ssg-nondebian 0.1.31-5 / usr / share / doc / ssg-nondebian / ssg-sl6-guide-default.html

<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta charset="utf-8"></meta><meta http-equiv="X-UA-Compatible" content="IE=edge"></meta><meta name="viewport" content="width=device-width, initial-scale=1"></meta><title>Guide to the Secure Configuration of Red Hat Enterprise Linux 6 | OpenSCAP Security Guide
        </title><style>
/*!
 * Bootstrap v3.3.7 (http://getbootstrap.com)
 * Copyright 2011-2016 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 */

/*!
 * Generated using the Bootstrap Customizer (https://getbootstrap.com/customize/?id=8160adef040364fa8f688f6065765caf)
 * Config saved to config.json and https://gist.github.com/8160adef040364fa8f688f6065765caf
 *//*!
 * Bootstrap v3.3.7 (http://getbootstrap.com)
 * Copyright 2011-2016 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;height:0}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace, monospace;font-size:1em}button,input,optgroup,select,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}input{line-height:normal}input[type="checkbox"],input[type="radio"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type="number"]::-webkit-inner-spin-button,input[type="number"]::-webkit-outer-spin-button{height:auto}input[type="search"]{-webkit-appearance:textfield;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}fieldset{border:1px solid #c0c0c0;margin:0 2px;padding:0.35em 0.625em 0.75em}legend{border:0;padding:0}textarea{overflow:auto}optgroup{font-weight:bold}table{border-collapse:collapse;border-spacing:0}td,th{padding:0}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@media print{*,*:before,*:after{background:transparent !important;color:#000 !important;-webkit-box-shadow:none !important;box-shadow:none !important;text-shadow:none !important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="#"]:after,a[href^="javascript:"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100% !important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000 !important}.label{border:1px solid #000}.table{border-collapse:collapse !important}.table td,.table th{background-color:#fff !important}.table-bordered th,.table-bordered td{border:1px solid #ddd !important}}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive{display:block;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out;display:inline-block;max-width:100%;height:auto}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;margin:-1px;padding:0;overflow:hidden;clip:rect(0, 0, 0, 0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}[role="button"]{cursor:pointer}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:normal;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}mark,.mark{background-color:#fcf8e3;padding:.2em}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover,a.text-primary:focus{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover,a.text-success:focus{color:#2b542c}.text-info{color:#31708f}a.text-info:hover,a.text-info:focus{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover,a.text-warning:focus{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover,a.text-danger:focus{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover,a.bg-primary:focus{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover,a.bg-success:focus{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover,a.bg-info:focus{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover,a.bg-warning:focus{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover,a.bg-danger:focus{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none;margin-left:-5px}.list-inline>li{display:inline-block;padding-left:5px;padding-right:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:bold}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;clear:left;text-align:right;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0;text-align:right}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.25)}kbd kbd{padding:0;font-size:100%;font-weight:bold;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;word-break:break-all;word-wrap:break-word;color:#333;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{margin-right:auto;margin-left:auto;padding-left:15px;padding-right:15px}.row{margin-left:-15px;margin-right:-15px}.col-xs-1, .col-sm-1, .col-md-1, .col-lg-1, .col-xs-2, .col-sm-2, .col-md-2, .col-lg-2, .col-xs-3, .col-sm-3, .col-md-3, .col-lg-3, .col-xs-4, .col-sm-4, .col-md-4, .col-lg-4, .col-xs-5, .col-sm-5, .col-md-5, .col-lg-5, .col-xs-6, .col-sm-6, .col-md-6, .col-lg-6, .col-xs-7, .col-sm-7, .col-md-7, .col-lg-7, .col-xs-8, .col-sm-8, .col-md-8, .col-lg-8, .col-xs-9, .col-sm-9, .col-md-9, .col-lg-9, .col-xs-10, .col-sm-10, .col-md-10, .col-lg-10, .col-xs-11, .col-sm-11, .col-md-11, .col-lg-11, .col-xs-12, .col-sm-12, .col-md-12, .col-lg-12{position:relative;min-height:1px;padding-left:15px;padding-right:15px}.col-xs-1, .col-xs-2, .col-xs-3, .col-xs-4, .col-xs-5, .col-xs-6, .col-xs-7, .col-xs-8, .col-xs-9, .col-xs-10, .col-xs-11, .col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1, .col-sm-2, .col-sm-3, .col-sm-4, .col-sm-5, .col-sm-6, .col-sm-7, .col-sm-8, .col-sm-9, .col-sm-10, .col-sm-11, .col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1, .col-md-2, .col-md-3, .col-md-4, .col-md-5, .col-md-6, .col-md-7, .col-md-8, .col-md-9, .col-md-10, .col-md-11, .col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1, .col-lg-2, .col-lg-3, .col-lg-4, .col-lg-5, .col-lg-6, .col-lg-7, .col-lg-8, .col-lg-9, .col-lg-10, .col-lg-11, .col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}caption{padding-top:8px;padding-bottom:8px;color:#777;text-align:left}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-of-type(odd){background-color:#f9f9f9}.table-hover>tbody>tr:hover{background-color:#f5f5f5}table col[class*="col-"]{position:static;float:none;display:table-column}table td[class*="col-"],table th[class*="col-"]{position:static;float:none;display:table-cell}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}.table-responsive{overflow-x:auto;min-height:0.01%}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-y:hidden;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0;min-width:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}input[type="range"]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type="file"]:focus,input[type="radio"]:focus,input[type="checkbox"]:focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border-color ease-in-out .15s, -webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s, box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s, box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075), 0 0 8px rgba(102, 175, 233, 0.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control::-ms-expand{border:0;background-color:transparent}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{background-color:#eee;opacity:1}.form-control[disabled],fieldset[disabled] .form-control{cursor:not-allowed}textarea.form-control{height:auto}input[type="search"]{-webkit-appearance:none}@media screen and (-webkit-min-device-pixel-ratio:0){input[type="date"].form-control,input[type="time"].form-control,input[type="datetime-local"].form-control,input[type="month"].form-control{line-height:34px}input[type="date"].input-sm,input[type="time"].input-sm,input[type="datetime-local"].input-sm,input[type="month"].input-sm,.input-group-sm input[type="date"],.input-group-sm input[type="time"],.input-group-sm input[type="datetime-local"],.input-group-sm input[type="month"]{line-height:30px}input[type="date"].input-lg,input[type="time"].input-lg,input[type="datetime-local"].input-lg,input[type="month"].input-lg,.input-group-lg input[type="date"],.input-group-lg input[type="time"],.input-group-lg input[type="datetime-local"],.input-group-lg input[type="month"]{line-height:46px}}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{min-height:20px;padding-left:20px;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type="radio"],.radio-inline input[type="radio"],.checkbox input[type="checkbox"],.checkbox-inline input[type="checkbox"]{position:absolute;margin-left:-20px;margin-top:4px \9}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{position:relative;display:inline-block;padding-left:20px;margin-bottom:0;vertical-align:middle;font-weight:normal;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type="radio"][disabled],input[type="checkbox"][disabled],input[type="radio"].disabled,input[type="checkbox"].disabled,fieldset[disabled] input[type="radio"],fieldset[disabled] input[type="checkbox"]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0;min-height:34px}.form-control-static.input-lg,.form-control-static.input-sm{padding-left:0;padding-right:0}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.form-group-sm select.form-control{height:30px;line-height:30px}.form-group-sm textarea.form-control,.form-group-sm select[multiple].form-control{height:auto}.form-group-sm .form-control-static{height:30px;min-height:32px;padding:6px 10px;font-size:12px;line-height:1.5}.input-lg{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.form-group-lg select.form-control{height:46px;line-height:46px}.form-group-lg textarea.form-control,.form-group-lg select[multiple].form-control{height:auto}.form-group-lg .form-control-static{height:46px;min-height:38px;padding:11px 16px;font-size:18px;line-height:1.33}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:0;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center;pointer-events:none}.input-lg+.form-control-feedback,.input-group-lg+.form-control-feedback,.form-group-lg .form-control+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback,.input-group-sm+.form-control-feedback,.form-group-sm .form-control+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline,.has-success.radio label,.has-success.checkbox label,.has-success.radio-inline label,.has-success.checkbox-inline label{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;border-color:#3c763d;background-color:#dff0d8}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline,.has-warning.radio label,.has-warning.checkbox label,.has-warning.radio-inline label,.has-warning.checkbox-inline label{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;border-color:#8a6d3b;background-color:#fcf8e3}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline,.has-error.radio label,.has-error.checkbox label,.has-error.radio-inline label,.has-error.checkbox-inline label{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;border-color:#a94442;background-color:#f2dede}.has-error .form-control-feedback{color:#a94442}.has-feedback label~.form-control-feedback{top:25px}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-static{display:inline-block}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type="radio"],.form-inline .checkbox input[type="checkbox"]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{margin-top:0;margin-bottom:0;padding-top:7px}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-left:-15px;margin-right:-15px}@media (min-width:768px){.form-horizontal .control-label{text-align:right;margin-bottom:0;padding-top:7px}}.form-horizontal .has-feedback .form-control-feedback{right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:11px;font-size:18px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px;font-size:12px}}.btn{display:inline-block;margin-bottom:0;font-weight:normal;text-align:center;vertical-align:middle;-ms-touch-action:manipulation;touch-action:manipulation;cursor:pointer;background-image:none;border:1px solid transparent;white-space:nowrap;padding:6px 12px;font-size:14px;line-height:1.42857143;border-radius:4px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none}.btn:focus,.btn:active:focus,.btn.active:focus,.btn.focus,.btn:active.focus,.btn.active.focus{outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus,.btn.focus{color:#333;text-decoration:none}.btn:active,.btn.active{outline:0;background-image:none;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{cursor:not-allowed;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none}a.btn.disabled,fieldset[disabled] a.btn{pointer-events:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:focus,.btn-default.focus{color:#333;background-color:#e6e6e6;border-color:#8c8c8c}.btn-default:hover{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active:hover,.btn-default.active:hover,.open>.dropdown-toggle.btn-default:hover,.btn-default:active:focus,.btn-default.active:focus,.open>.dropdown-toggle.btn-default:focus,.btn-default:active.focus,.btn-default.active.focus,.open>.dropdown-toggle.btn-default.focus{color:#333;background-color:#d4d4d4;border-color:#8c8c8c}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled.focus,.btn-default[disabled].focus,fieldset[disabled] .btn-default.focus{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#3071a9;border-color:#193c5a}.btn-primary:hover{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active:hover,.btn-primary.active:hover,.open>.dropdown-toggle.btn-primary:hover,.btn-primary:active:focus,.btn-primary.active:focus,.open>.dropdown-toggle.btn-primary:focus,.btn-primary:active.focus,.btn-primary.active.focus,.open>.dropdown-toggle.btn-primary.focus{color:#fff;background-color:#285e8e;border-color:#193c5a}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled.focus,.btn-primary[disabled].focus,fieldset[disabled] .btn-primary.focus{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active:hover,.btn-success.active:hover,.open>.dropdown-toggle.btn-success:hover,.btn-success:active:focus,.btn-success.active:focus,.open>.dropdown-toggle.btn-success:focus,.btn-success:active.focus,.btn-success.active.focus,.open>.dropdown-toggle.btn-success.focus{color:#fff;background-color:#398439;border-color:#255625}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled.focus,.btn-success[disabled].focus,fieldset[disabled] .btn-success.focus{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active:hover,.btn-info.active:hover,.open>.dropdown-toggle.btn-info:hover,.btn-info:active:focus,.btn-info.active:focus,.open>.dropdown-toggle.btn-info:focus,.btn-info:active.focus,.btn-info.active.focus,.open>.dropdown-toggle.btn-info.focus{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled.focus,.btn-info[disabled].focus,fieldset[disabled] .btn-info.focus{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{background-color:#080808;color:#fff}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;color:#fff;line-height:1;vertical-align:middle;white-space:nowrap;text-align:center;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge,.btn-group-xs>.btn .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}.nav-pills>li>a>.badge{margin-left:3px}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{background-color:#dff0d8;border-color:#d6e9c6;color:#3c763d}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{background-color:#d9edf7;border-color:#bce8f1;color:#31708f}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{background-color:#fcf8e3;border-color:#faebcc;color:#8a6d3b}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{background-color:#f2dede;border-color:#ebccd1;color:#a94442}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{overflow:hidden;height:20px;margin-bottom:20px;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0%;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:-o-linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent);background-image:linear-gradient(45deg, rgba(255,255,255,0.15) 25%, transparent 25%, transparent 50%, rgba(255,255,255,0.15) 50%, rgba(255,255,255,0.15) 75%, transparent 75%, transparent)}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a,.panel-title>small,.panel-title>.small,.panel-title>small>a,.panel-title>.small>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group,.panel>.panel-collapse>.list-group{margin-bottom:0}.panel>.list-group .list-group-item,.panel>.panel-collapse>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child,.panel>.panel-collapse>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-right-radius:3px;border-top-left-radius:3px}.panel>.list-group:last-child .list-group-item:last-child,.panel>.panel-collapse>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.panel-heading+.panel-collapse>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table caption,.panel>.table-responsive>.table caption,.panel>.panel-collapse>.table caption{padding-left:15px;padding-right:15px}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-right-radius:3px;border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child{border-bottom-left-radius:3px;border-bottom-right-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive,.panel>.table+.panel-body,.panel>.table-responsive+.panel-body{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{border:0;margin-bottom:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body,.panel-group .panel-heading+.panel-collapse>.list-group{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.modal-open{overflow:hidden}.modal{display:none;overflow:hidden;position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transform:translate(0, -25%);-ms-transform:translate(0, -25%);-o-transform:translate(0, -25%);transform:translate(0, -25%);-webkit-transition:-webkit-transform 0.3s ease-out;-o-transition:-o-transform 0.3s ease-out;transition:transform 0.3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0, 0);-ms-transform:translate(0, 0);-o-transform:translate(0, 0);transform:translate(0, 0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);-webkit-background-clip:padding-box;background-clip:padding-box;outline:0}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-left:5px;margin-bottom:0}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.panel-body:before,.panel-body:after,.modal-header:before,.modal-header:after,.modal-footer:before,.modal-footer:after{content:" ";display:table}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.panel-body:after,.modal-header:after,.modal-footer:after{clear:both}.center-block{display:block;margin-left:auto;margin-right:auto}.pull-right{float:right !important}.pull-left{float:left !important}.hide{display:none !important}.show{display:block !important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none !important}.affix{position:fixed}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none !important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none !important}@media (max-width:767px){.visible-xs{display:block !important}table.visible-xs{display:table !important}tr.visible-xs{display:table-row !important}th.visible-xs,td.visible-xs{display:table-cell !important}}@media (max-width:767px){.visible-xs-block{display:block !important}}@media (max-width:767px){.visible-xs-inline{display:inline !important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block !important}table.visible-sm{display:table !important}tr.visible-sm{display:table-row !important}th.visible-sm,td.visible-sm{display:table-cell !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline !important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block !important}table.visible-md{display:table !important}tr.visible-md{display:table-row !important}th.visible-md,td.visible-md{display:table-cell !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline !important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block !important}}@media (min-width:1200px){.visible-lg{display:block !important}table.visible-lg{display:table !important}tr.visible-lg{display:table-row !important}th.visible-lg,td.visible-lg{display:table-cell !important}}@media (min-width:1200px){.visible-lg-block{display:block !important}}@media (min-width:1200px){.visible-lg-inline{display:inline !important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block !important}}@media (max-width:767px){.hidden-xs{display:none !important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none !important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none !important}}@media (min-width:1200px){.hidden-lg{display:none !important}}.visible-print{display:none !important}@media print{.visible-print{display:block !important}table.visible-print{display:table !important}tr.visible-print{display:table-row !important}th.visible-print,td.visible-print{display:table-cell !important}}.visible-print-block{display:none !important}@media print{.visible-print-block{display:block !important}}.visible-print-inline{display:none !important}@media print{.visible-print-inline{display:inline !important}}.visible-print-inline-block{display:none !important}@media print{.visible-print-inline-block{display:inline-block !important}}@media print{.hidden-print{display:none !important}}table.treetable span.indenter{display:inline-block;text-align:right;user-select:none;-khtml-user-select:none;-moz-user-select:none;-o-user-select:none;-webkit-user-select:none;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;width:19px;margin:0;padding:0;}table.treetable span.indenter a{background-position:left center;background-repeat:no-repeat;display:inline-block;text-decoration:none;width:19px;}table.treetable tr.collapsed span.indenter a{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHlJREFUeNrcU1sNgDAQ6wgmcAM2MICGGlg1gJnNzWQcvwQGy1j4oUl/7tH0mpwzM7SgQyO+EZAUWh2MkkzSWhJwuRAlHYsJwEwyvs1gABDuzqoJcTw5qxaIJN0bgQRgIjnlmn1heSO5PE6Y2YXe+5Cr5+h++gs12AcAS6FS+7YOsj4AAAAASUVORK5CYII=);}table.treetable tr.expanded span.indenter a{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3SPVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKaRptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfVP1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i/suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADqYAAAOpgAABdvkl/FRgAAAHFJREFUeNpi/P//PwMlgImBQsA44C6gvhfa29v3MzAwOODRc6CystIRbxi0t7fjDJjKykpGYrwwi1hxnLHQ3t7+jIGBQRJJ6HllZaUUKYEYRYBPOB0gBShKwKGA////48VtbW3/8clTnBIH3gCKkzJgAGvBX0dDm0sCAAAAAElFTkSuQmCC);}table.treetable tr.branch{background-color:#f9f9f9;}table.treetable tr.selected{background-color:#3875d7;color:#fff;}table.treetable tr span.indenter a{outline:none;}tr.rule-overview-needs-attention td a{color:#d9534f;}td.rule-result div,span.rule-result{text-align:center;font-weight:700;color:#fff;background:gray;}td.rule-result-unknown div,span.rule-result-unknown{background:#f0ad4e;}.js-only{display:none;}.rule-detail-fail,.rule-detail-error,.rule-detail-unknown{border:2px solid #d9534f;}#footer{text-align:center;margin-top:50px;}pre{overflow:auto!important;word-wrap:normal!important;white-space:pre-wrap;}div.check-system-details,div.remediation,div.description{display:inline-block;width:0;min-width:100%;overflow-x:auto;}div.modal-body{margin:50px;padding:0;}div.horizontal-scroll{overflow-x:auto;}div.top-spacer-10{margin-top:10px;}td.rule-result-fail div,span.rule-result-fail,td.rule-result-error div,span.rule-result-error{background:#d9534f;}td.rule-result-pass div,span.rule-result-pass,td.rule-result-fixed div,span.rule-result-fixed{background:#5cb85c;}.rule-result-filtered,.rule-result-filtered > *,.search-no-match,.search-no-match > *{display:none!important;}@media print{.container{width:100%;}.rule-result abbr[title]:after,.identifiers abbr[title]:after,.identifiers a[href]:after{content:"";}}</style><script>
/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.toString,k=i.hasOwnProperty,l={},m="1.12.4",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return e.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a){return n.each(this,a)},map:function(a){return this.pushStack(n.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(e.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c=+a+(0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor()},push:g,sort:c.sort,splice:c.splice},n.extend=n.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h++),"object"==typeof g||n.isFunction(g)||(g={}),h===i&&(g=this,h--);i>h;h++)if(null!=(e=arguments[h]))for(d in e)a=g[d],c=e[d],g!==c&&(j&&c&&(n.isPlainObject(c)||(b=n.isArray(c)))?(b?(b=!1,f=a&&n.isArray(a)?a:[]):f=a&&n.isPlainObject(a)?a:{},g[d]=n.extend(j,f,c)):void 0!==c&&(g[d]=c));return g},n.extend({expando:"jQuery"+(m+Math.random()).replace(/\D/g,""),isReady:!0,error:function(a){throw new Error(a)},noop:function(){},isFunction:function(a){return"function"===n.type(a)},isArray:Array.isArray||function(a){return"array"===n.type(a)},isWindow:function(a){return null!=a&&a==a.window},isNumeric:function(a){var b=a&&a.toString();return!n.isArray(a)&&b-parseFloat(b)+1>=0},isEmptyObject:function(a){var b;for(b in a)return!1;return!0},isPlainObject:function(a){var b;if(!a||"object"!==n.type(a)||a.nodeType||n.isWindow(a))return!1;try{if(a.constructor&&!k.call(a,"constructor")&&!k.call(a.constructor.prototype,"isPrototypeOf"))return!1}catch(c){return!1}if(!l.ownFirst)for(b in a)return k.call(a,b);for(b in a);return void 0===b||k.call(a,b)},type:function(a){return null==a?a+"":"object"==typeof a||"function"==typeof a?i[j.call(a)]||"object":typeof a},globalEval:function(b){b&&n.trim(b)&&(a.execScript||function(b){a.eval.call(a,b)})(b)},camelCase:function(a){return a.replace(p,"ms-").replace(q,r)},nodeName:function(a,b){return a.nodeName&&a.nodeName.toLowerCase()===b.toLowerCase()},each:function(a,b){var c,d=0;if(s(a)){for(c=a.length;c>d;d++)if(b.call(a[d],d,a[d])===!1)break}else for(d in a)if(b.call(a[d],d,a[d])===!1)break;return a},trim:function(a){return null==a?"":(a+"").replace(o,"")},makeArray:function(a,b){var c=b||[];return null!=a&&(s(Object(a))?n.merge(c,"string"==typeof a?[a]:a):g.call(c,a)),c},inArray:function(a,b,c){var d;if(b){if(h)return h.call(b,a,c);for(d=b.length,c=c?0>c?Math.max(0,d+c):c:0;d>c;c++)if(c in b&&b[c]===a)return c}return-1},merge:function(a,b){var c=+b.length,d=0,e=a.length;while(c>d)a[e++]=b[d++];if(c!==c)while(void 0!==b[d])a[e++]=b[d++];return a.length=e,a},grep:function(a,b,c){for(var d,e=[],f=0,g=a.length,h=!c;g>f;f++)d=!b(a[f],f),d!==h&&e.push(a[f]);return e},map:function(a,b,c){var d,e,g=0,h=[];if(s(a))for(d=a.length;d>g;g++)e=b(a[g],g,c),null!=e&&h.push(e);else for(g in a)e=b(a[g],g,c),null!=e&&h.push(e);return f.apply([],h)},guid:1,proxy:function(a,b){var c,d,f;return"string"==typeof b&&(f=a[b],b=a,a=f),n.isFunction(a)?(c=e.call(arguments,2),d=function(){return a.apply(b||this,c.concat(e.call(arguments)))},d.guid=a.guid=a.guid||n.guid++,d):void 0},now:function(){return+new Date},support:l}),"function"==typeof Symbol&&(n.fn[Symbol.iterator]=c[Symbol.iterator]),n.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(a,b){i["[object "+b+"]"]=b.toLowerCase()});function s(a){var b=!!a&&"length"in a&&a.length,c=n.type(a);return"function"===c||n.isWindow(a)?!1:"array"===c||0===b||"number"==typeof b&&b>0&&b-1 in a}var t=function(a){var b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u="sizzle"+1*new Date,v=a.document,w=0,x=0,y=ga(),z=ga(),A=ga(),B=function(a,b){return a===b&&(l=!0),0},C=1<<31,D={}.hasOwnProperty,E=[],F=E.pop,G=E.push,H=E.push,I=E.slice,J=function(a,b){for(var c=0,d=a.length;d>c;c++)if(a[c]===b)return c;return-1},K="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",L="[\\x20\\t\\r\\n\\f]",M="(?:\\\\.|[\\w-]|[^\\x00-\\xa0])+",N="\\["+L+"*("+M+")(?:"+L+"*([*^$|!~]?=)"+L+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+L+"*\\]",O=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+N+")*)|.*)\\)|)",P=new RegExp(L+"+","g"),Q=new RegExp("^"+L+"+|((?:^|[^\\\\])(?:\\\\.)*)"+L+"+$","g"),R=new RegExp("^"+L+"*,"+L+"*"),S=new RegExp("^"+L+"*([>+~]|"+L+")"+L+"*"),T=new RegExp("="+L+"*([^\\]'\"]*?)"+L+"*\\]","g"),U=new RegExp(O),V=new RegExp("^"+M+"$"),W={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+N),PSEUDO:new RegExp("^"+O),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+L+"*(even|odd|(([+-]|)(\\d*)n|)"+L+"*(?:([+-]|)"+L+"*(\\d+)|))"+L+"*\\)|)","i"),bool:new RegExp("^(?:"+K+")$","i"),needsContext:new RegExp("^"+L+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+L+"*((?:-\\d)?\\d*)"+L+"*\\)|)(?=[^-]|$)","i")},X=/^(?:input|select|textarea|button)$/i,Y=/^h\d$/i,Z=/^[^{]+\{\s*\[native \w/,$=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,_=/[+~]/,aa=/'|\\/g,ba=new RegExp("\\\\([\\da-f]{1,6}"+L+"?|("+L+")|.)","ig"),ca=function(a,b,c){var d="0x"+b-65536;return d!==d||c?b:0>d?String.fromCharCode(d+65536):String.fromCharCode(d>>10|55296,1023&d|56320)},da=function(){m()};try{H.apply(E=I.call(v.childNodes),v.childNodes),E[v.childNodes.length].nodeType}catch(ea){H={apply:E.length?function(a,b){G.apply(a,I.call(b))}:function(a,b){var c=a.length,d=0;while(a[c++]=b[d++]);a.length=c-1}}}function fa(a,b,d,e){var f,h,j,k,l,o,r,s,w=b&&b.ownerDocument,x=b?b.nodeType:9;if(d=d||[],"string"!=typeof a||!a||1!==x&&9!==x&&11!==x)return d;if(!e&&((b?b.ownerDocument||b:v)!==n&&m(b),b=b||n,p)){if(11!==x&&(o=$.exec(a)))if(f=o[1]){if(9===x){if(!(j=b.getElementById(f)))return d;if(j.id===f)return d.push(j),d}else if(w&&(j=w.getElementById(f))&&t(b,j)&&j.id===f)return d.push(j),d}else{if(o[2])return H.apply(d,b.getElementsByTagName(a)),d;if((f=o[3])&&c.getElementsByClassName&&b.getElementsByClassName)return H.apply(d,b.getElementsByClassName(f)),d}if(c.qsa&&!A[a+" "]&&(!q||!q.test(a))){if(1!==x)w=b,s=a;else if("object"!==b.nodeName.toLowerCase()){(k=b.getAttribute("id"))?k=k.replace(aa,"\\$&"):b.setAttribute("id",k=u),r=g(a),h=r.length,l=V.test(k)?"#"+k:"[id='"+k+"']";while(h--)r[h]=l+" "+qa(r[h]);s=r.join(","),w=_.test(a)&&oa(b.parentNode)||b}if(s)try{return H.apply(d,w.querySelectorAll(s)),d}catch(y){}finally{k===u&&b.removeAttribute("id")}}}return i(a.replace(Q,"$1"),b,d,e)}function ga(){var a=[];function b(c,e){return a.push(c+" ")>d.cacheLength&&delete b[a.shift()],b[c+" "]=e}return b}function ha(a){return a[u]=!0,a}function ia(a){var b=n.createElement("div");try{return!!a(b)}catch(c){return!1}finally{b.parentNode&&b.parentNode.removeChild(b),b=null}}function ja(a,b){var c=a.split("|"),e=c.length;while(e--)d.attrHandle[c[e]]=b}function ka(a,b){var c=b&&a,d=c&&1===a.nodeType&&1===b.nodeType&&(~b.sourceIndex||C)-(~a.sourceIndex||C);if(d)return d;if(c)while(c=c.nextSibling)if(c===b)return-1;return a?1:-1}function la(a){return function(b){var c=b.nodeName.toLowerCase();return"input"===c&&b.type===a}}function ma(a){return function(b){var c=b.nodeName.toLowerCase();return("input"===c||"button"===c)&&b.type===a}}function na(a){return ha(function(b){return b=+b,ha(function(c,d){var e,f=a([],c.length,b),g=f.length;while(g--)c[e=f[g]]&&(c[e]=!(d[e]=c[e]))})})}function oa(a){return a&&"undefined"!=typeof a.getElementsByTagName&&a}c=fa.support={},f=fa.isXML=function(a){var b=a&&(a.ownerDocument||a).documentElement;return b?"HTML"!==b.nodeName:!1},m=fa.setDocument=function(a){var b,e,g=a?a.ownerDocument||a:v;return g!==n&&9===g.nodeType&&g.documentElement?(n=g,o=n.documentElement,p=!f(n),(e=n.defaultView)&&e.top!==e&&(e.addEventListener?e.addEventListener("unload",da,!1):e.attachEvent&&e.attachEvent("onunload",da)),c.attributes=ia(function(a){return a.className="i",!a.getAttribute("className")}),c.getElementsByTagName=ia(function(a){return a.appendChild(n.createComment("")),!a.getElementsByTagName("*").length}),c.getElementsByClassName=Z.test(n.getElementsByClassName),c.getById=ia(function(a){return o.appendChild(a).id=u,!n.getElementsByName||!n.getElementsByName(u).length}),c.getById?(d.find.ID=function(a,b){if("undefined"!=typeof b.getElementById&&p){var c=b.getElementById(a);return c?[c]:[]}},d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){return a.getAttribute("id")===b}}):(delete d.find.ID,d.filter.ID=function(a){var b=a.replace(ba,ca);return function(a){var c="undefined"!=typeof a.getAttributeNode&&a.getAttributeNode("id");return c&&c.value===b}}),d.find.TAG=c.getElementsByTagName?function(a,b){return"undefined"!=typeof b.getElementsByTagName?b.getElementsByTagName(a):c.qsa?b.querySelectorAll(a):void 0}:function(a,b){var c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return n.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||(e=n.uniqueSort(e)),D.test(a)&&(e=e.reverse())),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:"")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){n.each(b,function(b,c){n.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&"string"!==n.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return n.each(arguments,function(a,b){var c;while((c=n.inArray(b,f,c))>-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=!0,c||j.disable(),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.addEventListener?(d.removeEventListener("DOMContentLoaded",K),a.removeEventListener("load",K)):(d.detachEvent("onreadystatechange",K),a.detachEvent("onload",K))}function K(){(d.addEventListener||"load"===a.event.type||"complete"===d.readyState)&&(J(),n.ready())}n.ready.promise=function(b){if(!I)if(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll)a.setTimeout(n.ready);else if(d.addEventListener)d.addEventListener("DOMContentLoaded",K),a.addEventListener("load",K);else{d.attachEvent("onreadystatechange",K),a.attachEvent("onload",K);var c=!1;try{c=null==a.frameElement&&d.documentElement}catch(e){}c&&c.doScroll&&!function f(){if(!n.isReady){try{c.doScroll("left")}catch(b){return a.setTimeout(f,50)}J(),n.ready()}}()}return I.promise(b)},n.ready.promise();var L;for(L in n(l))break;l.ownFirst="0"===L,l.inlineBlockNeedsLayout=!1,n(function(){var a,b,c,e;c=d.getElementsByTagName("body")[0],c&&c.style&&(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",l.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(e))}),function(){var a=d.createElement("div");l.deleteExpando=!0;try{delete a.test}catch(b){l.deleteExpando=!1}a=null}();var M=function(a){var b=n.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b},N=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,O=/([A-Z])/g;function P(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(O,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:N.test(c)?n.parseJSON(c):c}catch(e){}n.data(a,b,c)}else c=void 0;
