From shawn at redhat.com Thu Aug 20 11:36:26 2015
Content-Type: multipart/mixed; boundary="===============4609042510241330632=="
MIME-Version: 1.0
From: Shawn Wells <shawn at redhat.com>
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: [PATCH] [shared] sshd_set_idle_timeout - when doing the check be
 sure to check also the lower bound of ClientAliveInterval value.
Date: Mon, 24 Feb 2014 17:34:37 -0500
Message-ID: <530BC8FD.9040806@redhat.com>
In-Reply-To: 1854786431.15398757.1393261595885.JavaMail.zimbra@redhat.com

--===============4609042510241330632==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On 2/24/14, 12:06 PM, Jan Lieskovsky wrote:
> This improvement was originally proposed by Tomas Heinrich for USGCB cont=
ent.
> But it is applicable to SSG content too, therefore this post.
>
> Rationale:
> ----------
>
>    When checking the system for underlying value of ClientAliveInterval s=
shd config
> variable it's not sufficient to check just for upper bound (if the presen=
t value is
> less than required maximum), but it is necessary to check also for lower =
bound. Because
> from the sshd_config manual page:
>
>       ClientAliveInterval
>               Sets a timeout interval in seconds after which if no data h=
as been received from the client, sshd(8) will send a message through the
>               encrypted channel to request a response from the client.  T=
he default is 0, indicating that these messages will not be sent to the
>               client.  This option applies to protocol version 2 only.
>
> Conclusion:
> -----------
>
>    The current form worked only for instances, not having ClientAliveInte=
rval at all in the
> config. But having had that value set to zero, would still pass (which is=
 wrong, since as
> mentioned above these messages would still not be sent). Thus this patch =
adds also check
> if actual value is greater than zero.
>
>    Besides that it add some blank lines for better readability. Also remo=
ves Fedora version
> of sshd_set_idle_timeout.xml rule and links to shared one.
>
> Testing background:
> -------------------
>
>    Has been tested on RHEL-7 & Fedora-20 and seems to be working properly.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> 0001-shared-sshd_set_idle_timeout-when-doing-the-check-be.patch
>
>
>  From b8419800dd27abad20a5f631ea71944ceb43664f Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky<jlieskov(a)redhat.com>
> Date: Mon, 24 Feb 2014 17:52:03 +0100
> Subject: [PATCH] [shared] sshd_set_idle_timeout - when doing the check be=
 sure
>   to check also the lower bound of ClientAliveInterval value.
>
> Signed-off-by: Jan Lieskovsky<jlieskov(a)redhat.com>
> ---
>   Fedora/input/checks/sshd_set_idle_timeout.xml | 34 +-------------------=
-------
>   shared/oval/sshd_set_idle_timeout.xml         | 19 ++++++++++++---
>   2 files changed, 17 insertions(+), 36 deletions(-)
>   mode change 100644 =3D> 120000 Fedora/input/checks/sshd_set_idle_timeou=
t.xml
>
> diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml b/Fedora/input=
/checks/sshd_set_idle_timeout.xml
> deleted file mode 100644
> index df3336a..0000000
> --- a/Fedora/input/checks/sshd_set_idle_timeout.xml
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -<def-group>
> -  <definition class=3D"compliance" id=3D"sshd_set_idle_timeout" version=
=3D"1">
> -    <metadata>
> -      <title>Set OpenSSH Idle Timeout Interval</title>
> -      <affected family=3D"unix">
> -        <platform>Fedora 19</platform>
> -      </affected>
> -      <description>The SSH idle timeout interval should be set to an app=
ropriate value.</description>
> -    </metadata>
> -    <criteria comment=3D"SSH is not being used or conditions are met" op=
erator=3D"OR">
> -      <extend_definition comment=3D"sshd service is disabled" definition=
_ref=3D"service_sshd_disabled" />
> -      <criterion comment=3D"Check ClientAliveInterval in /etc/ssh/sshd_c=
onfig" test_ref=3D"test_sshd_idle_timeout" />
> -    </criteria>
> -  </definition>
> -
> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist=
