aixpert Command


Aids the system administrator in setting the security configuration.



aixpert -l h|high | m|medium | l|low | d|default | s|sox-cobit [-n -o filename ] [ -a -o filename ] [ -p ]

aixpert -c [ -P ] profile name [-r] [-R]

aixpert -u [ -p ]

aixpert -d

aixpert [-f filename ] [ -a -o filename ] [ -p ]

aixpert -t

aixpert -c -P profile name


The aixpert command sets a variety of system configuration settings to enable the desired security level.

Running aixpert with the only the -l flag set implements the security settings promptly without letting the user configure the settings. For example, running aixpert -l high applies all the high-level security settings to the system automatically. However, running aixpert -l with the -n -o filename option saves the security settings to a file specified by the filename parameter. The -f flag then applies the new configurations.

After the initial selection, a menu is displayed itemizing all security configuration options associated with the selected security level. These options can be accepted in whole or individually toggled off or on. After any secondary changes, aixpert continues to apply the security settings to the computer system.

Note: It is recommended that aixpert be rerun after any major systems changes, such as the installation or updates of software. If a particular security configuration item is deselected when aixpert is rerun, that configuration item is skipped.

Some profiles of the aixpert command have shun port rules that create dynamic IP security (IPSec) filter rules and exist for a specified duration. These IPSec filter rules deny all packets that arrive from a specific port of the source host. When fragmented packets arrive at the destination host, the deny filter rules are applied on the fragments based on the source IP, the destination IP, and the protocol, irrespective of the source and destination ports because the IP fragments do not contain the port details. Therefore, these deny rules drop all fragments on all ports, which are received at the destination from all source ports for the specified protocol from the specified source.

If the IP fragments from a specified source must be allowed at the destination, an appropriate genfilt rule must be added for that source after the aixpert rules are applied. This new rule must be added above the aixpert rules so that the genfilt rule can take effect. Adding such a rule might make the destination vulnerable to IP fragmentation attacks from the source. Therefore, such rules must be added with diligence. For more information about handling fragments by using IPSec filters, see genfilt man page.


Item Description
-a The settings with the associated level security options are written in abbreviated file format to the file specified by the -o flag. You must specify the -o option when you specify the -a option.
-c Checks the security settings against the previously applied set of rules. If the check against a rule fails, the previous versions of the rule are also checked. This process continues until the check passes, or until all of the instances of the failed rule in the /etc/security/aixpert/core/appliedaixpert.xml file are checked.
-f Applies the security settings in the provided filename.
For example, the following command writes all of the high-level security options to the /etc/security/aixpert/core/hls.xml file:
aixpert -l h -n -o /etc/security/aixpert/core/hls.xml
After removing any unwanted options, you can apply these security settings with the following command:
aixpert -f /etc/security/aixpert/core/hls.xml

When you specify the -f option, security settings are consistently applied from system to system by securely transferring and applying an appliedaixpert.xml file from system to system.

All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding "undo" action rules are written to the /etc/security/aixpert/core/undo.xml file.

-l Sets the system security settings to the level specified with this option. This flag has the following options:
Specifies high-level security options.
Specifies medium-level security options.
Specifies low-level security options.
Specifies AIX® standards-level security options.
Specifies SOX-COBIT best practices-level security options.
If you specify both the -l and -n flags, the security settings are not implemented on the system; however, they are only written to the file that you specified in the -o flag.

All the successfully applied rules are written to the /etc/security/aixpert/core/appliedaixpert.xml file and the corresponding undo action rules are written to the /etc/security/aixpert/core/undo.xml file.

Attention: When you use the d|default option, the option can overwrite the configured security settings that you previously set through the aixpert command or independently, and restores the system to its traditional open configuration.
-n The settings with the associated level security options are written to the file specified by the -o flag. You must specify the -o option when you use the -n option.
-o Stores security output to the file pointed to by filename. The output file has its read and write permissions set to root as a security precaution. This file should be protected against unwanted access.
-p Specifies that the output of the security rules is displayed by using verbose output. The -p option logs the rules processed into the audit subsystem if the auditing option is turned on. This option can be used with any of the -l, -u, -c and -f options.
-P Accepts the profile name as input. This option is used along with the -c option. The -c option along with the -P option is used to check the compatibility of the system is with the profile passed.
-r Reports existing settings of the system. The output is intended to be used in security or compliance audit reports. The report describes each setting, how it might relate to a regulatory compliance requirement, and whether the check passed or failed.
-R Produces the same output as the -r flag, but also appends a description about each script or program used to implement the configuration setting.
-t Displays the type of the profile applied on the system.
-u Undoes the security settings that have been applied.
-d Displays the document type definition (DTD).


Item Description
filename The output file that stores the security settings. Root permission is required to access this file.


The aixpert command is executable only by root.


  1. To write all of the high-level security options to an output file, use the following command:
    aixpert -l high -n -o /etc/security/aixpert/plugin/myPreferredSettings.xml
    After completing this command, the output file can be edited, and specific security roles can be commented out by enclosing them in the standard xml comment string (<-- begins the comment and -\> closes the comment).
  2. To apply the security settings from a configuration file, use the following command:
    aixpert -f /etc/security/aixpert/plugin/myPreferredSettings.xml
  3. To check the security settings that have been applied to the system, and to log the rules that failed into the audit subsystem, use the following command:
    aixpert –c -p


Item Description
/usr/sbin/aixpert/ Contains the aixpert command.


Item Description
/etc/security/aixpert/core/aixpertall.xml Contains an xml listing of all possible security settings. Has -r-------- permissions, and requires root security.
/etc/security/aixpert/core/appliedaixpert.xml Contains an xml listing of applied security.
/etc/security/aixpert/log/aixpert.log Contains a trace log of applied security settings. This does not use syslog. The aixpert command writes directly to the file. Has -rw------- permissions, and requires root security.
/etc/security/aixpert/log/firstboot.log Contains a trace log of the security settings that were applied during the first boot of a Secure by Default (SbD) installation.
/etc/security/aixpert/core/undo.xml Contains an xml listing of security settings, which can be undone.