}return c}function Q(a){var b;for(b in a)if(("data"!==b||!n.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function R(a,b,d,e){if(M(a)){var f,g,h=n.expando,i=a.nodeType,j=i?n.cache:a,k=i?a[h]:a[h]&&h;if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||n.guid++:h),j[k]||(j[k]=i?{}:{toJSON:n.noop}),"object"!=typeof b&&"function"!=typeof b||(e?j[k]=n.extend(j[k],b):j[k].data=n.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 0!==d&&(g[n.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[n.camelCase(b)])):f=g,f}}function S(a,b,c){if(M(a)){var d,e,f=a.nodeType,g=f?n.cache:a,h=f?a[n.expando]:n.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){n.isArray(b)?b=b.concat(n.map(b,n.camelCase)):b in d?b=[b]:(b=n.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!Q(d):!n.isEmptyObject(d))return}(c||(delete g[h].data,Q(g[h])))&&(f?n.cleanData([a],!0):l.deleteExpando||g!=g.window?delete g[h]:g[h]=void 0)}}}n.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?n.cache[a[n.expando]]:a[n.expando],!!a&&!Q(a)},data:function(a,b,c){return R(a,b,c)},removeData:function(a,b){return S(a,b)},_data:function(a,b,c){return R(a,b,c,!0)},_removeData:function(a,b){return S(a,b,!0)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=n.data(f),1===f.nodeType&&!n._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),P(f,d,e[d])));n._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){n.data(this,a)}):arguments.length>1?this.each(function(){n.data(this,a,b)}):f?P(f,a,n.data(f,a)):void 0},removeData:function(a){return this.each(function(){n.removeData(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=n._data(a,b),c&&(!d||n.isArray(c)?d=n._data(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return n._data(a,c)||n._data(a,c,{empty:n.Callbacks("once memory").add(function(){n._removeData(a,b+"queue"),n._removeData(a,c)})})}}),n.fn.extend({queue:function(a,b){var c=2;return"string"!=typeof a&&(b=a,a="fx",c--),arguments.length<c?n.queue(this[0],a):void 0===b?this:this.each(function(){var c=n.queue(this,a,b);n._queueHooks(this,a),"fx"===a&&"inprogress"!==c[0]&&n.dequeue(this,a)})},dequeue:function(a){return this.each(function(){n.dequeue(this,a)})},clearQueue:function(a){return this.queue(a||"fx",[])},promise:function(a,b){var c,d=1,e=n.Deferred(),f=this,g=this.length,h=function(){--d||e.resolveWith(f,[f])};"string"!=typeof a&&(b=a,a=void 0),a=a||"fx";while(g--)c=n._data(f[g],a+"queueHooks"),c&&c.empty&&(d++,c.empty.add(h));return h(),e.promise(b)}}),function(){var a;l.shrinkWrapBlocks=function(){if(null!=a)return a;a=!1;var b,c,e;return c=d.getElementsByTagName("body")[0],c&&c.style?(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:1px;width:1px;zoom:1",b.appendChild(d.createElement("div")).style.width="5px",a=3!==b.offsetWidth),c.removeChild(e),a):void 0}}();var T=/[+-]?(?:\d*\.|)\d+(?:[eE][+-]?\d+|)/.source,U=new RegExp("^(?:([+-])=|)("+T+")([a-z%]*)$","i"),V=["Top","Right","Bottom","Left"],W=function(a,b){return a=b||a,"none"===n.css(a,"display")||!n.contains(a.ownerDocument,a)};function X(a,b,c,d){var e,f=1,g=20,h=d?function(){return d.cur()}:function(){return n.css(a,b,"")},i=h(),j=c&&c[3]||(n.cssNumber[b]?"":"px"),k=(n.cssNumber[b]||"px"!==j&&+i)&&U.exec(n.css(a,b));if(k&&k[3]!==j){j=j||k[3],c=c||[],k=+i||1;do f=f||".5",k/=f,n.style(a,b,k+j);while(f!==(f=h()/i)&&1!==f&&--g)}return c&&(k=+k||+i||0,e=c[1]?k+(c[1]+1)*c[2]:+c[2],d&&(d.unit=j,d.start=k,d.end=e)),e}var Y=function(a,b,c,d,e,f,g){var h=0,i=a.length,j=null==c;if("object"===n.type(c)){e=!0;for(h in c)Y(a,b,h,c[h],!0,f,g)}else if(void 0!==d&&(e=!0,n.isFunction(d)||(g=!0),j&&(g?(b.call(a,d),b=null):(j=b,b=function(a,b,c){return j.call(n(a),c)})),b))for(;i>h;h++)b(a[h],c,g?d:d.call(a[h],h,b(a[h],c)));return e?a:j?b.call(a):i?b(a[0],c):f},Z=/^(?:checkbox|radio)$/i,$=/<([\w:-]+)/,_=/^$|\/(?:java|ecma)script/i,aa=/^\s+/,ba="abbr|article|aside|audio|bdi|canvas|data|datalist|details|dialog|figcaption|figure|footer|header|hgroup|main|mark|meter|nav|output|picture|progress|section|summary|template|time|video";function ca(a){var b=ba.split("|"),c=a.createDocumentFragment();if(c.createElement)while(b.length)c.createElement(b.pop());return c}!function(){var a=d.createElement("div"),b=d.createDocumentFragment(),c=d.createElement("input");a.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",l.leadingWhitespace=3===a.firstChild.nodeType,l.tbody=!a.getElementsByTagName("tbody").length,l.htmlSerialize=!!a.getElementsByTagName("link").length,l.html5Clone="<:nav></:nav>"!==d.createElement("nav").cloneNode(!0).outerHTML,c.type="checkbox",c.checked=!0,b.appendChild(c),l.appendChecked=c.checked,a.innerHTML="<textarea>x</textarea>",l.noCloneChecked=!!a.cloneNode(!0).lastChild.defaultValue,b.appendChild(a),c=d.createElement("input"),c.setAttribute("type","radio"),c.setAttribute("checked","checked"),c.setAttribute("name","t"),a.appendChild(c),l.checkClone=a.cloneNode(!0).cloneNode(!0).lastChild.checked,l.noCloneEvent=!!a.addEventListener,a[n.expando]=1,l.attributes=!a.getAttribute(n.expando)}();var da={option:[1,"<select multiple='multiple'>","</select>"],legend:[1,"<fieldset>","</fieldset>"],area:[1,"<map>","</map>"],param:[1,"<object>","</object>"],thead:[1,"<table>","</table>"],tr:[2,"<table><tbody>","</tbody></table>"],col:[2,"<table><tbody></tbody><colgroup>","</colgroup></table>"],td:[3,"<table><tbody><tr>","</tr></tbody></table>"],_default:l.htmlSerialize?[0,"",""]:[1,"X<div>","</div>"]};da.optgroup=da.option,da.tbody=da.tfoot=da.colgroup=da.caption=da.thead,da.th=da.td;function ea(a,b){var c,d,e=0,f="undefined"!=typeof a.getElementsByTagName?a.getElementsByTagName(b||"*"):"undefined"!=typeof a.querySelectorAll?a.querySelectorAll(b||"*"):void 0;if(!f)for(f=[],c=a.childNodes||a;null!=(d=c[e]);e++)!b||n.nodeName(d,b)?f.push(d):n.merge(f,ea(d,b));return void 0===b||b&&n.nodeName(a,b)?n.merge([a],f):f}function fa(a,b){for(var c,d=0;null!=(c=a[d]);d++)n._data(c,"globalEval",!b||n._data(b[d],"globalEval"))}var ga=/<|&#?\w+;/,ha=/<tbody/i;function ia(a){Z.test(a.type)&&(a.defaultChecked=a.checked)}function ja(a,b,c,d,e){for(var f,g,h,i,j,k,m,o=a.length,p=ca(b),q=[],r=0;o>r;r++)if(g=a[r],g||0===g)if("object"===n.type(g))n.merge(q,g.nodeType?[g]:g);else if(ga.test(g)){i=i||p.appendChild(b.createElement("div")),j=($.exec(g)||["",""])[1].toLowerCase(),m=da[j]||da._default,i.innerHTML=m[1]+n.htmlPrefilter(g)+m[2],f=m[0];while(f--)i=i.lastChild;if(!l.leadingWhitespace&&aa.test(g)&&q.push(b.createTextNode(aa.exec(g)[0])),!l.tbody){g="table"!==j||ha.test(g)?"<table>"!==m[1]||ha.test(g)?0:i:i.firstChild,f=g&&g.childNodes.length;while(f--)n.nodeName(k=g.childNodes[f],"tbody")&&!k.childNodes.length&&g.removeChild(k)}n.merge(q,i.childNodes),i.textContent="";while(i.firstChild)i.removeChild(i.firstChild);i=p.lastChild}else q.push(b.createTextNode(g));i&&p.removeChild(i),l.appendChecked||n.grep(ea(q,"input"),ia),r=0;while(g=q[r++])if(d&&n.inArray(g,d)>-1)e&&e.push(g);else if(h=n.contains(g.ownerDocument,g),i=ea(p.appendChild(g),"script"),h&&fa(i),c){f=0;while(g=i[f++])_.test(g.type||"")&&c.push(g)}return i=null,p}!function(){var b,c,e=d.createElement("div");for(b in{submit:!0,change:!0,focusin:!0})c="on"+b,(l[b]=c in a)||(e.setAttribute(c,"t"),l[b]=e.attributes[c].expando===!1);e=null}();var ka=/^(?:input|select|textarea)$/i,la=/^key/,ma=/^(?:mouse|pointer|contextmenu|drag|drop)|click/,na=/^(?:focusinfocus|focusoutblur)$/,oa=/^([^.]*)(?:\.(.+)|)/;function pa(){return!0}function qa(){return!1}function ra(){try{return d.activeElement}catch(a){}}function sa(a,b,c,d,e,f){var g,h;if("object"==typeof b){"string"!=typeof c&&(d=d||c,c=void 0);for(h in b)sa(a,h,c,d,b[h],f);return a}if(null==d&&null==e?(e=c,d=c=void 0):null==e&&("string"==typeof c?(e=d,d=void 0):(e=d,d=c,c=void 0)),e===!1)e=qa;else if(!e)return a;return 1===f&&(g=e,e=function(a){return n().off(a),g.apply(this,arguments)},e.guid=g.guid||(g.guid=n.guid++)),a.each(function(){n.event.add(this,b,e,d,c)})}n.event={global:{},add:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n._data(a);if(r){c.handler&&(i=c,c=i.handler,e=i.selector),c.guid||(c.guid=n.guid++),(g=r.events)||(g=r.events={}),(k=r.handle)||(k=r.handle=function(a){return"undefined"==typeof n||a&&n.event.triggered===a.type?void 0:n.event.dispatch.apply(k.elem,arguments)},k.elem=a),b=(b||"").match(G)||[""],h=b.length;while(h--)f=oa.exec(b[h])||[],o=q=f[1],p=(f[2]||"").split(".").sort(),o&&(j=n.event.special[o]||{},o=(e?j.delegateType:j.bindType)||o,j=n.event.special[o]||{},l=n.extend({type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},i),(m=g[o])||(m=g[o]=[],m.delegateCount=0,j.setup&&j.setup.call(a,d,p,k)!==!1||(a.addEventListener?a.addEventListener(o,k,!1):a.attachEvent&&a.attachEvent("on"+o,k))),j.add&&(j.add.call(a,l),l.handler.guid||(l.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,l):m.push(l),n.event.global[o]=!0);a=null}},remove:function(a,b,c,d,e){var f,g,h,i,j,k,l,m,o,p,q,r=n.hasData(a)&&n._data(a);if(r&&(k=r.events)){b=(b||"").match(G)||[""],j=b.length;while(j--)if(h=oa.exec(b[j])||[],o=q=h[1],p=(h[2]||"").split(".").sort(),o){l=n.event.special[o]||{},o=(d?l.delegateType:l.bindType)||o,m=k[o]||[],h=h[2]&&new RegExp("(^|\\.)"+p.join("\\.(?:.*\\.|)")+"(\\.|$)"),i=f=m.length;while(f--)g=m[f],!e&&q!==g.origType||c&&c.guid!==g.guid||h&&!h.test(g.namespace)||d&&d!==g.selector&&("**"!==d||!g.selector)||(m.splice(f,1),g.selector&&m.delegateCount--,l.remove&&l.remove.call(a,g));i&&!m.length&&(l.teardown&&l.teardown.call(a,p,r.handle)!==!1||n.removeEvent(a,o,r.handle),delete k[o])}else for(o in k)n.event.remove(a,o+b[j],c,d,!0);n.isEmptyObject(k)&&(delete r.handle,n._removeData(a,"events"))}},trigger:function(b,c,e,f){var g,h,i,j,l,m,o,p=[e||d],q=k.call(b,"type")?b.type:b,r=k.call(b,"namespace")?b.namespace.split("."):[];if(i=m=e=e||d,3!==e.nodeType&&8!==e.nodeType&&!na.test(q+n.event.triggered)&&(q.indexOf(".")>-1&&(r=q.split("."),q=r.shift(),r.sort()),h=q.indexOf(":")<0&&"on"+q,b=b[n.expando]?b:new n.Event(q,"object"==typeof b&&b),b.isTrigger=f?2:3,b.namespace=r.join("."),b.rnamespace=b.namespace?new RegExp("(^|\\.)"+r.join("\\.(?:.*\\.|)")+"(\\.|$)"):null,b.result=void 0,b.target||(b.target=e),c=null==c?[b]:n.makeArray(c,[b]),l=n.event.special[q]||{},f||!l.trigger||l.trigger.apply(e,c)!==!1)){if(!f&&!l.noBubble&&!n.isWindow(e)){for(j=l.delegateType||q,na.test(j+q)||(i=i.parentNode);i;i=i.parentNode)p.push(i),m=i;m===(e.ownerDocument||d)&&p.push(m.defaultView||m.parentWindow||a)}o=0;while((i=p[o++])&&!b.isPropagationStopped())b.type=o>1?j:l.bindType||q,g=(n._data(i,"events")||{})[b.type]&&n._data(i,"handle"),g&&g.apply(i,c),g=h&&i[h],g&&g.apply&&M(i)&&(b.result=g.apply(i,c),b.result===!1&&b.preventDefault());if(b.type=q,!f&&!b.isDefaultPrevented()&&(!l._default||l._default.apply(p.pop(),c)===!1)&&M(e)&&h&&e[q]&&!n.isWindow(e)){m=e[h],m&&(e[h]=null),n.event.triggered=q;try{e[q]()}catch(s){}n.event.triggered=void 0,m&&(e[h]=m)}return b.result}},dispatch:function(a){a=n.event.fix(a);var b,c,d,f,g,h=[],i=e.call(arguments),j=(n._data(this,"events")||{})[a.type]||[],k=n.event.special[a.type]||{};if(i[0]=a,a.delegateTarget=this,!k.preDispatch||k.preDispatch.call(this,a)!==!1){h=n.event.handlers.call(this,a,j),b=0;while((f=h[b++])&&!a.isPropagationStopped()){a.currentTarget=f.elem,c=0;while((g=f.handlers[c++])&&!a.isImmediatePropagationStopped())a.rnamespace&&!a.rnamespace.test(g.namespace)||(a.handleObj=g,a.data=g.data,d=((n.event.special[g.origType]||{}).handle||g.handler).apply(f.elem,i),void 0!==d&&(a.result=d)===!1&&(a.preventDefault(),a.stopPropagation()))}return k.postDispatch&&k.postDispatch.call(this,a),a.result}},handlers:function(a,b){var c,d,e,f,g=[],h=b.delegateCount,i=a.target;if(h&&i.nodeType&&("click"!==a.type||isNaN(a.button)||a.button<1))for(;i!=this;i=i.parentNode||this)if(1===i.nodeType&&(i.disabled!==!0||"click"!==a.type)){for(d=[],c=0;h>c;c++)f=b[c],e=f.selector+" ",void 0===d[e]&&(d[e]=f.needsContext?n(e,this).index(i)>-1:n.find(e,this,null,[i]).length),d[e]&&d.push(f);d.length&&g.push({elem:i,handlers:d})}return h<b.length&&g.push({elem:this,handlers:b.slice(h)}),g},fix:function(a){if(a[n.expando])return a;var b,c,e,f=a.type,g=a,h=this.fixHooks[f];h||(this.fixHooks[f]=h=ma.test(f)?this.mouseHooks:la.test(f)?this.keyHooks:{}),e=h.props?this.props.concat(h.props):this.props,a=new n.Event(g),b=e.length;while(b--)c=e[b],a[c]=g[c];return a.target||(a.target=g.srcElement||d),3===a.target.nodeType&&(a.target=a.target.parentNode),a.metaKey=!!a.metaKey,h.filter?h.filter(a,g):a},props:"altKey bubbles cancelable ctrlKey currentTarget detail eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "),fixHooks:{},keyHooks:{props:"char charCode key keyCode".split(" "),filter:function(a,b){return null==a.which&&(a.which=null!=b.charCode?b.charCode:b.keyCode),a}},mouseHooks:{props:"button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "),filter:function(a,b){var c,e,f,g=b.button,h=b.fromElement;return null==a.pageX&&null!=b.clientX&&(e=a.target.ownerDocument||d,f=e.documentElement,c=e.body,a.pageX=b.clientX+(f&&f.scrollLeft||c&&c.scrollLeft||0)-(f&&f.clientLeft||c&&c.clientLeft||0),a.pageY=b.clientY+(f&&f.scrollTop||c&&c.scrollTop||0)-(f&&f.clientTop||c&&c.clientTop||0)),!a.relatedTarget&&h&&(a.relatedTarget=h===a.target?b.toElement:h),a.which||void 0===g||(a.which=1&g?1:2&g?3:4&g?2:0),a}},special:{load:{noBubble:!0},focus:{trigger:function(){if(this!==ra()&&this.focus)try{return this.focus(),!1}catch(a){}},delegateType:"focusin"},blur:{trigger:function(){return this===ra()&&this.blur?(this.blur(),!1):void 0},delegateType:"focusout"},click:{trigger:function(){return n.nodeName(this,"input")&&"checkbox"===this.type&&this.click?(this.click(),!1):void 0},_default:function(a){return n.nodeName(a.target,"a")}},beforeunload:{postDispatch:function(a){void 0!==a.result&&a.originalEvent&&(a.originalEvent.returnValue=a.result)}}},simulate:function(a,b,c){var d=n.extend(new n.Event,c,{type:a,isSimulated:!0});n.event.trigger(d,null,b),d.isDefaultPrevented()&&c.preventDefault()}},n.removeEvent=d.removeEventListener?function(a,b,c){a.removeEventListener&&a.removeEventListener(b,c)}:function(a,b,c){var d="on"+b;a.detachEvent&&("undefined"==typeof a[d]&&(a[d]=null),a.detachEvent(d,c))},n.Event=function(a,b){return this instanceof n.Event?(a&&a.type?(this.originalEvent=a,this.type=a.type,this.isDefaultPrevented=a.defaultPrevented||void 0===a.defaultPrevented&&a.returnValue===!1?pa:qa):this.type=a,b&&n.extend(this,b),this.timeStamp=a&&a.timeStamp||n.now(),void(this[n.expando]=!0)):new n.Event(a,b)},n.Event.prototype={constructor:n.Event,isDefaultPrevented:qa,isPropagationStopped:qa,isImmediatePropagationStopped:qa,preventDefault:function(){var a=this.originalEvent;this.isDefaultPrevented=pa,a&&(a.preventDefault?a.preventDefault():a.returnValue=!1)},stopPropagation:function(){var a=this.originalEvent;this.isPropagationStopped=pa,a&&!this.isSimulated&&(a.stopPropagation&&a.stopPropagation(),a.cancelBubble=!0)},stopImmediatePropagation:function(){var a=this.originalEvent;this.isImmediatePropagationStopped=pa,a&&a.stopImmediatePropagation&&a.stopImmediatePropagation(),this.stopPropagation()}},n.each({mouseenter:"mouseover",mouseleave:"mouseout",pointerenter:"pointerover",pointerleave:"pointerout"},function(a,b){n.event.special[a]={delegateType:b,bindType:b,handle:function(a){var c,d=this,e=a.relatedTarget,f=a.handleObj;return e&&(e===d||n.contains(d,e))||(a.type=f.origType,c=f.handler.apply(this,arguments),a.type=b),c}}}),l.submit||(n.event.special.submit={setup:function(){return n.nodeName(this,"form")?!1:void n.event.add(this,"click._submit keypress._submit",function(a){var b=a.target,c=n.nodeName(b,"input")||n.nodeName(b,"button")?n.prop(b,"form"):void 0;c&&!n._data(c,"submit")&&(n.event.add(c,"submit._submit",function(a){a._submitBubble=!0}),n._data(c,"submit",!0))})},postDispatch:function(a){a._submitBubble&&(delete a._submitBubble,this.parentNode&&!a.isTrigger&&n.event.simulate("submit",this.parentNode,a))},teardown:function(){return n.nodeName(this,"form")?!1:void n.event.remove(this,"._submit")}}),l.change||(n.event.special.change={setup:function(){return ka.test(this.nodeName)?("checkbox"!==this.type&&"radio"!==this.type||(n.event.add(this,"propertychange._change",function(a){"checked"===a.originalEvent.propertyName&&(this._justChanged=!0)}),n.event.add(this,"click._change",function(a){this._justChanged&&!a.isTrigger&&(this._justChanged=!1),n.event.simulate("change",this,a)})),!1):void n.event.add(this,"beforeactivate._change",function(a){var b=a.target;ka.test(b.nodeName)&&!n._data(b,"change")&&(n.event.add(b,"change._change",function(a){!this.parentNode||a.isSimulated||a.isTrigger||n.event.simulate("change",this.parentNode,a)}),n._data(b,"change",!0))})},handle:function(a){var b=a.target;return this!==b||a.isSimulated||a.isTrigger||"radio"!==b.type&&"checkbox"!==b.type?a.handleObj.handler.apply(this,arguments):void 0},teardown:function(){return n.event.remove(this,"._change"),!ka.test(this.nodeName)}}),l.focusin||n.each({focus:"focusin",blur:"focusout"},function(a,b){var c=function(a){n.event.simulate(b,a.target,n.event.fix(a))};n.event.special[b]={setup:function(){var d=this.ownerDocument||this,e=n._data(d,b);e||d.addEventListener(a,c,!0),n._data(d,b,(e||0)+1)},teardown:function(){var d=this.ownerDocument||this,e=n._data(d,b)-1;e?n._data(d,b,e):(d.removeEventListener(a,c,!0),n._removeData(d,b))}}}),n.fn.extend({on:function(a,b,c,d){return sa(this,a,b,c,d)},one:function(a,b,c,d){return sa(this,a,b,c,d,1)},off:function(a,b,c){var d,e;if(a&&a.preventDefault&&a.handleObj)return d=a.handleObj,n(a.delegateTarget).off(d.namespace?d.origType+"."+d.namespace:d.origType,d.selector,d.handler),this;if("object"==typeof a){for(e in a)this.off(e,b,a[e]);return this}return b!==!1&&"function"!=typeof b||(c=b,b=void 0),c===!1&&(c=qa),this.each(function(){n.event.remove(this,a,c,b)})},trigger:function(a,b){return this.each(function(){n.event.trigger(a,b,this)})},triggerHandler:function(a,b){var c=this[0];return c?n.event.trigger(a,b,c,!0):void 0}});var ta=/ jQuery\d+="(?:null|\d+)"/g,ua=new RegExp("<(?:"+ba+")[\\s/>]","i"),va=/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi,wa=/<script|<style|<link/i,xa=/checked\s*(?:[^=]|=\s*.checked.)/i,ya=/^true\/(.*)/,za=/^\s*<!(?:\[CDATA\[|--)|(?:\]\]|--)>\s*$/g,Aa=ca(d),Ba=Aa.appendChild(d.createElement("div"));function Ca(a,b){return n.nodeName(a,"table")&&n.nodeName(11!==b.nodeType?b:b.firstChild,"tr")?a.getElementsByTagName("tbody")[0]||a.appendChild(a.ownerDocument.createElement("tbody")):a}function Da(a){return a.type=(null!==n.find.attr(a,"type"))+"/"+a.type,a}function Ea(a){var b=ya.exec(a.type);return b?a.type=b[1]:a.removeAttribute("type"),a}function Fa(a,b){if(1===b.nodeType&&n.hasData(a)){var c,d,e,f=n._data(a),g=n._data(b,f),h=f.events;if(h){delete g.handle,g.events={};for(c in h)for(d=0,e=h[c].length;e>d;d++)n.event.add(b,c,h[c][d])}g.data&&(g.data=n.extend({},g.data))}}function Ga(a,b){var c,d,e;if(1===b.nodeType){if(c=b.nodeName.toLowerCase(),!l.noCloneEvent&&b[n.expando]){e=n._data(b);for(d in e.events)n.removeEvent(b,d,e.handle);b.removeAttribute(n.expando)}"script"===c&&b.text!==a.text?(Da(b).text=a.text,Ea(b)):"object"===c?(b.parentNode&&(b.outerHTML=a.outerHTML),l.html5Clone&&a.innerHTML&&!n.trim(b.innerHTML)&&(b.innerHTML=a.innerHTML)):"input"===c&&Z.test(a.type)?(b.defaultChecked=b.checked=a.checked,b.value!==a.value&&(b.value=a.value)):"option"===c?b.defaultSelected=b.selected=a.defaultSelected:"input"!==c&&"textarea"!==c||(b.defaultValue=a.defaultValue)}}function Ha(a,b,c,d){b=f.apply([],b);var e,g,h,i,j,k,m=0,o=a.length,p=o-1,q=b[0],r=n.isFunction(q);if(r||o>1&&"string"==typeof q&&!l.checkClone&&xa.test(q))return a.each(function(e){var f=a.eq(e);r&&(b[0]=q.call(this,e,f.html())),Ha(f,b,c,d)});if(o&&(k=ja(b,a[0].ownerDocument,!1,a,d),e=k.firstChild,1===k.childNodes.length&&(k=e),e||d)){for(i=n.map(ea(k,"script"),Da),h=i.length;o>m;m++)g=k,m!==p&&(g=n.clone(g,!0,!0),h&&n.merge(i,ea(g,"script"))),c.call(a[m],g,m);if(h)for(j=i[i.length-1].ownerDocument,n.map(i,Ea),m=0;h>m;m++)g=i[m],_.test(g.type||"")&&!n._data(g,"globalEval")&&n.contains(j,g)&&(g.src?n._evalUrl&&n._evalUrl(g.src):n.globalEval((g.text||g.textContent||g.innerHTML||"").replace(za,"")));k=e=null}return a}function Ia(a,b,c){for(var d,e=b?n.filter(b,a):a,f=0;null!=(d=e[f]);f++)c||1!==d.nodeType||n.cleanData(ea(d)),d.parentNode&&(c&&n.contains(d.ownerDocument,d)&&fa(ea(d,"script")),d.parentNode.removeChild(d));return a}n.extend({htmlPrefilter:function(a){return a.replace(va,"<$1></$2>")},clone:function(a,b,c){var d,e,f,g,h,i=n.contains(a.ownerDocument,a);if(l.html5Clone||n.isXMLDoc(a)||!ua.test("<"+a.nodeName+">")?f=a.cloneNode(!0):(Ba.innerHTML=a.outerHTML,Ba.removeChild(f=Ba.firstChild)),!(l.noCloneEvent&&l.noCloneChecked||1!==a.nodeType&&11!==a.nodeType||n.isXMLDoc(a)))for(d=ea(f),h=ea(a),g=0;null!=(e=h[g]);++g)d[g]&&Ga(e,d[g]);if(b)if(c)for(h=h||ea(a),d=d||ea(f),g=0;null!=(e=h[g]);g++)Fa(e,d[g]);else Fa(a,f);return d=ea(f,"script"),d.length>0&&fa(d,!i&&ea(a,"script")),d=h=e=null,f},cleanData:function(a,b){for(var d,e,f,g,h=0,i=n.expando,j=n.cache,k=l.attributes,m=n.event.special;null!=(d=a[h]);h++)if((b||M(d))&&(f=d[i],g=f&&j[f])){if(g.events)for(e in g.events)m[e]?n.event.remove(d,e):n.removeEvent(d,e,g.handle);j[f]&&(delete j[f],k||"undefined"==typeof d.removeAttribute?d[i]=void 0:d.removeAttribute(i),c.push(f))}}}),n.fn.extend({domManip:Ha,detach:function(a){return Ia(this,a,!0)},remove:function(a){return Ia(this,a)},text:function(a){return Y(this,function(a){return void 0===a?n.text(this):this.empty().append((this[0]&&this[0].ownerDocument||d).createTextNode(a))},null,a,arguments.length)},append:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.appendChild(a)}})},prepend:function(){return Ha(this,arguments,function(a){if(1===this.nodeType||11===this.nodeType||9===this.nodeType){var b=Ca(this,a);b.insertBefore(a,b.firstChild)}})},before:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this)})},after:function(){return Ha(this,arguments,function(a){this.parentNode&&this.parentNode.insertBefore(a,this.nextSibling)})},empty:function(){for(var a,b=0;null!=(a=this[b]);b++){1===a.nodeType&&n.cleanData(ea(a,!1));while(a.firstChild)a.removeChild(a.firstChild);a.options&&n.nodeName(a,"select")&&(a.options.length=0)}return this},clone:function(a,b){return a=null==a?!1:a,b=null==b?a:b,this.map(function(){return n.clone(this,a,b)})},html:function(a){return Y(this,function(a){var b=this[0]||{},c=0,d=this.length;if(void 0===a)return 1===b.nodeType?b.innerHTML.replace(ta,""):void 0;if("string"==typeof a&&!wa.test(a)&&(l.htmlSerialize||!ua.test(a))&&(l.leadingWhitespace||!aa.test(a))&&!da[($.exec(a)||["",""])[1].toLowerCase()]){a=n.htmlPrefilter(a);try{for(;d>c;c++)b=this[c]||{},1===b.nodeType&&(n.cleanData(ea(b,!1)),b.innerHTML=a);b=0}catch(e){}}b&&this.empty().append(a)},null,a,arguments.length)},replaceWith:function(){var a=[];return Ha(this,arguments,function(b){var c=this.parentNode;n.inArray(this,a)<0&&(n.cleanData(ea(this)),c&&c.replaceChild(b,this))},a)}}),n.each({appendTo:"append",prependTo:"prepend",insertBefore:"before",insertAfter:"after",replaceAll:"replaceWith"},function(a,b){n.fn[a]=function(a){for(var c,d=0,e=[],f=n(a),h=f.length-1;h>=d;d++)c=d===h?this:this.clone(!0),n(f[d])[b](c),g.apply(e,c.get());return this.pushStack(e)}});var Ja,Ka={HTML:"block",BODY:"block"};function La(a,b){var c=n(b.createElement(a)).appendTo(b.body),d=n.css(c[0],"display");return c.detach(),d}function Ma(a){var b=d,c=Ka[a];return c||(c=La(a,b),"none"!==c&&c||(Ja=(Ja||n("<iframe frameborder='0' width='0' height='0'/>")).appendTo(b.documentElement),b=(Ja[0].contentWindow||Ja[0].contentDocument).document,b.write(),b.close(),c=La(a,b),Ja.detach()),Ka[a]=c),c}var Na=/^margin/,Oa=new RegExp("^("+T+")(?!px)[a-z%]+$","i"),Pa=function(a,b,c,d){var e,f,g={};for(f in b)g[f]=a.style[f],a.style[f]=b[f];e=c.apply(a,d||[]);for(f in b)a.style[f]=g[f];return e},Qa=d.documentElement;!function(){var b,c,e,f,g,h,i=d.createElement("div"),j=d.createElement("div");if(j.style){j.style.cssText="float:left;opacity:.5",l.opacity="0.5"===j.style.opacity,l.cssFloat=!!j.style.cssFloat,j.style.backgroundClip="content-box",j.cloneNode(!0).style.backgroundClip="",l.clearCloneStyle="content-box"===j.style.backgroundClip,i=d.createElement("div"),i.style.cssText="border:0;width:8px;height:0;top:0;left:-9999px;padding:0;margin-top:1px;position:absolute",j.innerHTML="",i.appendChild(j),l.boxSizing=""===j.style.boxSizing||""===j.style.MozBoxSizing||""===j.style.WebkitBoxSizing,n.extend(l,{reliableHiddenOffsets:function(){return null==b&&k(),f},boxSizingReliable:function(){return null==b&&k(),e},pixelMarginRight:function(){return null==b&&k(),c},pixelPosition:function(){return null==b&&k(),b},reliableMarginRight:function(){return null==b&&k(),g},reliableMarginLeft:function(){return null==b&&k(),h}});function k(){var k,l,m=d.documentElement;m.appendChild(i),j.style.cssText="-webkit-box-sizing:border-box;box-sizing:border-box;position:relative;display:block;margin:auto;border:1px;padding:1px;top:1%;width:50%",b=e=h=!1,c=g=!0,a.getComputedStyle&&(l=a.getComputedStyle(j),b="1%"!==(l||{}).top,h="2px"===(l||{}).marginLeft,e="4px"===(l||{width:"4px"}).width,j.style.marginRight="50%",c="4px"===(l||{marginRight:"4px"}).marginRight,k=j.appendChild(d.createElement("div")),k.style.cssText=j.style.cssText="-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;display:block;margin:0;border:0;padding:0",k.style.marginRight=k.style.width="0",j.style.width="1px",g=!parseFloat((a.getComputedStyle(k)||{}).marginRight),j.removeChild(k)),j.style.display="none",f=0===j.getClientRects().length,f&&(j.style.display="",j.innerHTML="<table><tr><td></td><td>t</td></tr></table>",j.childNodes[0].style.borderCollapse="separate",k=j.getElementsByTagName("td"),k[0].style.cssText="margin:0;border:0;padding:0;display:none",f=0===k[0].offsetHeight,f&&(k[0].style.display="",k[1].style.display="none",f=0===k[0].offsetHeight)),m.removeChild(i)}}}();var Ra,Sa,Ta=/^(top|right|bottom|left)$/;a.getComputedStyle?(Ra=function(b){var c=b.ownerDocument.defaultView;return c&&c.opener||(c=a),c.getComputedStyle(b)},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c.getPropertyValue(b)||c[b]:void 0,""!==g&&void 0!==g||n.contains(a.ownerDocument,a)||(g=n.style(a,b)),c&&!l.pixelMarginRight()&&Oa.test(g)&&Na.test(b)&&(d=h.width,e=h.minWidth,f=h.maxWidth,h.minWidth=h.maxWidth=h.width=g,g=c.width,h.width=d,h.minWidth=e,h.maxWidth=f),void 0===g?g:g+""}):Qa.currentStyle&&(Ra=function(a){return a.currentStyle},Sa=function(a,b,c){var d,e,f,g,h=a.style;return c=c||Ra(a),g=c?c[b]:void 0,null==g&&h&&h[b]&&(g=h[b]),Oa.test(g)&&!Ta.test(b)&&(d=h.left,e=a.runtimeStyle,f=e&&e.left,f&&(e.left=a.currentStyle.left),h.left="fontSize"===b?"1em":g,g=h.pixelLeft+"px",h.left=d,f&&(e.left=f)),void 0===g?g:g+""||"auto"});function Ua(a,b){return{get:function(){return a()?void delete this.get:(this.get=b).apply(this,arguments)}}}var Va=/alpha\([^)]*\)/i,Wa=/opacity\s*=\s*([^)]*)/i,Xa=/^(none|table(?!-c[ea]).+)/,Ya=new RegExp("^("+T+")(.*)$","i"),Za={position:"absolute",visibility:"hidden",display:"block"},$a={letterSpacing:"0",fontWeight:"400"},_a=["Webkit","O","Moz","ms"],ab=d.createElement("div").style;function bb(a){if(a in ab)return a;var b=a.charAt(0).toUpperCase()+a.slice(1),c=_a.length;while(c--)if(a=_a[c]+b,a in ab)return a}function cb(a,b){for(var c,d,e,f=[],g=0,h=a.length;h>g;g++)d=a[g],d.style&&(f[g]=n._data(d,"olddisplay"),c=d.style.display,b?(f[g]||"none"!==c||(d.style.display=""),""===d.style.display&&W(d)&&(f[g]=n._data(d,"olddisplay",Ma(d.nodeName)))):(e=W(d),(c&&"none"!==c||!e)&&n._data(d,"olddisplay",e?c:n.css(d,"display"))));for(g=0;h>g;g++)d=a[g],d.style&&(b&&"none"!==d.style.display&&""!==d.style.display||(d.style.display=b?f[g]||"":"none"));return a}function db(a,b,c){var d=Ya.exec(b);return d?Math.max(0,d[1]-(c||0))+(d[2]||"px"):b}function eb(a,b,c,d,e){for(var f=c===(d?"border":"content")?4:"width"===b?1:0,g=0;4>f;f+=2)"margin"===c&&(g+=n.css(a,c+V[f],!0,e)),d?("content"===c&&(g-=n.css(a,"padding"+V[f],!0,e)),"margin"!==c&&(g-=n.css(a,"border"+V[f]+"Width",!0,e))):(g+=n.css(a,"padding"+V[f],!0,e),"padding"!==c&&(g+=n.css(a,"border"+V[f]+"Width",!0,e)));return g}function fb(a,b,c){var d=!0,e="width"===b?a.offsetWidth:a.offsetHeight,f=Ra(a),g=l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,f);if(0>=e||null==e){if(e=Sa(a,b,f),(0>e||null==e)&&(e=a.style[b]),Oa.test(e))return e;d=g&&(l.boxSizingReliable()||e===a.style[b]),e=parseFloat(e)||0}return e+eb(a,b,c||(g?"border":"content"),d,f)+"px"}n.extend({cssHooks:{opacity:{get:function(a,b){if(b){var c=Sa(a,"opacity");return""===c?"1":c}}}},cssNumber:{animationIterationCount:!0,columnCount:!0,fillOpacity:!0,flexGrow:!0,flexShrink:!0,fontWeight:!0,lineHeight:!0,opacity:!0,order:!0,orphans:!0,widows:!0,zIndex:!0,zoom:!0},cssProps:{"float":l.cssFloat?"cssFloat":"styleFloat"},style:function(a,b,c,d){if(a&&3!==a.nodeType&&8!==a.nodeType&&a.style){var e,f,g,h=n.camelCase(b),i=a.style;if(b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],void 0===c)return g&&"get"in g&&void 0!==(e=g.get(a,!1,d))?e:i[b];if(f=typeof c,"string"===f&&(e=U.exec(c))&&e[1]&&(c=X(a,b,e),f="number"),null!=c&&c===c&&("number"===f&&(c+=e&&e[3]||(n.cssNumber[h]?"":"px")),l.clearCloneStyle||""!==c||0!==b.indexOf("background")||(i[b]="inherit"),!(g&&"set"in g&&void 0===(c=g.set(a,c,d)))))try{i[b]=c}catch(j){}}},css:function(a,b,c,d){var e,f,g,h=n.camelCase(b);return b=n.cssProps[h]||(n.cssProps[h]=bb(h)||h),g=n.cssHooks[b]||n.cssHooks[h],g&&"get"in g&&(f=g.get(a,!0,c)),void 0===f&&(f=Sa(a,b,d)),"normal"===f&&b in $a&&(f=$a[b]),""===c||c?(e=parseFloat(f),c===!0||isFinite(e)?e||0:f):f}}),n.each(["height","width"],function(a,b){n.cssHooks[b]={get:function(a,c,d){return c?Xa.test(n.css(a,"display"))&&0===a.offsetWidth?Pa(a,Za,function(){return fb(a,b,d)}):fb(a,b,d):void 0},set:function(a,c,d){var e=d&&Ra(a);return db(a,c,d?eb(a,b,d,l.boxSizing&&"border-box"===n.css(a,"boxSizing",!1,e),e):0)}}}),l.opacity||(n.cssHooks.opacity={get:function(a,b){return Wa.test((b&&a.currentStyle?a.currentStyle.filter:a.style.filter)||"")?.01*parseFloat(RegExp.$1)+"":b?"1":""},set:function(a,b){var c=a.style,d=a.currentStyle,e=n.isNumeric(b)?"alpha(opacity="+100*b+")":"",f=d&&d.filter||c.filter||"";c.zoom=1,(b>=1||""===b)&&""===n.trim(f.replace(Va,""))&&c.removeAttribute&&(c.removeAttribute("filter"),""===b||d&&!d.filter)||(c.filter=Va.test(f)?f.replace(Va,e):f+" "+e)}}),n.cssHooks.marginRight=Ua(l.reliableMarginRight,function(a,b){return b?Pa(a,{display:"inline-block"},Sa,[a,"marginRight"]):void 0}),n.cssHooks.marginLeft=Ua(l.reliableMarginLeft,function(a,b){return b?(parseFloat(Sa(a,"marginLeft"))||(n.contains(a.ownerDocument,a)?a.getBoundingClientRect().left-Pa(a,{
marginLeft:0},function(){return a.getBoundingClientRect().left}):0))+"px":void 0}),n.each({margin:"",padding:"",border:"Width"},function(a,b){n.cssHooks[a+b]={expand:function(c){for(var d=0,e={},f="string"==typeof c?c.split(" "):[c];4>d;d++)e[a+V[d]+b]=f[d]||f[d-2]||f[0];return e}},Na.test(a)||(n.cssHooks[a+b].set=db)}),n.fn.extend({css:function(a,b){return Y(this,function(a,b,c){var d,e,f={},g=0;if(n.isArray(b)){for(d=Ra(a),e=b.length;e>g;g++)f[b[g]]=n.css(a,b[g],!1,d);return f}return void 0!==c?n.style(a,b,c):n.css(a,b)},a,b,arguments.length>1)},show:function(){return cb(this,!0)},hide:function(){return cb(this)},toggle:function(a){return"boolean"==typeof a?a?this.show():this.hide():this.each(function(){W(this)?n(this).show():n(this).hide()})}});function gb(a,b,c,d,e){return new gb.prototype.init(a,b,c,d,e)}n.Tween=gb,gb.prototype={constructor:gb,init:function(a,b,c,d,e,f){this.elem=a,this.prop=c,this.easing=e||n.easing._default,this.options=b,this.start=this.now=this.cur(),this.end=d,this.unit=f||(n.cssNumber[c]?"":"px")},cur:function(){var a=gb.propHooks[this.prop];return a&&a.get?a.get(this):gb.propHooks._default.get(this)},run:function(a){var b,c=gb.propHooks[this.prop];return this.options.duration?this.pos=b=n.easing[this.easing](a,this.options.duration*a,0,1,this.options.duration):this.pos=b=a,this.now=(this.end-this.start)*b+this.start,this.options.step&&this.options.step.call(this.elem,this.now,this),c&&c.set?c.set(this):gb.propHooks._default.set(this),this}},gb.prototype.init.prototype=gb.prototype,gb.propHooks={_default:{get:function(a){var b;return 1!==a.elem.nodeType||null!=a.elem[a.prop]&&null==a.elem.style[a.prop]?a.elem[a.prop]:(b=n.css(a.elem,a.prop,""),b&&"auto"!==b?b:0)},set:function(a){n.fx.step[a.prop]?n.fx.step[a.prop](a):1!==a.elem.nodeType||null==a.elem.style[n.cssProps[a.prop]]&&!n.cssHooks[a.prop]?a.elem[a.prop]=a.now:n.style(a.elem,a.prop,a.now+a.unit)}}},gb.propHooks.scrollTop=gb.propHooks.scrollLeft={set:function(a){a.elem.nodeType&&a.elem.parentNode&&(a.elem[a.prop]=a.now)}},n.easing={linear:function(a){return a},swing:function(a){return.5-Math.cos(a*Math.PI)/2},_default:"swing"},n.fx=gb.prototype.init,n.fx.step={};var hb,ib,jb=/^(?:toggle|show|hide)$/,kb=/queueHooks$/;function lb(){return a.setTimeout(function(){hb=void 0}),hb=n.now()}function mb(a,b){var c,d={height:a},e=0;for(b=b?1:0;4>e;e+=2-b)c=V[e],d["margin"+c]=d["padding"+c]=a;return b&&(d.opacity=d.width=a),d}function nb(a,b,c){for(var d,e=(qb.tweeners[b]||[]).concat(qb.tweeners["*"]),f=0,g=e.length;g>f;f++)if(d=e[f].call(c,b,a))return d}function ob(a,b,c){var d,e,f,g,h,i,j,k,m=this,o={},p=a.style,q=a.nodeType&&W(a),r=n._data(a,"fxshow");c.queue||(h=n._queueHooks(a,"fx"),null==h.unqueued&&(h.unqueued=0,i=h.empty.fire,h.empty.fire=function(){h.unqueued||i()}),h.unqueued++,m.always(function(){m.always(function(){h.unqueued--,n.queue(a,"fx").length||h.empty.fire()})})),1===a.nodeType&&("height"in b||"width"in b)&&(c.overflow=[p.overflow,p.overflowX,p.overflowY],j=n.css(a,"display"),k="none"===j?n._data(a,"olddisplay")||Ma(a.nodeName):j,"inline"===k&&"none"===n.css(a,"float")&&(l.inlineBlockNeedsLayout&&"inline"!==Ma(a.nodeName)?p.zoom=1:p.display="inline-block")),c.overflow&&(p.overflow="hidden",l.shrinkWrapBlocks()||m.always(function(){p.overflow=c.overflow[0],p.overflowX=c.overflow[1],p.overflowY=c.overflow[2]}));for(d in b)if(e=b[d],jb.exec(e)){if(delete b[d],f=f||"toggle"===e,e===(q?"hide":"show")){if("show"!==e||!r||void 0===r[d])continue;q=!0}o[d]=r&&r[d]||n.style(a,d)}else j=void 0;if(n.isEmptyObject(o))"inline"===("none"===j?Ma(a.nodeName):j)&&(p.display=j);else{r?"hidden"in r&&(q=r.hidden):r=n._data(a,"fxshow",{}),f&&(r.hidden=!q),q?n(a).show():m.done(function(){n(a).hide()}),m.done(function(){var b;n._removeData(a,"fxshow");for(b in o)n.style(a,b,o[b])});for(d in o)g=nb(q?r[d]:0,d,m),d in r||(r[d]=g.start,q&&(g.end=g.start,g.start="width"===d||"height"===d?1:0))}}function pb(a,b){var c,d,e,f,g;for(c in a)if(d=n.camelCase(c),e=b[d],f=a[c],n.isArray(f)&&(e=f[1],f=a[c]=f[0]),c!==d&&(a[d]=f,delete a[c]),g=n.cssHooks[d],g&&"expand"in g){f=g.expand(f),delete a[d];for(c in f)c in a||(a[c]=f[c],b[c]=e)}else b[d]=e}function qb(a,b,c){var d,e,f=0,g=qb.prefilters.length,h=n.Deferred().always(function(){delete i.elem}),i=function(){if(e)return!1;for(var b=hb||lb(),c=Math.max(0,j.startTime+j.duration-b),d=c/j.duration||0,f=1-d,g=0,i=j.tweens.length;i>g;g++)j.tweens[g].run(f);return h.notifyWith(a,[j,f,c]),1>f&&i?c:(h.resolveWith(a,[j]),!1)},j=h.promise({elem:a,props:n.extend({},b),opts:n.extend(!0,{specialEasing:{},easing:n.easing._default},c),originalProperties:b,originalOptions:c,startTime:hb||lb(),duration:c.duration,tweens:[],createTween:function(b,c){var d=n.Tween(a,j.opts,b,c,j.opts.specialEasing[b]||j.opts.easing);return j.tweens.push(d),d},stop:function(b){var c=0,d=b?j.tweens.length:0;if(e)return this;for(e=!0;d>c;c++)j.tweens[c].run(1);return b?(h.notifyWith(a,[j,1,0]),h.resolveWith(a,[j,b])):h.rejectWith(a,[j,b]),this}}),k=j.props;for(pb(k,j.opts.specialEasing);g>f;f++)if(d=qb.prefilters[f].call(j,a,k,j.opts))return n.isFunction(d.stop)&&(n._queueHooks(j.elem,j.opts.queue).stop=n.proxy(d.stop,d)),d;return n.map(k,nb,j),n.isFunction(j.opts.start)&&j.opts.start.call(a,j),n.fx.timer(n.extend(i,{elem:a,anim:j,queue:j.opts.queue})),j.progress(j.opts.progress).done(j.opts.done,j.opts.complete).fail(j.opts.fail).always(j.opts.always)}n.Animation=n.extend(qb,{tweeners:{"*":[function(a,b){var c=this.createTween(a,b);return X(c.elem,a,U.exec(b),c),c}]},tweener:function(a,b){n.isFunction(a)?(b=a,a=["*"]):a=a.match(G);for(var c,d=0,e=a.length;e>d;d++)c=a[d],qb.tweeners[c]=qb.tweeners[c]||[],qb.tweeners[c].unshift(b)},prefilters:[ob],prefilter:function(a,b){b?qb.prefilters.unshift(a):qb.prefilters.push(a)}}),n.speed=function(a,b,c){var d=a&&"object"==typeof a?n.extend({},a):{complete:c||!c&&b||n.isFunction(a)&&a,duration:a,easing:c&&b||b&&!n.isFunction(b)&&b};return d.duration=n.fx.off?0:"number"==typeof d.duration?d.duration:d.duration in n.fx.speeds?n.fx.speeds[d.duration]:n.fx.speeds._default,null!=d.queue&&d.queue!==!0||(d.queue="fx"),d.old=d.complete,d.complete=function(){n.isFunction(d.old)&&d.old.call(this),d.queue&&n.dequeue(this,d.queue)},d},n.fn.extend({fadeTo:function(a,b,c,d){return this.filter(W).css("opacity",0).show().end().animate({opacity:b},a,c,d)},animate:function(a,b,c,d){var e=n.isEmptyObject(a),f=n.speed(b,c,d),g=function(){var b=qb(this,n.extend({},a),f);(e||n._data(this,"finish"))&&b.stop(!0)};return g.finish=g,e||f.queue===!1?this.each(g):this.queue(f.queue,g)},stop:function(a,b,c){var d=function(a){var b=a.stop;delete a.stop,b(c)};return"string"!=typeof a&&(c=b,b=a,a=void 0),b&&a!==!1&&this.queue(a||"fx",[]),this.each(function(){var b=!0,e=null!=a&&a+"queueHooks",f=n.timers,g=n._data(this);if(e)g[e]&&g[e].stop&&d(g[e]);else for(e in g)g[e]&&g[e].stop&&kb.test(e)&&d(g[e]);for(e=f.length;e--;)f[e].elem!==this||null!=a&&f[e].queue!==a||(f[e].anim.stop(c),b=!1,f.splice(e,1));!b&&c||n.dequeue(this,a)})},finish:function(a){return a!==!1&&(a=a||"fx"),this.each(function(){var b,c=n._data(this),d=c[a+"queue"],e=c[a+"queueHooks"],f=n.timers,g=d?d.length:0;for(c.finish=!0,n.queue(this,a,[]),e&&e.stop&&e.stop.call(this,!0),b=f.length;b--;)f[b].elem===this&&f[b].queue===a&&(f[b].anim.stop(!0),f.splice(b,1));for(b=0;g>b;b++)d[b]&&d[b].finish&&d[b].finish.call(this);delete c.finish})}}),n.each(["toggle","show","hide"],function(a,b){var c=n.fn[b];n.fn[b]=function(a,d,e){return null==a||"boolean"==typeof a?c.apply(this,arguments):this.animate(mb(b,!0),a,d,e)}}),n.each({slideDown:mb("show"),slideUp:mb("hide"),slideToggle:mb("toggle"),fadeIn:{opacity:"show"},fadeOut:{opacity:"hide"},fadeToggle:{opacity:"toggle"}},function(a,b){n.fn[a]=function(a,c,d){return this.animate(b,a,c,d)}}),n.timers=[],n.fx.tick=function(){var a,b=n.timers,c=0;for(hb=n.now();c<b.length;c++)a=b[c],a()||b[c]!==a||b.splice(c--,1);b.length||n.fx.stop(),hb=void 0},n.fx.timer=function(a){n.timers.push(a),a()?n.fx.start():n.timers.pop()},n.fx.interval=13,n.fx.start=function(){ib||(ib=a.setInterval(n.fx.tick,n.fx.interval))},n.fx.stop=function(){a.clearInterval(ib),ib=null},n.fx.speeds={slow:600,fast:200,_default:400},n.fn.delay=function(b,c){return b=n.fx?n.fx.speeds[b]||b:b,c=c||"fx",this.queue(c,function(c,d){var e=a.setTimeout(c,b);d.stop=function(){a.clearTimeout(e)}})},function(){var a,b=d.createElement("input"),c=d.createElement("div"),e=d.createElement("select"),f=e.appendChild(d.createElement("option"));c=d.createElement("div"),c.setAttribute("className","t"),c.innerHTML="  <link/><table></table><a href='/a'>a</a><input type='checkbox'/>",a=c.getElementsByTagName("a")[0],b.setAttribute("type","checkbox"),c.appendChild(b),a=c.getElementsByTagName("a")[0],a.style.cssText="top:1px",l.getSetAttribute="t"!==c.className,l.style=/top/.test(a.getAttribute("style")),l.hrefNormalized="/a"===a.getAttribute("href"),l.checkOn=!!b.value,l.optSelected=f.selected,l.enctype=!!d.createElement("form").enctype,e.disabled=!0,l.optDisabled=!f.disabled,b=d.createElement("input"),b.setAttribute("value",""),l.input=""===b.getAttribute("value"),b.value="t",b.setAttribute("type","radio"),l.radioValue="t"===b.value}();var rb=/\r/g,sb=/[\x20\t\r\n\f]+/g;n.fn.extend({val:function(a){var b,c,d,e=this[0];{if(arguments.length)return d=n.isFunction(a),this.each(function(c){var e;1===this.nodeType&&(e=d?a.call(this,c,n(this).val()):a,null==e?e="":"number"==typeof e?e+="":n.isArray(e)&&(e=n.map(e,function(a){return null==a?"":a+""})),b=n.valHooks[this.type]||n.valHooks[this.nodeName.toLowerCase()],b&&"set"in b&&void 0!==b.set(this,e,"value")||(this.value=e))});if(e)return b=n.valHooks[e.type]||n.valHooks[e.nodeName.toLowerCase()],b&&"get"in b&&void 0!==(c=b.get(e,"value"))?c:(c=e.value,"string"==typeof c?c.replace(rb,""):null==c?"":c)}}}),n.extend({valHooks:{option:{get:function(a){var b=n.find.attr(a,"value");return null!=b?b:n.trim(n.text(a)).replace(sb," ")}},select:{get:function(a){for(var b,c,d=a.options,e=a.selectedIndex,f="select-one"===a.type||0>e,g=f?null:[],h=f?e+1:d.length,i=0>e?h:f?e:0;h>i;i++)if(c=d[i],(c.selected||i===e)&&(l.optDisabled?!c.disabled:null===c.getAttribute("disabled"))&&(!c.parentNode.disabled||!n.nodeName(c.parentNode,"optgroup"))){if(b=n(c).val(),f)return b;g.push(b)}return g},set:function(a,b){var c,d,e=a.options,f=n.makeArray(b),g=e.length;while(g--)if(d=e[g],n.inArray(n.valHooks.option.get(d),f)>-1)try{d.selected=c=!0}catch(h){d.scrollHeight}else d.selected=!1;return c||(a.selectedIndex=-1),e}}}}),n.each(["radio","checkbox"],function(){n.valHooks[this]={set:function(a,b){return n.isArray(b)?a.checked=n.inArray(n(a).val(),b)>-1:void 0}},l.checkOn||(n.valHooks[this].get=function(a){return null===a.getAttribute("value")?"on":a.value})});var tb,ub,vb=n.expr.attrHandle,wb=/^(?:checked|selected)$/i,xb=l.getSetAttribute,yb=l.input;n.fn.extend({attr:function(a,b){return Y(this,n.attr,a,b,arguments.length>1)},removeAttr:function(a){return this.each(function(){n.removeAttr(this,a)})}}),n.extend({attr:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return"undefined"==typeof a.getAttribute?n.prop(a,b,c):(1===f&&n.isXMLDoc(a)||(b=b.toLowerCase(),e=n.attrHooks[b]||(n.expr.match.bool.test(b)?ub:tb)),void 0!==c?null===c?void n.removeAttr(a,b):e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:(a.setAttribute(b,c+""),c):e&&"get"in e&&null!==(d=e.get(a,b))?d:(d=n.find.attr(a,b),null==d?void 0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ \t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to "+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)dc(c,a[c],b,e);return d.join("&").replace($b,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&cc.test(this.nodeName)&&!bc.test(a)&&(this.checked||!Z.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(ac,"\r\n")}}):{name:b.name,value:c.replace(ac,"\r\n")}}).get()}}),n.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return this.isLocal?ic():d.documentMode>8?hc():/^(get|post|head|put|delete|options)$/i.test(this.type)&&hc()||ic()}:hc;var ec=0,fc={},gc=n.ajaxSettings.xhr();a.attachEvent&&a.attachEvent("onunload",function(){for(var a in fc)fc[a](void 0,!0)}),l.cors=!!gc&&"withCredentials"in gc,gc=l.ajax=!!gc,gc&&n.ajaxTransport(function(b){if(!b.crossDomain||l.cors){var c;return{send:function(d,e){var f,g=b.xhr(),h=++ec;if(g.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(f in b.xhrFields)g[f]=b.xhrFields[f];b.mimeType&&g.overrideMimeType&&g.overrideMimeType(b.mimeType),b.crossDomain||d["X-Requested-With"]||(d["X-Requested-With"]="XMLHttpRequest");for(f in d)void 0!==d[f]&&g.setRequestHeader(f,d[f]+"");g.send(b.hasContent&&b.data||null),c=function(a,d){var f,i,j;if(c&&(d||4===g.readyState))if(delete fc[h],c=void 0,g.onreadystatechange=n.noop,d)4!==g.readyState&&g.abort();else{j={},f=g.status,"string"==typeof g.responseText&&(j.text=g.responseText);try{i=g.statusText}catch(k){i=""}f||!b.isLocal||b.crossDomain?1223===f&&(f=204):f=j.text?200:404}j&&e(f,i,j,g.getAllResponseHeaders())},b.async?4===g.readyState?a.setTimeout(c):g.onreadystatechange=fc[h]=c:c()},abort:function(){c&&c(void 0,!0)}}}});function hc(){try{return new a.XMLHttpRequest}catch(b){}}function ic(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f){b=d.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||f(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var jc=[],kc=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=jc.pop()||n.expando+"_"+Eb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(kc.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&kc.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(kc,"$1"+e):b.jsonp!==!1&&(b.url+=(Fb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?n(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,jc.push(e)),g&&n.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),n.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||d;var e=x.exec(a),f=!c&&[];return e?[b.createElement(e[1])]:(e=ja([a],b,f),f&&f.length&&n(f).remove(),n.merge([],e.childNodes))};var lc=n.fn.load;n.fn.load=function(a,b,c){if("string"!=typeof a&&lc)return lc.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>-1&&(d=n.trim(a.slice(h,a.length)),a=a.slice(0,h)),n.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(e="POST"),g.length>0&&n.ajax({url:a,type:e||"GET",dataType:"html",data:b}).done(function(a){f=arguments,g.html(d?n("<div>").append(n.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},n.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){n.fn[b]=function(a){return this.on(b,a)}}),n.expr.filters.animated=function(a){return n.grep(n.timers,function(b){return a===b.elem}).length};function mc(a){return n.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}n.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=n.css(a,"position"),l=n(a),m={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=n.css(a,"top"),i=n.css(a,"left"),j=("absolute"===k||"fixed"===k)&&n.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),n.isFunction(b)&&(b=b.call(a,c,n.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),"using"in b?b.using.call(a,m):l.css(m)}},n.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){n.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return b=f.documentElement,n.contains(b,e)?("undefined"!=typeof e.getBoundingClientRect&&(d=e.getBoundingClientRect()),c=mc(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===n.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),n.nodeName(a[0],"html")||(c=a.offset()),c.top+=n.css(a[0],"borderTopWidth",!0),c.left+=n.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-n.css(d,"marginTop",!0),left:b.left-c.left-n.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&!n.nodeName(a,"html")&&"static"===n.css(a,"position"))a=a.offsetParent;return a||Qa})}}),n.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);n.fn[a]=function(d){return Y(this,function(a,d,e){var f=mc(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?n(f).scrollLeft():e,c?e:n(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),n.each(["top","left"],function(a,b){n.cssHooks[b]=Ua(l.pixelPosition,function(a,c){return c?(c=Sa(a,b),Oa.test(c)?n(a).position()[b]+"px":c):void 0})}),n.each({Height:"height",Width:"width"},function(a,b){n.each({