" comment=3D"timeout is configured" id=3D"test_sshd_idle_timeout" version=
=3D"1">
> -    <ind:object object_ref=3D"object_sshd_idle_timeout" />
> -    <ind:state state_ref=3D"state_timeout_value" />
> -  </ind:textfilecontent54_test>
> -
> -  <ind:textfilecontent54_object id=3D"object_sshd_idle_timeout" version=
=3D"1">
> -    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
> -    <ind:pattern operation=3D"pattern match">^[\s]*(?i)ClientAliveInterv=
al[\s]+(\d+)[\s]*$</ind:pattern>
> -    <ind:instance datatype=3D"int">1</ind:instance>
> -  </ind:textfilecontent54_object>
> -
> -  <ind:textfilecontent54_state comment=3D"ClientAliveInterval in seconds=
" id=3D"state_timeout_value" version=3D"1">
> -    <ind:subexpression datatype=3D"int" operation=3D"less than or equal"=
 var_check=3D"all" var_ref=3D"sshd_idle_timeout_value" />
> -  </ind:textfilecontent54_state>
> -
> -  <external_variable comment=3D"timeout value" datatype=3D"int" id=3D"ss=
hd_idle_timeout_value" version=3D"1" />
> -
> -</def-group>
> diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml b/Fedora/input=
/checks/sshd_set_idle_timeout.xml
> new file mode 120000
> index 0000000..2fd18f6
> --- /dev/null
> +++ b/Fedora/input/checks/sshd_set_idle_timeout.xml
> @@ -0,0 +1 @@
> +../../../shared/oval/sshd_set_idle_timeout.xml
> \ No newline at end of file
> diff --git a/shared/oval/sshd_set_idle_timeout.xml b/shared/oval/sshd_set=
_idle_timeout.xml
> index ad63830..f891e65 100644
> --- a/shared/oval/sshd_set_idle_timeout.xml
> +++ b/shared/oval/sshd_set_idle_timeout.xml
> @@ -5,10 +5,12 @@
>         <affected family=3D"unix">
>           <platform>Red Hat Enterprise Linux 6</platform>
>           <platform>Red Hat Enterprise Linux 7</platform>
> +        <platform>Fedora 20</platform>
>         </affected>
>         <description>The SSH idle timeout interval should be set to an
>         appropriate value.</description>
>         <reference source=3D"MED" ref_id=3D"20130813" ref_url=3D"test_att=
estation" />
> +      <!-- Fedora 20: <reference source=3D"JL" ref_id=3D"20140224" ref_u=
rl=3D"test_attestation" /> -->
>       </metadata>
>       <criteria comment=3D"SSH is not being used or conditions are met"
>       operator=3D"OR">
> @@ -18,21 +20,32 @@
>         test_ref=3D"test_sshd_idle_timeout" />
>       </criteria>
>     </definition>
> +
>     <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exis=
t"
>     comment=3D"timeout is configured" id=3D"test_sshd_idle_timeout" versi=
on=3D"1">
>       <ind:object object_ref=3D"object_sshd_idle_timeout" />
> -    <ind:state state_ref=3D"state_timeout_value" />
> +    <ind:state state_ref=3D"state_timeout_value_upper_bound" />
> +    <ind:state state_ref=3D"state_timeout_value_lower_bound" />
>     </ind:textfilecontent54_test>
> +
>     <ind:textfilecontent54_object id=3D"object_sshd_idle_timeout" version=
=3D"1">
>       <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
>       <ind:pattern operation=3D"pattern match">^[\s]*(?i)ClientAliveInter=
val[\s]+(\d+)[\s]*$</ind:pattern>
>       <ind:instance datatype=3D"int">1</ind:instance>
>     </ind:textfilecontent54_object>
> -  <ind:textfilecontent54_state comment=3D"ClientAliveInterval in seconds"
> -  id=3D"state_timeout_value" version=3D"1">
> +
> +  <ind:textfilecontent54_state comment=3D"upper bound of ClientAliveInte=
rval in seconds"
> +  id=3D"state_timeout_value_upper_bound" version=3D"1">
>       <ind:subexpression datatype=3D"int" operation=3D"less than or equal=
" var_check=3D"all"
>       var_ref=3D"sshd_idle_timeout_value" />
>     </ind:textfilecontent54_state>
> +
> +  <ind:textfilecontent54_state comment=3D"lower bound of ClientAliveInte=
rval in seconds"
> +  id=3D"state_timeout_value_lower_bound" version=3D"1">
> +    <ind:subexpression datatype=3D"int" operation=3D"greater than">0</in=
d:subexpression>
> +  </ind:textfilecontent54_state>
> +
>     <external_variable comment=3D"timeout value" datatype=3D"int"
>     id=3D"sshd_idle_timeout_value" version=3D"1" />
> +
>   </def-group>



Good finding. Ack.

