Diffstat (limited to 'controls')
-rw-r--r--controls/cf_agent.cf7
-rw-r--r--controls/cf_execd.cf10
-rw-r--r--controls/cf_monitord.cf8
-rw-r--r--controls/cf_runagent.cf5
-rw-r--r--controls/cf_serverd.cf30
5 files changed, 60 insertions, 0 deletions
diff --git a/controls/cf_agent.cf b/controls/cf_agent.cf
new file mode 100644
index 0000000..b3b1020
--- /dev/null
+++ b/controls/cf_agent.cf
@@ -0,0 +1,7 @@
+body agent control
+{
+ any::
+ ifelapsed => "1";
+ skipidentify => "true";
+ maxconnections => "30";
+}
diff --git a/controls/cf_execd.cf b/controls/cf_execd.cf
new file mode 100644
index 0000000..b960be3
--- /dev/null
+++ b/controls/cf_execd.cf
@@ -0,0 +1,10 @@
+body executor control
+{
+ any::
+ splaytime => "4"; # activity will be spread over this many time slices
+ exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.failsafe_policy_path)\" ; $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated";
+ !cfengine_internal_disable_agent_email::
+ mailto => "root@adyxax.org";
+ mailfrom => "cfengine@adyxax.org";
+ smtpserver => "10.1.0.254";
+}
diff --git a/controls/cf_monitord.cf b/controls/cf_monitord.cf
new file mode 100644
index 0000000..f9f2634
--- /dev/null
+++ b/controls/cf_monitord.cf
@@ -0,0 +1,8 @@
+body monitor control
+{
+ any::
+ forgetrate => "0.7";
+ histograms => "true";
+ # tcpdump => "false";
+ # tcpdumpcommand => "/usr/sbin/tcpdump -t -n -v";
+}
diff --git a/controls/cf_runagent.cf b/controls/cf_runagent.cf
new file mode 100644
index 0000000..6219b00
--- /dev/null
+++ b/controls/cf_runagent.cf
@@ -0,0 +1,5 @@
+body runagent control
+{
+ any::
+ hosts => { "127.0.0.1" };
+}
diff --git a/controls/cf_serverd.cf b/controls/cf_serverd.cf
new file mode 100644
index 0000000..3b5a625
--- /dev/null
+++ b/controls/cf_serverd.cf
@@ -0,0 +1,30 @@
+body server control
+{
+ any::
+ allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ maxconnections => "200";
+ denybadclocks => "false";
+ # last single quote in cfruncommand is left open, so that
+ # arguments (like -K and --remote-bundles) are properly appended.
+ cfruncommand => "$(def.cf_runagent_shell) -c \'
+ $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ;
+ $(sys.cf_agent) -I -D cfruncommand";
+ !policy_server::
+ allowusers => { "root" };
+}
+
+bundle server access_rules()
+{
+ access:
+ any::
+ "$(def.dir_masterfiles)"
+ shortcut => "masterfiles",
+ admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ "$(def.cf_runagent_shell)"
+ admit => { "$(sys.policy_hub)" };
+ roles:
+ any::
+ ".*" authorize => { "root" };
+}
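Review bot: `trustkeysfrom` in `body server control` lists all three RFC 1918 ranges with no class guard, so cf-serverd will keep accepting a previously unseen public key from any address in those networks for as long as this policy is deployed, not only while hosts are being enrolled. Consider leaving it empty outside an enrollment window, `trustkeysfrom => { };`, or limiting it on non-hub hosts to the hub, `trustkeysfrom => { "$(sys.policy_hub)" };`. In the same body `denybadclocks => "false"` turns off the clock-skew check on connecting clients; if that is deliberate (for example hosts without reliable time sync), a comment saying so would help the next reader. In `access_rules`, `".*" authorize => { "root" }` lets root activate any class remotely through cf-runagent, and the pattern could be narrowed to the classes that are actually meant to be set that way.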