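#!/bin/bash
#
# Security level implementation...
# Written by Vandoorselaere Yoann
#
# Thanks to :
#          - Bryan Paxton.
#          - Thomas Poindessous.
# for their contributions.
#
# Interactive hardening questionnaire: each answer is turned into an edit
# of a system file (/etc/inittab, /etc/hosts.deny, /etc/securetty, ...).
# WaitAnswer and AddRules are not defined in this file; presumably they
# come from /usr/share/msec/lib.sh, and WaitAnswer presumably leaves the
# reply in ${answer} -- confirm against lib.sh.
# NOTE(review): no check for root privileges is visible in this file.

###

clear
echo "This script allows you to customize the security on your system."
echo "If you feel at all you don't know what you're doing abort now!!!"
# can't use ctrl-c, we trap all signal.
echo -n "continue [yes/no] : "
# -r: keep backslashes in the reply literal.
read -r answer

# Only the exact word "yes" continues; anything else aborts.
if [[ ${answer} != yes ]]; then
    exit 1
fi

if [[ -f /usr/share/msec/lib.sh ]]; then
    . /usr/share/msec/lib.sh
else
    echo "Can't find /usr/share/msec/lib.sh, exiting."
    exit 1
fi

clear

# Set to "true" further down by any daily check the user enables.
WRITE_CRON="false"

###
echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
echo "( or if an user present in /etc/shutdown.allow is logged locally )"
WaitAnswer; clear

# /etc/inittab is rewritten from a private copy. The redirection truncates
# /etc/inittab before sed produces any output, so it must only happen once
# the copy really exists: with an empty ${tmpfile} the old "cat | sed"
# pipeline read stdin instead and left an empty inittab behind.
tmpfile=""
if tmpfile=$(mktemp /tmp/secure.XXXXXX) && cp /etc/inittab "${tmpfile}"; then
    if [[ ${answer} == yes ]]; then
        # Add "-a" to the ctrl-alt-del shutdown entry.
        sed 's|ca::ctrlaltdel:/sbin/shutdown -t3 -r now|ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now|' \
            "${tmpfile}" > /etc/inittab
    else
        # Remove "-a" again if an earlier run added it.
        sed 's|ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now|ca::ctrlaltdel:/sbin/shutdown -t3 -r now|' \
            "${tmpfile}" > /etc/inittab
    fi
else
    echo "Can't make a working copy of /etc/inittab, leaving it unchanged." >&2
fi

if [[ -n ${tmpfile} ]]; then
    rm -f -- "${tmpfile}"
fi

###
echo "Do you want to deny any machine to connect to yours ?"
WaitAnswer
if [[ ${answer} == yes ]]; then
    echo "Do you want only localhost to be allowed ?"
    WaitAnswer; clear
    if [[ ${answer} == yes ]]; then
        AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
    else
        AddRules "ALL:ALL:DENY" /etc/hosts.deny
    fi
fi

###
echo "Do you want root console login to be allowed ?"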
# Reply to the root console login question printed just before this point.
WaitAnswer; clear
case "${answer}" in
    yes)
        # Six consoles under both naming schemes (ttyN and vc/N). Only the
        # sixth entry of each scheme is passed without the "quiet" argument.
        for console in tty vc/; do
            for n in 1 2 3 4 5; do
                AddRules "${console}${n}" /etc/securetty quiet
            done
            AddRules "${console}6" /etc/securetty
        done
        ;;
esac

###
# Only offered when the library is installed. A library named in
# /etc/ld.so.preload is loaded into every dynamically linked program.
if [[ -f /lib/libsafe.so.2 ]]; then
    printf '%s\n' \
        "Do you want to enable the libsafe stack overflow protection ?" \
        "This stack overflow protection work by catching dangerous function call" \
        "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" \
        "and verify the address & the size of the destination buffer in the stack" \
        "this is done by searching in the stack frame the one which contain the" \
        "destination address, and by substracting the frame address to the destination buffer one"
    WaitAnswer; clear
    case "${answer}" in
        yes)
            AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
            ;;
    esac
fi

# Each daily check below records its setting in security.conf and raises
# WRITE_CRON, which is read later in the script.

###
echo "Do you want your system to daily check important security problem ?"
WaitAnswer; clear
case "${answer}" in
    yes)
        AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
        WRITE_CRON="true"
        ;;
esac

###
echo "Do you want your system to daily check new open port listening ?"
WaitAnswer; clear
case "${answer}" in
    yes)
        AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
        WRITE_CRON="true"
        ;;
esac

###
echo "Do you want your system to check for grave permission problem on sensibles files ?"
WaitAnswer; clear
case "${answer}" in
    yes)
        AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
        WRITE_CRON="true"
        ;;
esac

###
echo "Do you want your system to daily check SUID Root file change ?"
# Reply to the SUID root question printed just before this point.
WaitAnswer; clear
if [[ "${answer}" == "yes" ]]; then
    AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
    WRITE_CRON="true"
fi

###
# The remaining daily checks all follow one pattern: ask, and on "yes"
# record the setting and raise WRITE_CRON. Entries are (setting, question)
# pairs, walked two at a time in the order the questions are asked.
daily_checks=(
    "CHECK_SUID_MD5=yes"
    "Do you want your system to daily check suid files md5 checksum changes ?"
    "CHECK_SUID_GROUP=yes"
    "Do you want your system to daily check SUID Group file change ?"
    "CHECK_WRITABLE=yes"
    "Do you want your system to daily check Writable file change ?"
    "CHECK_UNOWNED=yes"
    "Do you want your system to daily check Unowned file change ?"
)
for (( i = 0; i < ${#daily_checks[@]}; i += 2 )); do
    echo "${daily_checks[i + 1]}"
    WaitAnswer; clear
    if [[ "${answer}" == "yes" ]]; then
        AddRules "${daily_checks[i]}" /etc/security/msec/security.conf
        WRITE_CRON="true"
    fi
done

###
echo "Do you want your system to verify every minutes if a network interface"
echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
WaitAnswer; clear
if [[ "${answer}" == "yes" ]]; then
    # Gets its own every-minute crontab entry, run at the lowest priority;
    # it does not touch WRITE_CRON.
    AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
    AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab
fi

# The report destinations are always written, as yes or as no.

###
echo "Do you want security report to be done directly on the console ?"
WaitAnswer; clear
if [[ "${answer}" == "yes" ]]; then
    tty_warn="yes"
else
    tty_warn="no"
fi
AddRules "TTY_WARN=${tty_warn}" /etc/security/msec/security.conf

###
echo "Do you want security report to be done in syslog ?"
WaitAnswer; clear
if [[ "${answer}" == "yes" ]]; then
    syslog_warn="yes"
else
    syslog_warn="no"
fi
AddRules "SYSLOG_WARN=${syslog_warn}" /etc/security/msec/security.conf

###
echo "Do you want security report to be done by mail ?"
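# Reply to the mail report question printed just before this point.
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
    AddRules "MAIL_USER=root" /etc/security/msec/security.conf
else
    AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
fi

###
# One 04:00 crontab entry serves every daily check that was enabled.
if [[ ${WRITE_CRON} == "true" ]]; then
    AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
fi

# Not defined in this file; presumably provided by lib.sh.
LoaderUpdate;

###
clear
echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )"
echo "This is only valuable for server installed with rpm."
WaitAnswer; clear

if [[ ${answer} == yes ]]; then
    # First pass: show which services are listed in server.4.
    # "NF" drops blank lines from the chkconfig output. An empty, unquoted
    # name used to turn the grep call into "grep -qx FILE", which treats
    # the file name as the pattern and reads the rest of the pipe.
    # -F/--: compare the name literally, never as a regex or an option.
    echo -n "Disabling all service, except : {"
    chkconfig --list | awk 'NF {print $1}' | while read -r service; do
        if grep -qxF -- "${service}" /etc/security/msec/server.4; then
            echo -n " ${service}"
        fi
    done
    echo " } : "

    # Second pass: drop every service, then try to add it back with
    # --msec; a failed add is reported as "now disabled".
    # NOTE(review): what --msec accepts is decided by chkconfig, not here.
    chkconfig --list | awk 'NF {print $1}' | while read -r service; do
        chkconfig --del "${service}"
        if ! chkconfig --msec --add "${service}"; then
            echo -e "\t- Services ${service} is now disabled."
        fi
    done
    echo -e "done.\n";
fi

###
echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?"
echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot."
echo "no  = rpm will do it for you, but you have less control of what is running on your machine."
WaitAnswer; clear

if [[ ${answer} == yes ]]; then
    # Exported as well as recorded, so child processes see it too.
    export SECURE_LEVEL=4
    echo "Setting secure level variable to 4 :"
    AddRules "SECURE_LEVEL=4" /etc/sysconfig/msec
else
    AddRules "SECURE_LEVEL=3" /etc/sysconfig/msec
fi

###
echo "Do you want an easy, normal, restricted, or paranoid umask ?"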
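echo "easy ( 002 ) = user = rwx, group = rwx, other = rx"
echo "normal ( 022 ) = user = rwx, group = rx, other = rx"
echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other ="
echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx"
echo "paranoid ( 077 ) = user = rwx, group = , other ="

# Ask until one of the four keywords is typed.
answer="nothing"
while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
    echo -n "easy/normal/restricted/paranoid : "
    read -r answer
done

case "${answer}" in
    "easy")
        # NOTE(review): the menu above advertises 002 for "easy", but 022
        # is what gets written. The stricter value is kept as is; confirm
        # which of the two was intended.
        echo "Setting umask to 022 (u=rw,g=r,o=r) :"
        AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
        AddRules "UMASK_USER=022" /etc/sysconfig/msec
        ;;
    "normal")
        echo "Setting umask to 022 (u=rw,g=r,o=r) :"
        AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
        AddRules "UMASK_USER=022" /etc/sysconfig/msec
        ;;
    "restricted")
        echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :"
        AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
        AddRules "UMASK_USER=077" /etc/sysconfig/msec
        ;;
    "paranoid")
        AddRules "UMASK_ROOT=077" /etc/sysconfig/msec
        AddRules "UMASK_USER=077" /etc/sysconfig/msec
        ;;
esac

###
echo "Do you want easy, normal, restricted, or paranoid permission ?"
answer="nothing"
while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
    echo -n "easy/normal/restricted/paranoid : "
    read -r answer
done

# Each keyword selects one permission table (perm.2 .. perm.5) for
# file_perm.sh; the loop above guarantees one of the four matches.
case "${answer}" in
    "easy")       perm_level=2 ;;
    "normal")     perm_level=3 ;;
    "restricted") perm_level=4 ;;
    "paranoid")   perm_level=5 ;;
esac
/usr/share/msec/file_perm.sh "/etc/security/msec/perm.${perm_level}"

#Logging

# Reads a "no"/tty-number reply into ${answer} and, for a number, sends
# the given syslog selector to that tty.
# Arguments: $1 - syslog selector, e.g. "authpriv.*"
# The reply ends up inside /etc/syslog.conf, so only plain digits are
# accepted. The old test compared a misspelt, always-empty variable, which
# let "yes", an empty line or any other text through as a device name.
_log_to_tty() {
    local selector=$1

    echo "please answer by \"no\" or the tty number."
    echo -n "no/ttynumber :"
    read -r answer
    if [[ ${answer} =~ ^[0-9]+$ ]]; then
        AddRules "${selector} /dev/tty${answer}" /etc/syslog.conf
    elif [[ ${answer} != no ]]; then
        echo "Ignoring \"${answer}\": expected \"no\" or a tty number." >&2
    fi
}

clear
echo "Would you like set to up additional logging ?"
echo "Logging will still go to its respected places in /var/log as well."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    echo "Would you like all system events to be logged on a specific tty ?"
    _log_to_tty "*.*"
    echo
    echo "Would you like for auth and warnings to a specific tty ?"
    _log_to_tty "authpriv.*"
    echo
    echo "Would you like kernel logging to go on a specific tty ?"
    _log_to_tty "kern.*"
    echo
    echo "Would you like mail logging to a specific tty ?"
    echo "This is only useful if you're running a mail server."
    _log_to_tty "mail.*"

    # Restart syslog so the new rules are read; its output is discarded.
    /etc/rc.d/init.d/syslog restart >& /dev/null
fi
clear

###
clear
echo "We can setup your system to log who does what commands and when..."
echo "May we set up proccess accounting ?"
# The file name matches the one the accounting setup below really uses.
echo "The log file (/var/log/security/pacct.log) will get filled up VERY quickly..."
echo "You need the psacct package."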
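# Reply to the process accounting question printed just before this point.
WaitAnswer;
if [[ ${answer} == yes ]]; then
    # Start accounting at every boot.
    AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
    AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local

    # Re-arm accounting after each rotation. logrotate rejects a
    # postrotate script that is not closed by "endscript", which the
    # stanza used to lack.
    # NOTE(review): how AddRules treats a line that is already present in
    # the target file is not visible here -- confirm for " endscript"/" }".
    AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
    AddRules " postrotate" /etc/logrotate.conf
    AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
    AddRules " endscript" /etc/logrotate.conf
    AddRules " }" /etc/logrotate.conf

    # The log records every command run on the machine: create it under a
    # tight umask so it is never readable by others, not even for the
    # moment between touch and chmod.
    (umask 077 && touch /var/log/security/pacct.log)
    chown root:root /var/log/security/pacct.log
    chmod 600 /var/log/security/pacct.log
    /sbin/accton /var/log/security/pacct.log
fi

### Pam
clear
# Default file size limit, used when the user just presses Enter.
dfsize=40000
echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)"
echo "By setting a limit on how big user files may get and how many processes a user may run."
echo "Would you like to set up some PAM configuration ?"
WaitAnswer; clear

if [[ ${answer} == yes ]]; then
    AddRules "# Limit user processes" /etc/security/limits.conf
    AddRules "* soft nproc 100" /etc/security/limits.conf
    AddRules "* hard nproc 150" /etc/security/limits.conf

    echo "Would you like to set a maximum file size a user is allowed ?"
    WaitAnswer; clear

    if [[ ${answer} == yes ]]; then
        # ${dfsize}, not $(dfsize): the latter tried to run a command
        # called "dfsize" and printed an empty default.
        echo "What shall be the maximum file size(default is ${dfsize})"
        echo -n "Size : "
        read -r fsize
        # The value is written into limits.conf, so accept digits only.
        if [[ -z ${fsize} ]]; then
            fsize=${dfsize}
        elif [[ ! ${fsize} =~ ^[0-9]+$ ]]; then
            echo "\"${fsize}\" is not a number, using the default (${dfsize})." >&2
            fsize=${dfsize}
        fi
        # limits.conf lines are "<domain> <type> <item> <value>"; the item
        # ("fsize", which pam_limits reads in KB) was missing, so the rule
        # was not a valid limit.
        AddRules "# limits size of any one of users' files" /etc/security/limits.conf
        AddRules "* hard fsize ${fsize}" /etc/security/limits.conf
    fi
fi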
(A)cttS"x^#"7T#x`,W *f[AGJ2ݽC8bMA?A\/ƋV6ٺI;RQ1۳zM2vywrD:F%33% {ŌN7g`)9;@-W.ާM4d C2䭰&z)3j5{ =b0`(4JajQvU=@% N3׵rky^4nGcqv~gcʏ!:`ٚ(7孵t*iLi5xoRޘ9aTGVyo\>l1h T["]KJ\#1=f h"tK  Bb5].XuFX?)fo2 K/#!ViMJtT^EGgs- {}m>)^*d:£vIavΰ,v.4i- e2T5uJA4Ҋ{6aA=K΀vVV7_ SZ"^Q!٤*W7^b "KRL/XW5<>,:)ohtIp-wFb8bͲU}呹0$R']1fMux$M]=[ٌ2e@nE \w£ECuTΪ$~Smdzu(Lȡcqu9톒Y ' <3;3Q`i8!LRߍdw#9S/<߈;b,0c*b|sBwܒx;SoSe+z]-vau 3zxU LFHN vPڲ^q}Cqi Z,)Qe.Z tYzb/ށCok>)a$r]8-s{z Vi)UV2k reM5|+kHnb,li_o;˽o82Ң p+cըȓFmPw}Xcu(xKO2-0`lL*M(:yRI&]Yg(RCTI}ܟ;aF#$˜s(ksDձ3g[.Y(%4!V&`YaNVfPM1Κq&I·h˧ C9,8)Ɍf'F$O9V7xrȝfjAѣ*@b!G1YDAL:P8T"5Ӳ){<~=U,Z$>Fdf`jv Od/O(>^~oѭR.JSGa܇X6x%֣ڄmg@XosHz$~-g 8-wkT|7JfU HL؇SP039ΜuG&WKd feQwpҳAti!I1~(Q ʨ.{uK;q09".>JG'#X7!D3g#& A"pnw*Sy"(:AZzg`(OiGB\6{ kZmXf5C?WƟY$>56* CȲ~d0M")4{˭ӗ\@=e:4}>y̕}lXTTin[191`&T;zCKJXB6IoxDyM8z =]`8ו(ٶ S&_頡!/:OԀC8柘+CuCٷ+erҙnMZ!iӊxފ@Q[~0 77\'>b[ψkDzJ -Sv)[C:V;ZE/ '쭍ɤ6,jqM :%3[ |*/U>v /F):֑]4Z >b$O,G1_+^Z{eIJ:]:/X\>*3(m~uܥE81]Qv&{@ǿ:ec&ܒZ~wn&Sn|Vrfّj+\3y (DœD(6ĤaHoh-*ҀN ȯA\۴q^g3E@',lUأwIHH!UOҔ+sQԯx͏x<̠bε6KgA8 킰|>r"QW1aLlpQ歩'{ԯ#pcϝ7K:#v_x .Uw!l^Óqk9zpݫ yI}]Z$k,rN,zH'mދk2]Rn>ht HN¯\zrG%egx)c+]bcO1(o =T& i^s?7Npl ?-z&*R k ŷtaXæa 1rU{@^Vkœz:e$sod+/a717߉Z}Vޱ;eFSh=z 3s*f;OgyR妹TS޴Oa ȳVMl?b.mlSR#uQ>CbZQҪ1^ A] I;n|L0/?3Ěnٵo}( aL}B7hXb.jLp #Y2Rm5w=/!_֍\- 4'6(qh+4K./I Jp1H\ο..i^3E%7džq2F 34'ty[MK\aL AmW@D> s5bY.4NNlZY(ylp'жjׯdOs8>noZ9_켬/03od&pK amҏ(pwd  ~0V ( /1>tqla<B|.gТ QS048ތg5 ?c:mSuHJҵ-4ˁB{2XOyC)biSS0L7NfFNv`%R.h~{`Nθ3ctzRgXqޏ l=D"B` 6FDm ~9jYnCj$8^hŀ{>nY569PDؔ5pAsWJ!kB}ܮXwJF:@{|m_uEw2\~A|T[Gj raP^eBx,p14D?,ZHV`'Aͽ1 <#](8h(&:t Gg#8D8R'O.+A_Hd_ѥi_U4od{u2cY3nE"f-ԕƫ]iy|-OlY[*D8<ڜ(h:N\Rb/)atݛ+2pU/av,.^0B 'KB6(5z[b%vB*/(w2sRfVD #ş4{Gn'5bX;>TFTHf` Q™֘O;9'M}%Zg? 
5NՁ-BPtI/#wi]vf+2mQt\nk5 s!tl*5.*eBR=G9.GX Ê5 0J{pCD3Z QJ 6k!4Oj-YF=U!Kρ:^!`lZ Kd-ʸoYxBHk /xkG@O OV+_Q6\s8B7c8jL%(c_QN3A ݺ)Dm52чTqIlY$YàȉP&ԓ# g^.`֠Dt\AwNnj4m&Mkq;ߖ]S,PRj;6}so9co_V|S );bZd[l8ھ@D h/NDz*djZUޔ{#]Ry+tI3!'UlIm<oNh|Rkd=[?>>H,!/rHGNRFK|؈qe0J4ʭ K-'H&SZ;f?~#(\r[m{ Yڈ)&>ؘrh$"Q iQU>+{Xn~T4]e˘ԮFrpS,naB*U.X!dLO[C[{X@bKІ8E72ՏxkNzsR|p/S1Ŭ5([h$wש6d4 &>[x(X;MXs3F,p-l߁TKEln v-`lurB)5X;+b +I`oh'E Ny@&F~5s 5Q,bxhi;ಙ1]k e\ ":IzcH9җC|}f$0Oeҕgoe</TARCص+xMI *}C]:HEÂ6Q+z o}ƫFR|*BCP}"PhPz78i}ksiy~tr >X ^tifdmy&BA9JOm}jng ;i9^YbO'4ܦH3:߉~$&L 6ңV3>H1do\qⶼZ)q'nB*alᅹR$AMd%} Vy[<9VrnPRtˡ357|ZtM,` OnU1=ڗ$t> $L3}љ 8,-6h8̈́X)c$ڕWYg$qO.|t"DLc;͂((PWʬG&La*sxv%˞J=n+Yzdjdkؔ2\ſ!#NfQΪJ8$v9#)qlEZ{4Skؽyى&P/a9DTb7Q6\[Acpd"HDs2iz|VdVU/8tEa: 4v=^/R9U=ppϝdĢ LN3]Cu^0CEz[̆BPK"0@2~UvJ'MPjG 8f ~9=jak`gK$>l`=!"1#2RfbCA`@L4QׄP-bRʮC~ak,Dz^7ѾX<l~Z+1iW4ɚ5RCgġawm5JYa%5Fۿ`%|!;<"2Ѣ0L dPR=4Z6'euiA̋񠅊Zby, t>/n!-)ØA RĸMOl63_N>edeGԜ%c};+ Ccu |HYqN)c^X0У?1d썮)JSxw56IZsĖ9 /_KuF 6c& 7) ks@`Q2k eb8g~]b {CG7;nxP |B+2^ns5]:n]&@Vkk˷jq0ۑia'rf_5Zp׷w$cWrT1.ckQ'[nXCG̥Z(ҷW0YL埱}A\nCL6 U@ ɘŷ-gL8%:UCL $ ,H@!1'>4o"~5fMd#~W8|u-c| _>[M >тta(môkvFşQuʶ S@{l{3TKް)p9_mDk\D9S֤k:L%0;;D40QNU^-jCKOyȣ ݗug}}0,Le 8P/Waױ{k˟^n7anB`dĎ W6[#b &&<6䚐p5;ߴy釫wU[hcK&vI5%bPz)؁gx c̕(/ 7Kk>퀻2NHi@Uμ:b l B cܙ,EƆ-Av_EUr H uiwN- H|\>XE @(@#Ʌy֞=3 -EHP9UI*. X 1(%B'H͵4GV>aI}}˾28QyuYv<./޳ބ3oT{*RF@cX5Ο deegK10'7C畴Lt)vsҜdamdoEs\I*t8. 
I~IЪraMXeZTvm}3B, t{cz=iٿJ@9B`X!Bl~t|vSjAG`2sfE 2j eܽσUHt5zEm1ES{GA**LlfcȣHaxlr(X]ޔ"% 4}ujL<8|+5@W ĠMG!%J2wlr}4M7T~GHP1am0 6>Ucʹ2G̚B%ӫ;t)|;,7GJ_9 3 !u/+q`'tV<#fWGΜ\)GXnXIpXoo~P~<  duxqȉ1jX:4A1 -0`T!&t%qƙܪ }VNk_D&K$m 73S'B[)iֲUnU0Q}/]`?GGH4=tv {R]JLX9 A˧ 2̈́^2y1 FXǛC1$ɌOۏ͢!MqDY2!]g6BC k.bZ nRɋB7T2F3ZQj]xO;a [p"0+R uȼD'1.Q4 Nb/Ts|i6(IN0mYrv5]33{sG$׀9,-WYѭ,{ѭj89\h*tlX | evv'%9ŵnÏTakEIߕ`'<4R^?pl&Y[JQѸ?8wVfo%Y{,n}g.Y*)pa ID ÿ`oiY-]@֩(ȋ&J˨S<2K=)+؃Iq׮l#Y3sr96쭖I'$Cr񩾒3{/Gf@+ 16&X<1nk[)n#:!IO2c *X&kiz)n\OGEza̺ޝVsfJ›i@OjQVQVocd׼J`Đ`LReO$ L-4Q $aD.ݺ&+ ֑_cϔdKzuE+RzMtT [)V{/95FCN}-HwD(qPs|1ʱE+<"J:(ˢ~y᠉_R%{@yV\̲ niT \ +Ryugy]kQpHW ChN3>"/1 `Xi2X0҅ȟ@P3 !I2WU+`Ԡ Yf0sA3IS3uֵEX2n?ߧ:eZtCvfrE>&W~<hz]sJݴQ<` '̶ɀ,ڨGۉhτ FC;8N=ښ )@ \ -' /7&tF]/Mwmh1S0Њtjc4/rl[‡ 5!9^ mtAvo  v6Ԡ]n1EIM-|Tԏ\+y[2U6"`-3" [l.JV:c~nt~M'13r~˹ɤBV{NO=+] gCӍ̗\C³QiU?_/C x ";NB|_FC'.ٟ1uy!5r٧RzES5nA[3㳱5,bq[z4P%Z,@~E=N4 'vXK#B8;b7ϣD4V+|ʒI2 K$LkCk0Ed9tv=$sE1bp!"ρ j5fUftAkb89a-N鳬1.՜Wρ)qs񀬢i?лv#BqI!L3#[m.^?i-e0a F}DѴH`'+o1{G-)&'nLC@oWe2פʠ״&pޟY% cy+ K1:^R6I# ~K8ƹ`3MLu>gelo3a{~Hw˔]hjc&EzI:Rڕ&޺C 6j]ȻDozb˭?vX Ar]CTl*~9W:u@oIdP[aDE}+B\v݈~7䒠!ln"3j0#x{:oʞ;𹤧 Rї:fV?+hN!:ppYu L8I1X&y V-KONC##G 5Yͦ]?H=B)>!>l=ոskeΓtFU/tovf3H@mқD"5)ynlT+R$"<麘m@z`WsW}y#FCX:Uf]h*=; 4[ p,7xh?2B9&vp}ˣ*1$b@A7LPF'XeRkqWZ[b79/+`\$l UdM_ڱ@_DmX%#nI 9̱3pR4WX.I&]2K""Q)~9-IX|^fr,}xP&N -^lÿ CcUP6g^S|ȾB^6c~;'CV*pR #Х&-gmm?j%wlw +ҀTuT}PŸ`Dg kdUao#u˞#Puݴ %p.eA]]-hw1/8YMA=u'a]+p8;1_)8k|s+`Sڣ aNqoHN:J4qvfm= -q (eVԴpٻ=I8HdrLlYR"3TC8d9m'+zkWCP4KXqm~34RZA)Mm<`E{CpB&Y2U[ mZXj.D^nFI{}1t+H"@Ø2*mZF"`ӈֺ8Vޕ䯽*KjBoZX\U3ʛ_PIp| ܥ,0,ǽ`<}k*il^%Ҿ>Խ2I^\D\}u=r(б/X8>X[~|.: K\٘3Y~y筳 %޶zeR(F~FiwᅷK,RF4v'Y̛ZJ '3kȄ=*1y"#y|&g1.a'B|ܺ2>7ТܳZ#:>ܞkl.h ZV!9೑yyvՅ5^#].[;| bRr?{犟]&N~s*-0k y49E@ON5 HzSb 782@/G1410= N5]&9H#Oj=5%rQ߇meG^9Ef(:4u((-R[iK_i8SCRL}bəwQw)q?Jݻ]+H|[aK%z߉DOAݼf]d 5 ̧V7RYVI,~T>\1b@m&9a+k@@Qm>{ ݌-È<mP85d <OV?S}som^$%$>]4zs#bi70MuU8o(WГA|V?R, `-(xs F&LQ8 D+'/l3BN _kKwPF,1a)OA)ɫ+u޺@-N$A# @sEpya#$iֽ<fX+m69.ʈ[7_ ԑ"WkG {ѹfld Φo§\ex,j (/; jm;` Yj?}M50 ~KK1@â ;e$U*|7I&Ioi9gX7`|5N=/W:coB> {F*d 
Yjs]bʅ5 $dH7$,&!zi _.Nk:$ޤS$yCll3ew="5hʤ>(gUF(i_ iŽ#7OEߘdEre g\@5jďY%d28sTƮv=)ԡgkwЕE= XC @_.k5Pq5PyUXL K0v2=F1NsmRa%룛U43Cb}3`.O\y5|[ /˦F5#"Du5cwK<M -yQgf([gö%:L:a;T{4BX#+u$NK=H{ a[߳qpH=H!Yf%ǁ~g%.(So# ?HVj9$U8؁ *5j )e-nA]#eN6ugteLb@A&AC{m{'dX\_HzTT t4OR߯Ls(9%~C[P _D iEEÝFqZe L;Y*o) gj:ܔGy tJX!D}Mt럫yʹܾ끔s-7* FNN*'Ԙ$5M"D*o2zoPUEo1(D*1a$H/]\Dsi.֪EL,[یDV%D\\;ηwTImrLSwࢀxͣZPBPq_IiP?+ M%4po1KwdtYͰ|cQлn{h_>c DgQ4S֑)&ONOI]/aw} 8)QQ*({0E-gT1~+R5Za$lt asi!$%7=NtdM'QpYj`nSoLSZ+,Yq*ws)y^))@#P!rsS*zuPeڇ%/8oev ; ;5>uǙh0"И[mRg/loqGpkR)R5F[JuBuUEO"mI __,H_EO2yuW*:}&P. d\xY ޸}Opt[l'#!kF*oóAJ358 E_ nk+)`|@L-4i':Z]OҎN#ǿt-00VO8=c9j_%ʷdnB vcO0zs$u(clx#g>Sx*=Q>cY/If2  v.Wz7KYņr /py˭'[wc~t^ri=7c]-G\?\rkY>M&c^hi,"z}Yt>0]4)QLIQ, |Y0F$G^WUd$B%#xy mVkw[ژ,k~ƯL-3ԕ[[$|>V*ݖT4BwiB ] Z|̲ h(y'-f&#ds3%0D0)3z[[P? !,pf)- R%(jXW=«jE}q/h3nFV y>P0~*SHGZ4X-zYwUJ @AAKp 'S6 `eDEGɍr Ku c؍mT@!0 _4CcDx> l@|mP[jEIC%*2ubdz $l,kKxL$ϭ8FvJz0ˌ8\W28;>h!f6 { Bmz E! 9s3wq lN .qHZ318ޔp O\J`L:&shO cX[9~"o.gt氹18%;)&i$؛Nǘc=k ci[e1eǖ֧ JsL5+c~tB2,#oiI]{1<$q[M%T)fIIQcfuZo=29%V7Q2&~N)AiB|-'mb <Qx(c&aD/]T! 6xYLtX 8{K_phrtO= T)T3Ws F(DteZGp+mGp8ZEr*y jdF9Z{-++|wRtElޞ(%~U %cA&%:Dj9pL41޸DjcVo/M]qJ/{X!g 9F>TLWG 1Lxxa`z q:-hqvSB,E}jfROhKLQs\UG bbd-& ?&Hq(\Cyab l[5Q: -4yfa293cG`._ČZ>ᑖ?#6Q BiyKvm ]}b'usx[k}14 \kY9Yg/d&`eE IBLEr "3= i6]6n%mWQ&n@_L-Ch,fHQhs2TpG{vu-[?"WϭZ\9CT~(RG8my8(lBu3oɘyM).kZ :Y =ոpy<1EęRd}/~7@j4cIi^}$AnzB,\(OH'ح'Ig@ ǻp] loG`7A(`֞8 OwqSXO&-d0#Wz iI|icF%qyh[8 l8RLz0ժcnɻQ檱 M ;.zD6EC鋤|t&Hd/S[G|W[/1"jTZU'R#)} iRbc;R[zPkFe7NҤKd=+E2 r\&YbާgRER!^| `OY&o's~]Aw`1>p'To, q}pd㗐o` [CHCCJFt2 MǯLsj5s`;}F-eh!:B!~ky*du@Bj,  fΧ6,ǘBi=3$pр5Ta$dj|RWٶ0ZDVu#}Cƞ~5H^:NAY07K:b"VxqHՙ¾=d-S[d%<eheO*!ZdA+dZjT2DjX[-P;lxU ::a^ታ G9~% ?Y_@KԷ"FZ*0T0AX SlsCґUxN^,"0+3p߸A|ƆL$j$Imzf\uBdd[Xဲ@? 
TPWy=P,5r5 0䊙.( ia#Z9v!w&oU_tîD%12sF6jՊQ”{L==䯮(cӀ6 vgBG(-0_Lzz6zD_Hπv/eAEM>ddQO͗.iƵ;mR-+S~ ZN߹{jU)ΦYJQ0S ڠ]Xgg*%>JѲmzkU\[`Nab$+_sSw&$=L6qy _77!PWO(쾞 !}8.esMj(sTWb-e z`q:]P6Ρ"v!gGj,qQ0ŷ(.1WyT]isuHCӥn+NC1' ^n`JJo n̦j\~ b]Ƕ|:rLJj;-Cbᓹ.I * Uu ,(²+ĦV|4C59v@ v=إ_RWCBil2ApOփBF3#UrC*6 `O$󜯸ELǀNtT27ajXeD Bk_ʪRte279tN=UIk?qesI-sN&k肏NW 6$fHv,3\f|}5~/ 0[d0%|9K߫3ۃj7.qYvl63ÀfZ@]25(拢U}yyoO3[#*P6:aG]z"+".-}9J3, =\=T?߻h%+ = H ~9eBZ$XCK&h9pퟷ8L8#SӉ@"*kQb4LYtj珛P%B&_ˌ"ZSMYYJ&_NDl/%M: bu&.Yc_Y~aD4ÓyvY&-8cAZ+)' /: aOBPdpZ)]`s%&G#w=>FB?(n2 <_ٵg%2?VO>gs֍w;VTPPr%bWOE:A7p%Ř6mnnd&/#_-h$ DhyD\B,iwI~s-[9:r-AZh^| :R_84BXwl<90K$42kvWbrbΕgȉؒ{U sI1d$B[Q}8\?|Jk 5rP u:>2q \x', ߱*ήtL_KGfJwfV{OjEef-xyUCqtTDJ>&!` ݪg*Mp}A uMq\pIu4(5@ zq'7']aJ:CV3tSп(1ʰ~Fp8(mP؈s< ;_1B@$B>%2an-w %)Q{\_|1{"':a92aF Ylldyid1KyTPY5-c@\Bm^BɝLDvVTgN5G5$0E~I hovɇ>6s.fO;hVDfLH!1D@Uw{ӯRpFV 61u=#ND߭'ApRK_Zn_ČI!T1b/ CQZж{Yw|R;qcXyoX>Y-ԦE Rc&?hm=|[q?u_;;5D|9Vr;ڔ%m=iKCA\ˍPXQ aHg Zn"F.z|J\+luoc)9Уw(g5_k $<­a]YTMq\eH zqs }3L_[N_x6YP{9\C 4:vI_VΌY,d/<(;/O*^6l·=$r Տ4-=ycׂqrJؒ ah_쐻NbP޺庤~)X`N<L\_v(C5Wձ:4n+i>q )0&&:id]+QA@u#*Z>x [,O,ܴ] %Eqt1q&$e(1JdsKsP5$cT}n>Ao^ߛ.sݓVJ teOayo0wYoM5ŝ<+g*l~J%;-r%T_虸'k:J݉lSIwtAŜLNo| v%)ON,MV+ꄂsr_>[ϒ#$rjahLR/fH?? piQ"lVor,[Jan;]z+ӅÀ& 8 yӤsO~L4'*_[ȚX!ŸIr!_KE7OA k \@YSWE)i*Wqoų\SaO}"N&)6Rrw9!vD@"r)e;)eWE؋{aAjt SXgV-NS.}RQ^ܧqFdpEJK CrpѬSSMX}d58dz`jf(bk[jQvGHXqʕ];oY͖xOcs"Ӏ'ti{@\gl ‰4fmQ1>|+/邖gXn>}Ź'y76Suĸx}4l se'>0׶θ&ʮ08p#;klH2nBj(_t63| #ZmNkN':-2-#;xG 2A6a>k]Gvq )HW^TOg;?0bqCe6:^YYyI-gy vk+}>h ҥKU_EO++jI*"k,.э$3\H*yژ)- 8,e`Ǭn(bg34f mQI,ZJ$]T"->(bٲI/DkPXg alUrTGt3|}Lkmگ%0uaſ'97pqgMzшrU36xS=O#;DnMNNyguMc$%|DlFb$<$jRAt`=̮vMΡl, "5ݽgj09JCV!+9}dnpWb$ZyP"]"nxs(|mO} xxs/ vn!iDl1!3VZBZHW[q$ Qj":猡޽`.ߺX&GxĽG[tcE U4_bd; `x"ΰwRUӈ8HO=7hgF#k7ۄ02tmJg-7xmGPz= A. 
1,{Mj԰}~wQ,P*n'i!#q LF+{G,bCo,z?9S}hݝ~TUW*އm:m!>X*W6Uq6dG|ϥɓE*2OM`TmK!j ŗ6R j!Ǯ$1oxwn5A HNk&iFsJ5%+e;`).׀hD#[̎ʹQU32pD Q6HʚV-Ҩ:O/, .u?6^>Rd5ߺ~9)?JQ@6:i0|ȯ錣-AO8.w^qa:r^uG03AEt&ɓ&E곊37&ǑH˳od'O5JV(ֳ0?2NYBwdj妄+oeHqT< n9-eP A}wALNdu"C+ !62h1Mm+e/}1 ZqƦ_B+g[pAG |#FtA%&$ Ckb90H KيftEkKulD/B]hRɥ_] j0wq=RYgBf``I,Z~3`d박)OgCh5toE1EIVm2xI.Y38-^[EHNJמΐi+Ɠ/J}]!TjwDq~7P74U9iq7BܒHut62fj`C:-Y ecҚsT=q`㮢/pSH/ t k{ +Myd,UZ my (`a^v/\煜K~;gjfF濏px5ogf#ei0G/PVs`N~1Y-ndHUhZKʈd#O oUE"_IA=*mھ\o U콲4Ì.c6RUK^D p_ %͚ƌ_YT7VaMZ+7Z܊ل=>z iy5B~@L4PX Kb\?"N:8M煩3"|S֥<#쾟!V1Q>WS 4JmV NR\ߢ:(A9|h~ŵkLp8a$$FN#|&l_ ,vZ'28V衲/Jnv? :h-/. @,cJ~sNH23I)z莵Fa٭lic Zjel0AdмzX-yjF)ӣ762#'Oz6B.Um!҂ &%+3]1G\U4uGnnbaNlk3byg(ْZJ%,]YwO1uА(zd,J­f0`:yM7$(G(@d8]v&tp{lk*i)qy&pTEPS( reH&G?M=P6 &<#UwzfT{_N}M,i"")"NT1Vx/[(i{? <ǿo&1k(_**;nq]HI *2JmoMOP9-.Ƈ x1w:L!X@Tqg&;'>`ٰԪFM$.ג_R9""" <'Rfۃ(Enw~8d4!Toa;Ws9߻  Fj>c, ȘQx;mv5(n0/Vk&=V<ʫ†byPĿgc1= NӭGxԘjv8;Lhf߸\)C7_,#iɦD[2~2 (R{V<߇'ƙ3V*%CÊjJ@MBƛ002=52s&j)GgM6J g,\'džΒS@nqp]oAM3?3GBI !A[@z0.3γ&d@Fw}cʸc"xrR4z Q؛lqf" $bN6qÕM9Vy uMvVx>Y5`Jc,.+V=guRπՐAcG+3T,M 4-碌Y0]S90ʫ[|i`@0&|94Da6EPXCr G bnxH ꃊt V'\l5Q :27b=x2HU{Eg?s4Сjd"<T\uJu>gӵIj yQ3s5"6Ĕg+,+mqIocb:Nr)F:ssv'bYT =L"PmM/hѢu`&G2I*`HORFC xJi &geU9vXp<~W1@%16q7yXQ;5f<L|̔8oDq{Ʊё9W^>2c@`jЋfxk"fe,u (TeJ~P뿴?5Ǜ24b#]Вf[o/5Pxƞ\Yil uQʵlqwBjbZ>hb8߄PQWI_Hb5ZGٖ6+O:]tVcQק+smY!wsLʣe>qҰi~Xx)WLkQ$ !T:˖0/0({ C_T?62-t|h=e}eH&v,JLzf qv$hO߭D3l%mXNS,^j4ƾe=mEGTsZ`y Sq?Qd}Ĭ"Ӗ0YP oAї>v_*Z ECV:kewf*,If1C'=6n WsrٌzZyyZB?޼=n-+ebW^7WH%Yaٚ E=UzjBXl:fߘg砼O7{U $a>3Q?;&ZVxujh4>8]}Մ0;kgvuc q2C<&sވ W-,5$:+jМGGAy,(͍fcMyw Z)u6~J\؎z>6w3U5nCJ{m58 GOb*|8ˠ֥{Y-YdYȂFYQ^U0L_tzĘ.%聖z*l }֔0j$ Y6Cz!f3&@ztR\]Xu2zaz)GM(k63 Fꒀ(>Qff*uwVä3؝".fSǾȺ#MIQ|\ ms:%{pi¬{*܂-b>M4wS',6OecN2gt,~O:nMdBiNO d+Zű(8  XJyA? 
Iߋ' (''̛LǦ7ARn(ApK}zLH]0v:4NFx{en&@ ,߈|Ky{t KfO;4ˢnJwf}Iq5A/%URY";3uۘ1lx[ -`ǿ.A苾(bIJh9!B1 98n[,{\q]W2ח9K hȚcʧρ[?H)i5X;b$0؁ (񯩵~A͜vo+|L:t(}MbO24+ Gs Z5 @OrWY:t.WvPӠgXSR˛1úLWQ*WM'w֔»QNʟj#$b U8j~rp3emG7f+دcDZy| hZL;/S*SJfm c5&5iS+"OH7uFg} ۬ 9>x"OuMQt/UC7 M#*= m_YPZz2po Vgq„v4|IWK8!Ǭ[2.ѮhC^gjoOi̞^ޠ%H(e FӨD؍c 8 <4l$Cf/@OX|X?.T*6ޝ)D(JRܘ0X}S眔BOR2E3dt_l꞊+qcC0:^XNK6 Cc\c1GO \T(@OVboU*T_BDMC!L|NZOE|)ST b} l;ǀ^}*m!wНڥ?S<)сԙ>pp +{d{ /iVȌ"BΙD ;0sGoFcoo'G{2E{ވgh7LF÷ 8S`}V g^$lW.̮:\^u2wb>`yZEG8C 7;H!`/YK*x0tŀʮcYHmMq;cs>bL`f+jcP3g6U|ɋVs?G\Л¾\HhE7'i%I3, Mbk&Ձw|Lza9Xs<,YG, ze\_t9ˡ0;> P},)_Մv({`Sim=G3P/@8?a` Z~ēBD&*e:1Pl1~|)ML蒣J1ݸ<է6nܯcG%F ֖7Y#zH(\rO1bI용Gy4:ic(+X!jWV7_!0Ekxryt@7pAK7W RP9yZvPKs,7D7/MG7^O!ZǠ ĔRXrSvysCҪg%'/4[i5y s&k/_aeB@ /Bo' 11z؇LZGWѱ0v|0Om1A(>~~1!JMvٖK $ضv5-r=7p%VƈӞGRs3?/ 7¤=y! ͐&_E 6^ptj R$/^6E$r~"E玹.?p /lIt1ywmʐ7uC^IA{ɯ8}:z&܋*!] boLwG>,煓%qBGA8'eZQ$ؙ]i]a8(3.4ʐnnsU9HMɀjYW :X(&ôOJXK +;ӛ-K y=wl̬UA=UO!-4E!` cJ,A88xpjD\@(P[ ռCv[m\$~ q$;3~=.S5r[炁rs5(cenMhJ-ܰ1g"õBb%\9 B rg%xa w>4hcJ)BXˤ0Ix!x ;m 7b,"e2z\fRXmPRL[UA/IĤ+7mpbO2a!|_88ahPI<BE@^pk6J[I߆ 4:'vɋE/l7@j\qa37Dݙ{}qAKbt [ѥےmR [wB;ǩV7/^ O#OH{OvuM3y%W 3P7P"8iS$q&UJ9%PF=s(6'XQ>וve@MNs .>DS.b:c4Bq{l6& 8Tt.|ѿ!>v6}+8RK.?1\tFV"Z4GnB'& fH: ܛ"Azcd*2LM-.Y&ba!w wy)f08S? LӘ 0~fFP n1&os{r9;R.5Q>6𧬺]F1y9zĂf!ŊǘA\>Fo-MDREܸRk)gff"i> %&x aP؍^IWn|uD֔?kP!,9qGLor4kmhj;֚x> [vp55N m,YTԱQeۛ:bY hr;7k;l+Â#&yh0P38gHxF"4J^/p%i%cyߩT&|; ` 6vE$`ԫُ[=l[:,nJA:mokiAot,]GVpbpKZ79FfnJ) <8^n \GʚLqd~f=Q:oKtA", 9`ͱ֊Q뛀_/{  q1{V/bjU5*Fd[%hZ|v)ˤ|"k}JN֜s|8XDm𠮐.-쫈@nJd4.! [/2#)ŸC=0% :Ħf)p+99'] O@c|XD2xcX(SO UEʰ.0h5چrO\Y@ϩu@_ʻ:;Jl^zQ.~qQ7|ظwpsœk2m < O_܁tucq$i_੘wlFxő'pi@A>G1.\^q3[/Cn+dF}.B< ,df]9e;TA KfKL;Mgwz)̖ۯ&ga>G@4#1H6 /]J~>Jr#4vYT;jPN?{2۱XwN뫸`}FjO@sيznEk/:ְ$sXCemx-hr{ݪZRD2U<[c QM/cHs5ntT?U. ȸ\$E`bďQS6 Qu%b/|cQ&R9޳