--===============4609042510241330632==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGh0bWw+CiAgPGhlYWQ+CiAgICA8bWV0YSBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRG
LTgiIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSI+CiAgPC9oZWFkPgogIDxib2R5IGJnY29sb3I9
IiNGRkZGRkYiIHRleHQ9IiMwMDAwMDAiPgogICAgPGRpdiBjbGFzcz0ibW96LWNpdGUtcHJlZml4
Ij5PbiAyLzI0LzE0LCAxMjowNiBQTSwgSmFuIExpZXNrb3Zza3kKICAgICAgd3JvdGU6PGJyPgog
ICAgPC9kaXY+CiAgICA8YmxvY2txdW90ZQogICAgICBjaXRlPSJtaWQ6MTg1NDc4NjQzMS4xNTM5
ODc1Ny4xMzkzMjYxNTk1ODg1LkphdmFNYWlsLnppbWJyYUByZWRoYXQuY29tIgogICAgICB0eXBl
PSJjaXRlIj4KICAgICAgPGRpdiBjbGFzcz0ibW96LXRleHQtcGxhaW4iIHdyYXA9InRydWUiIGdy
YXBoaWNhbC1xdW90ZT0idHJ1ZSIKICAgICAgICBzdHlsZT0iZm9udC1mYW1pbHk6IC1tb3otZml4
ZWQ7IGZvbnQtc2l6ZTogMTJweDsiCiAgICAgICAgbGFuZz0ieC11bmljb2RlIj4KICAgICAgICA8
cHJlIHdyYXA9IiI+VGhpcyBpbXByb3ZlbWVudCB3YXMgb3JpZ2luYWxseSBwcm9wb3NlZCBieSBU
b21hcyBIZWlucmljaCBmb3IgVVNHQ0IgY29udGVudC4KQnV0IGl0IGlzIGFwcGxpY2FibGUgdG8g
U1NHIGNvbnRlbnQgdG9vLCB0aGVyZWZvcmUgdGhpcyBwb3N0LgoKUmF0aW9uYWxlOgotLS0tLS0t
LS0tCgogIFdoZW4gY2hlY2tpbmcgdGhlIHN5c3RlbSBmb3IgdW5kZXJseWluZyB2YWx1ZSBvZiBD
bGllbnRBbGl2ZUludGVydmFsIHNzaGQgY29uZmlnCnZhcmlhYmxlIGl0J3Mgbm90IHN1ZmZpY2ll
bnQgdG8gY2hlY2sganVzdCBmb3IgdXBwZXIgYm91bmQgKGlmIHRoZSBwcmVzZW50IHZhbHVlIGlz
Cmxlc3MgdGhhbiByZXF1aXJlZCBtYXhpbXVtKSwgYnV0IGl0IGlzIG5lY2Vzc2FyeSB0byBjaGVj
ayBhbHNvIGZvciBsb3dlciBib3VuZC4gQmVjYXVzZQpmcm9tIHRoZSBzc2hkX2NvbmZpZyBtYW51
YWwgcGFnZToKCiAgICAgQ2xpZW50QWxpdmVJbnRlcnZhbAogICAgICAgICAgICAgU2V0cyBhIHRp
bWVvdXQgaW50ZXJ2YWwgaW4gc2Vjb25kcyBhZnRlciB3aGljaCBpZiBubyBkYXRhIGhhcyBiZWVu
IHJlY2VpdmVkIGZyb20gdGhlIGNsaWVudCwgc3NoZCg4KSB3aWxsIHNlbmQgYSBtZXNzYWdlIHRo
cm91Z2ggdGhlCiAgICAgICAgICAgICBlbmNyeXB0ZWQgY2hhbm5lbCB0byByZXF1ZXN0IGEgcmVz
cG9uc2UgZnJvbSB0aGUgY2xpZW50LiAgVGhlIGRlZmF1bHQgaXMgMCwgaW5kaWNhdGluZyB0aGF0
IHRoZXNlIG1lc3NhZ2VzIHdpbGwgbm90IGJlIHNlbnQgdG8gdGhlCiAgICAgICAgICAgICBjbGll
bnQuICBUaGlzIG9wdGlvbiBhcHBsaWVzIHRvIHByb3RvY29sIHZlcnNpb24gMiBvbmx5LgoKQ29u
