====== Password policy on AIX ======

Get current default password policy
<cli prompt='>'>
[root@aix001] /root> cat /etc/security/user | sed 's/\*//g' | grep -p "default:"
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 13
        histsize = 8
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 2
        minother = 0
        minlen = 11
        mindiff = 0
        maxrepeats = 0
        dictionlist =
        pwdchecks =
        default_roles =
        core_compress = on
        core_path = on
        core_naming = on
        core_pathname = /var/core
        minloweralpha = 1
        minupperalpha = 1
        mindigit = 0
        minspecialchar = 0
</cli>

Before changing global settings for all user, make a backup of the files:
  /etc/security/user
  /etc/security/login.cfg
  
Recommended settings
<cli prompt='>'>
chsec -f /etc/security/user -s default -a mindiff=0
chsec -f /etc/security/user -s default -a minage=1
chsec -f /etc/security/user -s default -a maxage=13
chsec -f /etc/security/user -s default -a minlen=8
chsec -f /etc/security/user -s default -a minalpha=2
chsec -f /etc/security/user -s default -a minother=1
chsec -f /etc/security/user -s default -a maxrepeats=0
chsec -f /etc/security/user -s default -a histexpire=13
chsec -f /etc/security/user -s default -a minloweralpha=1
chsec -f /etc/security/user -s default -a minupperalpha=1
chsec -f /etc/security/user -s default -a mindigit=0
chsec -f /etc/security/user -s default -a minspecialchar=0
chsec -f /etc/security/user -s default -a histsize=8
chsec -f /etc/security/user -s default -a maxexpired=3
chsec -f /etc/security/user -s default -a loginretries=5
chsec -f /etc/security/login.cfg -s default -a logininterval=300
chsec -f /etc/security/login.cfg -s default -a logindisable=10
chsec -f /etc/security/login.cfg -s default -a loginreenable=360
chsec -f /etc/security/login.cfg -s default -a logindelay=10
chsec -f /etc/security/login.cfg -s usw -a logintimeout=30
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
</cli>

For changing particular settings, for example prevent root user password expiration
  chuser -R files maxage=0 root
  chuser -R files maxexpired=-1 root
  
Now you can list changes for root:
<cli prompt='>'>
[root@aix01] /root/scripts> lsuser -f root
root:
        id=0
        pgrp=system
        groups=system,bin,sys,security,cron,audit,lp
        home=/root
        shell=/usr/bin/ksh93
        auditclasses=general
        login=true
        su=true
        rlogin=true
        daemon=true
        admin=true
        sugroups=ALL
        admgroups=apache,nagios
        tpath=nosak
        ttys=ALL
        expires=0
        auth1=SYSTEM
        auth2=NONE
        umask=22
        registry=files
        SYSTEM=compat
        logintimes=
        loginretries=0
        pwdwarntime=0
        account_locked=false
        minage=0
        maxage=0
        maxexpired=-1
...
</cli>

List default values
<cli prompt='#'>
[root@nim01]/root# lssec -f /etc/security/login.cfg -s usw -a ALL
usw program= messages= retry= timeout= retry_delay= auth_type=STD_AUTH shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd maxlogins=32767 logintimeout=60 options= dist_uniqid= searchorderflag= maxroles=8 pwd_algorithm=ssha512 sec_trace_level= sec_trace_area= mkhomeatlogin= authcontroldomain= unix_passwd_compat= sulogfulldate= efssharedkeys= rotate_failedlogin=
[root@nim01]/root# lssec -f /etc/security/user -s default -a ALL
default login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 logintimes= loginretries=0 pwdwarntime=0 account_locked=false SYSTEM="compat" registry= minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= dce_export= maxulogs= uactivity= utocount= capabilities= auth_name= auth_domain= hostsallowedlogin= hostsdeniedlogin= rcmds= core_compress=on core_path=on core_pathname=/var/core core_naming=on core_name= default_roles= domains=
</cli>

To check password expiration do:
<cli prompt='#'>
[root@nim01]/root# logins -ao
root:0:system:0::-7:0
daemon:1:staff:1::-7:10170
bin:2:bin:2::-7:10170
sys:3:sys:3::-7:10170
</cli>