fix(qualys/agents): test connectivite via proxy SANEF (proxy.sanef.fr:8080, fallback IP 10.40.10.225) + suggestion conf agent

Pierre & Lumière 2026-04-28 00:06:32 +02:00
parent 71a2927e15
commit b81343d5ca


@ -603,19 +603,27 @@ QUALYS_AGENT_CMDS = {
"(du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || (sudo -n du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || echo '(non lisible)'" "(du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || (sudo -n du -sh /var/log/* 2>/dev/null | sort -rh | head -5) || echo '(non lisible)'"
), ),
"qualys_connectivity": ( "qualys_connectivity": (
"for url in https://qualysagent.qualys.eu https://qualysguard.qualys.eu; do " # Proxy SANEF: FQDN puis fallback IP si DNS interne KO
" echo \"=== $url ===\"; " "PROXY=http://proxy.sanef.fr:8080; "
" if command -v curl >/dev/null 2>&1; then " "if ! getent hosts proxy.sanef.fr >/dev/null 2>&1; then "
" curl --connect-timeout 5 -sS -o /dev/null -w 'HTTP %{http_code} | IP %{remote_ip} | %{time_total}s\\n' \"$url\" 2>&1 || echo 'CONNEXION ECHEC (timeout / DNS / firewall ?)'; " " PROXY=http://10.40.10.225:8080; "
" elif command -v wget >/dev/null 2>&1; then " " echo '(DNS proxy.sanef.fr KO -> fallback IP 10.40.10.225)'; "
" wget --timeout=5 --tries=1 --spider \"$url\" 2>&1 | grep -E 'response|connecting|failed' | head -3; "
" elif command -v openssl >/dev/null 2>&1; then "
" host=${url#https://}; "
" timeout 5 openssl s_client -connect \"$host:443\" -servername \"$host\" </dev/null 2>&1 | grep -E 'CONNECTED|verify return|subject=' | head -3 || echo 'openssl FAIL'; "
" else "
" echo '(ni curl, ni wget, ni openssl disponibles)'; "
"fi; " "fi; "
"done" "echo \"Proxy utilise: $PROXY\"; echo; "
"for url in https://qualysagent.qualys.eu https://qualysguard.qualys.eu; do "
" echo \"=== $url (via proxy) ===\"; "
" if command -v curl >/dev/null 2>&1; then "
" curl --connect-timeout 5 -sS -x \"$PROXY\" -o /dev/null -w 'HTTP %{http_code} | %{time_total}s\\n' \"$url\" 2>&1 || echo 'ECHEC via proxy (proxy down ? auth requise ? URL bloquee ?)'; "
" elif command -v wget >/dev/null 2>&1; then "
" https_proxy=$PROXY wget --timeout=5 --tries=1 --spider \"$url\" 2>&1 | grep -E 'response|connecting|failed' | head -3; "
" else "
" echo '(ni curl ni wget disponibles)'; "
" fi; "
"done; "
"echo; echo '=== Test direct sans proxy (info diagnostic) ==='; "
"if command -v curl >/dev/null 2>&1; then "
" curl --connect-timeout 3 -sS -o /dev/null -w 'qualysagent direct: HTTP %{http_code} | %{time_total}s\\n' https://qualysagent.qualys.eu 2>&1 || echo 'route directe KO (normal sur LAN SANEF, sortie via proxy obligatoire)'; "
"fi"
), ),
"system_log": ( "system_log": (
"if command -v journalctl >/dev/null 2>&1; then " "if command -v journalctl >/dev/null 2>&1; then "
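Review bot: The proxied curl call (`curl --connect-timeout 5 -sS -x \"$PROXY\" ...`) bounds only the TCP connect to the proxy, not the CONNECT tunnel or the response, so a proxy that accepts the connection and then stalls would hang the whole diagnostic command; add a total bound, e.g. `curl --connect-timeout 5 --max-time 15 -sS -x \"$PROXY\" -o /dev/null ...` (wget's `--timeout=5` already covers read time). The "Test direct sans proxy" block is not actually direct if the invoking environment exports `https_proxy`/`HTTPS_PROXY`, which curl honours by default; pass `--noproxy '*'` on that line so the result reflects the path it claims to test. The `getent hosts` check also falls back to the raw IP whenever `getent` itself is absent (some minimal images lack it), which the echo would misreport as a DNS failure — consider guarding with `command -v getent` or adjusting the message. Finally, the proxy FQDN and fallback IP are repeated verbatim in the `_analyze_qualys_audit` fix text below; lifting them into module-level constants (placeholder names `QUALYS_PROXY_FQDN`, `QUALYS_PROXY_FALLBACK_IP`) would keep the diagnostic and the suggestion from drifting apart. The enclosing `QUALYS_AGENT_CMDS` dict starts and ends outside this hunk.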
@ -683,15 +691,18 @@ def _analyze_qualys_audit(r):
}) })
# Connectivité KO # Connectivité KO
if any(k in s_conn for k in ["connexion echec", "connection refused", "timed out", if any(k in s_conn for k in ["echec via proxy", "connection refused", "timed out",
"could not resolve", "no route", "unreachable"]): "could not resolve", "no route", "unreachable"]):
suggestions.append({ suggestions.append({
"severity": "high", "severity": "high",
"title": "Connectivité Qualys cloud KO", "title": "Connectivité Qualys cloud KO",
"fix": "Flux sortant 443/TCP bloqué vers qualysagent.qualys.eu et qualysguard.qualys.eu. " "fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, "
"Vérifier : pfSense/firewall périmétrique, proxy HTTP(S) si configuré, NAT, " "fallback IP 10.40.10.225). Vérifier :\n"
"DNS interne (résolution *.qualys.eu). Test depuis le serveur :\n" "1. Variables d'env de l'agent : /etc/qualys/cloud-agent/qagent-proxy.conf "
"curl -v --connect-timeout 5 https://qualysagent.qualys.eu/" "ou systemctl edit qualys-cloud-agent (Environment='https_proxy=http://proxy.sanef.fr:8080')\n"
"2. Test depuis le serveur :\n"
" curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n"
"3. Si proxy KO côté infra : ouvrir ticket réseau"
}) })
if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn: if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn:
suggestions.append({ suggestions.append({