Y2x1c2lvbjoKLS0tLS0tLS0tLS0KCiAgVGhlIGN1cnJlbnQgZm9ybSB3b3JrZWQgb25seSBmb3Ig
aW5zdGFuY2VzLCBub3QgaGF2aW5nIENsaWVudEFsaXZlSW50ZXJ2YWwgYXQgYWxsIGluIHRoZQpj
b25maWcuIEJ1dCBoYXZpbmcgaGFkIHRoYXQgdmFsdWUgc2V0IHRvIHplcm8sIHdvdWxkIHN0aWxs
IHBhc3MgKHdoaWNoIGlzIHdyb25nLCBzaW5jZSBhcwptZW50aW9uZWQgYWJvdmUgdGhlc2UgbWVz
c2FnZXMgd291bGQgc3RpbGwgbm90IGJlIHNlbnQpLiBUaHVzIHRoaXMgcGF0Y2ggYWRkcyBhbHNv
IGNoZWNrCmlmIGFjdHVhbCB2YWx1ZSBpcyBncmVhdGVyIHRoYW4gemVyby4KCiAgQmVzaWRlcyB0
aGF0IGl0IGFkZCBzb21lIGJsYW5rIGxpbmVzIGZvciBiZXR0ZXIgcmVhZGFiaWxpdHkuIEFsc28g
cmVtb3ZlcyBGZWRvcmEgdmVyc2lvbgpvZiBzc2hkX3NldF9pZGxlX3RpbWVvdXQueG1sIHJ1bGUg
YW5kIGxpbmtzIHRvIHNoYXJlZCBvbmUuCgpUZXN0aW5nIGJhY2tncm91bmQ6Ci0tLS0tLS0tLS0t
LS0tLS0tLS0KCiAgSGFzIGJlZW4gdGVzdGVkIG9uIFJIRUwtNyAmYW1wOyBGZWRvcmEtMjAgYW5k
IHNlZW1zIHRvIGJlIHdvcmtpbmcgcHJvcGVybHkuCgpQbGVhc2UgcmV2aWV3LgoKVGhhbmsgeW91
ICZhbXA7JmFtcDsgUmVnYXJkcywgSmFuLgotLQpKYW4gaWFua2tvIExpZXNrb3Zza3kgLyBSZWQg
SGF0IFNlY3VyaXR5IFRlY2hub2xvZ2llcyBUZWFtCjwvcHJlPgogICAgICA8L2Rpdj4KICAgICAg
PGJyPgogICAgICA8ZmllbGRzZXQgY2xhc3M9Im1pbWVBdHRhY2htZW50SGVhZGVyIj48bGVnZW5k
CiAgICAgICAgICBjbGFzcz0ibWltZUF0dGFjaG1lbnRIZWFkZXJOYW1lIj4wMDAxLXNoYXJlZC1z
c2hkX3NldF9pZGxlX3RpbWVvdXQtd2hlbi1kb2luZy10aGUtY2hlY2stYmUucGF0Y2g8L2xlZ2Vu
ZD48L2ZpZWxkc2V0PgogICAgICA8YnI+CiAgICAgIDxkaXYgY2xhc3M9Im1vei10ZXh0LXBsYWlu
IiB3cmFwPSJ0cnVlIiBncmFwaGljYWwtcXVvdGU9InRydWUiCiAgICAgICAgc3R5bGU9ImZvbnQt
ZmFtaWx5OiAtbW96LWZpeGVkOyBmb250LXNpemU6IDEycHg7IgogICAgICAgIGxhbmc9Ingtd2Vz
dGVybiI+CiAgICAgICAgPHByZSB3cmFwPSIiPkZyb20gYjg0MTk4MDBkZDI3YWJhZDIwYTVmNjMx
ZWE3MTk0NGNlYjQzNjY0ZiBNb24gU2VwIDE3IDAwOjAwOjAwIDIwMDEKRnJvbTogSmFuIExpZXNr
b3Zza3kgPGEgbW96LWRvLW5vdC1zZW5kPSJ0cnVlIiBjbGFzcz0ibW96LXR4dC1saW5rLXJmYzIz
OTZFIiBocmVmPSJtYWlsdG86amxpZXNrb3ZAcmVkaGF0LmNvbSI+Jmx0O2psaWVza292QHJlZGhh
dC5jb20mZ3Q7PC9hPgpEYXRlOiBNb24sIDI0IEZlYiAyMDE0IDE3OjUyOjAzICswMTAwClN1Ympl
Y3Q6IFtQQVRDSF0gW3NoYXJlZF0gc3NoZF9zZXRfaWRsZV90aW1lb3V0IC0gd2hlbiBkb2luZyB0
