The last 9 months or so I have been recommending to customers that they should use aixpert, or AIX Security Expert, as their preferred method of hardening AIX - rather than being concerned with doing it on their own.
Just to let everyone know how well I understand how hard it is to use "new technology" (AIX Security Expert has been out there nearly 4 years now, so that excuse really is not valid now ) - I have finally activated aixpert. But undid it immediately, as it caught me, and then reactivated it.
When I first activated it - using low settings - I could not login. Fortunately, it did let root login (being set to low security settings), and change his password, and figure out why ssh was no longer working.
Answer: passwords expired (older than maxage), and only a sys admin could change it now (older than maxexpired too!).
Solution: changed root password (required to even login), reset aixpert to default
# aixpert -l default
And then reset, now to high settings using:
# aixpert -l h -p
There is a lot of output - for the curious - read here .