File: cf_serverd.cf

###############################################################################
# This part is for cf-serverd
#
# General IP access policy for the connection protocol
#  i.e. access to the server itself.
# Access to specific files must be granted in addition.
# 
# This file should be for 3.4 client hosts only.
#  (No report_data_select attributes)
###############################################################################

body server control

{
      # Connection-level policy for cf-serverd: which peers may connect, whose
      # keys are trusted on first contact, and what cf-runagent may execute on
      # this host. File-level grants are made separately in bundle server
      # access_rules; this body only decides who gets a connection at all.

      # List of ciphers the server accepts. For Syntax help see man page
      # for "openssl ciphers". Default is "AES256-GCM-SHA384:AES256-SHA"
      #allowciphers          => "AES256-GCM-SHA384:AES256-SHA";

      # Allow connections from nodes which are out-of-sync
      # NOTE(review): "false" serves clients whose clocks are skewed relative to
      # this host. Keep it only if clock drift across the estate is a known
      # problem; otherwise "true" rejects such clients at connect time.
      denybadclocks         => "false";

      # By default deny all connections but the following:
      ## List of hosts that may connect
      allowconnects         => { "127.0.0.1" , "::1", @(def.acl) };
      ## List of hosts that may have more than one connection established at the same time
      allowallconnects      => { "127.0.0.1" , "::1", @(def.acl) };
      ## List of hosts that we'll accept any key they present (open this only for bootstrapping)
      ## NOTE(review): this is the same list as allowconnects, so every address in
      ## @(def.acl) is trusted on first contact -- an unknown key presented from any
      ## host in that range is accepted and stored. After bootstrapping, trim this
      ## to localhost (and the hub, if it initiates connections) rather than the
      ## whole ACL.
      trustkeysfrom         => { "127.0.0.1" , "::1", @(def.acl) };

      ## Remote user identities the server will act for; only root is accepted
      allowusers            => { "root" };

      ## Upper bound on concurrent client connections handled by cf-serverd
      maxconnections        => "100";

      ## cfruncommand: the one command a remote cf-runagent may trigger here.
      ## Every variant first runs the twin binary against the update policy and
      ## then the agent. The unix variants wrap the twin in
      ## $(def.cf_runagent_shell) -c so the twin's library path can be set;
      ## access to that shell path is granted in access_rules to the policy hub
      ## only. Note the ";" before $(sys.cf_agent): the agent runs even when the
      ## policy update step fails.

    windows::
      ## "&" is presumably the Windows shell's command separator here -- verify
      ## against how cf-serverd launches cfruncommand on Windows.
      cfruncommand => "$(sys.cf_twin) -f \"$(sys.update_policy_path)\" & $(sys.cf_agent)";

    hpux::
      ## HP-UX uses SHLIB_PATH for the dynamic loader
      cfruncommand => "$(def.cf_runagent_shell) -c \"SHLIB_PATH=\"/var/cfengine/lib-twin\" $(sys.cf_twin) -f $(sys.update_policy_path)\" ; $(sys.cf_agent)";

    aix::
      ## AIX uses LIBPATH for the dynamic loader
      cfruncommand => "$(def.cf_runagent_shell) -c \"LIBPATH=\"/var/cfengine/lib-twin\" $(sys.cf_twin) -f $(sys.update_policy_path)\" ; $(sys.cf_agent)";

    solaris::
      cfruncommand => "$(def.cf_runagent_shell) -c \"LD_LIBRARY_PATH=\"/var/cfengine/lib-twin\" $(sys.cf_twin) -f $(sys.update_policy_path)\" ; $(sys.cf_agent)"; 

    !(windows|hpux|aix|solaris)::
      ## Catch-all for every other platform (Linux, *BSD, ...): LD_LIBRARY_PATH
      cfruncommand => "$(def.cf_runagent_shell) -c \"LD_LIBRARY_PATH=\"/var/cfengine/lib-twin\" $(sys.cf_twin) -f $(sys.update_policy_path)\" ; $(sys.cf_agent)";

