*z0F|#^(==8&U}7OSgC6xj zeY{k?%yf?XaT}cUz&F^h;L^E@8On@p&DgjI!yHc9WiPKF`Zjgt4jvV#UyrjV9kTGN3WuobCjh(5lx9)01xDxRuVxl9N8}0N@3_y;CvsiL_<=ETEnFA zUOMEPUJS|&HV0GAOdP|pUV8boinbJqNG2P1FUYJ_V5r^g>)v;`W}fP39GXJv9~gfW zB{xaJb?(cbUH}^l{q3!jWE%Mh+QP4B6VUrDi}XZ>!@YdytaSK%p4bKzg!>2%UGw7M z(Mo}#G6xJBN*V62h$`7dY2#z(OI+U1f;^y|9qBm%a&QZGeVdtn1zc=OQ3>_9%(x-- zp134iVjEVVQAF|t&CDv%9u3S;5>#De!Pd{Fqsw>5+4b#_X}kLRMVnkZ#Od-W+_xz=q74D~A6Gl=Eia5#_xjTW3fGYD5Y z9tJ)5oY{HNq)DVG$YWhcM$IZchebHb((_U!{8G5tXjP?7#=T^n%n!+0jbXX!f_$&T z2aLTBo0g4rGD+Oub=pr(cu3*+t4HXvvP4^{jFh8EWyb+iwW-`RY*g=YO|8J_rkk zX`rRp^?7`MuUtZ!h<6-DH&;z;0+yyPE}hpo z0Qj|)5w_<7{d8r-(ZeHu)55@_c1KB1z_a1FotUtd`zKNF&&${%5M!*5t?PdGNenO^ z%hin&6x=jS#X}lAMN}PFghn81f7BFo2uJtWr=9<^kb-&lqyIppFjdD|=>Y zjgXoJVaX;hBBl$V`Kzp~Li`T+oHk0Jp@Kl>v~t??vt-!^dU&-~YXH zFu;Mi2mE9;NIXmdOdY;>NICGp6;G)q^gxrDgVw19hIfyFt>4p6^LH1nLgmqhr=P~7EGDpy7MaUxM+s!jBkhFB+^ zpug_^Zx8?byA@1BZeJl}@yFlwGobdLEB!(ZAOLdMGwdS1AG6ed zxB@K!x2_LbE@BEj3rH@P0^o{^3QqOM(fJ0Yme~ zFIUaM%W}X6aFawI_vhGn;4=UCFCm$51(KM9l)v$~m=SpOMa%VnxWXTQ11k|+K_=Bt z-LYR@`jjxht6ES0m9Yr_8P)*+ZbZ6Hzwx+gumE1gVLSRetWyQJf;11)gJ{yhNBW;j 
z4X)~2@V`7m0N(%qELs_kZVJO4sPczjo)j>JUWj_nD8lu?>`NF26W;FzphN?iUw0|^r@R8AomB#BFO2Wk-1*6P=NR2p7`~)x$_Q3 zm#-elGahO7cBM+dXDzrx+t2JI;Kj)Jy)tz^S7;4FyK~^oK!1*^4rEp(?_YX*qu%{! zH}>n_e#rd=VY9efwL+#`Vz$#%sOXJNPdkqVjCkqIJp}s%?3tc;WMc=ZXm>TE`JBoq zT-G`{tUt<-@!00vj^iDKB*6f1$!cNfZ5sE`A-Ed!hFf63txkH3rMRK?$Zzbh0ao-v z?`!E6{0K)JPI#6XV$xgBA@g{p5jT$>Si1+To<+CAxMD`#>SmRVh;=X2c)nb-8vx@Y zO)KEocn<y96ukF?vM}syk{1zh|RSP;_|`> ze}1u!%r7+oIoON!Z`iQ@ZS82f;~4q2!8r4qu`Q4R2B67&+HnNzqdImC?I6w41FFY! zFxcWTy$?26U?k@I`8TfOyH)}4y+No9p76he1dO)S43b4i-<0#UMgb$&5!nA`HL!=I zXxI_?DupkAZ$?lidGbT5Z2uR){N`R8_hh^`+s)Us9c&z*{zHNBKNtEPoMV7G)k2d7 zVQ3`E!x9rk{H+k!*elN8&H&*=a^*=2>{`P%4OLf6E_fHoeAc}9-a7`R97AX+l!FDf<(Yy|p1GW5sIutbh4to(1i_lcqI06BwqV*XY?I+3g7;!NES%fWc zQhftPvJL}Q{UXi@im#i&FasMQGaTcS+GvCBi_y>~!0pUCU;vckvas-C_K9v_2ZKj~WZoU&;ikx2YYrf6spKk$0g8%1X36)bGH_jj3bpiLvp zk{J9<&B3qfvPMM*M9R6LJ|H7hPe-VKdPHVMC#S?HB#7~wU*bXa5B#kBns~wMDJG=F zj7`6#03bXLvl9@~iy-7bd z=NsnbP8JWn(o5*nRKNEX;($)y+7P?-GFt>65AAoq#DWBe@JC=XvF$xB1wds8ng>y) z_rnQ(`#0dZ-@uRyn#hAqpNQ?D%`vF^WJ0-|Jf9cy6pC3cQOU;*>o>m?#L&3_PNox^ zZh_9H2}oi}zkU05qk4L3Y9K=0%n15`3?*^Qzz<;A@GpVwTkS&Kzfg@8#_oN31VY_(hk^$HYQyux3Imhm;k>>d|FZEci%KD2w>3IClpt$P*itdFn0SN-DE>@KqsjHRwUOlxO+AF7E)6eTf$YJme; z`M-5LOurKK9Krt@c}R@;Vh@!%mi>wBlH`hPT^zj9 zA73lgRdmPOon{$yp8k2WwG>G=*DZK+sUmdh`}{Ht_KpO zvd~1(rOCQ|=7Y?a<|8<*U!S%r2K!MIajl%hJ1CT{_))?q% zovxY=bU1uCD&KX%$ymr@8FT}0h?Tj14)Am^%D#G;AJNR^z%wX=n&TqxI0B0yqC<7l zLNA2zdF)-fdID@QC3u%N@JHVC31e`&h(5#e5p+feudip*v$JIF?steEes#J~el^yh z@lhFVtd0mzG)*vX7m_<0MxV-~@ld~re&JSv+$~DUrc>WTA6+yCLLy%1Nc3FzTx!_) z0^z$a0AxHpJsm!9Y#nfBprh+MzZFWLK9!;Myb3PU6)_tP+qWHaFyO?J$FH1=5k7d# z7J1e~kdJ*DkkC?ei5m^WdfQ@dZTBNvmtB~z;C%wRg-te{0I26m85H+?(I~()(}{mY zH5BoRY`b-_clP9m4gQ@^@}Zq`BNFaz)D;qFRk-xXO4ReMhtBIF9PSocf!0O9c%|I| zlKvtj#s%MpdsC}KwB15oc0m_9H>t`b5qM~<5d^E^sC1dRR?hK}vJuO7VVm8!f320j zzPTVh0sgV#*~{hN^cCT(VQkk`F@hqTm&U*q7#y|B(O z14o9*X?-9Eia1_I{AQJk^>0@LWdb!(?`{j6DK%K(xiEll1JSnJZ=#s(vOoy55CjY$ z3(iMa5w>6sIs~%TkMs7>B?_#&d6KUO+|{|trS^3N(Bh5f5Gn%_3dEj`=Bjg6gOosX 
za%X*EHZK-zd3zyUy=iy(RaE&bB8@%C|Fs@Tbn~9P#N}xbOB9Oj{FLZTS%gq-gSci+ zBZ)F_!`_vR+NxJW3r3SP>w-kYHSZHg@RahkP!N<#k+!uI&m#M$3u}9gsC$svcP2xO z_>_;`qTcZCH$Vc;pzg(lnuM*qkYK8O#W7|-S1`xXiCkeV|qV4`$Kd@aEcHIj!zp7>59OPj*SiG9~wvs{nc_&bAgZKy-A(NgK8 zy&~TFAqy6h#?2>CFc4wj-Mt>Y>@!evr;~*riiZI9nU*I36QU347l0LUv$MeAJ#!89 zz4t&&zDn&h_mEnstFsa5K7rM5s`|_-csN_$OI1&N@RraW%qT`RX;M6})sjqJM(Wjn zsO&g|<4J?)c>B*MeFaX>l>e)5DJ^hr=tQH+o*|n<!i5}mwy{-=aDqXGl3WCz67 zYpW2coci~-pc52Z%$50Q&U><>jeA@4^b6calMYF{nhg*38_u1%??YIQ#X5E!X{Mee z(Rnu4j+Zp4TI6zNTL;m}!6gk_@V|yZdnlwu`wsqGy&%B^1;7$h-Ics@eDWbi4Ib~y0h|WRfX1*X2P#slV8nh}m=*hR zZV`C6EP2m9F(7E;3b48dB0#%%-Ci1dZ-eLuZ51bOePgp*(wM#Uu=|9LynLEuA?Wt9 zn&Wi4rq0~%yP1?B8gTmkTf+Wp@}Wl_Dy6J`yJZk>*wn|3FXrWjv7}&_nS&g93Rlpr zkF#)Bs-sF3dx{?*G++ScY+)r;i<#Ea9HN$?IdvqEq~89KcS-O}+6eSxV(WtRKPQ-vA>Uyl0Ig12<-hb>_27ei9KndKso{mHyNICj%|kCkcd9VM zeX29t3qlvSU3quU&(lgoa7N6vzjq^Vf4u1F0+h}?()pSR51bZJADX<$1j$zy9?=QM zhZ%lRX?yu*Lt6gs2i&+90&_mXbDy5vc%s1Wk9EFkqiD`mzXeanH1rUfkPhoM3$gs; z*@kZ&;4~2Xj=c~v7sBnUzF}h!okzL(9fCr*P8pm|bJhuXGCPY52U^9rUW4#r=Ec^$ ztY#c+fxe1}x?4{ly_B%B&FgcsVA%b-gXH%cez#~edkWQZI?%Aa=Pz( zr8&^4NoqoI8MfG=xyVX5vW zo$r!JaI>Ppr$+=&pOlr{5x-hhRDki>u1jjD3-h@2mtpxW$M04`Fv zbV(~$`!$~QSY42x4K?It7-9}A#&JKPd+61z*8=b4Vi)3OJAg_$6PFvRbK7}SN3x_r zAh~SJ(WE~mRU)!VVSbM@_$noF?(STkgu!w8SeGtT{00GoheUb`KCbkr=IVgLF3*W>7+{Ur2o1xq}3d~A`NM#+E|PG_uY>~N2u z-Pr%S(Dh(5-gjv3UFzzy`2@^aGDg;Ov6Cie4`!L}MWXdQ1vF71gA9iJx36{j0f@>* zUG5TP`Rc+YctNqDyJ?0CbJY$v>(6--?;0mHdJ?ND*YKad!Pd5gSc?D)NZX8oetrlJ zzfp(6fPp}kGQ7EKl4prlXX7OI!@jIME#jk)C>?KN=^CVsEi;Pmq77-;eR_G5ZS#^U z0T$~WUhlbMXFTt2dq9!U*AQTLQg5EuV^X%$_4?aQNdLT1p?fzXNKO@;uFIZgb(T4;`{o7Z%`PuwqVuqqPj-le{Kp!D_Ik zo>QRaf86Gcdk;ufu^Fu~L)H;4j?N+hKV@zhLvB-F^Y?ZM+)*(Qhb!O$EE0e4T zR!vLg?Rb)xT*RWA2$>B^qxa-JXAajt9vmkMSUvdy&xM_u7%Zc>XnCK!CGYfiB}e%Y zR!k}=8+O0g|1cX(0=Yk@adMVbeHn#F@&jv{j9*`=-973seEn>w<4U-zD{Fei=O8V^EB zilyRfP0vQq(DzduT|Z^bN*_ufmIx3`l_dAQu16^cu2OzGI?rra|9GoK(i7mB9=~wD zOLgjk>4#UoODRm1Q>Xd|sTuTc1TuY_7n@K$F86IkMk5LUsA6U|E=*U%ALb(B 