padding:"inner"+a,content:b,"":"outer"+a},function(c,d){n.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return Y(this,function(b,c,d){var e;return n.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?n.css(b,c,g):n.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),n.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}}),n.fn.size=function(){return this.length},n.fn.andSelf=n.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return n});var nc=a.jQuery,oc=a.$;return n.noConflict=function(b){return a.$===n&&(a.$=oc),b&&a.jQuery===n&&(a.jQuery=nc),n},b||(a.jQuery=a.$=n),n});
(function($){var Node,Tree,methods;Node=(function(){function Node(row,tree,settings){var parentId;this.row=row;this.tree=tree;this.settings=settings;this.id=this.row.data(this.settings.nodeIdAttr);parentId=this.row.data(this.settings.parentIdAttr);if(parentId!=null&&parentId!=="")this.parentId=parentId;this.treeCell=$(this.row.children(this.settings.columnElType)[this.settings.column]);this.expander=$(this.settings.expanderTemplate);this.indenter=$(this.settings.indenterTemplate);this.children=[];this.initialized=false;this.treeCell.prepend(this.indenter);}Node.prototype.addChild=function(child){return this.children.push(child);};Node.prototype.ancestors=function(){var ancestors,node;node=this;ancestors=[];while(node=node.parentNode())ancestors.push(node);return ancestors;};Node.prototype.collapse=function(){if(this.collapsed())return this;this.row.removeClass("expanded").addClass("collapsed");this._hideChildren();this.expander.attr("title",this.settings.stringExpand);if(this.initialized&&this.settings.onNodeCollapse!=null)this.settings.onNodeCollapse.apply(this);return this;};Node.prototype.collapsed=function(){return this.row.hasClass("collapsed");};Node.prototype.expand=function(){if(this.expanded())return this;this.row.removeClass("collapsed").addClass("expanded");if(this.initialized&&this.settings.onNodeExpand!=null)this.settings.onNodeExpand.apply(this);if($(this.row).is(":visible"))this._showChildren();this.expander.attr("title",this.settings.stringCollapse);return this;};Node.prototype.expanded=function(){return this.row.hasClass("expanded");};Node.prototype.hide=function(){this._hideChildren();this.row.hide();return this;};Node.prototype.isBranchNode=function(){if(this.children.length>0||this.row.data(this.settings.branchAttr)===true)return true;else return false;};Node.prototype.updateBranchLeafClass=function(){this.row.removeClass('branch');this.row.removeClass('leaf');this.row.addClass(this.isBranchNode()?'branch':'leaf');};Node.prototype.level=function(){return this.ancestors().length;};Node.prototype.parentNode=function(){if(this.parentId!=null)return this.tree[this.parentId];else return null;};Node.prototype.removeChild=function(child){var i=$.inArray(child,this.children);return this.children.splice(i,1);};Node.prototype.render=function(){var handler,settings=this.settings,target;if(settings.expandable===true&&this.isBranchNode()){handler=function(e){$(this).parents("table").treetable("node",$(this).parents("tr").data(settings.nodeIdAttr)).toggle();return e.preventDefault();};this.indenter.html(this.expander);target=settings.clickableNodeNames===true?this.treeCell:this.expander;target.off("click.treetable").on("click.treetable",handler);target.off("keydown.treetable").on("keydown.treetable",function(e){if(e.keyCode==13)handler.apply(this,[e]);});}this.indenter[0].style.paddingLeft=""+(this.level()*settings.indent)+"px";return this;};Node.prototype.reveal=function(){if(this.parentId!=null)this.parentNode().reveal();return this.expand();};Node.prototype.setParent=function(node){if(this.parentId!=null)this.tree[this.parentId].removeChild(this);this.parentId=node.id;this.row.data(this.settings.parentIdAttr,node.id);return node.addChild(this);};Node.prototype.show=function(){if(!this.initialized)this._initialize();this.row.show();if(this.expanded())this._showChildren();return this;};Node.prototype.toggle=function(){if(this.expanded())this.collapse();else this.expand();return this;};Node.prototype._hideChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.hide());}return _results;};Node.prototype._initialize=function(){var settings=this.settings;this.render();if(settings.expandable===true&&settings.initialState==="collapsed")this.collapse();else this.expand();if(settings.onNodeInitialized!=null)settings.onNodeInitialized.apply(this);return this.initialized=true;};Node.prototype._showChildren=function(){var child,_i,_len,_ref,_results;_ref=this.children;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){child=_ref[_i];_results.push(child.show());}return _results;};return Node;})();Tree=(function(){function Tree(table,settings){this.table=table;this.settings=settings;this.tree={};this.nodes=[];this.roots=[];}Tree.prototype.collapseAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.collapse());}return _results;};Tree.prototype.expandAll=function(){var node,_i,_len,_ref,_results;_ref=this.nodes;_results=[];for(_i=0,_len=_ref.length;_i<_len;_i++){node=_ref[_i];_results.push(node.expand());}return _results;};Tree.prototype.findLastNode=function(node){if(node.children.length>0)return this.findLastNode(node.children[node.children.length-1]);else return node;};Tree.prototype.loadRows=function(rows){var node,row,i;if(rows!=null)for(i=0;i<rows.length;i++){row=$(rows[i]);if(row.data(this.settings.nodeIdAttr)!=null){node=new Node(row,this.tree,this.settings);this.nodes.push(node);this.tree[node.id]=node;if(node.parentId!=null&&this.tree[node.parentId])this.tree[node.parentId].addChild(node);else this.roots.push(node);}}for(i=0;i<this.nodes.length;i++)node=this.nodes[i].updateBranchLeafClass();return this;};Tree.prototype.move=function(node,destination){var nodeParent=node.parentNode();if(node!==destination&&destination.id!==node.parentId&&$.inArray(node,destination.ancestors())===-1){node.setParent(destination);this._moveRows(node,destination);if(node.parentNode().children.length===1)node.parentNode().render();}if(nodeParent)nodeParent.updateBranchLeafClass();if(node.parentNode())node.parentNode().updateBranchLeafClass();node.updateBranchLeafClass();return this;};Tree.prototype.removeNode=function(node){this.unloadBranch(node);node.row.remove();if(node.parentId!=null)node.parentNode().removeChild(node);delete this.tree[node.id];this.nodes.splice($.inArray(node,this.nodes),1);return this;};Tree.prototype.render=function(){var root,_i,_len,_ref;_ref=this.roots;for(_i=0,_len=_ref.length;_i<_len;_i++){root=_ref[_i];root.show();}return this;};Tree.prototype.sortBranch=function(node,sortFun){node.children.sort(sortFun);this._sortChildRows(node);return this;};Tree.prototype.unloadBranch=function(node){var children=node.children.slice(0),i;for(i=0;i<children.length;i++)this.removeNode(children[i]);node.children=[];node.updateBranchLeafClass();return this;};Tree.prototype._moveRows=function(node,destination){var children=node.children,i;node.row.insertAfter(destination.row);node.render();for(i=children.length-1;i>=0;i--)this._moveRows(children[i],node);};Tree.prototype._sortChildRows=function(parentNode){return this._moveRows(parentNode,parentNode);};return Tree;})();methods={init:function(options,force){var settings;settings=$.extend({branchAttr:"ttBranch",clickableNodeNames:false,column:0,columnElType:"td",expandable:false,expanderTemplate:"<a href='#'>&nbsp;</a>",indent:19,indenterTemplate:"<span class='indenter'></span>",initialState:"collapsed",nodeIdAttr:"ttId",parentIdAttr:"ttParentId",stringExpand:"Expand",stringCollapse:"Collapse",onInitialized:null,onNodeCollapse:null,onNodeExpand:null,onNodeInitialized:null},options);return this.each(function(){var el=$(this),tree;if(force||el.data("treetable")===undefined){tree=new Tree(this,settings);tree.loadRows(this.rows).render();el.addClass("treetable").data("treetable",tree);if(settings.onInitialized!=null)settings.onInitialized.apply(tree);}return el;});},destroy:function(){return this.each(function(){return $(this).removeData("treetable").removeClass("treetable");});},collapseAll:function(){this.data("treetable").collapseAll();return this;},collapseNode:function(id){var node=this.data("treetable").tree[id];if(node)node.collapse();else throw new Error("Unknown node '"+id+"'");return this;},expandAll:function(){this.data("treetable").expandAll();return this;},expandNode:function(id){var node=this.data("treetable").tree[id];if(node){if(!node.initialized)node._initialize();node.expand();}else throw new Error("Unknown node '"+id+"'");return this;},loadBranch:function(node,rows){var settings=this.data("treetable").settings,tree=this.data("treetable").tree;rows=$(rows);if(node==null)this.append(rows);else{var lastNode=this.data("treetable").findLastNode(node);rows.insertAfter(lastNode.row);}this.data("treetable").loadRows(rows);rows.filter("tr").each(function(){tree[$(this).data(settings.nodeIdAttr)].show();});if(node!=null)node.render().expand();return this;},move:function(nodeId,destinationId){var destination,node;node=this.data("treetable").tree[nodeId];destination=this.data("treetable").tree[destinationId];this.data("treetable").move(node,destination);return this;},node:function(id){return this.data("treetable").tree[id];},removeNode:function(id){var node=this.data("treetable").tree[id];if(node)this.data("treetable").removeNode(node);else throw new Error("Unknown node '"+id+"'");return this;},reveal:function(id){var node=this.data("treetable").tree[id];if(node)node.reveal();else throw new Error("Unknown node '"+id+"'");return this;},sortBranch:function(node,columnOrFunction){var settings=this.data("treetable").settings,prepValue,sortFun;columnOrFunction=columnOrFunction||settings.column;sortFun=columnOrFunction;if($.isNumeric(columnOrFunction))sortFun=function(a,b){var extractValue,valA,valB;extractValue=function(node){var val=node.row.find("td:eq("+columnOrFunction+")").text();return $.trim(val).toUpperCase();};valA=extractValue(a);valB=extractValue(b);if(valA<valB)return -1;if(valA>valB)return 1;return 0;};this.data("treetable").sortBranch(node,sortFun);return this;},unloadBranch:function(node){this.data("treetable").unloadBranch(node);return this;}};$.fn.treetable=function(method){if(methods[method])return methods[method].apply(this,Array.prototype.slice.call(arguments,1));else if(typeof method==='object'||!method)return methods.init.apply(this,arguments);else return $.error("Method "+method+" does not exist on jQuery.treetable");};this.TreeTable||(this.TreeTable={});this.TreeTable.Node=Node;this.TreeTable.Tree=Tree;})(jQuery);if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery");+function(t){"use strict";var e=t.fn.jquery.split(" ")[0].split(".");if(e[0]<2&&e[1]<9||1==e[0]&&9==e[1]&&e[2]<1||e[0]>3)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher, but lower than version 4");}(jQuery),+function(t){"use strict";function e(e){return this.each(function(){var i=t(this),o=i.data("bs.alert");o||i.data("bs.alert",o=new n(this)),"string"==typeof e&&o[e].call(i);});}var i='[data-dismiss="alert"]',n=function(e){t(e).on("click",i,this.close);};n.VERSION="3.3.7",n.TRANSITION_DURATION=150,n.prototype.close=function(e){function i(){a.detach().trigger("closed.bs.alert").remove();}var o=t(this),s=o.attr("data-target");s||(s=o.attr("href"),s=s&&s.replace(/.*(?=#[^\s]*$)/,""));var a=t("#"===s?[]:s);e&&e.preventDefault(),a.length||(a=o.closest(".alert")),a.trigger(e=t.Event("close.bs.alert")),e.isDefaultPrevented()||(a.removeClass("in"),t.support.transition&&a.hasClass("fade")?a.one("bsTransitionEnd",i).emulateTransitionEnd(n.TRANSITION_DURATION):i());};var o=t.fn.alert;t.fn.alert=e,t.fn.alert.Constructor=n,t.fn.alert.noConflict=function(){return t.fn.alert=o,this;},t(document).on("click.bs.alert.data-api",i,n.prototype.close);}(jQuery),+function(t){"use strict";function e(e){var i=e.attr("data-target");i||(i=e.attr("href"),i=i&&/#[A-Za-z]/.test(i)&&i.replace(/.*(?=#[^\s]*$)/,""));var n=i&&t(i);return n&&n.length?n:e.parent();}function i(i){i&&3===i.which||(t(o).remove(),t(s).each(function(){var n=t(this),o=e(n),s={relatedTarget:this};o.hasClass("open")&&(i&&"click"==i.type&&/input|textarea/i.test(i.target.tagName)&&t.contains(o[0],i.target)||(o.trigger(i=t.Event("hide.bs.dropdown",s)),i.isDefaultPrevented()||(n.attr("aria-expanded","false"),o.removeClass("open").trigger(t.Event("hidden.bs.dropdown",s)))));}));}function n(e){return this.each(function(){var i=t(this),n=i.data("bs.dropdown");n||i.data("bs.dropdown",n=new a(this)),"string"==typeof e&&n[e].call(i);});}var o=".dropdown-backdrop",s='[data-toggle="dropdown"]',a=function(e){t(e).on("click.bs.dropdown",this.toggle);};a.VERSION="3.3.7",a.prototype.toggle=function(n){var o=t(this);if(!o.is(".disabled, :disabled")){var s=e(o),a=s.hasClass("open");if(i(),!a){"ontouchstart" in document.documentElement&&!s.closest(".navbar-nav").length&&t(document.createElement("div")).addClass("dropdown-backdrop").insertAfter(t(this)).on("click",i);var r={relatedTarget:this};if(s.trigger(n=t.Event("show.bs.dropdown",r)),n.isDefaultPrevented())return;o.trigger("focus").attr("aria-expanded","true"),s.toggleClass("open").trigger(t.Event("shown.bs.dropdown",r));}return !1;}},a.prototype.keydown=function(i){if(/(38|40|27|32)/.test(i.which)&&!/input|textarea/i.test(i.target.tagName)){var n=t(this);if(i.preventDefault(),i.stopPropagation(),!n.is(".disabled, :disabled")){var o=e(n),a=o.hasClass("open");if(!a&&27!=i.which||a&&27==i.which)return 27==i.which&&o.find(s).trigger("focus"),n.trigger("click");var r=" li:not(.disabled):visible a",d=o.find(".dropdown-menu"+r);if(d.length){var l=d.index(i.target);38==i.which&&l>0&&l--,40==i.which&&l<d.length-1&&l++,~l||(l=0),d.eq(l).trigger("focus");}}}};var r=t.fn.dropdown;t.fn.dropdown=n,t.fn.dropdown.Constructor=a,t.fn.dropdown.noConflict=function(){return t.fn.dropdown=r,this;},t(document).on("click.bs.dropdown.data-api",i).on("click.bs.dropdown.data-api",".dropdown form",function(t){t.stopPropagation();}).on("click.bs.dropdown.data-api",s,a.prototype.toggle).on("keydown.bs.dropdown.data-api",s,a.prototype.keydown).on("keydown.bs.dropdown.data-api",".dropdown-menu",a.prototype.keydown);}(jQuery),+function(t){"use strict";function e(e,n){return this.each(function(){var o=t(this),s=o.data("bs.modal"),a=t.extend({},i.DEFAULTS,o.data(),"object"==typeof e&&e);s||o.data("bs.modal",s=new i(this,a)),"string"==typeof e?s[e](n):a.show&&s.show(n);});}var i=function(e,i){this.options=i,this.$body=t(document.body),this.$element=t(e),this.$dialog=this.$element.find(".modal-dialog"),this.$backdrop=null,this.isShown=null,this.originalBodyPad=null,this.scrollbarWidth=0,this.ignoreBackdropClick=!1,this.options.remote&&this.$element.find(".modal-content").load(this.options.remote,t.proxy(function(){this.$element.trigger("loaded.bs.modal");},this));};i.VERSION="3.3.7",i.TRANSITION_DURATION=300,i.BACKDROP_TRANSITION_DURATION=150,i.DEFAULTS={backdrop:!0,keyboard:!0,show:!0},i.prototype.toggle=function(t){return this.isShown?this.hide():this.show(t);},i.prototype.show=function(e){var n=this,o=t.Event("show.bs.modal",{relatedTarget:e});this.$element.trigger(o),this.isShown||o.isDefaultPrevented()||(this.isShown=!0,this.checkScrollbar(),this.setScrollbar(),this.$body.addClass("modal-open"),this.escape(),this.resize(),this.$element.on("click.dismiss.bs.modal",'[data-dismiss="modal"]',t.proxy(this.hide,this)),this.$dialog.on("mousedown.dismiss.bs.modal",function(){n.$element.one("mouseup.dismiss.bs.modal",function(e){t(e.target).is(n.$element)&&(n.ignoreBackdropClick=!0);});}),this.backdrop(function(){var o=t.support.transition&&n.$element.hasClass("fade");n.$element.parent().length||n.$element.appendTo(n.$body),n.$element.show().scrollTop(0),n.adjustDialog(),o&&n.$element[0].offsetWidth,n.$element.addClass("in"),n.enforceFocus();var s=t.Event("shown.bs.modal",{relatedTarget:e});o?n.$dialog.one("bsTransitionEnd",function(){n.$element.trigger("focus").trigger(s);}).emulateTransitionEnd(i.TRANSITION_DURATION):n.$element.trigger("focus").trigger(s);}));},i.prototype.hide=function(e){e&&e.preventDefault(),e=t.Event("hide.bs.modal"),this.$element.trigger(e),this.isShown&&!e.isDefaultPrevented()&&(this.isShown=!1,this.escape(),this.resize(),t(document).off("focusin.bs.modal"),this.$element.removeClass("in").off("click.dismiss.bs.modal").off("mouseup.dismiss.bs.modal"),this.$dialog.off("mousedown.dismiss.bs.modal"),t.support.transition&&this.$element.hasClass("fade")?this.$element.one("bsTransitionEnd",t.proxy(this.hideModal,this)).emulateTransitionEnd(i.TRANSITION_DURATION):this.hideModal());},i.prototype.enforceFocus=function(){t(document).off("focusin.bs.modal").on("focusin.bs.modal",t.proxy(function(t){document===t.target||this.$element[0]===t.target||this.$element.has(t.target).length||this.$element.trigger("focus");},this));},i.prototype.escape=function(){this.isShown&&this.options.keyboard?this.$element.on("keydown.dismiss.bs.modal",t.proxy(function(t){27==t.which&&this.hide();},this)):this.isShown||this.$element.off("keydown.dismiss.bs.modal");},i.prototype.resize=function(){this.isShown?t(window).on("resize.bs.modal",t.proxy(this.handleUpdate,this)):t(window).off("resize.bs.modal");},i.prototype.hideModal=function(){var t=this;this.$element.hide(),this.backdrop(function(){t.$body.removeClass("modal-open"),t.resetAdjustments(),t.resetScrollbar(),t.$element.trigger("hidden.bs.modal");});},i.prototype.removeBackdrop=function(){this.$backdrop&&this.$backdrop.remove(),this.$backdrop=null;},i.prototype.backdrop=function(e){var n=this,o=this.$element.hasClass("fade")?"fade":"";if(this.isShown&&this.options.backdrop){var s=t.support.transition&&o;if(this.$backdrop=t(document.createElement("div")).addClass("modal-backdrop "+o).appendTo(this.$body),this.$element.on("click.dismiss.bs.modal",t.proxy(function(t){return this.ignoreBackdropClick?void (this.ignoreBackdropClick=!1):void (t.target===t.currentTarget&&("static"==this.options.backdrop?this.$element[0].focus():this.hide()));},this)),s&&this.$backdrop[0].offsetWidth,this.$backdrop.addClass("in"),!e)return;s?this.$backdrop.one("bsTransitionEnd",e).emulateTransitionEnd(i.BACKDROP_TRANSITION_DURATION):e();}else if(!this.isShown&&this.$backdrop){this.$backdrop.removeClass("in");var a=function(){n.removeBackdrop(),e&&e();};t.support.transition&&this.$element.hasClass("fade")?this.$backdrop.one("bsTransitionEnd",a).emulateTransitionEnd(i.BACKDROP_TRANSITION_DURATION):a();}else e&&e();},i.prototype.handleUpdate=function(){this.adjustDialog();},i.prototype.adjustDialog=function(){var t=this.$element[0].scrollHeight>document.documentElement.clientHeight;this.$element.css({paddingLeft:!this.bodyIsOverflowing&&t?this.scrollbarWidth:"",paddingRight:this.bodyIsOverflowing&&!t?this.scrollbarWidth:""});},i.prototype.resetAdjustments=function(){this.$element.css({paddingLeft:"",paddingRight:""});},i.prototype.checkScrollbar=function(){var t=window.innerWidth;if(!t){var e=document.documentElement.getBoundingClientRect();t=e.right-Math.abs(e.left);}this.bodyIsOverflowing=document.body.clientWidth<t,this.scrollbarWidth=this.measureScrollbar();},i.prototype.setScrollbar=function(){var t=parseInt(this.$body.css("padding-right")||0,10);this.originalBodyPad=document.body.style.paddingRight||"",this.bodyIsOverflowing&&this.$body.css("padding-right",t+this.scrollbarWidth);},i.prototype.resetScrollbar=function(){this.$body.css("padding-right",this.originalBodyPad);},i.prototype.measureScrollbar=function(){var t=document.createElement("div");t.className="modal-scrollbar-measure",this.$body.append(t);var e=t.offsetWidth-t.clientWidth;return this.$body[0].removeChild(t),e;};var n=t.fn.modal;t.fn.modal=e,t.fn.modal.Constructor=i,t.fn.modal.noConflict=function(){return t.fn.modal=n,this;},t(document).on("click.bs.modal.data-api",'[data-toggle="modal"]',function(i){var n=t(this),o=n.attr("href"),s=t(n.attr("data-target")||o&&o.replace(/.*(?=#[^\s]+$)/,"")),a=s.data("bs.modal")?"toggle":t.extend({remote:!/#/.test(o)&&o},s.data(),n.data());n.is("a")&&i.preventDefault(),s.one("show.bs.modal",function(t){t.isDefaultPrevented()||s.one("hidden.bs.modal",function(){n.is(":visible")&&n.trigger("focus");});}),e.call(s,a,this);});}(jQuery),+function(t){"use strict";function e(e){var i,n=e.attr("data-target")||(i=e.attr("href"))&&i.replace(/.*(?=#[^\s]+$)/,"");return t(n);}function i(e){return this.each(function(){var i=t(this),o=i.data("bs.collapse"),s=t.extend({},n.DEFAULTS,i.data(),"object"==typeof e&&e);!o&&s.toggle&&/show|hide/.test(e)&&(s.toggle=!1),o||i.data("bs.collapse",o=new n(this,s)),"string"==typeof e&&o[e]();});}var n=function(e,i){this.$element=t(e),this.options=t.extend({},n.DEFAULTS,i),this.$trigger=t('[data-toggle="collapse"][href="#'+e.id+'"],[data-toggle="collapse"][data-target="#'+e.id+'"]'),this.transitioning=null,this.options.parent?this.$parent=this.getParent():this.addAriaAndCollapsedClass(this.$element,this.$trigger),this.options.toggle&&this.toggle();};n.VERSION="3.3.7",n.TRANSITION_DURATION=350,n.DEFAULTS={toggle:!0},n.prototype.dimension=function(){var t=this.$element.hasClass("width");return t?"width":"height";},n.prototype.show=function(){if(!this.transitioning&&!this.$element.hasClass("in")){var e,o=this.$parent&&this.$parent.children(".panel").children(".in, .collapsing");if(!(o&&o.length&&(e=o.data("bs.collapse"),e&&e.transitioning))){var s=t.Event("show.bs.collapse");if(this.$element.trigger(s),!s.isDefaultPrevented()){o&&o.length&&(i.call(o,"hide"),e||o.data("bs.collapse",null));var a=this.dimension();this.$element.removeClass("collapse").addClass("collapsing")[a](0).attr("aria-expanded",!0),this.$trigger.removeClass("collapsed").attr("aria-expanded",!0),this.transitioning=1;var r=function(){this.$element.removeClass("collapsing").addClass("collapse in")[a](""),this.transitioning=0,this.$element.trigger("shown.bs.collapse");};if(!t.support.transition)return r.call(this);var d=t.camelCase(["scroll",a].join("-"));this.$element.one("bsTransitionEnd",t.proxy(r,this)).emulateTransitionEnd(n.TRANSITION_DURATION)[a](this.$element[0][d]);}}}},n.prototype.hide=function(){if(!this.transitioning&&this.$element.hasClass("in")){var e=t.Event("hide.bs.collapse");if(this.$element.trigger(e),!e.isDefaultPrevented()){var i=this.dimension();this.$element[i](this.$element[i]())[0].offsetHeight,this.$element.addClass("collapsing").removeClass("collapse in").attr("aria-expanded",!1),this.$trigger.addClass("collapsed").attr("aria-expanded",!1),this.transitioning=1;var o=function(){this.transitioning=0,this.$element.removeClass("collapsing").addClass("collapse").trigger("hidden.bs.collapse");};return t.support.transition?void this.$element[i](0).one("bsTransitionEnd",t.proxy(o,this)).emulateTransitionEnd(n.TRANSITION_DURATION):o.call(this);}}},n.prototype.toggle=function(){this[this.$element.hasClass("in")?"hide":"show"]();},n.prototype.getParent=function(){return t(this.options.parent).find('[data-toggle="collapse"][data-parent="'+this.options.parent+'"]').each(t.proxy(function(i,n){var o=t(n);this.addAriaAndCollapsedClass(e(o),o);},this)).end();},n.prototype.addAriaAndCollapsedClass=function(t,e){var i=t.hasClass("in");t.attr("aria-expanded",i),e.toggleClass("collapsed",!i).attr("aria-expanded",i);};var o=t.fn.collapse;t.fn.collapse=i,t.fn.collapse.Constructor=n,t.fn.collapse.noConflict=function(){return t.fn.collapse=o,this;},t(document).on("click.bs.collapse.data-api",'[data-toggle="collapse"]',function(n){var o=t(this);o.attr("data-target")||n.preventDefault();var s=e(o),a=s.data("bs.collapse"),r=a?"toggle":o.data();i.call(s,r);});}(jQuery),+function(t){"use strict";function e(){var t=document.createElement("bootstrap"),e={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var i in e)if(void 0!==t.style[i])return{end:e[i]};return !1;}t.fn.emulateTransitionEnd=function(e){var i=!1,n=this;t(this).one("bsTransitionEnd",function(){i=!0;});var o=function(){i||t(n).trigger(t.support.transition.end);};return setTimeout(o,e),this;},t(function(){t.support.transition=e(),t.support.transition&&(t.event.special.bsTransitionEnd={bindType:t.support.transition.end,delegateType:t.support.transition.end,handle:function(e){return t(e.target).is(this)?e.handleObj.handler.apply(this,arguments):void 0;}});});}(jQuery);function openRuleDetailsDialog(rule_result_id){$("#detail-modal").remove();var closebutton=$('<button type="button" class="close btn btn-sm btn-default" data-dismiss="modal" aria-hidden="true" title="Close">&#x274c;</button>');var modal=$('<div id="detail-modal" class="modal fade" tabindex="-1" role="dialog" aria-hidden="true"><div id="detail-modal-body" class="modal-body"></div></div>');$("body").prepend(modal);var clone=$("#rule-detail-"+rule_result_id).clone();clone.attr("id","");clone.children(".panel-heading").append(closebutton);closebutton.css({"float":"right"});closebutton.css({"margin-top":"-=23px"});$("#detail-modal-body").append(clone);$("#detail-modal").modal();return false;}function toggleRuleDisplay(checkbox){var result=checkbox.value;if(checkbox.checked){$(".rule-overview-leaf-"+result).removeClass("rule-result-filtered");$(".rule-detail-"+result).removeClass("rule-result-filtered");}else{$(".rule-overview-leaf-"+result).addClass("rule-result-filtered");$(".rule-detail-"+result).addClass("rule-result-filtered");}stripeTreeTable();}function toggleResultDetails(button){var result_details=$("#result-details");if(result_details.is(":visible")){result_details.hide();$(button).html("Show all result details");}else{result_details.show();$(button).html("Hide all result details");}return false;}function ruleSearchMatches(detail_leaf,keywords){if(keywords.length==0)return true;var match=true;var checked_keywords=detail_leaf.children(".keywords").text().toLowerCase();var index;for(index=0;index<keywords.length;++index)if(checked_keywords.indexOf(keywords[index].toLowerCase())<0){match=false;break;}return match;}function ruleSearch(){var search_input=$("#search-input").val();var keywords=search_input.split(/[\s,\.;]+/);var matches=0;$(".rule-detail").each(function(){var rrid=$(this).attr("id").substring(12);var overview_leaf=$("#rule-overview-leaf-"+rrid);var detail_leaf=$(this);if(ruleSearchMatches(detail_leaf,keywords)){overview_leaf.removeClass("search-no-match");detail_leaf.removeClass("search-no-match");++matches;}else{overview_leaf.addClass("search-no-match");detail_leaf.addClass("search-no-match");}});if(!search_input)$("#search-matches").html("");else if(matches>0)$("#search-matches").html(matches.toString()+" rules match.");else $("#search-matches").html("No rules match your search criteria!");}var is_original=true;var original_treetable=null;$(document).ready(function(){$("#result-details").hide();$(".js-only").show();$(".form-group select").val("default");$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});original_treetable=$(".treetable").clone();$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});is_original=true;stripeTreeTable();});function resetTreetable(){if(!is_original){$(".treetable").remove();$("#rule-overview").append(original_treetable.clone());$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});$(".toggle-rule-display").each(function(){toggleRuleDisplay(this);});is_original=true;}}function newGroupLine(key,group_name){var maxKeyLength=24;if(key.length>maxKeyLength)key=key.substring(0,maxKeyLength-1)+"…";return "<tr class=\"rule-overview-inner-node\" data-tt-id=\""+group_name+"\">"+"<td colspan=\"3\"><small>"+key+"</small> = <strong>"+group_name+"</strong></td></tr>";}var KeysEnum={DEFAULT:"default",SEVERITY:"severity",RESULT:"result",NIST:"NIST SP 800-53 ID",DISA_CCI:"DISA CCI",DISA_SRG:"DISA SRG",DISA_STIG_ID:"DISA STIG ID",PCI_DSS:"PCI DSS Requirement",CIS:"CIS Recommendation"};function getTargetGroupsList(rule,key){switch(key){case KeysEnum.SEVERITY:var severity=rule.children(".rule-severity").text();return [severity];case KeysEnum.RESULT:var result=rule.children(".rule-result").text();return [result];default:try{var references=JSON.parse(rule.attr("data-references"));}catch(err){return ["unknown"];}if(!references.hasOwnProperty(key))return ["unknown"];return references[key];}}function sortGroups(groups,key){switch(key){case KeysEnum.SEVERITY:return ["high","medium","low"];case KeysEnum.RESULT:return groups.sort();default:return groups.sort(function(a,b){var a_parts=a.split(/[.()-]/);var b_parts=b.split(/[.()-]/);var result=0;var min_length=Math.min(a_parts.length,b_parts.length);var number=/^[1-9][0-9]*$/;for(i=0;i<min_length&&result==0;i++)if(a_parts[i].match(number)==null||a_parts[i].match(number)==null)result=a_parts[i].localeCompare(b_parts[i]);else result=parseInt(a_parts[i])-parseInt(b_parts[i]);if(result==0)result=a_parts.length-b_parts.length;return result;});}}function groupRulesBy(key){resetTreetable();if(key==KeysEnum.DEFAULT)return;var lines={};$(".rule-overview-leaf").each(function(){$(this).children("td:first").css("padding-left","0px");var id=$(this).attr("data-tt-id");var target_groups=getTargetGroupsList($(this),key);for(i=0;i<target_groups.length;i++){var target_group=target_groups[i];if(!lines.hasOwnProperty(target_group))lines[target_group]=[newGroupLine(key,target_group)];var clone=$(this).clone();clone.attr("data-tt-id",id+"copy"+i);clone.attr("data-tt-parent-id",target_group);var new_line=clone.wrap("<div>").parent().html();lines[target_group].push(new_line);}});$(".treetable").remove();var groups=sortGroups(Object.keys(lines),key);var html_text="";for(i=0;i<groups.length;i++)html_text+=lines[groups[i]].join("\n");new_table="<table class=\"treetable table table-bordered\"><thead><tr><th>Group</th> <th style=\"width: 120px; text-align: center\">Severity</th><th style=\"width: 120px; text-align: center\">Result</th></tr></thead><tbody>"+html_text+"</tbody></table>";$("#rule-overview").append(new_table);is_original=false;$(".treetable").treetable({column:0,expandable:true,clickableNodeNames:true,initialState:"expanded",indent:0});stripeTreeTable();}function stripeTreeTable(){var rows=$(".rule-overview-leaf:not(.rule-result-filtered)");var even=false;$(rows).each(function(){$(this).css("background-color",even?"#F9F9F9":"inherit");even=!even;});}</script></head><body><nav class="navbar navbar-default" role="navigation"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="52" height="52" id="svg2"><g transform="matrix(0.75266991,0,0,0.75266991,-17.752968,-104.57468)" id="g32"><path d="m 24.7,173.5 c 0,-9 3.5,-17.5 9.9,-23.9 6.8,-6.8 15.7,-10.4 25,-10 8.6,0.3 16.9,3.9 22.9,9.8 6.4,6.4 9.9,14.9 10,23.8 0.1,9.1 -3.5,17.8 -10,24.3 -13.2,13.2 -34.7,13.1 -48,-0.1 -1.5,-1.5 -1.9,-4.2 0.2,-6.2 l 9,-9 c -2,-3.6 -4.9,-13.1 2.6,-20.7 7.6,-7.6 18.6,-6 24.4,-0.2 3.3,3.3 5.1,7.6 5.1,12.1 0.1,4.6 -1.8,9.1 -5.3,12.5 -4.2,4.2 -10.2,5.8 -16.1,4.4 -1.5,-0.4 -2.4,-1.9 -2.1,-3.4 0.4,-1.5 1.9,-2.4 3.4,-2.1 4.1,1 8,-0.1 10.9,-2.9 2.3,-2.3 3.6,-5.3 3.6,-8.4 0,0 0,-0.1 0,-0.1 0,-3 -1.3,-5.9 -3.5,-8.2 -3.9,-3.9 -11.3,-4.9 -16.5,0.2 -6.3,6.3 -1.6,14.1 -1.6,14.2 1.5,2.4 0.7,5 -0.9,6.3 l -8.4,8.4 c 9.9,8.9 27.2,11.2 39.1,-0.8 5.4,-5.4 8.4,-12.5 8.4,-20 0,-0.1 0,-0.2 0,-0.3 -0.1,-7.5 -3,-14.6 -8.4,-19.9 -5,-5 -11.9,-8 -19.1,-8.2 -7.8,-0.3 -15.2,2.7 -20.9,8.4 -8.7,8.7 -8.7,19 -7.9,24.3 0.3,2.4 1.1,4.9 2.2,7.3 0.6,1.4 0,3.1 -1.4,3.7 -1.4,0.6 -3.1,0 -3.7,-1.4 -1.3,-2.9 -2.2,-5.8 -2.6,-8.7 -0.3,-1.7 -0.4,-3.5 -0.4,-5.2 z" id="path34" style="fill:#12497f"></path></g></svg></a><div><h1>OpenSCAP Security Guide</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><div class="col-md-8 well well-lg"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 6</h2><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br>
<a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a></div><div class="description">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 6. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation.  The SCAP content is
is available in the <code>scap-security-guide</code> package which is developed at
<a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>.
<br>
<br>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <i>catalog, not a
checklist,</i> and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF <i>Profiles</i>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 6,
which provides required settings for US Department of Defense systems, is
one example of a baseline created from this guidance.
</div><div class="top-spacer-10"><div class="alert alert-info"><div>
<p>This benchmark is a direct port of a <i>SCAP Security Guide </i> benchmark developed for <i>Red Hat Enterprise Linux</i>. It has been modified through an automated process to remove specific dependencies on <i>Red Hat Enterprise Linux</i> and to function with <i>Scientifc Linux</i>. The result is a generally useful <i>SCAP Security Guide</i> benchmark with the following caveats:</p>
<ul>
<li><i>Scientifc Linux</i> is not an exact copy of <i>Red Hat Enterprise Linux</i>. Scientific Linux is a Linux distribution produced by <i>Fermi National Accelerator Laboratory</i>. It is a free and open source operating system based on <i>Red Hat Enterprise Linux</i> and aims to be "as close to the commercial enterprise distribution as we can get it." There may be configuration differences that produce false positives and/or false negatives. If this occurs please file a bug report.</li>

