adminmpmcz/patchcenter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity
249 Commits 1 Branch 2 Tags 7.1 MiB
b55e8d4e26
Commit Graph

249 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Admin MPCZ
b55e8d4e26 Import IODA applications + table qualys_missing_servers 
- Migration deploy/migrations/2026-04-16_ioda_qualys_missing.sql:
  * ALTER applications: 13 colonnes ioda_* (libelle, code_pos, type, statut,
    perimetre, dept_domaine, resp_metier, resp_dsi, nb_components, etc.)
  * Index unique sur ioda_libelle (cle d'upsert idempotente)
  * Nouvelle table qualys_missing_servers avec server_id FK,
    reason_category enum (appliance/ot_scada/virtualisation/oubli/...),
    status (a_traiter/a_enroler/exempt/enrole/decom), priority 1-5,
    trigger updated_at

- tools/import_applications_ioda.py: lit deploy/ServeursAssoci*IODA*.xlsx
  sheet "Services Metiers", upsert sur ioda_libelle

- tools/import_qualys_missing.py: lit deploy/comparaison*.xlsx sheet
  RECAP, filtre col J (COMP1) sans 'Qualys', categorise auto via
  heuristique nom (BAC_/BEU_/... = ot_scada, esx*/vp*esx = virtu,
  presence 3 sources sans Qualys = oubli urgent), lien auto vers
  servers.id si match hostname/fqdn

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-16 13:59:53 +02:00
Admin MPCZ
f1a1ca9c7b Qualys Tags V3: unescape entites XML dans ruleText/name 
Qualys renvoie les entites XML dans ruleText deja echappees (Bip&amp;Go,
&lt;?xml...). Jinja auto-escape les ressortait en double (&amp;lt;...).
Unescape iteratif (jusqu'a 3 passes) pour couvrir le double-escape.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-04-15 15:40:04 +02:00
Admin MPCZ
79a2cc896e Qualys diff: format ISO sans microsec YYYY-MM-DDTHH:MM:SSZ (compat API QPS) 2026-04-15 14:28:57 +02:00
Admin MPCZ
7924e64616 Qualys diff: filtre 'updated' (searchable) au lieu de 'lastCheckedIn' (non recunu API) 2026-04-15 14:06:27 +02:00
Admin MPCZ
8b212df7a1 Qualys 'sans agent': match via server_id (couvre alias hostname Qualys != iTop) 2026-04-15 13:54:07 +02:00
Admin MPCZ
245777fd46 Qualys agents: exclut Win10/11/Workstation de la liste 'Sans agent' 2026-04-15 13:49:05 +02:00
Admin MPCZ
4a5a1f6716 Qualys: bouton Sync complete vert (#22c55e) bien visible 2026-04-15 13:42:58 +02:00
Admin MPCZ
6824fee081 Qualys deploy UI: ActivationId/CustomerId masques (type password) + toggle œil 2026-04-15 13:37:15 +02:00
Admin MPCZ
a3a1ec7e6d Qualys deploy: bouton 'Sauvegarder ces valeurs' (ActivationId/Customer/Uri persistes) 2026-04-15 13:34:24 +02:00
Admin MPCZ
0ebf72d789 Qualys diff sync: sauve le timestamp DES LE DEBUT (resilient si annulation) 2026-04-15 13:29:36 +02:00
Admin MPCZ
5b6e113792 Qualys deploy: filtre s.os_family=linux + retire dropdown OS du UI 2026-04-15 13:18:09 +02:00
Admin MPCZ
206cc813f6 Qualys deploy: simplifie UI = ActivationId Linux uniquement (Windows hidden, persiste backend) 2026-04-15 13:14:23 +02:00
Admin MPCZ
55d08921f9 Qualys deploy: persiste activation_ids/customer/uri en secrets + selection auto Linux/Windows 2026-04-15 13:12:15 +02:00
Admin MPCZ
f59c6dcbdb Qualys deploy: 2 dropdowns ActivationId Linux et Windows (separes) 2026-04-15 13:04:34 +02:00
Admin MPCZ