zZdnQJKR?#zllTnp+!HSTxxST{00ZkTU;W5bDYq?ev2#sS==~&~xGMpbQEdYI&i(ZF z#!xd31{M!-MXGE+_|jGd5#t}Wp9Yn@3}cY(HpkY^+XvEX&!n2p%f=2d{q*+AuqK?P z#P4itw9xqb_`7+06iT~l&VMg@*%cQR@nkfJ;8Jap(0J2)OI!KR2z2$M-pAahlUCraPqhl&{Ky=e?r$m9LnCLRv6&ypcOwUH^X&ccQgs7ixvrvEP;R+83qsZNTXu$WN$7+_8QHu!0S~8p?Ov-&XbqfsH`$w;gu&11FB=gk&cNBZ6a{AE!sV&WMT|#D8g% zomKvZ@pf(0r|Ec{>FG?Gr|ow?b|jkRg+sGUa_*l0{&pumf|4Y>!23*H9y}FMp?TMJ zJBO!Jf#*bKM0*v1lIPE`Qv&)au~Ozp<1K6-h4f44^aS=WZUF_8Gng_$=$C4C!MkAt zx>;ZI-?ziCi3YHA-~PN=R3QT_63)wwphA3XRvRa9D_O4L_$j(>bWYA8;42Zo?o7K) zRt+-BQD+8Tp{Ej$w&?!zXsAPup=(XmA~t!vTD~)rZ(p$}dSeNl60^bfS9m8%DLwuZ zU;q~^9w(UPQVFm@q%#dte9vN-RZd4_7z{w+SPf!9KT}3#N5b}aB>!&SYE%oIUu96@ zQ)5QY#A_Dw`=WrWGNM;La1Uqp+{BzES(hz`jg*S{R`66p>n%!PLzGFlaCZ?gj=-fhr@ zHUb@J3~-^e+RjY?7*yQoPePI@@t+>WDFVSM%4-%0P8%1Qa!*l1QvjJ1go5e3w-hCh z>c9(=&dR~|{Tn8)dlD^e3IUGfP9z13Y0JWHkYUAWW0)D-}e)!indj5wdUqEeSysh;sP=Nf~c7xa+Jk7+?(ya zE0~|zZ{A_bL{q{rr9@bF*b2VU*yMe1Vw&xjA`W~`Vw#x}q*v^5I=4lPp( z`Am)l@oyW}W&Dx#B5{gUT=4K|y)|$7;-9xE)h+aZ^vKAtrdx4Eey|pGkDZhIiDRHpD{QOyoZ{y91P z;C<`o^Iq5Pl?3Np^oTaJl8dK#y(&7tip(NfJgO}hLG$|PWfkTHu5`o=1aUy58FB`q zV8aJBVz|5C`EqByNtKIb))r)V@1bhfy(Tv5czX56kG@J+SH>^985+m;@eJVhIW#<7 zPto`a00s(H3}S$?FjSf?k^dREaFy)SKHV*&6zmUI61J?5Yh~b?={&&r9~Lkw5Bk-+LBkXrP$$v@H?dURh(MK|m#^vmY@b{-&fmRZ9qK*NZPaCvf@qYw_v zbRn8~7xlI8Na$ZH_J4dsc7qD#9_@KbQ&Mdira%dy4zJ!26(JP8{PcY|LUq1(A2b>o ztv>ZBq`~ZRPy0b)QbX##1A3%_V+0o~RuSY;Gin_%nh?HDuuFcXfntp74JLDymFYth zb7$J=!<`d83qlqGu*CWjt{>JuA9E^>NNYe}YB53BHN6dosiJ_=RRb5 zxy15qYzuRL5@y>QwlW3!&w6Gc8z~_u@_ju9=hO%)TeGo#Vdo9`SW7f3 zNcC=1<6UU`Hql}{zu6X@Uf6;_uSGirX$vrY*n;H5E*b&YX|8SokCt4u=h&;zxk`URaZ614 z=Pqm4R$XY&Pr?vd-yVcwK=3%zZ{rFHm`G@&!22*2nF{4QfYl0=C#|oBDa#`4`fZCQ zd6lnoY0;w`D!AGpVW(t@UV@Sl(ShL$$3{lZVyq#a*;|EYUDjlkQ9zf-1yvC6C=M-v z^dG@=5tD&F%wP%9RZwcaOjVlYq_T{y^00+ZQG<1TA~c@+S#b2n&j7P>sz|>3AM5SF zk3!Zl3!=>T3{E9`qP9wI$cS&IzN(wOim z7rIDu1M#{gj`1fAjVePdhj*uEW=QAW`M$-CNWPpx5Au_$oi!9q5t%#B>BYtJ)Kv$B z86!f5(uKN)Mb3{C0uXpDk_BB8HAK7`bD?tIfbly6O6n**V7U~5NF=x8JwULNGiyuW 
zb|InN#)V*@BD-UFW!@*q^pS`fT~`ggeOoZ==RS&|EfPO?i|U$yvu&A7?jLQF{~bm$ z=rB0I|0w5LZ;Z^8)%BvwmEe%1Lwq5YgT4X30#G0mpjQN|ZUD08TX~yID1jXd?}GI9 z*Dj8wvons`&mBvngP)fSCr|qS?YRGY*U#q=M#qC=`ub6`&@Ptqd@P4ySEFQk1KJ*b zst=zC)jauo&hU$0^2Y}Wa$_*07Rwjy#DLKFd!0i#0uzL;7gcA*{M4WW~nYs<(RC69P>AAj`TNO>e5(PY2)3Q-&9oX7r6>8%s;Q@ zAHSh0hK{d6M7lA7`>BF;jt-0|kkJnhLDXe=t)R;a9Lzx!r>v0g_^GCy=dhmdc>`WYK^5NI zV4i^jSMmGr43mF&P=Xt$#Aafdoz(Lqd<6&3C+y^z?wJ{v!j;WniA}VTOZ1*cp9V{V zb6P72gI(FJeXeWcTT{DuY7goLA4}Xw+WfHJ7uh8@esX3wDcq}Z<4v*hunB=g9V+!< zipohIvyp2^OB6vSq%QehxPj=Ukx5s>04kaylvALL4S=ZrCF&;m>WirTDLoA(7A$b# zNo`(kw?XJZgV5?Aw27{h`by4nPe?(=o7~ce4>)4NWqfd4B9v8ih-H4J(a_R}g~NSG z4FzUr6!%}@=LM}V;0P#F+XdLTL_yMJYpC~JyP08 z(tY8dA^r@AgoKoIHwY+F(hbrbN;lFi-QWGV&pGdT|8MPY z42NTnJ%+GYJnN2Y{^p#t=N7E>%#cq-eOjQa!l!@(+cU zbs}Pc?s~=+c?oRw^5-P`nAd=haD<`_fNH;#nE{#MY4ODe1KCAD5u!Pi3NbVX(k@-B zzrhq{!6`HAD!F^!532xLYemy47VapzXh7jBy3*bhls3T@NXHiLI|%gJHW}M4EnAkOb@I*;aPVq z<}1v0FsiS{C`S0O)JMU&8 zQwLN8`LY>Xk?PZXFD}DZbYS?It9rP`iH8 z5iDwWJ*q2Hf9WGKaRAI1q0hZSq}RdJPaM`lM(Leim~|vR7l2onlCmC691?Q7PIA69 zNC{<`__oS}A!)QSuG3@tb>yRl<<(LeTk*m1)Q|h4UlN;XzkEiZ2JT3(B9xOsET{z- z{3w2;))Zi5WURY@`Yrei!62i0vsc?`#^Db%RB0xL$|?4)Q6aM;pQ!XkqUwSHpMkWNI1cmDc5=t2%?dM zVjn|maL;jtg1_Tx=!tHa`t^X%NS}>Z;NAQ1Q?R70-p<7(1W}<F{D#8sp}CO?4pI+D1DgdSETXXp>E18`*Pxn}GlZWoiW$$ewXd8? z9hLIr@ZL5I)#V`y-JZC)_km=T7C@~5O2 zJs?(U3W_NKw}EdUrK63{wbcv@`3XvZVc$E7#_x=2?u(w^JFj$=Mv?stl5df;ioP?( zrDal+-XY!=P-J?2hnJV#xog*V-;LwrZ$KXT4?L(6=||_avknF6sl9=x8CTONVzs{_ z<;Z;*Q=MDDN%k4f32zt^q8kL@4)VEMD?!(p9m?PG23oYuHUCb!62^#To(vgQ(;f78 zxG{$X)fK_h!A@tT*P%2U4zfx&lEX-G;(>At&T@UBw1aca)o~{hoM=Oj_WdO+>aN`R zJU)m@(u;bfdJ{$53vx8@}U85%u~cWB#htyz_X3A5ar0uaB=y=}sn zjQ&?(2Qr6&Gg5`;qw*K1AHqeiFMnU~@Sgfj3RuDSnf2Lnm<;HBP|nCmLh52Q}zVAOLBYwI>}>rFsZ$m z{ddwOaDc_M466wVB(dnXLTFndxDQrC-4?-hwhWpK&7cH!VgH&Z@VV75C<7D#>n9YbLG5g8LvpN0OK~IK2sQBy3`erQ{j*N66TbQ?TD&t84aOvuwOa!xOP! 