<li><i>Scientifc Linux</i> is derived from the free and open source software made available by Red Hat, but it is not produced, maintained or supported by <i>Red Hat</i>. <i>Scientifc Linux</i> has its own build system, compiler options, patchsets, and is a community supported, non-commercial operating system. <i>Scientifc Linux</i> does not inherit certifications or evaluations from <i>Red Hat Enterprise Linux</i>. As such, some configuration rules (such as those requiring <i>FIPS 140-2</i> encryption) will continue to fail on <i>Scientifc Linux</i>.</li>
</ul>

<p>Members of the <i>Scientifc Linux</i> community are invited to participate in <a href="http://open-scap.org">OpenSCAP</a> and <a href="https://github.com/OpenSCAP/scap-security-guide">SCAP Security Guide</a> development. Bug reports and patches can be sent to GitHub: <a href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>. The mailing list is at <a href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div class="alert alert-info">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.</div></div></div><table class="table table-bordered"><tr><th>Profile ID</th><td><abbr title="No profile was selected.">(default)</abbr></td></tr></table></div><div class="col-md-4"><h2>Revision History</h2><p>Current version: <strong>0.1.31</strong></p><ul><li><strong>draft</strong>
                            (as of 2017-08-11)
                        </li></ul><h2>Platforms</h2><ul class="list-group"><li class="list-group-item"><span class="label label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li class="list-group-item"><span class="label label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li class="list-group-item"><span class="label label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li class="list-group-item"><span class="label label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation functions used by the SCAP Security Guide Project</a></li><li><a href="#xccdf_org.ssgproject.content_group_intro">Introduction</a></li><ol><li><a href="#xccdf_org.ssgproject.content_group_general-principles">General Principles</a></li><li><a href="#xccdf_org.ssgproject.content_group_how-to-use">How to Use This Guide</a></li></ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a></li><ol><li><a href="#xccdf_org.ssgproject.content_group_entropy">Protect Random-Number Entropy Pool</a></li><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li></ol><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li></ol><li><a href="#xccdf_org.ssgproject.content_group_srg_support">Documentation to Support DISA OS SRG Mapping</a></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 0px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"><h3 id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation functions used by the SCAP Security Guide Project
                          <a class="small" href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>XCCDF form of the various remediation functions as used by
remediation scripts from the SCAP Security Guide Project</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_intro" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"><h3 id="xccdf_org.ssgproject.content_group_intro">Introduction
                          <a class="small" href="#xccdf_org.ssgproject.content_group_intro">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The purpose of this guidance is to provide security configuration
recommendations and baselines for the Red Hat Enterprise Linux 6 operating
system. Recommended settings for the basic operating system are provided,
as well as for many network services that the system can provide to other systems.
The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well
as some familiarity with the product's documentation and administration
conventions. Some instructions within this guide are complex.
All directions should be followed completely and with understanding of
their effects in order to avoid serious adverse effects on the system
and its security.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_intro" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_general-principles" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_general-principles" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_intro"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_general-principles">General Principles
                          <a class="small" href="#xccdf_org.ssgproject.content_group_general-principles">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The following general principles motivate much of the advice in this
guide and should also influence any configuration decisions that are
not explicitly covered.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_general-principles" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_intro"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">Encrypt Transmitted Data Whenever Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Data transmitted over a network, whether wired or wireless, is susceptible
to passive monitoring. Whenever practical solutions for encrypting
such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly
important. Networks of Red Hat Enterprise Linux 6 machines can and should be configured
so that no unencrypted authentication data is ever transmitted between
machines.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-minimize-software" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-minimize-software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_principle-minimize-software">Minimize Software to Minimize Vulnerability
                          <a class="small" href="#xccdf_org.ssgproject.content_group_principle-minimize-software">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The simplest way to avoid vulnerabilities in software is to avoid
installing that software. On Red Hat Enterprise Linux 6,
the RPM Package Manager (originally Red Hat
Package Manager, abbreviated RPM)
allows for careful management of
the set of software packages installed on a system. Installed software
contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give
this opportunity to network-based attackers. Packages that include
programs which are predictably executed by local users (e.g. after
graphical login) may provide opportunities for trojan horses or other
attack code to be run undetected. The number of software packages
installed on a system can almost always be significantly pruned to include
only the software for which there is an environmental or operational need.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_principle-minimize-software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-separate-servers" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-separate-servers" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_principle-separate-servers">Run Different Network Services on Separate Systems
                          <a class="small" href="#xccdf_org.ssgproject.content_group_principle-separate-servers">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Whenever possible, a server should be dedicated to serving exactly one
network service. This limits the number of other services that can
be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_principle-separate-servers" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-use-security-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-use-security-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_principle-use-security-tools">Configure Security Tools to Improve System Robustness
                          <a class="small" href="#xccdf_org.ssgproject.content_group_principle-use-security-tools">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Several tools exist which can be effectively used to improve a system's
resistance to and detection of unknown attacks. These tools can improve
robustness against attack at the cost of relatively little configuration
effort. In particular, this guide recommends and discusses the use of
host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for
detection of problems.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_principle-use-security-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_principle-least-privilege" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_principle-least-privilege" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_principle-least-privilege">Least Privilege
                          <a class="small" href="#xccdf_org.ssgproject.content_group_principle-least-privilege">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, <code>sudo</code> can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_principle-least-privilege" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_general-principles"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_how-to-use" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_how-to-use" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_intro"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_how-to-use">How to Use This Guide
                          <a class="small" href="#xccdf_org.ssgproject.content_group_how-to-use">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Readers should heed the following points when using the guide.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_how-to-use" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_intro"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-read-sections-completely" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_intro-read-sections-completely" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_intro-read-sections-completely">Read Sections Completely and in Order
                          <a class="small" href="#xccdf_org.ssgproject.content_group_intro-read-sections-completely">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Each section may build on information and recommendations discussed in
prior sections. Each section should be read and understood completely;
instructions should never be blindly applied. Relevant discussion may
occur after instructions for an action. 
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_intro-read-sections-completely" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-test-non-production" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_intro-test-non-production" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_intro-test-non-production">Test in Non-Production Environment
                          <a class="small" href="#xccdf_org.ssgproject.content_group_intro-test-non-production">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
This guidance should always be tested in a non-production environment
before deployment. This test environment should simulate the setup in
which the system will be deployed as closely as possible.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_intro-test-non-production" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_intro-root-shell-assumed" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed">Root Shell Environment Assumed
                          <a class="small" href="#xccdf_org.ssgproject.content_group_intro-root-shell-assumed">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
<code>/bin/bash</code> shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via <code>sudo</code> whenever possible, or use
<code>su</code> to gain root privileges if <code>sudo</code> cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_intro-root-shell-assumed" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-formatting-conventions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_intro-formatting-conventions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_intro-formatting-conventions">Formatting Conventions
                          <a class="small" href="#xccdf_org.ssgproject.content_group_intro-formatting-conventions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Commands intended for shell execution, as well as configuration file text,
are featured in a <code>monospace font</code>. <i>Italics</i> are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_intro-formatting-conventions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_intro-reboot-required" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_intro-reboot-required" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_intro-reboot-required">Reboot Required
                          <a class="small" href="#xccdf_org.ssgproject.content_group_intro-reboot-required">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
A system reboot is implicitly required after some actions in order to
complete the reconfiguration of the system. In many cases, the changes
will not take effect until a reboot is performed. In order to ensure
that changes are applied properly and to test functionality, always
reboot the system after applying a set of recommendations from this guide.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_intro-reboot-required" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_how-to-use"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"><h3 id="xccdf_org.ssgproject.content_group_system">System Settings
                          <a class="small" href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Contains rules that check correct system settings.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_entropy" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_entropy" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_entropy">Protect Random-Number Entropy Pool
                          <a class="small" href="#xccdf_org.ssgproject.content_group_entropy">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The I/O operations of the Linux kernel block layer due to their inherently
unpredictable execution times have been traditionally considered as a reliable
source to contribute to random-number entropy pool of the Linux kernel. This
has changed with introduction of solid-state storage devices (SSDs) though.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_entropy" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software
                          <a class="small" href="#xccdf_org.ssgproject.content_group_software">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disk_partitioning">Disk Partitioning
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a><span class="label label-default pull-right">group</span></h3><p>To ensure separation and protection of data, there
are top-level system directories which should be placed on their
own physical partition or logical volume. The installer's default
partitioning scheme creates separate logical volumes for 
<code>/</code>, <code>/boot</code>, and <code>swap</code>.
<ul><li>If starting with any of the default layouts, check the box to
"Review and modify partitioning." This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making <code>/</code>'s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later.</li><li>If creating a custom layout, create the partitions mentioned in
the previous paragraph (which the installer will require anyway),
as well as separate ones described in the following sections.</li></ul>
If a system has already been installed, and the default
partitioning scheme was used, it is possible but nontrivial to
modify it to create separate logical volumes for the directories
listed above. The Logical Volume Manager (LVM) makes this possible.
See the LVM HOWTO at <a href="http://tldp.org/HOWTO/LVM-HOWTO/">http://tldp.org/HOWTO/LVM-HOWTO/</a> for more
detailed information on LVM.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_updating">Updating Software
                          <a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>yum</code> command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the <b>System</b> menu, in the <b>Administration</b> submenu,
called <b>Software Update</b>.
<br><br>
Red Hat Enterprise Linux systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Consistently using
<code>yum</code> or the graphical <b>Software Update</b> for all software installation
allows for insight into the current inventory of installed software on the system.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_integrity">Software Integrity Checking
                          <a class="small" href="#xccdf_org.ssgproject.content_group_integrity">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
<br><br>
Integrity checking cannot <i>prevent</i> intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_aide">Verify Integrity with AIDE
                          <a class="small" href="#xccdf_org.ssgproject.content_group_aide">[ref]</a><span class="label label-default pull-right">group</span></h3><p>AIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update.  AIDE is highly configurable, with further configuration
information located in <code>/usr/share/doc/aide-<i>VERSION</i></code>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rpm_verification" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_rpm_verification">Verify Integrity with RPM
                          <a class="small" href="#xccdf_org.ssgproject.content_group_rpm_verification">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The RPM package management system includes the ability
to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the
package metadata stored in the RPM database. Although an attacker
could corrupt the RPM database (analogous to attacking the AIDE
database as described above), this check can still reveal
modification of important files. To list which files on the system differ from what is expected by the RPM database:
<pre>$ rpm -qVa</pre>
See the man page for <code>rpm</code> to see a complete explanation of each column.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_rpm_verification" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_additional_security_software" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_additional_security_software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_additional_security_software">Additional Security Software
                          <a class="small" href="#xccdf_org.ssgproject.content_group_additional_security_software">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Additional security software that is not provided or supported
by Red Hat can be installed to provide complementary or duplicative
security capabilities to those provided by the base platform.  Add-on
software may not be appropriate for some specialized systems.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_additional_security_software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_fips">Federal Information Processing Standard (FIPS)
                          <a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The Federal Information Processing Standard (FIPS) is a computer security standard which
is developed by the U.S. Government and industry working groups to validate the quality
of cryptographic modules. The FIPS standard provides four security levels to ensure
adequate coverage of different industries, implementation of cryptographic modules, and
organizational sizes and requirements.
<br><br>
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
utilize authentication that meets industry and government requirements. For government systems, this allows
Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.
<br><br>
See <b><a href="http://csrc.nist.gov/publications/PubsFIPS.html">http://csrc.nist.gov/publications/PubsFIPS.html</a></b> for more information.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_certified-vendor" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_certified-vendor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_certified-vendor">Operating System Vendor Support and Certification
                          <a class="small" href="#xccdf_org.ssgproject.content_group_certified-vendor">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The assurance of a vendor to provide operating system support and maintenance
for their product is an important criterion to ensure product stability and
security over the life of the product. A certified product that follows the
necessary standards and government certification requirements guarantees that
known software vulnerabilities will be remediated, and proper guidance for
protecting and securing the operating system will be given.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_certified-vendor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_gnome">GNOME Desktop Environment
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
GNOME is a graphical desktop environment bundled with many Linux distributions that
allow users to easily interact with the operating system graphically rather than
textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user
switching contexts as well as display server management.
<br><br>
GNOME is developed by the GNOME Project and is considered the default
Red Hat Graphical environment.
<br><br>
For more information on GNOME and the GNOME Project, see <b><a href="https://www.gnome.org">https://www.gnome.org</a></b>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_login_screen" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome_login_screen" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gnome_login_screen">Configure GNOME Login Screen
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome_login_screen">[ref]</a><span class="label label-default pull-right">group</span></h3><p>In the default GNOME desktop, the login is displayed after system boot
and can display user accounts, allow users to reboot the system, and allow users to
login automatically and/or with a guest account. The login screen should be configured
to prevent such behavior.
<br><br>
For more information about enforcing preferences in the GNOME environment using the GConf
configuration system, see <b><a href="http://projects.gnome.org/gconf">http://projects.gnome.org/gconf</a></b> and
the man page <code>gconftool-2(1)</code>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome_login_screen" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_screen_locking" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome_screen_locking" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gnome_screen_locking">Configure GNOME Screen Locking
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome_screen_locking">[ref]</a><span class="label label-default pull-right">group</span></h3><p>In the default GNOME desktop, the screen can be locked
by choosing <b>Lock Screen</b> from the <b>System</b> menu.
<br><br>
The <code>gconftool-2</code> program can be used to enforce mandatory
screen locking settings for the default GNOME environment.
The
following sections detail commands to enforce idle activation of the screensaver,
screen locking, a blank-screen screensaver, and an idle
activation time.

