Diffstat (limited to 'controls/cf_serverd.cf')
-rw-r--r-- | controls/cf_serverd.cf | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/controls/cf_serverd.cf b/controls/cf_serverd.cf
new file mode 100644
index 0000000..3b5a625
--- /dev/null
+++ b/controls/cf_serverd.cf
@@ -0,0 +1,30 @@
+body server control
+{
+ any::
+ allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ maxconnections => "200";
+ denybadclocks => "false";
+ # last single quote in cfruncommand is left open, so that
+ # arguments (like -K and --remote-bundles) are properly appended.
+ cfruncommand => "$(def.cf_runagent_shell) -c \'
+ $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ;
+ $(sys.cf_agent) -I -D cfruncommand";
+ !policy_server::
+ allowusers => { "root" };
+}
+
+bundle server access_rules()
+{
+ access:
+ any::
+ "$(def.dir_masterfiles)"
+ shortcut => "masterfiles",
+ admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ "$(def.cf_runagent_shell)"
+ admit => { "$(sys.policy_hub)" };
+ roles:
+ any::
+ ".*" authorize => { "root" };
+} |
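Review bot: `trustkeysfrom` under `any::` in `body server control` stays open to all three RFC 1918 ranges, so the daemon keeps accepting previously unseen public keys from any address in those networks for as long as this policy is deployed. The address-based `admit` lists in `access_rules` then rest on that trust. Key trust is normally widened only for an enrollment window; consider a steady-state value such as `trustkeysfrom => { };` with the wide ranges moved under a bootstrap-only class. In the same body, `denybadclocks => "false"` turns off the clock-skew check without saying why. If unsynchronised clocks are the reason, a comment such as `# clocks are not reliably synced on these hosts; revisit once NTP is enforced` would record the trade-off.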