lssecurity
Use the lssecurity command to display the current system Secure Sockets Layer (SSL) or Transport Layer Security (TLS) security settings.
Syntax
Parameters
- -nohdr
- (Optional) By default, headings are displayed for each column of data in a concise style view, and for each item of data in a detailed style view. The -nohdr parameter suppresses the display of these headings. Note: If no data exists to be displayed, headings are not displayed.
- -delim delimiter
- (Optional) By default in a concise view, all columns of data are space-separated. The width of each column is set to the maximum width of each item of data. In a detailed view, each item of data has its own row, and if the headers are displayed, the data is separated from the header by a space. The -delim parameter overrides this behavior. Valid input for the -delim parameter is a 1-byte character. If you enter -delim : on the command line, the colon character (:) separates all items of data in a concise view; for example, the spacing of columns does not occur. In a detailed view, the data is separated from its header by the specified delimiter.
Description
This command displays the current system-wide security settings, including the SSL or TLS and SSH security levels. This table provides the possible values that are displayed for the lssecurity command.
Attribute | Value |
---|---|
sslprotocol | Specifies the current security level setting, a numeric value of 1, 2, 3, or 4. Use these sslprotocol security level settings. Note: You cannot use the management GUI if the sslprotocol value is set to 1 and you are using SSL 3.0 or TLS 1.0. |
sshprotocol | Specifies the current security level for SSH, a numeric value of 1 or 2. Use these sshprotocol security level settings. |
gui_timeout_mins | Specifies the number of minutes of inactivity until a browser session expires. The value is in the range 5 - 240. |
cli_timeout_mins | Specifies the number of minutes of inactivity until an SSH session expires. The value is in the range 5 - 240. |
min_password_length | Specifies the minimum number of characters that are required in a new password. The value is in the range 6 - 64. |
password_special_chars | Specifies the minimum number of special characters that are required in any new passwords that are created on the system. A value of 0 means that no special characters are required. The value is in the range 0 - 3. |
password_upper_case | Specifies the minimum number of uppercase characters that are required in any new passwords that are created on the system. A value of 0 means that no uppercase characters are required. The value is in the range 0 - 3. |
password_lower_case | Specifies the minimum number of lowercase characters that are required in any new passwords that are created on the system. A value of 0 means that no lowercase characters are required. The value is in the range 0 - 3. |
password_digits | Specifies the minimum number of digits that are required in any new passwords that are created on the system. A value of 0 means that no numbers are required. The value is in the range 0 - 3. |
check_password_history | Specifies whether password history is checked to prevent a user from reusing a previous password. The value is either yes or no. |
max_password_history | Specifies the number of previous passwords to compare with if checkpasswordhistory is enabled. A value of 0 means that the new password is compared with the current password only. The value is in the range 6 - 10. |
min_password_age_days | Specifies the minimum number of days between password changes. This setting is enforced if checkpasswordhistory is enabled. The value is in the range 0 - 365. |
password_expiry_days | Specifies the number of days before a password expires and must be changed. The value is in the range 0 - 365. |
expiry_warning_days | Specifies the number of days before a password expires that a warning is raised when the user logs in. The value is in the range 0 - 30. |
lockout_period_mins | Specifies the number of minutes a user is locked out for when the number of failed authentication attempts exceeds the max_failed_logins value. The value is in the range 0 - 10080. |
max_failed_login_attempts | Specifies the number of failed logins that cause the account to become locked. The value is in the range 0 - 10. |
superuser_locking | Specifies whether the user locking policy on the system applies to the superuser. The value is either enabled or disabled. |
restapi_timeout_mins | Specifies the total number of minutes of activity until a RESTful API token expires. The value is in the range 10 - 120. |
ssh_grace_time_seconds | Specifies the value of the LoginGraceTime field in the SSHD config. The value is in the range 15 - 1800. |
ssh_max_tries | Specifies the value of the LoginGraceTime setting in the SSHD config. The value is in the range 1 - 10. |
superuser_multi_factor | Specifies whether multi-factor authentication is enabled for the superuser. The value is either yes or no. |
superuser_password_sshkey_required | Specifies whether the superuser should provide both a password and an SSH public key during authentication. The value is either yes or no. |
superuser_gui_disabled | Specifies whether GUI access is disabled for superuser. The value is either yes or no. |
superuser_rest_disabled | Specifies whether REST-API access is disabled for superuser. The value is either yes or no. |
An invocation example
lssecurity
The resulting output
sslprotocol 3
sshprotocol 1
gui_timeout_mins 30
cli_timeout_mins 15
restapi_timeout_mins 60
min_password_length 8
password_special_chars 0
password_upper_case 0
password_lower_case 0
password_digits 0
check_password_history no
max_password_history 6
min_password_age_days 1
password_expiry_days 0
expiry_warning_days 14
superuser_locking enabled
max_failed_login_attempts 10
lockout_period_mins 1
superuser_multi_factor yes
ssh_grace_time_seconds 900
ssh_max_tries 3
superuser_password_sshkey_required no
superuser_gui_disabled no
superuser_rest_disabled yes
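
The -delim parameter described above makes this output straightforward to check by script. The following is an added example, not part of the product documentation: it parses detailed-view output captured with `lssecurity -delim :` and reports settings that fall short of a local baseline. The function names and every threshold in `BASELINE` are assumptions chosen for illustration.

```python
# Constructed sample: a subset of the page's example output, written the way
# the detailed view prints it with -delim : (header and data split by ':').
SAMPLE = """\
sslprotocol:3
min_password_length:8
check_password_history:no
superuser_locking:enabled
max_failed_login_attempts:10
lockout_period_mins:1
superuser_multi_factor:yes
ssh_grace_time_seconds:900
"""

def parse_lssecurity(text, delim=":"):
    """Return {attribute: value} from detailed-view output, one item per row."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(delim)
        if not sep:  # e.g. output captured with -nohdr or without -delim
            raise ValueError(f"no {delim!r} delimiter in line: {line!r}")
        settings[name.strip()] = value.strip()
    return settings

# Assumed local baseline (not vendor guidance): attribute -> (check, reason)
BASELINE = {
    "min_password_length": (lambda v: int(v) >= 12, "shorter than 12 characters"),
    "check_password_history": (lambda v: v == "yes", "password reuse not checked"),
    "max_failed_login_attempts": (lambda v: 1 <= int(v) <= 5, "outside 1-5"),
    "lockout_period_mins": (lambda v: int(v) >= 15, "lockout under 15 minutes"),
    "superuser_locking": (lambda v: v == "enabled", "superuser exempt from lockout"),
    "superuser_multi_factor": (lambda v: v == "yes", "superuser MFA is off"),
    "ssh_grace_time_seconds": (lambda v: int(v) <= 120, "grace time over 120 s"),
}

def audit(settings):
    """Return (attribute, value, reason) for every baseline check that fails."""
    findings = []
    for attr, (ok, reason) in BASELINE.items():
        if attr not in settings:
            findings.append((attr, None, "attribute missing from output"))
        elif not ok(settings[attr]):
            findings.append((attr, settings[attr], reason))
    return findings

if __name__ == "__main__":
    for attr, value, reason in audit(parse_lssecurity(SAMPLE)):
        print(f"{attr}={value}: {reason}")
```

A missing attribute is reported as a finding rather than skipped, so output from a code level that lacks a setting does not pass silently.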