cf-agent
cf-agent evaluates policy code and makes changes to the system. Policy bundles are evaluated in the order of the provided bundlesequence (this is normally specified in the common control body). For each bundle, cf-agent groups promise statements according to their type. Promise types are then evaluated in a preset order to ensure fast system convergence to policy.
cf-agent keeps the promises made in common and agent bundles, and is affected by common and agent control bodies.
Notes:
cf-agent always considers the class agent to be defined.
Command reference

    --bootstrap, -B value - Bootstrap CFEngine to the given policy server IP, hostname or :avahi (automatic detection)
    --bundlesequence, -b value - Set or override bundlesequence from command line
    --workdir, -w value - Override the default /var/cfengine work directory for testing (same as setting CFENGINE_TEST_OVERRIDE_WORKDIR)
    --debug, -d - Enable debugging output
    --define, -D value - Define a list of comma separated classes to be defined at the start of execution
    --self-diagnostics, -x value - Run checks to diagnose a CFEngine agent installation
    --dry-run, -n - All talk and no action mode - make no changes, only inform of promises not kept
    --file, -f value - Specify an alternative input file than the default. This option is overridden by FILE if supplied as argument.
    --help, -h - Print the help message
    --inform, -I - Print basic information about changes made to the system, i.e. promises repaired
    --log-level, -g value - Specify how detailed logs should be. Possible values: 'error', 'warning', 'notice', 'info', 'verbose', 'debug'
    --negate, -N value - Define a list of comma separated classes to be undefined at the start of execution
    --no-lock, -K - Ignore locking constraints during execution (ifelapsed/expireafter) if "too soon" to run
    --verbose, -v - Output verbose information about the behaviour of the agent
    --version, -V - Output the version of the software
    --timing-output, -t - Output timing information on console when in verbose mode
    --trust-server, -T value - Possible values: 'yes' (default, trust the server when bootstrapping), 'no' (server key must already be trusted)
    --color, -C value - Enable colorized output. Possible values: 'always', 'auto', 'never'. If option is used, the default value is 'auto'
    --no-extensions, -E - Disable extension loading (used while upgrading)
    --timestamp, -l - Log timestamps on each line of log output
    --ignore-preferred-augments - Ignore def_preferred.json file in favor of def.json
    --log-modules value - Enable even more detailed debug logging for specific areas of the implementation. Use together with '-d'. Use --log-modules=help for a list of available modules
    --no-augments - Do not load augments (def.json)
    --no-host-specific-data - Do not load host-specific data (host_specific.json)
    --show-evaluated-classes value - Show *final* evaluated classes, including those defined in common bundles in policy. Optionally can take a regular expression.
    --show-evaluated-vars value - Show *final* evaluated variables, including those defined without dependency to user-defined classes in policy. Optionally can take a regular expression.
    --skip-bootstrap-policy-run - Do not run policy as the last step of the bootstrap process
    --skip-bootstrap-service-start - Do not start CFEngine services as part of the bootstrap process
    --skip-db-check value - Do not run database integrity checks and repairs at startup
    --simulate value - Run in simulate mode, either 'manifest', 'manifest-full' or 'diff'

--simulate
Like the --dry-run option, the --simulate option tries to identify changes to your system without making changes to the system, however it goes further than --dry-run by making changes in a chroot and making a distinction between safe and unsafe functions, e.g. execresult().
The agent will execute promises with unsafe functions when the --simulate option is given only if the promise using the function is tagged simulate_safe.
For example:

    bundle agent __main__
    {
      vars:
          "msg"
            string => execresult("/bin/echo Hello world!", "useshell"),
            meta => { "simulate_safe" };
    }

The simulate option takes a parameter, diff, manifest, or manifest-full which is used to determine the summary output shown at the end of the run.
- diff - Show only things that changed during the simulated run.
- manifest - Show files and packages changed by the simulated run.
- manifest-full - Show all files evaluated by the simulated run (including unchanged ones)
Notes
- cf-agent can now simulate the changes done to files in a chroot, printing diff or manifest information about what it would do in a normal evaluation. Use the new command line option: --simulate=diff or --simulate=manifest. Please note that only files and packages promises are simulated currently.
- Added a new --simulate=manifest-full mode. New simulation mode that manifests all changed files as well as all other files evaluated by the agent run which were not skipped (by file selection rules) (CFE-3506)
History
- Introduced in version 3.17.0
- --simulate=manifest-full introduced in version 3.18.0
Automatic bootstrapping
Automatic bootstrapping allows the user to connect a CFEngine Host to a Policy Server without specifying the IP address manually. It uses the Avahi service discovery implementation of zeroconf to locate the Policy Server, obtain its IP address, and then connect to it. To use automatic bootstrap, install the following Avahi libraries:
- libavahi-client
- libavahi-common
To make the CFEngine Server discoverable, it needs to register itself as an Avahi service. Run the following command:

    /var/cfengine/bin/cf-serverd -A

This generates the configuration file for Avahi in /etc/avahi/services and restarts the Avahi daemon in order to register the new service.
From this point on, the Policy Server will be discovered with the Avahi service. To verify that the server is visible, run the following command (requires avahi-utils):

    avahi-browse -atr | grep cfenginehub

The sample output looks like this:

    eth0 IPv4 CFEngine Community 3.5.0 Policy Server on policy_hub_debian7_cfenginehub._tcp local

Once the Policy Server is configured with the Avahi service, you can auto-bootstrap Hosts to it.

    /var/cfengine/bin/cf-agent -B :avahi

The Hosts require Avahi libraries to be installed in order to use this functionality. By default cf-agent looks for libraries in standard install locations. Install locations vary from system to system. If Avahi is installed in a non-standard location (i.e. compiled from source), set the AVAHI_PATH environmental variable to specify the path.

    AVAHI_PATH=/lib/libavahi-client.so.3 /var/cfengine/bin/cf-agent -B :avahi

If more than one server is found, or if the server has more than one IP address, the list of all available servers is printed and the user is asked to manually specify the IP address of the correct server by running the standard bootstrap command of cf-agent:

    /var/cfengine/bin/cf-agent --bootstrap <IP address>

If only one Policy Server is found in the network, cf-agent performs the bootstrap without further manual user intervention.
Note: Automatic bootstrapping support is ONLY for Linux, and it is limited only to one subnet.
Control promises
Settings describing the details of the fixed behavioral promises made by cf-agent.

    body agent control
    {
        # Agent email report settings based on their domain.
        alpha_cfengine_com::
          domain => "alpha.cfengine.com";
          mailto => "admins@alpha.cfengine.com";

        beta_domain_com::
          domain => "beta.cfengine.com";
          mailto => "admins@beta.cfengine.com";

        any::
          mailfrom => "root";
    }

abortbundleclasses
Description: The abortbundleclasses slist contains regular expressions that match classes which if defined lead to termination of current bundle.
Regular expressions are used for classes, or class expressions that cf-agent will watch out for. If any of these classes becomes defined, it will cause the current bundle to be aborted. This may be used for validation, for example.
Type: slist
Allowed input range: .*
Example: This example shows how to use the feature to validate input to a method bundle.

    body common control
    {
        bundlesequence => { "testbundle" };
        version => "1.2.3";
    }

    #################################

    body agent control
    {
        abortbundleclasses => { "invalid.*" };
    }

    #################################

    bundle agent testbundle
    {
      vars:
          "userlist" slist => { "xyz", "mark", "jeang", "jonhenrik", "thomas", "eben" };

      methods:
          "any" usebundle => subtest("$(userlist)");
    }

    #################################

    bundle agent subtest(user)
    {
      classes:
          "invalid" not => regcmp("[a-z]{4}", "$(user)");

      reports:
        !invalid::
          "User name $(user) is valid at exactly 4 letters";

        # abortbundleclasses will prevent this from being evaluated
        invalid::
          "User name $(user) is invalid";
    }

abortclasses
Description: The abortclasses slist contains regular expressions that match classes which if defined lead to termination of cf-agent.
Regular expressions are used for classes that cf-agent will watch out for. If any matching class becomes defined, it will cause the current execution of cf-agent to be aborted. This may be used for validation, for example.
Type: slist
Allowed input range: .*
Example:

    body agent control
    {
        abortclasses => { "danger.*", "should_not_continue" };
    }

    bundle agent main
    {
      methods:
          "bundle_a";
          "bundle_b";
          "bundle_c";
    }

    bundle agent bundle_a
    {
      classes:
          "abort_condition_a"
            expression => "any",
            scope => "namespace";
    }

    bundle common bundle_b
    {
      classes:
          "abort_condition_b"
            expression => "any";
    }

    bundle agent bundle_c
    {
      classes:
          # Here we define a class that will match the abortclasses under more complex
          # conditions
          "should_not_continue"
            expression => "(abort_condition_a.abort_condition_b).!something_else",
            scope => "namespace";
    }

Output:

    error: Fatal CFEngine error: cf-agent aborted on defined class 'should_not_continue'

Note: CFEngine class expressions are not supported. To handle class expressions, simply create an alias for the expression with a single name.
addclasses
Description: The addclasses slist contains classes to be defined always in the current context.
This adds global, literal classes. The only predicates available during the control section are hard-classes.
Type: slist
Allowed input range: .*
Example:

    any::
      addclasses => { "My_Organization" };

    solaris::
      addclasses => { "some_solaris_alive", "running_on_sunshine" };

Notes:
Another place to make global aliases for system hardclasses. Classes here are added unequivocally to the system. If classes are used to predicate definition, then they must be defined in terms of global hard classes.
agentaccess
Description: The agentaccess slist contains user names that are allowed to execute cf-agent.
This represents a list of user names that will be allowed to attempt execution of the current configuration. This is mainly a sanity check rather than a security measure.
Type: slist
Allowed input range: .*
Example:

    agentaccess => { "mark", "root", "sudo" };

agentfacility
Type: (menu option)
Allowed input range:

    LOG_USER LOG_DAEMON LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7

Default value: LOG_USER
Description: The agentfacility menu option policy sets the agent's syslog facility level.
Example:

    agentfacility => "LOG_USER";

Notes:
This is ignored on Windows, as CFEngine Enterprise creates event logs.
See also: Manual pages for syslog.
allclassesreport
Description: The allclassesreport menu option policy determines whether to generate the allclasses.txt report.
If set to true, the state/allclasses.txt file will be written to disk during agent execution.
Type: boolean
Default value: false
Example:

    body agent control
    {
        allclassesreport => "true";
    }

Notes:
This functionality is retained only for CFEngine 2 compatibility. As of CFEngine 3.5, the classesmatching() function provides a more convenient way to retrieve a list of set classes at execution time.
History: Was introduced in 3.2.4, Enterprise 2.1.4 (2011)
alwaysvalidate
Description: The alwaysvalidate menu option policy is a true/false flag to determine whether configurations will always be checked before executing, or only after updates.
Type: boolean
Example:

    body agent control
    {
        Min00_05::
          # revalidate once per hour, regardless of change in configuration
          alwaysvalidate => "true";
    }

Notes:
The agents cf-agent and cf-serverd can run cf-promises to validate inputs before attempting to execute a configuration. As of version 3.1.2 core, this only happens if the configuration file has changed to save CPU cycles. When this attribute is set, cf-agent will force a revalidation of the input.
History: Was introduced in version 3.1.2, Enterprise 2.0.1 (2010)
auditing
Deprecated: This menu option policy is deprecated, does nothing and is kept for backward compatibility.
binarypaddingchar
Deprecated: This attribute was deprecated in 3.6.0.
bindtointerface
Description: The bindtointerface string describes the interface to be used for outgoing connections.
On multi-homed hosts, the server and client can bind to a specific interface for server traffic. The IP address of the interface must be given as the argument, not the device name.
Type: string
Allowed input range: .*
Example:

    bindtointerface => "192.168.1.1";

checksum_alert_time
Description: The value of checksum_alert_time represents the persistence time for the checksum_alert class.
When checksum changes trigger an alert, this is registered as a persistent class. This value determines the longevity of that class.
Type: int
Allowed input range: 0,60
Default value: 10 mins
Example:

    body agent control
    {
        checksum_alert_time => "30";
    }

childlibpath
Description: The childlibpath string contains the LD_LIBRARY_PATH for child processes.
This string may be used to set the internal LD_LIBRARY_PATH environment of the agent.
Type: string
Allowed input range: .*
Example:

    body agent control
    {
        childlibpath => "/usr/local/lib:/usr/local/gnu/lib";
    }

copyfrom_restrict_keys
This attribute restricts cf-agent to copying files from hosts that have a key explicitly defined in this list.
Example:

    body agent control
    {
        copyfrom_restrict_keys => {
            "SHA=6565a8e647e61e4a7ff2c709e0fe772acce2e45aaa294b2bb713de0ba5a6d8c3",
            "SHA=727dd7f6f8b2344c6d69cf1d3ed0446c0f9f095ce1a114481d691bf1cb2b300d",
        };
    }

See also: admit_keys, controls/cf_agent.cf
History:
- Introduced in 3.20.0
default_repository
Description: The default_repository string contains the path to the default file repository.
If defined, the default repository is the location where versions of files altered by CFEngine are stored. This should be understood in relation to the policy for 'backup' in copying, editing etc. If the backups are time-stamped, this effectively becomes a version control repository.
Type: string
Allowed input range: "?(/.*)
Default value: unset
Example:

    body agent control
    {
        default_repository => "/var/cfengine/repository";
    }

Notes: When a repository is specified, the files are stored using the canonified directory name of the original file, concatenated with the name of the file. So, for example, /usr/local/etc/postfix.conf would ordinarily be stored in an alternative repository as _usr_local_etc_postfix.conf.cfsaved. If unset then backups are stored in the same directory as the original file with an identifying suffix.
See also: edit_backup in body edit_defaults, copy_backup in body copy_from
default_timeout
Description: The value of default_timeout represents the maximum time a network connection should attempt to connect or read from server.
The time is in seconds. It is not a guaranteed number, since it depends on system behavior.
Type: int
Allowed input range: 0,99999999999
Default value: 30 seconds
Example:

    body agent control
    {
        default_timeout => "10";
    }

See also: body copy_from timeout, cf-runagent timeout
Notes:
cf-serverd will time out any transfer that takes longer than 10 minutes (this is not currently tunable).
defaultcopytype
Description: The defaultcopytype menu option policy sets the global default policy for comparing source and image in copy transactions.
Type: (menu option)
Allowed input range:

    mtime atime ctime digest hash binary

Example:

    body agent control
    {
        #...
        defaultcopytype => "digest";
    }

dryrun
Description: The dryrun menu option, if set, makes no changes to the system, and will only report what it needs to do.
Type: boolean
Default value: false
Example:

    body agent control
    {
        dryrun => "true";
    }

editbinaryfilesize
Description: The value of editbinaryfilesize represents the limit on maximum binary file size to be edited.
This is a global setting for the file-editing safety-net for binary files, and may be overridden on a per-promise basis with max_file_size.
Type: int
Allowed input range: 0,99999999999
Default value: 100k
Example:

    body agent control
    {
        editbinaryfilesize => "10M";
    }

Notes: When setting limits, the limit on editing binary files should generally be set higher than for text files.
editfilesize
Description: The value of editfilesize is the limit on maximum text file size to be edited.
This is a global setting for the file-editing safety-net, and may be overridden on a per-promise basis with max_file_size.
Type: int
Allowed input range: 0,99999999999
Default value: 100000
Example:

    body agent control
    {
        editfilesize => "120k";
    }

environment
Description: The environment slist contains environment variables to be inherited by children.
This may be used to set the runtime environment of the agent process. The values of environment variables are inherited by child commands.
Type: slist
Allowed input range: [A-Za-z0-9_]+=.*
Example:

    body common control
    {
        bundlesequence => { "one" };
    }

    body agent control
    {
        environment => { "A=123", "B=456", "PGK_PATH=/tmp" };
    }

    bundle agent one
    {
      commands:
          "/usr/bin/env";
    }

Some interactive programs insist on values being set, for example:

    # Required by apt-cache, debian
    environment => { "LANG=C" };

expireafter
Description: The value of expireafter is a global default for time before on-going promise repairs are interrupted.
This represents the locking time after which CFEngine will attempt to kill and restart its attempt to keep a promise.
Type: int
Allowed input range: 0,99999999999
Default value: 1 min
Example:

    body action example
    {
        ifelapsed   => "120";  # 2 hours
        expireafter => "240";  # 4 hours
    }

See also: body action expireafter, body contain exec_timeout, body executor control agent_expireafter
files_auto_define
Description: The files_auto_define slist contains a list of regular expressions matching filenames. When a file matching one of these regular expressions is copied, classes prefixed with auto_ are defined.
Classes are automatically defined by the files that are copied. The file is named according to the prefixed 'canonization' of the file name. Canonization means that non-identifier characters are converted into underscores. Thus /etc/passwd would canonize to _etc_passwd. The prefix auto_ is added to clarify the origin of the class. Thus in the example the copying of /etc/passwd would lead to the class auto__etc_passwd being defined automatically.
Type: slist
Allowed input range: (arbitrary string)
Example:

    rm -f /tmp/example_files_auto_define.txt
    rm -f /tmp/source_file.txt

    body agent control
    {
        inform => "true"; # So that we can easily see class definition
        files_auto_define => { ".*" }; # Trigger for any copied file
    }

    bundle agent main
    {
      files:
          "/tmp/source_file.txt"
            content => "Hello World!";

          "/tmp/example_files_auto_define.txt"
            copy_from => local_dcp("/tmp/source_file.txt");

      reports:
          "Defined '$(with)', the canonified form of 'auto_/tmp/example_files_auto_define.txt'"
            with => canonify("auto_/tmp/example_files_auto_define.txt"),
            if => canonify("auto_/tmp/example_files_auto_define.txt");
    }

    body copy_from local_dcp(from)
    {
        source => "$(from)";
        compare => "digest";
    }

Output:

        info: Created file '/tmp/source_file.txt', mode 0600
        info: Updated file '/tmp/source_file.txt' with content 'Hello World!'
        info: Copied file '/tmp/source_file.txt' to '/tmp/example_files_auto_define.txt.cfnew' (mode '600')
        info: Moved '/tmp/example_files_auto_define.txt.cfnew' to '/tmp/example_files_auto_define.txt'
        info: Updated file '/tmp/example_files_auto_define.txt' from 'localhost:/tmp/source_file.txt'
        info: Auto defining class 'auto__tmp_example_files_auto_define_txt'
    R: Defined 'auto__tmp_example_files_auto_define_txt', the canonified form of 'auto_/tmp/example_files_auto_define.txt'

This policy can be found in /var/cfengine/share/doc/examples/files_auto_define.cf and downloaded directly from github.
files_single_copy
Description: The files_single_copy slist contains filenames to be watched for multiple-source conflicts.
This list of regular expressions will ensure that files matching the patterns of the list are never copied from more than one source during a single run of cf-agent. This may be considered a protection against accidental overlap of copies from diverse remote sources, or as a first-come-first-served disambiguation tool for lazy-evaluation of overlapping file-copy promises.
Type: slist
Allowed input range: (arbitrary string)
Example:

    body agent control
    {
        files_single_copy => { "/etc/.*", "/special/file" };
    }

hashupdates
Description: The hashupdates attribute determines whether stored hashes are updated when change is detected in source.
If 'true' the stored reference value is updated as soon as a warning message has been given. As most changes are benign (package updates etc) this is a common setting.
Type: boolean
Default value: false
Example:

    body agent control
    {
        hashupdates => "true";
    }

hostnamekeys
Deprecated: Host identification is now handled transparently.
Description: The hostnamekeys menu option policy determines whether to label ppkeys by hostname not IP address.
This represents a client side choice to base key associations on host names rather than IP address. This is useful for hosts with dynamic addresses.
Type: boolean
Default value: false
Example:

    body server control
    {
        hostnamekeys => "true";
    }

ifelapsed
Description: The value of ifelapsed is a global default representing the time that must elapse before a promise will be rechecked.
This configures the default setting for cf-agent. Promises which take a long time to verify should usually be protected with a long value for this parameter. This serves as a resource 'spam' protection. A CFEngine check could easily run every 5 minutes provided resource intensive operations are not performed on every run. Using time classes like Hr12 etc., is one part of this strategy; using ifelapsed is another which is not tied to a specific time.
Type: int
Allowed input range: 0,99999999999
Default value: 1
Example:

    body agent control
    {
        ifelapsed => "180"; # 3 hours
    }

Notes:
- A value of 0 means no locking, all promises will be executed each execution if in context. This also disables function caching.
- This is not a reliable way to control frequency over a long period of time.
- Locks provide simple but weak frequency control.
- Locks older than 4 weeks are automatically purged.
See also: Promise locking, ifelapsed action body attribute
inform
Description: The inform menu option policy sets the default output level 'permanently' within the class context indicated.
It is equivalent to (and when present, overrides) the command line option '-I'.
Type: boolean
Default value: false
Example:

    body agent control
    {
        inform => "true";
    }

intermittency
Deprecated: This attribute does nothing and is kept for backward compatibility.
Type: boolean
Default value: false
max_children
Description: The value of max_children represents the maximum number of background tasks that should be allowed concurrently.
For the run-agent this is the maximum number of forked background processes allowed when parallelizing connections to servers. For the agent it represents the number of background jobs allowed concurrently. Background jobs often lead to contention of the disk resources slowing down tasks considerably; there is thus a law of diminishing returns.
Type: int
Allowed input range: 0,99999999999
Default value: 1 concurrent agent promise
Example:

    body agent control
    {
        max_children => "10";
    }

See also: background in action bodies
maxconnections
Description: The value of maxconnections represents the maximum number of outgoing connections to cf-serverd.
Type: int
Allowed input range: 0,99999999999
Default value: 30 remote queries
Example:

    # client side
    body agent control
    {
        maxconnections => "1000";
    }

Notes:
Watch out for kernel limitations for maximum numbers of open file descriptors which can limit this.
mountfilesystems
Description: The mountfilesystems menu option policy determines whether to mount any filesystems promised.
It issues the generic command to mount file systems defined in the file system table.
Type: boolean
Default value: false
Example:

    body agent control
    {
        mountfilesystems => "true";
    }

nonalphanumfiles
Description: The nonalphanumfiles menu option policy determines whether to warn about filenames with no alphanumeric content.
This test is applied in all recursive/depth searches.
Type: boolean
Default value: false
Example:

    body agent control
    {
        nonalphanumfiles => "true";
    }

refresh_processes
Description: The refresh_processes slist contains bundles to reload the process table before verifying the bundles named in this list (lazy evaluation).
If this list of regular expressions is non-null and an existing bundle is mentioned or matched in this list, CFEngine will reload the process table at the start of the named bundle, each time it is scheduled. If the list is null, the process list will be reloaded at the start of every scheduled bundle.
Type: slist
Allowed input range: [a-zA-Z0-9_$(){}\[\].:]+
Example:

    body agent control
    {
        refresh_processes => { "mybundle" };
        # refresh_processes => { "none" };
    }

This example uses a non-empty list with the name 'none'. This is not a reserved word, but as long as there are no bundles with the name 'none' this has the effect of never reloading the process table. This improves the efficiency of the agent.
History: Was introduced in version 3.1.3, Enterprise 2.0.2 (2010)
repchar
Description: The repchar string represents a character used to canonize pathnames in the file repository.
Type: string
Allowed input range: .
Default value: _
Example:

    body agent control
    {
        repchar => "_";
    }

report_class_log
Description: The report_class_log option enables logging of classes set by cf-agent. Each class set by cf-agent will be logged at the end of agent execution (all classes defined during the same cf-agent execution will have the same timestamp).
Time classes are ignored.
Destination: '/var/cfengine/state/classes.jsonl'
Format (jsonl):

    {"name":"class_123","timestamp":1456933993}\r\n
    {"name":"pk_sha_123","timestamp":1456933993}\r\n

Type: boolean
Default value: false
Example:

    body agent control
    {
        report_class_log => "true";
    }

History:
- Added in 3.9.0
Notes:
- Available in CFEngine Enterprise.
- Persistent classes are logged with the timestamp of each agent run.
The following classes are excluded from logging:
- Time based classes (Hr01, Tuesday, Morning, etc ...)
- license_expired
- any
- from_cfexecd
- Life cycle (Lcycle_0, GMT_Lcycle_3)
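
An added example, not part of the CFEngine documentation: a Python reader for the classes.jsonl format described in this section. It groups classes by agent run (the shared timestamp) and reports classes first logged in the latest run. The sample log, class names and function names are constructed for illustration.

```python
"""Added example: summarise a report_class_log file (classes.jsonl)."""
import json
from collections import defaultdict

# Constructed sample in the documented format: one JSON object per line,
# each line terminated by \r\n. Names and timestamps are invented.
SAMPLE_LOG = (
    '{"name":"class_123","timestamp":1456933993}\r\n'
    '{"name":"pk_sha_123","timestamp":1456933993}\r\n'
    '{"name":"class_123","timestamp":1456934293}\r\n'
    '{"name":"pk_sha_123","timestamp":1456934293}\r\n'
    '{"name":"auto__etc_passwd","timestamp":1456934293}\r\n'
    '{"name":"truncated","timest'  # partial last line, e.g. read mid-write
)


def parse_class_log(text):
    """Return ({timestamp: set of class names}, [rejected line numbers])."""
    runs = defaultdict(set)
    rejected = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.strip()  # also drops the trailing \r
        if not line:
            continue
        try:
            record = json.loads(line)
            name, ts = record["name"], record["timestamp"]
        except (ValueError, KeyError, TypeError):
            rejected.append(lineno)  # not JSON, or not the expected object
            continue
        if not isinstance(name, str) or isinstance(ts, bool) or not isinstance(ts, int):
            rejected.append(lineno)
            continue
        runs[ts].add(name)
    return dict(runs), rejected


def new_in_latest_run(runs):
    """Classes logged in the most recent run but in no earlier run."""
    if not runs:
        return set()
    latest = max(runs)
    earlier = set().union(*(names for ts, names in runs.items() if ts != latest))
    return runs[latest] - earlier


def gone_since_previous_run(runs):
    """Classes logged in the previous run but missing from the latest one."""
    if len(runs) < 2:
        return set()
    ordered = sorted(runs)
    return runs[ordered[-2]] - runs[ordered[-1]]


if __name__ == "__main__":
    parsed, bad_lines = parse_class_log(SAMPLE_LOG)
    print("runs:", sorted(parsed))
    print("new in latest run:", sorted(new_in_latest_run(parsed)))
    print("gone since previous run:", sorted(gone_since_previous_run(parsed)))
    print("rejected lines:", bad_lines)
```

Because persistent classes are logged again on every run, a class that shows up only in the latest run is a real change on that host rather than a repeat entry.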
secureinput
Description: The secureinput menu option policy checks whether input files are writable by unauthorized users.
If this is set, the agent will not accept an input file that is not owned by a privileged user.
Type: boolean
Default value: false
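
An added example, not part of the CFEngine documentation: a Python pre-flight audit that lists policy input files which are owned by an untrusted user or writable by group or other, so they can be fixed before secureinput is switched on. The agent's exact rules are not given on this page, so the trusted-owner set, the write-bit test and the symlink handling are assumptions, and the sample tree is constructed.

```python
"""Added example: audit a policy input directory before enabling secureinput."""
import os
import stat
import tempfile


def audit_inputs(root, trusted_uids=(0,)):
    """Return a sorted list of (path, reason) findings for root and all below it.

    Assumed rules, not the agent's documented algorithm: the owner must be in
    trusted_uids, and neither group nor other may have write permission.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect a symlink itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: review its target separately"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((path, "group/other writable (mode %04o)" % mode))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed input tree: one tight file, one world-writable file."""
    root = tempfile.mkdtemp(prefix="inputs_demo_")
    for name, mode in (("promises.cf", 0o600), ("site.cf", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample policy file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # The demo trusts the current user so that it runs unprivileged.
    for path, reason in audit_inputs(sample, trusted_uids=(os.getuid(),)):
        print(path, "-", reason)
```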
Example:

    body agent control
    {
        secureinput => "true";
    }

select_end_match_eof
Description: When true this sets the default behavior for edit_line promises to allow the end of a file to mark the end of a region when select_end is defined, but not found.
It is useful for configuration files with sections that do not have end markers, so the end could be the start of another section, or the end of a file.
Type: boolean
Default value: false
Example:

    body agent control
    {
        select_end_match_eof => "true";
    }

See also: select_end_match_eof in delete_lines, select_end_match_eof in field_edits, select_end_match_eof in insert_lines, select_end_match_eof in replace_patterns
sensiblecount
Description: The value of sensiblecount represents the minimum number of files a mounted filesystem is expected to have.
Type: int
Allowed input range: 0,99999999999
Default value: 2 files
Example:

    body agent control
    {
        sensiblecount => "20";
    }

sensiblesize
Description: The value of sensiblesize represents the minimum number of bytes a mounted filesystem is expected to have.
Type: int
Allowed input range: 0,99999999999
Default value: 1000 bytes
Example:

    body agent control
    {
        sensiblesize => "20K";
    }

skipidentify
Description: The skipidentify menu option policy determines whether to send an IP/name during server connection because address resolution is broken.
Hosts that are not registered in DNS cannot supply reasonable credentials for a secondary confirmation of their identity to a CFEngine server. This causes the agent to ignore its missing DNS credentials.
Type: boolean
Default value: false
Example:

    body agent control
    {
        skipidentify => "true";
    }

suspiciousnames
Description: The suspiciousnames slist contains names to skip and warn about if found during any file search.
If CFEngine sees these names during recursive (depth) file searches, it will skip them and output a warning message.
Type: slist
Allowed input range: (arbitrary string)
Example:

    body agent control
    {
        suspiciousnames => { ".mo", "lrk3", "rootkit" };
    }

syslog
Deprecated: This menu option policy is deprecated as of 3.6.0. It performs no action and is kept for backward compatibility.
timezone
Description: The timezone slist contains allowed timezones this machine must comply with.
Type: slist
Allowed input range: (arbitrary string)
Example:

    body agent control
    {
        timezone => { "MET", "CET", "GMT+1" };
    }

track_value
Deprecated: This menu option policy is deprecated as of 3.6.0. It performs no action and is kept for backward compatibility.
verbose
Description: The verbose menu option policy determines whether to switch on verbose standard output.
It is equivalent to (and when present, overrides) the command line option '-v'. Sets the default output level 'permanently' for this promise.
Type: boolean
Default value: false
Example:

    body agent control
    {
        verbose => "true";
    }
- Release notes
- Web UI
- Settings
- Health
- Hosts
- Alerts and notifications
- Custom actions for alerts
- Enterprise reporting
- Federated reporting
- Measurements app
- Hub administration
- Decommissioning hosts
- Extending Mission Portal
- Extending query builder in Mission Portal
- Adjusting schedules
- Backup and restore
- Configure a custom LDAP port
- Custom LDAPs certificate
- Custom SSL certificate
- Enable plain http
- Lookup license info
- Policy deployment
- Public key distribution
- Re-installing Enterprise hub
- Regenerate self signed SSL certificate
- Reset administrative credentials
- Debugging Mission Portal
- License
- Examples and tutorials
- Example snippets
- General examples
- Administration examples
- Measuring examples
- Software administration examples
- Commands, scripts, and execution examples
- File and directory examples
- File template examples
- Interacting with directory services
- Database examples
- Network examples
- System security examples
- System information examples
- System administration examples
- System file examples
- Windows registry examples
- File permissions
- User management examples
- Common promise patterns
- Aborting execution
- Change detection
- Check filesystem space
- Copy single files
- Create files and directories
- Customize message of the day
- Distribute ssh keys
- Ensure a process is not running
- Ensure a service is enabled and running
- Find the MAC address
- Install packages
- Mount NFS filesystem
- Restart a process
- Set up name resolution with DNS
- Set up sudo
- Set up time management through NTP
- Updating from a central policy server
- Tutorials
- JSON and YAML support in CFEngine
- Installing CFEngine Enterprise agent
- Managing local users
- Managing network time protocol
- Managing processes and services
- Package management
- Writing CFEngine policy
- Distributing files from a central location
- File editing
- Reporting and remediation of security vulnerabilities
- Masterfiles Policy Framework upgrade
- Tags for variables, classes, and bundles
- Custom inventory
- Dashboard alerts
- Integrating alerts with PagerDuty
- Integrating alerts with ticketing systems
- Integrating with Sumo Logic
- Rendering files with Mustache templates
- Reporting
- File comparison
- High availability
- Writing and serving policy
- Example snippets
- Resources
- FAQ
- Why knowledge management?
- Requesting a CFEngine Enterprise License
- Uninstalling / reinstalling
- Agent output email
- Debugging slow queries
- Enterprise Report Filtering
- Enterprise report collection
- Enterprise reporting database
- How can I tell what classes and variables are defined?
- How do I find the public key for a given host
- How do I fix trust after an IP change?
- How do I fix undefined body errors?
- How do I integrate custom policy?
- How do I pass a data type variable?
- Manual execution
- Mustache templating
- Unable to log into Mission Portal
- Users
- What is promise locking?
- Why are remote agents not updating?
- Why are some files inside masterfiles not being updated/distributed?
- Why does CFEngine install into /var/cfengine instead of following the FHS?
- Bootstrapping
- Tuning PostgreSQL
- What did CFEngine do?
- External resources
- Additional topics
- Best practices
- FAQ
- API
- Enterprise API examples
- Enterprise API reference
- Actions API
- Build API
- CMDB API
- Changes REST API
- Federated reporting configuration API
- File changes API
- Health diagnostic API
- Host REST API
- Import & export API
- Import & export compliance report API
- Inventory API
- LDAP authentication API
- Personal groups API
- Query REST API
- SQL schema
- SSH keys API
- Shared groups API
- Status and settings REST API
- Two-factor authentication API
- Users and access-control REST API
- VCS settings API
- Web RBAC API