rules/Azure.VNET.Rule.ps1
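# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

#
# Validation rules for virtual networking
#

#region Virtual Network

# Synopsis: Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
Rule 'Azure.VNET.UseNSGs' -Ref 'AZR-000263' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; 'Azure.ASB.v3/control' = 'NS-1' } {
    # Subnets with these names are exempt from the NSG requirement.
    $excludedSubnets = @('GatewaySubnet', 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet', 'RouteServerSubnet');

    # Default: the target itself is the subnet to check (subnet sub-resource case).
    $subnet = @($TargetObject);

    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        # Get subnets, skipping excluded names and subnets delegated to dedicated HSMs.
        $subnet = @($TargetObject.properties.subnets | Where-Object {
                $_.Name -notin $excludedSubnets -and
                @($_.properties.delegations | Where-Object { $_.properties.serviceName -eq 'Microsoft.HardwareSecurityModules/dedicatedHSMs' }).Length -eq 0
            });

        # Nothing left to check, or the VNET declares no subnets inline.
        if ($subnet.Length -eq 0 -or !$Assert.HasFieldValue($TargetObject, 'properties.subnets').Result) {
            return $Assert.Pass();
        }
    }
    elseif ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks/subnets') {
        # Azure.VNET.SubnetName below treats a subnet target name as '/'-separated and
        # uses the last segment as the subnet name. Compare that segment here as well, so
        # an excluded subnet is still recognised when the name is qualified by its VNET.
        # A name without '/' is compared unchanged.
        $subnetName = ([String]$PSRule.TargetName).Split('/')[-1];
        $isHsmDelegated = @($TargetObject.properties.delegations | Where-Object { $_.properties.serviceName -eq 'Microsoft.HardwareSecurityModules/dedicatedHSMs' }).Length -gt 0;
        if ($subnetName -in $excludedSubnets -or $isHsmDelegated) {
            return $Assert.Pass();
        }
    }

    # Every remaining subnet must reference an NSG; the reason names the failing subnet.
    foreach ($sn in $subnet) {
        $Assert.
            HasFieldValue($sn, 'properties.networkSecurityGroup.id').
            WithReason(($LocalizedData.SubnetNSGNotConfigured -f $sn.Name), $True);
    }
}

# TODO: Check that NSG on GatewaySubnet is not defined

# Synopsis: VNETs should have at least two DNS servers assigned
Rule 'Azure.VNET.SingleDNS' -Ref 'AZR-000264' -Type 'Microsoft.Network/virtualNetworks' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    # If DNS servers are customized, at least two IP addresses should be defined
    if ($Assert.NullOrEmpty($TargetObject, 'properties.dhcpOptions.dnsServers').Result) {
        # No custom DNS servers are configured, so the rule passes.
        $True;
    }
    else {
        $Assert.GreaterOrEqual($TargetObject, 'properties.dhcpOptions.dnsServers', 2);
    }
}

# Synopsis: VNETs should use Azure local DNS servers
Rule 'Azure.VNET.LocalDNS' -Ref 'AZR-000265' -Type 'Microsoft.Network/virtualNetworks' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    # If DNS servers are customized, check what range the IPs are in
    if ($Assert.NullOrEmpty($TargetObject, 'properties.dhcpOptions.dnsServers').Result) {
        $True;
    }
    else {
        # Primary DNS server must be within VNET address space or peered VNET.
        # Only the first configured server is checked; later entries are not evaluated.
        $dnsServers = @($TargetObject.Properties.dhcpOptions.dnsServers)
        $primary = $dnsServers[0]

        # Local ranges are this VNET's prefixes plus the remote prefixes of any peerings.
        $localRanges = @();
        $localRanges += $TargetObject.Properties.addressSpace.addressPrefixes
        if ($Assert.HasFieldValue($TargetObject, 'Properties.virtualNetworkPeerings').Result) {
            $localRanges += $TargetObject.Properties.virtualNetworkPeerings.properties.remoteAddressSpace.addressPrefixes
        }

        # Determine if the primary is in range (WithinCIDR is defined outside this file section).
        WithinCIDR -IP $primary -CIDR $localRanges
    }
}

# Synopsis: VNET peers should be connected
Rule 'Azure.VNET.PeerState' -Ref 'AZR-000266' -If { (HasPeerNetwork) } -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    # Each peering on the VNET must report a peeringState of 'Connected'.
    $peers = @($TargetObject.Properties.virtualNetworkPeerings);
    foreach ($peer in $peers) {
        $Assert.HasFieldValue($peer, 'Properties.peeringState', 'Connected');
    }
}

# Synopsis: Use subnets naming requirements
Rule 'Azure.VNET.SubnetName' -Ref 'AZR-000267' -Type 'Microsoft.Network/virtualNetworks', 'Microsoft.Network/virtualNetworks/subnets' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    # https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules#microsoftnetwork

    # NOTE(review): the pattern's quantifier does not bound the total length (hyphens and
    # periods may repeat), so the 1-80 length assertions are what enforce the limit. In .NET
    # regular expressions \w also matches non-ASCII letters and digits, which is looser than
    # the alphanumeric rule stated below - confirm whether that is intended.
    if ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks') {
        $subnets = @($TargetObject.Properties.subnets)
        if ($subnets.Length -eq 0 -or !$Assert.HasFieldValue($TargetObject, 'properties.subnets').Result) {
            # The VNET declares no subnets inline, so there is nothing to validate.
            $Assert.Pass();
        }
        else {
            foreach ($subnet in $subnets) {
                # Between 1 and 80 characters long
                $Assert.GreaterOrEqual($subnet, 'Name', 1)
                $Assert.LessOrEqual($subnet, 'Name', 80)

                # Alphanumerics, underscores, periods, and hyphens.
                # Start with alphanumeric. End alphanumeric or underscore.
                $subnet | Match 'Name' '^[A-Za-z0-9]((-|\.)*\w){0,79}$'
            }
        }
    }
    elseif ($PSRule.TargetType -eq 'Microsoft.Network/virtualNetworks/subnets') {
        # The subnet name is the last '/'-separated segment of the target name.
        $nameParts = $PSRule.TargetName.Split('/');
        $name = $nameParts[-1];

        # Between 1 and 80 characters long
        $Assert.GreaterOrEqual($name, '.', 1)
        $Assert.LessOrEqual($name, '.', 80)

        # Alphanumerics, underscores, periods, and hyphens.
        # Start with alphanumeric. End alphanumeric or underscore.
        $name | Match '.' '^[A-Za-z0-9]((-|\.)*\w){0,79}$'
    }
}

# Synopsis: VNETs with a GatewaySubnet should have an AzureBastionSubnet to allow for out of band remote access to VMs.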
Rule 'Azure.VNET.BastionSubnet' -Ref 'AZR-000314' -Type 'Microsoft.Network/virtualNetworks' -If { HasGatewaySubnet } -Tag @{ release = 'GA'; ruleSet = '2022_12' } {
    # Collect every subnet name known for this VNET, then require that
    # 'AzureBastionSubnet' is among them.
    $subnetNames = @(GetVirtualNetworkSubnets)
    $bastionCheck = $Assert.In($subnetNames, '.', @('AzureBastionSubnet'))
    $bastionCheck.Reason($LocalizedData.BastionSubnetNotFound, $PSRule.TargetName)
}

#endregion Virtual Network

#region Helper functions

# Precondition helper: evaluates to true when the current $TargetObject has a subnet named
# 'GatewaySubnet', either listed under Properties.subnets or returned by GetSubResources
# for the subnet resource type. $TargetObject is read from the calling scope.
function global:HasGatewaySubnet {
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param ()
    process {
        # Subnets declared inline on the VNET are checked first; -or short-circuits, so the
        # sub-resource lookup only runs when no inline match was found.
        $inlineGateway = $TargetObject.Properties.subnets | Where-Object { $_.name -eq 'GatewaySubnet' }
        $inlineGateway -or @(GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets' | Where-Object { $_.name -eq 'GatewaySubnet' })
    }
}

# Emits the name of each subnet of the current $TargetObject: first the entries under
# Properties.subnets, then the items returned by GetSubResources for the subnet type.
function global:GetVirtualNetworkSubnets {
    [CmdletBinding()]
    [OutputType([PSObject])]
    param ()
    process {
        $subnetType = 'Microsoft.Network/virtualNetworks/subnets'
        $TargetObject.Properties.subnets | ForEach-Object { $_.name }
        GetSubResources -ResourceType $subnetType | ForEach-Object { $_.name }
    }
}

#endregion Helper functions

# NOTE(review): the signature block that follows covers the exact bytes of the file as it was
# published. Any edit to this script, including reformatting or added comments, makes that
# signature fail verification; re-sign the file before distributing it or loading it under an
# execution policy that requires valid signatures.
# SIG # Begin signature block # MIInogYJKoZIhvcNAQcCoIInkzCCJ48CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCD6hvvbaw2W8rT9 # WNp3tpCV2B7I+NvzEN6A2ivRBk2cIaCCDYUwggYDMIID66ADAgECAhMzAAACzfNk # v/jUTF1RAAAAAALNMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjIwNTEyMjA0NjAyWhcNMjMwNTExMjA0NjAyWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # AQDrIzsY62MmKrzergm7Ucnu+DuSHdgzRZVCIGi9CalFrhwtiK+3FIDzlOYbs/zz # HwuLC3hir55wVgHoaC4liQwQ60wVyR17EZPa4BQ28C5ARlxqftdp3H8RrXWbVyvQ # aUnBQVZM73XDyGV1oUPZGHGWtgdqtBUd60VjnFPICSf8pnFiit6hvSxH5IVWI0iO #
nfqdXYoPWUtVUMmVqW1yBX0NtbQlSHIU6hlPvo9/uqKvkjFUFA2LbC9AWQbJmH+1 # uM0l4nDSKfCqccvdI5l3zjEk9yUSUmh1IQhDFn+5SL2JmnCF0jZEZ4f5HE7ykDP+ # oiA3Q+fhKCseg+0aEHi+DRPZAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQU0WymH4CP7s1+yQktEwbcLQuR9Zww # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzQ3MDUzMDAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AE7LSuuNObCBWYuttxJAgilXJ92GpyV/fTiyXHZ/9LbzXs/MfKnPwRydlmA2ak0r # GWLDFh89zAWHFI8t9JLwpd/VRoVE3+WyzTIskdbBnHbf1yjo/+0tpHlnroFJdcDS # MIsH+T7z3ClY+6WnjSTetpg1Y/pLOLXZpZjYeXQiFwo9G5lzUcSd8YVQNPQAGICl # 2JRSaCNlzAdIFCF5PNKoXbJtEqDcPZ8oDrM9KdO7TqUE5VqeBe6DggY1sZYnQD+/ # LWlz5D0wCriNgGQ/TWWexMwwnEqlIwfkIcNFxo0QND/6Ya9DTAUykk2SKGSPt0kL # tHxNEn2GJvcNtfohVY/b0tuyF05eXE3cdtYZbeGoU1xQixPZAlTdtLmeFNly82uB # VbybAZ4Ut18F//UrugVQ9UUdK1uYmc+2SdRQQCccKwXGOuYgZ1ULW2u5PyfWxzo4 # BR++53OB/tZXQpz4OkgBZeqs9YaYLFfKRlQHVtmQghFHzB5v/WFonxDVlvPxy2go # a0u9Z+ZlIpvooZRvm6OtXxdAjMBcWBAsnBRr/Oj5s356EDdf2l/sLwLFYE61t+ME # iNYdy0pXL6gN3DxTVf2qjJxXFkFfjjTisndudHsguEMk8mEtnvwo9fOSKT6oRHhM # 9sZ4HTg/TTMjUljmN3mBYWAWI5ExdC1inuog0xrKmOWVMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 
9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # 
BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAALN82S/+NRMXVEAAAAA # As0wDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEIEk7 # 7W7I8egoNpEOev5ke5M5sigoOiE/V9fiKAVF954tMEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEADWezLeTncRHhcXtCYKCBzV8f97OpGf3Z1+9m # gPFpJcAOJUBJJgugnX/pH+pTDjzxqPGAOmU8rMfIFdpcR4FGLS0Cpg3SylkZMJXU # D0athbvDW5FqtdlUCxF2GMO9s984GTKmaBGrdk3u71oa/bOWZwCiW66Qs3R8+SvZ # j3DbohQRJfAhnDN5CPz1sU5g3GbcfHmEumt3rt4CCw3PA3wgV2BZYz8WbQNqP84M # xcM0kJlxy4Kz3SyMKolQhf1jsa5o/UwLTqmy22YKqbd7tBH7YKkpIuUZqNfRcsCf # wG1ZJ2Y1MmtBATS0cYj4SpiU2OPpFuC0+bKWYagwuZIRVa+1CKGCFv0wghb5Bgor # BgEEAYI3AwMBMYIW6TCCFuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCAY5YFaMdvmzVVGrIXDmtdN4F4hgU1H7R5J # L8jbLsIXmgIGY0hAHozsGBMyMDIyMTAzMTE2MTgxMi4yMjJaMASAAgH0oIHQpIHN # MIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL # ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMg # VFNTIEVTTjpBRTJDLUUzMkItMUFGQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt # U3RhbXAgU2VydmljZaCCEVQwggcMMIIE9KADAgECAhMzAAABlklbYuEv3fdPAAEA # AAGWMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # 
MB4XDTIxMTIwMjE5MDUxM1oXDTIzMDIyODE5MDUxM1owgcoxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy # aWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkFFMkMtRTMy # Qi0xQUZDMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIC # IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0h9sEAtvrf48wOoy+i2TIQzS # RtJ79XFKnvh+DBishIEWVMKdWLB5dSExsovCva5D0SiigItJU/ING9RiIqZFnPKg # rRN8Im8aDUeJgsq74BLF7rZ28SNaG8fHDH2tl4HIRv1wRmXBbRndFEL15MVGL6JH # xtU8gTKpyGb0Ni7XJho/OpWj0TbkaHZBDO1VVDtqDEhyW2kzY9W9pAAvLKpcrR9c # 5n60KUwN62TshJssE+Nw0X7DZV5pDSjIluwWnzZx2SxhxmnKYphOHaAzLq98oh/6 # ggsdjzuKSKpAOlixkjfMoWGr3EGURVbbJf8fyIri9H8TxqUJkXPOJuNcmrp3L3jY # f+f9eDKrGe7oGNYsfH5DmICQZS7LPJsj4WjAOqnBAf0VlqnAn4cgETYwnJgTRjV3 # jICsmf/nt2wjpV5lng7VSQy5jrcxAwS5pINv3rad0/YTl/i6HWMHQZGNp6AgxMz1 # lWvN+AJpCb0espxHgRo+qLlon6V8WqGwXWrG9Pq//XmK/k9NMqyxZ9eq601C51c5 # Fu5S8l1hKLrL82J7pdxzwkKKEEuC2NRwSk8k0n7Rl+emYDs+0ZPnrL23K/jYy7wQ # cu13qJoJLsNRf1K7u5WfQEfhEG6YNqbwh0mqzEEB239Rlz4ZQ0x8JHrJEYs+Yz40 # 69Vs/3/vQmceaL7UxdECAwEAAaOCATYwggEyMB0GA1UdDgQWBBTS3wjZLC5lrSBh # LImLhCqa0c10sjAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNV # HR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Ny # bC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYI # KwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy # MDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0G # CSqGSIb3DQEBCwUAA4ICAQCvYAsQuCFW2ClUARz+c7SXP5H4Erm3C+YU0XlRNbsE # lSqfdkn3fyCLxYBkHMFZQGXPA7mzoU7IZUdn0hXyuvrFM6DDrn/SLShe5t+PPkqW # eOeYiEw8k4BI6l4U5k07wX8hBwOoMRxs1aOe/JNkLHO6krl5j6/GZHrkTRzTsRUU # Jp1FpnUzixiZWyavc0x/imG5yWdrSuccE9ndoq7Qbu1Pxa7swsUm5zNNMunaWGXD # FAnS7s8RxJ1/P3qTtZ0Ja6VE6SeoHpdj7/hPuKJLXV/M89GNFn8HUDmVW5+YK/8D # y7yKHHiiSd+ugAN+pW3PA6OYek0ryW1QKzbrW4P9SXAk+U5faXjBJoitW98+ZERW # 
X387VHvaTWJ4Yo5BmkJ0U27Aal2ggi5j1PYuDxB3DsofM+7ebc4zgJ0GF4u6DQW0 # V4rc/F2zytl2rDQfUGlPtNUymUZVbWJbFqw64je8QsAnMeG1J8ohxjYlea3iLAzG # wime4dbMSyEHoObVvzIN0d9BJ84xVeXKvET176GhY/PS6RTJZiW5PPihZh88F3Je # cEvhlct/FbpQPt+mhDOBQAyqjI1tdBQlBFVX85xWd1JRnUkuxqshXqFwcxKr8GiF # sb9AV7y7TT30fmMTs3gmnojFQt3MdD5Q3M/gBf1TdlhyiPNXTgJhP6iyZHfxKZi2 # czCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQEL # BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV # BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X # DTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM # 57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm # 95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzB # RMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBb # fowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCO # Mcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYw # XE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW # /aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/w # EPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPK # Z6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2 # BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfH # CBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYB # BAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8v # BO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYM # KwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEF # BQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # 
VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW # BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH # AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp # L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsF # AAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518Jx # Nj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+ # iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2 # pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefw # C2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7 # T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFO # Ry3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhL # mm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3L # wUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5 # m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE # 0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIB # ATCB+KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UE # CxMdVGhhbGVzIFRTUyBFU046QUUyQy1FMzJCLTFBRkMxJTAjBgNVBAMTHE1pY3Jv # c29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAND6JppVWWnb # irQx4Ic7QWQ35lb+oIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw # MTAwDQYJKoZIhvcNAQEFBQACBQDnCdCmMCIYDzIwMjIxMDMxMTI0MjE0WhgPMjAy # MjExMDExMjQyMTRaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOcJ0KYCAQAwBwIB # AAICFIswBwIBAAICEV4wCgIFAOcLIiYCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYK # KwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUF # AAOBgQB0oXDzPo/tAnTTxGfkkKAvTI2XJSMhm69MrtPH8bcHlDH5ovLj0D7dPmYk # 
uzAqdWnaGvyWnoAICyIRW0t6REPf98e7UeXdJNH5GbkbN5WuZ+GX2xVzxPHrtFBi # jjqJSug3+gD7/xzMqFKeTXII1IUa4j0+QESj6ohI1SZyXriuqjGCBA0wggQJAgEB # MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABlklbYuEv3fdP # AAEAAAGWMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN # AQkQAQQwLwYJKoZIhvcNAQkEMSIEIApgkzJ8vT1Be0JIF/D49nCsUneW07QtqSKM # h5iRxNOVMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgdgTWAvgdNdOSdkcu # gn52dCQPCX5WUEOrC6RyNy2yvZAwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt # cCBQQ0EgMjAxMAITMwAAAZZJW2LhL933TwABAAABljAiBCBwkQ4mY8zG5iu+1hF9 # kcwM6FzSTyAmou9XIn7qMc9HfjANBgkqhkiG9w0BAQsFAASCAgAwAdNm0v6KbhYW # 0e7TCdWKX+QHhGz50JGDFi8RZi56VZfW6pogOBxje1G6fxQguaiwln79ftlT5Ll+ # YWDUFIofye8jTNJAyi+mz0jI0Njoy0e/7zISuN80UXQIUg8z42MZH5UrOmdpcod4 # m9NhLFgyn1pzd80xXLKVcJ63+HeTXy5TnqX4p8is55wer/BtrkLQ7ts/eERbBgyZ # kDTcoaEkT74Zd7Ackz/6a1mEa/dRPsAOjqpRBtr5GKUML/T5s15yFdy9F5Rs7li4 # Samr9Z7Ajqs5QVq8Qr2tVP+/0h7SABqUBuuqad5FQFpCalFWKfzdHIK+LMiLNt/c # ZtlIY2ZPgLTr7md70HbhKGiTF718LtKLdXCoIeEz7qutiSBN9YvNpfftH8fzq+QZ # IThCWBM7a/bqX5D7VbxrqBHBiis825lUd0yzJrnSrW+dEQ06JyHbuyXaWF6tsHyg # AEkfZqGfjetz+2Luk9tBkRjc8cCY2LPlhMBb6JEc8v9g5P8DsAszKe7gDh/DjWJv # Hy2e5TsGtycyt4G+y2WSuf2pYc3kL79MZ9pvxGw1Fv9dOfHj7o2m08zOqVTI+3DF # EOdVpDCChhELSi09BNa0Bri5ZQbbvf1CeZqR6RVziqkIXuBqSHVKdva23fdU0hPG # izrWbHvm1G7xeHYCpL22zOAxgg0C/Q== # SIG # End signature block |