path: root/controls/cf_serverd.cf
# Settings for cf-serverd: who may connect, whose keys are trusted, and what
# a remote cf-runagent request is allowed to start.
body server control
{
    any::
        # Connections are accepted from loopback and the three RFC 1918
        # private ranges only.
        allowconnects         => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
        # Same address list: these peers may also hold more than one
        # connection open at a time.
        allowallconnects      => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
        # Peers whose public key is accepted on trust when it is not yet known.
        # NOTE(review): this covers every private range with no class guard, so
        # any unknown host on those networks has its key trusted on first
        # contact. Confirm this is meant to stay open after bootstrap; a
        # narrower list (or an empty one once hosts are enrolled) limits who
        # can enrol a new identity.
        trustkeysfrom         => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
        maxconnections        => "200";
        # NOTE(review): "false" switches off the rejection of clients whose
        # clock disagrees with the server's. Confirm this is intentional and
        # not a workaround for missing time synchronisation.
        denybadclocks         => "false";
        # Command run for a cf-runagent request: the configured shell is given
        # a script that runs cf-agent on the update policy and then on the
        # default policy, both with the class "cfruncommand" defined (-D) and
        # inform output (-I).
        # The closing single quote of the shell script is deliberately left
        # out, so that arguments (like -K and --remote-bundles) are appended
        # inside the quoted script. The line breaks and leading spaces below
        # are part of the string; do not re-indent them.
        cfruncommand => "$(def.cf_runagent_shell) -c \'
                             $(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path)  ;
                             $(sys.cf_agent) -I -D cfruncommand";
    # Only set on hosts that are not the policy server: remote requests are
    # accepted for user "root" only.
    !policy_server::
        allowusers            => { "root" };
}

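# Access and role promises enforced by cf-serverd: which paths remote hosts
# may fetch, which executable a remote run may start, and which classes a
# remote user may activate.
bundle server access_rules()
{
    access:
        any::
            # Policy tree, readable by every host in the RFC 1918 private ranges.
            "$(sys.masterdir)"
                shortcut => "masterfiles",
                admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
            # Modules shipped with the policy, same audience as the policy tree.
            "$(sys.masterdir)/modules"
                shortcut => "modules",
                admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
            # Inventory data is restricted to one collector address.
            "$(sys.workdir)/inventory"
                shortcut => "inventory",
                admit => { "10.1.0.204/32" };
            # Shell started by cfruncommand, admitted for the policy hub only.
            # The path is taken from the same variable that cfruncommand in
            # body server control uses, so the grant always names the shell
            # that is actually executed instead of a hard-coded "/bin/sh".
            "$(def.cf_runagent_shell)"
                admit => { "$(sys.policy_hub)" };
    roles:
        any::
            # root may activate any class (regex ".*") on a remote run.
            # NOTE(review): a narrower class pattern would limit what a
            # remote request can switch on; confirm the wildcard is needed.
            ".*" authorize => { "root" };
}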