<br><br>
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup. The <b>Lock Screen</b> icon from the <b>System</b> menu can
also be dragged to the taskbar in order to facilitate even more
convenient screen-locking.
<br><br>
The root account cannot be screen-locked, but this should
have no practical effect as the root account should <i>never</i> be used
to log into an X Windows environment, and should only be used to
for direct login via console in emergency circumstances.
<br><br>
For more information about configuring GNOME screensaver, see
<b><a href="http://live.gnome.org/GnomeScreensaver">http://live.gnome.org/GnomeScreensaver</a></b>. For more information about
enforcing preferences in the GNOME environment using the GConf
configuration system, see <b><a href="http://projects.gnome.org/gconf">http://projects.gnome.org/gconf</a></b> and
the man page <code>gconftool-2(1)</code>.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome_screen_locking" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_system_settings" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome_system_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gnome_system_settings">GNOME System Settings
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome_system_settings">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
GNOME provides configuration and functionality to a graphical desktop environment
that changes grahical configurations or allow a user to perform
actions that users normally would not be able to do in non-graphical mode such as
remote access configuration, power policies, Geo-location, etc.
Configuring such settings in GNOME will prevent accidential graphical configuration
changes by users from taking place.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome_system_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_network_settings" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome_network_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gnome_network_settings">GNOME Network Settings
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome_network_settings">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
GNOME network settings that apply to the graphical interface.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome_network_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome_remote_access_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gnome_remote_access_settings">GNOME Remote Access Settings
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome_remote_access_settings">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
GNOME remote access settings that apply to the graphical interface.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome_remote_access_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gnome_media_settings" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gnome_media_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gnome_media_settings">GNOME Media Settings
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gnome_media_settings">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
GNOME media settings that apply to the graphical interface.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gnome_media_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks
                          <a class="small" href="#xccdf_org.ssgproject.content_group_permissions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access. 
<br><br>
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable <i>PART</i> appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for <i>PART</i> in turn.
<br><br>
The following command prints a list of all xfs partitions on the local
system, which is the default filesystem for Red Hat Enterprise Linux
7 installations:
<pre>$ mount -t xfs | awk '{print $3}'</pre>
For any systems that use a different
local filesystem type, modify this command as appropriate.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_partitions">Restrict Partition Mount Options
                          <a class="small" href="#xccdf_org.ssgproject.content_group_partitions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>System partitions can be mounted with certain options
that limit what files on those partitions can do. These options
are set in the <code>/etc/fstab</code> configuration file, and can be
used to make certain types of malicious behavior more difficult.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mounting" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_mounting">Restrict Dynamic Mounting and Unmounting of
Filesystems
                          <a class="small" href="#xccdf_org.ssgproject.content_group_mounting">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system.  These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
<br><br>
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
<pre>$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</pre>
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in  <code>/etc/modprobe.d</code>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mounting" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_files">Verify Permissions on Important Files and
Directories
                          <a class="small" href="#xccdf_org.ssgproject.content_group_files">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Permissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_important_account_files" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions_important_account_files" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_files"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_permissions_important_account_files">Verify Permissions on Files with Local Account Information and Credentials
                          <a class="small" href="#xccdf_org.ssgproject.content_group_permissions_important_account_files">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The default restrictive permissions for files which act as
important security databases such as <code>passwd</code>, <code>shadow</code>,
<code>group</code>, and <code>gshadow</code> files must be maintained.  Many utilities
need read access to the <code>passwd</code> file in order to function properly, but
read access to the <code>shadow</code> file allows malicious attacks against system
passwords, and should never be enabled.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_permissions_important_account_files" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_files"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_files"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs">Verify File Permissions Within Some Important Directories
                          <a class="small" href="#xccdf_org.ssgproject.content_group_permissions_within_important_dirs">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Some directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time, particularly if
unpackaged software is installed. As such,
an argument exists to verify that files' permissions within these directories remain
configured correctly and restrictively.   
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_permissions_within_important_dirs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_files"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_restrictions">Restrict Programs from Dangerous Execution Patterns
                          <a class="small" href="#xccdf_org.ssgproject.content_group_restrictions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_permissions"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_daemon_umask" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_daemon_umask" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_daemon_umask">Daemon Umask
                          <a class="small" href="#xccdf_org.ssgproject.content_group_daemon_umask">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The umask is a per-process setting which limits
the default permissions for creation of new files and directories.
The system includes initialization scripts which set the default umask
for system daemons.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_daemon_umask" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_coredumps" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_coredumps" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_coredumps">Disable Core Dumps
                          <a class="small" href="#xccdf_org.ssgproject.content_group_coredumps">[ref]</a><span class="label label-default pull-right">group</span></h3><p>A core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
<br><br>
Once a hard limit is set in <code>/etc/security/limits.conf</code>, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the <code>limits.conf</code> man page for more
information.
<br><br>
The core dumps of setuid programs are further protected. The
<code>sysctl</code> variable <code>fs.suid_dumpable</code> controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_coredumps" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_enable_execshield_settings">Enable ExecShield
                          <a class="small" href="#xccdf_org.ssgproject.content_group_enable_execshield_settings">[ref]</a><span class="label label-default pull-right">group</span></h3><p>ExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default and
controlled through <code>sysctl</code> variables <code>kernel.exec-shield</code> and
<code>kernel.randomize_va_space</code>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_nx" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_enable_nx" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_enable_nx">Enable Execute Disable (XD) or No Execute (NX) Support on
x86 Systems
                          <a class="small" href="#xccdf_org.ssgproject.content_group_enable_nx">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Recent processors in the x86 family support the
ability to prevent code execution on a per memory page basis.
Generically and on AMD processors, this ability is called No
Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer
overflow vulnerabilities and should be activated whenever possible.
Extra steps must be taken to ensure that this protection is
enabled, particularly on 32-bit x86 systems. Other processors, such
as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the
feature.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_enable_nx" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_selinux">SELinux
                          <a class="small" href="#xccdf_org.ssgproject.content_group_selinux">[ref]</a><span class="label label-default pull-right">group</span></h3><p>SELinux is a feature of the Linux kernel which can be
used to guard against misconfigured or compromised programs.
SELinux enforces the idea that programs should be limited in what
files they can access and what actions they can take.
<br><br>
The default SELinux policy, as configured on Red Hat Enterprise Linux 6, has been
sufficiently developed and debugged that it should be usable on
almost any Red Hat machine with minimal configuration and a small
amount of system administrator training. This policy prevents
system services - including most of the common network-visible
services such as mail servers, FTP servers, and DNS servers - from
accessing files which those services have no valid reason to
access. This action alone prevents a huge amount of possible damage
from network attacks against services, from trojaned software, and
so forth.
<br><br>
This guide recommends that SELinux be enabled using the
default (targeted) policy on every Red Hat system, unless that
system has unusual requirements which make a stronger policy
appropriate.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_accounts">Account and Access Control
                          <a class="small" href="#xccdf_org.ssgproject.content_group_accounts">[ref]</a><span class="label label-default pull-right">group</span></h3><p>In traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under
Red Hat Enterprise Linux 6.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_accounts-restrictions">Protect Accounts by Restricting Password-Based Login
                          <a class="small" href="#xccdf_org.ssgproject.content_group_accounts-restrictions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the <code>/etc/passwd</code> and
<code>/etc/shadow</code> files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_root_logins">Restrict Root Logins
                          <a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use <code>su</code> or <code>sudo</code> to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The <code>login</code> program
uses the file <code>/etc/securetty</code> to determine which interfaces
should allow root logins.

