1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
body server control
{
any::
allowconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
allowallconnects => { "127.0.0.1" , "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
trustkeysfrom => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
maxconnections => "200";
denybadclocks => "false";
# last single quote in cfruncommand is left open, so that
# arguments (like -K and --remote-bundles) are properly appended.
cfruncommand => "$(def.cf_runagent_shell) -c \'
$(sys.cf_agent) -I -D cfruncommand -f $(sys.update_policy_path) ;
$(sys.cf_agent) -I -D cfruncommand";
!policy_server::
allowusers => { "root" };
}
bundle server access_rules()
{
access:
any::
"$(sys.masterdir)"
shortcut => "masterfiles",
admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
"$(sys.masterdir)/modules"
shortcut => "modules",
admit => { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };
"/bin/sh"
admit => { "$(sys.policy_hub)" };
roles:
any::
".*" authorize => { "root" };
}
|