adminmpmcz/patchcenter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat(qualys/agents): check conf proxy agent (qagent-proxy.conf, drop-in systemd, sysconfig, /etc/environment) + suggestion config proxy

Browse Source
This commit is contained in:
Pierre & Lumière 2026-04-28 00:20:56 +02:00
parent 191c167423
commit 9d312f43a3
2 changed files with 44 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
app/services/realtime_audit_service.py
View File

@ -602,6 +602,21 @@ QUALYS_AGENT_CMDS = {
"echo; echo '=== Top 5 dossiers /var/log ==='; " "echo; echo '=== Top 5 dossiers /var/log ==='; "
"(du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || (sudo -n du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || echo '(non lisible)'" "(du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || (sudo -n du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || echo '(non lisible)'"
), ),
"qualys_proxy_config": (
"echo '=== /etc/qualys/cloud-agent/qagent-proxy.conf (conf proxy dediee Qualys) ==='; "
"(cat /etc/qualys/cloud-agent/qagent-proxy.conf 2>/dev/null || sudo -n cat /etc/qualys/cloud-agent/qagent-proxy.conf 2>/dev/null) || echo '(absent — proxy non configure ici)'; "
"echo; echo '=== systemd drop-in qualys-cloud-agent.service.d/ ==='; "
"if [ -d /etc/systemd/system/qualys-cloud-agent.service.d ]; then "
" ls /etc/systemd/system/qualys-cloud-agent.service.d/ 2>/dev/null; "
" (cat /etc/systemd/system/qualys-cloud-agent.service.d/*.conf 2>/dev/null || sudo -n cat /etc/systemd/system/qualys-cloud-agent.service.d/*.conf 2>/dev/null) || echo '(non lisible)'; "
"else echo '(pas de dossier drop-in)'; fi; "
"echo; echo '=== systemctl show qualys-cloud-agent (Environment) ==='; "
"(systemctl show qualys-cloud-agent -p Environment 2>/dev/null || sudo -n systemctl show qualys-cloud-agent -p Environment 2>/dev/null) || echo '(systemctl indispo)'; "
"echo; echo '=== /etc/sysconfig/qualys-cloud-agent ==='; "
"(cat /etc/sysconfig/qualys-cloud-agent 2>/dev/null || sudo -n cat /etc/sysconfig/qualys-cloud-agent 2>/dev/null) || echo '(absent)'; "
"echo; echo '=== Variables proxy globales (/etc/environment) ==='; "
"grep -iE 'http_proxy|https_proxy' /etc/environment 2>/dev/null || echo '(aucune)'"
),
"qualys_connectivity": ( "qualys_connectivity": (
# Proxy SANEF: FQDN puis fallback IP si DNS interne KO # Proxy SANEF: FQDN puis fallback IP si DNS interne KO
"PROXY=http://proxy.sanef.fr:8080; " "PROXY=http://proxy.sanef.fr:8080; "
@ -748,12 +763,29 @@ def _analyze_qualys_audit(r):
"severity": "high", "severity": "high",
"title": "Connectivité Qualys cloud KO", "title": "Connectivité Qualys cloud KO",
"fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, " "fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, "
"fallback IP 10.40.10.225). Vérifier :\n" "fallback IP 10.40.10.225). Tester :\n"
"1. Variables d'env de l'agent : /etc/qualys/cloud-agent/qagent-proxy.conf " "curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n\n"
"ou systemctl edit qualys-cloud-agent (Environment='https_proxy=http://proxy.sanef.fr:8080')\n" "Si proxy KO côté infra : ouvrir ticket réseau."
"2. Test depuis le serveur :\n" })
" curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n"
"3. Si proxy KO côté infra : ouvrir ticket réseau" # Proxy agent Qualys non configuré
s_pxc = (r.get("qualys_proxy_config") or "").lower()
if s_pxc and "proxy.sanef.fr" not in s_pxc and "10.40.10.225" not in s_pxc:
suggestions.append({
"severity": "high",
"title": "Agent Qualys : proxy SANEF non configuré",
"fix": "L'agent doit utiliser le proxy SANEF pour atteindre qualysagent.qualys.eu.\n\n"
"Méthode 1 — fichier dédié Qualys (recommandé, persiste aux màj agent) :\n"
"echo 'https_proxy=http://proxy.sanef.fr:8080' | sudo tee /etc/qualys/cloud-agent/qagent-proxy.conf\n"
"sudo systemctl restart qualys-cloud-agent\n\n"
"Méthode 2 — drop-in systemd :\n"
"sudo systemctl edit qualys-cloud-agent\n"
"# Ajouter :\n"
"[Service]\n"
"Environment=\"https_proxy=http://proxy.sanef.fr:8080\"\n"
"Environment=\"http_proxy=http://proxy.sanef.fr:8080\"\n"
"# Puis :\n"
"sudo systemctl daemon-reload && sudo systemctl restart qualys-cloud-agent"
}) })
if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn: if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn:
suggestions.append({ suggestions.append({

6
app/templates/qualys_agent_audit.html
View File

@ -135,6 +135,12 @@
<pre style="background:#0b0f1a;color:#e5e7eb;padding:10px;border-radius:4px;font-size:11px;overflow-x:auto;white-space:pre-wrap">{{ audit.logrotate_config or '(vide)' }}</pre> <pre style="background:#0b0f1a;color:#e5e7eb;padding:10px;border-radius:4px;font-size:11px;overflow-x:auto;white-space:pre-wrap">{{ audit.logrotate_config or '(vide)' }}</pre>
</div> </div>
<!-- Conf proxy de l'agent Qualys -->
<div class="card p-4 mb-4">
<h3 class="text-sm font-bold text-cyber-accent mb-2">Configuration proxy de l'agent Qualys</h3>
<pre style="background:#0b0f1a;color:#e5e7eb;padding:10px;border-radius:4px;font-size:11px;overflow-x:auto;white-space:pre-wrap">{{ audit.qualys_proxy_config or '(vide)' }}</pre>
</div>
<!-- Connectivité console Qualys --> <!-- Connectivité console Qualys -->
<div class="card p-4 mb-4"> <div class="card p-4 mb-4">
<h3 class="text-sm font-bold text-cyber-accent mb-2">Connectivité console Qualys</h3> <h3 class="text-sm font-bold text-cyber-accent mb-2">Connectivité console Qualys</h3>