zGeC{j?t%FA7`ee1Hhlx~CLG4jKVnMmiVXpOrS))o_;M+;y+(iO>o#Q4aC+<0-Y%a#@bK{*uIik!vt( zu*7%xsaEGyR1??RR{mD58F}OS_b3fmR--gkh*Kd(?)N?hR7WYR`PpU5VnMTXJVv%$F^jcLy_Ob&omWqW0K1}+SDg&%fx zi+G#ZSwpjzEXFWgc{R3<7802S*Y6R?5v(SU>JKC3?0CQ|m6%>sBl+%4^sA9lBe}*kVLrw*?t(#o zuf}Be-(75riAB9HDdjCFzPejeoIG;Byz1fJQONXw284_)7r!G~IOh0X^0#-X*V!>{ zQ~Nxj*pdl;GQf4gE)%y#iuWt%qg*Toyl{jg)yVLZ=yV&+ExiO2J9y!Och$B9ShXCN ztxTppK^4$TT^?-dxb`*;g^DV!pS>FE4oWInFvK)W@dHwo(te9IWaKc<~+ zlVS-bVG&=JJUcj0vEHoDQ+}Ygd=`5{th?K0F}gp6dXkZX-ETc7rD?4jy%|H0gkZv^ z;D4-F=4PmM{%?vKVd$-0UGQ8)Ek~@S;FR3IGw-}xYPiwdMZ~BiVx(Ah(%8wJQ>$Yr z1pd)-Xj6g4x9R#{9TdDG=WhWz^|C6wlRMd$6ouv)`J7E8Ll1HLDY*f`AKj7Z0qQlG z_k#xyUkHE!)`tL57L^IM$t3UX8&xG@rL60Ghlxb@%_HrFy#1fmXtBhJ$4>}4EqWxT zXo1VaR`9HG&3=P?QaFBW6GRn91JEY&y*(SLd;|D$S zr1FThK=!=1vnYtw`lc0;DOXQ3A6db#I{!vdFT^auWj?T1kfP$DH*5&N!7dvs!>tAuwBgVcRT&a~y8mywvf4c->p^Rn!bm zsWz%bA!%lLPy(mOgJ^O{Y9{@jy&j_4~Zd5*$QVOuvB>clB3+uvJ1k0)DO>|D<+&U*!s1jS*8 zKK?+3(z=0DOt*8cgLbCCm8c+52K0Gv`L|0TIifmx7GZbLk=!1r7jf|VPIwS87qU%e zbNsw;Ni684SyM$sX_DKJ=_OU5-9@?xqz$u99Y(Jy!?9Yo56!bcb-UJ=6zKSzr1mQt z`LOPiF~4Afs0`@EXpQ&hU@oN5i{Z^|$ryDHHA=GwoklzOos#wAM-uIKx)SFC&T{0s zbrl|CsvI@1k|`4I%~!A7jUbXv{p79o3wx2n_z)1aDYUoi>S1>!x~-FG`GJOe`{uI3 zB&~T4h4Jo+WPt2r+Hbc_e{<;}wxS|aWbALtMn0L8Dm#U|inZ+V;-e^5Wl?5*^7# zi*VYb-w-h26}>(8Wg@oMvzfn)6`3&TmWS;5l9;q!J5QCB57Mo`NyB6POK+p&g@kt_ zg7TWBuD_{(Tpm@{_lPg`^3UQ>DF5hq?4O#R*mjNZncy3dG=NKTRk ze?Ci(&w7GlFlyXFTtgYgp5#{ukCBp?=h(>T*4LW9(@Jg&4b%9L1oKLLc!(-oj-TrhxfcS5U5UrE+SkX3-$IuP@g_49wh%w{8Jtf22REVX$2K*Da!xWpF1VT3N2Rivz3yN}a=4V7CJ_1qMl3Ds@f zcIR>y@r`!RHP~r~7X=!fI23eUH|b8|h+NM5sjXliNY%z0Qy5T%-GFNkFGnhX^q~@P zow`=xDPZmdlXDQkTT`tz-AmecIb0UUH`h4;=52mUBiaQn!oER8DE_`z!5JKs5? 
zO*$}L-Rxda1|$$qwT#Kie%PB{w0@3+FNx<1a?#k0D)6Q1ekyZV1ypw)rWyy^sdH{+9gvySDN_?LewwRj*{-Kt%NiCxMV_JdIFi zr*`Mc@ML|AT-8Z$T6Pbj)*ZuRJHibrSl&BS+|Q4&`Q)PLLxhE|Dxo|Tl5m51o|T19 zX#?t1ON=BZtV_-ayF1^^&OH7STPB{0GIxJFic_gYq-UcO_#xt!g`SB_Ze(Pz*Ih}t zNZuqo<37TSoLVZ3uzToqC34^{wPSN0mBFV#_OndMO9NKj<&oCNIzV~m>^ z&dG;t&jQk!so17-m8h0*hWyp)Ne-Ie_u-s0&QHKS6%yf#n-t!@Rqf5fva;u0ro4mBu0C90F(tm*R^FUkyMCYf0JkHs>5~Kz!7E>fQ~+Enj?+qV<>$cG z*VbrExSV}>WAlIXp$ER+46H{lPUeazoDEbJEtX{ZG{ft92(oDIj-PVUA9cMWJkfnD zjgOGnF(SVMVqq2&TRpH^!6l_3`n)GRMI^uV8OIJ!vTR_@n+Bfa0B zMm5ek?n8UKMFh5!jMXU6PJPc}@g}W@t+w~;h{(TBhTmh*xl*-p#GgF&GbMk~^`l)t z=QEsV*RC#(Q(II7gcTAN4!r+P-+nO%@t*GUhms^pO{UjTgO7!0aep~Gz3JbBy!0T) zG3|$^rx$dyp?ep_-cRkh6(|+bV<$&tv0n9hlPIlkS&JbsqSwgSlum5>;Pbd8@e-nM9 zS><+a!Z2qJ)1!yK`3unvvAkIX0uI+hCB9BDwKd+)ShG-_AQ(Vl75U|A*AZCF!EEt7 z_cMMabFov@_<>hp--F^>>9#_~6{IpS2Lrkv?p;O1E#{_WqvT7awqV9*81p|QUF{R9 zxA69;OUK=cgCTO{)o+zL`4Hqq(XfY5E!0~YXg8$S=dt3MB>$r%>wW&*sfjv&&K%WjL_i@}Z zUR4xQ4kuh$3f;W3ZpP>r!B6@BSnK|qZwNeTAgKkD0Ft2c-oDrz#`X6a34b}mNM}i< zoT;uj{sdIZ`G=g@a>4Rtmex6ON#?kjaO!0^x zF_l>570xS@Vec2BXErB=L!C+|S@8d&qbL)B znLHa-W8@?ga*kxW>eXPx*#inQ^`g)FjQdm>Mx_*|M+zM=cg`P zB3+eV;30@T0v2FXfK)VsTgR+l+*2Lq2RB!9H+&p! 
zm#6z|HEux3VQWcZ+68rj6Hue^7GGMMZ;EL5ci;BYK+=3Bnz6z5*NBAioFfuSf9z z{M&n&;bUYI$jkjvwOAoSiaHEw7=K(zKspH)WY};6Vr~UM#3n&L)pD@q-YOuc44%CG zQ4B^HWJ5pbA6iq{cG9%#d>(D|x>0kI{VaG7jm)AZ8zs}G66Ov z3$X1v80jvA5-juHdhPJ@xh0{>KIBUS=d6AiCr}cE631`}hW9+(*Wg=#ywmV%5l3fG z(mGvD4rb|WES?~vK?+qM;uj$5NHtAI9o}oHE;xVh%C>~8GAfRSGPAujP;Qr1#3~9h30Q89n{G5 zqVLS-CUn6Yjd+@C5LkHaH}aKs(ni+p8hqLWV6H&mvToso%^-r@B;M@+=OQ4#`Xx1i zLa{muvep`_2N_!qq2vT8Z44?*23(c7@Y^e(BiW0e0?Fj9z*ezDMA>Zf2gqLbYW$83 znfGO)Sz!qTSA#+pGS>UrP*1{xU?#|Q4jDDg!RBu%aKXjMZE;{{K+EX{6?3H6b~Cp# z!Ug@Q!`PwzO~!aG9R3SVC;t2)zS&Zvo-KfU*dJtn!&x8AngAiwx)5iU$-M}*U0~k> zD2}b-EzdOj{;AzB|6;NJuMdX|0;uD);AI7E1lOdLO$27BGf0fVzQK%e_}8ex*GvpH zc{2k55{gv(3n0@%omT=SiAz*qf?EL!MY3LJmwW}mg_ci-Mgu5a^E^OCtv@f+4N>U{ zQE2mId{z#{g+PUoKtIkO4??8^W=)#HG;qLd&a_PEbX*0M{Ok-P1iDQ zfzWf_=Ezq52G-4b zdSHQTPu|onQ#z_!q5v28KWo+h{Wmb`ik#)pjCDnT1ky^iTMh>k`rg z@TIaj#Sg%6avPz!L6^eYA@0|X`%`vEfn_fpqK=!37MAB3z@wSPnXQf30WzSl`&Hhb=q~BI=nU>lz&MBq+`}z2P`|pn+6*#a1Kz5z)Zz@Y!~ zwipy&ZrAfrvrNXd5rI}8=mB(7LS}x~Llffqt@qpM=yD64yOJzS?+L*c^bPE4{4jR_ z_aB2HaJ5TqR*tID55dgOLGy2Rc0f<5U+@y@$ImYQy$+O*Z-j=CsMV$ZKAa>Ap;>nG zkZDy?mT@W&z&_P#3y723BaV!WT3x@Wi zpj8g&87G+AJx-a+P9Xk9eDg^1?{3{6fCWYEtX@k` zy9SCuWB5`F@kYWwhkc6py{t_ja+F@1QP-- z0K!=bc|;@?pc0`4M@T-9LU6CzLfPgc4FOoFL?9gn-#{mG6^J#uw4o3qxwe5#@a>r* zUmFw{YcOlI;SR#ZeUrZTK)Lm1BRq5N2Eb@tUccW?R+z%t)6L_}Vn$igy{TQ9T*s{8 zl=;Y`yjA<$HKgyOzlN8yA3t-I?v_3|b3B#cG9T(bS~zz! 
