lssecurity
Use the lssecurity command to display the current system Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security settings.
Syntax
Parameters
- -delim delimiter
- (Optional) Specify a delimiter to separate data in the output.
- -nohdr
- (Optional) Suppress the headings in the output.
- -iscsihostauthmode 0|1
- 0: Indicates level 0. All the hashing algorithms, MD5, SHA1, SHA2, and SHA3-256 are allowed.
Description
This command displays the current system-wide security settings, including the SSL or TLS and SSH security levels. This table provides the possible values that are displayed for the lssecurity command.
Attribute | Value |
---|---|
sslprotocol | Indicates the current security level setting, a numeric value from 2 to 7. Use these sslprotocol security level settings. |
sshprotocol | Indicates the current security level for SSH, a numeric value of 1 or 2. Use these sshprotocol security level settings. |
gui_timeout_mins | Indicates the number of minutes of inactivity until a browser session expires. The value is in the range 5 - 240. |
cli_timeout_mins | Indicates the number of minutes of inactivity until an SSH session expires. The value is in the range 5 - 240. |
min_password_length | Indicates the minimum number of characters that are required in a new password. The value is in the range 6 - 64. |
password_special_chars | Indicates the minimum number of special characters that are required in any new passwords that are created on the system. A value of 0 means that no special characters are required. The value is in the range 0 - 3. |
password_upper_case | Indicates the minimum number of uppercase characters that are required in any new passwords that are created on the system. A value of 0 means that no uppercase characters are required. The value is in the range 0 - 3. |
password_lower_case | Indicates the minimum number of lowercase characters that are required in any new passwords that are created on the system. A value of 0 means that no lowercase characters are required. The value is in the range 0 - 3. |
password_digits | Indicates the minimum number of digits that are required in any new passwords that are created on the system. A value of 0 means that no numbers are required. The value is in the range 0 - 3. |
check_password_history | Indicates whether password history is checked to prevent a user from reusing a previous password. The value is either yes or no. |
max_password_history | Indicates the number of previous passwords to compare with if checkpasswordhistory is enabled. A value of 0 means that the new password is compared with the current password only. The value is in the range 6 - 10. |
min_password_age_days | Indicates the minimum number of days between password changes. This setting is enforced if checkpasswordhistory is enabled. The value is in the range 0 - 365. |
password_expiry_days | Indicates the number of days before a password expires and must be changed. The value is in the range 0 - 365. |
expiry_warning_days | Indicates the number of days before a password expires that a warning is raised when the user logs in. The value is in the range 0 - 30. |
lockout_period_mins | Indicates the number of minutes a user is locked out for when the number of failed authentication attempts exceeds the max_failed_logins value. The value is in the range 0 - 10080. |
max_failed_login_attempts | Indicates the number of failed logins that cause the account to become locked. The value is in the range 0 - 10. |
superuser_locking | Indicates whether the user locking policy on the system applies to the superuser. The value is either enabled or disabled. |
restapi_timeout_mins | Indicates the total number of minutes of activity until a RESTful API token expires. The value is in the range 10 - 120. |
ssh_grace_time_seconds | Indicates the value of the LoginGraceTime field in the SSHD config. The value is in the range 15 - 1800. |
ssh_max_tries | Indicates the value of the LoginGraceTime setting in the SSHD config. The value is in the range 1 - 10. |
superuser_multi_factor | Indicates if the multi-factor authentication is enabled for the superuser. The value is either yes or no. |
superuser_password_sshkey_required | Indicates whether superuser should provide both password and SSH public key during authentication. The value is either yes or no. |
superuser_gui_disabled | Indicates whether GUI access is disabled for superuser. The value is either yes or no. |
superuser_rest_disabled | Indicates whether REST-API access is disabled for superuser. The value is either yes or no. |
superuser_cim_disabled | Indicates whether CIMOM access is disabled for superuser. The value is either yes or no. |
two_person_integrity_enabled | Indicates whether two person integrity (TPI) is enabled on a system. The value is either yes or no. The default value is no. If two_person_integrity_enabled is yes and two_person_integrity_superuser_locked is no, the system is operating in a state that is inconsistent with TPI operations. In this case, an error event (0989051 - SS_EID_TPI_ENABLED) is logged. |
two_person_integrity_superuser_locked | Indicates whether superuser is locked. It shows a value that is the same as the superuser_locked value from the sainfo lsservicestatus command. |
ssl_protocols_enabled | Indicates the versions of the TLS protocol that are supported by the SSL protocol security level that is currently enabled. |
ssl_protocol_suggested | Indicates whether the system is automatically following the suggested SSL protocol level. |
ssh_protocol_suggested | Indicates whether the system is automatically following the suggested SSH protocol level. |
patch_auto_update | Indicates whether the Patch Auto Updater service is enabled or disabled. |
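
The following is an added example, not part of the original documentation or the product: a Python audit of saved lssecurity output that checks values against the ranges in the table above and flags the inconsistent TPI state the table describes. It assumes the output was captured with -nohdr -delim : and holds one name:value pair per line; the sample text and the site baseline thresholds are constructed for illustration.

```python
# Added example: audit saved `lssecurity -nohdr -delim :` output.
# Assumption: one "name:value" pair per line. SAMPLE below is constructed.
# Documented ranges, copied from the attribute table on this page.
RANGES = {
    "sslprotocol": (2, 7), "sshprotocol": (1, 2),
    "gui_timeout_mins": (5, 240), "cli_timeout_mins": (5, 240),
    "min_password_length": (6, 64), "restapi_timeout_mins": (10, 120),
    "ssh_grace_time_seconds": (15, 1800), "ssh_max_tries": (1, 10),
}
# Hypothetical site baseline (an assumption, not vendor guidance).
MIN_REQUIRED = {"min_password_length": 12}
MAX_ALLOWED = {"gui_timeout_mins": 30, "cli_timeout_mins": 30}
MUST_BE_YES = ("check_password_history", "superuser_multi_factor")

SAMPLE = """sslprotocol:3
sshprotocol:1
gui_timeout_mins:120
cli_timeout_mins:15
min_password_length:8
check_password_history:no
superuser_multi_factor:yes
two_person_integrity_enabled:yes
two_person_integrity_superuser_locked:no
"""

def parse(text, delim=":"):
    """Split each line on the first delimiter; skip lines without one."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(delim)
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def audit(s):
    """Return a list of findings for a parsed settings dict."""
    findings = []
    num = lambda k: int(s[k]) if s.get(k, "").isdigit() else None
    for k, (lo, hi) in RANGES.items():
        if k in s and (num(k) is None or not lo <= num(k) <= hi):
            findings.append(f"{k}={s[k]}: outside documented range {lo}-{hi}")
    for k, need in MIN_REQUIRED.items():
        if num(k) is not None and num(k) < need:
            findings.append(f"{k}={s[k]}: below site minimum {need}")
    for k, cap in MAX_ALLOWED.items():
        if num(k) is not None and num(k) > cap:
            findings.append(f"{k}={s[k]}: above site maximum {cap}")
    findings += [f"{k}=no: site baseline requires yes"
                 for k in MUST_BE_YES if s.get(k) == "no"]
    if (s.get("two_person_integrity_enabled") == "yes"
            and s.get("two_person_integrity_superuser_locked") == "no"):
        findings.append("TPI enabled but superuser not locked (event 0989051)")
    return findings
```

Calling audit(parse(SAMPLE)) returns four findings for the constructed sample; an out-of-range value usually means the capture was parsed with the wrong delimiter.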