aGUgY2hlY2sgYmUgc3VyZQogdG8gY2hlY2sgYWxzbyB0aGUgbG93ZXIgYm91bmQgb2YgQ2xpZW50
QWxpdmVJbnRlcnZhbCB2YWx1ZS4KClNpZ25lZC1vZmYtYnk6IEphbiBMaWVza292c2t5IDxhIG1v
ei1kby1ub3Qtc2VuZD0idHJ1ZSIgY2xhc3M9Im1vei10eHQtbGluay1yZmMyMzk2RSIgaHJlZj0i
bWFpbHRvOmpsaWVza292QHJlZGhhdC5jb20iPiZsdDtqbGllc2tvdkByZWRoYXQuY29tJmd0Ozwv
YT4KLS0tCiBGZWRvcmEvaW5wdXQvY2hlY2tzL3NzaGRfc2V0X2lkbGVfdGltZW91dC54bWwgfCAz
NCArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KIHNoYXJlZC9vdmFsL3NzaGRfc2V0X2lkbGVf
dGltZW91dC54bWwgICAgICAgICB8IDE5ICsrKysrKysrKysrKy0tLQogMiBmaWxlcyBjaGFuZ2Vk
LCAxNyBpbnNlcnRpb25zKCspLCAzNiBkZWxldGlvbnMoLSkKIG1vZGUgY2hhbmdlIDEwMDY0NCA9
Jmd0OyAxMjAwMDAgRmVkb3JhL2lucHV0L2NoZWNrcy9zc2hkX3NldF9pZGxlX3RpbWVvdXQueG1s
CgpkaWZmIC0tZ2l0IGEvRmVkb3JhL2lucHV0L2NoZWNrcy9zc2hkX3NldF9pZGxlX3RpbWVvdXQu
eG1sIGIvRmVkb3JhL2lucHV0L2NoZWNrcy9zc2hkX3NldF9pZGxlX3RpbWVvdXQueG1sCmRlbGV0
ZWQgZmlsZSBtb2RlIDEwMDY0NAppbmRleCBkZjMzMzZhLi4wMDAwMDAwCi0tLSBhL0ZlZG9yYS9p
bnB1dC9jaGVja3Mvc3NoZF9zZXRfaWRsZV90aW1lb3V0LnhtbAorKysgL2Rldi9udWxsCkBAIC0x
LDMzICswLDAgQEAKLSZsdDtkZWYtZ3JvdXAmZ3Q7Ci0gICZsdDtkZWZpbml0aW9uIGNsYXNzPSJj
b21wbGlhbmNlIiBpZD0ic3NoZF9zZXRfaWRsZV90aW1lb3V0IiB2ZXJzaW9uPSIxIiZndDsKLSAg
ICAmbHQ7bWV0YWRhdGEmZ3Q7Ci0gICAgICAmbHQ7dGl0bGUmZ3Q7U2V0IE9wZW5TU0ggSWRsZSBU
aW1lb3V0IEludGVydmFsJmx0Oy90aXRsZSZndDsKLSAgICAgICZsdDthZmZlY3RlZCBmYW1pbHk9
InVuaXgiJmd0OwotICAgICAgICAmbHQ7cGxhdGZvcm0mZ3Q7RmVkb3JhIDE5Jmx0Oy9wbGF0Zm9y
bSZndDsKLSAgICAgICZsdDsvYWZmZWN0ZWQmZ3Q7Ci0gICAgICAmbHQ7ZGVzY3JpcHRpb24mZ3Q7
VGhlIFNTSCBpZGxlIHRpbWVvdXQgaW50ZXJ2YWwgc2hvdWxkIGJlIHNldCB0byBhbiBhcHByb3By
aWF0ZSB2YWx1ZS4mbHQ7L2Rlc2NyaXB0aW9uJmd0OwotICAgICZsdDsvbWV0YWRhdGEmZ3Q7Ci0g
ICAgJmx0O2NyaXRlcmlhIGNvbW1lbnQ9IlNTSCBpcyBub3QgYmVpbmcgdXNlZCBvciBjb25kaXRp
b25zIGFyZSBtZXQiIG9wZXJhdG9yPSJPUiImZ3Q7Ci0gICAgICAmbHQ7ZXh0ZW5kX2RlZmluaXRp
b24gY29tbWVudD0ic3NoZCBzZXJ2aWNlIGlzIGRpc2FibGVkIiBkZWZpbml0aW9uX3JlZj0ic2Vy
dmljZV9zc2hkX2Rpc2FibGVkIiAvJmd0OwotICAgICAgJmx0O2NyaXRlcmlvbiBjb21tZW50PSJD
aGVjayBDbGllbnRBbGl2ZUludGVydmFsIGluIC9ldGMvc3NoL3NzaGRfY29uZmlnIiB0ZXN0X3Jl