ztBRRAh#*r2+jj#syc!m2Z7b8 zP79-DHvqqctY=sUD*S}1lBXP}Ebcb^W$yudp7(DB>V%X0-wL9}jL7s#q9F4lFb z+W;jDG{jAT0o;en2#pppQZ5oy#s{s?iU!=w6@bin<>}e*D02W)@m2=yq=P-M1>JuZ zj+i2P%>&}G@=&W+-1$Bo^MX8~>1e9vme*-@NstqM=iJaW3iw9KWVi`FVP+JnxAT>O zDxSeNq8~>p)Vq8CYv;lRW*Mnt_HIkmMUhi=6I7WE}>=7OXXl+%rtb zufT-&+G(M30!Z6;hxWiJuo7xMAbQxn!_2a%MHSJw1X|*z&p2ijKbeEW+)m;f%w$6g zkXB%s2GT(2YvqEXr@&2Y3mkjH-B=5GKCNNgKfxaB2RX04U+y;7fP<+e#mU2gaCx$m zr-NNQ33f6+{O7;f1J1|hW-hWisGt5AbeoQYV@YyeVs-_X&|eS^^rZKtiOgZl22eQ0 zb3DOI1Cb(0CBi0xjq#2_#u@+0V@Y?%?>xL9*rgJ3J!G02{I~cIfKzt+Z}m|xL0aVP z$b?N&g9bD6tWa*-#p5u6owbHdV2D=qTQgFiuc%?Vh<>&9av$v`6 zzg-)0|ACe~TO#u$cW-nvQi^-p{{vcj>Q|MH`%SkQ8B)o&z^VCenijaHZ2`o{u4NQF z{Z{C7(BbZenA)-naSJ(+!_XDu{sc<}@Tc%xz1In+t^?OY@u6rSxF043yF(6Z#k@r= zL%=XuvP1#}b`r$SEq{8taQ_k*FJ~T;q00vr%l9;Uh70}fa$G$Txo!5dy>DjUy$ z>J7LKS8kWzhHh&a0oWyYuwYg`dQ%9VUit}=fv3PmHDlEZRa5Xxhp=hYjDuV17C1MT zfmhFml*p_Ie_ynBkD1k(F+lm4Mgm*Pe6?C)l=@R)7q{HXIWHjhzW1%X#;t@Xi6j8- z?z2AJY*&+{cS+$ahAbfb9k>HKK=ZW?tDfd*zNusipk;Fe=k|+5(kpq!4Zeii)GQDK zY;@IJO_Ga;x&v+&dOy%EdoeiYOwBKP4ZH6sXRs_Y~Qxx0JT2q<7R}u{wDi zCJ;h6R)?^bArE=Iiw${A%V;&Ik|pFn0dMJ#AmRwG0rfA~7#+PgDDj z2UQc*hMYqfl%U4Bj$6qcN7X>deT>DRn3?o$l)+aRHS%bR}R?a?+=Q#UtE1 z@J3;uf!O*&0BodC3)q4yhwwye zj}}gvGf-BsGZ(7a_=psd+w@*PLQL6)yMv3{j>i?Kd$l7)=H)4T6e53zBmt%B9)3v< zD=_>#;~_=2-pKPfHv8vj)VSQ7!U6%;?1W$ zBWsq7G~&lQWS&LD+Rn{y#|pQ(7ebKS3JH_rol~8c>bhE}y{GVpa{u|5vmu=y@b)d< z>b=0b36BcB8=!xkW{fG4Y*Qc6X9V~!s2!~OdBfa0E{-YdcgBLezdbN>)n-f9z2-Je&P>cBm*GStcb#zD{Q0ajNQALZ~b1ov83h1BE z-@xw`T6=FS1KuskfXx`;iq`b>m% zEq#Ie@&bps(I$G~z9`A6aC0-Q33}JG)%3I1(%C)XtoW={o8(niun$mHqf;Me=dbrm z^Vj>aS6ny&IOH#@!sc74PS6(x#)?I}HuQ1Lz+~w?xt>o4H5bZi=*UN&9j<=g25mz! zn*uSWRo>}mv(~K89#QJak2I(K&jno6h2hqX{_6bmPeUbeu`! 
z@5`z6X#_PX^0YMX=#pp);}yk@Q$HO)ehdUcqhL`*G5cotq{c4-f>Z+z%>?++vp)Jjnjf0lWW zjTL){d(Don5ULLh-NYPh9wm?>+bi#{9h+)-d_@G~b_()e#M{<*dTdW-2!z@ErLr*~uLRjD* zkrUj&yk&X%bn)#{Mohy94taS}@zFyAb zT{)aM6-cm%!}&lb!7sQ5uu2{YGE*>IguKB~AEOJzx3Xac?u%q#`cJFAC z=FuQ~FCBPAQB~;)gfV-5{JA^8xJ`3EXfuVcUbb9G&3Q0CxbwCr7uDV7Ct}(5*=uA4 zJfoapbeAhX#0>Gn^bF%=+5=lwoM^?riyUNbOM6V82>RCT7tn2DDl!j+IO=7?PufMf zPm;nZPd2Y|8>w8B_Sy*u;)@1~#{Rje28wp!H&qiGi=JcMz5m#Hm#WUUH2K5+y|!Ae z-H$`FUe05SSBckmcDW6ox5$nedmCsnl3TkFcQi-ZpeFymj7F49M(%i)Y>c?Vn3Pbf zDoL%Xz_D${O?Y=Jq;gPNUr1^$&<)=h)=pt9-$u$k?gj68C9BBwJk=8=1;}0CyXUF? z4)_7xgGwVsuf2x2F{a|4PWZ*pznsr0iX9I>81u&}0yJ82GL`lly-q;MwL z80qX=v+d63()@a@UqpTeqUjKK$c>WJ=~)NZyC=vT5l*~;bNl+^BQf`IpuTCnG07x_ z7xTpWQfMR-`NGn$Iq%OkLdvEoD>Z0{z0zu+NN@+B|9d*;{Aj^5r{q+mJ+l!9uk)#=M=oh+%C?l6Z>qJtYBS3ZKV6_rX=EGp=_~857jtX5wEW?bcvKyovqNk&WuZ1z9-1!XVyEvJVqLE7^nC*nwhy{ zBkBY4Js0ao=9!+(`Gj!Px#=~Zd{uYIt<@VzHeONj&t*Z;X7bz=hmkq~ z$~(g6j9>Fa<~OF1d$86gGej+4QBG2tI@Mprfs4J33{&8A=I%Nk^%aY0FbD+ehd=-L z`2^UOv9Lt#4Pk!qwQ|T#u-Al+Xe!a`=%PXIU>qMhM8q*oQ+?qUQ6DQycY7sAm&WiX z;=|g$2xxi$+l8ZDur#v3$bbF0SSCHatrK2^{zN2|@C#%HQ=!(;hURv{U z1QAk{NEPjQHTzWY|}p-Xp)V2|1* z3w>V=x>wKFIQMjEQw4^R2g@YN&~7}@MBMd_$o4ywIzLrootT>(Ti2lb&Yehof7dzx z$MzKdEB$(y?O5?liJUb{EQ?~NEQ`(%ap!dpJf z;rRte_wcM22A|-+CfiR_Z|#1QKWh=dv$I*sQ*5VS8E=men!G6V zdWluRJ$a#R?Uw08KkL=?(a)Fho-e{@scdWY?A|EhYelCWVS+ONqgs@ z-rtXUJwf5v5dU}2T471*XQ=M>w^V8(G6|4b^FNWc20bQcA14l9wl4r~{=yxT{1jMx z+{0I~isfvPK8})dUJ8%7eN_;rw=F=5Z*!5N^|7hndJ`K67ybG`jR{2uw~k%pj$;`M ztag5ZmMb$x)|g`b2b7gg>>)0la~{67dRxk%D_* ze4Yv}G?kekqBGe>4g(?gOFQrC)%7`9?vEVkl3q()!^Vr26L@C{}NJi#8jm!6>=6T z6}dQ@qnULvP5RgEvkO;LjbZ98sqd*snoBXqIW=#^ox4L1o@d>7OX%%+u&Cd;VuW`B zMJIjF4P`_gEz~J-{(@;La^jJCK&)gs9JY5AKYxmPh1`x=HBdjKBRyM<=`2soNZdTXmH?>;u{4L^jb|sm|rcKsO#*EgRZSvFzTGl6wpH9tf zZk=JsWxgnP{^>fE{l@53X^nMs$|LuiJ6PL(THFd6 z+}B^hp)a+A=0o>J)P@mvHhvRZyjE%z>P?mzDAGgjzcPz$}sz#I(f zu~>M#i0m}Dl-NuggPIIySx3=A#h6u_XctT517eub*!jOYzj0b0ZYvLBa=l$>BCr`n zc)B3n5nmk~M8c4w3mVyH$m^}!hThA#`f-IJ1^;m#Vr!$NQ4AHLA*MRj7Mtzp9-y{2 
z2pT{ElLl;tD>vV9&rd1V;-3-wz9|d3C$ydo!yS1toXVv{9U}V#M`uMBSc#2$S)!_i zd5M#8oL@*uRYg7}LrOD?Gb_#x;Va;y9J{l=UPTFG3J$g?Z6xa_Fr=A3H)!G-ogTUr zL1?tTfM?a)+{3OYO*Pq3pFnk{{Fw4?jRBr;ss(w;Xdm*OP)a48^#wZXQ^zyC&HRY# zu@uxk)bCxu#2dyz-S#c0>>V#bwi&taq2ILIW$ZN8r9X)U!xFM@+ce`ow$0SQP{+;w zY}H&p|0b)G2nTz=5EfY~8ZY%Ua2++|U0eb;fYydX>d}A9V2A17&C5qWzNw6gP0rT` zBcEl}*b&ZiG^kc{(`k>g^=1ho#(Pf+)r}=?e4V(@aUi|Vu6yaq&xyXYX+B$8=lzN9 zYiIs+z0qLZy5Sw1aE{(2IkBb?71)+;m9%bD`Dm3if-q@dy$?h3#m7Wos< zlY0YtsBw@v#SIK|4<^lu94vsrRUmm@p5+Zy#)o++<8qxw&mBsmLZg*x>hQq7`$%SmahWZj z5wCX4qnduvd#2hxPh+~y%dO9_-BglUHEyfj^#ii$PC-5mc&G{OL2U=;j!?30N> z%xqX&@-a4Qt{E@Ab&)p7Q;&X+ZZ7ZD+fo-Ky(^@I505;4aquzjSUEc{P$E$T@C*k= zVy504RIgS^<5pMm)WLoV1I^IjKK{Q>kPSvb!7Xh^-0 zWGDAirsM|XA@JtLtDQXmD<<#%p$xpY=tSEQKC#x(`}g*9hEyf3<8C`pJVPxF6!pwW zDNyZK|K>AI@G8dOEasKpF*Bu&07Uhj2w>?~n&!~dRO^IoJ*Cs=M1d+rd+hfK&P>2gT* zVC?fliNothp9P9mgfjRlaYD4~NJh1|Ela7J_1*jiHoT`Be?Q8D$CDG4 zpn*)1)rBa3gLVAtDfi|S1CFkQ(}W)~fBWBnmsoTAuLJwv`MVnxx_&JhtJ41Kod19R zv(M<>V1IMOiw8}aj@=&|9%Mn^)dYT9`*4ZC!%Ynw~_xm*Zxy; z`LDnAfBYX&6%e2v%sKRTNY#J*_E_n_2OZ0c;EC+tWhM~mOyJicnP3w7_g@zg-p8ht z_aYw>{|?