From 2e10db484bcaab6f3adcba226c9211df0d80620e Mon Sep 17 00:00:00 2001 From: "a869920004@163.com" Date: Thu, 17 Sep 2020 17:16:28 +0800 Subject: [PATCH] Change SPEC file, Add Source0 and Upstream information --- LICENSE | 127 ---- openEuler-security.service | 30 - security | 17 - security-tool-2.0/csh.precmd | 24 - security-tool-2.0/password-auth-crond | 45 -- security-tool-2.0/su-local | 29 - security-tool.sh | 1004 ------------------------- security-tool.spec | 31 +- security.conf | 218 ------ usr-security.conf | 14 - v2.0.tar.gz | Bin 0 -> 16122 bytes 11 files changed, 15 insertions(+), 1524 deletions(-) delete mode 100644 LICENSE delete mode 100644 openEuler-security.service delete mode 100644 security delete mode 100644 security-tool-2.0/csh.precmd delete mode 100644 security-tool-2.0/password-auth-crond delete mode 100644 security-tool-2.0/su-local delete mode 100644 security-tool.sh delete mode 100644 security.conf delete mode 100644 usr-security.conf create mode 100644 v2.0.tar.gz diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 9e32cde..0000000 --- a/LICENSE +++ /dev/null 
@@ -1,127 +0,0 @@ - 木兰宽松许可证, 第2版 - - 木兰宽松许可证, 第2版 - 2020年1月 http://license.coscl.org.cn/MulanPSL2 - - - 您对“软件”的复制、使用、修改及分发受木兰宽松许可证,第2版(“本许可证”)的如下条款的约束: - - 0. 定义 - - “软件”是指由“贡献”构成的许可在“本许可证”下的程序和相关文档的集合。 - - “贡献”是指由任一“贡献者”许可在“本许可证”下的受版权法保护的作品。 - - “贡献者”是指将受版权法保护的作品许可在“本许可证”下的自然人或“法人实体”。 - - “法人实体”是指提交贡献的机构及其“关联实体”。 - - “关联实体”是指,对“本许可证”下的行为方而言,控制、受控制或与其共同受控制的机构,此处的控制是指有受控方或共同受控方至少50%直接或间接的投票权、资金或其他有价证券。 - - 1. 授予版权许可 - - 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的版权许可,您可以复制、使用、修改、分发其“贡献”,不论修改与否。 - - 2. 授予专利许可 - - 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的(根据本条规定撤销除外)专利许可,供您制造、委托制造、使用、许诺销售、销售、进口其“贡献”或以其他方式转移其“贡献”。前述专利许可仅限于“贡献者”现在或将来拥有或控制的其“贡献”本身或其“贡献”与许可“贡献”时的“软件”结合而将必然会侵犯的专利权利要求,不包括对“贡献”的修改或包含“贡献”的其他结合。如果您或您的“关联实体”直接或间接地,就“软件”或其中的“贡献”对任何人发起专利侵权诉讼(包括反诉或交叉诉讼)或其他专利维权行动,指控其侵犯专利权,则“本许可证”授予您对“软件”的专利许可自您提起诉讼或发起维权行动之日终止。 - - 3. 无商标许可 - - “本许可证”不提供对“贡献者”的商品名称、商标、服务标志或产品名称的商标许可,但您为满足第4条规定的声明义务而必须使用除外。 - - 4. 分发限制 - - 您可以在任何媒介中将“软件”以源程序形式或可执行形式重新分发,不论修改与否,但您必须向接收者提供“本许可证”的副本,并保留“软件”中的版权、商标、专利及免责声明。 - - 5. 免责声明与责任限制 - - “软件”及其中的“贡献”在提供时不带任何明示或默示的担保。在任何情况下,“贡献者”或版权所有者不对任何人因使用“软件”或其中的“贡献”而引发的任何直接或间接损失承担责任,不论因何种原因导致或者基于何种法律理论,即使其曾被建议有此种损失的可能性。 - - 6. 语言 - “本许可证”以中英文双语表述,中英文版本具有同等法律效力。如果中英文版本存在任何冲突不一致,以中文版为准。 - - 条款结束 - - 如何将木兰宽松许可证,第2版,应用到您的软件 - - 如果您希望将木兰宽松许可证,第2版,应用到您的新软件,为了方便接收者查阅,建议您完成如下三步: - - 1, 请您补充如下声明中的空白,包括软件名、软件的首次发表年份以及您作为版权人的名字; - - 2, 请您在软件包的一级目录下创建以“LICENSE”为名的文件,将整个许可证文本放入该文件中; - - 3, 请将如下声明文本放入每个源文件的头部注释中。 - - Copyright (c) [Year] [name of copyright holder] - [Software Name] is licensed under Mulan PSL v2. - You can use this software according to the terms and conditions of the Mulan PSL v2. - You may obtain a copy of Mulan PSL v2 at: - http://license.coscl.org.cn/MulanPSL2 - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. - See the Mulan PSL v2 for more details. 
- - - Mulan Permissive Software License,Version 2 - - Mulan Permissive Software License,Version 2 (Mulan PSL v2) - January 2020 http://license.coscl.org.cn/MulanPSL2 - - Your reproduction, use, modification and distribution of the Software shall be subject to Mulan PSL v2 (this License) with the following terms and conditions: - - 0. Definition - - Software means the program and related documents which are licensed under this License and comprise all Contribution(s). - - Contribution means the copyrightable work licensed by a particular Contributor under this License. - - Contributor means the Individual or Legal Entity who licenses its copyrightable work under this License. - - Legal Entity means the entity making a Contribution and all its Affiliates. - - Affiliates means entities that control, are controlled by, or are under common control with the acting entity under this License, ‘control’ means direct or indirect ownership of at least fifty percent (50%) of the voting power, capital or other securities of controlled or commonly controlled entity. - - 1. Grant of Copyright License - - Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable copyright license to reproduce, use, modify, or distribute its Contribution, with modification or not. - - 2. Grant of Patent License - - Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable (except for revocation under this Section) patent license to make, have made, use, offer for sale, sell, import or otherwise transfer its Contribution, where such patent license is only limited to the patent claims owned or controlled by such Contributor now or in future which will be necessarily infringed by its Contribution alone, or by combination of the Contribution with the Software to which the Contribution was contributed. 
The patent license shall not apply to any modification of the Contribution, and any other combination which includes the Contribution. If you or your Affiliates directly or indirectly institute patent litigation (including a cross claim or counterclaim in a litigation) or other patent enforcement activities against any individual or entity by alleging that the Software or any Contribution in it infringes patents, then any patent license granted to you under this License for the Software shall terminate as of the date such litigation or activity is filed or taken. - - 3. No Trademark License - - No trademark license is granted to use the trade names, trademarks, service marks, or product names of Contributor, except as required to fulfill notice requirements in Section 4. - - 4. Distribution Restriction - - You may distribute the Software in any medium with or without modification, whether in source or executable forms, provided that you provide recipients with a copy of this License and retain copyright, patent, trademark and disclaimer statements in the Software. - - 5. Disclaimer of Warranty and Limitation of Liability - - THE SOFTWARE AND CONTRIBUTION IN IT ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ANY CONTRIBUTOR OR COPYRIGHT HOLDER BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO ANY DIRECT, OR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OR INABILITY TO USE THE SOFTWARE OR THE CONTRIBUTION IN IT, NO MATTER HOW IT’S CAUSED OR BASED ON WHICH LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - - 6. Language - - THIS LICENSE IS WRITTEN IN BOTH CHINESE AND ENGLISH, AND THE CHINESE VERSION AND ENGLISH VERSION SHALL HAVE THE SAME LEGAL EFFECT. IN THE CASE OF DIVERGENCE BETWEEN THE CHINESE AND ENGLISH VERSIONS, THE CHINESE VERSION SHALL PREVAIL. 
- - END OF THE TERMS AND CONDITIONS - - How to Apply the Mulan Permissive Software License,Version 2 (Mulan PSL v2) to Your Software - - To apply the Mulan PSL v2 to your work, for easy identification by recipients, you are suggested to complete following three steps: - - i Fill in the blanks in following statement, including insert your software name, the year of the first publication of your software, and your name identified as the copyright owner; - - ii Create a file named “LICENSE” which contains the whole context of this License in the first directory of your software package; - - iii Attach the statement to the appropriate annotated syntax at the beginning of each source file. - - - Copyright (c) [Year] [name of copyright holder] - [Software Name] is licensed under Mulan PSL v2. - You can use this software according to the terms and conditions of the Mulan PSL v2. - You may obtain a copy of Mulan PSL v2 at: - http://license.coscl.org.cn/MulanPSL2 - THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. - See the Mulan PSL v2 for more details. diff --git a/openEuler-security.service b/openEuler-security.service deleted file mode 100644 index ab60920..0000000 --- a/openEuler-security.service +++ /dev/null 
@@ -1,30 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Security Tool Activation Service -# -####################################################################################### - -[Unit] -Description=OpenEuler Security Tool -After=network.target sshd.service auditd.service crond.service tuned.service NetworkManager.service -Wants=sshd.service auditd.service rsyslog.service tuned.service NetworkManager.service -ConditionFileIsExecutable=/usr/sbin/security-tool.sh - -[Service] -Type=oneshot -RemainAfterExit=yes -EnvironmentFile=/etc/openEuler_security/security -ExecStart=/usr/sbin/security-tool.sh -d / -c /etc/openEuler_security/security.conf -u /etc/openEuler_security/usr-security.conf -l /var/log/openEuler-security.log -s -TimeoutSec=0 - -[Install] -WantedBy=multi-user.target diff --git a/security b/security deleted file mode 100644 index a3d87ac..0000000 --- a/security +++ /dev/null 
@@ -1,17 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Configuration file for the openEuler-security service. -# -####################################################################################### - -OPENEULER_SECURITY=0 - diff --git a/security-tool-2.0/csh.precmd b/security-tool-2.0/csh.precmd deleted file mode 100644 index ee59457..0000000 --- a/security-tool-2.0/csh.precmd +++ /dev/null 
@@ -1,24 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Append the history list to the history file. -# -####################################################################################### - -set el_precmd_msg = `history 1|cut -f3-|sed -e "s|{||g" | sed -e "s|}||g"` -set el_precmd_user = `whoami` -set el_precmd_loginuser = `who -m | awk '{print $2" "$NF}'` -set el_precmd_num = `history 1| awk -F" " '{print $1}'` - -if ((${el_precmd_num} != ${LastComandNum_for_history}) && (${LastComandNum_for_history} != "" || ${el_precmd_num} == 1)) then - logger -t "[/bin/csh]" "[${el_precmd_msg}]" "by [${el_precmd_user}] from [${el_precmd_loginuser}]" > /dev/null -endif -set LastComandNum_for_history = ${el_precmd_num} diff --git a/security-tool-2.0/password-auth-crond b/security-tool-2.0/password-auth-crond deleted file mode 100644 index 11ddabf..0000000 --- a/security-tool-2.0/password-auth-crond +++ /dev/null 
@@ -1,45 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Configuration File for PAMified Services -# -####################################################################################### - -#%PAM-1.0 -# User changes will be destroyed the next time authconfig is run. -auth required pam_env.so -auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60 --auth sufficient pam_fprintd.so -auth sufficient pam_unix.so nullok try_first_pass --auth sufficient pam_sss.so use_first_pass -auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60 -auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60 -auth requisite pam_succeed_if.so uid >= 1000 quiet_success -auth required pam_deny.so - -account required pam_unix.so -#account required pam_faillock.so -account sufficient pam_localuser.so -account sufficient pam_succeed_if.so uid < 1000 quiet --account [default=bad success=ok user_unknown=ignore] pam_sss.so -account required pam_permit.so - -password requisite pam_pwquality.so try_first_pass local_users_only -password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok --password sufficient pam_sss.so use_authtok -password required pam_deny.so - -session optional pam_keyinit.so revoke -session required pam_limits.so --session optional pam_systemd.so -session [success=1 
default=ignore] pam_succeed_if.so service in crond quiet use_uid -session required pam_unix.so --session optional pam_sss.so diff --git a/security-tool-2.0/su-local b/security-tool-2.0/su-local deleted file mode 100644 index 9913ebd..0000000 --- a/security-tool-2.0/su-local +++ /dev/null @@ -1,29 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Configuration File for PAMified Services -# -####################################################################################### - -#%PAM-1.0 -auth sufficient pam_rootok.so -# Uncomment the following line to implicitly trust users in the "wheel" group. -#auth sufficient pam_wheel.so trust use_uid -# Uncomment the following line to require a user to be in the "wheel" group. -auth required pam_wheel.so use_uid -auth substack system-auth -auth include postlogin -account sufficient pam_succeed_if.so uid = 0 use_uid quiet -account include system-auth -password include system-auth -session include system-auth -session include postlogin -session optional pam_xauth.so diff --git a/security-tool.sh b/security-tool.sh deleted file mode 100644 index c6bc4e7..0000000 --- a/security-tool.sh +++ /dev/null 
@@ -1,1004 +0,0 @@ -#!/bin/sh -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v1. -# You can use this software according to the terms and conditions of the Mulan PSL v1. -# You may obtain a copy of Mulan PSL v1 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v1 for more details. -# Description: openEuler Security Tool -# -####################################################################################### -# name of this script -readonly NAME=`basename $0` -# working directory -readonly WORKD=`pwd`/ -# the separator of fields of security configration file -readonly FIELD_SEP='@' - -# distinction -DST="" -# security configuration file -SCONF="" -# USER security configuration file -USR_SCONF="" -# File where to write log -LOGFILE="" -# flag -SILENT=0 -# execute configure item's id -EXECID=0 -# temporary target of decompress and compress -TMPTARGET="openEuler" - -# distinction type(rootfs, ar, cpio.gz) -DST_TYPE="rootfs" -# directory of decompressed rootfs -ROOTFS="" -# distinction name when it's not rootfs -AR_F="" -GZ_F="" - -############################################################################## - -#============================================================================= -# Function Name: pushd/popd -# Description : the same to standard pushd/popd except that no info printed -# Returns : 0 on success, otherwise on fail -#============================================================================= -function pushd() -{ - builtin pushd "$@" > /dev/null - return $? -} -function popd() -{ - builtin popd "$@" > /dev/null - return $? 
-} - -#============================================================================= -# Function Name: fn_test_params_num -# Description : test if the num of params is the right num(do not support flexible parameters), quit otherwise -# Parameter : params_num -# Returns : none -#============================================================================= -function _fn_test_params_num() -{ - if [ $# -lt 3 ] || [ $2 -ne $3 ]; then - echo "Line $1: num of params $2 not equals to $3" - exit 1 - fi -} -alias fn_test_params_num='_fn_test_params_num $LINENO $#' - -#============================================================================= -# Function Name: fn_test_type -# Description : test if the specific file type by a keyword -# Parameter : file, keyword(directory, cpio archive, gzip compressed, ar archive, ...) -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_test_type() -{ - fn_test_params_num 2 - - file "$1"| awk -F: '{print $2}' |grep "$2" >/dev/null - return $? 
-} - -#============================================================================= -# Function Name: fn_get_fullpath -# Description : get absolute path name of file -# Parameter : file -# Returns : fullpath -#============================================================================= -function fn_get_fullpath() -{ - fn_test_params_num 1 - - local p=$1 - local out - - if [ "${p:0:1}" = "/" ]; then - echo $p - return - fi - - pushd `dirname $p` - out=`pwd` - popd - echo $out"/"`basename $p` -} - -#============================================================================= -# Function Name: fn_escape_string -# Description : set special character(/) in the string to be escaped -# Parameter : string -# Returns : escaped string -#============================================================================= -function fn_escape_string() -{ - fn_test_params_num 1 - - echo "$1"| sed 's/\//\\\//g'| sed 's/\./\\\./g'| sed 's/\[/\\[/g'| sed 's/\]/\\]/g' | sed 's/\$/\\\$/g' | sed 's/\*/\\\*/g' -} - -#============================================================================= -# Function Name: fn_log -# Description : write a message to log file or console -# Parameter : lineno level(error, warn, info) message -# Returns : none -#============================================================================= -function fn_log() -{ - fn_test_params_num 3 - - local lno=$1 - local level=$2 - shift 2 - - if [ $SILENT -eq 0 ] || [ "$level" = "error" ]; then - output=$@ - opt=`echo $output | grep -e "success$"` - if [ $? -eq 0 ];then - output=`echo $opt | sed -r 's/success$/\\\033\\[32;1msuccess\\\033\\[0m/g'` - fi - opt=`echo $output | grep -e "fail$"` - if [ $? 
-eq 0 ];then - output=`echo $opt | sed -r 's/fail$/\\\033\\[31;1mfail\\\033\\[0m/g'` - fi - echo -e "[$NAME:$lno] [$level] $output" - fi - - echo "`date +%Y-%m-%d\ %H:%M:%S` [$NAME:$lno] [$level] $@" >> $LOGFILE -} -alias fn_error='fn_log $LINENO error' -alias fn_warn='fn_log $LINENO warn' -alias fn_info='fn_log $LINENO info' - -#============================================================================= -# Function Name: fn_exit -# Description : to be excuted when exit with return value(0 ok, 1 params error, 2 hardening error) -# Parameter : status(0 ok, otherwise error), [message] -# Returns : none -#============================================================================= -function fn_exit() -{ - fn_test_params_num 1 - local s=$1 - # cleanup when destination is cpio.gz - if [ "$DST_TYPE" = "tar.gz" ]; then - if [ $s -eq 0 ]; then - local new_initrd=$WORKD`basename $GZ_F`".secure" - pushd $ROOTFS - tar -cf -- "$ROOTFS/$TMPTARGET" * - gzip <"$ROOTFS/$TMPTARGET" > $new_initrd - fn_info "hardened initrd is $new_initrd" - popd - fi - - # cleanup rootfs - rm -rf $ROOTFS - fi - - # cleanup when destination is cpio.gz - if [ "$DST_TYPE" = "cpio.gz" ]; then - if [ $s -eq 0 ]; then - local new_initrd=$WORKD`basename $GZ_F`".secure" - pushd $ROOTFS - find . |cpio --quiet -co |gzip > $new_initrd - fn_info "hardened initrd is $new_initrd" - popd - fi - - # cleanup rootfs - rm -rf $ROOTFS - fi - - # cleanup when destination is ar target - if [ "$DST_TYPE" = "ar" ]; then - if [ $s -eq 0 ]; then - local new_ar=$WORKD`basename $AR_F`".secure" - cp $AR_F $new_ar - - pushd $ROOTFS - find . |cpio --quiet -co|gzip > $GZ_F - popd - ar -r $new_ar $GZ_F - if [ $? 
-eq 0 ]; then - fn_info "initrd.cpio.gz updated" - else - fn_error "fail to replace initrd.cpio.gz in $AR_F by $GZ_F" - fn_exit 1 - fi - - # update checksum in new ar target - rm -f checksum - ar -x $new_ar checksum - if [ -f checksum ]; then - local sum=`cksum $GZ_F | awk '{print $1}'` - sed -i "s/^initrd\.cpio\.gz.*/initrd\.cpio\.gz $sum/" checksum - ar -r $new_ar checksum - rm checksum - fn_info "checksum updated" - fi - - fn_info "finish updating, new target is $new_ar" - fi - - # cleanup initrd and rootfs - fn_info "cleanup GZ [$GZ_F] and ROOTFS [$ROOTFS]" - rm -f $GZ_F - rm -rf $ROOTFS - fi - - # log - fn_info "========exit, status is [$s]========" - exit $s -} - -#============================================================================= -# Function Name: fn_usage -# Description : print help messages to console -# Parameter : none -# Returns : none -#============================================================================= -function fn_usage() -{ - cat < "$ROOTFS/$TMPTARGET" - if [ $? -ne 0 ]; then - fn_error "fail to extract [$GZ_F] to $ROOTFS/$TMPTARGET" - fn_exit 2 - fi - - fn_test_type "$ROOTFS/$TMPTARGET" "cpio archive" - if [ $? -eq 0 ]; then - cpio --quiet -id <"$ROOTFS/$TMPTARGET" >/dev/null - if [ $? -ne 0 ]; then - fn_error "fail to extract [$GZ_F] to $ROOTFS" - fn_exit 2 - fi - if [ "$DST_TYPE" != "ar" ];then - DST_TYPE="cpio.gz" - fi - else - tar -xvf "$ROOTFS/$TMPTARGET" >/dev/null - if [ $? 
-ne 0 ]; then - fn_error "fail to extract [$GZ_F] to $ROOTFS" - fn_exit 2 - fi - DST_TYPE="tar.gz" - fi - rm -f "$ROOTFS/$TMPTARGET" - popd - - fn_info "pre_hardening done" -} - -#============================================================================= -# Function Name: fn_check_rootfs -# Description : examine if rootfs is a standard hiberarchy -# Parameter : none -# Returns : none -#============================================================================= -function fn_check_rootfs() -{ - for i in bin usr/bin sbin usr/sbin etc boot lib home root opt var tmp proc sys mnt - do - if [ ! -d "$ROOTFS/$i" ]; then - if [ $i == "boot" ];then - continue - fi - fn_error "[$ROOTFS] is not a standard openEuler rootfs" - fn_exit 2 - fi - done - if [ ! -d "$ROOTFS"/boot ]; then - fn_info "[$ROOTFS] is a openEuler iSula rootfs" - fi -} - -#============================================================================= -# Function Name: fn_handle_key -# Description : deal with configurations referred to key and value -# Parameter : operator, file, key, f4, f5 -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_handle_key() -{ - fn_test_params_num 5 - - local op file - op=$1 - file=$2 - - file=$ROOTFS$file - if [ ! -w "$file" ]; then - fn_warn "file [$file] not existed or writable" - return 1 - fi - - # key and value with string escaped - local key f4 f5 - key=`fn_escape_string "$3"` - f4=`fn_escape_string "$4"` - f5=`fn_escape_string "$5"` - - # to ingore the differences of key caused by blank characters - echo "$key" | egrep "^-e.*" - if [[ $? == 0 ]] - then - local grepkey="[[:blank:]]*"`echo "$key" | sed -r 's/[[:blank:]]+/[[:blank:]]\+/g'` - else - local grepkey="[[:blank:]]*"`echo $key | sed -r 's/[[:blank:]]+/[[:blank:]]\+/g'` - fi - - case "$op" in - # d@file@key - d) - grep -E "$grepkey" $file >/dev/null - if [ $? 
-eq 0 ]; then - # comment a line - sed -ri "s/^[^#]*$grepkey/#&/" $file - return $? - else - return 0 - fi - ;; - # m@file@key[@value] - m) - grep -E "^$grepkey" $file >/dev/null - if [ $? -eq 0 ]; then - sed -ri "s/^$grepkey.*/$key$f4/g" $file - else - # add a blank line to file because sed cannot deal with empty file by 'a' - if [ ! -s $file ]; then - echo >> $file - fi - - sed -i "\$a $key$f4" $file - fi - - return $? - ;; - # sm@file@key[@value] similar to m: strict modify on the origin position - sm) - grep -E "^$grepkey" $file >/dev/null - if [ $? -eq 0 ]; then - sed -ri "s/$key.*/$key$f4/g" $file - else - # add a blank line to file because sed cannot deal with empty file by 'a' - if [ ! -s $file ]; then - echo >> $file - fi - sed -i "\$a $key$f4" $file - fi - - return $? - ;; - # M@file@key@key2[@value2] - M) - grep -E "^$grepkey" $file >/dev/null - if [ $? -eq 0 ]; then - grep "^$grepkey.*$f4" $file >/dev/null - if [ $? -eq 0 ]; then - sed -ri "/^$grepkey/ s/$f4[^[:space:]]*/$f4$f5/g" $file - else - sed -ri "s/^$grepkey.*/&$f4$f5/g" $file - fi - - return $? - else - fn_warn "key [$key] not found in [$file]" - return 1 - fi - ;; - *) - fn_error "bad operator [$op]" - return 1 - ;; - esac -} - -#============================================================================= -# Function Name: fn_handle_command -# Description : deal with configurations referred to operations to files -# Parameter : command[option], files -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_handle_command() -{ - fn_test_params_num 2 - - local op=$1 - local files=$2 - local status=0 - - # add ROOTFS path for every file - for file in `echo "$files" | awk -v rf="$ROOTFS" '{ - for(i=1; i<=NF; i++) { - printf "%s%s\n",rf,$i - } - }'`; do - ${op} ${file} >/dev/null 2>&1 - if [ $? 
-ne 0 ]; then - status=1 - fi - done - unset f - - return $status -} - -#============================================================================= -# Function Name: fn_handle_cp -# Description : deal with configurations referred to operations to files -# Parameter : src_file dst_file -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_handle_cp() -{ - fn_test_params_num 2 - - src_file=$1 - dst_file=$2 - - cp -p $src_file $ROOTFS/$dst_file - if [ $? -ne 0 ]; then - return 1 - else - return 0 - fi -} - -#============================================================================= -# Function Name: fn_handle_systemctl -# Description : start or stop services -# Parameter : service_name service_status -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_handle_systemctl() -{ - fn_test_params_num 2 - - syetem_service_name=$1 - syetem_service_status=$2 - - systemctl ${syetem_service_status} ${syetem_service_name} - - return $? 
-} - -#============================================================================= -# Function Name: fn_handle_umask -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_handle_umask() -{ - fn_test_params_num 2 - - local target=$1 - local value=$2 - local ret=0 - - if [ "$target" == "user" ] - then - echo "umask $value" >> "$ROOTFS/etc/bashrc" - echo "umask $value" >> "$ROOTFS/etc/csh.cshrc" - for file in $(find "$ROOTFS/etc/profile.d/" -type f) - do - echo '' >> $file # 防止配置文件末尾没有换行符的情况 - echo "umask $value" >> $file - done - elif [ "$target" == "deamon" ] - then - echo "umask $value" >> "$ROOTFS/etc/sysconfig/init" - else - ret=1 - fi - - return $ret -} - -#============================================================================= -# Function Name: fn_handle_ln -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_handle_ln() -{ - fn_test_params_num 3 - - local arg=$1 - local target=$2 - local link_file=$3 - chroot $ROOTFS ln "$arg" "$target" "$link_file" - return $? 
-} - - -#============================================================================= -# Function Name: fn_harden_rootfs -# Description : harden the rootfs, according to configuration file -# Parameter : none -# Returns : none -#============================================================================= -function fn_harden_rootfs() -{ - fn_check_rootfs - - fn_info "---begin hardening rootfs by [$SCONF]---" - local status - local f1 f2 f3 f4 f5 f6 - - # do configuration traversal, with comments and lines starting with blankspace ignored - grep -v '^#' $SCONF| grep -v '^$'| grep -Ev '^[[:space:]]+'| while read line - do - f1=`echo "$line" | awk -F$FIELD_SEP '{print $1}'` - if [ $EXECID -ne 0 ] && [ "$EXECID" -ne "$f1" ];then - continue - fi - - if [[ $line =~ "@@" ]] - then - PRE_IFS=$IFS - IFS='@' - arr=($line) - IFS=$PRE_IFS - pos=1 - for ((i=2;i<${#arr[*]};i++)) - do - if [[ x${arr[$i]} = x ]] - then - tem="${arr[$((i-1))]}@${arr[$((i+1))]}" - i=$((i+1)) - arr[$pos]=$tem - arr[$i]=$tem - else - pos=$((pos+1)) - arr[$pos]=${arr[$i]} - fi - done - - pos=$((pos+1)) - for ((j=$pos;j<${#arr[*]};j++)) - do - arr[$j]= - done - - f2=${arr[1]} - f3=${arr[2]} - f4=${arr[3]} - f5=${arr[4]} - f6=${arr[5]} - else - f2=`echo "$line" | awk -F$FIELD_SEP '{print $2}'` - f3=`echo "$line" | awk -F$FIELD_SEP '{print $3}'` - f4=`echo "$line" | awk -F$FIELD_SEP '{print $4}'` - f5=`echo "$line" | awk -F$FIELD_SEP '{print $5}'` - f6=`echo "$line" | awk -F$FIELD_SEP '{print $6}'` - fi - - case "$f2" in - d|m|sm|M) - fn_handle_key "$f2" "$f3" "$f4" "$f5" "$f6" - status=$? - ;; - cp) - fn_handle_cp "$f3" "$f4" - status=$? - ;; - systemctl) - fn_handle_systemctl "$f3" "$f4" - status=$? - ;; - umask) - fn_handle_umask "$f3" "$f4" - status=$? - ;; - ln) - fn_handle_ln "$f3" "$f4" "$f5" - status=$? - ;; - *) - fn_handle_command "$f2" "$f3" - status=$? 
- ;; - esac - - if [ $status -eq 0 ]; then - fn_info "-harden [$line]: success" - else - fn_warn "-harden [$line]: fail" - fi - done - unset line - fn_info "---end hardening rootfs---" - - fn_check_rootfs -} - -#============================================================================= -# Function Name: fn_harden_usr_conf -# Description : harden the user conf, according to configuration file usr_security.conf -# Parameter : none -# Returns : none -#============================================================================= -function fn_harden_usr_conf() -{ - fn_check_rootfs - - fn_info "---begin hardening SUER CONF by [$USR_SCONF]---" - local status - local f1 f2 f3 f4 f5 f6 - - # do configuration traversal, with comments and lines starting with blankspace ignored - grep -v '^#' $USR_SCONF| grep -v '^$'| grep -Ev '^[[:space:]]+'| while read line - do - f1=`echo "$line" | awk -F$FIELD_SEP '{print $1}'` - if [ $EXECID -ne 0 ] && [ "$EXECID" -ne "$f1" ];then - continue - fi - - if [[ $line =~ "@@" ]] - then - #eval $(echo $line | awk '{split($0, filearray, "@");for(i in filearray)print "arr["i"]="filearray[i]}') -PRE_IFS=$IFS -IFS='@' - arr=($line) -IFS=$PRE_IFS - pos=1 - for ((i=2;i<${#arr[*]};i++)) - do - if [[ x${arr[$i]} = x ]] - then - tem="${arr[$((i-1))]}@${arr[$((i+1))]}" - i=$((i+1)) - arr[$pos]=$tem - arr[$i]=$tem - else - pos=$((pos+1)) - arr[$pos]=${arr[$i]} - fi - done - - pos=$((pos+1)) - for ((j=$pos;j<${#arr[*]};j++)) - do - arr[$j]= - done - - f2=${arr[1]} - f3=${arr[2]} - f4=${arr[3]} - f5=${arr[4]} - f6=${arr[5]} - else - f2=`echo "$line" | awk -F$FIELD_SEP '{print $2}'` - f3=`echo "$line" | awk -F$FIELD_SEP '{print $3}'` - f4=`echo "$line" | awk -F$FIELD_SEP '{print $4}'` - f5=`echo "$line" | awk -F$FIELD_SEP '{print $5}'` - f6=`echo "$line" | awk -F$FIELD_SEP '{print $6}'` - fi - - case "$f2" in - d|m|sm|M) - fn_handle_key "$f2" "$f3" "$f4" "$f5" "$f6" - status=$? - ;; - cp) - fn_handle_cp "$f3" "$f4" - status=$? 
- ;; - systemctl) - fn_handle_systemctl "$f3" "$f4" - status=$? - ;; - umask) - fn_handle_umask "$f3" "$f4" - status=$? - ;; - ln) - fn_handle_ln "$f3" "$f4" "$f5" - status=$? - ;; - *) - fn_handle_command "$f2" "$f3" - status=$? - ;; - esac - - if [ $status -eq 0 ]; then - fn_info "-harden [$line]: success" - else - fn_warn "-harden [$line]: fail" - fi - done - unset line - fn_info "---end hardening USER CONF---" - - fn_check_rootfs -} - -#============================================================================= -# Function Name: fn_harden_nouser_nogroup -# Description : Remove nouser and nogroup files -# Parameter : none -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_harden_nouser_nogroup() -{ - local option="" - local command="chown -R root.root" - local dir="" - local file="" - local dirs=`mount | awk '{ if($5!="proc" && $1!="/proc")print $3}'` - - for option in -nouser -nogroup; do - for dir in ${dirs}; do - for file in `find $dir -xdev $option`; do - fn_handle_command "$command" "$file" - done - done - done -} - -#============================================================================= -# Function Name: fn_harden_grub2 -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_harden_grub2() -{ - echo -e "cat <> /etc/grub.d/00_header - if [ -d /boot/efi/EFI/openEuler -a -d /sys/firmware/efi ]; then - grub2-mkconfig -o /boot/efi/EFI/openEuler/grub.cfg - fi -} -# Function Name: fn_harden_sysctl -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_harden_sysctl() -{ - /sbin/sysctl -p /etc/sysctl.conf -} - -#============================================================================ -# Function Name: fn_baseStripInvalidLink -# Description : removing invalidlink 
-#============================================================================ -function fn_baseStripInvalidLink() -{ - echo ' -#!/bin/bash - -for path in /etc /lib /lib64 /usr /var -do - find $path -type l -follow -exec ls {} \; | while read link_file - do - if [ ! -z "$(ls -l $link_file | grep -v '/boot/')" ];then - stat -L $link_file 1>/dev/null 2>&1 - [ "$?" != 0 ] && rm -f $link_file && echo "Removing invalidlink:$link_file" - fi - done -done ' > $ROOTFS/baseStripInvalidLink.sh - echo $ROOTFS - chroot $ROOTFS chmod u+x baseStripInvalidLink.sh - chroot $ROOTFS sh baseStripInvalidLink.sh - chroot $ROOTFS rm -rf baseStripInvalidLink.sh -} - -#============================================================================= -# Function Name: fn_main -# Description : main function -# Parameter : command line params -# Returns : 0 on success, otherwise on fail -#============================================================================= -function fn_main() -{ - # operator must be root - if [ `id -u` -ne 0 ]; then - echo "You must be logged in as root." - exit 1 - fi - - # parse user params - fn_parse_params "$@" - - # pre-process - fn_pre_hardening - - if [ "x${OPENEULER_SECURITY}" = "x0" ] - then - # harden rootfs - fn_harden_rootfs - - # harden grub2 - fn_harden_grub2 - - fn_harden_sysctl - - sed -i "s/^OPENEULER_SECURITY=.*$/OPENEULER_SECURITY=1/g" /etc/openEuler_security/security - elif [ "x${OPENEULER_SECURITY}" = "x1" ] - then - fn_harden_sysctl - else - echo "the value of OPENEULER_SECURITY is unexpected! please check it." - fi - - # harden user conf - fn_harden_usr_conf - - # disable the service in system start - systemctl disable openEuler-security.service - - # do cleanup and exit - fn_exit 0 -} - -# check cancel action and do cleanup -trap "echo 'canceled by user...'; fn_exit 1" INT TERM -# main entrance - -fn_main "$@" - -exit 0 - diff --git a/security-tool.spec b/security-tool.spec index ca31514..cba2394 100644 --- a/security-tool.spec 
+++ b/security-tool.spec @@ -1,14 +1,10 @@ Summary: openEuler Security Tool Name : security-tool Version: 2.0 -Release: 1.48 -Source0: %{name}-%{version}.tar.bz2 -Source1: security -Source2: security.conf -Source3: security-tool.sh -Source4: openEuler-security.service -Source5: usr-security.conf +Release: 1.49 +Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz License: Mulan PSL v2 +URL: https://gitee.com/openeuler/security-tool BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: bash setup pam util-linux binutils sudo crontabs cronie Requires: shadow initscripts ca-certificates openssh rsyslog dbus-daemon @@ -23,7 +19,7 @@ openEuler Security Tool %global debug_package %{nil} %prep -%setup -q +%autosetup -n security-tool -p1 %build 
@@ -32,18 +28,18 @@ openEuler Security Tool %install rm -rf $RPM_BUILD_ROOT install -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security -install -m0600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security -install -m0400 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security.conf -install -m0600 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/usr-security.conf +install -m0600 security $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security +install -m0400 security.conf $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security.conf +install -m0600 usr-security.conf $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/usr-security.conf install -d -m0755 $RPM_BUILD_ROOT/%{_unitdir} -install -m0644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/openEuler-security.service +install -m0644 openEuler-security.service $RPM_BUILD_ROOT/%{_unitdir}/openEuler-security.service install -d -m0755 $RPM_BUILD_ROOT/%{_sbindir} -install -m0500 %{SOURCE3} $RPM_BUILD_ROOT/%{_sbindir}/security-tool.sh -install -m0644 csh.precmd $RPM_BUILD_ROOT%{_sysconfdir}/csh.precmd +install -m0500 security-tool.sh $RPM_BUILD_ROOT/%{_sbindir}/security-tool.sh +install -m0644 security-tool-%{version}/csh.precmd $RPM_BUILD_ROOT%{_sysconfdir}/csh.precmd install -d -m0755 $RPM_BUILD_ROOT/%{_sysconfdir}/profile.d install -d -m0755 $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d -install -m0644 password-auth-crond $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/password-auth-crond -install -m0644 su-local $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/su-local +install -m0644 security-tool-%{version}/password-auth-crond $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/password-auth-crond +install -m0644 security-tool-%{version}/su-local $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/su-local %clean rm -rf $RPM_BUILD_ROOT 
@@ -120,6 +116,9 @@ fi %attr(0500,root,root) %{_sbindir}/security-tool.sh %changelog +* Thu Sep 17 2020 gaoyusong - 2.0-1.49 +- Upgrade to v2.0 + * Fri Jul 3 2020 openEuler Buildteam - 2.0-1.48 - rm zzz_openEuler_history.sh diff --git a/security.conf b/security.conf deleted file mode 100644 index e5d39e2..0000000 --- a/security.conf +++ /dev/null 
@@ -1,218 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v2. -# You can use this software according to the terms and conditions of the Mulan PSL v2. -# You may obtain a copy of Mulan PSL v2 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v2 for more details. -# Description: Configuration file for the security-tool. -# -####################################################################################### - -######################################################################## -# -# HowTo: -# # delete key, and difference caused by blankspace/tab on key is ignored -# id@d@file@key -# -# # modify option: find line started with key, and get the value changed -# id@m@file@key[@value] -# -# # modify sub-option: find line started with key, and then change the value of key2 to value2(prepostive seperator should not be blank characters) in the line -# id@M@file@key@key2[@value2] -# -# # check existence of commands -# id@which@command1 [command2 ...] -# -# # execute command on the files found -# id@find@dir@condition@command -# -# # any command(with or without parameter), such as 'rm -f','chmod 700','which','touch', used to extend functions, return 0 is ok -# id@command@file1 [file2 ...] -# -# Notes: -# 1. The comment line should start with '#' -# 2. "value" related with "key" should contain prepositive separator("="," " and so on), if there is any. -# 3. When item starts with "d", "m" or "M", "file" should be a single normal file, otherwise multi-objects(separated by blankspace) are allowed. 
-# -######################################################################## - -######################################################################## -# SSH server settting -######################################################################## -# Set sshd Protocol version -101@m@/etc/ssh/sshd_config@Protocol @2 - -102@m@/etc/ssh/sshd_config@SyslogFacility @AUTH -102@m@/etc/ssh/sshd_config@LogLevel @VERBOSE - -103@m@/etc/ssh/sshd_config@X11Forwarding @no - -105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes -105@m@/etc/ssh/sshd_config@RSAAuthentication @yes -# Don't read the user's ~/.rhosts and ~/.shosts files -105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes -105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no - -# To disable host authentication -106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no - -108@m@/etc/ssh/sshd_config@PermitEmptyPasswords @no - -109@m@/etc/ssh/sshd_config@PermitUserEnvironment @no - -# Set sshd password algorithm -110@m@/etc/ssh/sshd_config@Ciphers @aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@@openssh.com,aes256-gcm@@openssh.com,chacha20-poly1305@@openssh.com - -111@m@/etc/ssh/sshd_config@ClientAliveCountMax @0 - -# Make sshd print warning banner -112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net - -# Set sshd message authentication code algorithm -113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com,hmac-sha1,hmac-sha1-etm@@openssh.com - -# Make sshd check file modes and ownership of the user's files and home directory before accepting login -114@m@/etc/ssh/sshd_config@StrictModes @yes - -# Set this to 'yes' to enable PAM authentication, account processing, and session processing. -115@m@/etc/ssh/sshd_config@UsePAM @yes - -# Set this to 'no', do not allowed TCP forwarding. -116@m@/etc/ssh/sshd_config@AllowTcpForwarding @no - -# Log on sftp. 
-117@m@/etc/ssh/sshd_config@Subsystem sftp @/usr/libexec/openssh/sftp-server -l INFO -f AUTH - -118@m@/etc/ssh/sshd_config@AllowAgentForwarding @no - -119@m@/etc/ssh/sshd_config@GatewayPorts @no - -120@m@/etc/ssh/sshd_config@PermitTunnel @no - -#CVE-2015-4000 -121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256 - -130@systemctl@sshd.service@restart - -######################################################################## -# System access and authorization -######################################################################## - -# close the kernel request debugging functionality -204@m@/etc/sysctl.conf@kernel.sysrq@=0 - -206@rm -f @/etc/motd -206@touch @/etc/motd -206@chown root:root @/etc/motd -206@chmod 644 @/etc/motd -206@m@/etc/motd@Authorized users only. All activities may be monitored and reported. -206@rm -f @/etc/issue -206@touch @/etc/issue -206@chown root:root @/etc/issue -206@chmod 644 @/etc/issue -206@m@/etc/issue@Authorized users only. All activities may be monitored and reported. -206@rm -f @/etc/issue.net -206@touch @/etc/issue.net -206@chown root:root @/etc/issue.net -206@chmod 644 @/etc/issue.net -206@m@/etc/issue.net@Authorized users only. All activities may be monitored and reported. 
- -208@chown root:root @/etc/crontab -208@chmod og-rwx @/etc/crontab - -209@chown root:root @/etc/cron.d -209@chmod og-rwx @/etc/cron.d - -210@chown root:root @/etc/cron.hourly -210@chmod og-rwx @/etc/cron.hourly - -211@chown root:root @/etc/cron.daily -211@chmod og-rwx @/etc/cron.daily - -212@chown root:root @/etc/cron.weekly -212@chmod og-rwx @/etc/cron.weekly - -213@chown root:root @/etc/cron.monthly -213@chmod og-rwx @/etc/cron.monthly - -214@rm -f @/etc/at.deny -214@touch @/etc/at.allow -214@chown root:root @/etc/at.allow -214@chmod og-rwx @/etc/at.allow - -215@rm -f @/etc/cron.deny -215@touch @/etc/cron.allow -215@chown root:root @/etc/cron.allow -215@chmod og-rwx @/etc/cron.allow - -#rpm initscripts drop /etc/sysconfig/init defaultly -216@touch @/etc/sysconfig/init -217@m@/etc/sysconfig/init@PROMPT=@no - -######################################################################## -# Kernel parameters -######################################################################## -# Disable IP forwarding -301@m@/etc/sysctl.conf@net.ipv4.ip_forward=@0 - -# Disable sending ICMP redirects -302@m@/etc/sysctl.conf@net.ipv4.conf.all.send_redirects=@0 -302@m@/etc/sysctl.conf@net.ipv4.conf.default.send_redirects=@0 - -# Disable IP source routing -303@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_source_route=@0 -303@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_source_route=@0 - -# Disable ICMP redirects acceptance -304@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_redirects=@0 -304@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_redirects=@0 - -# Disable ICMP redirect messages only for gateways -305@m@/etc/sysctl.conf@net.ipv4.conf.all.secure_redirects=@0 -305@m@/etc/sysctl.conf@net.ipv4.conf.default.secure_redirects=@0 - -# Disable response to broadcasts. 
-306@m@/etc/sysctl.conf@net.ipv4.icmp_echo_ignore_broadcasts=@1 - -# Enable ignoring bogus error responses -307@m@/etc/sysctl.conf@net.ipv4.icmp_ignore_bogus_error_responses=@1 - -# Enable route verification on all interfaces -308@m@/etc/sysctl.conf@net.ipv4.conf.all.rp_filter=@1 -308@m@/etc/sysctl.conf@net.ipv4.conf.default.rp_filter=@1 - -# Enable TCP-SYN cookie protection -309@m@/etc/sysctl.conf@net.ipv4.tcp_syncookies=@1 - -# Enable preventing normal users from getting dmesg output -310@m@/etc/sysctl.conf@kernel.dmesg_restrict=@1 - -######################################################################## -# Only Wants NetworkManager -######################################################################## -401@m@/usr/lib/systemd/system/openEuler-security.service@Wants=@NetworkManager.service - -#del SHA1 pem -402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem - -#limit user environment variables when used su -403@m@/etc/login.defs@ALWAYS_SET_PATH=@yes - -#add umask 077 to /etc/csh.login -404@m@/etc/csh.login@umask@ 077 - -#disable ICMP redirects acceptance -407@m@/etc/sysctl.conf@net.ipv6.conf.all.accept_redirects=@0 -407@m@/etc/sysctl.conf@net.ipv6.conf.default.accept_redirects=@0 - -#set LOG_UNKFAIL_ENAB to no -622@m@/etc/login.defs@LOG_UNKFAIL_ENAB @no - -#fix the problem of -700@chown root:dbus @/usr/libexec/dbus-1/dbus-daemon-launch-helper -700@chmod 4750 @/usr/libexec/dbus-1/dbus-daemon-launch-helper diff --git a/usr-security.conf b/usr-security.conf deleted file mode 100644 index 2f5bf38..0000000 --- a/usr-security.conf +++ /dev/null 
@@ -1,14 +0,0 @@ -####################################################################################### -# -# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved. -# security-tool licensed under the Mulan PSL v1. -# You can use this software according to the terms and conditions of the Mulan PSL v1. -# You may obtain a copy of Mulan PSL v1 at: -# http://license.coscl.org.cn/MulanPSL -# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR -# PURPOSE. -# See the Mulan PSL v1 for more details. -# Description: Configuration file for the usr hardening. -# -####################################################################################### 
diff --git a/v2.0.tar.gz b/v2.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..5246bc6286e2f0710745768c5e53d3d3c32d3cbe GIT binary patch literal 16122 
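Review bot: in the removed security-tool.sh, `fn_harden_nouser_nogroup` iterates `for file in \`find $dir -xdev $option\`` and then runs `chown -R root.root` on every hit, so any path containing whitespace is split into bogus arguments and an unowned directory gets its entire subtree re-owned to root, including entries that already had a valid owner; please confirm the copy inside v2.0.tar.gz is meant to behave that way, or change it to `find $dir -xdev $option -exec chown root:root {} +` without `-R`. The same applies to `fn_baseStripInvalidLink`, whose `ls -l $link_file` and `rm -f $link_file` are unquoted. Since the script now lives only inside the archive and can no longer be diffed here, also check that the `fn_harden_grub2` body, which appears in this hunk as a truncated `echo -e "cat <> /etc/grub.d/00_header`, is intact in the tarball.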
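Review bot: in the first security-tool.spec hunk, the new `Source0: https://gitee.com/openeuler/security-tool/repository/archive/v2.0.tar.gz` is a ref-archive URL with no checksum recorded anywhere, so nothing ties the committed v2.0.tar.gz to what that URL serves, and a later rebuild from the URL cannot be shown to yield the same package; record the sha256 of the committed archive (as a comment next to Source0 or in the commit message) and prefer a release asset or signed tag over an on-demand archive. Bumping only `Release: 1.49` while `Version: 2.0` stays is correct for a repackaging-only change.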
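Review bot: `%autosetup -n security-tool -p1` in the %prep hunk hard-codes the unpacked directory name, and the %install hunk expects `security-tool-%{version}/csh.precmd` beneath it, so the build only succeeds if the archive's top-level directory is literally `security-tool` and still contains the `security-tool-2.0/` subdirectory that was tracked in this repository; state in the commit message how the archive was produced and verified, since a tag archive's directory name is not guaranteed to stay that way. `-p1` is harmless with no `Patch:` lines in the spec but misleading; drop it until a patch exists.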
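Review bot: the %install hunk swaps `%{SOURCE1}`..`%{SOURCE5}` for relative paths and preserves every mode (0600 security, 0400 security.conf, 0600 usr-security.conf, 0500 security-tool.sh, 0644 for the unit, csh.precmd and the two pam.d fragments), which is the right outcome; while these lines are being touched, the three policy files under the 0700 `openEuler_security` directory could use one consistent mode rather than 0600/0400/0600, since nothing in the removed script distinguishes them by writability.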
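Review bot: the changelog entry `- Upgrade to v2.0` in the last spec hunk is inaccurate, because `Version: 2.0` is unchanged and the change is a repackaging (Source0 switched to the upstream archive, `URL:` added, tracked files moved into v2.0.tar.gz); say that instead so the history explains why 1.49 exists. The author field `gaoyusong - 2.0-1.49` also omits the conventional `Name <email>` form used in RPM changelogs.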
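Review bot: the deleted security.conf is the hardening policy itself and now exists only inside the binary tarball, so it can no longer be reviewed in this repository; before that copy becomes the source of truth, the SSH section as visible here needs attention: `105@m@/etc/ssh/sshd_config@RSAAuthentication @yes` and `105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no` are protocol-1 options that current OpenSSH only accepts with a "Deprecated option" warning, line `113` keeps `hmac-sha1` and `hmac-sha1-etm@@openssh.com` in MACs, and line `121`, annotated `#CVE-2015-4000`, still lists `diffie-hellman-group-exchange-sha1` and `diffie-hellman-group14-sha1`, so it is worth re-checking that the SHA-1 methods are meant to stay given that annotation. The comment above `700@chown root:dbus @/usr/libexec/dbus-1/dbus-daemon-launch-helper` reads only `#fix the problem of` and should say what the 4750 setuid mode addresses.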
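Review bot: the deleted usr-security.conf header says `security-tool licensed under the Mulan PSL v1` and links the v1 text, while the spec's `License: Mulan PSL v2` line and the security.conf header in this same patch say Mulan PSL v2; if the tarball carries the same file, fix the header upstream so every shipped file agrees on the license.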
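Review bot: adding v2.0.tar.gz as a 16122-byte binary blob while deleting the tracked script, policy files and pam/unit fragments means reviewers can no longer diff any of the hardening logic, and nothing in this patch demonstrates that the archive's contents equal the files being removed; either keep the sources tracked and let the spec install them directly as before, or put the archive's sha256 and a `tar tzf v2.0.tar.gz` listing in the commit message so the equivalence can be checked.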