We assume that your server was installed (in our case Solaris 8) and patched with the up-to-date recommended patches.
We also assume that you have transferred the tarball.tar.Z file needed for this install to a local directory.
Finally, we assume that no modifications have been made to the system.
Commands typed by the sysadmin are in bold; comments are in color.
zeta console login: root
Password:
Last login: Wed Jul 19 18:02:40 on console
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
#
# ps -eaf
Default running processes, for a full Solaris 8 installation.
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0 17:57:09 ?        0:15 sched
    root     1     0  0 17:57:10 ?        0:00 /etc/init -
    root     2     0  0 17:57:10 ?        0:00 pageout
    root     3     0  0 17:57:10 ?        0:09 fsflush
    root   264     1  0 17:58:12 ?        0:00 /usr/lib/saf/sac -t 300
    root   127     1  0 17:57:56 ?        0:00 /usr/sbin/rpcbind
    root    48     1  0 17:57:20 ?        0:00 /usr/lib/devfsadm/devfseventd
    root    52     1  0 17:57:31 ?        0:00 /usr/lib/devfsadm/devfsadmd
    root   110     1  0 17:57:56 ?        0:00 /usr/sbin/in.routed -q
  daemon   167     1  0 17:57:58 ?        0:00 /usr/lib/nfs/statd
    root   166     1  0 17:57:58 ?        0:00 /usr/lib/nfs/lockd
    root   196     1  0 17:58:01 ?        0:00 /usr/sbin/nscd
    root   170     1  0 17:57:59 ?        0:00 /usr/lib/autofs/automountd
    root   202     1  0 17:58:02 ?        0:00 /usr/lib/lpsched
    root   181     1  0 17:58:00 ?        0:00 /usr/sbin/syslogd
    root   159     1  0 17:57:58 ?        0:00 /usr/sbin/inetd -s
    root   185     1  0 17:58:00 ?        0:00 /usr/sbin/cron
    root   215     1  0 17:58:03 ?        0:00 /usr/lib/power/powerd
    root   227     1  0 17:58:03 ?        0:00 /usr/sadm/lib/wbem/cimomboot start
    root   224     1  0 17:58:03 ?        0:00 /usr/lib/utmpd
    root   229     1  0 17:58:04 ?        0:00 /usr/sbin/vold
    root   278     1  0 17:59:05 ?        0:00 /usr/lib/sendmail -bd -q15m
    root   267   264  0 17:58:13 ?        0:00 /usr/lib/saf/ttymon
    root   286     1  1 18:10:19 console  0:00 -sh
    root   250     1  0 17:58:07 ?        0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
    root   300   286  1 19:07:12 console  0:00 ps -eaf
    root   253   250  0 17:58:08 ?        0:02 mibiisa -r -p 32781
    root   296   159  0 19:00:36 ?        0:00 rpc.rusersd
    root   257     1  0 17:58:11 ?        0:00 /usr/lib/dmi/dmispd
    root   259     1  0 17:58:11 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root   260     1  0 17:58:11 ?        0:00 /usr/lib/dmi/snmpXdmid -s zeta
# netstat -an
Default open network ports, for a full Solaris 8 installation.

UDP: IPv4
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.520                                 Idle
      *.*                                   Unbound
      *.111                                 Idle
      *.*                                   Unbound
      *.32771                               Idle
      *.42                                  Idle
      *.512                                 Idle
      *.517                                 Idle
      *.37                                  Idle
      *.7                                   Idle
      *.9                                   Idle
      *.13                                  Idle
      *.19                                  Idle
      *.32772                               Idle
      *.32773                               Idle
      *.32774                               Idle
      *.32775                               Idle
      *.*                                   Unbound
      *.32776                               Idle
      *.32777                               Idle
      *.32778                               Idle
      *.32779                               Idle
      *.4045                                Idle
      *.514                                 Idle
      *.*                                   Unbound
      *.161                                 Idle
      *.32782                               Idle
      *.32783                               Idle
      *.32781                               Idle
      *.*                                   Unbound
      *.32784                               Idle
      *.32785                               Idle
      *.32786                               Idle
      *.6500                                Idle
      *.177                                 Idle
      *.*                                   Unbound

UDP: IPv6
   Local Address                     Remote Address                   State      If
--------------------------------- --------------------------------- ---------- -----
      *.37                                                            Idle
      *.7                                                             Idle
      *.9                                                             Idle
      *.13                                                            Idle
      *.19                                                            Idle

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0 24576      0 IDLE
      *.111                *.*                0      0 24576      0 LISTEN
      *.*                  *.*                0      0 24576      0 IDLE
      *.21                 *.*                0      0 24576      0 LISTEN
      *.23                 *.*                0      0 24576      0 LISTEN
      *.514                *.*                0      0 24576      0 LISTEN
      *.514                *.*                0      0 24576      0 LISTEN
      *.513                *.*                0      0 24576      0 LISTEN
      *.512                *.*                0      0 24576      0 LISTEN
      *.512                *.*                0      0 24576      0 LISTEN
      *.540                *.*                0      0 24576      0 LISTEN
      *.79                 *.*                0      0 24576      0 LISTEN
      *.37                 *.*                0      0 24576      0 LISTEN
      *.7                  *.*                0      0 24576      0 LISTEN
      *.9                  *.*                0      0 24576      0 LISTEN
      *.13                 *.*                0      0 24576      0 LISTEN
      *.19                 *.*                0      0 24576      0 LISTEN
      *.32771              *.*                0      0 24576      0 LISTEN
      *.32772              *.*                0      0 24576      0 LISTEN
      *.32773              *.*                0      0 24576      0 LISTEN
      *.7100               *.*                0      0 24576      0 LISTEN
      *.32774              *.*                0      0 24576      0 LISTEN
      *.515                *.*                0      0 24576      0 LISTEN
      *.6112               *.*                0      0 24576      0 LISTEN
      *.32775              *.*                0      0 24576      0 LISTEN
      *.4045               *.*                0      0 24576      0 LISTEN
      *.5987               *.*                0      0 24576      0 LISTEN
      *.*                  *.*                0      0 24576      0 IDLE
      *.32776              *.*                0      0 24576      0 LISTEN
      *.32777              *.*                0      0 24576      0 LISTEN
      *.32778              *.*                0      0 24576      0 LISTEN
      *.25                 *.*                0      0 24576      0 LISTEN
      *.*                  *.*                0      0 24576      0 IDLE

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.*                               *.*                             0      0 24576      0 IDLE
      *.21                              *.*                             0      0 24576      0 LISTEN
      *.23                              *.*                             0      0 24576      0 LISTEN
      *.514                             *.*                             0      0 24576      0 LISTEN
      *.513                             *.*                             0      0 24576      0 LISTEN
      *.512                             *.*                             0      0 24576      0 LISTEN
      *.79                              *.*                             0      0 24576      0 LISTEN
      *.37                              *.*                             0      0 24576      0 LISTEN
      *.7                               *.*                             0      0 24576      0 LISTEN
      *.9                               *.*                             0      0 24576      0 LISTEN
      *.13                              *.*                             0      0 24576      0 LISTEN
      *.19                              *.*                             0      0 24576      0 LISTEN
      *.515                             *.*                             0      0 24576      0 LISTEN
      *.25                              *.*                             0      0 24576      0 LISTEN
# pkgchk -n
Package database inconsistencies.
ERROR: /etc/mnttab
    file size <0> expected <797> actual
    file cksum <0> expected <62927> actual
ERROR: /etc/path_to_inst
    permissions <0644> expected <0444> actual
    group name <sys> expected <root> actual
ERROR: /usr/openwin/server/etc/OWconfig
    group name <bin> expected <other> actual
ERROR: /usr/share/lib/termcap
    file size <136663> expected <137359> actual
    file cksum <35225> expected <23929> actual
#
#
# cd /var/tmp/Tempo
We are in a temporary directory used for the installation, which may be removed afterwards.
# uncompress yassp.tar.Z
# tar xvf yassp.tar
x yassp, 0 bytes, 0 tape blocks
x yassp/secclean, 1288192 bytes, 2516 tape blocks
x yassp/parcdaily, 26112 bytes, 51 tape blocks
x yassp/secclean_i386 symbolic link to secclean
x yassp/admin, 66 bytes, 1 tape blocks
x yassp/install.sh, 5235 bytes, 11 tape blocks
x yassp/secclean_sparc symbolic link to secclean
x yassp/parcdaily_i386 symbolic link to parcdaily
x yassp/gnurcs_i386, 903168 bytes, 1764 tape blocks
x yassp/RCS, 0 bytes, 0 tape blocks
x yassp/RCS/install.sh,v, 15248 bytes, 30 tape blocks
x yassp/RCS/deinstall.sh,v, 2908 bytes, 6 tape blocks
x yassp/RCS/WhatIsNew,v, 11112 bytes, 22 tape blocks
x yassp/RCS/README,v, 30139 bytes, 59 tape blocks
x yassp/WhatIsNew, 7467 bytes, 15 tape blocks
x yassp/README, 14482 bytes, 29 tape blocks
x yassp/gnugzip_i386, 136192 bytes, 266 tape blocks
x yassp/wvtcpd_i386, 271360 bytes, 530 tape blocks
x yassp/prftripw_i386, 231936 bytes, 453 tape blocks
x yassp/parcdaily_sparc symbolic link to parcdaily
x yassp/gnurcs_sparc, 1021952 bytes, 1996 tape blocks
x yassp/gnugzip_sparc, 147456 bytes, 288 tape blocks
x yassp/wvtcpd_sparc, 609792 bytes, 1191 tape blocks
x yassp/prftripw_sparc, 293888 bytes, 574 tape blocks
x yassp/openssh_i386, 3180544 bytes, 6212 tape blocks
x yassp/openssh_sparc, 4121600 bytes, 8050 tape blocks
# cd yassp
# ./install.sh
Running YASSP installation script.
YASSP v0 Beta#14

Are you ready to install YASSP?
It will modify lot of system resources...
and will prevent some non-essential services from running on your system.
Do you really want to install YASSP? [y|n] (n) y

Note: you can always overwrite YASSP package choices by setting up the
environment variable PKGLIST before running YASSP to the list of packages
you want to install. If PKGLIST is defined, yassp's install won't ask you
to choose which package you want to install.

By default, YASSP will install the following packages:
SECclean : The core package, securing your Solaris installation.
GNUrcs : RCS 5.7 and diff 2.7 [GNU]
GNUgzip : gzip 1.2.4a [GNU]
PARCdaily : Some daily script, loggs rotation, backup and RCS for systems files... Need GNUgzip and GNUrcs
WVtcpd : tcp_wrappers 7.6 + rpcbind 2.1 [Wietse Venema]
PRFtripw : Tripwire 1.2 [Purdue Research Foundation of Purdue University]
OPENssh : OpenSSH 2.3.0p1 [OpenSSH.com]

Type the package list you want to install or hit return to accept the default:
SECclean GNUrcs GNUgzip PARCdaily WVtcpd PRFtripw OPENssh <return>
We chose to install all of the proposed packages.
YASSP will install: SECclean GNUrcs GNUgzip PARCdaily WVtcpd PRFtripw OPENssh
Installing the various package:

========== SECclean ==========
SECclean installation start.
The pre-install runs, initializes some variables and backs up the files it will modify.
Using /opt/local as the root dir.
Linking /usr/local to it.
Backing up all files under /yassp.bk/Before_2000.11.18-12.33.44:
    /etc/auto_home /etc/auto_master /etc/dfs/dfstab
    /var/spool/cron/crontabs/adm /var/spool/cron/crontabs/lp
    /var/spool/cron/crontabs/uucp /etc/profile /etc/default/login
    /etc/default/su /etc/default/inetinit /etc/motd /etc/default/passwd
    /etc/default/sys-suspend /etc/skel/local.cshrc /etc/skel/local.profile
    /usr/dt/config/Xaccess /etc/ftpusers /etc/syslog.conf /etc/.login
    /var/spool/cron/crontabs/root /etc/passwd /etc/shadow
    /etc/init.d/inetsvc /etc/init.d/inetinit /etc/init.d/network
    /etc/init.d/xntpd /etc/init.d/nfs.client /etc/init.d/autofs
    /etc/init.d/nscd /etc/init.d/nfs.server /etc/init.d/volmgt
    /etc/init.d/sendmail /etc/init.d/dtlogin /etc/init.d/cacheos
    /etc/init.d/cachefs.root /etc/init.d/asppp /etc/init.d/uucp
    /etc/init.d/cachefs.daemon /etc/init.d/spc /etc/init.d/autoinstall
    /etc/init.d/lp /etc/init.d/PRESERVE /etc/init.d/cacheos.finish
    /etc/init.d/sysid.sys /etc/init.d/sysid.net /etc/init.d/power
    /etc/init.d/init.dmi /etc/init.d/init.snmpdx /etc/init.d/utmpd
    /etc/init.d/devfsadm /etc/init.d/devlinks /etc/init.d/apache
    /etc/init.d/dhcp /etc/init.d/dhcpagent /etc/init.d/ldap.client
    /etc/init.d/llc2 /etc/init.d/ncakmod /etc/init.d/ncalogd
    /etc/init.d/slpd /etc/init.d/webstart /etc/init.d/init.wbem
    /etc/init.d/rpc /etc/init.d/syslog /etc/inet/inetd.conf
    /etc/inet/services /etc/system /etc/rmmount.conf /etc/inittab
    /etc/pam.conf
Pre-install is done. The install runs: files declared in the prototype are installed silently. Files that are part of the sed class in the prototype are modified by the associated sed script.
Modifying /etc/inet/inetd.conf
Modifying /etc/inet/services
Modifying /etc/inittab
Modifying /etc/pam.conf
Modifying /etc/rmmount.conf
Modifying /etc/system
The postinstall start. It first reads the variables stored by the pre-install.
The postinstall script is silently running.
It may take a while on slow machine. Just be patient
Disabling init files we will replace later.
Disabling startup files: inetsvc inetinit network
Modifying startup files to be controlled by yassp.conf.
Modifying Startup files to use /etc/yassp.conf:
    xntpd nfs.client autofs nscd nfs.server volmgt sendmail dtlogin cacheos
    cachefs.root asppp uucp cachefs.daemon spc autoinstall lp PRESERVE
    cacheos.finish sysid.sys sysid.net snmpdx dmi power init.dmi init.snmpdx
    utmpd devfsadm devlinks apache dhcp dhcpagent ldap.client llc2 ncakmod
    ncalogd slpd webstart init.wbem rpc
Creating /etc/yassp.conf, as we now know which startup files were modified.
Creating your default /etc/yassp.conf
Saving (in the package's save directory) and deleting files. Some of them will be replaced by SECclean's own version later.
Saving files:
    /etc/auto_home /etc/auto_master /etc/dfs/dfstab
    /var/spool/cron/crontabs/adm /var/spool/cron/crontabs/lp
    /var/spool/cron/crontabs/uucp /etc/profile /etc/default/login
    /etc/default/su /etc/default/inetinit /etc/motd /etc/default/passwd
    /etc/default/sys-suspend /etc/skel/local.cshrc /etc/skel/local.profile
    /usr/dt/config/Xaccess /etc/dt/config/Xaccess /etc/ftpusers
    /etc/syslog.conf /etc/.login /etc/cron.d/at.allow /etc/cron.d/cron.allow
    /etc/hosts.equiv /.rhosts /etc/issue /etc/ftp-banner /etc/default/ftpd
    /etc/default/telnetd /var/spool/cron/crontabs/root /etc/init.d/inetsvc
    /etc/init.d/inetinit /etc/init.d/network
We have unregistered (removef) all the files we deleted from the package database. We must now close (removef -f) these open packages.
Closing the package we touched:
    SUNWftpr SUNWdtdte SUNWpmowr SUNWwbcor SUNWslpr SUNWncar SUNWllcr
    SUNWdhcsr SUNWapchr SUNWsacom SUNWpmr SUNWpsr SUNWadmr SUNWpcr SUNWbnur
    SUNWapppr SUNWdtlog SUNWsndmr SUNWvolr SUNWatfsr SUNWntpr SUNWcsr SUNWcsr
Binary files need special care as they are architecture dependent.
Choosing architecture dependent binaries:
    /usr/sbin/noshell_sparc -> /usr/sbin/noshell
    /opt/local/bin/md5_sparc -> /opt/local/bin/md5
These are the files that will be replaced by the SECclean version. They have been installed (as part of SECclean's prototype file) as /path/name/SECclean_{name_of_the_file}, and are registered under this name as part of the SECclean package. We must first unregister them (removef on SECclean).
Updating SECclean package DB:
    /etc/profile /etc/default/login /etc/default/su /etc/default/inetinit
    /etc/motd /etc/default/passwd /etc/default/sys-suspend
    /etc/skel/local.cshrc /etc/skel/local.profile /usr/dt/config/Xaccess
    /etc/dt/config/Xaccess /etc/ftpusers /etc/syslog.conf /etc/.login
    /etc/cron.d/at.allow /etc/cron.d/cron.allow /etc/hosts.equiv /.rhosts
    /etc/issue /etc/ftp-banner /etc/default/ftpd /etc/default/telnetd
    /var/spool/cron/crontabs/root /etc/shells /etc/init.d/inetsvc_5.6
    /etc/init.d/inetsvc_5.7 /etc/init.d/inetsvc_5.8 /etc/init.d/inetinit_5.6
    /etc/init.d/inetinit_5.7 /etc/init.d/inetinit_5.8 /etc/init.d/network_5.8
    /usr/sbin/noshell_sparc /usr/sbin/noshell_i386 /opt/local/bin/md5_sparc
    /opt/local/bin/md5_i386
and close SECclean (removef -f SECclean)
Closing SECclean DB
Move the files from their SECclean_{name} to {name} and register them as part of SECclean (installf)
Replacing:
    /etc/profile /etc/default/login /etc/default/su /etc/default/inetinit
    /etc/motd /etc/default/passwd /etc/default/sys-suspend
    /etc/skel/local.cshrc /etc/skel/local.profile /usr/dt/config/Xaccess
    /etc/dt/config/Xaccess /etc/ftpusers /etc/syslog.conf /etc/.login
    /etc/cron.d/at.allow /etc/cron.d/cron.allow /etc/hosts.equiv /.rhosts
    /etc/issue /etc/ftp-banner /etc/default/ftpd /etc/default/telnetd
    /var/spool/cron/crontabs/root
OS specific startup files: choose the right version.
Choosing the right startup files:
    /etc/init.d/inetsvc /etc/init.d/inetinit /etc/init.d/network
for your OS: Solaris 5.8
Replacing them, registering (installf) as part of SECclean package, and creating the sym-link.
Replacing Special startup files:
    /etc/init.d/inetsvc /etc/init.d/inetinit /etc/init.d/network
and creating the symlink
Binary files installed need to be registered.
Registrating binaries :
    /usr/sbin/noshell /opt/local/bin/md5
for your architecture: sparc
Closing (installf -f SECclean) SECclean.
Closing again SECclean DB
Specific OS tuning: for Solaris 8, no priority_paging
tuning /etc/system to comment out priority_paging
Running clean_passwd
Cleaning the passwd file...
Disabling UID 0 account(s):
Disabling system account(s): daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4
Deleting account(s):
root identity will be changed to "Root at zeta"
password and shadow files saved under /etc/passwd.Old and /etc/shadow.Old
Doing the OS cleanup: fix-modes is run first...
Doing the OS Clean-up
Running fix-modes 2.6 2000/01/13 14:13:35 casper
fix-modes done, log file under: /var/sadm/clean-up/clean_up.log
Then we correct well-known inconsistencies in the SUN installation
clean-up the contents database
cleanup done, log file under: /var/sadm/clean-up/clean_up.log
Running /usr/lib/makewhatis /opt/local/man
We are done with SECclean, echo the summary.
======================================================
SECclean installation has finished.
Changes to the file-system and package database are documented in:
/var/sadm/clean-up/clean_up.log
All changed or replaced files are archived in /yassp.bk
If crontabs for the users: lp adm uucp root exists, they have been deleted.
Please, re-enable manually the entries needed
Backup for the crontab files are under: /yassp.bk/var/spool/cron/crontabs/
To finish hardening, this host must be rebooted.
However, you should first check that /etc/yassp.conf is configured
to your requirements. See also yassp(1) and yassp.conf(4).
======================================================
Installation of <SECclean> was successful.

========== GNUrcs ==========
Installation of <GNUrcs> was successful.

========== GNUgzip ==========
Installation of <GNUgzip> was successful.

========== PARCdaily ==========
Modifying /usr/lib/newsyslog
Installation of <PARCdaily> was successful.

========== WVtcpd ==========
tcp_wrappers add some example of how to use it in comment in /etc/inetd.conf
Modifying /etc/inet/inetd.conf
and install some default configuration file if they were not present.
Creating /etc/hosts.deny from the distribution file
*** Please configure it!
Creating /etc/hosts.allow from the distribution file
*** Please configure it!
Installation of <WVtcpd> was successful.

========== PRFtripw ==========
Default configuration file is created if it was not present.
Creating /secure/tripwire/tw.config from the distribution one: /secure/tripwire/tw.config.Dist
*** Please configure it!
you may use tripwire now.
Type: "cd /secure/tripwire/; ./tripwire -i 2 -initialise -c tw.config" to create a new database,
Use "cd /secure/tripwire/; ./tripwire -q -i 2 -c tw.config" to check,
***** SAVE YOUR DATABASE IN A SECURE PLACE *****
Installation of <PRFtripw> was successful.

Creating /etc/ssh_config from the distribution file
*** Please configure it!
Creating /etc/sshd_config from the distribution file
*** Please configure it!
ssh has been installed.
run '/etc/init.d/sshd stop;/etc/init.d/sshd start' to use the new binaries/configuration
Installation of <OPENssh> was successful.

YASSP install is done, now recreate the whatis database if it was present.
Rebuilding the whatis database
YASSP is installed. Most of these changes will take action at the next reboot.
**** YOUR WORK IS NOT DONE YET ****
*) Edit and configure /etc/yassp.conf
*) Edit and configure /etc/hosts.deny /etc/hosts.allow
*) Edit and configure /etc/sshd_config /etc/ssh_config
*) Read http://www.yassp.org/after.html and the papers linked under http://www.yassp.org/ref.html
*) make any additional changes/software installation
*) CREATE YOUR tripwire DATABASE AND SAVE IT!!!
Type:
vi /etc/yassp.conf /etc/hosts.deny /etc/hosts.allow /etc/sshd_config /etc/ssh_config ; cd /secure/tripwire; ./tripwire -i 2 -initialise -c tw.config; cp /secure/tripwire/databases/tw.db_zeta TO_A_SECURE_PLACE
***YOUR feedback*** is important: please send comments or flame to:
sansro@sans.org, chouanard@parc.xerox.com with "YASSP" in the subject
# reboot
Jul 19 22:48:16 zeta reboot: rebooted by root
Jul 19 22:48:16 zeta syslogd: going down on signal 15
Jul 19 22:48:16 rpcbind: rpcbind terminating on signal.
syncing file systems... done
rebooting...
Resetting ...

Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 270MHz), No Keyboard
OpenBoot 3.11, 256 MB memory installed, Serial #XXXXXXXX.
Ethernet address 8:0:20:XXXXXXXX, Host ID: XXXXXXXX.

Initializing Memory
Rebooting with command: boot
Boot device: disk File and args:
SunOS Release 5.8 Version Generic 64-bit
Copyright 1983-2000 Sun Microsystems, Inc. All rights reserved.
configuring IPv4 interfaces: hme0.
Hostname: zeta
Tweaking Solaris TCP/IP: Solaris 7 or above (excellent)
tweaking separate connection queues
tweaking against SYN flood symptoms
tweaking timeouts
tweaking pMTU discovery interval and common timers
tweaking misc. parameters
applying security tweaks...
tweaking windows, buffers and watermarks
done.
The system is coming up. Please wait.
checking ufs filesystems
/dev/rdsk/c0t0d0s5: is clean.
Setting netmask of hme0 to 255.255.255.0
syslog service starting.
If they don't exist, RSA and DSA keys for SSH are generated.
ssh-keygen: generating new DSA host key... done.
ssh-keygen: generating new RSA host key... done.
sshd starting.
The system is ready.

WARNING: To protect the system from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this Automated
Information System is prohibited and could be subject to criminal and civil
penalties.

zeta console login: root
Password:
Last login: XXXXX on console
This computer system for authorized use only
# ps -eaf
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     0     0  0 22:49:18 ?        0:15 sched
    root     1     0  0 22:49:19 ?        0:00 /etc/init -
    root     2     0  0 22:49:19 ?        0:00 pageout
    root     3     0  0 22:49:19 ?        0:00 fsflush
    root   212     1  0 22:49:45 console  0:00 -sh
    root   173     1  0 22:49:43 ?        0:00 /usr/sbin/syslogd -t
    root   185     1  0 22:49:44 ?        0:04 /opt/local/sbin/sshd
    root   227   212  0 22:53:42 console  0:00 ps -eaf
    root   168     1  0 22:49:42 ?        0:00 /usr/sbin/cron
# netstat -an

UDP: IPv4
   Local Address         Remote Address     State
-------------------- -------------------- -------
      *.*                                   Unbound

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0 24576      0 IDLE
      *.22                 *.*                0      0 32768      0 LISTEN
      *.*                  *.*                0      0 32768      0 IDLE

TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      *.*                               *.*                             0      0 24576      0 IDLE
# pkgchk -n
#
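
The before/after netstat -an comparison in this session can be checked mechanically after each reboot. The script below is an added example, not part of YASSP or of the original walkthrough; the function names, the proto/port allowlist format and the abridged sample data (constructed from the output shown above) are assumptions.

```shell
#!/bin/sh
# Added example: audit Solaris `netstat -an` output against a port allowlist.
# On Solaris itself set AWK=nawk (or /usr/xpg4/bin/awk).
AWK=${AWK:-awk}

# Read `netstat -an` text on stdin; print "proto/port" once for every TCP
# socket in LISTEN state and every bound UDP socket (state Idle).
open_ports() {
    "$AWK" '
        /^UDP:/ { proto = "udp"; next }
        /^TCP:/ { proto = "tcp"; next }
        {
            # Solaris prints address.port, so the port is the last dot field
            n = split($1, part, ".")
            port = part[n]
            if (port !~ /^[0-9]+$/) next      # headers, rulers, "*.*" rows
            if ((proto == "tcp" && $NF == "LISTEN") ||
                (proto == "udp" && $NF == "Idle")) {
                key = proto "/" port
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# Print every open port that is not in the space-separated allowlist ($1).
unexpected_ports() {
    allowed=" $1 "
    open_ports | while read -r p; do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Constructed samples, abridged from the two netstat listings on this page.
sample_before() {
    cat <<'EOF'
UDP: IPv4
   Local Address         Remote Address     State
      *.111                                 Idle
      *.*                                   Unbound
      *.514                                 Idle
TCP: IPv4
      *.111                *.*                0      0 24576      0 LISTEN
      *.21                 *.*                0      0 24576      0 LISTEN
      *.23                 *.*                0      0 24576      0 LISTEN
TCP: IPv6
      *.21                 *.*                0      0 24576      0 LISTEN
EOF
}

sample_after() {
    cat <<'EOF'
UDP: IPv4
      *.*                                   Unbound
TCP: IPv4
      *.*                  *.*                0      0 24576      0 IDLE
      *.22                 *.*                0      0 32768      0 LISTEN
EOF
}

echo "unexpected before hardening:"; sample_before | unexpected_ports "tcp/22"
echo "unexpected after hardening:";  sample_after  | unexpected_ports "tcp/22"
```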