>yk56MX2wcvTFOxz=%C?FC=eks{&bs9)j;CZboD?M(SW9Vi*h;JA?7nsg9Bh4= zdugOa_LKT={HDEop&#x~6G%6jce#$2QLt5g8|I5E+WU{l_VT{ozxJOvKhm)A>>2&_ zs_0~e@NLhw)s-n)MxNzg`>p6c%w(YZ})y~hqHC9~0j1VHte_-;%LrqE6eHF|jo zY?qC2mrd%=HG(XG<9>nNswG6K#HV|ppv{hq>y3Qx#)r)+4xD&NvXy}}D=5(o>dghP ziG-}>@985!&&yNm2fmFe&PMmKK#^K0;7^4@g}xcYnb#@;zRb{R+D7^{FG!|Jze^=7 zXqgZ>8NcQtU_CDiGK`iYE$@wOK*S%Yij#4rA_SN_gcW-mV$dDjn3p<0SvI1!z)SK- zRgT{y3USr^OEXs$de%WN37s{uhyjHdYWF?wkK%QQ-m}Li&tHyjgbSlr3Y-L(R%AOV zy&7DA_vpN?@j(sUxM+5NRaRO&F6?sr*3DvZ(K@O8BOmhS=vS`W6VTj?CmpJN|5K=U zc6OE^5crnm1QqgCAgKNN=Ba!SAl*L0p?TZW1)w=9q&8ZrZ$R9mWJMaF2`#4p)uU}V z1wcnD@D9|c*tC;MR`jI`O>Gks6fiwD?8Kciiqi^lYa#1_(gGptxo6A;$SnBu#bCP1 zX5nZ*OqRxrEg8pw5`@k9zk@xV;~tL850O7Edf_bT=suAVWxtBu4+uubr>4GfeG};U zbaQdBtr+n1%3ew7d3}b@y6;pJqf!MR$wr~r)rKA>{=(WF{v=)-ef9~4xm3U#8I*&t z6y(iW+>2134#*60O71-Gtw?hPf^%CBgf6zeId(JWww_>3<^fNAio>V|)O_I+Nw}Wu zwR48u1E7Q5!V735mG)Wr0=$V4930#HR 
zM*cDIyE7OOTna~o+h)z;%VJ^DI|FbeS=H@uZRoi1=4ycD`Da6b=+;<#>*LOdmYhm? zVixPRS_UF&OweLeH<)^NRtmYXbnk=ybb8EB|BRQlL zGLbR$#sO|c*MJ8NR^#LXU+ass|>b6~LFn+x8RC6%~=J5D=mlC3936KQurjF{qT-uG<3OkoFhAi9Ty>$NFH=gq|uk0azTL zT9*na71|7d(pR9?+@3O|cB?cPI3FP~UGK;KV(_CCS)Kb%%B;d5#iVvezm8aOC{%NjC;rTJD-%&b{eEX{y}Kkq7&zck60f~0J(m%E2oyUOkh1Hx4ClQEBg855us9oQa`=ZvTjnh<`j& zAD%XyWN_{ay!uhW)Cd+iPhuL+6k5WZaKLdCAisM zm+Z|iLMdY&YuV7Roj04msukuZI-AbfEEvc;YkThS{^1Ewx*aLSoiQL|TJd!&KUrHU z0(F>1IZNv9s!Om_>CJZ(QnZq})hG`F?`8ug7kmuL6v1$31veKE8k*d};7_6_<`P!A z34&&w7PJ7fa%3IZc?E$>%t?Ebhb_k-mwG3C31Rr5n1S|}y&JT-XaKBq#5=SfP>x!`W< zrpy#x+yxHujn6*fF3^w+A-$(d9ZHsN4%es1F^Zm#2s?S;bLY{31ei2sMcz+sm^Q<{ zWkThSLAYI?wcjtfA1+;UVlFKksGB?jcCJ;cDkxS$~0M zr=DA-@OLsjejV!>nV_?^;Ch})R&vBgp6ETsVZGG@KM{_trlt3r+3wNSAh9TnQLg+R zflHjWYrcU8D7>aWN>qGdRfptdVV&lD?9A=rFZdEpEO>P|QfL{u$lPPsX@xuX{aZlB z?RL_xRz2rDFzA})AfccC`ZGt4_~afxz#~&=Fy|UGpYqzX>{4wk)dVTxKQ4Q!M(qEx zc;TYg3Vp1vHV;gEA+Gex>*~^;Znwx27>rBV=Q|I{kT0T3-EZpF%h@j^9n=fB%lUO# zrxc%X;+_)tSzk^5RmKJ!X_)6)t32_ZhRSP7BT5I0aYrst=?QP(oEP1tK&|-%=a|)Z z-S9b0Y;00r8WO5m>+g5>nQW4=j;q(^MphRq`%lW(l<0d_F~>w;dAg{h9kEe{g75eB z)#ehe-?C4V-LCcQqCamsG|P%zr+EwWc-^ohtc51=rH2q0;!set=h;wrWEBX!6~uIp z;&fWesJ)cl5UH(p+XRg*voh(Z40v!FCEUF+H9((A{K+zr^m6-+Rprb~YJ>Hv^N><# ziWL`eQRuE&)*7lZ6FYNo0E>A1GJtZ~2B<67%JWcROoB+e5kX^&KKkBI)UsN_<#Aao z{+R_}m)cB``ksjbRF%u;vNj!16YBXefw97KA^^KH370 z%PK*NhK5Fi?7q^jLj$1Fa`W`@g1T~3h1@1VW!J&`+pW~P5F>7?JdaJz%dW)aK(Gjr zJ}hN*kDv$%>7G1I{^&kny!n<;2o^!cmv@q%pI3CY zsueHQ0Lg7809)Qmv%R>k4&m=|B42i>5%&;lvp7u<^&SVcA}7=71%{ci=yyChiQdz7 zd!|y|gg|-LXxv%s=Ik<}XZOQ~m31XC6rpNK1$kIa+AdeO%1*8q@t!9*XZgBWR=oi; zBCG)i+OFSoAO^CZDaiIr8+YOTi9~evdDw!RzxUl;wON|WeeyS|%D3?glZ=CQF?Uk{ zo<0fcEAU>RU}0OZUj}m4EG8Vjh615qvfaKfe?Jp-RpX>xIKOl+bU~;K4}Y4GxRdGQ_kK>p^JL9fm$ze=S1N1vG|rQ` z{X0pDzPn6g;+$f)L||#F?NgGWGht$>rmo-br!qWXz!)7!AWao5{8%cJWQk!z;9v$} zs^GdJ&#vBFMfVw}*Zo%e!^0R-Io#5`T4w*!Kf6oN3DNg;*O>Xtd=5O2i?}lrC<;8|4mJ~3sa#30^ zJylkzn$=ri`#!Y>{Ub6U zk?3K@x~`rRy5|cQA0qFEFQyMkoF-6X3rpSglar2jUZ%`K50KW&W;d^MdeXx~@Lato 
zc{Og%8ru!Gu%`!H4t5ACNTjF*MV!0v-$XlUm0p$+ayRt)wCv=bhtaV3dnuk38mKj0 zJdANFYb-QOV;V?EHh$>PSclTR=Ci|ve<=l|pjd4V#JXACGMKpGP)m&}-?0l|_@tXfH`R?Y@Na+)eJ>Dw+hx z`H?oeYfhS!*Vpv9i~ffS?{+XtvXwl zj2M#Epy7u{SXLI%#Lg_~@7fJ;-VZ_*R(|J+P({(8Ug@12c%)(q)AZ@9I_HvSbpIb^ zUjbFswzjQEgCGr3g2W~yr8@)(fsH8LAktk@k`kLxP(Zpx=`KmBjj|Px?v#{}2Kndm z1ZGK*0IRy3a^DASsVy$AK2P{5ayB24*1w3{d4;iQXR!g&S_XBrdS;ZdGbWu@G zo5an%T&aqU;A%&NSpu<~+OfWdf0sAn@W^48?vV@UmqYQdp7?ZnGIJ6sFc&!k$wb7<*BR=hBQH?WEG`c+~*{6J7>&G$TQ089$h*!~}FCvYw zkM{eg3Wm+YQLTIU+QuaZIQJvnt22IB#UVfN7#V9iCBD-)+@M$(ndOR!q;#6IS56Wm zeHYRWmfHiE9sGmWjxru;8C+R0BSxLYbz9>Db(*i&)0fl>)(u%S4&H73r= z3~brC5Klf538VTAT*SFtA@WH>VfbN@eAc`~63LQEZmWu0s*AW(OEjyHFODvv;D+r0 zv7q=@p6!V7<=C8rMM7?mX_cX8Ut}w6Rqp8aWYS{Xo*UP|J_&3lET#J)yR)gZPm+Uo zGVV(VSyA|o&FW}*RFTMCZN`GXh!D+2-h1e%MVGFEuen{K))|$;gYsgz)=V5~%RYZq zA?c|lad!Z#-!x?RY&Er_vQo)o=UWv5LIXc!w7IR}=Py0+N<;vDrZ=g0*Y85@-1&acZFe>w*2F|2O9c+({B8{B;^I^66pX>FCyd?v2pKg4Uy zt$Z2(saInDEyZz7R6NU~o!#;5C!i@3|c*#?gbn%GlX0_)~M(zS~=K^x!_2Q@-= z#Ir*AnKS#dj&Uur7t{-f$A~pK3=~#3R@;Ib*pi>x{07G-I@K00abNU7g>06o;ti=VgiwSkvunFntc=Bn{LuR)y41Yv6MK4u^H z;|U*QF8!L1%sEBbO(_~7!~{v6bdh4iZ1QC`hglm_fwE@{lAk4qh4xINf;&mW40)s` zbjB)cxTb%=U#QW}ovIE6$!8_Uf2ICPjv#@80@^1O(+*M0D@W5%u%ZL;ZL-d6ZWJ}b zBxyc_KY(j3etjXC5ckxJ^jQE_ur=;D7d~}!lq${MRBr;0_s8q~l#Uvb-=)y=tQk>f zCQ}i+@tDmaw^>63*W>w*X_!GjoxS_$g!1q@p?ku6BOVt$J?R8Sd?OxFv$Xa%ZoakN z-R;4r6uz&7V;BhV(Ssq{Vxutb5KF=sSWJW%lhu6UzKX7)Rmh{A7ZbydwILPubSa3JEFP|U~I98~1 zTB*P*QS^shgf_oIev#OLbwMcy1K!&K8#%4pw2^^Vu*N|;*7C50`BU0d@l;{w?7alD z_9FmgI+LU<65^#_Q5|>@Q>|CFn+Oo}1o1$DnNHH{)+O)Wn{9VRe3^GR{~iBfH*R;o zWzg)rxp{}<=ff`a!AT*zm|~rH@7N3z+9kh~najg<%=na9rU6l*o-Fum@x^f49|@jx z4b9m^(#f44?rd{^$yGG9ku7Y^Rm`sTRs^t6LR1K>OGWgkyP*+g8FWtF{s3zNDQNl@ zZnMCw*3#wUG-y<_dXqPKfoyVhn5x;K=|-VY(bGs9eGLXmPOLk9R|v&tNxv6W_Pw~0 z0Qm%t0Y_c?i}UXRhAvHp@Xw!T%;Wk*zx33G-o?rs;|iHO01jm*CMI`<>wW$aiRT(%^p{5ii zhftnn5wGT*dQ7}6em_T2@71BUMmlca_FE)qbX)%ScHP#m7FcCqqZheOS6Znz0>g)? 
