adminmpmcz/patchcenter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(qualys/agents): test connectivite DIRECT vers qagpublic.qg1.apps.qualys.eu (pod EU1 SANEF) - pas de proxy car agent sort en direct

Browse Source
This commit is contained in:
Pierre & Lumière 2026-04-28 00:26:29 +02:00
parent 9d312f43a3
commit c54ec0ba0c
1 changed files with 24 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
app/services/realtime_audit_service.py
View File

@ -618,27 +618,20 @@ QUALYS_AGENT_CMDS = {
"grep -iE 'http_proxy|https_proxy' /etc/environment 2>/dev/null || echo '(aucune)'"
),
"qualys_connectivity": (
# Proxy SANEF: FQDN puis fallback IP si DNS interne KO
"PROXY=http://proxy.sanef.fr:8080; "
"if ! getent hosts proxy.sanef.fr >/dev/null 2>&1; then "
" PROXY=http://10.40.10.225:8080; "
" echo '(DNS proxy.sanef.fr KO -> fallback IP 10.40.10.225)'; "
"fi; "
"echo \"Proxy utilise: $PROXY\"; echo; "
"for url in https://qualysagent.qualys.eu https://qualysguard.qualys.eu; do "
" echo \"=== $url (via proxy) ===\"; "
# L'agent Qualys SANEF sort en DIRECT (pas via proxy). Endpoint reel: qagpublic.qg1.apps.qualys.eu (pod EU1)
"echo '=== DNS resolution qagpublic.qg1.apps.qualys.eu ==='; "
"(getent hosts qagpublic.qg1.apps.qualys.eu 2>/dev/null || nslookup qagpublic.qg1.apps.qualys.eu 2>/dev/null | tail -3) || echo 'DNS KO'; "
"echo; echo '=== TCP/443 direct vers qagpublic.qg1.apps.qualys.eu (endpoint reel agent) ==='; "
"if command -v curl >/dev/null 2>&1; then "
" curl --connect-timeout 5 -sS -x \"$PROXY\" -o /dev/null -w 'HTTP %{http_code} | %{time_total}s\\n' \"$url\" 2>&1 || echo 'ECHEC via proxy (proxy down ? auth requise ? URL bloquee ?)'; "
" elif command -v wget >/dev/null 2>&1; then "
" https_proxy=$PROXY wget --timeout=5 --tries=1 --spider \"$url\" 2>&1 | grep -E 'response|connecting|failed' | head -3; "
" else "
" echo '(ni curl ni wget disponibles)'; "
" fi; "
"done; "
"echo; echo '=== Test direct sans proxy (info diagnostic) ==='; "
"if command -v curl >/dev/null 2>&1; then "
" curl --connect-timeout 3 -sS -o /dev/null -w 'qualysagent direct: HTTP %{http_code} | %{time_total}s\\n' https://qualysagent.qualys.eu 2>&1 || echo 'route directe KO (normal sur LAN SANEF, sortie via proxy obligatoire)'; "
"fi"
" curl --connect-timeout 5 -sS -o /dev/null -w 'HTTP %{http_code} | IP %{remote_ip} | %{time_total}s\\n' "
" https://qagpublic.qg1.apps.qualys.eu/ 2>&1 || echo 'CONNEXION DIRECTE ECHEC (flux 443 sortant bloque ?)'; "
"elif command -v openssl >/dev/null 2>&1; then "
" timeout 5 openssl s_client -connect qagpublic.qg1.apps.qualys.eu:443 -servername qagpublic.qg1.apps.qualys.eu </dev/null 2>&1 | grep -E 'CONNECTED|verify return|subject=' | head -3 || echo 'openssl FAIL'; "
"else echo '(curl/openssl absents)'; fi; "
"echo; echo '=== Test fallback qualysguard.qualys.eu (console UI) ==='; "
"command -v curl >/dev/null 2>&1 && curl --connect-timeout 5 -sS -o /dev/null -w 'HTTP %{http_code} | %{time_total}s\\n' https://qualysguard.qualys.eu/ 2>&1 || echo 'KO ou curl absent'; "
"echo; echo '=== Connexions actives Qualys (process en cours) ==='; "
"(sudo -n ss -tnp 2>/dev/null || ss -tnp 2>/dev/null) | grep -i qualys | head -5 || echo '(aucune connexion active de l agent Qualys)'"
),
"lvm_info": (
"echo '=== Volume Groups (espace libre dans le VG) ==='; "
@ -757,35 +750,19 @@ def _analyze_qualys_audit(r):
})
# Connectivité KO
if any(k in s_conn for k in ["echec via proxy", "connection refused", "timed out",
"could not resolve", "no route", "unreachable"]):
if any(k in s_conn for k in ["connexion directe echec", "connection refused", "timed out",
"could not resolve", "no route", "unreachable", "dns ko"]):
suggestions.append({
"severity": "high",
"title": "Connectivité Qualys cloud KO",
"fix": "Flux 443 vers Qualys passe via proxy SANEF (http://proxy.sanef.fr:8080, "
"fallback IP 10.40.10.225). Tester :\n"
"curl -v -x http://proxy.sanef.fr:8080 --connect-timeout 5 https://qualysagent.qualys.eu/\n\n"
"Si proxy KO côté infra : ouvrir ticket réseau."
})
# Proxy agent Qualys non configuré
s_pxc = (r.get("qualys_proxy_config") or "").lower()
if s_pxc and "proxy.sanef.fr" not in s_pxc and "10.40.10.225" not in s_pxc:
suggestions.append({
"severity": "high",
"title": "Agent Qualys : proxy SANEF non configuré",
"fix": "L'agent doit utiliser le proxy SANEF pour atteindre qualysagent.qualys.eu.\n\n"
"Méthode 1 — fichier dédié Qualys (recommandé, persiste aux màj agent) :\n"
"echo 'https_proxy=http://proxy.sanef.fr:8080' | sudo tee /etc/qualys/cloud-agent/qagent-proxy.conf\n"
"sudo systemctl restart qualys-cloud-agent\n\n"
"Méthode 2 — drop-in systemd :\n"
"sudo systemctl edit qualys-cloud-agent\n"
"# Ajouter :\n"
"[Service]\n"
"Environment=\"https_proxy=http://proxy.sanef.fr:8080\"\n"
"Environment=\"http_proxy=http://proxy.sanef.fr:8080\"\n"
"# Puis :\n"
"sudo systemctl daemon-reload && sudo systemctl restart qualys-cloud-agent"
"title": "Connectivité Qualys cloud KO (flux direct bloqué)",
"fix": "L'agent Qualys SANEF se connecte EN DIRECT (pas via proxy) à "
"qagpublic.qg1.apps.qualys.eu:443 (pod EU1). Si la connexion échoue :\n\n"
"1. Vérifier route directe sortante 443/TCP depuis ce serveur vers cet endpoint.\n"
"2. Test depuis le serveur :\n"
" curl -v --connect-timeout 5 https://qagpublic.qg1.apps.qualys.eu/\n"
"3. Comparer avec un serveur où l'agent fonctionne (mêmes flux ouverts ?).\n"
"4. Si bloqué côté infra : ouvrir ticket réseau pour ouvrir 443/TCP "
"vers *.apps.qualys.eu (ou IP 64.39.x.x range Qualys EU)."
})
if "certificate verify failed" in s_conn or "ssl" in s_conn and "verify" in s_conn:
suggestions.append({