cfengine 3 security

Below is my security configuration in promises.cf
Cfengine server distributes it to all the clinets. But I do not want to allow 195.168.1.* on the clients I only want allow 192.168.1.10 on the clients and 192.168.1.* on the server.
What is the best way to have different security settings on cfengine server and cfengine client?
body server control

{
allowconnects         => { "192.168.1.*" };
allowallconnects      => { "192.168.1.*" };
trustkeysfrom         => { "192.168.1.*" };

# Make updates and runs happen in one

cfruncommand          => "$(sys.workdir)/bin/cf-agent -f failsafe.cf &&
$(sys.workdir)/bin/cf-agent";
allowusers            => { "root" , "aleksey" };
}

Open in new window

LVL 4
1oo4Asked:
Who is Participating?
 
1oo4Connect With a Mentor Author Commented:
body server control
{
    policy_server::
allowconnects         => { "192.168.1.*" };
allowallconnects      => { "192.168.1.*" };
trustkeysfrom         => { "192.168.1.*" };

   !policy_server::
allowconnects         => { "192.168.1.10" };
allowallconnects      => { "192.168.1.10" };
trustkeysfrom         => { "192.168.1.10" };

allowusers            => { "root" , "aleksey" };
}

Open in new window


Policy server class can be defined in a common bundle:
bundle common g
{
# Define some global variables
vars:
        "masterfiles" string => "/var/cfengine/masterfiles";
        "inputs" string => "/var/cfengine/inputs";
        "workdir" string => "/var/cfengine";
        "phost" string => "192.168.1.10";
        "crontab" string => "/etc/crontab";

classes:

"policy_server" expression => classify("$(g.phost)");

}

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.