Zj0idGVzdF9zc2hkX2lkbGVfdGltZW91dCIgLyZndDsKLSAgICAmbHQ7L2NyaXRlcmlhJmd0Owot
ICAmbHQ7L2RlZmluaXRpb24mZ3Q7Ci0KLSAgJmx0O2luZDp0ZXh0ZmlsZWNvbnRlbnQ1NF90ZXN0
IGNoZWNrPSJhbGwiIGNoZWNrX2V4aXN0ZW5jZT0iYWxsX2V4aXN0IiBjb21tZW50PSJ0aW1lb3V0
IGlzIGNvbmZpZ3VyZWQiIGlkPSJ0ZXN0X3NzaGRfaWRsZV90aW1lb3V0IiB2ZXJzaW9uPSIxIiZn
dDsKLSAgICAmbHQ7aW5kOm9iamVjdCBvYmplY3RfcmVmPSJvYmplY3Rfc3NoZF9pZGxlX3RpbWVv
dXQiIC8mZ3Q7Ci0gICAgJmx0O2luZDpzdGF0ZSBzdGF0ZV9yZWY9InN0YXRlX3RpbWVvdXRfdmFs
dWUiIC8mZ3Q7Ci0gICZsdDsvaW5kOnRleHRmaWxlY29udGVudDU0X3Rlc3QmZ3Q7Ci0KLSAgJmx0
O2luZDp0ZXh0ZmlsZWNvbnRlbnQ1NF9vYmplY3QgaWQ9Im9iamVjdF9zc2hkX2lkbGVfdGltZW91
dCIgdmVyc2lvbj0iMSImZ3Q7Ci0gICAgJmx0O2luZDpmaWxlcGF0aCZndDsvZXRjL3NzaC9zc2hk
X2NvbmZpZyZsdDsvaW5kOmZpbGVwYXRoJmd0OwotICAgICZsdDtpbmQ6cGF0dGVybiBvcGVyYXRp
b249InBhdHRlcm4gbWF0Y2giJmd0O15bXHNdKig/aSlDbGllbnRBbGl2ZUludGVydmFsW1xzXSso
XGQrKVtcc10qJCZsdDsvaW5kOnBhdHRlcm4mZ3Q7Ci0gICAgJmx0O2luZDppbnN0YW5jZSBkYXRh
dHlwZT0iaW50IiZndDsxJmx0Oy9pbmQ6aW5zdGFuY2UmZ3Q7Ci0gICZsdDsvaW5kOnRleHRmaWxl
Y29udGVudDU0X29iamVjdCZndDsKLQotICAmbHQ7aW5kOnRleHRmaWxlY29udGVudDU0X3N0YXRl
IGNvbW1lbnQ9IkNsaWVudEFsaXZlSW50ZXJ2YWwgaW4gc2Vjb25kcyIgaWQ9InN0YXRlX3RpbWVv
dXRfdmFsdWUiIHZlcnNpb249IjEiJmd0OwotICAgICZsdDtpbmQ6c3ViZXhwcmVzc2lvbiBkYXRh
dHlwZT0iaW50IiBvcGVyYXRpb249Imxlc3MgdGhhbiBvciBlcXVhbCIgdmFyX2NoZWNrPSJhbGwi
IHZhcl9yZWY9InNzaGRfaWRsZV90aW1lb3V0X3ZhbHVlIiAvJmd0OwotICAmbHQ7L2luZDp0ZXh0
ZmlsZWNvbnRlbnQ1NF9zdGF0ZSZndDsKLQotICAmbHQ7ZXh0ZXJuYWxfdmFyaWFibGUgY29tbWVu
dD0idGltZW91dCB2YWx1ZSIgZGF0YXR5cGU9ImludCIgaWQ9InNzaGRfaWRsZV90aW1lb3V0X3Zh
bHVlIiB2ZXJzaW9uPSIxIiAvJmd0OwotCi0mbHQ7L2RlZi1ncm91cCZndDsKZGlmZiAtLWdpdCBh
L0ZlZG9yYS9pbnB1dC9jaGVja3Mvc3NoZF9zZXRfaWRsZV90aW1lb3V0LnhtbCBiL0ZlZG9yYS9p
bnB1dC9jaGVja3Mvc3NoZF9zZXRfaWRsZV90aW1lb3V0LnhtbApuZXcgZmlsZSBtb2RlIDEyMDAw
MAppbmRleCAwMDAwMDAwLi4yZmQxOGY2Ci0tLSAvZGV2L251bGwKKysrIGIvRmVkb3JhL2lucHV0
L2NoZWNrcy9zc2hkX3NldF9pZGxlX3RpbWVvdXQueG1sCkBAIC0wLDAgKzEgQEAKKy4uLy4uLy4u