z^ANTcfwD0E_QPEuE_8k_A6_=w5`RW#srTj(V3nQ<1PQ34XG?e>fAp=a_REcQc`^hA zrtK~Bvin+dv{9ZzAvh$dvWY8!-?`%Tu@9e`7u8-3NVjh)@DjSwyL(!l2PcT9zd~Utw4V7~HT{^{H)r9N#PF~vE%~88_gn~iqmcG6KH>F%}+Y@`ri#_V-^gAs59b_I{EqC$Tq>7z9(4u9X z(^57gu$-XX5%avw4fG{6dEZ)M=_JPYm2^px%C7|N+-S){NL)MV@jsg-`0&$|Q$-B& zbQ&pL5fXgqD+vbY(&)P+Ch0+sA5#+UNt#T4Jj(cKYkKv`-bnUMsKP5-#kMHWBzyH! zr*N;`d|O?ZnsbAal0PDnY3#PKXkCBXxfM#DOzKAruQ{iC~W0k<5N<8w{w%4VnceoXLJl!Qv6>DChNnZ z&nB90|QI;^WRk}lbv6BEDc)lE?MvdMM>-rsWbs-nQS5j}}h<~a>% zyFewTU4Cw+z1-Su^Q5Po`poNs6T{Yx?TwMF%AsU4;~{C4)7q^l(@ADIYn zolfpfi*bDw)uk3vK5Cv@MZWF;kvFld5jND_00AXYCz;GdDLgil)h3Ba@~1`0COkGW z4caC7ZrQvy6p>BAtX9WGIt?q)ueMoAD5S*q!Vrq2$H(_FzUFa_yon>JRhbF)0dA6w zFH5A7R+L6V-jtqfBKJk^6sH`|l{6P*_qg@es|{pn)KJ zhz^l24dK0OS8E5qn;QgXQ^$@1@U)-p`mtIT><7|~k<-LW_WaDdEfXEXjb$mxJfAsH2bm^UbdBHPy5D7+y zqMh&pf`5{kwJ-KE_Kg1U@!o=57XtobO^k)zF+a8~;gA6()aSG#85ouESzU{Mh7}>z z6QxN_Na=rnTPv7>;UiJH70bN0|7^eTF_1#J#_y-9Ct@f&bPY729*dc8mgVlom@$&% zkOc&ESUxuXtt#*(xqHy4W*j@Cu*~l z%q>63We`8?u<>e5hH5L+U)YawfT!yONbl|=SN0$l$PKAL6Z$0PddlzHw4Fpm%(cIo zZshgAA|2M7nyw#AQVFnvotw-lc}{uabhf{&&SHEk9tcjqs%ld~z!Kl6n$5?1*GNi6 zz8izXH3B<<98L8HkCNd)5Ce9+sgX z^|w9hS1A{QeQlV&v><4>lshZGaGX#1(oH=^rm~R0KOpg6KV?STs{7nBG`uw=J*-Dg zm`%CfkT(O%uo^qT9Zg9tAt#j80Dqm57>Q|`;`9PLqlkl?v|lk4+p;(TSnxDNTsO)O z(KY`h5dk3eUZOY7CsbX=*6}0FdKM%rMarX`!^{4UCedum9q;+rY@CIx3h#jCb7L*% zq259osYtf8hUlNp-5NI7JYPQ0+X~Tx5$5wv*~>8u<%H3+Y9GcAfTjSOo-6)zUZZLv z%u<5E>UW6f_pUqfQs2roKToK+3g~EEOUMXZKwG!Z z5eP}U`UuB>$NE%#1PSXeXPn{Lt_2@3t8!a8m)b2~rWlrnebjZ0m#G1lDwC8r{NAg6 z(Vvu2x;Y=HwF?y0-+3&;ch2XhDFsAWt;sw)hgX)l$*2xhVn`D4;e1HyR>n4I-MY3GoF{=V6>%TW5ck@phWils)agW)M~C8AZ!_Jasd z(wWL+@5XA%bf(MU0&%O zZ26E*=uKc4E`02?-HaVIhBI-z@{ZkntCw~?k`hiDgZ#HR&p$a6f4uR94p9o#iU*Dl`Hg@CCDm2)T9J5eGw|abx5T>pyc%!qy_j{0Cfs-v;C0w%|da zH=d`G{a-u7AK&{w9Jz?%uxiu)+t2*nltW=Cl>D#p*&meszc!!$?JLR*m)Yu6=I+7c|MSoN{kyv)aY15IB+$0{ z*9H5JuVJCk{R$PjbMK!JNq+mKJ?hf9TW6|nf8QAYw@>ibI|G|STu>wF^#2dp=7tpb z{CoUgh``cq!Pe3fn`AG2B3@HlGQ`_EWiq@vRqyc_Rd}#i7n)b%XA}2N9>-;zyKQOS z`Rs6XFlSXy)-UI&)qZlszh#i 
zEG$X;x1$_fr5oV9ml`Ee7cW;b1q6Zq29M}-fAXA3V9W;GENaR0ukwfigRiJ!U$Va& z)oJ|1wu|(4I?l=GAP&qX`g~aO_$&eRiJ2QDJzS@WnH=DD_0R-f4IA;u6ZpQ!#%FuZ z)E9GZuOl`(JY0w3w0$SOBDAme9gb%=x7&m~_-<8FAv1HUypnokeCQL~;eHzM_y)@C zD&G-rFnfk98eV;`BM6sfL<7cT6;KMXCUOWAyPt6-hU9#lj2_>YA~0-%7(DB(cZb!EuR@g{HEz7&lkCQBeG~;O8+HU?Zo&epKgLg)l1>l0VU;^Gq?!^ zIhxOBdoYGwT5c70Jz^fL@sdN1VJh1tI2b`BDv0Nj<~1MjGY+V6*aCqZVFJpViK;4V zlaPW&9a-{eU~mm(JkYiP--`Jq1E)3&u5;u|jR6$zUEi}j+X~;W*7%vL^es1j9u z8`vULn*-Y?%oTZA>Ysq(F$#D&j&k)zdCFu~O}l_8u-q3UOLr&W83FD5%5=bm-^8O7 z`}r=c9g^~Bw^D&5p*q9Qeu`P2yhCtG-ye+kNeE>G{H%vUfnu)W9)QU}r{8j7BXeh)L4J8!?QOb#FD}*>ASP)PB=C@Ui+a(-IyIFCclRuk zO@g}_WqbuW3VdLwl}F@(>0{|Acv!8$wRsIOXb`M&fzjEo%7(mJa_qW;>w&k6cT@Gw z8?L)YTiJEZK<~TI`&eu#B-AH}j~=z7{8I4x)hyVum)7WaaJ3CGX1KpKvpxx{+X5k0 ztXovEiD$pa9JAX@qOG8OTY49M_TlJ~c@*$}WcT-ntOvk&R!rT4z%1!0s}zb?;WFjp zRKV}@0B&IQ_5-c&fEBfK&NJ{fsEp3#30ie7U%?(o1>`Lz&oDx;8D#o!g+F#0P+}Fy z!4N+rS_2M!DW}tRAk^x4RtN9(Rltb#ao|C_!H#C1XCDz_H3z|GU8D((AU|0LxD*?n z`ldtn3{-GVAT}cq+u#`?pg+HK6RpIyJp`w}F6cWu5dp;T%9uI;j4i9XZHKSiv<;j? 
