ansible-lockdown / AMAZON2023-CIS

Ansible role for Amazon2023 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

The variable "amzn2023cis_authselect['options']" is not used anywhere #82

Open darrais opened 2 months ago

darrais commented 2 months ago

Describe the Issue
The variable amzn2023cis_authselect['options'] is not used anywhere.

Expected Behavior
If choosing to use a custom authselect profile, the user should be able to define the options to include, providing greater flexibility to the playbook.

Actual Behavior
Currently, the custom authselect profile selection includes only the with-faillock option. Although this is aligned with requirement 4.4.2, it hinders the ability of the user to include other options.

Control(s) Affected
4.4.1 and 4.4.2

Environment

Possible Solution
A possible solution is to change the shell command of the 3rd task in the rule block 4.4.2 (this) to include the variable amzn2023cis_authselect['options']. This will allow the user to append additional options to the authselect select command (and, possibly, even overwrite the with-faillock option that is currently being set).

For example, the task mentioned could be changed to:

```yaml
- name: "4.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
  ansible.builtin.shell: "authselect select custom/{{ amzn2023cis_authselect['custom_profile_name'] }} {{ amzn2023cis_authselect['options'] }}"
  when: amzn2023cis_authselect_custom_profile_select
```

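As an added example, not code from the AMAZON2023-CIS role or from either commenter, the following playbook fragment shows how the proposed `amzn2023cis_authselect['options']` variable could be consumed while still guarding control 4.4.2, since the issue notes that a free-form options string could also drop with-faillock. The variable names are those from the issue; the profile name, the assert task and the post-check on `authselect current` are assumptions.

```yaml
# Added example (not the role's own code): consume amzn2023cis_authselect['options']
# without letting an operator-supplied option set silently regress control 4.4.2.
- name: Example | custom authselect profile with operator-defined options
  hosts: all
  become: true
  vars:
    amzn2023cis_authselect_custom_profile_select: true
    amzn2023cis_authselect:
      custom_profile_name: custom-profile        # hypothetical profile name
      # Space-separated authselect features; with-faillock is listed explicitly
      # so the 4.4.2 requirement stays visible in the vars file.
      options: "with-faillock with-sudo"
  tasks:
    - name: "4.4.2 | AUDIT | Refuse option sets that drop with-faillock"
      ansible.builtin.assert:
        that:
          - "'with-faillock' in (amzn2023cis_authselect['options'] | default('')).split()"
        fail_msg: >-
          amzn2023cis_authselect['options'] must include with-faillock to satisfy
          control 4.4.2 (current value: '{{ amzn2023cis_authselect['options'] | default('') }}')
      when: amzn2023cis_authselect_custom_profile_select

    # command (not shell) is enough here: no pipes or globbing are needed,
    # and an empty/undefined options value falls back to with-faillock only.
    - name: "4.4.2 | PATCH | Select custom profile with operator-defined options"
      ansible.builtin.command: >-
        authselect select custom/{{ amzn2023cis_authselect['custom_profile_name'] }}
        {{ amzn2023cis_authselect['options'] | default('with-faillock', true) }}
      when: amzn2023cis_authselect_custom_profile_select

    # Post-check: authselect current lists the profile id and its enabled features,
    # so the run fails if with-faillock is not actually active after selection.
    - name: "4.4.2 | AUDIT | Confirm with-faillock is active in the selected profile"
      ansible.builtin.command: authselect current
      register: authselect_current
      changed_when: false
      failed_when: "'with-faillock' not in authselect_current.stdout"
      when: amzn2023cis_authselect_custom_profile_select
```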
uk-bolly commented 1 month ago

hi @darrais

Excellent catch, that is exactly how it was supposed to be to enable you to add your own options if required. I am adding this to the next PR which will hopefully be merged this week.

Many thanks for feeding this back

uk-bolly