The virtual devices <code>/dev/console</code>
and <code>/dev/tty*</code> represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains <code>/dev/vc/*</code>.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Root should also be prohibited from connecting
via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_password_storage">Verify Proper Storage and Existence of Password
Hashes
                          <a class="small" href="#xccdf_org.ssgproject.content_group_password_storage">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
<code>/etc/shadow</code>. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as <code>/etc/passwd</code>, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_password_expiration">Set Password Expiration Parameters
                          <a class="small" href="#xccdf_org.ssgproject.content_group_password_expiration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The file <code>/etc/login.defs</code> controls several
password-related settings. Programs such as <code>passwd</code>,
<code>su</code>, and
<code>login</code> consult <code>/etc/login.defs</code> to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page <code>login.defs(5)</code> for more information.
<br><br>
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
<code>PASS_MAX_DAYS</code> and apply it to existing accounts with the
<code>-M</code> flag.
<br><br>
The <code>PASS_MIN_DAYS</code> (<code>-m</code>) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The <code>PASS_WARN_AGE</code> (<code>-W</code>) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
<br><br>
For example, for each existing human user <i>USER</i>, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
<pre>$ sudo chage -M 180 -m 7 -W 7 USER</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_account_expiration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_account_expiration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_account_expiration">Set Account Expiration Parameters
                          <a class="small" href="#xccdf_org.ssgproject.content_group_account_expiration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Accounts can be configured to be automatically disabled
after a certain time period,
meaning that they will require administrator interaction to become usable again.
Expiration of accounts after inactivity can be set for all accounts by default
and also on a per-account basis, such as for accounts that are known to be temporary.
To configure automatic expiration of an account following
the expiration of its password (that is, after the password has expired and not been changed),
run the following command, substituting <code><i>NUM_DAYS</i></code> and <code><i>USER</i></code> appropriately:
<pre>$ sudo chage -I <i>NUM_DAYS USER</i></pre>
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
<code>-E</code> option.
The file <code>/etc/default/useradd</code> controls
default settings for all newly-created accounts created with the system's
normal command line utilities.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_account_expiration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_accounts-pam">Protect Accounts by Configuring PAM
                          <a class="small" href="#xccdf_org.ssgproject.content_group_accounts-pam">[ref]</a><span class="label label-default pull-right">group</span></h3><p>PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
<br><br>
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
<br><br>
PAM looks in the directory <code>/etc/pam.d</code> for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file <code>/etc/pam.d/login</code>
to determine what actions should be taken.
<br><br>
One very important file in <code>/etc/pam.d</code> is
<code>/etc/pam.d/system-auth</code>. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service.</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                Be careful when making changes to PAM's
configuration files. The syntax for these files is complex, and
modifications can have unexpected consequences. The default
configurations shipped with applications should be sufficient for
most users.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                Running <code>authconfig</code> or
<code>system-config-authentication</code> will re-write the PAM configuration
files, destroying any manually made changes and replacing them with
a series of system defaults. One reference to the configuration
file syntax can be found at
<a href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html">http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html</a>.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-pam"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_password_quality">Set Password Quality Requirements
                          <a class="small" href="#xccdf_org.ssgproject.content_group_password_quality">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The default <code>pam_cracklib</code> PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes.
<br><br>
The man page <code>pam_cracklib(8)</code> provides information on the
capabilities and configuration of each.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-pam"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pamcracklib" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_quality"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_password_quality_pamcracklib">Set Password Quality Requirements, if using
pam_cracklib
                          <a class="small" href="#xccdf_org.ssgproject.content_group_password_quality_pamcracklib">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>pam_cracklib</code> PAM module can be configured to meet
requirements for a variety of policies.
<br><br>
For example, to configure <code>pam_cracklib</code> to require at least one uppercase
character, lowercase character, digit, and other (special)
character, locate the following line in <code>/etc/pam.d/system-auth</code>:
<pre>password requisite pam_cracklib.so try_first_pass retry=3</pre>
and then alter it to read:
<pre>password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</pre>
If no such line exists, add one as the first line of the password section in <code>/etc/pam.d/system-auth</code>.
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                Note that the password quality
requirements are not enforced for the root account for some
reason.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_password_quality_pamcracklib" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_quality"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-pam"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_locking_out_password_attempts">Set Lockouts for Failed Password Attempts
                          <a class="small" href="#xccdf_org.ssgproject.content_group_locking_out_password_attempts">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>pam_faillock</code> PAM module provides the capability to
lock out user accounts after a number of failed login attempts. Its
documentation is available in
<code>/usr/share/doc/pam-VERSION/txts/README.pam_faillock</code>.
<br><br>
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-pam"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-pam"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm">Set Password Hashing Algorithm
                          <a class="small" href="#xccdf_org.ssgproject.content_group_set_password_hashing_algorithm">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The system's default algorithm for storing password hashes in
<code>/etc/shadow</code> is SHA-512. This can be configured in several
locations.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-pam"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_accounts-session">Secure Session Configuration Files for Login Accounts
                          <a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a><span class="label label-default pull-right">group</span></h3><p>When a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_paths" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_paths" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-session"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_root_paths">Ensure that No Dangerous Directories Exist in Root's Path
                          <a class="small" href="#xccdf_org.ssgproject.content_group_root_paths">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The active path of the root account can be obtained by
starting a new root shell and running:
<pre>$ sudo echo $PATH</pre>
This will produce a colon-separated list of
directories in the path.
<br><br>
Certain path elements could be considered dangerous, as they could lead
to root executing unknown or
untrusted programs, which could contain malicious
code.
Since root may sometimes work inside
untrusted directories, the <code>.</code> character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
<br><br>
It is a good practice for administrators to always execute
privileged commands by typing the full path to the
command.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_paths" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-session"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-session"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_user_umask">Ensure that Users Have Sensible Umask Values
                          <a class="small" href="#xccdf_org.ssgproject.content_group_user_umask">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The umask setting controls the default permissions
for the creation of new files.
With a default <code>umask</code> setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a <code>umask</code> of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a <code>umask</code> of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
<br><br>

</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_user_umask" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-session"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_accounts-physical">Protect Physical Console Access
                          <a class="small" href="#xccdf_org.ssgproject.content_group_accounts-physical">[ref]</a><span class="label label-default pull-right">group</span></h3><p>It is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_bootloader">Set Boot Loader Password
                          <a class="small" href="#xccdf_org.ssgproject.content_group_bootloader">[ref]</a><span class="label label-default pull-right">group</span></h3><p>During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Red Hat Enterprise Linux boot loader for x86 systems is called GRUB.
Options it can pass to the kernel include <i>single-user mode</i>, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_screen_locking" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_screen_locking" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_screen_locking">Configure Screen Locking
                          <a class="small" href="#xccdf_org.ssgproject.content_group_screen_locking">[ref]</a><span class="label label-default pull-right">group</span></h3><p>When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
<br><br>
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_screen_locking" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_console_screen_locking" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_console_screen_locking" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_console_screen_locking">Configure Console Screen Locking
                          <a class="small" href="#xccdf_org.ssgproject.content_group_console_screen_locking">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
A console screen locking mechanism is provided in the
<code>screen</code> package, which is not installed by default.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_console_screen_locking" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_smart_card_login">Hardware Tokens for Authentication
                          <a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username and password.
In Red Hat Enterprise Linux servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-banners" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-banners" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_accounts-banners">Warning Banners for System Accesses
                          <a class="small" href="#xccdf_org.ssgproject.content_group_accounts-banners">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Each system should expose as little information about
itself as possible.
<br><br>
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
<br><br>
Many organizations implement security policies that require a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-banners" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gui_login_banner" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_gui_login_banner" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-banners"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_gui_login_banner">Implement a GUI Warning Banner
                          <a class="small" href="#xccdf_org.ssgproject.content_group_gui_login_banner">[ref]</a><span class="label label-default pull-right">group</span></h3><p>In the default graphical environment, users logging
directly into the system are greeted with a login screen provided
by the GNOME Display Manager (GDM). The warning banner should be
displayed in this graphical environment for these users.
The following sections describe how to configure the GDM login
banner.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_gui_login_banner" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-banners"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Most machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
<br><br>
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces">Disable Unused Interfaces
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network_disable_unused_interfaces">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Network interfaces expand the attack surface of the 
system.  Unused interfaces are not monitored or controlled, and 
should be disabled.
<br><br>
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
<code>ifcfg-<i>interface</i></code> except for <code>ifcfg-lo</code> from
<code>/etc/sysconfig/network-scripts</code>:
<pre>$ sudo rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre>
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.

        The <code>network</code> service can be disabled with the following command:
        <pre>$ sudo chkconfig network off</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network-kernel">Kernel Parameters Which Affect Networking
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network-kernel">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>sysctl</code> utility is used to set
parameters which affect the operation of the Linux kernel. Kernel parameters
which affect networking and have security implications are described here.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-kernel"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_network_host_parameters">Network Parameters for Hosts Only
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network_host_parameters">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If the system is not going to be used as a router, then setting certain
kernel parameters ensure that the host will not perform routing
of network traffic.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-kernel"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-kernel"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters">Network Related Kernel Runtime Parameters for Hosts and Routers
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network_host_and_router_parameters">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Certain kernel parameters should be set for systems which are
acting as either hosts or routers to improve the system's ability defend
against certain types of IPv4 protocol attacks.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-kernel"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network-wireless">Wireless Networking
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network-wireless">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Wireless networking, such as 802.11
(WiFi) and Bluetooth, can present a security risk to sensitive or
classified systems and networks. Wireless networking hardware is
much more likely to be included in laptop or portable systems than
in desktops or servers. 
<br><br>
Removal of hardware provides the greatest assurance that the wireless
capability remains disabled. Acquisition policies often include provisions to
prevent the purchase of equipment that will be used in sensitive spaces and
includes wireless capabilities. If it is impractical to remove the wireless
hardware, and policy permits the device to enter sensitive spaces as long
as wireless is disabled, efforts should instead focus on disabling wireless capability
via software.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-wireless"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_wireless_software">Disable Wireless Through Software Configuration
                          <a class="small" href="#xccdf_org.ssgproject.content_group_wireless_software">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If it is impossible to remove the wireless hardware
from the device in question, disable as much of it as possible
through software. The following methods can disable software
support for wireless networking, but note that these methods do not
prevent malicious software or careless users from re-activating the
devices.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-wireless"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network-ipv6">IPv6
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network-ipv6">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_ipv6" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_ipv6" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-ipv6"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_disabling_ipv6">Disable Support for IPv6 Unless Needed
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_ipv6">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_ipv6" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-ipv6"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-ipv6"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_configuring_ipv6">Configure IPv6 Settings if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configuring_ipv6">[ref]</a><span class="label label-default pull-right">group</span></h3><p>A major feature of IPv6 is the extent to which systems
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
information is preferable to accepting it from the network
in an unauthenticated fashion.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-ipv6"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_ipv6"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig">Disable Automatic Configuration
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Disable the system's acceptance of router
advertisements and redirects by adding or correcting the following
line in <code>/etc/sysconfig/network</code> (note that this does not disable
sending router solicitations):
<pre>IPV6_AUTOCONF=no</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_ipv6"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_ipv6"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests">Limit Network-Transmitted Configuration if Using Static IPv6 Addresses
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network_ipv6_limit_requests">[ref]</a><span class="label label-default pull-right">group</span></h3><p>To limit the configuration information requested from other
systems and accepted from the network on a system that uses
statically-configured IPv6 addresses, add the following lines to
<code>/etc/sysctl.conf</code>:
<pre>net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1</pre>
The <code>router_solicitations</code> setting determines how many router
solicitations are sent when bringing up the interface. If addresses are
statically assigned, there is no need to send any solicitations.
<br><br>
The <code>accept_ra_pinfo</code> setting controls whether the system will accept
prefix info from the router.
<br><br>
The <code>accept_ra_defrtr</code> setting controls whether the system will accept
Hop Limit settings from a router advertisement. Setting it to 0 prevents a
router from changing your default IPv6 Hop Limit for outgoing packets.
<br><br>
The <code>autoconf</code> setting controls whether router advertisements can cause
the system to assign a global unicast address to an interface.
<br><br>
The <code>dad_transmits</code> setting determines how many neighbor solicitations
to send out per address (global and link-local) when bringing up an interface
to ensure the desired address is unique on the network.
<br><br>
The <code>max_addresses</code> setting determines how many global unicast IPv6
addresses can be assigned to each interface.  The default is 16, but it should
be set to exactly the number of statically configured global addresses
required.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_ipv6"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-iptables" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network-iptables" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network-iptables">iptables and ip6tables
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network-iptables">[ref]</a><span class="label label-default pull-right">group</span></h3><p>A host-based firewall called <code>netfilter</code> is included as
part of the Linux kernel distributed with the system. It is
activated by default. This firewall is controlled by the program
<code>iptables</code>, and the entire capability is frequently referred to by
this name. An analogous program called <code>ip6tables</code> handles filtering
for IPv6.
<br><br>
Unlike TCP Wrappers, which depends on the network server
program to support and respect the rules written, <code>netfilter</code>
filtering occurs at the kernel level, before a program can even
process the data from the network packet. As such, any program on
the system is affected by the rules written.
<br><br>
This section provides basic information about strengthening
the <code>iptables</code> and <code>ip6tables</code> configurations included with the system.
For more complete information that may allow the construction of a
sophisticated ruleset tailored to your environment, please consult
the references at the end of this section.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network-iptables" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_iptables_activation" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_iptables_activation" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-iptables"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_iptables_activation">Inspect and Activate Default Rules
                          <a class="small" href="#xccdf_org.ssgproject.content_group_iptables_activation">[ref]</a><span class="label label-default pull-right">group</span></h3><p>View the currently-enforced <code>iptables</code> rules by running
the command:
<pre>$ sudo iptables -nL --line-numbers</pre>
The command is analogous for <code>ip6tables</code>.
<br><br>
If the firewall does not appear to be active (i.e., no rules
appear), activate it and ensure that it starts at boot by issuing
the following commands (and analogously for <code>ip6tables</code>):
<pre>$ sudo service iptables restart</pre>
The default iptables rules are:
<pre>Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22 
5    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source       destination
1    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source       destination</pre>
The <code>ip6tables</code> default rules are essentially the same.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_iptables_activation" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-iptables"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ruleset_modifications" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-iptables"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_ruleset_modifications">Strengthen the Default Ruleset
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ruleset_modifications">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined
in the configuration files <code>iptables</code> and <code>ip6tables</code> in the directory
<code>/etc/sysconfig</code>. Many of the lines in these files are similar
to the command line arguments that would be provided to the programs
<code>/sbin/iptables</code> or <code>/sbin/ip6tables</code> - but some are quite
different.
<br><br>
The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to
the iptables program to load in rules, and then invokes service
iptables save to write those loaded rules to
<code>/etc/sysconfig/iptables.</code>
<br><br>
The following alterations can be made directly to
<code>/etc/sysconfig/iptables</code> and <code>/etc/sysconfig/ip6tables</code>.
Instructions apply to both unless otherwise noted. Language and address
conventions for regular iptables are used throughout this section;
configuration for ip6tables will be either analogous or explicitly
covered.</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                The program <code>system-config-securitylevel</code>
allows additional services to penetrate the default firewall rules
and automatically adjusts <code>/etc/sysconfig/iptables</code>. This program
is only useful if the default ruleset meets your security
requirements. Otherwise, this program should not be used to make
changes to the firewall configuration because it re-writes the
saved configuration file.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-iptables"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_iptables_icmp_disabled" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_iptables_icmp_disabled">Restrict ICMP Message Types
                          <a class="small" href="#xccdf_org.ssgproject.content_group_iptables_icmp_disabled">[ref]</a><span class="label label-default pull-right">group</span></h3><p>In <code>/etc/sysconfig/iptables</code>, the accepted ICMP messages
types can be restricted. To accept only ICMP echo reply, destination
unreachable, and time exceeded messages, remove the line:<br>
<pre>-A INPUT -p icmp --icmp-type any -j ACCEPT</pre>
and insert the lines:
<pre>-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT</pre>
To allow the system to respond to pings, also insert the following line:
<pre>-A INPUT -p icmp --icmp-type echo-request -j ACCEPT</pre>
Ping responses can also be limited to certain networks or hosts by using the -s
option in the previous rule.  Because IPv6 depends so heavily on ICMPv6, it is
preferable to deny the ICMPv6 packets you know you don't need (e.g. ping
requests) in <code>/etc/sysconfig/ip6tables</code>, while letting everything else
through:
<pre>-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP</pre>
If you are going to statically configure the machine's address, it should
ignore Router Advertisements which could add another IPv6 address to the
interface or alter important network settings:
<pre>-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</pre>
Restricting ICMPv6 message types in <code>/etc/sysconfig/ip6tables</code> is not
recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great
care must be taken if any other ICMPv6 types are blocked.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_iptables_icmp_disabled" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious">Log and Drop Packets with Suspicious Source Addresses
                          <a class="small" href="#xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the
modified policy will reject non-matching packets, you only need to add these rules if you are interested in also
logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious
traffic, add identical rules with a target of <code>DROP</code> after each <i>LOG</i>.
To log and then drop these IPv4 packets, insert the following rules in <code>/etc/sysconfig/iptables</code> (excepting
any that are intentionally used):
<pre>-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "</pre>
Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected
on your network:
<pre>-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: "
-A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
-A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "</pre>
If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those:
<pre>-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: "
-A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "</pre>
If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and
do not plan to have any services that multicast to the entire local network), you can block the link-local
all-nodes multicast address (before accepting incoming ICMPv6):
<pre>-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "</pre>
However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should
then consider logging the non-routable IPv4-compatible addresses:
<pre>-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: "
-A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -s ::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "</pre>
If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped:
<pre>-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: "
-A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "</pre>
The following rule will log all traffic originating from a site-local address, which is deprecated address space:
<pre>-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ruleset_modifications"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_ssl" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network_ssl" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network_ssl">Transport Layer Security Support
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network_ssl">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Support for Transport Layer Security (TLS), and its predecessor, the Secure
Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package
<code>openssl</code>).  TLS provides encrypted and authenticated network
communications, and many network services include support for it.  TLS or SSL
can be leveraged to avoid any plaintext transmission of sensitive data.
<br>
For information on how to use OpenSSL, see
<b><a href="http://www.openssl.org/docs/HOWTO/">http://www.openssl.org/docs/HOWTO/</a></b>.  Information on FIPS validation
of OpenSSL is available at <b><a href="http://www.openssl.org/docs/fips/fipsvalidation.html">http://www.openssl.org/docs/fips/fipsvalidation.html</a></b>
and <b><a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm</a></b>.

</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network_ssl" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-uncommon" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network-uncommon" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network-uncommon">Uncommon Network Protocols
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network-uncommon">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The system includes support for several network
protocols which are not commonly used. Although security vulnerabilities 
in kernel networking code are not frequently
discovered, the consequences can be dramatic. Ensuring uncommon
network protocols are disabled reduces the system's risk to attacks
targeted at its implementation of those protocols.</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                
Although these protocols are not commonly used, avoid disruption
in your network environment by ensuring they are not needed
prior to disabling them.
</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network-uncommon" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipsec" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_network-ipsec" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_network-ipsec">IPSec Support
                          <a class="small" href="#xccdf_org.ssgproject.content_group_network-ipsec">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Support for Internet Protocol Security (IPsec)
is provided in Red Hat Enterprise Linux 6 with openswan
and libreswan packages respectively.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_network-ipsec" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_logging">Configure Syslog
                          <a class="small" href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The syslog service has been the default Unix logging mechanism for
many years. It has a number of downsides, including inconsistent log format,
lack of authentication for received messages, and lack of authentication,
encryption, or reliable transport for messages sent over a network. However,
due to its long history, syslog is a de facto standard which is supported by
almost all Unix applications.
<br>
<br>
In Red Hat Enterprise Linux 6, rsyslog has replaced ksyslogd as the
syslog daemon of choice, and it includes some additional security features
such as reliable, connection-oriented (i.e. TCP) transmission of logs, the
option to log to database formats, and the encryption of log data en route to
a central logging server.
This section discusses how to configure rsyslog for
best effect, and how to use tools provided with the system to maintain and
monitor logs.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">Ensure Proper Configuration of Log Files
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The file <code>/etc/rsyslog.conf</code> controls where log message are written.
These are controlled by lines called <i>rules</i>, which consist of a
<i>selector</i> and an <i>action</i>.
These rules are often customized depending on the role of the system, the
requirements of the environment, and whatever may enable
the administrator to most effectively make use of log data.
The default rules in Red Hat Enterprise Linux 6 are:
<pre>*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log</pre>
See the man page <code>rsyslog.conf(5)</code> for more information.
<i>Note that the <code>rsyslog</code> daemon can be configured to use a timestamp format that
some log processing programs may not understand. If this occurs, 
edit the file <code>/etc/rsyslog.conf</code> and add or edit the following line:</i>
<pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages">Rsyslog Logs Sent To Remote Host
                          <a class="small" href="#xccdf_org.ssgproject.content_group_rsyslog_sending_messages">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
If system logs are to be useful in detecting malicious
activities, it is necessary to send logs to a remote server. An
intruder who has compromised the root account on a machine may
delete the log entries which indicate that the system was attacked
before they are seen by an administrator.
<br><br>
However, it is recommended that logs be stored on the local
host in addition to being sent to the loghost, especially if
<code>rsyslog</code> has been configured to use the UDP protocol to send
messages over a network. UDP does not guarantee reliable delivery,
and moderately busy sites will lose log messages occasionally,
especially in periods of high traffic which may be the result of an
attack. In addition, remote <code>rsyslog</code> messages are not
authenticated in any way by default, so it is easy for an attacker to
introduce spurious messages to the central log server. Also, some
problems cause loss of network connectivity, which will prevent the
sending of messages to the central server. For all of these reasons, it is
better to store log messages both centrally and on each host, so
that they can be correlated if necessary.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">Configure rsyslogd to Accept Remote Messages If Acting as a Log Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
By default, <code>rsyslog</code> does not listen over the network
for log messages. If needed, modules can be enabled to allow
the rsyslog daemon to receive messages from other systems and for the system
thus to act as a log server.
If the machine is not a log server, then lines concerning these modules
should remain commented out.
<br><br>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_log_rotation" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_log_rotation" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_log_rotation">Ensure All Logs are Rotated by logrotate
                          <a class="small" href="#xccdf_org.ssgproject.content_group_log_rotation">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Edit the file <code>/etc/logrotate.d/syslog</code>. Find the first
line, which should look like this (wrapped for clarity):
<pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
  /var/log/boot.log /var/log/cron {</pre>
Edit this line so that it contains a one-space-separated
listing of each log file referenced in <code>/etc/rsyslog.conf</code>.
<br><br>
All logs in use on a system must be rotated regularly, or the
log files will consume disk space over time, eventually interfering
with system operation. The file <code>/etc/logrotate.d/syslog</code> is the
configuration file used by the <code>logrotate</code> program to maintain all
log files written by <code>syslog</code>. By default, it rotates logs weekly and
stores four archival copies of each log. These settings can be
modified by editing <code>/etc/logrotate.conf</code>, but the defaults are
sufficient for purposes of this guide.
<br><br>
Note that <code>logrotate</code> is run nightly by the cron job
<code>/etc/cron.daily/logrotate</code>. If particularly active logs need to be
rotated more often than once a day, some other mechanism must be
used.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver"> Configure Logwatch on the Central Log Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver">[ref]</a><span class="label label-default pull-right">group</span></h3><p> 
Is this machine the central log server? If so, edit the file <code>/etc/logwatch/conf/logwatch.conf</code> as shown below.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd
                          <a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The audit service provides substantial capabilities
for recording system activities. By default, the service audits about
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, <code>auditd</code> has modest disk space
requirements, and should not noticeably impact system performance.
<br><br>
Government networks often have substantial auditing
requirements and <code>auditd</code> can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.  
The following example from Fedora Documentation available at 
<code><a href="http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html</a></code>
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the <code>/var/www/html/file1</code> file (labeled with
the <code>samba_share_t</code> type):
<pre>type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</pre>
<ul><li><code>msg=audit(1226874073.147:96)</code><ul><li>The number in parentheses is the unformatted time stamp (Epoch time)
for the event, which can be converted to standard time by using the
<code>date</code> command.
</li></ul></li><li><code>{ getattr }</code><ul><li>The item in braces indicates the permission that was denied. <code>getattr</code>
indicates the source process was trying to read the target file's status information.
This occurs before reading files. This action is denied due to the file being
accessed having the wrong label. Commonly seen permissions include <code>getattr</code>,
<code>read</code>, and <code>write</code>.</li></ul></li><li><code>comm="httpd"</code><ul><li>The executable that launched the process. The full path of the executable is
found in the <code>exe=</code> section of the system call (<code>SYSCALL</code>) message,
which in this case, is <code>exe="/usr/sbin/httpd"</code>.
</li></ul></li><li><code>path="/var/www/html/file1"</code><ul><li>The path to the object (target) the process attempted to access.
</li></ul></li><li><code>scontext="unconfined_u:system_r:httpd_t:s0"</code><ul><li>The SELinux context of the process that attempted the denied action. In
this case, it is the SELinux context of the Apache HTTP Server, which is running
in the <code>httpd_t</code> domain.
</li></ul></li><li><code>tcontext="unconfined_u:object_r:samba_share_t:s0"</code><ul><li>The SELinux context of the object (target) the process attempted to access.
In this case, it is the SELinux context of <code>file1</code>. Note: the <code>samba_share_t</code>
type is not accessible to processes running in the <code>httpd_t</code> domain.</li></ul></li><li> From the system call (<code>SYSCALL</code>) message, two items are of interest:
<ul><li><code>success=no</code>: indicates whether the denial (AVC) was enforced or not.
<code>success=no</code> indicates the system call was not successful (SELinux denied
access). <code>success=yes</code> indicates the system call was successful - this can
be seen for permissive domains or unconfined domains, such as <code>initrc_t</code>
and <code>kernel_t</code>.
</li><li><code>exe="/usr/sbin/httpd"</code>: the full path to the executable that launched
the process, which in this case, is <code>exe="/usr/sbin/httpd"</code>.
</li></ul>
</li></ul>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention">Configure auditd Data Retention
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configure_auditd_data_retention">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The audit system writes data to <code>/var/log/audit/audit.log</code>. By default,
<code>auditd</code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of
data in total, and refuses to write entries when the disk is too
full. This minimizes the risk of audit data filling its partition
and impacting other services. This also minimizes the risk of the audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).