0095f7914f Qualys deploy: POD SANEF = QG1 par defaut (pas QG2) 2026-04-15 13:00:45 +02:00
Admin MPCZ
2972baca1f Qualys deploy: dropdown ActivationId depuis API + ServerUri auto-deduit URL Qualys 2026-04-15 12:53:18 +02:00
Admin MPCZ
935c8003b4 Qualys sync: retry 3x avec backoff sur erreurs transitoires proxy/reseau 2026-04-15 12:44:49 +02:00
Admin MPCZ
9e03fd84c0 Qualys tags page: bandeau sync en cours + bouton Resync API disable 2026-04-15 12:39:40 +02:00
Admin MPCZ
48249d1c82 Qualys agents page: bandeau sync en cours + boutons sync desactives + bouton Annuler 2026-04-15 12:37:49 +02:00
Admin MPCZ
1dc7560f44 Qualys tags resync: message clair si busy + erreur API detaillee 2026-04-15 12:35:34 +02:00
Admin MPCZ
a62f9a4146 Qualys sync dual mode: diff (rapide, lastCheckedIn) + full (complet) 
- refresh_all_agents accepte mode='diff'|'full' (defaut diff)
- Mode diff: filtre Qualys lastCheckedIn > qualys_last_diff_sync (settings)
- Mode full: pull tous les assets (comme avant)
- Skip early-exit en diff si dernier diff < 5 min
- 2 boutons UI: 'Sync rapide (diff)' et 'Sync complete'
- JS refreshAgents(mode) passe le mode en query param
 2026-04-15 12:33:48 +02:00
Admin MPCZ
55f81de986 Qualys sync: fallback matching par IP integrer si hostname ne match pas 2026-04-15 12:25:27 +02:00
Admin MPCZ
36c638c8ce Add link_qualys_by_ip: lie qualys_assets a servers via IP quand hostname mismatch (cas node3->vdameasxt3) 2026-04-15 12:22:04 +02:00
Admin MPCZ
0dc9b07edd audit _run: retry sans sudo accepte sortie vide (pas containers/failed = OK, pas erreur) 2026-04-15 12:18:35 +02:00
Admin MPCZ
1a1af9e28a Qualys sync multi-pass: filtres SRV/server/SED/SEI/EMV pour couvrir tags heterogenes 2026-04-15 12:17:02 +02:00
Admin MPCZ
2746188f1c audit _run: detection sudo refused plus robuste (accent-insensitive, sudo:, no tty) 2026-04-15 12:12:22 +02:00
Admin MPCZ
2f880da275 Top bar: affiche display_name (Prenom NOM) + (AD) si LDAP + login en gris 2026-04-15 12:00:41 +02:00
Admin MPCZ
67fa28a2af Fix LDAP auto-provision: colonne display_name (pas full_name) 2026-04-15 11:52:20 +02:00
Admin MPCZ
f013aaaab6 LDAP auto-provision: user cree DESACTIVE par defaut + role viewer (admin doit l'activer) 2026-04-15 11:46:22 +02:00
Admin MPCZ
53d4f71607 LDAP: restriction groupe AD + auto-provisioning users (sans permissions) 
- Settings ldap_required_group (DN groupe autorise) + ldap_default_role
- ldap_authenticate verifie memberOf vs required_group avant bind
- auth.py: si user inconnu + LDAP + groupe OK -> auto-create user, role default,
  zero permission (admin doit assigner via /users)
 2026-04-15 11:45:33 +02:00
Admin MPCZ
d72d4a711f Add test_ldap: diagnostic LDAP/AD step-by-step (bind admin + search user + bind user) 2026-04-15 11:21:50 +02:00
Admin MPCZ
bfc996e50e Add SANEF Qualys Tags V3 ref (docx + xlsx) dans deploy/docs/ 
- tools/gen_tags_v3_xlsx.py: generateur Excel (3 sheets: DYN / STAT / Prefixes)
- deploy/docs/SANEF_Qualys_Tags_V3_RuleTypes.docx: reference Word
- deploy/docs/SANEF_Qualys_Tags_V3_RuleTypes.xlsx: reference Excel
 2026-04-15 10:57:46 +02:00
Admin MPCZ
adc8d40df3 Add gen_tags_v3_docx: genere un Word avec tableaux Tag V3/RuleType/Valeur/Couleur 2026-04-15 10:56:30 +02:00
Admin MPCZ
