The display security risk command displays security risks in the system and suggested solutions for the risks.
display security risk [ trap-info ] [ feature feature-name ] [ level { high | medium | low } ]
| Parameter | Description | Value |
|---|---|---|
| trap-info | Displays alarm information about security risks. | - |
| feature feature-name | Displays the security risks of a specified feature. | The value is a string of 1 to 31 case-insensitive characters, spaces not supported. The specified feature must be supported on the device. |
| level | Displays the security risks of a specified level. | - |
| high | Displays security risks of the High level. | - |
| medium | Displays security risks of the Medium level. | - |
| low | Displays security risks of the Low level. | - |
Usage Scenario
Protocols provide different levels of security, and some protocols carry security risks. Run the display security risk command to identify the security risks in the system, then remove them by following the repair action given in the command output.
You can filter the security risks by specifying the security level, the feature, or both.
Precautions
The security risks displayed vary with the user level: system administrators can view all security risks in the system, while other users can view only the security risks matching their levels.
# Display security risks in the system.
```
<sysname> display security risk
Risk level       : high
Feature name     : CONSOLE
Risk information : No authentication is configured on the console interface.
Repair action    : Use AAA authentication.
Risk level       : high
Feature name     : GRSA
Risk information : Length of RSA key less than or equal to 1024 bits is exit.
Repair action    : 2048-bit is recommended to all RSA keys.
Risk level       : high
Feature name     : HWTACACS
Risk information : HWTACACS is not configured to authenticate packets.
Repair action    : Please configure HWTACACS to authenticate packets.
Risk level       : high
Feature name     : NTP
Risk information : NTP no authentication configured.
Repair action    : Configure authentication.
Risk level       : high
Feature name     : RSA
Risk information : The length of an RSA host key is less than or equal to 1024 bits.
Repair action    : Re-create a 2048-bit RSA host key.
Risk level       : high
Feature name     : SNMP
Risk information : SNMPv1/SNMPv2c is enabled.
Repair action    : Use SNMPv3.
Risk level       : high
Feature name     : TELNET
Risk information : None authentication is configured for Telnet users.
Repair action    : Use AAA authentication.
Risk level       : medium
Feature name     : CONFIGURATION-MANAGEMENT
Risk information : Configurations were automatically backed up to the server by means of FTP/TFTP.
Repair action    : Use SFTP.
Risk level       : medium
Feature name     : DCN
Risk information : DCN use normal tcp connection.
Repair action    : Please use SSL TCP connection.
Risk level       : medium
Feature name     : DSA
Risk information : The length of a DSA host key is less than 1024 bits.
Repair action    : Re-create a 2048-bit DSA host key.
Risk level       : medium
Feature name     : FTP
Risk information : The FTP server function is used.
Repair action    : Use SFTP.
Risk level       : medium
Feature name     : GRSA
Risk information : Length of DSA key less than 1024 bits is exit.
Repair action    : 2048-bit is recommended to all DSA keys
Risk level       : medium
Feature name     : SNMP
Risk information : DES56/3DES for SNMPv3 usm-user is configured.
Repair action    : Use AES.
Risk level       : medium
Feature name     : SNMP
Risk information : Complexity check is disabled.
Repair action    : Enable complexity check.
Risk level       : medium
Feature name     : SSH
Risk information : SSHv1 is enabled.
Repair action    : Close SSHv1.
Risk level       : medium
Feature name     : TELNET
Risk information : The Telnet server function is used.
Repair action    : Use STELNET.
Risk level       : low
Feature name     : SSL
Risk information : The certificate cert_file in SSL ploicy policy_name will expire after 2 day(s).
Repair action    : Load a new certificate.
Risk level       : low
Feature name     : SSL
Risk information : The certificate cert_file in SSL policy policy_name is expired.
Repair action    : Load a new certificate.
```
# Display security risks of the SNMP feature.
```
<sysname> display security risk feature snmp
Risk level       : high
Feature name     : SNMP
Risk information : SNMPv1/SNMPv2c is enabled.
Repair action    : Use SNMPv3.
Risk level       : medium
Feature name     : SNMP
Risk information : Complexity check is disabled.
Repair action    : Enable complexity check.
```
# Display security risks of Medium level.
```
<sysname> display security risk level medium
Risk level       : medium
Feature name     : DSA
Risk information : The length of a DSA host key is less than 1024 bits.
Repair action    : Re-create a 2048-bit DSA host key.
Risk level       : medium
Feature name     : SNMP
Risk information : Complexity check is disabled.
Repair action    : Enable complexity check.
```
| Item | Description |
|---|---|
| Risk level | Security risk level. It can be high, medium, or low. |
| Feature name | Name of the feature that has a security risk. |
| Risk information | Information about the security risk. |
| Repair action | Suggested solution for the security risk. |
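As an added example (not part of this command reference or the vendor's software), the following Python parses captured display security risk output into records and reproduces the level/feature filtering from a script, so the check can be run across many devices and fed into a compliance report. The sample text is constructed from the records shown above; real captures may align the colons differently, which the regex tolerates.

```python
import re
from collections import Counter

# Constructed sample in the record format shown on this page (three records).
SAMPLE_OUTPUT = """\
<sysname> display security risk
Risk level       : high
Feature name     : SNMP
Risk information : SNMPv1/SNMPv2c is enabled.
Repair action    : Use SNMPv3.
Risk level       : medium
Feature name     : SSH
Risk information : SSHv1 is enabled.
Repair action    : Close SSHv1.
Risk level       : low
Feature name     : SSL
Risk information : The certificate cert_file in SSL policy policy_name is expired.
Repair action    : Load a new certificate.
"""

# Map each output item to a dict key; every record starts with "Risk level".
FIELDS = {"Risk level": "level", "Feature name": "feature",
          "Risk information": "info", "Repair action": "action"}
LINE_RE = re.compile(r"^(%s)\s*:\s*(.*)$" % "|".join(FIELDS))

def parse_security_risks(text):
    """Return one dict per risk record; the echoed command and other lines are skipped."""
    records, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = FIELDS[m.group(1)], m.group(2).strip()
        if key == "level":          # a new record begins here
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def filter_risks(records, level=None, feature=None):
    """Apply the command's level/feature filters; matching is case-insensitive."""
    return [r for r in records
            if (level is None or r.get("level", "").lower() == level.lower())
            and (feature is None or r.get("feature", "").lower() == feature.lower())]

def count_by_level(records):
    """Count records per level, e.g. to alert when any high-level risk remains."""
    return Counter(r.get("level") for r in records)
```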