For a busy
system or a system which is thoroughly auditing system activity, the default settings
for data retention may be
 insufficient. The log file size needed will depend heavily on what types
of events are being audited. First configure auditing to log all the events of
interest. Then monitor the log size manually for awhile to determine what file
size will allow you to keep the required data for the correct time period.
<br><br>
Using a dedicated partition for <code>/var/log/audit</code> prevents the
<code>auditd</code> logs from disrupting system functionality if they fill, and,
more importantly, prevents other activity in <code>/var</code> from filling the
partition and stopping the audit trail. (The audit logs are size-limited and
therefore unlikely to grow without bound unless configured to do so.) Some
machines may have requirements that no actions occur which cannot be audited.
If this is the case, then <code>auditd</code> can be configured to halt the machine
if it runs out of space. <b>Note:</b> Since older logs are rotated,
configuring <code>auditd</code> this way does not prevent older logs from being
rotated away before they can be viewed.

<i>If your system is configured to halt when logging cannot be performed, make
sure this can never happen under normal circumstances! Ensure that
<code>/var/log/audit</code> is on its own partition, and that this partition is
larger than the maximum amount of data <code>auditd</code> will retain
normally.</i>
</p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
            <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">138</a></p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_auditd_configure_rules">Configure auditd Rules for Comprehensive Auditing
                          <a class="small" href="#xccdf_org.ssgproject.content_group_auditd_configure_rules">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>auditd</code> program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list <i>linux-audit@redhat.com</i> exists
to facilitate community discussion of the auditing system.
<br><br>
The audit subsystem supports extensive collection of events, including:
<br>
<ul><li>Tracing of arbitrary system calls (identified by name or number)
on entry or exit.</li><li>Filtering by PID, UID, call success, system call argument (with
some limitations), etc.</li><li>Monitoring of specific files for modifications to the file's
contents or metadata.</li></ul>
<br>
Auditing rules at startup are controlled by the file <code>/etc/audit/audit.rules</code>.
Add rules to it to meet the auditing requirements for your organization.
Each line in <code>/etc/audit/audit.rules</code> represents a series of arguments
that can be passed to <code>auditctl</code> and can be individually tested
during runtime. See documentation in <code>/usr/share/doc/audit-<i>VERSION</i></code> and
in the related man pages for more details.
<br><br>
If copying any example audit rulesets from <code>/usr/share/doc/audit-VERSION</code>,
be sure to comment out the
lines containing <code>arch=</code> which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
<br><br>
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
<pre>$ sudo service auditd restart</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_time_rules" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_audit_time_rules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_audit_time_rules">Records Events that Modify Date and Time Information
                          <a class="small" href="#xccdf_org.ssgproject.content_group_audit_time_rules">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time. All changes to the system 
time should be audited.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_audit_time_rules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_dac_actions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_audit_dac_actions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_audit_dac_actions">Record Events that Modify the System's Discretionary Access Controls
                          <a class="small" href="#xccdf_org.ssgproject.content_group_audit_dac_actions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>At a minimum, the audit system should collect file permission 
changes for all users and root.  Note that the "-F arch=b32" lines should be 
present even on a 64 bit system.  These commands identify system calls for 
auditing.  Even if the system is 64 bit it can still execute 32 bit system 
calls.  Additionally, these rules can be configured in a number of ways while 
still achieving the desired effect.  An example of this is that the "-S" calls 
could be split up and placed on separate lines, however, this is less efficient.
Add the following to <code>/etc/audit/audit.rules</code>:
<pre>-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</pre>
If your system is 64 bit then these lines should be duplicated and the 
arch=b32 replaced with arch=b64 as follows:
<pre>-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_audit_dac_actions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"><h3 id="xccdf_org.ssgproject.content_group_services">Services
                          <a class="small" href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The best protection against vulnerable software is running less software. This section describes how to review
the software which Red Hat Enterprise Linux 6 installs on a system and disable software which is not needed. It
then enumerates the software packages installed on a default Red Hat Enterprise Linux 6 system and provides guidance about which
ones can be safely disabled.
<br><br>
Red Hat Enterprise Linux 6 provides a convenient minimal install option that essentially installs the bare necessities for a functional
system. When building Red Hat Enterprise Linux 6 systems, it is highly recommended to select the minimal packages and then build up
the system from there.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_obsolete">Obsolete Services
                          <a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section discusses a number of network-visible
services which have historically caused problems for system
security, and for which disabling or severely limiting the service
has been the best available guidance for some time. As a result of
this, many of these services are not installed as part of Red Hat Enterprise Linux 6
by default.
<br><br>
Organizations which are running these services should
switch to more secure equivalents as soon as possible.
If it remains absolutely necessary to run one of
these services for legacy reasons, care should be taken to restrict
the service as much as possible, for instance by configuring host
firewall software such as <code>iptables</code> to restrict access to the
vulnerable service to only those remote hosts which have a known
need to use it.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd
                          <a class="small" href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>xinetd</code> service acts as a dedicated listener for some
network services (mostly, obsolete ones) and can be used to provide access
controls and perform some logging. It has been largely obsoleted by other
features, and it is not installed by default. The older Inetd service
is not even available as part of Red Hat Enterprise Linux 6.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_telnet">Telnet
                          <a class="small" href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The telnet protocol does not provide confidentiality or integrity
for information transmitted on the network. This includes authentication
information such as passwords. Organizations which use telnet should be
actively working to migrate to a more secure protocol.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_r_services">Rlogin, Rsh, and Rexec
                          <a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Berkeley r-commands are legacy services which
allow cleartext remote access and have an insecure trust
model.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_nis">NIS
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Network Information Service (NIS), also known as 'Yellow
Pages' (YP), and its successor NIS+ have been made obsolete by
Kerberos, LDAP, and other modern centralized authentication
services. NIS should not be used because it suffers from security
problems inherent in its design, such as inadequate protection of
important authentication information.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_tftp" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_tftp">TFTP Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_tftp">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
TFTP is a lightweight version of the FTP protocol which has
traditionally been used to configure networking equipment. However,
TFTP provides little security, and modern versions of networking
operating systems frequently support configuration via SSH or other
more secure protocols. A TFTP server should be run only if no more
secure method of supporting existing equipment can be
found.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_tftp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging Services
                          <a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The talk software makes it possible for users to send and receive messages
across systems through a terminal session.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_base" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_base">Base Services
                          <a class="small" href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section addresses the base services that are installed on a
Red Hat Enterprise Linux 6 default installation which are not covered in other
sections. Some of these services listen on the network and
should be treated with particular discretion. Other services are local
system utilities that may or may not be extraneous. In general, system services
should be disabled if not required.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_base" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons
                          <a class="small" href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The cron and at services are used to allow commands to
be executed at a later time. The cron service is required by almost
all systems to perform necessary maintenance tasks, while at may or
may not be required on a given system. Both daemons should be
configured defensively.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrict_at_cron_users" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_restrict_at_cron_users">Restrict at and cron to Authorized Users if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_restrict_at_cron_users">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The <code>/etc/cron.allow</code> and <code>/etc/at.allow</code> files contain lists of users who are allowed
to use cron and at to delay execution of processes. If these files exist and
if the corresponding files <code>/etc/cron.deny</code> and <code>/etc/at.deny</code> do not exist,
then only users listed in the relevant allow files can run the crontab and at
commands to submit jobs to be run at scheduled intervals.
On many systems, only the system administrator needs the ability to schedule
jobs. Note that even if a given user is not listed in <code>cron.allow</code>, cron jobs can
still be run as that user. The <code>cron.allow</code> file controls only administrative access
to the crontab command for scheduling and modifying cron jobs.
<br>
<br>
To restrict at and cron to only authorized users:
<ul><li>Remove the cron.deny file:<pre>$ sudo rm /etc/cron.deny</pre></li><li>Edit <code>/etc/cron.allow</code>, adding one line for each user allowed to use the crontab command to create cron jobs.</li><li>Remove the <code>at.deny</code> file:<pre>$ sudo rm /etc/at.deny</pre></li><li>Edit <code>/etc/at.allow</code>, adding one line for each user allowed to use the at command to create at jobs.</li></ul>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_restrict_at_cron_users" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_ssh">SSH Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ssh">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The SSH protocol is recommended for remote login and
remote file transfer. SSH provides confidentiality and integrity
for data exchanged between two systems, as well as server
authentication, through the use of public key cryptography. The
implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
<a href="http://www.openssh.org">http://www.openssh.org</a>. Its server program is called <code>sshd</code> and
provided by the RPM package <code>openssh-server</code>.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_ssh_server">Configure OpenSSH Server if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If the system needs to act as an SSH server, then
certain changes should be made to the OpenSSH daemon configuration
file <code>/etc/ssh/sshd_config</code>. The following recommendations can be
applied to this file. See the <code>sshd_config(5)</code> man page for more
detailed information.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall">Strengthen Firewall Configuration if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_sshd_strengthen_firewall">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If the SSH server is expected to only receive connections from 
the local network, then strengthen the default firewall rule for the SSH service
to only accept connections from the appropriate network segment(s).
<br><br>
Determine an appropriate network block, <code>netwk</code>, and network mask, <code>mask</code>, 
representing the machines on your network which will be allowed to access this SSH server.
<br><br>
Edit the files <code>etc/sysconfig/iptables</code> and <code>/etc/sysconfig/ip6tables</code>
(if IPv6 is in use). In each file, locate the line:
<pre>-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</pre>
and replace it with:
<pre>-A INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sssd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sssd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon
                          <a class="small" href="#xccdf_org.ssgproject.content_group_sssd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The System Security Services Daemon (SSSD) is a system daemon that provides access
to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
servers permit offline authentication as well as store extended user user data.
<br><br>
For more information, see
<b><a href="https://access.redhat.com/documentation/en_US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html">https://access.redhat.com/documentation/en_US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html</a></b>

</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_sssd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_xwindows" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_xwindows" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_xwindows">X Window System
                          <a class="small" href="#xccdf_org.ssgproject.content_group_xwindows">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The X Window System implementation included with the
system is called X.org.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_xwindows" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_xwindows" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_xwindows" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_xwindows">Disable X Windows
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_xwindows">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Unless there is a mission-critical reason for the
system to run a graphical user interface, ensure X is not set to start
automatically at boot and remove the X Windows software packages.
There is usually no reason to run X Windows
on a dedicated server machine, as it increases the system's attack surface and consumes
system resources. Administrators of server systems should instead login via
SSH or on the text console.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_xwindows" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_xwindows"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_avahi" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_avahi" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_avahi">Avahi Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_avahi">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Avahi daemon implements the DNS Service Discovery
and Multicast DNS protocols, which provide service and host
discovery on a network. It allows a system to automatically
identify resources on the network, such as printers or web servers.
This capability is also known as mDNSresponder and is a major part
of Zeroconf networking. </p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_avahi" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_service_avahi-daemon_disabled_group" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_service_avahi-daemon_disabled_group" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_avahi"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_service_avahi-daemon_disabled_group">Disable Avahi Server if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_service_avahi-daemon_disabled_group">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Because the Avahi daemon service keeps an open network
port, it is subject to network attacks.
Disabling it can reduce the system's vulnerability to such attacks.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_service_avahi-daemon_disabled_group" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_avahi"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_avahi_configuration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_avahi_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_avahi"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_avahi_configuration">Configure Avahi if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_avahi_configuration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
If your system requires the Avahi daemon, its configuration can be restricted
to improve security. The Avahi daemon configuration file is
<code>/etc/avahi/avahi-daemon.conf</code>. The following security recommendations
should be applied to this file:
See the <code>avahi-daemon.conf(5)</code> man page, or documentation at
<a href="http://www.avahi.org">http://www.avahi.org</a>, for more detailed information about the configuration options.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_avahi_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_avahi"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_printing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_printing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_printing">Print Support
                          <a class="small" href="#xccdf_org.ssgproject.content_group_printing">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Common Unix Printing System (CUPS) service provides both local
and network printing support. A system running the CUPS service can accept
print jobs from other systems, process them, and send them to the appropriate
printer. It also provides an interface for remote administration through a web
browser. The CUPS service is installed and activated by default. The project
homepage and more detailed documentation are available at <a href="http://www.cups.org">http://www.cups.org</a>.
<br><br> </p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_printing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_printing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_printing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_printing"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_configure_printing">Configure the CUPS Service if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configure_printing">[ref]</a><span class="label label-default pull-right">group</span></h3><p>CUPS provides the ability to easily share local printers with
other machines over the network. It does this by allowing machines to share
lists of available printers. Additionally, each machine that runs the CUPS
service can potentially act as a print server. Whenever possible, the printer
sharing and print server capabilities of CUPS should be limited or disabled.
The following recommendations should demonstrate how to do just that.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configure_printing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_printing"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_dhcp">DHCP
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Dynamic Host Configuration Protocol (DHCP) allows
systems to request and obtain an IP address and other configuration
parameters from a server.
<br><br>
This guide recommends configuring networking on clients by manually editing
the appropriate files under <code>/etc/sysconfig</code>.  Use of DHCP can make client 
systems vulnerable to compromise by rogue DHCP servers, and should be avoided 
unless necessary.  If using DHCP is necessary, however, there are best practices 
that should be followed to minimize security risk.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_server" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">Disable DHCP Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_dhcp_server">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The DHCP server <code>dhcpd</code> is not installed or activated by
default. If the software was installed and activated, but the
system does not need to act as a DHCP server, it should be disabled
and removed.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp_server_configuration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">Disable DHCP Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dhcp_server_configuration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If the system must act as a DHCP server, the configuration
information it serves should be minimized. Also, support for other protocols
and DNS-updating schemes should be explicitly disabled unless needed. The
configuration file for dhcpd is called <code>/etc/dhcp/dhcpd.conf</code>. The file
begins with a number of global configuration options. The remainder of the file
is divided into sections, one for each block of addresses offered by dhcpd,
each of which contains configuration options specific to that address
block.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_server_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable DHCP Client
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
DHCP is the default network configuration method provided by the system
installer, and common on many networks. Nevertheless, manual management
of IP addresses for systems implies a greater degree of management and
accountability for network activity.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dhcp_client_configuration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp_client_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_dhcp_client_configuration">Configure DHCP Client if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dhcp_client_configuration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If DHCP must be used, then certain configuration changes can
minimize the amount of information it receives and applies from the network,
and thus the amount of incorrect information a rogue DHCP server could
successfully distribute.  For more information on configuring dhclient, see the
<code>dhclient(8)</code> and <code>dhclient.conf(5)</code> man pages.  </p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_ntp">Network Time Protocol
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of machines, and that their time is consistent with the
outside world.
<br><br>
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
<br><br>
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a
public timeserver (or one provided by your enterprise) provides globally
accurate timestamps which may be essential in investigating or responding to
an attack which originated outside of your network.
<br><br>
A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
internal servers.
<br><br>
More information on how to configure the NTP server software,
including configuration of cryptographic authentication for
time data, is available at <a href="http://www.ntp.org">http://www.ntp.org</a>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_mail">Mail Server Software
                          <a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Mail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
targets of network attack.
Ensure that machines are not running MTAs unnecessarily,
and configure needed MTAs as defensively as possible.
<br><br>
Very few systems at any site should be configured to directly receive email over the
network. Users should instead use mail client programs to retrieve email
from a central server that supports protocols such as IMAP or POP3.
However, it is normal for most systems to be independently capable of sending email,
for instance so that cron jobs can report output to an administrator.
Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
the local system to a central site MTA (or directly delivered to a local account),
but the system still cannot receive mail directly over a network.
<br><br>
The <code>alternatives</code> program in Red Hat Enterprise Linux permits selection of other mail server software
(such as Sendmail), but Postfix is the default and is preferred.
Postfix was coded with security in mind and can also be more effectively contained by
SELinux as its modular design has resulted in separate processes performing specific actions.
More information is available on its website, <a href="http://www.postfix.org">http://www.postfix.org</a>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_client" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_postfix_client">Configure SMTP For Mail Clients
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section discusses settings for Postfix in a submission-only
e-mail configuration.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_postfix_harden_os">Configure Operating System to Protect Mail Server

                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_harden_os">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The guidance in this section is appropriate for any host which is
operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
or some other software.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">Configure SSL Certificates for Use with SMTP AUTH
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended.
There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another,
though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing
an SSL certificate are independent of the MTA in use, and are described here.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert">Ensure Security of Postfix SSL Certificate
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_install_ssl_cert">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Create the PKI directory for mail certificates, if it does not already exist:
<pre>$ sudo mkdir /etc/pki/tls/mail
$ sudo chown root:root /etc/pki/tls/mail
$ sudo chmod 755 /etc/pki/tls/mail</pre>
Using removable media or some other secure transmission format, install the files generated in the previous
step onto the mail server:
<pre>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</pre>
Verify the ownership and permissions of these files:
<pre>$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem
$ sudo chown root:root /etc/pki/tls/mail/servercert.pem
$ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem
$ sudo chmod 644 /etc/pki/tls/mail/servercert.pem</pre>
Verify that the CA's public certificate file has been installed as <code>/etc/pki/tls/CA/cacert.pem</code>, and has the
correct permissions:
<pre>$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_configuration" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_configuration">Configure Postfix if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_configuration">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Postfix stores its configuration files in the directory
/etc/postfix by default. The primary configuration file is
<code>/etc/postfix/main.cf</code>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_configuration" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_denial_of_service" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_denial_of_service" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_configuration"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_denial_of_service">Configure Postfix Resource Usage to Limit Denial of Service Attacks
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_denial_of_service">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Edit <code>/etc/postfix/main.cf</code>. Edit the following lines to
configure the amount of system resources Postfix can consume:
<pre>default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100</pre>
The values here are examples.
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                Note: The values given here are examples, and may
need to be modified for any particular site. By default, the Postfix anvil
process gathers mail receipt statistics. To get information about about what
connection rates are typical at your site, look in <code>/var/log/maillog</code>
for lines with the daemon name postfix/anvil.
</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_denial_of_service" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_configuration"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_configuration"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay">Control Mail Relaying
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_mail_relay">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Postfix's mail relay controls are implemented with the help of the
smtpd recipient restrictions option, which controls the restrictions placed on
the SMTP dialogue once the sender and recipient envelope addresses are known.
The guidance in the following sections should be applied to all machines. If
there are machines which must be allowed to relay mail, but which cannot be
trusted to relay unconditionally, configure SMTP AUTH with SSL support.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_configuration"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks">Configure Trusted Networks and Hosts
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Edit <code>/etc/postfix/main.cf</code>, and configure the contents of
the <code>mynetworks</code> variable in one of the following ways:
<ul><li>If any machine in the subnet containing the MTA may be trusted to relay
messages, add or correct the following line:
<pre>mynetworks_style = subnet</pre>
This is also the default setting, and is in effect if all
<code>my_networks_style</code> directives are commented.</li><li>If only the MTA host itself is trusted to relay messages, add or correct
the following line:
<pre>mynetworks_style = host</pre></li><li>If the set of machines which can relay is more complicated, manually
specify an entry for each netblock or IP address which is trusted to relay by
setting the <code>mynetworks</code> variable directly:
<pre>mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1</pre></li></ul>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_set_trusted_networks" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions">Enact SMTP Relay Restrictions
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
To configure Postfix to restrict addresses to which it
will send mail, see:
<a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</a>
<br>
The full contents of <code>smtpd_recipient_restrictions</code> will
vary by site, since this is a common place to put spam restrictions and other
site-specific options. The <code>permit_mynetworks</code> option allows all mail to
be relayed from the machines in <code>mynetworks</code>. Then, the
<code>reject_unauth_destination</code> option denies all mail whose destination
address is not local, preventing any other machines from relaying. These two
options should always appear in this order, and should usually follow one
another immediately unless SMTP AUTH is used.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions">Enact SMTP Recipient Restrictions
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
To configure Postfix to restrict addresses to which it
will send mail, see:
<a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</a>
<br>
The full contents of <code>smtpd_recipient_restrictions</code> will
vary by site, since this is a common place to put spam restrictions and other
site-specific options. The <code>permit_mynetworks</code> option allows all mail to
be relayed from the machines in <code>mynetworks</code>. Then, the
<code>reject_unauth_destination</code> option denies all mail whose destination
address is not local, preventing any other machines from relaying. These two
options should always appear in this order, and should usually follow one
another immediately unless SMTP AUTH is used.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks">Require SMTP AUTH Before Relaying from Untrusted Clients
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks">[ref]</a><span class="label label-default pull-right">group</span></h3><p>SMTP authentication allows remote clients to relay mail safely by
requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses
an authentication library called SASL, which is not part of Postfix itself.  To
enable the use of SASL authentication, see
<a href="http://www.postfix.org/SASL_README.html">http://www.postfix.org/SASL_README.html</a>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_smtp_auth_for_untrusted_networks" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth">Use TLS for SMTP AUTH
                          <a class="small" href="#xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Postfix provides options to use TLS for certificate-based
authentication and encrypted sessions. An encrypted session protects the
information that is transmitted with SMTP mail or with SASL authentication.
To configure Postfix to protect all SMTP AUTH transactions
using TLS, see <a href="http://www.postfix.org/TLS_README.html">http://www.postfix.org/TLS_README.html</a>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay_require_tls_for_smtp_auth" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_server_mail_relay"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ldap" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_ldap">LDAP
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ldap">[ref]</a><span class="label label-default pull-right">group</span></h3><p>LDAP is a popular directory service, that is, a
standardized way of looking up information from a central database.
Red Hat Enterprise Linux 6 includes software that enables a system to act as both
an LDAP client and server.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ldap" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_openldap_client" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openldap_client" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_openldap_client">Configure OpenLDAP Clients
                          <a class="small" href="#xccdf_org.ssgproject.content_group_openldap_client">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section provides information on which security settings are
important to configure in OpenLDAP clients by manually editing the appropriate
configuration files.  Red Hat Enterprise Linux 6 provides an automated configuration tool called
authconfig and a graphical wrapper for authconfig called
<code>system-config-authentication</code>. However, these tools do not provide as
much control over configuration as manual editing of configuration files. The
authconfig tools do not allow you to specify locations of SSL certificate
files, which is useful when trying to use SSL cleanly across several protocols.
Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 6 is available at
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html</a>.
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                Before configuring any system to be an
LDAP client, ensure that a working LDAP server is present on the
network.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_openldap_client" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_openldap_server" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openldap_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_openldap_server">Configure OpenLDAP Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_openldap_server">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section details some security-relevant settings
for an OpenLDAP server.  Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 6 is available at:
<a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html</a>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_openldap_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ldap"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openldap_server"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">Install and Protect LDAP Certificate Files
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Create the PKI directory for LDAP certificates if it does not already exist:
<pre>$ sudo mkdir /etc/pki/tls/ldap
$ sudo chown root:root /etc/pki/tls/ldap
$ sudo chmod 755 /etc/pki/tls/ldap</pre>
Using removable media or some other secure transmission format, install the certificate files
onto the LDAP server:
<ul><li><code>/etc/pki/tls/ldap/serverkey.pem</code>: the private key <code>ldapserverkey.pem</code></li><li><code>/etc/pki/tls/ldap/servercert.pem</code>: the certificate file <code>ldapservercert.pem</code></li></ul>
Verify the ownership and permissions of these files:
<pre>$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem</pre>
Verify that the CA's public certificate file has been installed as
<code>/etc/pki/tls/CA/cacert.pem</code>, and has the correct permissions:
<pre>$ sudo mkdir /etc/pki/tls/CA
$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</pre>