52e859ba08 Sidebar: ajoute liens Tags V3 (vue / catalogue / gap) sous Qualys > Tags 2026-04-15 10:23:58 +02:00
Admin MPCZ
d508072969 Add /qualys/tagsv3/catalog: page de reference nom/type/QQL/couleur par categorie 
- Template catalog.html affiche les 6 categories + prefixes
- Tags avec QQL en font mono user-select:all pour copy-paste facile
- Export JSON dispo via /qualys/tagsv3/catalog.json
- Navigation croisee entre Vue/Catalog/Gap
 2026-04-15 10:20:41 +02:00
Admin MPCZ
ec7712f0c9 Add module Qualys Tags V3: catalogue YAML + service + pages /qualys/tagsv3 et /gap 
- deploy/qualys_tags_v3.yaml: catalogue 19 DYN + 6 SPEC manuel + prefixes
- app/services/qualys_tags_service.py: list/analyze_gap/create_static/delete via API
- app/routers/qualys_tags.py: routes /qualys/tagsv3 et /gap
- templates: qualys_tagsv3.html (liste) + qualys_tagsv3_gap.html (diff catalogue)
- Route /qualys/tagsv3/create-all-static pour creer les STAT manquants en bulk
- DYN manquants affiches avec QQL copy-paste pour console Qualys (API ne permet pas)
- PyYAML ajoute aux requirements
 2026-04-15 10:14:10 +02:00
Admin MPCZ
105a756008 Qualys hostname: retour a priorite name (sauf IP/localhost/vide), fqdn/netbios en fallback 2026-04-15 01:38:56 +02:00
Admin MPCZ
c7291d3e6d Qualys _parse_assets_full: hostname FQDN > NetBIOS > name (fix aussi cette fonction) 2026-04-15 01:20:28 +02:00
Admin MPCZ
71260e20c3 Qualys sync: hostname depuis FQDN > NetBIOS > name (evite troncature display name) 2026-04-15 01:11:08 +02:00
Admin MPCZ
7eb56bc9cd Qualys sync: filtre SRV au lieu de server (matche OS-WIN-SRV/OS-LIN-SRV DYN SANEF v3) 2026-04-15 01:00:37 +02:00
Admin MPCZ
8e085564ac Fix audit.html: {% endif %} manquant pour le bloc active_jobs 2026-04-15 00:32:20 +02:00
Admin MPCZ
7480bbf5ac audit _run: fallback sans sudo si sudoers refuse bash -c (commandes read-only OK sans root) 2026-04-15 00:26:42 +02:00
Admin MPCZ
2a10ec55ab Page /audit: liste les audits en cours avec bouton Reprendre 2026-04-15 00:22:22 +02:00
Admin MPCZ
3c4244597c Audit: ThreadPoolExecutor avec parallel borne (evite saturation DB/PSMP) 2026-04-15 00:20:12 +02:00
Admin MPCZ
48efb07b49 Audit exclusion: match par nom ET code (form UI envoie l'un ou l'autre) 2026-04-15 00:14:39 +02:00
Admin MPCZ
1cc8d42e4a Add fill_domaine_from_weekly: extrait servers.domaine depuis col D des sheets S02..S16 2026-04-15 00:07:55 +02:00
Admin MPCZ
ca4f779e48 Fix audit exclusion: NULL domaine = exclu (evite audit de 690 serveurs non-tagges) 2026-04-15 00:05:16 +02:00
Admin MPCZ
69cedff0fe Fix audit exclusion: match sur servers.domaine OR d.name OR d.code, NULL = non-exclu 
Les serveurs sans domain_env_id (majorite) etaient exclus a tort car
d.code=NULL et 'NULL NOT IN (...)' = NULL. Utilise COALESCE avec la
colonne plain-text s.domaine en priorite.
 2026-04-14 23:59:36 +02:00
Admin MPCZ
596276441b audit realtime: route via PSMP CyberArk si ssh_method=ssh_psmp 
Nouvelle fonction _connect_via_psmp avec auth_interactive Vault Password,
lookup ssh_method par hostname avant _connect. Fallback SSH direct si
PSMP echoue.
 2026-04-14 23:48:00 +02:00
Admin MPCZ
8729b8470b test_psmp: derivation Fernet exacte identique a secrets_service 2026-04-14 23:46:23 +02:00