From b81343d5ca58b501a62f1d4263e00f6f6f1ec54e Mon Sep 17 00:00:00 2001
From: Admin MPCZ
Date: Tue, 28 Apr 2026 00:06:32 +0200
Subject: [PATCH] fix(qualys/agents): test connectivite via proxy SANEF (proxy.sanef.fr:8080, fallback IP 10.40.10.225) + suggestion conf agent
---
 app/services/realtime_audit_service.py | 37 +++++++++++++++++---------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/app/services/realtime_audit_service.py b/app/services/realtime_audit_service.py
index 45243f5..6baba86 100644
--- a/app/services/realtime_audit_service.py
+++ b/app/services/realtime_audit_service.py
@@ -603,19 +603,27 @@ QUALYS_AGENT_CMDS = {
 "(du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || (sudo -n du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || echo '(non lisible)'"
 ),
 "qualys_connectivity": (
+ # Proxy SANEF: FQDN puis fallback IP si DNS interne KO
+ "PROXY=http://proxy.sanef.fr:8080; "
+ "if ! getent hosts proxy.sanef.fr >/dev/null 2>&1; then "
+ " PROXY=http://10.40.10.225:8080; "
+ " echo '(DNS proxy.sanef.fr KO -> fallback IP 10.40.10.225)'; "
+ "fi; "
+ "echo \"Proxy utilise: $PROXY\"; echo; "
 "for url in https://qualysagent.qualys.eu https://qualysguard.qualys.eu; do "
- " echo \"=== $url ===\"; "
+ " echo \"=== $url (via proxy) ===\"; "
 " if command -v curl >/dev/null 2>&1; then "
- " curl --connect-timeout 5 -sS -o /dev/null -w 'HTTP %{http_code} | IP %{remote_ip} | %{time_total}s\\n' \"$url\" 2>&1 || echo 'CONNEXION ECHEC (timeout / DNS / firewall ?)'; "
+ " curl --connect-timeout 5 -sS -x \"$PROXY\" -o /dev/null -w 'HTTP %{http_code} | %{time_total}s\\n' \"$url\" 2>&1 || echo 'ECHEC via proxy (proxy down ? auth requise ? URL bloquee ?)'; "
 " elif command -v wget >/dev/null 2>&1; then "
- " wget --timeout=5 --tries=1 --spider \"$url\" 2>&1 | grep -E 'response|connecting|failed' | head -3; "
- " elif command -v openssl >/dev/null 2>&1; then "
- " host=${url#https://}; "
- " timeout 5 openssl s_client -connect \"$host:443\" -servername \"$host\" &1 | grep -E 'CONNECTED|verify return|subject=' | head -3 || echo 'openssl FAIL'; "
+ " https_proxy=$PROXY wget --timeout=5 --tries=1 --spider \"$url\" 2>&1 | grep -E 'response|connecting|failed' | head -3; "
 " else "
- " echo '(ni curl, ni wget, ni openssl disponibles)'; "
+ " echo '(ni curl ni wget disponibles)'; "
 " fi; "
- "done"
+ "done; "
+ "echo; echo '=== Test direct sans proxy (info diagnostic) ==='; "
+ "if command -v curl >/dev/null 2>&1; then "
+ " curl --connect-timeout 3 -sS -o /dev/null -w 'qualysagent direct: HTTP %{http_code} | %{time_total}s\\n' https://qualysagent.qualys.eu 2>&1 || echo 'route directe KO (normal sur LAN SANEF, sortie via proxy obligatoire)'; "
+ "fi"
 ),
 "system_log": (
 "if command -v journalctl >/dev/null 2>&1; then "
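Review bot: Dropping the `openssl s_client` branch in the middle of the hunk loses the only output that showed the server certificate (`subject=`, `verify return`), and going through the proxy does not require dropping it, because `openssl s_client` has a `-proxy` option; the branch can stay as `" elif command -v openssl >/dev/null 2>&1; then host=${url#https://}; timeout 5 openssl s_client -proxy \"${PROXY#http://}\" -connect \"$host:443\" -servername \"$host\" </dev/null 2>&1 | grep -E 'CONNECTED|verify return|subject=' | head -3 || echo 'openssl FAIL'; "` (the removed line's dangling `&1` looks like a lost `</dev/null 2>&1`). The certificate subject is what tells an operator whether the proxy re-signs TLS, which a curl `HTTP 200` through a trusted interception CA cannot distinguish from a clean tunnel. In the final direct-route test a successful curl is printed without comment, although the message on the failure path states that direct egress is not expected on this LAN; chaining `... https://qualysagent.qualys.eu 2>&1 && echo 'ATTENTION: sortie directe 443 ouverte, le proxy est contourne' || echo 'route directe KO (...)'` would surface an egress-filtering gap instead of burying it in a diagnostic line. The `QUALYS_AGENT_CMDS` literal starts before and continues after this hunk.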
@@ -683,15 +691,18 @@ def _analyze_qualys_audit(r):
 })
 # Connectivité KO
- if any(k in s_conn for k in ["connexion echec", "connection refused", "timed out",
+ if any(k in s_conn for k in ["echec via proxy", "connection refused", "timed out",
 "could not resolve", "no route", "unreachable"]):
 suggestions.append({
 "severity": "high",
 "title": "Connectivité Qualys cloud KO",
- "fix": "Flux sortant 443/TCP bloqué vers qualysagent.qualys.eu et qualysguard.qualys.eu. "
- "Vérifier : pfSense/firewall périmétrique, proxy HTTP(S) si configuré, NAT, "
- "DNS interne (résolution *.qualys.eu). Test depuis le serveur :\n"
- "curl -v --connect-timeout 5 https://qualysagent.qualys.eu/"
+ "fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, "
+ "fallback IP 10.40.10.225). Vérifier :\n"
+ "1. Variables d'env de l'agent : /etc/qualys/cloud-agent/qagent-proxy.conf "
+ "ou systemctl edit qualys-cloud-agent (Environment='https_proxy=http://proxy.sanef.fr:8080')\n"
+ "2. Test depuis le serveur :\n"
+ " curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n"
+ "3. Si proxy KO côté infra : ouvrir ticket réseau"
 })
 if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn:
 suggestions.append({
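Review bot: The updated keyword list only fires on `echec via proxy`, so the DNS-fallback case the command now reports (`(DNS proxy.sanef.fr KO -> fallback IP 10.40.10.225)`) never yields a suggestion, even though the fix text in this same hunk tells the operator to configure the agent with `https_proxy=http://proxy.sanef.fr:8080`, the very FQDN that just failed to resolve on that host: the test passes via the IP while the agent itself would stay offline. Add a separate check on `s_conn` (which appears to be lowercased, since the old keyword `connexion echec` matched an uppercase echo), e.g. `if "dns proxy.sanef.fr ko" in s_conn:` appending a medium-severity suggestion to repair internal DNS or point the agent at the IP. The proxy FQDN and fallback IP are now spelled out in four literals across the two hunks; module-level constants such as `QUALYS_PROXY_URL = "http://proxy.sanef.fr:8080"` and `QUALYS_PROXY_FALLBACK_IP = "10.40.10.225"` formatted into both the shell command and this message would keep them from drifting and keep an internal address out of scattered strings. `_analyze_qualys_audit` starts before this hunk and continues after it.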