As a result of these steps, the LDAP server will have access to its own private
certificate and the key with which that certificate is encrypted, and to the
public certificate file belonging to the CA. Note that it would be possible for
the key to be protected further, so that processes running as ldap could not
read it. If this were done, the LDAP server process would need to be restarted
manually whenever the server rebooted.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openldap_server"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Network File System is a popular distributed filesystem for
the Unix environment, and is very widely deployed.  This section discusses the
circumstances under which it is possible to disable NFS and its dependencies,
and then details steps which should be taken to secure
NFS's configuration. This section is relevant to machines operating as NFS
clients, as well as to those operating as NFS servers.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_nfs" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_nfs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_nfs">Disable All NFS Services if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_nfs">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If there is not a reason for the system to operate as either an
NFS client or an NFS server, follow all instructions in this section to disable
subsystems required by NFS.
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                The steps in this section will prevent a machine
from operating as either an NFS client or an NFS server. Only perform these
steps on machines which do not need NFS at all.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_nfs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_nfs_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_nfs_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_nfs"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_disabling_nfs_services">Disable Services Used Only by NFS
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_nfs_services">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
<br><br>
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_nfs_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_nfs"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_netfs" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_netfs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_nfs"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_disabling_netfs">Disable netfs if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_netfs">[ref]</a><span class="label label-default pull-right">group</span></h3><p>To determine if any network filesystems handled by netfs are
currently mounted on the system execute the following command:
<pre>$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre>
If the command did not return any output then disable netfs.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_netfs" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_nfs"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines">Configure All Machines which Use NFS
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nfs_configuring_all_machines">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The steps in this section are appropriate for all machines which
run NFS, whether they operate as clients or as servers.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both">Make Each Machine a Client or a Server, not Both
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If NFS must be used, it should be deployed in the simplest
configuration possible to avoid maintainability problems which may lead to
unnecessary security exposure. Due to the reliability and security problems
caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for machines
which act as NFS servers to also mount filesystems via NFS. At the least,
crossed mounts (the situation in which each of two servers mounts a filesystem
from the other) should never be used.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports">Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Firewalling should be done at each host and at the border
firewalls to protect the NFS daemons from remote access, since NFS servers
should never be accessible from outside the organization. However, by default
for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
dynamically at service startup time. Dynamic ports cannot be protected by port
filtering firewalls such as iptables.
<br><br>
Therefore, restrict each service to always use a given port, so that
firewalling can be done effectively. Note that, because of the way RPC is
implemented, it is not possible to disable the RPC Bind service even if ports
are assigned statically to all RPC services.
<br><br>
In NFSv4, the mounting and locking protocols have been incorporated into the
protocol, and the server listens on the the well-known TCP port 2049. As such,
NFSv4 does not need to interact with the <code>rpcbind, lockd, and rpc.statd</code>
daemons, which can and should be disabled in a pure NFSv4 environment. The
<code>rpc.mountd</code> daemon is still required on the NFS server to setup
exports, but is not involved in any over-the-wire operations.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_all_machines"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_clients" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_clients" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_nfs_configuring_clients">Configure NFS Clients
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nfs_configuring_clients">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The steps in this section are appropriate for machines which operate as NFS clients.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_clients" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_nfsd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_nfsd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_disabling_nfsd">Disable NFS Server Daemons
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_nfsd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
There is no need to run the NFS server daemons <code>nfs</code> and
<code>rpcsvcgssd</code> except on a small number of properly secured machines
designated as NFS servers. Ensure that these daemons are turned off on
clients.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_nfsd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems">Mount Remote Filesystems with Restrictive Options
                          <a class="small" href="#xccdf_org.ssgproject.content_group_mounting_remote_filesystems">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Edit the file <code>/etc/fstab</code>. For each filesystem whose type
(column 3) is <code>nfs</code> or <code>nfs4</code>, add the text
<code>,nodev,nosuid</code> to the list of mount options in column 4. If
appropriate, also add <code>,noexec</code>.
<br><br>
See the section titled "Restrict Partition Mount Options" for a description of
the effects of these options. In general, execution of files mounted via NFS
should be considered risky because of the possibility that an adversary could
intercept the request and substitute a malicious file. Allowing setuid files to
be executed from remote servers is particularly risky, both for this reason and
because it requires the clients to extend root-level trust to the NFS
server.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mounting_remote_filesystems" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_clients"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_configuring_servers" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_nfs_configuring_servers">Configure NFS Servers
                          <a class="small" href="#xccdf_org.ssgproject.content_group_nfs_configuring_servers">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The steps in this section are appropriate for machines which operate as NFS servers.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_and_rpc"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_exports_restrictively" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_exports_restrictively" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_configure_exports_restrictively">Configure the Exports File Restrictively
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configure_exports_restrictively">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Linux's NFS implementation uses the file <code>/etc/exports</code> to control what filesystems
and directories may be accessed via NFS. (See the <code>exports(5)</code> manpage for more information about the
format of this file.)
<br><br>
The syntax of the <code>exports</code> file is not necessarily checked fully on reload, and syntax errors
can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
the file.
<br><br>
The syntax of each line in <code>/etc/exports</code> is:
<pre>/DIR	host1(opt1,opt2) host2(opt3)</pre>
where <code>/DIR</code> is a directory or filesystem to export, <code>hostN</code> is an IP address, netblock,
hostname, domain, or netgroup to which to export, and <code>optN</code> is an option.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configure_exports_restrictively" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions">Use Access Lists to Enforce Authorization Restrictions
                          <a class="small" href="#xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>When configuring NFS exports, ensure that each export line in <code>/etc/exports</code> contains
a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
then that export is available to any remote host which requests it. All lines of the exports file should
specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
unknown or remote hosts will be denied.
<br><br>
Authorized hosts can be specified in several different formats:
<ul><li>Name or alias that is recognized by the resolver</li><li>Fully qualified domain name</li><li>IP address</li><li>IP subnets in the format <code>address/netmask</code> or <code>address/CIDR</code></li></ul>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_export_filesystems_read_only" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_export_filesystems_read_only" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_export_filesystems_read_only">Export Filesystems Read-Only if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_export_filesystems_read_only">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If a filesystem is being exported so that users can view the files in a convenient
fashion, but there is no need for users to edit those files, exporting the filesystem read-only
removes an attack vector against the server. The default filesystem export mode is <code>ro</code>,
so do not specify <code>rw</code> without a good reason.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_export_filesystems_read_only" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nfs_configuring_servers"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_dns">DNS Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Most organizations have an operational need to run at
least one nameserver. However, there are many common attacks
involving DNS server software, and this server software should
be disabled on any system
on which it is not needed.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dns_server" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dns_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_dns_server">Disable DNS Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_dns_server">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
DNS software should be disabled on any machine which does not
need to be a nameserver. Note that the BIND DNS server software is
not installed on Red Hat Enterprise Linux 6 by default. The remainder of this section
discusses secure configuration of machines which must be
nameservers.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dns_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate DNS from Other Services
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section discusses mechanisms for preventing the DNS server
from interfering with other services. This is done both to protect the
remainder of the network should a nameserver be compromised, and to make direct
attacks on nameservers more difficult.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run DNS Software on Dedicated Servers
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Since DNS is
a high-risk service which must frequently be made available to the entire
Internet, it is strongly recommended that no other services be offered by
machines which act as organizational DNS servers.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run DNS Software in a chroot Jail
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Install the <code>bind-chroot</code> package:
<pre>$ sudo yum install bind-chroot</pre>
Place a valid named.conf file inside the chroot jail:
<pre>$ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
$ sudo chown root:root /var/named/chroot/etc/named.conf
$ sudo chmod 644 /var/named/chroot/etc/named.conf</pre>
Create and populate an appropriate zone directory within the jail, based on the
options directive. If your <code>named.conf</code> includes:
<pre>options {
directory "/path/to/DIRNAME ";
...
}</pre>
then copy that directory and its contents from the original zone directory:
<pre>$ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME</pre>
Add or correct the following line within <code>/etc/sysconfig/named</code>:
<pre>ROOTDIR=/var/named/chroot</pre>
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                If you are running BIND in a chroot jail, then you
should use the jailed <code>named.conf</code> as the primary nameserver
configuration file. That is, when this guide recommends editing
<code>/etc/named.conf</code>, you should instead edit
<code>/var/named/chroot/etc/named.conf</code>.
</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect DNS Data from Tampering or Attack
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns_server_protection">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section discusses DNS configuration options which make it
more difficult for attackers to gain access to private DNS data or to modify
DNS data.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_protection" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">Run Separate DNS Servers for External and Internal Queries
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Is it possible to run external and internal nameservers on
separate machines? If so, follow the configuration guidance in this section. On
the external nameserver, edit <code>/etc/named.conf</code> to add or correct the
following directives:
<pre>options {
  allow-query { any; };
  recursion no;
  ...
};
zone "example.com " IN {
  ...
};</pre>
On the internal nameserver, edit <code>/etc/named.conf</code>. Add or correct the
following directives, where SUBNET is the numerical IP representation of your
organization in the form xxx.xxx.xxx.xxx/xx:
<pre>acl internal {
  SUBNET ;
  localhost;
};
options {
  allow-query { internal; };
  ...
};
zone "internal.example.com " IN {
  ...
};</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_partition_with_views" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dns_server_partition_with_views">Use Views to Partition External and Internal Information
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dns_server_partition_with_views">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If it is not possible to run external and internal nameservers on
separate physical machines, run BIND9 and simulate this feature using views.
Edit <code>/etc/named.conf</code>. Add or correct the following directives (where
SUBNET is the numerical IP representation of your organization in the form
xxx.xxx.xxx.xxx/xx):
<pre>acl internal {
  SUBNET ;
  localhost;
};
view "internal-view" {
  match-clients { internal; };
  zone "." IN {
    type hint;
    file "db.cache";
  };
  zone "internal.example.com " IN {
    ...
  };
};

view "external-view" {
  match-clients { any; };
  recursion no;
  zone "example.com " IN {
    ...
  };
};</pre>
</p><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">Warning:</span> 
                                As shown in the example, database files which are
required for recursion, such as the root hints file, must be available to any
clients which are allowed to make recursive queries. Under typical
circumstances, this includes only the internal clients which are allowed to use
this server as a general-purpose nameserver.</div></div></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_partition_with_views" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_protection"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_ftp">FTP Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span class="label label-default pull-right">group</span></h3><p>FTP is a common method for allowing remote access to
files. Like telnet, the FTP protocol is unencrypted, which means
that passwords and other data transmitted during the session can be
captured and that the session is vulnerable to hijacking.
Therefore, running the FTP server software is not recommended.
<br><br>
However, there are some FTP server configurations which may
be appropriate for some environments, particularly those which
allow only read-only anonymous access as a means of downloading
data available to the public.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ftp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable vsftpd if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>To minimize attack surface, disable vsftpd if at all
possible.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use vsftpd to Provide FTP Service if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If your use-case requires FTP service, install and
set-up vsftpd to provide it.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use vsftpd to Provide FTP Service if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The primary vsftpd configuration file is
<code>/etc/vsftpd.conf</code>, if that file exists, or
<code>/etc/vsftpd/vsftpd.conf</code> if it does not. 
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict the Set of Users Allowed to Access FTP
                          <a class="small" href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span class="label label-default pull-right">group</span></h3><p>This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
identified need for this access.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_http" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_http">Web Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The web server is responsible for providing access to
content via the HTTP protocol. Web servers represent a significant
security risk because:
<br><br>
<ul><li>The HTTP port is commonly probed by malicious sources</li><li>Web server software is very complex, and includes a long
history of vulnerabilities</li><li>The HTTP protocol is unencrypted and vulnerable to passive
monitoring</li></ul>
<br><br>
The system's default web server software is Apache 2 and is
provided in the RPM package <code>httpd</code>.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_http" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable Apache if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If Apache was installed and activated, but the system
does not need to act as a web server, then it should be disabled
and removed from the system.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_installing_httpd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installing_httpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_installing_httpd">Install Apache if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_installing_httpd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If <code>httpd</code> was not installed and activated, but the system
needs to act as a web server, then it should be installed on the system. Follow these
guidelines to install it defensively. The <code>httpd</code> package can be installed with
the following command:
<pre>$ sudo yum install httpd</pre>
This method of installation is recommended over installing the "Web Server"
package group during the system installation process. The Web Server package
group includes many packages which are likely extraneous, while the
command-line method installs only the required <code>httpd</code> package itself.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_installing_httpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_installing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed">Confirm Minimal Built-in Modules Installed
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The default <code>httpd</code> installation minimizes the number of
modules that are compiled directly into the binary (<code>core prefork http_core
mod_so</code>). This minimizes risk by limiting the capabilities allowed by the
web server.

Query the set of compiled-in modules using the following command:
<pre>$ httpd -l</pre>
If the number of compiled-in modules is significantly larger than the
aforementioned set, this guide recommends re-installing <code>httpd</code> with a
reduced configuration. Minimizing the number of modules that are compiled into
the <code>httpd</code> binary, reduces risk by limiting the capabilities allowed by
the webserver.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_installing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_securing_httpd">Secure Apache Configuration
                          <a class="small" href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The <code>httpd</code> configuration file is
<code>/etc/httpd/conf/httpd.conf</code>. Apply the recommendations in the remainder
of this section to this file.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict Web Server Information Leakage
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The <code>ServerTokens</code> and <code>ServerSignature</code> directives determine how
much information the web server discloses about the configuration of the
system.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules">Minimize Web Server Loadable Modules
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
A default installation of <code>httpd</code> includes a plethora of dynamically shared objects (DSO)
that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be
disabled in the configuration file by removing the corresponding LoadModule directive.
<br><br>
Note: A DSO only provides additional functionality if associated directives are included
in the <code>httpd</code> configuration file. It should also be noted that removing a DSO will produce
errors on <code>httpd</code> startup if the configuration file contains directives that apply to that
module. Refer to <code><a href="http://httpd.apache.org/docs/">http://httpd.apache.org/docs/</a></code> for details on which directives
are associated with each DSO.
<br><br>
Following each DSO removal, the configuration can be tested with the following command
to check if everything still works:
<pre>$ sudo service httpd configtest</pre>
The purpose of each of the modules loaded by default will now be addressed one at a time.
If none of a module's directives are being used, remove it.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_core_modules" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_core_modules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_httpd_core_modules">httpd Core Modules
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_core_modules">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
These modules comprise a basic subset of modules that are likely needed for base <code>httpd</code>
functionality; ensure they are not commented out in <code>/etc/httpd/conf/httpd.conf</code>:
<pre>LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mome.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so</pre>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_basic_authentication" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_basic_authentication" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_httpd_basic_authentication">Minimize Modules for HTTP Basic Authentication
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_basic_authentication">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The following modules are necessary if this web server will provide content that will
be restricted by a password.
<br><br>
Authentication can be performed using local plain text password files (<code>authn_file</code>),
local DBM password files (<code>authn_dbm</code>) or an LDAP directory. The only module required by
the web server depends on your choice of authentication. Comment out the modules you don't
need from the following:
<pre>LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so</pre>
<code>authn_alias</code> allows for authentication based on aliases. <code>authn_anon</code>
allows anonymous authentication similar to that of anonymous ftp sites. <code>authz_owner</code>
allows authorization based on file ownership. <code>authz_dbm</code> allows for authorization
based on group membership if the web server is using DBM authentication.
<br><br>
If the above functionality is unnecessary, comment out the related module:
<pre>#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_basic_authentication" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_optional_components" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_optional_components" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_httpd_optional_components">Minimize Various Optional Components
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_optional_components">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The following modules perform very specific tasks, sometimes providing access to
just a few additional directives. If such functionality is not required (or if you
are not using these directives), comment out the associated module:
<ul><li>External filtering (response passed through external program prior to client delivery)
<pre>#LoadModule ext_filter_module modules/mod_ext_filter.so</pre></li><li>User-specified Cache Control and Expiration
<pre>#LoadModule expires_module modules/mod_expires.so</pre></li><li>Compression Output Filter (provides content compression prior to client delivery)
<pre>#LoadModule deflate_module modules/mod_deflate.so</pre></li><li>HTTP Response/Request Header Customization
<pre>#LoadModule headers_module modules/mod_headers.so</pre></li><li>User activity monitoring via cookies
<pre>#LoadModule usertrack_module modules/mod_usertrack.so</pre></li><li>Dynamically configured mass virtual hosting
<pre>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</pre></li></ul>
Minimizing the number of loadable modules available to the web server reduces risk
by limiting the capabilities allowed by the web server.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td style="padding-left: 114px"><h3 id="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included">Minimize Configuration Files Included
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The <code>Include</code> directive directs <code>httpd</code> to load supplementary configuration files
from a provided path. The default configuration loads all files that end in <code>.conf</code>
from the <code>/etc/httpd/conf.d</code> directory.
<br><br>
To restrict excess configuration, the following line should be commented out and
replaced with <code>Include</code> directives that only reference required configuration files:
<pre>#Include conf.d/*.conf</pre>
If the above change was made, ensure that the SSL encryption remains loaded by
explicitly including the corresponding configuration file:
<pre>Include conf.d/ssl.conf</pre>
If PHP is necessary, a similar alteration must be made:
<pre>Include conf.d/php.conf</pre>

Explicitly listing the configuration files to be loaded during web server start-up avoids
the possibility of unwanted or malicious configuration files to be automatically included as
part of the server's running configuration.

</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td style="padding-left: 114px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions">Directory Restrictions
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_directory_restrictions">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The Directory tags in the web server configuration file allow finer grained access
control for a specified directory. All web directories should be configured on a
case-by-case basis, allowing access only where needed.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_directory_restrictions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_modules_improve_security" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security">Use Appropriate Modules to Improve httpd's Security
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_modules_improve_security">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Among the modules available for <code>httpd</code> are several whose use may improve the
security of the web server installation. This section recommends and discusses
the deployment of security-relevant modules.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_modules_improve_security" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_modules_improve_security"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl">Deploy mod_ssl
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Because HTTP is a plain text protocol, all traffic is susceptible to passive
monitoring. If there is a need for confidentiality, SSL should be configured
and enabled to encrypt content.
<br><br>
Note: <code>mod_nss</code> is a FIPS 140-2 certified alternative to <code>mod_ssl</code>.
The modules share a considerable amount of code and should be nearly identical
in functionality. If FIPS 140-2 validation is required, then <code>mod_nss</code> should
be used. If it provides some feature or its greater compatibility is required,
then <code>mod_ssl</code> should be used.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_modules_improve_security"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_modules_improve_security"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security">Deploy mod_security
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_deploy_mod_security">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The <code>security</code> module provides an application level firewall for <code>httpd</code>.
Following its installation with the base ruleset, specific configuration advice can be found at
<a href="http://www.modsecurity.org/">http://www.modsecurity.org/</a> to design a policy that best matches the security needs of
the web applications. Usage of <code>mod_security</code> is highly recommended for some environments,
but it should be noted this module does not ship with Red Hat Enterprise Linux itself,
and instead is provided via Extra Packages for Enterprise Linux (EPEL).
For more information on EPEL please refer to <a href="http://fedoraproject.org/wiki/EPEL">http://fedoraproject.org/wiki/EPEL</a>.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_modules_improve_security"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules">Use Denial-of-Service Protection Modules
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Denial-of-service attacks are difficult to detect and prevent while maintaining
acceptable access to authorized users. However, some traffic-shaping
modules can be used to address the problem. Well-known DoS protection modules include:
<pre>mod_cband mod_bwshare mod_limitipconn mod_evasive</pre>
Denial-of-service prevention should be implemented for a web server if such a threat exists.
However, specific configuration details are very dependent on the environment and often best left
at the discretion of the administrator.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_php_securely" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_configure_php_securely">Configure PHP Securely
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_configure_php_securely">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
PHP is a widely-used and often misconfigured server-side scripting language. It should
be used with caution, but configured appropriately when needed.
<br><br>
Review <code>/etc/php.ini</code> and make the following changes if possible:
<pre># Do not expose PHP error messages to external users
display_errors = Off

# Enable safe mode
safe_mode = On

# Only allow access to executables in isolated directory
safe_mode_exec_dir = php-required-executables-path

# Limit external access to PHP environment
safe_mode_allowed_env_vars = PHP_

# Restrict PHP information leakage
expose_php = Off

# Log all errors
log_errors = On

# Do not register globals for input data
register_globals = Off

# Minimize allowable PHP post size
post_max_size = 1K

# Ensure PHP redirects appropriately
cgi.force_redirect = 0

# Disallow uploading unless necessary
file_uploads = Off

# Disallow treatment of file requests as fopen calls
allow_url_fopen = Off

# Enable SQL safe mode
sql.safe_mode = On
</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_configure_php_securely" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">Configure Operating System to Protect Web Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
The following configuration steps should be taken on the machine which hosts the
web server, in order to provide as safe an environment as possible for the web server.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">Restrict File and Directory Access
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Minimize access to critical <code>httpd</code> files and directories.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_iptables" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_iptables" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_httpd_configure_iptables">Configure iptables to Allow Access to the Web Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_configure_iptables">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
By default, <code>iptables</code>
blocks access to the ports used by the web server.

        To configure <code>iptables</code> to allow port
        80 traffic one must edit
        <code>/etc/sysconfig/iptables</code> and
        <code>/etc/sysconfig/ip6tables</code> (if IPv6 is in use).
        Add the following line, ensuring that it appears before the final LOG
        and DROP lines for the INPUT chain:
        <pre xml:space="preserve">-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT</pre>

        To configure <code>iptables</code> to allow port
        443 traffic one must edit
        <code>/etc/sysconfig/iptables</code> and
        <code>/etc/sysconfig/ip6tables</code> (if IPv6 is in use).
        Add the following line, ensuring that it appears before the final LOG
        and DROP lines for the INPUT chain:
        <pre xml:space="preserve">-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_configure_iptables" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_httpd_chroot" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_chroot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td style="padding-left: 95px"><h3 id="xccdf_org.ssgproject.content_group_httpd_chroot">Run httpd in a chroot Jail if Practical
                          <a class="small" href="#xccdf_org.ssgproject.content_group_httpd_chroot">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Running <code>httpd</code> inside a <code>chroot</code> jail is designed to isolate the
web server process to a small section of the filesystem, limiting the damage if
it is compromised. Versions of Apache greater than 2.2.10 (such as the one
included with Red Hat Enterprise Linux 6) provide the <code>ChrootDir</code> directive. To run Apache
inside a chroot jail in <code>/chroot/apache</code>, add the following line to
<code>/etc/httpd/conf/httpd.conf</code>: <pre>ChrootDir /chroot/apache</pre> This
necessitates placing all files required by <code>httpd</code> inside
<code>/chroot/apache</code> , including <code>httpd</code>'s binaries, modules,
configuration files, and served web pages. The details of this configuration
are beyond the scope of this guide. This may also require additional SELinux
configuration.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_chroot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td style="padding-left: 95px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_imap" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Dovecot provides IMAP and POP3 services. It is not
installed by default. The project page at <a href="http://www.dovecot.org">http://www.dovecot.org</a>
contains more detailed information about Dovecot
configuration.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_imap" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable Dovecot
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If the system does not need to operate as an IMAP or
POP3 server, the dovecot software should be disabled and removed.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure Dovecot if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If the system will operate as an IMAP or
POP3 server, the dovecot software should be configured securely by following
the recommendations below.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support Only the Necessary Protocols
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Dovecot supports the IMAP and POP3 protocols, as well as 
SSL-protected versions of those protocols. Configure the Dovecot server 
to support only the protocols needed by your site. Edit <code>/etc/dovecot/dovecot.conf</code>. 
Add or correct the following lines, replacing <code>PROTOCOL</code> with 
only the subset of protocols (<code>imap</code>, <code>imaps</code>, 
<code>pop3</code>, <code>pop3s</code>) required:
<pre>protocols = PROTOCOL</pre>
If possible, require SSL protection for all transactions. The SSL 
protocol variants listen on alternate ports (995 instead of 110 for 
pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. 
An alternate approach is to listen on the standard port and require the 
client to use the STARTTLS command before authenticating.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable SSL Support
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span class="label label-default pull-right">group</span></h3><p>SSL should be used to encrypt network traffic between the 
Dovecot server and its clients. Users must authenticate to the Dovecot 
server in order to read their mail, and passwords should never be 
transmitted in clear text. In addition, protecting mail as it is 
downloaded is a privacy measure, and clients may use SSL certificates 
to authenticate the server, preventing another system from impersonating 
the server.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow IMAP Clients to Access the Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The default iptables configuration does not allow inbound 
access to any services. This modification will allow remote hosts to 
initiate connections to the IMAP daemon, while keeping all other ports 
on the server in their default protected state. 

        To configure <code>iptables</code> to allow port
        143 traffic one must edit
        <code>/etc/sysconfig/iptables</code> and
        <code>/etc/sysconfig/ip6tables</code> (if IPv6 is in use).
        Add the following line, ensuring that it appears before the final LOG
        and DROP lines for the INPUT chain:
        <pre xml:space="preserve">-A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smb" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span class="label label-default pull-right">group</span></h3><p>When properly configured, the Samba service allows
Linux machines to provide file and print sharing to Microsoft
Windows machines. There are two software packages that provide
Samba support. The first, <code>samba-client</code>, provides a series of
command line tools that enable a client machine to access Samba
shares. The second, simply labeled <code>samba</code>, provides the Samba
service. It is this second package that allows a Linux machine to
act as an Active Directory server, a domain controller, or as a
domain member. Only the <code>samba-client</code> package is installed by
default.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smb" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_samba">Disable Samba if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span class="label label-default pull-right">group</span></h3><p>
Even after the Samba server package has been installed, it
will remain disabled. Do not enable this service unless it is
absolutely necessary to provide Microsoft Windows file and print
sharing functionality.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_configuring_samba">Configure Samba if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span class="label label-default pull-right">group</span></h3><p>All settings for the Samba daemon can be found in
<code>/etc/samba/smb.conf</code>. Settings are divided between a
<code>[global]</code> configuration section and a series of user
created share definition sections meant to describe file or print
shares on the system. By default, Samba will operate in user mode
and allow client machines to access local home directories and
printers. It is recommended that these settings be changed or that
additional limitations be set in place.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict SMB File Sharing to Configured Networks
                          <a class="small" href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span class="label label-default pull-right">group</span></h3><p>Only users with local user accounts will be able to log in to
Samba shares by default. Shares can be limited to particular users or network
addresses. Use the <code>hosts allow</code> and <code>hosts deny</code> directives
accordingly, and consider setting the valid users directive to a limited subset
of users or to a group of users. Separate each address, user, or user group
with a space as follows for a particular <i>share</i> or global:
<pre>[<i>share</i>]
  hosts allow = 192.168.1. 127.0.0.1
  valid users = userone usertwo @usergroup</pre>
It is also possible to limit read and write access to particular users with the
read list and write list options, though the permissions set by the system
itself will override these settings. Set the read only attribute for each share
to ensure that global settings will not accidentally override the individual
share settings. Then, as with the valid users directive, separate each user or
group of users with a space:
<pre>[<i>share</i>]
  read only = yes
  write list = userone usertwo @usergroup</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td style="padding-left: 76px"><h3 id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict Printer Sharing
                          <a class="small" href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span class="label label-default pull-right">group</span></h3><p>By default, Samba utilizes the CUPS printing service to enable
printer sharing with Microsoft Windows workstations. If there are no printers
on the local machine, or if printer sharing with Microsoft Windows is not
required, disable the printer sharing capability by commenting out the
following lines, found in <code>/etc/samba/smb.conf</code>:
<pre>[global]
  load printers = yes
  cups options = raw
[printers]
  comment = All Printers
  path = /usr/spool/samba
  browseable = no
  guest ok = no
  writable = no
  printable = yes</pre>
There may be other options present, but these are the only options enabled and
uncommented by default. Removing the <code>[printers]</code> share should be enough
for most users.  If the Samba printer sharing capability is needed, consider
disabling the Samba network browsing capability or restricting access to a
particular set of users or network addresses. Set the <code>valid users</code>
parameter to a small subset of users or restrict it to a particular group of
users with the shorthand <code>@</code>. Separate each user or group of users with
a space. For example, under the <code>[printers]</code> share:
<pre>[printers]
  valid users = user @printerusers</pre>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td style="padding-left: 76px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_proxy" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_proxy" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_proxy">Proxy Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_proxy">[ref]</a><span class="label label-default pull-right">group</span></h3><p>A proxy server is a very desirable target for a
potential adversary because much (or all) sensitive data for a
given infrastructure may flow through it. Therefore, if one is
required, the machine acting as a proxy server should be dedicated
to that purpose alone and be stored in a physically secure
location. The system's default proxy server software is Squid, and
provided in an RPM package of the same name.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_proxy" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_squid" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_squid" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_proxy"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_squid">Disable Squid if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_squid">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If Squid was installed and activated, but the system
does not need to act as a proxy server, then it should be disabled
and removed.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_squid" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_proxy"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><h3 id="xccdf_org.ssgproject.content_group_snmp">SNMP Server
                          <a class="small" href="#xccdf_org.ssgproject.content_group_snmp">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The Simple Network Management Protocol allows
administrators to monitor the state of network devices, including
computers. Older versions of SNMP were well-known for weak
security, such as plaintext transmission of the community string
(used for authentication) and usage of easily-guessable
choices for the community string.</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_snmp" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disabling_snmp_service" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_snmp_service" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_disabling_snmp_service">Disable SNMP Server if Possible
                          <a class="small" href="#xccdf_org.ssgproject.content_group_disabling_snmp_service">[ref]</a><span class="label label-default pull-right">group</span></h3><p>The system includes an SNMP daemon that allows for its remote
monitoring, though it not installed by default. If it was installed and
activated but is not needed, the software should be disabled and removed.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_snmp_service" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_snmp_configure_server" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td style="padding-left: 57px"><h3 id="xccdf_org.ssgproject.content_group_snmp_configure_server">Configure SNMP Server if Necessary
                          <a class="small" href="#xccdf_org.ssgproject.content_group_snmp_configure_server">[ref]</a><span class="label label-default pull-right">group</span></h3><p>If it is necessary to run the snmpd agent on the system, some best
practices should be followed to minimize the security risk from the
installation. The multiple security models implemented by SNMP cannot be fully
covered here so only the following general configuration advice can be offered:
<ul><li>use only SNMP version 3 security models and enable the use of authentication and encryption</li><li>write access to the MIB (Management Information Base) should be allowed only if necessary</li><li>all access to the MIB should be restricted following a principle of least privilege</li><li>network access should be limited to the maximum extent possible including restricting to expected network
addresses both in the configuration files and in the system firewall rules</li><li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
stations</li><li>ensure that permissions on the <code>snmpd.conf</code> configuration file (by default, in <code>/etc/snmp</code>) are 640 or more restrictive</li><li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_snmp_configure_server" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_snmp"><td style="padding-left: 57px"></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_srg_support" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_srg_support" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"><h3 id="xccdf_org.ssgproject.content_group_srg_support">Documentation to Support DISA OS SRG Mapping
                          <a class="small" href="#xccdf_org.ssgproject.content_group_srg_support">[ref]</a><span class="label label-default pull-right">group</span></h3><p>These groups exist to document how the Red Hat Enterprise Linux
product meets (or does not meet) requirements listed in the DISA OS SRG, for
those cases where Groups or Rules elsewhere in scap-security-guide do
not clearly relate.
</p></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_srg_support" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td style="padding-left: 19px"></td></tr></tbody></table></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.</div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit">
                Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.2.14</p></div></footer></body></html>