lssecurity
Use the lssecurity command to display the current system Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security settings.
Syntax
Parameters
- -nohdr
- (Optional) By default, headings are displayed for each column of data in a concise style
view, and for each item of data in a detailed style view. The -nohdr
parameter suppresses the display of these headings. Note: If no data exists to be displayed, headings are not displayed.
- -delim delimiter
- (Optional) By default in a concise view, all columns of data are space-separated. The width
of each column is set to the maximum width of each item of data. In a detailed view, each item
of data has its own row, and if the headers are displayed, the data is separated from the
header by a space. The -delim parameter overrides this behavior. Valid
input for the -delim parameter is a 1-byte character. If you enter
-delim : on the command line, the colon character (:) separates all items of data in a concise view; for example, the spacing of columns does not occur. In a detailed view, the data is separated from its header by the specified delimiter.
Description
This command displays the current system SSL, SSH, or TLS security settings. This table provides the possible values that are displayed for the lssecurity command.
| Attribute | Value |
|---|---|
| sslprotocol | Specifies the current security level setting, a numeric value of 1, 2, 3, or 4. Use these sslprotocol security level settings. Note: You cannot use the management GUI if the sslprotocol value is set to 1 and you are using SSL 3.0 or TLS 1.0. |
| sshprotocol | Specifies the current security level for SSH, a numeric value of 1 or 2. Use these sshprotocol security level settings. |
| gui_timeout_mins | Specifies the number of minutes of inactivity until a browser session expires. The value is in the range 5 - 240. |
| cli_timeout_mins | Specifies the number of minutes of inactivity until an SSH session expires. The value is in the range 5 - 240. |
| min_password_length | Specifies the minimum number of characters that are required in a new password. The value is in the range 6 - 64. |
| password_special_chars | Specifies the minimum number of special characters that are required in any new passwords that are created on the system. A value of 0 means that no special characters are required. The value is in the range 0 - 3. |
| password_upper_case | Specifies the minimum number of uppercase characters that are required in any new passwords that are created on the system. A value of 0 means that no uppercase characters are required. The value is in the range 0 - 3. |
| password_lower_case | Specifies the minimum number of lowercase characters that are required in any new passwords that are created on the system. A value of 0 means that no lowercase characters are required. The value is in the range 0 - 3. |
| password_digits | Specifies the minimum number of digits that are required in any new passwords that are created on the system. A value of 0 means that no numbers are required. The value is in the range 0 - 3. |
| check_password_history | Specifies whether password history is checked to prevent a user from reusing a previous password. The value is either yes or no. |
| max_password_history | Specifies the number of previous passwords to compare with if checkpasswordhistory is enabled. A value of 0 means that the new password is compared with the current password only. The value is in the range 6 - 10. |
| min_password_age_days | Specifies the minimum number of days between password changes. This setting is enforced if checkpasswordhistory is enabled. The value is in the range 0 - 365. |
| password_expiry_days | Specifies the number of days before a password expires and must be changed. The value is in the range 0 - 365. |
| expiry_warning_days | Specifies the number of days before a password expires that a warning is raised when the user logs in. The value is in the range 0 - 30. |
| lockout_period_mins | Specifies the number of minutes a user is locked out for when the number of failed authentication attempts exceeds the max_failed_logins value. The value is in the range 0 - 10080. |
| max_failed_login_attempts | Specifies the number of failed logins that cause the account to become locked. The value is in the range 0 - 10. |
| superuser_locking | Specifies whether the user locking policy on the system applies to the superuser. The value is either enabled or disabled. |
An invocation example
lssecurity
The resulting output
sslprotocol 4
sshprotocol 1
gui_timeout_mins 120
cli_timeout_mins 60
min_password_length 8
password_special_chars 1
password_upper_case 2
password_lower_case 3
password_digits 1
check_password_history yes
max_password_history 6
min_password_age_days 1
password_expiry_days 90
expiry_warning_days 14
lockout_period_mins 1
max_failed_logins 3
superuser_locking disabled
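
The following is an added example, not part of the product documentation: it parses the detailed-view output of `lssecurity -delim :`, checks each value against the ranges listed in the attribute table, and compares the result with a site baseline. The `BASELINE` thresholds, the function names and the sample input are assumptions made for illustration.

```python
import operator

# Ranges and allowed values as documented in the attribute table above.
RANGES = {
    "sslprotocol": (1, 4), "sshprotocol": (1, 2),
    "gui_timeout_mins": (5, 240), "cli_timeout_mins": (5, 240),
    "min_password_length": (6, 64), "password_special_chars": (0, 3),
    "password_upper_case": (0, 3), "password_lower_case": (0, 3),
    "password_digits": (0, 3), "min_password_age_days": (0, 365),
    "password_expiry_days": (0, 365), "expiry_warning_days": (0, 30),
    "lockout_period_mins": (0, 10080),
}
ENUMS = {"check_password_history": ("no", "yes"),
         "superuser_locking": ("disabled", "enabled")}

# ASSUMPTION: a hypothetical site baseline, not a vendor recommendation.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}
BASELINE = [("min_password_length", ">=", 12), ("cli_timeout_mins", "<=", 30),
            ("check_password_history", "==", "yes"), ("superuser_locking", "==", "enabled")]

def parse(text, delim=" "):
    """Parse the detailed view; pass the character that was given to -delim."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(delim)
        if sep:  # skip blank or malformed lines
            value = value.strip()
            settings[name] = int(value) if value.isdigit() else value
    return settings

def audit(settings):
    """Report values outside the documented ranges, then baseline misses."""
    findings = []
    for name, value in settings.items():
        if name in RANGES:
            lo, hi = RANGES[name]
            if not isinstance(value, int) or not lo <= value <= hi:
                findings.append(f"{name}={value}: outside documented range {lo}-{hi}")
        elif name in ENUMS and value not in ENUMS[name]:
            findings.append(f"{name}={value}: expected one of {ENUMS[name]}")
    for name, op, want in BASELINE:
        have = settings.get(name)  # None when the attribute is absent
        if type(have) is not type(want) or not OPS[op](have, want):
            findings.append(f"{name}={have}: baseline requires {op} {want}")
    return findings

# Constructed input in `lssecurity -delim :` form; gui_timeout_mins is deliberately out of range.
SAMPLE = ("sslprotocol:4\nsshprotocol:1\ngui_timeout_mins:300\ncli_timeout_mins:60\n"
          "min_password_length:8\ncheck_password_history:yes\nsuperuser_locking:disabled\n")
if __name__ == "__main__": print(*audit(parse(SAMPLE, ":")), sep="\n")
```

Using a delimiter such as the colon makes the output unambiguous to split; the default space-separated form is handled by calling `parse` without a second argument.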