L3NoYXJlZC9vdmFsL3NzaGRfc2V0X2lkbGVfdGltZW91dC54bWwKXCBObyBuZXdsaW5lIGF0IGVu
ZCBvZiBmaWxlCmRpZmYgLS1naXQgYS9zaGFyZWQvb3ZhbC9zc2hkX3NldF9pZGxlX3RpbWVvdXQu
eG1sIGIvc2hhcmVkL292YWwvc3NoZF9zZXRfaWRsZV90aW1lb3V0LnhtbAppbmRleCBhZDYzODMw
Li5mODkxZTY1IDEwMDY0NAotLS0gYS9zaGFyZWQvb3ZhbC9zc2hkX3NldF9pZGxlX3RpbWVvdXQu
eG1sCisrKyBiL3NoYXJlZC9vdmFsL3NzaGRfc2V0X2lkbGVfdGltZW91dC54bWwKQEAgLTUsMTAg
KzUsMTIgQEAKICAgICAgICZsdDthZmZlY3RlZCBmYW1pbHk9InVuaXgiJmd0OwogICAgICAgICAm
bHQ7cGxhdGZvcm0mZ3Q7UmVkIEhhdCBFbnRlcnByaXNlIExpbnV4IDYmbHQ7L3BsYXRmb3JtJmd0
OwogICAgICAgICAmbHQ7cGxhdGZvcm0mZ3Q7UmVkIEhhdCBFbnRlcnByaXNlIExpbnV4IDcmbHQ7
L3BsYXRmb3JtJmd0OworICAgICAgICAmbHQ7cGxhdGZvcm0mZ3Q7RmVkb3JhIDIwJmx0Oy9wbGF0
Zm9ybSZndDsKICAgICAgICZsdDsvYWZmZWN0ZWQmZ3Q7CiAgICAgICAmbHQ7ZGVzY3JpcHRpb24m
Z3Q7VGhlIFNTSCBpZGxlIHRpbWVvdXQgaW50ZXJ2YWwgc2hvdWxkIGJlIHNldCB0byBhbgogICAg
ICAgYXBwcm9wcmlhdGUgdmFsdWUuJmx0Oy9kZXNjcmlwdGlvbiZndDsKICAgICAgICZsdDtyZWZl
cmVuY2Ugc291cmNlPSJNRUQiIHJlZl9pZD0iMjAxMzA4MTMiIHJlZl91cmw9InRlc3RfYXR0ZXN0
YXRpb24iIC8mZ3Q7CisgICAgICAmbHQ7IS0tIEZlZG9yYSAyMDogJmx0O3JlZmVyZW5jZSBzb3Vy
Y2U9IkpMIiByZWZfaWQ9IjIwMTQwMjI0IiByZWZfdXJsPSJ0ZXN0X2F0dGVzdGF0aW9uIiAvJmd0
OyAtLSZndDsKICAgICAmbHQ7L21ldGFkYXRhJmd0OwogICAgICZsdDtjcml0ZXJpYSBjb21tZW50
PSJTU0ggaXMgbm90IGJlaW5nIHVzZWQgb3IgY29uZGl0aW9ucyBhcmUgbWV0IgogICAgIG9wZXJh
dG9yPSJPUiImZ3Q7CkBAIC0xOCwyMSArMjAsMzIgQEAKICAgICAgIHRlc3RfcmVmPSJ0ZXN0X3Nz
aGRfaWRsZV90aW1lb3V0IiAvJmd0OwogICAgICZsdDsvY3JpdGVyaWEmZ3Q7CiAgICZsdDsvZGVm
aW5pdGlvbiZndDsKKwogICAmbHQ7aW5kOnRleHRmaWxlY29udGVudDU0X3Rlc3QgY2hlY2s9ImFs
bCIgY2hlY2tfZXhpc3RlbmNlPSJhbGxfZXhpc3QiCiAgIGNvbW1lbnQ9InRpbWVvdXQgaXMgY29u
ZmlndXJlZCIgaWQ9InRlc3Rfc3NoZF9pZGxlX3RpbWVvdXQiIHZlcnNpb249IjEiJmd0OwogICAg
ICZsdDtpbmQ6b2JqZWN0IG9iamVjdF9yZWY9Im9iamVjdF9zc2hkX2lkbGVfdGltZW91dCIgLyZn
dDsKLSAgICAmbHQ7aW5kOnN0YXRlIHN0YXRlX3JlZj0ic3RhdGVfdGltZW91dF92YWx1ZSIgLyZn
dDsKKyAgICAmbHQ7aW5kOnN0YXRlIHN0YXRlX3JlZj0ic3RhdGVfdGltZW91dF92YWx1ZV91cHBl
cl9ib3VuZCIgLyZndDsKKyAgICAmbHQ7aW5kOnN0YXRlIHN0YXRlX3JlZj0ic3RhdGVfdGltZW91