}

###############################################################################

bundle server access_rules()

{
  # File- and query-level allow-list for cf-serverd. The control body above
  # only decides who may connect; a client still needs a matching access
  # promise here before it can read a path or run a report query.

  access:

    any::

      # Paths below are admitted to two kinds of peer: any host whose name
      # matches ".*$(def.domain)" and any address in @(def.acl).
      # NOTE(review): the hostname entry is presumably matched as a regex against
      # the client's reverse-DNS name; it has no separator before the domain
      # and the domain's dots are unescaped, so it is looser than it looks and
      # depends on DNS being trustworthy. @(def.acl) is the IP-based entry and
      # the stronger of the two -- confirm it is populated on every host.

      "$(def.dir_masterfiles)"
      handle => "server_access_grant_access_policy",
      comment => "Grant access to the policy updates",
      admit => { ".*$(def.domain)", @(def.acl) };

      "$(def.dir_software)"
      handle => "server_access_grant_access_datafiles",
      comment => "Grant access to software updates",
      admit => { ".*$(def.domain)", @(def.acl) };

      "$(def.dir_bin)"
      handle => "server_access_grant_access_binary",
      comment => "Grant access to binary for cf-runagent",
      admit => { ".*$(def.domain)", @(def.acl) };

      "$(def.dir_modules)"
      handle => "server_access_grant_access_modules",
      comment => "Grant access to modules directory",
      admit => { ".*$(def.domain)", @(def.acl) };

      "$(def.dir_plugins)"
      handle => "server_access_grant_access_plugins",
      comment => "Grant access to plugins directory",
      admit => { ".*$(def.domain)", @(def.acl) };

      # The shell used by cfruncommand in body server control. Deliberately
      # admitted only from the policy hub, not from the domain/ACL lists above,
      # so only the hub can drive remote agent runs.
      "$(def.cf_runagent_shell)"
      handle => "server_access_grant_access_shell_cmd",
      comment => "Grant access to shell for cfruncommand",
      admit => { "$(sys.policy_hub)" };

    # Enterprise report queries ("." is AND: enterprise AND not the hub).
    # Both the host and hub variants admit only the policy hub; they differ
    # only in handle/comment so each side is identifiable in reports.
    !am_policy_hub.enterprise::

      "delta"
      handle => "server_access_grant_delta_for_hosts",
      comment => "Grant delta reporting query for the hub on the hosts",
      resource_type => "query",
      admit => { "$(sys.policy_hub)" };

      "full"
      handle => "server_access_grant_full_for_hosts",
      comment => "Grant full reporting query for the hub on the hosts",
      resource_type => "query",
      admit => { "$(sys.policy_hub)" };

    am_policy_hub.enterprise::

      "delta"
      handle => "server_access_grant_delta_for_hub",
      comment => "Grant delta reporting query for the hub on the policy server",
      resource_type => "query",
      admit => { "$(sys.policy_hub)" };

      "full"
      handle => "server_access_grant_full_for_hub",
      comment => "Grant full reporting query for the hub on the policy server",
      resource_type => "query",
      admit => { "$(sys.policy_hub)" };


      # Uncomment the promise below to allow cf-runagent to
      # access cf-agent on Windows machines
      # (note: it would inherit the broad domain/ACL admit list, not the
      #  hub-only list used for the unix shell above)
      #
      #  "c:\program files\cfengine\bin\cf-agent.exe"
      #
      #    handle => "grant_access_policy_agent",
      #    comment => "Grant access to the agent (for cf-runagent)",
      #    admit   => { ".*$(def.domain)", @(def.acl) };

  roles:

      # Use roles to allow specific remote cf-runagent users to
      # define certain soft-classes when running cf-agent on this host
      #
      # NOTE(review): ".*" lets the remote root user (the only identity in
      # allowusers) define *any* class name on this host, not just a chosen
      # set of soft-classes. If only specific classes are meant to be settable
      # remotely, replace ".*" with a pattern naming them.

      ".*" authorize => { "root" };

}