zqfDepFXI=$t_0&`hqwXH6^W6ZkAcxzYeAR4T;joGU`IiI5Mpvss0zmCEL;lQ91fx;gV zRCu2~+qaW`@?mZxoCj91N_EQHL0Bx;h@x?sNgxRF#^1aNH$|w>V#D8E>(WGs;38Lu z*D|oROwfc2c={oqvB{%&Z|p7>|J1I!dO!>AU%jNt8F1%E9WXo-3HD#6eGNicx*p0u ziH9m9X=_$+CR(@1*<@hbF`~URTX#q~-^|n3sD3%@ug8eHr5<4DK(D5^{2F-SF#DX$ z?3?38bEafe_K&|8?4u1h7z{o5&Qe|EZ|@yJ=0=F;L%`e)Vu&|@w~+c91k7#>sqK%G zxhTgFHBUsi4BIhn%;|T=52Z&oXJcQf2Rp+!9biMQgJdmuq%sHhOv=te_rzjvd>S7& z{1N6Wuj^PZCnRst_2DaAfDS;Ua}1obD=aSn1;Wa%fHBt`Z51F2u|+p^x`-5M=9j<8N zwB&1~Z(#g8;~ApvZ}-Bw7o^y;F*r+_Pi!b2riEVuj^XdJ@H^M(=ZpZ4t!wE{#Jy2} z;o}qD0Zci`U{>hryrMDcwcJP z7AGm&4U(laCtX|d1rbt3Agj`O0UJ4c`oRJR*Cm_hT5~{89D_GPG5q#tK;ENxl;P8{ z7bSCPiKvSh(}077t?e#$Gp%pFCWZaYp$o`7g2h6Ipp817XB8R3HuDaWRlE<@sOz9o z8qT+9;t`)~+y_E0G4lKQsuA3^v+SRx{wg_P%wV2ot7*@2evj1ZhfJ{F-3%#RsU&}$ zV9cxdrH-!-vm6zSbW>6j??=CR40k0ads$cl6+CXB?rn6Np|4g$7o-X-y1J)X z!eQGnnK1Z>-PGZub>qb6T?fYhJV=Nw zo)6xB1Lfm!vgg&2J*uh*y3Wm}jO5l{kkbY%YbMyniC+fpk`S)K+B(Q(cCa~`EH6%H zE*k9n=Wqf5&uRj&J*i(#(dPJMBf$oeH(gQ0v$?_Eo@Z9Wv=?ZxeP z=we@hZSpN*wtU-9{RckAURm^^M6mM~8D~%*N5~-gBYJWp-53fU+ZQ=EqBWgJL}`O@ zi&k)YV|kQTFf2vrzNkv_M6~*S&=2*AB2MyY4?$ngF?V`;w7zSZ$*E`^^)tWx)}Oc#pQlLYiWuBytzpaXC0&3jdt;wHR&cRxh^NNyOGKcxMBs1>>{v#OH9i``m@j!~rj zHeXLos{xov-9nibP0f)os}9%$qiLL(M6VNKqqLO?Jful8UKRBcAMTUVH_TUY^<)ox z+M;Nfg>dJ~&|j{$xx!j^n!9E%=Ly5FB;EaB4mh<|rIX8)S(`gG2SJC3L#_-lPlvP9 zzC#We~v;i+k_-%FF4`iMGO=ZW=%sbhif}L8)UM*&u0V?81ZKM_rflt z+wD_Rvvg2&z z059Z(;eT=Nd1$zc*=0bzhlXIK@?k`b95oXOT+VrXfMe_rDHr!(b;;b%f1Odf4BLkY zJzeW^PFE#1+FQ3Lc{53l=y7x$8?Paxc zejsx(cuilzCyAfmP{!2@7Gw9zHm{m6zKP4-9em))K{oMOZeN-zaRew&bkSC~kMiTcX* zobh7wzZ#o3YqTG{cxxl*r6k-qYGX|r`2F4keR8l+W(}-ROUH0NzpqJ9A%Rb0n~l6rW*LSN=cW5Yp-cJ z9GdC}Uj~&3z;z?G#8B55s&NX)_wk9=ByAX@eT!ODj~vAT4|?D10|_bS(H$Zd0_-ct zpjT8RmrKz}p;a^5{=lj#)P>>IWr9ug5hY+|{T<^9?sQ)Wrn)xvQorbANJhae$}73- zUKb?rK%NU&Ezs?z6c|Pz1C<)=?>$Vkit8~64acYSn_Z%1F03iMVboL*&ewLButb>T z`|{5n85DKQac_*{3niT^{CWKN8F9)DUc_Gi@Ip(*6rXZ~)s^d|ZyR6LEfBTylwN9A zVyFFR2cqIFNCY6<>muIX(GsemQr}fG;mp~um0*U9m=eg)0FULRSe{3uG%s 
z(0li4j$*2Zh+8L(-+pgcf1XO4*nWwORu1gs*z<9U-)MV|XV>}qn`@w1RWjq{gd1MI z+4%9{(hcZ3rx8lH;sv_eNir0}Z6WU!v#6K8q!tm#&R|>&;FwQk$zc@;;}iV!^@I5Y zFICWL@twH!N`kw#*)$BlO8|N$D3gYCD56;o;*a9xA+!YydY-kD;H^O>zWa$gj}@^M zV-7n(_r5kTC!zdp2Y}5i>UY;os55+bm1^lmfNASu$+HUGTFND-?CQpPW3N2ou=*QH zhkAJI9A89+@fWDth1;ZrU{W}qpBf`@coK%ZY;!&;WJS!s{QM=PoC~(d5OziCY&-bA z@cj$W_gDhLuS0fzu3Ks^nyk5NX} zA57mWZQ70GSO(56t|+v_K+mfy@MV(MG{1_(aGQ2?A|pZr5=;h3m*98OzfXiASTHl; z+TG#OUabsaP#6BBHJ3SQ?*SI@2Dejhuw?U?;w#T2HuLzMYwcq6eXhaQVnTzx*EbJM1K_M0c)cuFt)e|n0UblV*C zmVQZp=9*Yi$=bzLMIAfCqI63%4RHxcM=Bqp{VH7A6dT0R67;`&E-(m!SZ5PtLVTe7 zgf!w(o;hD&um4f}o{SRR(s?TD7h|!Ip-0=#21Gbv&Fz*s@*TS(v@&yu+2<-cPVJOA z7Aj0t^cXDmj0SGC4pXTw;++;?>t$~b27tV+;3;#JFx@9Fvm8}Ri9MiyI*t2nMG z(Qw1cF5hG!g$M0zY}@h8J@3DMxZMQ$RYMERW@;!A#U4+Kq`o(oZ4L%6%V}CUZr6Vg z)P2uaMUs>ai);z$z07By9zN%G1z&0y zTQGBkougNn#oK>*oii}wQLTZ_r*H|C=XWs1YQ98PbA!b&8DU)Sl9!UnZ6~t2*k|;0 zkiA$*g3~&^qS9vU^{tsmS|rj{_`X=i&xT2^jf>g>y|T%*2NiY}-G;^fo9quY8s3iS z9_&<84`S@ug7yY_UVKSf<&p*RJ8Yv8zrP#)`j^i9k9zs{Z5l`_Z`d#r5K7 zsOf|i0SHXWucWsg6^y?g1tU+PW?i%RJ>?Si|)awht-ICE{f zW@IQoH!Q9Hw@;ctk5*J~__<+XX+`-@7VV7V^jU#zuD9+R-DA)4la?sODbcV?^@04x)L-g*uabKV)zdfh^dM0g-m{z@0wjQO?OUH-CSMw(RZT41q?33u3RGJTKy;W< z{rC%`(FT|Ukk1T<0hDJAeb~{XrWhs3SJQsLH=$u&tJ5{FYbyqi(i0dTAQ-n6N~yOn z%w}SvE%@5#*qHpa5H6DUL;0U*p*5c1_ zwkZ?~bCphfbhyNjI;{{J9J@c@KC5|&ML=N*DLxn3BCaigA~*<`8uOx@#ot5cGq9&k zrvRRZWN!W!XDr(36K)40n!pZAXU_9bJ_o=c{h%s5rv*f-k&=YwafNp*qkGshPqzlx7 zcg(9!OVctNgqM1Fv@up`nB+0OK(@9xWfpZS)y22(RxNl=@~P~@;??5|q&NS=JN>tB z$rJay2@+GTk1pUt+K23y9rq<@&@=P^0j)1!gYRi_k*lu(Ac<=$v>5>RkO=dU+%p3A z3{v@?y-Y~8%k@J9cMXX71pFhLAb;^wFRO(w5_Y3yb-PbMd;;&!rdgaAMW0fm_w&|g zAmRCcT)KaILx28}i6xE~LkPJH`JhAoLpE{|Q7(|aRNcUb2&MJz;U@^8^#N;q6T#nK z24)-iT8wjFgBgZ#?ll9rcNCE7=5ZZlBc=8}@(a4JY3Wy3C^Z>~e-6go0@C1aR5`rG z->>6T3;TXJUiYJX82fIzkIzQwFMl#_7Efv38!4&X_xlL z3l(Lud^iSW!@M9bOuC`4}*~E zb!XE}5L??HJexWo!FztJE0&%f+DDie<5u_ANWSJQ{G)3Whj?oIN>sODUecHeLns|N zSGEYN)r}hOgOYK8jI#oWh;@ZiYt`=$sgsU}kU%4<)D?GN)^)YhlaXOVIKU`N0%UNf 
