From 0b3908ea518f371237642dec2790be6b1c25db95 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sun, 5 Mar 2017 14:43:06 +0000
Subject: Initial import
---
 controls/cf_serverd.cf | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 controls/cf_serverd.cf
(limited to 'controls/cf_serverd.cf')
diff --git a/controls/cf_serverd.cf b/controls/cf_serverd.cf
new file mode 100644
index 0000000..3b5a625
--- /dev/null
+++ b/controls/cf_serverd.cf
@@ -0,0 +1,30 @@
+body server control
+{
+ any::
+ allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ maxconnections => "200";
+ denybadclocks => "false";
+ # last single quote in cfruncommand is left open, so that
+ # arguments (like -K and --remote-bundles) are properly appended.
+ cfruncommand => "$(def.cf_runagent_shell) -c \'
+ $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ;
+ $(sys.cf_agent) -I -D cfruncommand";
+ !policy_server::
+ allowusers => { "root" };
+}
+
+bundle server access_rules()
+{
+ access:
+ any::
+ "$(def.dir_masterfiles)"
+ shortcut => "masterfiles",
+ admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ "$(def.cf_runagent_shell)"
+ admit => { "$(sys.policy_hub)" };
+ roles:
+ any::
+ ".*" authorize => { "root" };
+}
-- 
cgit v1.2.3
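Review bot: `trustkeysfrom` on the new `body server control` covers all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, so the server will accept and store the key of any host that connects from those ranges, and the `admit` for `$(def.dir_masterfiles)` in `access_rules` then serves the whole policy tree to that same address space; that is a permanent trust-on-first-use window for the entire private network rather than a bootstrap-time one. Consider narrowing it to the hub or the subnet where hosts are actually bootstrapped, e.g. `trustkeysfrom => { "$(sys.policy_hub)" };`, and pairing `admit` for masterfiles with `admit_keys` of known clients once they are enrolled, keeping the broad `admit_ips` only where the fleet genuinely spans those ranges. `denybadclocks => "false"` turns off the clock-skew check on connections and deserves a comment stating the operational reason (e.g. hosts without reliable NTP) so it is not left relaxed by accident, and the `roles:` rule `".*" authorize => { "root" }` combined with `allowusers => { "root" }` only under `!policy_server::` means the hub itself relies on the daemon default for `allowusers`; making that explicit with a comment or a matching `policy_server::` clause would remove the ambiguity.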