lssecurity

Use the lssecurity command to display the current system Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security settings.

Syntax

svcinfo lssecurity [-iscsihostauthmode 0|1]

Parameters

-delim delimiter
(Optional) Specify a delimiter to separate data in the output.
-nohdr
(Optional) Suppress the headings in the output.
-iscsihostauthmode 0|1
0: Indicates level 0. All the hashing algorithms (MD5, SHA1, SHA2, and SHA3-256) are allowed.
1: Indicates level 1. Only SHA2 and SHA3-256 are allowed.

Description

This command displays the current security settings for the whole system, including the SSL or TLS and SSH security levels.

This table provides the possible values that are displayed for the lssecurity command.

Table 1. lssecurity attribute values
Attribute Value
sslprotocol Indicates the current security level setting, a numeric value from 2 to 7.
Use these sslprotocol security level settings.
  • 2 - Allows TLS 1.2, but disallows TLS 1.0 and TLS 1.1.
  • 3 - Also disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 - Additionally disallows RSA key exchange ciphers and static key exchange ciphers.
  • 5 (Compatibility mode) - Initially allows TLS 1.3, which is the preferred method of connection. If TLS 1.3 fails, TLS 1.2 is used for connections.
  • 6 - Allows TLS 1.3 and the five ciphers of this level.
  • 7 - Allows TLS 1.3 and a single FIPS cipher.
sshprotocol Indicates the current security level for SSH, a numeric value of 1 or 2.
Use these sshprotocol security level settings.
  • 1 - Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 - Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
  • 3 - Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
gui_timeout_mins Indicates the number of minutes of inactivity until a browser session expires. The value is in the range 5 - 240.
cli_timeout_mins Indicates the number of minutes of inactivity until an SSH session expires. The value is in the range 5 - 240.
min_password_length Indicates the minimum number of characters that are required in a new password. The value is in the range 6 - 64.
password_special_chars Indicates the minimum number of special characters that are required in any new passwords that are created on the system. A value of 0 means that no special characters are required. The value is in the range 0 - 3.
password_upper_case Indicates the minimum number of uppercase characters that are required in any new passwords that are created on the system. A value of 0 means that no uppercase characters are required. The value is in the range 0 - 3.
password_lower_case Indicates the minimum number of lowercase characters that are required in any new passwords that are created on the system. A value of 0 means that no lowercase characters are required. The value is in the range 0 - 3.
password_digits Indicates the minimum number of digits that are required in any new passwords that are created on the system. A value of 0 means that no numbers are required. The value is in the range 0 - 3.
check_password_history Indicates whether password history is checked to prevent a user from reusing a previous password. The value is either yes or no.
max_password_history Indicates the number of previous passwords to compare with if checkpasswordhistory is enabled. A value of 0 means that the new password is compared with the current password only. The value is in the range 6 - 10.
min_password_age_days Indicates the minimum number of days between password changes. This setting is enforced if checkpasswordhistory is enabled. The value is in the range 0 - 365.
password_expiry_days Indicates the number of days before a password expires and must be changed. The value is in the range 0 - 365.
expiry_warning_days Indicates the number of days before a password expires that a warning is raised when the user logs in. The value is in the range 0 - 30.
lockout_period_mins Indicates the number of minutes a user is locked out for when the number of failed authentication attempts exceeds the max_failed_logins value. The value is in the range 0 - 10080.
max_failed_login_attempts Indicates the number of failed logins that cause the account to become locked. The value is in the range 0 - 10.
superuser_locking Indicates whether the user locking policy on the system applies to the superuser. The value is either enabled or disabled.
restapi_timeout_mins Indicates the total number of minutes of activity until a RESTful API token expires. The value is in the range 10 - 120.
ssh_grace_time_seconds Indicates the value of the LoginGraceTime field in the SSHD config. The value is in the range 15 - 1800.
ssh_max_tries Indicates the value of the LoginGraceTime setting in the SSHD config. The value is in the range 1 - 10.
superuser_multi_factor Indicates if the multi-factor authentication is enabled for the superuser. The value is either yes or no.
superuser_password_sshkey_required Indicates whether superuser should provide both password and SSH public key during authentication. The value is either yes or no.
superuser_gui_disabled Indicates whether GUI access is disabled for superuser. The value is either yes or no.
superuser_rest_disabled Indicates whether REST-API access is disabled for superuser. The value is either yes or no.
superuser_cim_disabled Indicates whether CIMOM access is disabled for superuser. The value is either yes or no.
two_person_integrity_enabled Indicates whether two-person integrity (TPI) is enabled on a system. The value is either yes or no. The default value is no. If two_person_integrity_enabled is yes and two_person_integrity_superuser_locked is no, the system is operating in a state that is inconsistent with TPI operations. In this case, an error event (0989051 - SS_EID_TPI_ENABLED) is logged.
two_person_integrity_superuser_locked Indicates whether superuser is locked. It shows the same value as the superuser_locked value from the sainfo lsservicestatus command.
ssl_protocols_enabled Indicates the versions of the TLS protocol that are supported by the SSL protocol security level that is currently enabled.
ssl_protocol_suggested Indicates whether the system is automatically following the suggested SSL protocol level.
ssh_protocol_suggested Indicates whether the system is automatically following the suggested SSH protocol level.
patch_auto_update Indicates whether the Patch Auto Updater service is enabled or disabled.
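As an added example (not IBM's code and not part of this reference), the following Python script parses the output of svcinfo lssecurity -delim : into a dictionary, derives the enabled TLS versions and any remaining SHA-1 key exchange methods from the sslprotocol and sshprotocol levels described in the table, flags the TPI inconsistency the table mentions, and compares the settings against a hardening baseline. The sample output, the baseline thresholds and the function names are constructed for this example; the thresholds are this example's assumptions, not values this page recommends.

```python
"""Parse `svcinfo lssecurity -delim :` output and check it against a hardening
baseline. Added example; not IBM's code. Sample output, thresholds and function
names are this example's own."""

# Constructed sample of `svcinfo lssecurity -delim :` output (not captured from a
# real system): one attribute:value pair per line.
SAMPLE_OUTPUT = """\
sslprotocol:3
sshprotocol:2
gui_timeout_mins:120
cli_timeout_mins:120
min_password_length:6
password_special_chars:0
check_password_history:no
max_password_history:0
min_password_age_days:0
password_expiry_days:0
expiry_warning_days:0
lockout_period_mins:0
max_failed_login_attempts:0
superuser_locking:disabled
restapi_timeout_mins:60
ssh_grace_time_seconds:120
ssh_max_tries:6
superuser_multi_factor:no
superuser_password_sshkey_required:no
superuser_gui_disabled:no
superuser_rest_disabled:no
superuser_cim_disabled:no
two_person_integrity_enabled:no
two_person_integrity_superuser_locked:no
ssl_protocols_enabled:TLSv1.2
ssl_protocol_suggested:no
ssh_protocol_suggested:no
patch_auto_update:disabled
"""

# TLS versions each sslprotocol level permits, from the level descriptions above.
TLS_BY_SSL_LEVEL = {2: ("1.2",), 3: ("1.2",), 4: ("1.2",),
                    5: ("1.3", "1.2"), 6: ("1.3",), 7: ("1.3",)}

# Key exchange methods still permitted at each sshprotocol level that rely on
# SHA-1 (or the 1024-bit group1), from the per-level lists above.
SHA1_KEX_BY_SSH_LEVEL = {
    1: ("diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
        "diffie-hellman-group-exchange-sha1"),
    2: ("diffie-hellman-group14-sha1",),
    3: (),
}


def parse_lssecurity(text, delim=":"):
    """Return {attribute: value}. With delim=None, split on the first run of
    whitespace, which handles output produced without -delim."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1) if delim is None else line.split(delim, 1)
        settings[parts[0].strip()] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def tls_versions(settings):
    """TLS versions enabled by the reported sslprotocol level."""
    return TLS_BY_SSL_LEVEL.get(int(settings["sslprotocol"]), ())


def sha1_kex_allowed(settings):
    """SHA-1 based key exchange methods still enabled at the reported sshprotocol level."""
    return SHA1_KEX_BY_SSH_LEVEL.get(int(settings["sshprotocol"]), ())


def tpi_inconsistent(settings):
    """The inconsistent state the table describes: TPI enabled but superuser not locked."""
    return (settings.get("two_person_integrity_enabled") == "yes"
            and settings.get("two_person_integrity_superuser_locked") == "no")


# Baseline: (attribute, predicate on the string value, explanation).
# Thresholds are this example's assumptions, not values the page recommends.
BASELINE = [
    ("sslprotocol", lambda v: int(v) >= 4,
     "levels below 4 still allow RSA and static key exchange cipher suites"),
    ("sshprotocol", lambda v: int(v) >= 3,
     "levels below 3 still allow SHA-1 key exchange methods"),
    ("superuser_locking", lambda v: v == "enabled",
     "superuser is exempt from the lockout policy"),
    ("check_password_history", lambda v: v == "yes",
     "previous passwords can be reused"),
    ("min_password_length", lambda v: int(v) >= 12,
     "minimum password length below 12"),
    ("superuser_password_sshkey_required", lambda v: v == "yes",
     "superuser is not required to present both a password and an SSH key"),
]


def evaluate(settings, baseline=BASELINE):
    """Return [(attribute, observed_value, explanation)] for every baseline miss."""
    findings = []
    for attr, ok, why in baseline:
        value = settings.get(attr)
        if value is None:
            findings.append((attr, "<missing>", "attribute not present in output"))
        elif not ok(value):
            findings.append((attr, value, why))
    if tpi_inconsistent(settings):
        findings.append(("two_person_integrity_enabled", "yes",
                         "TPI enabled but superuser not locked; error event 0989051 expected"))
    return findings


if __name__ == "__main__":
    current = parse_lssecurity(SAMPLE_OUTPUT)
    print("TLS versions enabled:", tls_versions(current))
    print("SHA-1 key exchange still allowed:", sha1_kex_allowed(current))
    for attr, value, why in evaluate(current):
        print(f"{attr}={value}: {why}")
```

To check a live system, capture the command output over SSH into a file and pass its contents to parse_lssecurity instead of SAMPLE_OUTPUT; pass delim=None if the output was produced without -delim. Each finding names the attribute, the observed value and why it misses the baseline, so the list maps directly onto the attributes in Table 1.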