lssecurity

Use the lssecurity command to display the current system Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security settings.

Syntax

lssecurity [-nohdr] [-delim delimiter]

Parameters

-nohdr
(Optional) By default, headings are displayed for each column of data in a concise style view, and for each item of data in a detailed style view. The -nohdr parameter suppresses the display of these headings.
Note: If no data exists to be displayed, headings are not displayed.
-delim delimiter
(Optional) By default in a concise view, all columns of data are space-separated. The width of each column is set to the maximum width of each item of data. In a detailed view, each item of data has its own row, and if the headers are displayed, the data is separated from the header by a space. The -delim parameter overrides this behavior. Valid input for the -delim parameter is a 1-byte character. If you enter -delim : on the command line, the colon character (:) separates all items of data in a concise view; for example, the spacing of columns does not occur. In a detailed view, the data is separated from its header by the specified delimiter.

Description

This command displays the current security settings that apply system-wide, including the SSL or TLS and SSH security levels.

This table provides the possible values that are displayed for the lssecurity command.

Table 1. lssecurity attribute values
Attribute Value
sslprotocol Specifies the current security level setting, a numeric value from 2 to 7.
Use these sslprotocol security level settings.
  • 2 - Allows TLS 1.2, but disallows TLS 1.0 and TLS 1.1.
  • 3 - Also disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 - Additionally disallows RSA key exchange ciphers and static key exchange ciphers.
  • 5 (Compatibility mode) - Initially allows TLS 1.3, which is the preferred method of connection. If TLS 1.3 fails, TLS 1.2 is used for connections.
  • 6 - Allows TLS 1.3 and the five ciphers of this level.
  • 7 - Allows TLS 1.3 and a single FIPS cipher.
sshprotocol Specifies the current security level for SSH, a numeric value of 1 or 2.
Use these sshprotocol security level settings.
  • 1 - Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 - Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
  • 3 - Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
gui_timeout_mins Specifies the number of minutes of inactivity until a browser session expires. The value is in the range 5 - 240.
cli_timeout_mins Specifies the number of minutes of inactivity until an SSH session expires. The value is in the range 5 - 240.
min_password_length Specifies the minimum number of characters that are required in a new password. The value is in the range 6 - 64.
password_special_chars Specifies the minimum number of special characters that are required in any new passwords that are created on the system. A value of 0 means that no special characters are required. The value is in the range 0 - 3.
password_upper_case Specifies the minimum number of uppercase characters that are required in any new passwords that are created on the system. A value of 0 means that no uppercase characters are required. The value is in the range 0 - 3.
password_lower_case Specifies the minimum number of lowercase characters that are required in any new passwords that are created on the system. A value of 0 means that no lowercase characters are required. The value is in the range 0 - 3.
password_digits Specifies the minimum number of digits that are required in any new passwords that are created on the system. A value of 0 means that no numbers are required. The value is in the range 0 - 3.
check_password_history Specifies whether password history is checked to prevent a user from reusing a previous password. The value is either yes or no.
max_password_history Specifies the number of previous passwords that a new password is compared against when check_password_history is enabled. A value of 0 means that the new password is compared with the current password only. The value is in the range 6 - 10.
min_password_age_days Specifies the minimum number of days between password changes. This setting is enforced only when check_password_history is enabled. The value is in the range 0 - 365.
password_expiry_days Specifies the number of days before a password expires and must be changed. The value is in the range 0 - 365.
expiry_warning_days Specifies the number of days before a password expires that a warning is raised when the user logs in. The value is in the range 0 - 30.
lockout_period_mins Specifies the number of minutes for which a user is locked out when the number of failed authentication attempts exceeds the max_failed_login_attempts value. The value is in the range 0 - 10080.
max_failed_login_attempts Specifies the number of failed logins that cause the account to become locked. The value is in the range 0 - 10.
superuser_locking Specifies whether the user locking policy on the system applies to the superuser. The value is either enabled or disabled.
restapi_timeout_mins Specifies the total number of minutes of activity until a RESTful API token expires. The value is in the range 10 - 120.
ssh_grace_time_seconds Specifies the value of the LoginGraceTime field in the SSHD config. The value is in the range 15 - 1800.
ssh_max_tries Specifies the value of the LoginGraceTime setting in the SSHD config. The value is in the range 1 - 10.
superuser_multi_factor Specifies if the multi-factor authentication is enabled for the superuser. The value is either yes or no.
superuser_password_sshkey_required Specifies whether the superuser must provide both a password and an SSH public key during authentication. The value is either yes or no.
superuser_gui_disabled Specifies whether GUI access is disabled for superuser. The value is either yes or no.
superuser_rest_disabled Specifies whether REST-API access is disabled for superuser. The value is either yes or no.
superuser_cim_disabled Specifies whether CIMOM access is disabled for superuser. The value is either yes or no.
two_person_integrity_enabled Specifies whether two person integrity (TPI) is enabled on a system. The value is either yes or no. The default value is no. If two_person_integrity_enabled is yes and two_person_integrity_superuser_locked is no, the system is operating in a state that is inconsistent with TPI operations. In this case, an error event (0989051 - SS_EID_TPI_ENABLED) is logged.
two_person_integrity_superuser_locked Specifies whether the superuser is locked. It shows the same value as the superuser_locked value from the sainfo lsservicestatus command.

ssl_protocols_enabled Specifies the versions of the TLS protocol that are supported by the SSL protocol security level that is currently enabled.
ssl_protocol_suggested Specifies whether the system is automatically following the suggested SSL protocol level.
ssh_protocol_suggested Specifies whether the system is automatically following the suggested SSH protocol level.

An invocation example

lssecurity

The resulting output

sslprotocol 3
sshprotocol 1
gui_timeout_mins 30
cli_timeout_mins 15
restapi_timeout_mins 60
min_password_length 8
password_special_chars 0
password_upper_case 0
password_lower_case 0
password_digits 0
check_password_history no
max_password_history 6
min_password_age_days 1
password_expiry_days 0
expiry_warning_days 14
superuser_locking enabled
max_failed_login_attempts 10
lockout_period_mins 1
superuser_multi_factor yes
ssh_grace_time_seconds 900
ssh_max_tries 3
superuser_password_sshkey_required no
superuser_gui_disabled no
superuser_rest_disabled yes
superuser_cim_disabled yes
two_person_integrity_enabled yes
two_person_integrity_superuser_locked yes
ssl_protocols_enabled TLSv1.2:TLSv1.3
ssl_protocol_suggested yes
ssh_protocol_suggested yes
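As an added example, not IBM's code and not part of this reference page, the script below parses the detailed-view output of lssecurity as captured with -delim : and compares it with an illustrative hardening baseline. The baseline thresholds, the sample capture (built from the invocation example above) and the function names parse_lssecurity, audit and tpi_consistent are assumptions for the example; only the attribute semantics come from the page.

```python
"""Parse `lssecurity` output and check it against a hardening baseline.

Added example, not IBM code. Assumes the detailed-view shape shown on the
reference page: one attribute per line, name and value separated by a space
(default) or by the 1-byte delimiter given to -delim. The baseline below is
an illustrative assumption, not an IBM recommendation.
"""
from __future__ import annotations

# Constructed sample: the page's invocation example, as `lssecurity -delim :`
# would print it (the default view uses a space instead of the colon).
SAMPLE_OUTPUT = """\
sslprotocol:3
sshprotocol:1
gui_timeout_mins:30
cli_timeout_mins:15
restapi_timeout_mins:60
min_password_length:8
password_special_chars:0
password_upper_case:0
password_lower_case:0
password_digits:0
check_password_history:no
max_password_history:6
min_password_age_days:1
password_expiry_days:0
expiry_warning_days:14
superuser_locking:enabled
max_failed_login_attempts:10
lockout_period_mins:1
superuser_multi_factor:yes
ssh_grace_time_seconds:900
ssh_max_tries:3
superuser_password_sshkey_required:no
superuser_gui_disabled:no
superuser_rest_disabled:yes
superuser_cim_disabled:yes
two_person_integrity_enabled:yes
two_person_integrity_superuser_locked:yes
ssl_protocols_enabled:TLSv1.2:TLSv1.3
ssl_protocol_suggested:yes
ssh_protocol_suggested:yes
"""


def parse_lssecurity(text: str, delim: str = " ") -> dict[str, str]:
    """Return {attribute: value} from detailed-view output.

    Split on the FIRST delimiter only: a value such as TLSv1.2:TLSv1.3
    contains the ':' delimiter itself and must be kept intact.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, value = line.partition(delim)
        if not sep:
            raise ValueError(f"no delimiter {delim!r} in line {line!r}")
        settings[name] = value
    return settings


# Illustrative baseline (assumption): attribute -> (predicate, why a miss matters).
BASELINE = {
    "sslprotocol": (lambda v: int(v) >= 3, "level below 3 keeps non-1.2-exclusive cipher suites"),
    "sshprotocol": (lambda v: int(v) >= 2, "level 1 still allows group1-sha1 and group-exchange-sha1"),
    "check_password_history": (lambda v: v == "yes", "password reuse is not prevented"),
    "password_expiry_days": (lambda v: 0 < int(v) <= 90, "passwords never expire or expire too slowly"),
    "superuser_locking": (lambda v: v == "enabled", "superuser is exempt from lockout"),
    "superuser_multi_factor": (lambda v: v == "yes", "superuser has no multi-factor authentication"),
    "superuser_gui_disabled": (lambda v: v == "yes", "superuser can log in through the GUI"),
    "superuser_rest_disabled": (lambda v: v == "yes", "superuser can use the REST API"),
    "superuser_cim_disabled": (lambda v: v == "yes", "superuser can use CIMOM"),
    "ssl_protocol_suggested": (lambda v: v == "yes", "not following the suggested SSL level"),
    "ssh_protocol_suggested": (lambda v: v == "yes", "not following the suggested SSH level"),
}


def tpi_consistent(settings: dict[str, str]) -> bool:
    """Page rule: TPI enabled while the superuser is unlocked is inconsistent
    (the system logs event 0989051 - SS_EID_TPI_ENABLED)."""
    return not (settings.get("two_person_integrity_enabled") == "yes"
                and settings.get("two_person_integrity_superuser_locked") == "no")


def audit(settings: dict[str, str]) -> list[str]:
    """Return one finding per baseline miss, plus the TPI consistency check."""
    findings = []
    for attr, (ok, why) in BASELINE.items():
        value = settings.get(attr)
        if value is None:
            findings.append(f"{attr}: missing from output")
        elif not ok(value):
            findings.append(f"{attr}={value}: {why}")
    if not tpi_consistent(settings):
        findings.append("two_person_integrity_enabled=yes but superuser unlocked: inconsistent TPI state")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_lssecurity(SAMPLE_OUTPUT, delim=":")):
        print(finding)
```

Run against the sample capture, the audit reports four misses (sshprotocol 1, check_password_history no, password_expiry_days 0, superuser_gui_disabled no) and no TPI inconsistency. The one parsing detail worth keeping is the single-split on the delimiter: with -delim : the ssl_protocols_enabled value contains colons of its own, so a naive split would silently truncate it to TLSv1.2.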