From 9d312f43a323f20f7c33eabc7fcbea809d4403a4 Mon Sep 17 00:00:00 2001
From: Admin MPCZ
Date: Tue, 28 Apr 2026 00:20:56 +0200
Subject: [PATCH] feat(qualys/agents): check conf proxy agent (qagent-proxy.conf, drop-in systemd, sysconfig, /etc/environment) + suggestion config proxy
---
 app/services/realtime_audit_service.py | 44 ++++++++++++++++++++++----
 app/templates/qualys_agent_audit.html | 6 ++++
 2 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/app/services/realtime_audit_service.py b/app/services/realtime_audit_service.py
index d5e7854..9cc813a 100644
--- a/app/services/realtime_audit_service.py
+++ b/app/services/realtime_audit_service.py
@@ -602,6 +602,21 @@ QUALYS_AGENT_CMDS = {
 "echo; echo '=== Top 5 dossiers /var/log ==='; "
 "(du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || (sudo -n du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || echo '(non lisible)'"
 ),
+ "qualys_proxy_config": (
+ "echo '=== /etc/qualys/cloud-agent/qagent-proxy.conf (conf proxy dediee Qualys) ==='; "
+ "(cat /etc/qualys/cloud-agent/qagent-proxy.conf 2>/dev/null || sudo -n cat /etc/qualys/cloud-agent/qagent-proxy.conf 2>/dev/null) || echo '(absent — proxy non configure ici)'; "
+ "echo; echo '=== systemd drop-in qualys-cloud-agent.service.d/ ==='; "
+ "if [ -d /etc/systemd/system/qualys-cloud-agent.service.d ]; then "
+ " ls /etc/systemd/system/qualys-cloud-agent.service.d/ 2>/dev/null; "
+ " (cat /etc/systemd/system/qualys-cloud-agent.service.d/*.conf 2>/dev/null || sudo -n cat /etc/systemd/system/qualys-cloud-agent.service.d/*.conf 2>/dev/null) || echo '(non lisible)'; "
+ "else echo '(pas de dossier drop-in)'; fi; "
+ "echo; echo '=== systemctl show qualys-cloud-agent (Environment) ==='; "
+ "(systemctl show qualys-cloud-agent -p Environment 2>/dev/null || sudo -n systemctl show qualys-cloud-agent -p Environment 2>/dev/null) || echo '(systemctl indispo)'; "
+ "echo; echo '=== /etc/sysconfig/qualys-cloud-agent ==='; "
+ "(cat /etc/sysconfig/qualys-cloud-agent 2>/dev/null || sudo -n cat /etc/sysconfig/qualys-cloud-agent 2>/dev/null) || echo '(absent)'; "
+ "echo; echo '=== Variables proxy globales (/etc/environment) ==='; "
+ "grep -iE 'http_proxy|https_proxy' /etc/environment 2>/dev/null || echo '(aucune)'"
+ ),
 "qualys_connectivity": (
 # Proxy SANEF: FQDN puis fallback IP si DNS interne KO
 "PROXY=http://proxy.sanef.fr:8080; "
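Review bot: The new `qualys_proxy_config` command prints proxy settings verbatim, and a proxy URL can carry credentials in its userinfo part (`http://user:pass@host:port`), so whatever is in `qagent-proxy.conf`, the drop-in files, `/etc/sysconfig/qualys-cloud-agent` or `/etc/environment` ends up in the stored audit result and on the audit page added by this same commit. `systemctl show qualys-cloud-agent -p Environment` also returns every variable set on the unit, not only the proxy ones, so it should be filtered to the `*_proxy` names. I would mask the userinfo before the output leaves the host, for example by piping each block through `sed -E 's#://[^/@[:space:]]+@#://***@#g'`. `QUALYS_AGENT_CMDS` starts and ends outside the hunk, so whether other entries already redact their output cannot be seen here.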
@@ -748,12 +763,29 @@ def _analyze_qualys_audit(r):
 "severity": "high",
 "title": "Connectivité Qualys cloud KO",
 "fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, "
- "fallback IP 10.40.10.225). Vérifier :\n"
- "1. Variables d'env de l'agent : /etc/qualys/cloud-agent/qagent-proxy.conf "
- "ou systemctl edit qualys-cloud-agent (Environment='https_proxy=http://proxy.sanef.fr:8080')\n"
- "2. Test depuis le serveur :\n"
- " curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n"
- "3. Si proxy KO côté infra : ouvrir ticket réseau"
+ "fallback IP 10.40.10.225). Tester :\n"
+ "curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n\n"
+ "Si proxy KO côté infra : ouvrir ticket réseau."
+ })
+
+ # Proxy agent Qualys non configuré
+ s_pxc = (r.get("qualys_proxy_config") or "").lower()
+ if s_pxc and "proxy.sanef.fr" not in s_pxc and "10.40.10.225" not in s_pxc:
+ suggestions.append({
+ "severity": "high",
+ "title": "Agent Qualys : proxy SANEF non configuré",
+ "fix": "L'agent doit utiliser le proxy SANEF pour atteindre qualysagent.qualys.eu.\n\n"
+ "Méthode 1 — fichier dédié Qualys (recommandé, persiste aux màj agent) :\n"
+ "echo 'https_proxy=http://proxy.sanef.fr:8080' | sudo tee /etc/qualys/cloud-agent/qagent-proxy.conf\n"
+ "sudo systemctl restart qualys-cloud-agent\n\n"
+ "Méthode 2 — drop-in systemd :\n"
+ "sudo systemctl edit qualys-cloud-agent\n"
+ "# Ajouter :\n"
+ "[Service]\n"
+ "Environment=\"https_proxy=http://proxy.sanef.fr:8080\"\n"
+ "Environment=\"http_proxy=http://proxy.sanef.fr:8080\"\n"
+ "# Puis :\n"
+ "sudo systemctl daemon-reload && sudo systemctl restart qualys-cloud-agent"
 })
 if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn:
 suggestions.append({
diff --git a/app/templates/qualys_agent_audit.html b/app/templates/qualys_agent_audit.html
index 0905eec..10c4d1f 100644
--- a/app/templates/qualys_agent_audit.html
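Review bot: The test `"proxy.sanef.fr" not in s_pxc` is a substring match over the whole command output, so the agent is treated as configured when the proxy appears only in a commented-out line or only in the `/etc/environment` section, which a systemd service does not read unless its unit references that file. I would evaluate only the Qualys-specific sections (`qagent-proxy.conf`, the drop-in, the `systemctl show` line, `/etc/sysconfig/qualys-cloud-agent`) and ignore lines starting with `#`. Separately, Méthode 1 in the fix text pipes into `sudo tee /etc/qualys/cloud-agent/qagent-proxy.conf`, which overwrites any existing content; the text should tell the operator to check the file first and to keep it readable by root only if the proxy URL ever carries credentials. `_analyze_qualys_audit` begins and ends outside the hunk.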
+++ b/app/templates/qualys_agent_audit.html
@@ -135,6 +135,12 @@
{{ audit.logrotate_config or '(vide)' }}
+ +
+

Configuration proxy de l'agent Qualys

+
{{ audit.qualys_proxy_config or '(vide)' }}
+
+

Connectivité console Qualys