z@L5KF@j%Zz2QELg+}$W>i0`e?EWW>r#Jb$R{Es$w`OMqbdU|`=u6`h`$Y$O!}2X8NlAZU|U_F zW#IoT1pddPVaKGwgy9K76|Uy-&<(+noA<8PgAvd$K!c&!jw!&It^w1x9u~-aez?Ki z)(1e)km-31NGWOHS%JKaR|&z8qY+FRHUhEe%D~Wi5=yB8qZAVh-ChD>!SkM*v2MP= zz`+!FsOJEX$-cK@wdpTV@6YG)e}5qzF8z=*OM9|D~)h~IFnSQO<(W0rloUvdcGAmTzXomKG6rkW~fJw7!NwFf$j|NUS1``26Z znWU@M0G&f0FmY~iaM<2|m{w52= zgGt>En&#LIavxxMp{extHh3d>;jNJj^rPd({^fd`qDhto`wg&zcRf=k9)0@!n+v@n z9>=Eo`lseKw+=)f01KJFU#kE0wRA7>T@~|AvpJA^$2~^=&I4=`_Y_QeJ0$EoBFP?Z zZr?1jiO)|dn$}`}a=aIMuuFkwINE;t}FIhv9H`;ALK0bdcke@(pEy@WAFVVNIY|ux76X+ zk()q)2Jye3$?cuyROk>;6J5<^OuV0j2BJS%0mov>ZmvBVQz?{9&RZEP5UP1-JtyJ0 zU1tmQ7iFOJCoM$GfAj@|#W4WLUN4=`PjRT2e(&>Jz4+($eeK?j`{s$?2Hdp(aWk^D zlfu}JP<&f@sPL%#3W0EI7y<3|8FkB?s@Mt5dQ9lUzo7*5n-a=HU2QhBLZWc%@I>(+ zPtV87(~8f$EW}ac5mICGSX-6H+C~obQOZV2Uu+i*^y|b+EBwyrIX0sm$vY>CqCXOO zZIpMX2H`TlyvPaWBnouH&V=ov)VE1G*THz2#+xf?3yRh#asXxu2N@S<-2~u?odEoe zjW;}IqNwXkZl4xxoWWe)VqNSDK+ckYv8nz?zRDqr$DG1;pt+$`fl3Z z$PO49FN++4IIw!#BoKd?zR*USk%%gr1ao_?3*aO|F69o~&Gi<#q8Cm>r)KrQo8&YxQ{d`l-b=Y z3`7B>`L1f1{aiP`KzjP#r-gl^n$WTbZX!VomB9Za_d)+_fj-F86I6eO;+vo^w4VDe zb7mnj_RC>rb7BO<+n`)r?lj>4wc=oOXvxsQW4khrES!%v7nN$ZU!~Zk6r>Bh)8aee9sFrv zel8i6{`g;AGZ^YzoXo%!wFVUTU8T8zqOxOeA1?hC9X#t6ke^5TBCyG?1PgIk5=i5Z zoCk{Zs*zj3z5S^C&1EX(5m3E-KA3b>_gQ?dXb1c*Y9Lw$z*X&c<~w&}Xd-P$BO&H( zn&J;o)|#oj;&jFxfLIfN0@LXwvA6sQ;IF42!G?+p8Fy@eVDRvaJ!+UO{0aOJ=noeN z3x3o?ejMwoP>!)680REf0W*;UP;#v3W3s&2h+(H$`T_V6+zNq`L*V?O%I4>-to8Z5(h?PiJ*S2P6r%VL zz#Rj_Rc7{t-y;DufC8X`yX{1cefe-+`(I{PnViI#C}Y6aP!aTCiyFxn1j?x!pFu9) zt`k+mFJ59e(~VmiOysnrfsu+ggz`6fsXj}shL#?i1{GhIV7G3VSN^;oJXYi3=f=5P zuQH;W0grgk8ujiTS(ZUUoR{-S3m|s9V>GBK;q5>NZ3R(4*cnj%-a_7QL9w2~0)o2% z?IgKW07PuQpW}^|Jp;H8e|n#Jj7XOT-NIZ{=Hn))S8&+^k3uzYj1dhbTUB~yCJqB9 zeg!0ixc3=BBQgN8aOkPf9GyvxLvaidLIME*e2CE&vl)Uxt|@!DG4u%gkd8AVe?;7p z*He18&oVnoxlnt7!cE`d^g2!lSs7ti zzQ8P~7*y_IS?yrDw3@TmX8ng30RH75Dr|F*S{YDq#QF&^%}gQBgoF4xJ!!Bx}xMUiMgbt&q>m^mi0JF9Mj>0D;t*lTgk4Nr!nNV2ac)+4H=}CA^oh2ACGE zZ@%@-085CHjAhh&z!GytAUwl&?-=(h?w>$uI+U52zB_1D3}|HGttX={FF0A<0k^E7 
z$D^&BpOO*}LoPu*Lvkv5?0AbepnVd3@8(>O6(@h#b8gHQ;1bdPRt0j2xCs$3Zwe`Y zA`P5pDLd)oHhZ1f!n%(4)^Vxsg|5_IJX@dLkvg?p;c(Hz-svVAA)m(0t%Dz-V%;gH zL!-xnt~=vL&4PS#m-4W)Uf_I3RJ3s@@!fAwCJJmPYTctY-RR_IWj_&5ndf74E zo7=fQfoGY?B){`)h4)I^_Kn!81Xu77Q{(P|wR60|7LYC8X+DnU4%}kL{A*j)*W`Q8 z0C5V%Cai?$MvsSwZ1{t%eFF$B?=}!X}CG2?>14c=SLtK;Zv5Q=Ua*s>t z#-gG0x3x^jfJBWdYDY!~N2x)p4~o^9bkBAxQ2QB1NWb+KKryMNoI6AJ)yDw&duktZ zB5q62-fR|X6etz0dJP%_cG=EKsMQmNClIw2B0bA|K53_(qxXHqD_t`a~HV*ri z(=D-X-sf$Ya3YOx^Qt&i+y+NUZWL^WcZ)SOIrl>xS|H&e+5#Gjh$(Urh9V{rTE*@n zqjYF}7GaS7U@MJ+#h>Sr7g%Ofm1=3G{kfgOv!K8j7Tu*w{mY#j$r)&IKCQ*Q0nTGL z%*ibM&7ky?XtpCFDx$P9xpoSOPYul*pupZZ87Ebcie}D( z;L8#9JQR4ljrtY7$Jev3Flt=JzUCbxg4<e97GMw`zz5n!4mSX4QmC;}Gje0S+kgg!tR%#jezv@4f*ZsT#jI zHl*lRVhR+El~8w_xwrrnaM*r(W_6yb3jP=<;IqX$_({}thiy9-_=`r_-7t_krr5sV z?l|N5I!2)MdP2!aD`Bs_xprDDh%rhZlDZf{9-Xxjp3ZzS$;yvizvDz=!IYU5CY6Lnd&xN3U$)Jp6GvX(z-E0A)a9);uV~UZYhGk#oq)! zA%9lZ%*U_;r4->)C)st#(cZ*D$AHmw!|HY>S57oI_v{vzm%CC(-5uvyFUId4Am-kG zLdQS}Jp54=8t0;KSAM4nHjZ@dcTWGB<}u!@)0d7TP1-J#MbjQ>Wo0E6d!ZE1G8Tk^ z7o_yU!AIT0QA1NBOlyl8WMmdYDahV)@mP1n+r`YFfaD4^1qv@G63f8v&I!BqnKdTp zUw{t@1#K2U1h;e#P}lHxPP)Xf2_2^uRht!x$yz`|Rc|ByENE>=j^2~E6NwQ0gtK8pb935XD+{_lO!;&Y%@ayEBnJf7)`l` z+5-(8zWVu*Y6a`Ncb$-T#>mOr?~>HK-dn{ckx|{6?ffKYdfLP%peq9N=?I!9Wab2a z40?S#xof0!k;`WnH*Mp+UewQ&`yB)gHkhp{CDzA7f=C^)rdxfup zpDAbn_wfbso#1Z1>gb@P(?D5TOV&usVcJ7nLj+M0_6>Y<9TRw|k%XtP*QP453F)FG z@O^WL-nT$eX4Ua>VM{u~3UJc4LQfHlGF8L$@D4J`D<%4cq0@` zdHwPP!~&}eduzX3f`3Dxk!Zhmn9@LhaurTyV#d|aGn|jD`RR+XZ_3V~%pzV}XpZ{! 
zBENbQ!QP>t?b?2PQJrm8pC=x9+D=ua$9WLEIm4cQe z9bXgI{hIhzFD<}Xp{4}f;Iy}9wV6*S5vFc|Z5Zo{bH$$;hOp_%dVp2Ryd=rF+)gCc zUTfeLLw}_7PM8a!c??X3DomCJg>u8NeVnipl6hb>P?$jUkdL?|wmK9pPx6+QIn$Aw z;Y^dPd8Fv;Mn^(Ucxa*a?lkcGQh>DsYn|(J-Gvl)w#Tcz6GO0TxeWr|F3r}{zRIk1 zJ2DuO48yH@=0i;$V`}hp);?zUb(}+yT$djMQ?`&nrqQs#%Il7Rwur#lYICo)y~T?p z{JTq3DxEhvTuo@JoqVwCX%kePCT-po8$55@e;4eIUds=sKfI}Y=6pe=x{!<>%Zo$u zif1MhEwyUSFNWyr88uhM2YNQTtH>I4e6{^o90E5(X&*OiQ1;+5@V;(RjkDM6D~@^kj3%PC!u=7{)Am z?kCHj6-|UzeCBB8)2WIi4rC;eE_?t`%@sdYQz+5d=b^4XyA6**l4OX}WKnl?&{;5{ zWcWpSKVSEDSPZeOyC1+))j-_0T z(6cmD_wYE)ib(6^xA{Au#gahaQvo04+wL8?QK zL&i+N2@c-(=W{ThfG1dA~fy!%0^Nv6#H_8&6i33Giff zn`~_=u`QBXUw?0|b{qL>#Ot;2As{T}MQI(xfbh?-*OCrZ=Q3#iBIf)h@(k%XF#Vef zf2L8)Am#v%rBzR|XeCM$jTr@*rHg_R`>+MC|4k+1HO8kek|LsJjkA?vHHLc(hX>yS z+IHH!6Cfz7Su4G9XnJ&h;s7hB^P0U}Tf=P&gCbwQ#-dR;&O^VW#7_Jbj*=SX`&oKh zjGWsFy|m1*_prm`m5f-?v~5bH_BbDCMZE6*2#LTG4n!kkmKcd`jo;n~B@!QoKgzD^ zej4h&+oXX4B;iyu>QGxC`JPWNmb}NFk<9*VJ9080A#1ur@U4G3;k2MlO zCg!>y30JxmCc`Jti*1%zgBezdL{*eP-YHglHmfZ)SWO1zpIiCmY2iWbX-*eKIY~IC z_MNpe{u9_FKcVsyv;*_Qgavl(`}}i}ScF~Vll;v&Kuqamw4cl1atYNagqCTTkQiff z15~6Gb^Gt(uW}|?MB5%WnO4oR{c>~=X>II@Ad6+kInJ1 zZ=;$LlpF(|^Z@$J=}5YCQw!lo)OBa>u6)s_djYXOsm=uwrV1BbF#rQQT$<@J{-&