authorJulien Dessaux2017-03-05 14:43:06 +0000
committerJulien Dessaux2017-03-05 14:43:06 +0000
commit0b3908ea518f371237642dec2790be6b1c25db95 (patch)
treee4f3ae69b69009cfec8f727c604694f0b33adab5 /controls/cf_serverd.cf
Initial import
Diffstat (limited to 'controls/cf_serverd.cf')
-rw-r--r--controls/cf_serverd.cf30
1 files changed, 30 insertions, 0 deletions
diff --git a/controls/cf_serverd.cf b/controls/cf_serverd.cf
new file mode 100644
index 0000000..3b5a625
--- /dev/null
+++ b/controls/cf_serverd.cf
@@ -0,0 +1,30 @@
+body server control
+{
+ any::
+ allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ maxconnections => "200";
+ denybadclocks => "false";
+ # last single quote in cfruncommand is left open, so that
+ # arguments (like -K and --remote-bundles) are properly appended.
+ cfruncommand => "$(def.cf_runagent_shell) -c \'
+ $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ;
+ $(sys.cf_agent) -I -D cfruncommand";
+ !policy_server::
+ allowusers => { "root" };
+}
+
+bundle server access_rules()
+{
+ access:
+ any::
+ "$(def.dir_masterfiles)"
+ shortcut => "masterfiles",
+ admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ "$(def.cf_runagent_shell)"
+ admit => { "$(sys.policy_hub)" };
+ roles:
+ any::
+ ".*" authorize => { "root" };
+}
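Review bot: `trustkeysfrom` in `body server control` lists all three RFC 1918 ranges, the same set used for `allowconnects` and for `admit` on `$(def.dir_masterfiles)`, so the server accepts a previously unseen public key from any address in those ranges and the access rule then lets that host read the masterfiles tree. If the wide list is only needed while hosts enrol, narrow it afterwards to `trustkeysfrom => { };` or to the provisioning subnet, and say so in a comment such as `# trust-on-first-use: keep empty outside bootstrap`. `denybadclocks => "false"` would also benefit from a one-line comment explaining why the clock check is switched off, since a reader cannot tell from this file whether that is deliberate.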