diff options
Diffstat (limited to '')
-rw-r--r-- | controls/cf_agent.cf | 7 | ||||
-rw-r--r-- | controls/cf_execd.cf | 10 | ||||
-rw-r--r-- | controls/cf_monitord.cf | 8 | ||||
-rw-r--r-- | controls/cf_runagent.cf | 5 | ||||
-rw-r--r-- | controls/cf_serverd.cf | 30 |
5 files changed, 60 insertions, 0 deletions
diff --git a/controls/cf_agent.cf b/controls/cf_agent.cf new file mode 100644 index 0000000..b3b1020 --- /dev/null +++ b/controls/cf_agent.cf @@ -0,0 +1,7 @@ +body agent control +{ + any:: + ifelapsed => "1"; + skipidentify => "true"; + maxconnections => "30"; +} diff --git a/controls/cf_execd.cf b/controls/cf_execd.cf new file mode 100644 index 0000000..b960be3 --- /dev/null +++ b/controls/cf_execd.cf @@ -0,0 +1,10 @@ +body executor control +{ + any:: + splaytime => "4"; # activity will be spread over this many time slices + exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.failsafe_policy_path)\" ; $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated"; + !cfengine_internal_disable_agent_email:: + mailto => "root@adyxax.org"; + mailfrom => "cfengine@adyxax.org"; + smtpserver => "10.1.0.254"; +} diff --git a/controls/cf_monitord.cf b/controls/cf_monitord.cf new file mode 100644 index 0000000..f9f2634 --- /dev/null +++ b/controls/cf_monitord.cf @@ -0,0 +1,8 @@ +body monitor control +{ + any:: + forgetrate => "0.7"; + histograms => "true"; + # tcpdump => "false"; + # tcpdumpcommand => "/usr/sbin/tcpdump -t -n -v"; +} diff --git a/controls/cf_runagent.cf b/controls/cf_runagent.cf new file mode 100644 index 0000000..6219b00 --- /dev/null +++ b/controls/cf_runagent.cf @@ -0,0 +1,5 @@ +body runagent control +{ + any:: + hosts => { "127.0.0.1" }; +} diff --git a/controls/cf_serverd.cf b/controls/cf_serverd.cf new file mode 100644 index 0000000..3b5a625 --- /dev/null +++ b/controls/cf_serverd.cf @@ -0,0 +1,30 @@ +body server control +{ + any:: + allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }; + allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }; + trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }; + maxconnections => "200"; + denybadclocks => "false"; + # last single quote in cfruncommand is left open, so that + # arguments (like -K and --remote-bundles) are properly appended. + cfruncommand => "$(def.cf_runagent_shell) -c \' + $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ; + $(sys.cf_agent) -I -D cfruncommand"; + !policy_server:: + allowusers => { "root" }; +} + +bundle server access_rules() +{ + access: + any:: + "$(def.dir_masterfiles)" + shortcut => "masterfiles", + admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }; + "$(def.cf_runagent_shell)" + admit => { "$(sys.policy_hub)" }; + roles: + any:: + ".*" authorize => { "root" }; +} |