syslock command
Use this command to display and configure system lockdown settings.
Syntax:
syslock [-options]
Option | Description | Values |
---|---|---|
-en | Enable or disable system configuration lock function. Note Enable with | enabled, disabled |
-e | Enable system configuration lock settings with or without enforcing current inventory into trusted snapshot. Note A default value will be set if there is not a | enabled, disabled |
-l [x] | List inventory of specific snapshot at index x. | The index number xis specified as an integer in the command option. |
-m | Take manual snapshot. | |
-d | Description for manual snapshot. | String of up to 32 characters. |
-c | List inventory difference from trusted snapshot. | |
-po | Set lockdown policy. Note The action will prevent server booting if System Guard is in noncompliant status. | none, osboot, pperm |
-cpu | Set cpu lockdown. | on, off |
-dimm | Set dimm lockdown. | on, off |
-pci | Set pci lockdown. | on, off |
-drive | Set drive lockdown. | on, off |
-riser | Set riser lockdown. | on, off |
-bp | Set backplane lockdown. | on, off |
To show current status and snapshot list (trusted and history)
system> syslock
Current status: disabled
Policy: none
cpu: off
dXCC: off
pci: off
drive: off
riser: off
bp: off
No snapshot.
System changes have been detected!
Index In Use Date Description
----- -------- ------------------- ----------------
1 Yes 28/01/2022 15:32:59 Enforced by XCCroot.
2 No 28/01/2022 15:28:16 Boot by BMC.
system> syslock
Current status: disabled
Policy: none
cpu: off
dXCC: off
pci: off
drive: off
riser: off
bp: off
To list inventory of specific snapshot
system> syslock -l 1
Location Component ID Description
--------- -------------- ----------------
To enable/disable function.(enable with passphrase, and/or promote current inventory as trusted snapshot):
system> syslock -en enabled
ok
system> syslock -en disabled
ok
system> syslock -en disabled -p Passw0rd12 -e disabled
ok
To take manual snapshot:
system> syslock -m -d xyz
ok
To list inventory difference from trusted snapshot
System>syslock -c
system configuration changes have been detected:
Difference Location ID Description
-------------- ---------- --------------- ----------------------------------------------------------------
New device Drive 13 S0K2QRYC Drive 13, IBM-ESXS, 300GB 10K 6Gbps SAS 2.5"
To set lockdown policy:
system> syslock -po none/pperm/osboot
To set lockdown components:
system>syslock -cpu <on | off>
system>syslock -dXCC <on | off>
system>syslock -pci <on | off>
system>syslock -drive <on | off>
system>syslock -tpm <on | off>
system>syslock -riser <on | off>
system>syslock -bp <on | off>
system>syslock -board <on | off>
system>syslock -psu <on | off>
system>syslock -fan <on | off>
system>syslock -xccfw <on | off>
system>syslock -uefifw <on | off>
Give documentation feedback