-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

########################################################################
#
# FreeBSD Configuration file for samhain.
#
# This template has hooks for a generic 5.x userland
# and some additional info for common services on desktop/server machines
# including Apache, PostgreSQL, CUPS, Net-SNMP,
#
# NOTE(review): this file is PGP-clearsigned. Any change to the signed text
# (comments and line wrapping included) invalidates the signature block at
# the end of the file, so re-sign after editing. The header above declares
# Hash: SHA1; consider a stronger digest when re-signing.
########################################################################

[Misc]
##
## Add or subtract tests from the policies
## - if you want to change their definitions,
##   you need to do that before using the policies
##
# RedefReadOnly = (no default)
# RedefAttributes=(no default)
# RedefLogFiles=(no default)
# RedefGrowingLogFiles=(no default)
# RedefIgnoreAll=(no default)
# RedefIgnoreNone=(no default)
# RedefUser0=(no default)
# RedefUser1=(no default)

# User0 will be for /dev/tty* and other devices where Owner/Group/Mode can change
# but Inode/Size/Device/Checksum should not change.
# A leading '+' adds a test to the policy, a leading '-' removes one.
# Added: inode, size, device, checksum.
RedefUser0=+INO
RedefUser0=+SIZ
RedefUser0=+RDEV
RedefUser0=+CHK
# Removed: mode, the three timestamps (presumably mtime/atime/ctime), group, owner.
RedefUser0=-MOD
RedefUser0=-MTM
RedefUser0=-ATM
RedefUser0=-CTM
RedefUser0=-GRP
RedefUser0=-USR

# this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1)
IgnoreAdded=/var/db/pkgdb.fixme
IgnoreMissing=/var/db/pkgdb.fixme

# Per the notes in [GrowingLogFiles] and per discussion on the forum
# This is needed due to the behavior of newsyslog(8) rotation method
# File sizes will get smaller, inodes will change as they rotate
# NOTE(review): with INO and SIZ removed, a log that is replaced or truncated
# outside of rotation no longer raises an alert under this policy; keep an
# off-host copy of the logs if tamper evidence matters.
RedefGrowingLogFiles=-INO
RedefGrowingLogFiles=-SIZ

# Log files that may not be there within X number of days after the install
# or after the admin prunes excess logs
# NOTE(review): the patterns below carry no ^ or $ anchors. If samhain matches
# them unanchored (confirm in the manual), any path that merely contains a
# match is also exempt from added/missing reports; anchor them if so.
# FreeBSD defaults
IgnoreAdded = /var/log/(cron|messages|maillog|security|sendmail\.st|auth\.log|wtmp)\.[0-9](\.bz2)?
IgnoreMissing= /var/log/(cron|messages|maillog|security|sendmail\.st|auth\.log|wtmp)\.[0-9](\.bz2)?
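# Local services
# Rotated copies of the service logs listed (commented out) in [GrowingLogFiles].
# The PostgreSQL alternative is spelled "postgresql\.log" so that it matches
# rotations of /var/log/postgresql.log; the earlier spelling "postgresq\.log"
# could never match that file name.
IgnoreAdded = /var/log/(snmpd\.log|postgresql\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2)?
IgnoreMissing = /var/log/(snmpd\.log|postgresql\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2)?
# Other candidates
# debug.log|lpd-errs|ppp.log|security|slip.log|xferlog|debug.log|pflog|

# FreeBSD uses compressed man pages
# The formatted ones get cached in cat[#]/* in gzip(1) unless mandoc is run
# without flags.
IgnoreAdded = /usr/(local|share|X11R6)/man/cat[[:digit:]]/[[:alnum:]_-]+\.[[:digit:]]+\.gz
IgnoreMissing = /usr/(local|share|X11R6)/man/cat[[:digit:]]/[[:alnum:]_-]+\.[[:digit:]]+\.gz

# FreeBSD devfs(8)/devd(8) automatically generate new tty/pty devs on demand in
# /dev but the naming convention is still screwy despite killing off MAKEDEV.sh
IgnoreAdded = /dev/(p|t)ty[[:alnum:]]{2,2}
IgnoreMissing = /dev/(p|t)ty[[:alnum:]]{2,2}

[Attributes]
# NOTE: Remember, directories monitored as file= in [Attributes] will only be
# watched for perms/ownership. Files inside said dirs will be gracefully
# ignored EVEN IF a higher level directory is watched with a specified
# recursion that "reaches" the file=dirname/ in question BECAUSE the file=
# IS A MORE SPECIFIC DESIGNATION.
# This is nice for directories containing files that come and go when not
# needed (cron, mail, tmp)
# ex.:
# /var/mail, /tmp, /var/tmp, /var/spool/mqueue,
# /var/spool/clientmqueue, /var/cron/tabs, etc, etc.
##
## for these files, only changes in permissions and ownership are checked
##

# Uncomment these if you have Linux Emulation / Compat installed
# NOTE(review): the two entries below appear uncommented in this copy - confirm
# that is intended on hosts without the Linux compat tree.
file=/usr/compat/linux/etc
file=/usr/compat/linux/etc/ld.so.cache

# Why is this here? It's not in the default FreeBSD tree or CUPS installation
# dir=/var/spool/lp/tmp

############ BEGIN /VAR ANNEX #####################
#### SEE NOTES ON /VAR in [ReadOnly] #############
# A number directly after "dir=" is the recursion depth for that directory.
dir=/var/log
dir=/var/account
dir=1/var/at
dir=/var/cron
dir=2/var/crash
# The pkg_db's are in here along with many other important
# things including /var/db/portaudit/auditfile.tbz
dir=5/var/db
#########
# NOTE: this file seems to come and go
# So it may need to be added to the IgnoreMissing/IgnoreAdded
# file=/var/db/pkgdb.fixme

# More /var
dir=2/var/lib
dir=3/var/named
dir=1/var/preserve
dir=/var/heimdal
dir=/var/msgs
dir=/var/rwho

# Easy come, easy go, no worries
# NOTE(review): per the note at the top of this section, file= on a directory
# means its contents are not checked at all. For /var/cron/tabs that leaves
# added or modified crontabs unreported; consider watching that directory's
# contents under a stricter policy.
file=/var/cron/tabs
file=/var/spool/mqueue
file=/var/spool/clientmqueue
file=/tmp
file=/var/mail
file=/var/tmp

# Per section 5.4.2.1 of the manual, Rule #5
# There are lock files written here that change the mtime/ctime
# of the dir, so we want to watch perms/ownership, ignore
# ctime/mtime/size, etc., but still watch the critical files
# inside, see notes in [ReadOnly]
# Note: in theory, /root should never change if you use sudo(8) w/o "-H"
file=/root/.gnupg
file=/root/.gnupg/random_seed

# We want to know about all new PID files, so adds/removals should come in
# NOTE: /var/spool is important: lock/ and spamd/ and cups/ (ports/print/cups*)
# But sendmail is always adding/removing files from its queue, so
# let it do so gracefully while keeping an eye on /var/spool
# especially since
# Samhain itself can cause mail to be sent
dir=/var/spool
#dir=/var/spool/cups
#dir=/var/spool/samba
#dir=/var/spool/spamd
#dir=/var/spool/lock
#dir=/var/spool/lpd
#file=/var/spool/mqueue
#file=/var/spool/clientmqueue
###########
# These two are empty...no idea what writes to them /var/empty is the homedir
# of the sshd/openntpd user so probably an OpenBSD legacy thing
dir=/var/games
dir=/var/empty
################ END /VAR ANNEX ################

# Ownership and permissions generally stay the same except TTYs!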
# See notes in [ReadOnly] and [Misc] !
dir=1/dev

# If you're running dhclient(8), resolv.conf will get re-written at renewal
# time so pray that the dhcpd(8) on your network doesn't get owned.
# NOTE(review): under this policy only permissions/ownership are checked, so
# a change to the resolver addresses themselves is not reported.
file=/etc/resolv.conf

# Updatedb per /etc/periodic/weekly/310.locate
file=/var/db/locate.database

# if you run CUPS, /etc/printcap gets re-written if you have
# "Browsing On" in cupsd.conf
file=/etc/printcap

# CUPS SSL certificate cache
# NOTE: need to investigate further, file is overwritten periodically
dir=/usr/local/etc/cups/certs
file=/usr/local/etc/cups/certs/0

## # if You are running PostgreSQL, these 6 dirs
## # will be constantly be changing contents, size, etc.
## # so watch the dir but not the files inside
## # handle RDBMS security otherwise
## # NOTE: defaults to /usr/local/pgsql/data/*/*
## file=/var/db/pgsql/data/base
## file=/var/db/pgsql/data/global
## file=/var/db/pgsql/data/pg_tblspc
## file=/var/db/pgsql/data/pg_xlog
## file=/var/db/pgsql/data/pg_clog
## file=/var/db/pgsql/data/pg_subtrans

[LogFiles]
##
## for these files, changes in signature, timestamps, and size are ignored
##
file=/var/run/utmp

[GrowingLogFiles]
##
## for these files, changes in signature, timestamps, and increase in size
## are ignored
##
# NOTE: Keep these in sync with /etc/syslog.conf, /etc/newsyslog.conf,
# syslog-ng.conf, xinetd.conf
file=/var/log/wtmp
file=/var/log/messages
# NOTE: /var/log/maillog is 0600 by default, for some stupid reason it's marked
# mode 640 in newsyslog.conf(5) by default, i should send-pr(1)
# Be sure to change it, then find the culprit and spank them with a wet noodle
file=/var/log/maillog
file=/var/log/lastlog
file=/var/log/cron
file=/var/log/auth.log

## # If you are running Apache, watch the perms of these files
## file=/var/log/httpd-error.log
## file=/var/log/httpd-access.log
## file=/var/log/httpd-ssl_request.log
##
## # Other common services
## # If you are running PostgreSQL with Syslog logging
## file=/var/log/postgresql.log
##
## # If you are running Net-SNMP
## file=/var/log/snmpd.log

# the pw(8) log, not via syslog, no rotation by default
file=/var/log/userlog

# NOTES ON LOG ROTATION BEHAVIOR:
# See comments about modifications to [GrowingLogFiles] to ignore INODE changes
# As newsyslog(8)/newsyslog.conf(5) has the default behavior of:
# - First move logfile.log to logfile.log.0
# - then bzip2 -v9 logfile.log.0
# - then touch(1) logfile.log
# - then HUP if applicable & reopen the new file (new inode)
# - Therefore, Ignore Signature, Size (if grow), and Inode changes
# But also, there's the IgnoreMissing regexp to account for log file pruning
# from the filesystem, and IgnoreAdded for the first Nth rotations of the
# logfile per newsyslog.conf(5)

[IgnoreAll]
##
## for these files, no modifications are reported
##
# NOTE: why are these here? Because of compressed man pages?
#dir=/usr/share/man
#dir=/usr/share/games
#dir=/usr/share/misc
#dir=/usr/X11R6/man

# Uncomment if you have Linux Emulation Installed/Setup/Mounted
file=/usr/compat/linux/proc
dir=-1/usr/compat/linux/proc

# If you cvsup(1) /usr/ports on a regular basis (cron job) and don't want to
# know about every change, uncomment this also works for /usr/src, but not rec'd
# NOTE(review): these entries appear uncommented in this copy, so no change
# under /usr/ports is reported. The /usr notes in [ReadOnly] say /usr/ports
# (distfiles, distinfo) should be watched; decide which of the two applies.
file=/usr/ports
dir=-1/usr/ports

# Same as above but if you monitor package changes via periodic(8) scripts
# instead of file system then uncomment these:
# NOTE(review): also active here; the package database is then unmonitored by
# samhain, so the periodic(8) checks become the only control for it.
file=/var/db/pkg
dir=-1/var/db/pkg

# Think very carefully about uncommenting this. If someone can poison your
# /usr/src, you might as well pack up and head home.
# NOTE(review): the second commented entry names /usr/ports, not /usr/src -
# looks like a copy/paste slip; check before ever enabling it.
#file=/usr/src
#dir=-1/usr/ports

[IgnoreNone]
##
## for these files, all modifications (even access time) are reported
## - you may create some interesting-looking file (like /etc/safe_passwd),
##   just to watch whether someone will access it ...
##

[ReadOnly]
##
## for these files, only access time is ignored
##
############# BEGIN / (SLASH) DEFINITIONS ###################################
# Note: about dir=/ with no recursion
# 18 dirs and 6 files (.profile, .cshrc, /compat, /sys, /COPYRIGHT, /entropy)
# Dirs: bin,sbin,boot,etc,mnt,stand,usr,var,rescue,lib,libexec,dist should never change
# /root and /dev will rarely change, /home will change when users are added
# NOTE: /tmp and /proc will change contents constantly so do not add to
# [ReadOnly], the dir attributes will get picked up by dir=/
# May need to add them to [Attributes] as file= or dir= instead
# /mnt may change if removable media/nfs shares are mounted/unmounted
# Look into
# NOTE: /sys and /compat are symlinks and are special files
# NOTE: /var and /usr are special and are blocked off below
# NOTE: We might not be able to use this because of /tmp and /proc
# So we may need to list each dir/file in / separately (which we're basically
# doing anyway), but each real file and symlink will need a file= entry if
# that's the case
dir=/

# Per the previous remarks, enforce strict policies on the following:
dir=/bin
dir=/sbin
dir=/mnt

# NOTE: /dev is handled by devfs(8)/devd(8)
# Move to [Attributes] as a dir= or file= since contents are constantly changing
# Example as you're playing an mp3 or typing in a terminal:
# *** NOTE: We want to watch ownership and permissions OF FILES IN THE DIR
# *** PLUS WE WANT TO MONITOR FOR THE PRESENCE AND REMOVAL OF FILES FROM THE DIR
# CRIT : [2005-08-23T11:06:26-0400] msg=,
# path=, ctime_old=<[2005-08-23T11:05:26]>, ctime_new=<[2005-
# 08-23T11:06:26]>, mtime_old=<[2005-08-23T11:05:26]>, mtime_new=<[2005-08-23T11
# :06:26]>,
#
# NOTE(review): read as commented out, since the text above moves /dev to
# [Attributes] (which has dir=1/dev) - confirm against the signed original.
# dir=1/dev

dir=/root
# Per section 5.4.2.1 of the manual, Rule #5
# When using GPG support, at each read/signing of the config or DB
# There are lock files written here that change the mtime/ctime
# of the dir, so we want to watch perms/ownership, ignore
# ctime/mtime/size, etc., but still watch the critical files
# inside, see notes in [ReadOnly]
dir=/root/.gnupg

# Note: /boot has at most a depth of two - /boot/[modules] and /boot/[kernname]
dir=2/boot
# Note: This is correct, max depth in /etc is 3 from
# /etc/periodic/{daily,weekly,monthly,security}
dir=3/etc
dir=1/lib
dir=/libexec
# Note: /rescue and /stand max depth 1, the following two lines are unneeded
# from the previous config
dir=/rescue
dir=1/stand
#dir=/stand/etc
#dir=/stand/modules
################ END / (SLASH) DEFINITIONS ###################################

################ BEGIN /VAR SECTION ##########################
# Note: /var is special, each subdir needs individual consideration
# because by virtue, the nature is constant change this may need to become
# file=/var, so that we can watch attributes and for the addition/removal
# of subdirs (such as things from ports)
# We can't actually monitor /var directly, as the contents of subdirs
# are constantly changing attribs and files are coming/going, ex /var/log
# so /var/log's special directory file ctime/mtime is always changing
# Causing alerts when dir=/var is set in [ReadOnly], HOWEVER, file=/ will
# catch additions and changes to /var itself (but not its members)
# what we'll have to do, since only additions/removals in /var are detected
# by dir=/, is we'll have to break up /var between [ReadOnly] and [Attributes]
dir=/var
# SEE /VAR section in [Attributes]
# /var/account
# /var/at
# /var/backups
# /var/crash
# /var/cron
# /var/db
# /var/empty
# /var/games
# /var/heimdal
# /var/lib
# /var/log
# /var/mail
# /var/msgs
# /var/named
# /var/preserve
# /var/run
# /var/rwho
# /var/spool
#
#NOTE: This will cause an alert every time someone modifies
#dir=2/var/cron
################ END /VAR SECTION ############################

################ BEGIN /USR SECTION ##########################
# Note: /usr is special. Generally nothing should ever change by nature of
# historical purpose, but because of FBSD Ports and FBSD compat/emul, some
# special exceptions will need to be made. Also some legacy things like
# /usr/home and /usr/tmp as symlinks -- REMOVE THESE!
# Also /usr/obj and /usr/ports tend to not get cleaned as they should
# Normally we would do dir=15/usr to be safe
dir=15/usr
#/usr/X11R6 max depth can be as deep as 10 because of GNOME crap from ports
#/usr/bin max depth 0/1
#NOTE: compat only if linux emul (on i386, different on other archs) is installed
#/usr/compat max depth can be as deep as 10 because it's a [not so]micro FS
#NOTE: /usr/compat/linux/proc has to be an exception in [IgnoreAll]
#/usr/games max depth 0/1
#/usr/include max depth 3/4
#/usr/lib max depth 2/3
#/usr/libexec max depth 2/3
#/usr/obj should be max depth 0 since it should be cleaned after use
# but could be as deep as [/usr/src]+1 if not
# NOTE: /usr/ports should be watched for activity, especially
# /usr/ports/distfiles, since a modified "distinfo" could install
# malicious code
# NOTE: /usr/ports should be cleaned "make -k clean NOCLEANDEPENDS=YES"
# before running "-t init" baseline
#/usr/ports max depth is 4 when "clean": ./ports/{cat}/{package}/{files,scripts}
#/usr/ports should only change during system administration changes
#/usr/share max depth 5 @ /usr/share/docs/*
#/usr/sbin max depth 0/1
#/usr/src should only change when a cvsup is run
#/usr/src max depth 8 or 9 in contrib/
################ END /USR SECTION ############################

# NOTE: WTF did these come from?
# Why are they in the original Samhain FreeBSD template?
#file=/kernel
#dir=/modules

[User0]
# Checked with the User0 policy as redefined by the RedefUser0 lines in the
# first [Misc] section.
file=/dev/tty*
file=/dev/pty*

[User1]
## User0 and User1 are sections for files/dirs with user-definable checking
## (see the manual)

[EventSeverity]
##
## Here you can assign severities to policy violations.
## If this severity exceeds the threshold of a log facility (see below),
## a policy violation will be logged to that facility.
##
#
# Severity for verification failures.
#
# SeverityReadOnly=crit
# SeverityLogFiles=crit
# SeverityGrowingLogs=crit
# SeverityIgnoreNone=crit
# SeverityAttributes=crit
# SeverityUser0=crit
# SeverityUser1=crit

## We have a file in IgnoreAll that might or might not be present.
## Setting the severity to 'info' prevents messages about deleted/new file.
##
# SeverityIgnoreAll=crit
SeverityIgnoreAll=info

# NOTE: Enable these two while testing a FreeBSD template on
# systems with different functions!
# NOTE(review): both read as commented out, matching the note above - confirm
# against the signed original.
## Files : file access problems
# SeverityFiles=crit
## Dirs : directory access problems
# SeverityDirs=crit

## Names : suspect (non-printable) characters in a pathname
# ALSO (per the discussion forum), any unknown GID/UIDs in file inodes
# i.e., files not owned by any user
# NOTE(review): 'info' is below the MailSeverity=crit and SyslogSeverity=warn
# thresholds set in [Log], so these events reach neither mail nor syslog.
# Non-printable path names and unowned files are worth seeing; consider
# raising this once the baseline is clean.
# SeverityNames=crit
SeverityNames=info

[Log]
##
## Switch on/OFF log facilities and set their threshold severity
##
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
## Use 'none' to SWITCH OFF a log facility
##
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as
## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
## at least on Linux). Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit

# NOTE(review): a lone '##' between a heading and a directive is read here as
# a spacer line, which makes MailSeverity and SyslogSeverity active - confirm
# against the signed original.
## E-mail
##
MailSeverity=crit

## Console
##
# PrintSeverity=info

## Logfile
##
# LogSeverity=mark

## Syslog
##
SyslogSeverity=warn

# If you have network log server support
# uncomment this.!
## Remote server (yule)
##
#ExportSeverity=warn

## External script or program
##
# ExternalSeverity = none

## Logging to a database
##
# DatabaseSeverity = none

## Logging to a Prelude-IDS
##
# PreludeSeverity = crit

#####################################################
#
# Optional modules
#
#####################################################

[SuidCheck]
##
## --- Check the filesystem for SUID/SGID binaries
##

## Switch on
# NOTE(review): the lone '#' after the heading is read as a spacer line, so
# the check is treated as enabled - confirm against the signed original.
#
SuidCheckActive = yes

## Interval for check (seconds)
#
# SuidCheckInterval = 7200

## Alternative: crontab-like schedule
#
# SuidCheckSchedule = NULL

## Directory to exclude
#
# SuidCheckExclude = NULL

## Limit on files per second (0 == no limit)
#
# SuidCheckFps = 0

## Alternative: yield after every file
#
# SuidCheckYield = no

## Severity of a detection
#
# SeveritySuidCheck = crit

## Quarantine SUID/SGID files if found
#
# SuidCheckQuarantineFiles = yes

## Method for Quarantining files:
# 0 - Delete the file.
# 1 - Remove SUID/SGID permissions from file.
# 2 - Move SUID/SGID file to quarantine dir.
#
# NOTE(review): method 0 deletes the file, which also removes the evidence;
# if quarantine is ever enabled, a non-destructive method is easier to
# investigate afterwards.
# SuidCheckQuarantineMethod = 0

## For method 1 and 3, really delete instead of truncating
# NOTE(review): the method list before this key is numbered 0-2, so
# "1 and 3" does not line up with it - check the manual before enabling.
#
# SuidCheckQuarantineDelete = yes

[Kernel]
##
## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
##

## Switch on/off
# NOTE(review): in this section and in [Utmp] the lone '#' after a
# "Switch on/off" heading is read as a spacer line, so the directive that
# follows is treated as active - confirm against the signed original.
#
KernelCheckActive = yes

## Check interval (seconds); btw., the check is VERY fast
#
# KernelCheckInterval = 300

## Severity
#
# SeverityKernel = crit

[Utmp]
##
## --- Logging of login/logout events
##

## Switch on/off
#
LoginCheckActive = no

## Severity for logins, multiple logins, logouts
#
# SeverityLogin=info
# SeverityLoginMulti=warn
# SeverityLogout=info

## Interval for login/logout checks
#
# LoginCheckInterval = 300

# [Database]
##
## --- Logging to a relational database
##

## Database name
#
# SetDBName = samhain

## Database table
#
# SetDBTable = log

## Database user
#
# SetDBUser = samhain

## Database password
# NOTE(review): if this is ever set, the password sits in this file in clear
# text; keep the file readable by the samhain user only.
#
# SetDBPassword = (default: none)

## Database host
#
# SetDBHost = localhost

## Log the server timestamp for received messages
#
# SetDBServerTstamp = True

## Use a persistent connection
#
# UsePersistent = True

# [External]
##
## Interface to call external scripts/programs for logging
##

## The absolute path to the command
## - Each invocation of this directive will end the definition of the
##   preceding command, and start the definition of
##   an additional, new command
#
# OpenCommand = (no default)

## Type (log or srv)
## - log for log messages, srv for messages received by the server
#
#SetType = log

## The command (full command line) to execute
#
# SetCommandLine = (no default)

## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)

## The TIGER192 checksum (optional)
#
# SetChecksum = (no default)

## User who runs the command
#
# SetCredentials = (default: samhain process uid)

## Words not allowed in message
#
# SetFilterNot = (none)

## Words required (ALL of them)
#
# SetFilterAnd = (none)

## Words required (at least one)
#
# SetFilterOr = (none)

## Deadtime between consecutive calls
#
# SetDeadtime = 0

## Add default environment (HOME, PATH, SHELL)
#
# SetDefault = no

#####################################################
#
# Miscellaneous configuration options
#
#####################################################

[Misc]
# Second [Misc] section of the file; the first one holds the policy
# redefinitions and the IgnoreAdded/IgnoreMissing patterns.
# Throughout this section the commented line shows the stock value and the
# uncommented line below it is the value this template sets.

## whether to become a daemon process
## (this is not honoured on database initialisation)
#
# Daemon = no
Daemon = yes

# whether to test signature of files (init/check/none)
# - if 'none', then we have to decide this on the command line -
#
# ChecksumTest = none
ChecksumTest=check

# Set nice level (-19 to 19, see 'man nice'),
# and I/O limit (kilobytes per second; 0 == off)
# to reduce load on host.
#
# SetNiceLevel = 0
# SetIOLimit = 0

## The version string to embed in file signature databases
#
# VersionString = NULL

## Interval between time stamp messages
#
# SetLoopTime = 60
SetLoopTime = 600

## Interval between file checks
# NOTE(review): a change made right after one check is not seen until the
# next one, so this value bounds the detection delay for file changes.
#
# SetFileCheckTime = 600
SetFileCheckTime = 7200

## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL

## Alternative: crontab-like schedule(2)
#
# FileCheckScheduleTwo = NULL

## Report only once on modified files
## Setting this to 'FALSE' will generate a report for any policy
## violation (old and new ones) each time the daemon checks the file system.
#
# ReportOnlyOnce = True

## Report in full detail
#
# ReportFullDetail = False

## Report file timestamps in local time rather than GMT
#
# UseLocalTime = No
UseLocalTime = Yes

## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
##   this directive a second time to set the second console device.
## If you have not defined the second device at compile time,
## and you don't want to use it, then:
## setting it to /dev/null is less effective than just leaving
## it alone (setting to /dev/null will waste time by opening
## /dev/null and writing to it)
#
# SetConsole = /dev/console

## Activate the SysV IPC message queue
#
# MessageQueueActive = False

## If false, skip reverse lookup when connecting to a host known
## by name rather than IP address (i.e. trust the DNS)
#
# SetReverseLookup = True

## --- E-Mail ---
# NOTE(review): in this block a lone '#' between a heading and a directive is
# read as a spacer line, which makes SetMailNum, SetMailAddress and
# MailSubject active - confirm against the signed original.

# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
# SetMailTime = 86400

## Maximum number of mails to queue
#
SetMailNum = 6

## Recipient (max. 8)
# NOTE(review): this is the template author's own address. Replace it before
# deploying, otherwise integrity reports for your host are mailed to a
# third party.
#
SetMailAddress=lavalamp@digitalfreaks.org

## Mail relay (IP address)
#
# SetMailRelay = NULL

## Custom subject format
# The subject carries the author's host name; adjust together with the recipient.
#
MailSubject = Samhain @ Soundwave

## --- end E-Mail ---

## Path to the executable. If set, will be checksummed after startup
## and before exit.
#
# SamhainPath = (no default)

## The IP address of the log server
#
# SetLogServer = (default: compiled-in)

## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)

## Trusted Users (comma delimited list of user names)
#
# TrustedUser = (no default; this adds to the compiled-in list)

## Path to the file signature database
#
# SetDatabasePath = (default: compiled-in)

## Path to the log file
#
# SetLogfilePath = (default: compiled-in)

## Path to the PID file
#
# SetLockPath = (default: compiled-in)

## The digest/checksum/hash algorithm
#
# DigestAlgo = TIGER192

## Custom format for message header.
## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "

## Don't log path to config/database file on startup
#
# HideSetup = False

## The syslog facility, if you log to syslog
# NOTE(review): make sure syslog.conf has a rule for local2, otherwise the
# messages enabled by SyslogSeverity may not be stored anywhere.
#
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility=LOG_LOCAL2

## The message authentication method
## - If you change this, you *must* change it
##   on client *and* server
#
# MACType = HMAC-TIGER

## The Prelude-IDS profile to use for reporting
## default value is "samhain"
#
# PreludeProfile = samhain

# everything below is ignored
[EOF]

#####################################################################
# This would be the proper syntax for parts that should only be
# included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
# result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name
# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
# No IP number - except if samhain cannot determine the
# fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDMAiG7bkt67MW+aERAlOVAKDXdk2qXLfFCAncWIpQ8FKeu33VtACgjQ9K
o1izxfrqrYYA1lYRVTfU6N0=
=c47A
-----END PGP SIGNATURE-----