dF92YWx1ZV9sb3dlcl9ib3VuZCIgLyZndDsKICAgJmx0Oy9pbmQ6dGV4dGZpbGVjb250ZW50NTRf
dGVzdCZndDsKKwogICAmbHQ7aW5kOnRleHRmaWxlY29udGVudDU0X29iamVjdCBpZD0ib2JqZWN0
X3NzaGRfaWRsZV90aW1lb3V0IiB2ZXJzaW9uPSIxIiZndDsKICAgICAmbHQ7aW5kOmZpbGVwYXRo
Jmd0Oy9ldGMvc3NoL3NzaGRfY29uZmlnJmx0Oy9pbmQ6ZmlsZXBhdGgmZ3Q7CiAgICAgJmx0O2lu
ZDpwYXR0ZXJuIG9wZXJhdGlvbj0icGF0dGVybiBtYXRjaCImZ3Q7Xltcc10qKD9pKUNsaWVudEFs
aXZlSW50ZXJ2YWxbXHNdKyhcZCspW1xzXSokJmx0Oy9pbmQ6cGF0dGVybiZndDsKICAgICAmbHQ7
aW5kOmluc3RhbmNlIGRhdGF0eXBlPSJpbnQiJmd0OzEmbHQ7L2luZDppbnN0YW5jZSZndDsKICAg
Jmx0Oy9pbmQ6dGV4dGZpbGVjb250ZW50NTRfb2JqZWN0Jmd0OwotICAmbHQ7aW5kOnRleHRmaWxl
Y29udGVudDU0X3N0YXRlIGNvbW1lbnQ9IkNsaWVudEFsaXZlSW50ZXJ2YWwgaW4gc2Vjb25kcyIK
LSAgaWQ9InN0YXRlX3RpbWVvdXRfdmFsdWUiIHZlcnNpb249IjEiJmd0OworCisgICZsdDtpbmQ6
dGV4dGZpbGVjb250ZW50NTRfc3RhdGUgY29tbWVudD0idXBwZXIgYm91bmQgb2YgQ2xpZW50QWxp
dmVJbnRlcnZhbCBpbiBzZWNvbmRzIgorICBpZD0ic3RhdGVfdGltZW91dF92YWx1ZV91cHBlcl9i
b3VuZCIgdmVyc2lvbj0iMSImZ3Q7CiAgICAgJmx0O2luZDpzdWJleHByZXNzaW9uIGRhdGF0eXBl
PSJpbnQiIG9wZXJhdGlvbj0ibGVzcyB0aGFuIG9yIGVxdWFsIiB2YXJfY2hlY2s9ImFsbCIKICAg
ICB2YXJfcmVmPSJzc2hkX2lkbGVfdGltZW91dF92YWx1ZSIgLyZndDsKICAgJmx0Oy9pbmQ6dGV4
dGZpbGVjb250ZW50NTRfc3RhdGUmZ3Q7CisKKyAgJmx0O2luZDp0ZXh0ZmlsZWNvbnRlbnQ1NF9z
dGF0ZSBjb21tZW50PSJsb3dlciBib3VuZCBvZiBDbGllbnRBbGl2ZUludGVydmFsIGluIHNlY29u
ZHMiCisgIGlkPSJzdGF0ZV90aW1lb3V0X3ZhbHVlX2xvd2VyX2JvdW5kIiB2ZXJzaW9uPSIxIiZn
dDsKKyAgICAmbHQ7aW5kOnN1YmV4cHJlc3Npb24gZGF0YXR5cGU9ImludCIgb3BlcmF0aW9uPSJn
cmVhdGVyIHRoYW4iJmd0OzAmbHQ7L2luZDpzdWJleHByZXNzaW9uJmd0OworICAmbHQ7L2luZDp0
ZXh0ZmlsZWNvbnRlbnQ1NF9zdGF0ZSZndDsKKwogICAmbHQ7ZXh0ZXJuYWxfdmFyaWFibGUgY29t
bWVudD0idGltZW91dCB2YWx1ZSIgZGF0YXR5cGU9ImludCIKICAgaWQ9InNzaGRfaWRsZV90aW1l
b3V0X3ZhbHVlIiB2ZXJzaW9uPSIxIiAvJmd0OworCiAmbHQ7L2RlZi1ncm91cCZndDs8L3ByZT4K
ICAgICAgPC9kaXY+CiAgICA8L2Jsb2NrcXVvdGU+CiAgICA8YnI+CiAgICA8YnI+CiAgICA8YnI+
CiAgICBHb29kIGZpbmRpbmcuIEFjay48YnI+CiAgPC9ib2R5Pgo8L2h0bWw+Cg==

--===============4609042510241330632==--