From 0b3908ea518f371237642dec2790be6b1c25db95 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sun, 5 Mar 2017 14:43:06 +0000
Subject: Initial import

---
controls/cf_agent.cf | 7 +++++++
controls/cf_execd.cf | 10 ++++++++++
controls/cf_monitord.cf | 8 ++++++++
controls/cf_runagent.cf | 5 +++++
controls/cf_serverd.cf | 30 ++++++++++++++++++++++++++++++
5 files changed, 60 insertions(+)
create mode 100644 controls/cf_agent.cf
create mode 100644 controls/cf_execd.cf
create mode 100644 controls/cf_monitord.cf
create mode 100644 controls/cf_runagent.cf
create mode 100644 controls/cf_serverd.cf
(limited to 'controls')

diff --git a/controls/cf_agent.cf b/controls/cf_agent.cf
new file mode 100644
index 0000000..b3b1020
--- /dev/null
+++ b/controls/cf_agent.cf
@@ -0,0 +1,7 @@
+body agent control
+{
+ any::
+ ifelapsed => "1";
+ skipidentify => "true";
+ maxconnections => "30";
+}
diff --git a/controls/cf_execd.cf b/controls/cf_execd.cf
new file mode 100644
index 0000000..b960be3
--- /dev/null
+++ b/controls/cf_execd.cf
@@ -0,0 +1,10 @@
+body executor control
+{
+ any::
+ splaytime => "4"; # activity will be spread over this many time slices
+ exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.failsafe_policy_path)\" ; $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated";
+ !cfengine_internal_disable_agent_email::
+ mailto => "root@adyxax.org";
+ mailfrom => "cfengine@adyxax.org";
+ smtpserver => "10.1.0.254";
+}
diff --git a/controls/cf_monitord.cf b/controls/cf_monitord.cf
new file mode 100644
index 0000000..f9f2634
--- /dev/null
+++ b/controls/cf_monitord.cf
@@ -0,0 +1,8 @@
+body monitor control
+{
+ any::
+ forgetrate => "0.7";
+ histograms => "true";
+ # tcpdump => "false";
+ # tcpdumpcommand => "/usr/sbin/tcpdump -t -n -v";
+}
diff --git a/controls/cf_runagent.cf b/controls/cf_runagent.cf
new file mode 100644
index 0000000..6219b00
--- /dev/null
+++ b/controls/cf_runagent.cf
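Review bot: `skipidentify => "true"` in cf_agent.cf is set with no comment saying why; as I read it this stops the agent from sending its own IP/name when it connects to the server, which is normally only wanted where name resolution is known to be unreliable. A one-line reason next to it, such as `skipidentify => "true"; # TODO: record why identification is skipped on this network`, would keep the next reader from removing it or copying it into other sites without understanding it. The same applies to `maxconnections => "30"`, which is a tuning value with no stated basis.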
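Review bot: `smtpserver => "10.1.0.254"` in cf_execd.cf, together with the mailto/mailfrom lines above it, sends the output of every cf-agent run to a hard-coded relay with no comment saying which host that is; agent output routinely carries hostnames, file paths and command results, and as far as I know cf-execd speaks plain unauthenticated SMTP to that address, so it deserves a line such as `smtpserver => "10.1.0.254"; # TODO: name the relay host; mail goes over plain SMTP on the internal network`. The amount mailed per run is governed by the executor's `mailmaxlines`, which is not set here; an explicit value would make the truncation visible rather than implicit. The `exec_command` joins the failsafe run and the main run with `;`, so the main run proceeds even if the failsafe pass fails — presumably intended, and a short comment would say so.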
@@ -0,0 +1,5 @@
+body runagent control
+{
+ any::
+ hosts => { "127.0.0.1" };
+}
diff --git a/controls/cf_serverd.cf b/controls/cf_serverd.cf
new file mode 100644
index 0000000..3b5a625
--- /dev/null
+++ b/controls/cf_serverd.cf
@@ -0,0 +1,30 @@
+body server control
+{
+ any::
+ allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ maxconnections => "200";
+ denybadclocks => "false";
+ # last single quote in cfruncommand is left open, so that
+ # arguments (like -K and --remote-bundles) are properly appended.
+ cfruncommand => "$(def.cf_runagent_shell) -c \'
+ $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ;
+ $(sys.cf_agent) -I -D cfruncommand";
+ !policy_server::
+ allowusers => { "root" };
+}
+
+bundle server access_rules()
+{
+ access:
+ any::
+ "$(def.dir_masterfiles)"
+ shortcut => "masterfiles",
+ admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
+ "$(def.cf_runagent_shell)"
+ admit => { "$(sys.policy_hub)" };
+ roles:
+ any::
+ ".*" authorize => { "root" };
+}
--
cgit v1.2.3
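Review bot: `trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" }` in body server control, combined with the masterfiles `admit` in access_rules covering the same three ranges, means any host that reaches cf-serverd from a private address has its key accepted on first contact and can then fetch the whole policy tree without any prior enrolment; trust-on-first-use across all of RFC 1918 is far wider than a bootstrap window needs. I would narrow `trustkeysfrom` to the hub and the hosts currently being enrolled (or empty it once enrolment is done) and, if this runs on CFEngine 3.6 or later, grant masterfiles by key rather than by address with `admit_keys`; at minimum a comment should say which network segments the three ranges are meant to stand for. `denybadclocks => "false"` also switches off the default rejection of peers with skewed clocks without a comment; unless the fleet is known to drift, keep the default with `denybadclocks => "true";` or record why it is off. `allowusers => { "root" }` is guarded by `!policy_server::`, so on the hub the setting falls back to the built-in default — worth stating explicitly if that is intended, since the `.*` role authorised for root lets any class be set through cf-runagent.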