syslock command

Use this command to display and configure system lockdown settings.

Syntax:

syslock [-options]

Table 1. syslock options
Option	Description	Values
-en	Enable or disable system configuration lock function. Note Enable with -e option can promote the current inventory as trusted snapshot.	enabled, disabled
-e	Enable system configuration lock settings with or without enforcing current inventory into trusted snapshot. Note A default value will be set if there is not a -e option.	enabled, disabled
-l [x]	List inventory of specific snapshot at index x.	The index number xis specified as an integer in the command option.
-m	Take manual snapshot.
-d	Description for manual snapshot.	String of up to 32 characters.
-c	List inventory difference from trusted snapshot.
-po	Set lockdown policy. Note The action will prevent server booting if System Guard is in noncompliant status.	none, osboot, pperm
-cpu	Set cpu lockdown.	on, off
-dimm	Set dimm lockdown.	on, off
-pci	Set pci lockdown.	on, off
-drive	Set drive lockdown.	on, off
-riser	Set riser lockdown.	on, off
-bp	Set backplane lockdown.	on, off

To show current status and snapshot list (trusted and history)
system> syslock
Current status: disabled
Policy: none
cpu:    off
dXCC:   off
pci:    off
drive:  off
riser:  off
bp:     off

No snapshot.

System changes have been detected!
Index   In Use           Date              Description
-----  --------    -------------------   ----------------
1      Yes         28/01/2022 15:32:59   Enforced by XCCroot.
2      No          28/01/2022 15:28:16   Boot by BMC.

system> syslock
Current status: disabled
Policy: none
cpu:    off
dXCC:   off
pci:    off
drive:  off
riser:  off
bp:     off

To list inventory of specific snapshot
system> syslock -l 1
Location     Component ID          Description
---------    --------------        ----------------
To enable/disable function.(enable with passphrase, and/or promote current inventory as trusted snapshot):
system> syslock -en enabled
ok
system> syslock -en disabled
ok
system> syslock -en disabled -p Passw0rd12 -e disabled
ok
To take manual snapshot:
system> syslock -m -d xyz
ok
To list inventory difference from trusted snapshot
System>syslock -c
system configuration changes have been detected:

 Difference      Location    ID             Description
 --------------      ----------    ---------------    ----------------------------------------------------------------
  New device    Drive 13   S0K2QRYC    Drive 13, IBM-ESXS, 300GB 10K 6Gbps SAS 2.5"

To set lockdown policy:
system> syslock -po none/pperm/osboot

To set lockdown components:
system>syslock -cpu <on | off>
system>syslock -dXCC <on | off>
system>syslock -pci <on | off>
system>syslock -drive <on | off>
system>syslock -tpm <on | off>
system>syslock -riser <on | off>
system>syslock -bp <on | off>
system>syslock -board <on | off>
system>syslock -psu <on | off>
system>syslock -fan <on | off>
system>syslock -xccfw <on | off>
system>syslock -uefifw <on | off>

Give documentation feedback