
Need win_shell to run with elevated privileges #68086

Closed
aadams26 opened this issue Mar 6, 2020 · 7 comments
Labels
affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. module This issue/PR relates to a module. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community

Comments

@aadams26

aadams26 commented Mar 6, 2020

SUMMARY

Need win_shell to run local ps1 script file as elevated to modify file located in C:\Program Files.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

win_shell

ANSIBLE VERSION
ansible 2.9.5
  config file = /home/aadams/qradar/ansible/ansible.cfg
  configured module search path = ['/home/aadams/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
CACHE_PLUGIN(/home/aadams/qradar/ansible/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/home/aadams/qradar/ansible/ansible.cfg) = ./facts_cache
CACHE_PLUGIN_TIMEOUT(/home/aadams/qradar/ansible/ansible.cfg) = 864000
DEFAULT_FORKS(/home/aadams/qradar/ansible/ansible.cfg) = 100
DEFAULT_GATHERING(/home/aadams/qradar/ansible/ansible.cfg) = smart
DEFAULT_HOST_LIST(/home/aadams/qradar/ansible/ansible.cfg) = ['/home/aadams/qradar/ansible/inventory']
DEFAULT_LOG_PATH(/home/aadams/qradar/ansible/ansible.cfg) = /home/aadams/qradar/ansible/ansible.log
DEFAULT_NO_LOG(/home/aadams/qradar/ansible/ansible.cfg) = False
DEFAULT_TIMEOUT(/home/aadams/qradar/ansible/ansible.cfg) = 30
HOST_KEY_CHECKING(/home/aadams/qradar/ansible/ansible.cfg) = False
INVENTORY_ENABLED(/home/aadams/qradar/ansible/ansible.cfg) = ['yaml', 'constructed', 'ini']
OS / ENVIRONMENT

Ansible host:
CentOS 7

Target host:
Windows Server 2012

STEPS TO REPRODUCE

Authentication. NOTE user has local administrative privileges - part of 'Administrators' group.

vars:
        ansible_connection: winrm
        ansible_port: 5985
        ansible_user: someuser
        ansible_password: supersecretpw
        ansible_winrm_scheme: http
        ansible_winrm_server_cert_validation: ignore
        ansible_winrm_message_encryption: auto
        ansible_winrm_transport: credssp

Playbook

- hosts: host.domain.gov
  tasks:
    - name: Install WinCollect
      import_tasks: roles/rsyslog/tasks/windowsWinCollectInstallation.yml
      when: ansible_os_family == "Windows"

Imported task

- name: Transfer WinCollectConfig PowerShell Script
  win_copy:
    src: ../files/winCollectConfig.ps1
    dest: C:\Windows\Temp\winCollectConfig.ps1

- name: Modify WinCollect Config File
  win_shell: C:\Windows\Temp\winCollectConfig.ps1 -logSource {{ ansible_fqdn }}
  ignore_errors: true
EXPECTED RESULTS

Configuration update done through ps1 file should reflect in the WinCollect Configuration Console the way it does when running the script locally via RDP.

ACTUAL RESULTS

Configurations do not go through. I believe that this is because xml.save is unable to save to the file in C:\Program Files in spite of the user being part of the 'administrators' group. When I run this script locally I am able to see the changes no problem by running powershell as administrator and running the script file.

ansible-playbook 2.9.5
  config file = /home/aadams/qradar/ansible/ansible.cfg
  configured module search path = ['/home/aadams/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/aadams/qradar/ansible/ansible.cfg as config file
Parsed /home/aadams/qradar/ansible/inventory/00-linux.yml inventory source with yaml plugin
Parsed /home/aadams/qradar/ansible/inventory/00-other.yml inventory source with yaml plugin
Parsed /home/aadams/qradar/ansible/inventory/00-windows.yml inventory source with yaml plugin
Parsed /home/aadams/qradar/ansible/inventory/10-allHosts.yml inventory source with yaml plugin
Parsed /home/aadams/qradar/ansible/inventory/20-passwords.yml inventory source with yaml plugin
Parsed /home/aadams/qradar/ansible/inventory/90-constructed.yml inventory source with constructed plugin
statically imported: /home/aadams/qradar/ansible/roles/rsyslog/tasks/windowsWinCollectInstallation.yml

PLAYBOOK: rsyslog-wincollect.yml ************************************************************************************************************************************************************************************************************
1 plays in rsyslog-wincollect.yml

PLAY [host.domain.gov] *********************************************************************************************************************************************************************************************************
META: ran handlers

[...]

TASK [Transfer WinCollectConfig PowerShell Script] ******************************************************************************************************************************************************************************************
task path: /home/aadams/qradar/ansible/roles/rsyslog/tasks/windowsWinCollectInstallation.yml:69
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/windows/win_copy.ps1
Pipelining is enabled.
<host.domain.gov> ESTABLISH WINRM CONNECTION FOR USER: someuser on PORT 5985 TO host.domain.gov
EXEC (via pipeline wrapper)
EXEC (via pipeline wrapper)
<host.domain.gov> PUT "/home/aadams/qradar/ansible/roles/rsyslog/files/winCollectConfig.ps1" TO "C:\Users\someuser\AppData\Local\Temp\ansible-tmp-1583519948.4458473-54926114791427\source"
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/windows/win_copy.ps1
Pipelining is enabled.
EXEC (via pipeline wrapper)
EXEC (via pipeline wrapper)
changed: [host.domain.gov] => {
    "changed": true,
    "checksum": "38ee1c6a29e831b6ff96cf7cdb19e2b50cbea806",
    "dest": "C:\\Windows\\Temp\\winCollectConfig.ps1",
    "operation": "file_copy",
    "original_basename": "winCollectConfig.ps1",
    "size": 10903,
    "src": "../files/winCollectConfig.ps1"
}

TASK [Modify WinCollect Config File] ********************************************************************************************************************************************************************************************************
task path: /home/aadams/qradar/ansible/roles/rsyslog/tasks/windowsWinCollectInstallation.yml:74
Using module file /usr/local/lib/python3.6/site-packages/ansible/modules/windows/win_shell.ps1
Pipelining is enabled.
<host.domain.gov> ESTABLISH WINRM CONNECTION FOR USER: someuser on PORT 5985 TO host.domain.gov
EXEC (via pipeline wrapper)
changed: [host.domain.gov] => {
    "changed": true,
    "cmd": "C:\\Windows\\Temp\\winCollectConfig.ps1 -logSource host.domain.gov",
    "delta": "0:00:00.813370",
    "end": "2020-03-06 06:39:14.756616",
    "rc": 0,
    "start": "2020-03-06 06:39:13.943246",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "\r\nvalue                                   name                                   \r\n-----                                   ----                                   \r\ndhsie                                   Login.Domain                           \r\nsvc_qradar                              Login.Username                         \r\nZyhXmvOp1Nz7sEis3l/nvJjB4TY6zwR1gzBu... Login.Password                         \r\n-1156266728                             Login.Handle                           \r\nBASE64:RSA1024/SHA1:CLEAR               Login.Password.Algorithm               \r\n                                        Environment                            \r\n                                        svc_qradar                             \r\n1000000                                 QueueHighWaterMark                     \r\n750000                                  QueueLowWaterMark                      \r\n10                                      DataChunkPeriod                        \r\n500000                                  DataProcessingPeriod                   \r\nfalse                                   Schedule.Invert                        \r\ntrue                                    Schedule.Enable                        \r\n                                        Environment                            \r\n5000                                    EventThrottleInEPS                     \r\n                                        Environment                            \r\n                                        Environment                            \r\n10.150.202.11                           TargetAddress                          \r\n6514                                    TargetPort                             \r\nLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t... Certificate                            \r\n                                        Environment                            \r\n                                        Module                                 \r\n                                        Module                                 \r\n                                        Module                                 \r\n                                        Module                                 \r\n                                        QRadar Collector                       \r\n{host.domain.gov}{QRada... AddRoute                               \r\n\r\n\r\n",
    "stdout_lines": [
        "",
        "value                                   name                                   ",
        "-----                                   ----                                   ",
        "dhsie                                   Login.Domain                           ",
        "svc_qradar                              Login.Username                         ",
        "ZyhXmvOp1Nz7sEis3l/nvJjB4TY6zwR1gzBu... Login.Password                         ",
        "-1156266728                             Login.Handle                           ",
        "BASE64:RSA1024/SHA1:CLEAR               Login.Password.Algorithm               ",
        "                                        Environment                            ",
        "                                        svc_qradar                             ",
        "1000000                                 QueueHighWaterMark                     ",
        "750000                                  QueueLowWaterMark                      ",
        "10                                      DataChunkPeriod                        ",
        "500000                                  DataProcessingPeriod                   ",
        "false                                   Schedule.Invert                        ",
        "true                                    Schedule.Enable                        ",
        "                                        Environment                            ",
        "5000                                    EventThrottleInEPS                     ",
        "                                        Environment                            ",
        "                                        Environment                            ",
        "10.150.202.11                           TargetAddress                          ",
        "6514                                    TargetPort                             ",
        "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t... Certificate                            ",
        "                                        Environment                            ",
        "                                        Module                                 ",
        "                                        Module                                 ",
        "                                        Module                                 ",
        "                                        Module                                 ",
        "                                        QRadar Collector                       ",
        "{host.domain.gov}{QRada... AddRoute                               ",
        "",
        ""
    ]
}
@ansibot
Contributor

ansibot commented Mar 6, 2020

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot
Contributor

ansibot commented Mar 6, 2020

@ansibot ansibot added affects_2.9 This issue/PR affects Ansible v2.9 bug This issue/PR relates to a bug. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. windows Windows community labels Mar 6, 2020
@ShachafGoldstein
Contributor

There are no errors in the output, it could be an error with double hop or something in the script itself.

@ansibot ansibot removed the needs_triage Needs a first human triage before being processed. label Mar 6, 2020
@jborean93
Contributor

Is This A Bug?

Hi!

Thanks very much for your submission to Ansible. It sincerely means a lot to us.

We're not sure this is a bug, and we don't mean for this to be confrontational. Let's explain what we're thinking:

  • Ansible runs with the highest privilege available to the user. To verify this, just run whoami.exe /all and you will see the user is a member of the Administrators group and has a High Mandatory Label.
  • As @ShachafGoldstein has stated there is no error in your output so we can't really see what is going wrong
  • Typically access denied errors occur when you try and access a network resource like a fileshare. This is due to the double hop problem with WinRM where it doesn't have access to your credentials so it cannot auth with any servers

The fix for the double hop problem as well as some other less common permissions issues with WinRM normally is to either use CredSSP or Kerberos with credential delegation auth, or use become on the task as documented at https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#limitations.

As such, we're going to close this ticket. However, we're open to being corrected, should you wish to discuss. You can stop by one of our two mailing lists to talk about this and we might be persuaded otherwise.

Comments on closed tickets aren't something we monitor, so if you do disagree with this, a mailing list thread is probably appropriate.

Thank you once again for this and your interest in Ansible!
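The two checks suggested in this reply (whoami.exe /all for the integrity label, and whether the session can actually write under C:\Program Files) can be run as one probe through the same win_shell task before or after the real script. The script below is an added example written for this thread; it is not code from the issue, from the reporter's winCollectConfig.ps1, or from Ansible. It assumes English-language whoami.exe output (the "Mandatory Level" string is localized on non-English systems), and the probe file name win_shell_probe.tmp is made up. It also reports the difference between PowerShell's $PWD and the .NET process working directory, because an [xml] object's .Save() with a relative path resolves against the latter, which in a WinRM session is not the folder the script lives in, so a "successful" save can land somewhere other than the file under C:\Program Files.

```powershell
# Added probe for this thread (not part of the issue or of Ansible).
# Run it via win_shell, with and without become/runas, and compare
# the output with the same script run interactively as administrator.
$ErrorActionPreference = 'Stop'   # make every error terminating so it is visible in stderr

# 1. Identity, admin role and elevation state of the token the session holds.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
$isAdmin   = $principal.IsInRole($adminRole)   # true only for an unfiltered (elevated) admin token

# 2. Integrity label, as jborean93 suggests reading it from whoami.exe.
#    'High Mandatory Level' is the elevated admin token; 'Medium' is a UAC-filtered one.
#    Assumes English whoami.exe output.
$labelLine = (whoami.exe /groups | Select-String 'Mandatory Level' | Select-Object -First 1).Line
$integrity = if ($labelLine) { ($labelLine -replace '\s{2,}.*$', '') } else { 'unknown' }

# 3. Can this session create and delete a file under C:\Program Files?
#    Probe file name is made up; it is removed again on success.
$probe = Join-Path $env:ProgramFiles 'win_shell_probe.tmp'
try {
    [System.IO.File]::WriteAllText($probe, 'probe')
    Remove-Item -LiteralPath $probe -Force
    $writeOk  = $true
    $writeErr = $null
} catch {
    $writeOk  = $false
    $writeErr = $_.Exception.Message
}

# 4. Working-directory mismatch: [xml].Save('relative.xml') uses the .NET CWD,
#    not $PWD, so a relative path in the config script may write somewhere unexpected.
$report = [pscustomobject]@{
    User              = $identity.Name
    IsAdminRole       = $isAdmin
    IntegrityLevel    = $integrity
    PowerShellPwd     = $PWD.Path
    DotNetCwd         = [Environment]::CurrentDirectory
    ProgramFilesWrite = $writeOk
    WriteError        = $writeErr
}
$report | Format-List

# Non-zero exit so an Ansible task without ignore_errors fails loudly when the
# session cannot write where the config script needs to.
if (-not $writeOk) { exit 1 }
```

If ProgramFilesWrite is True and IntegrityLevel shows High, the WinRM session is not the problem and the config script itself (its paths, its error handling, or the file being held by WinCollect) is where to look; if the write fails only without become, the runas step in the thread is the fix. Keeping ignore_errors off for the real task, and setting $ErrorActionPreference = 'Stop' inside the script, turns the silent rc 0 seen in the issue's output into a visible failure.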

@aadams26
Author

aadams26 commented Mar 6, 2020

@ShachafGoldstein thanks for the quick response. I just tried to see if it was a double hop issue by adding the following:

  become: yes
  become_method: runas
  vars:
    ansible_become_user: '{{ ansible_user }}'
    ansible_become_pass: '{{ ansible_password }}'

But still not updating config file. I ran the script locally instead and it updates configs that way. Do you know what else it could be?

@jhawkesworth
Contributor

@aadams26 would rather chat about this on irc or ansible-project google group rather than a closed ticket, but does something else already have the file open?

@aadams26
Author

aadams26 commented Mar 6, 2020

@jhawkesworth Hi, thank you. I have already posted here: https://groups.google.com/forum/#!topic/ansible-project/2MPbadVGBcs

And no, the file is not open; it is ported over using ansible and then immediately deleted once complete. In order to test that it was successfully working I simply transferred the file and ran it manually. It works perfectly when running powershell as admin.

@ansible ansible locked and limited conversation to collaborators Apr 3, 2020