If the security settings that were changed by applying a security level are to be reset to the original values, this can be done using “aixpert -u”.

# aixpert -u
entry name=lls_usrck_370FC0F4 not found
entry name=lls_pwdck_370FC0F4 not found
entry name=lls_grpck_370FC0F4 not found
entry name=lls_rmrhostsnetrc_370FC0F4 not found
# 

After executing the command, the initial state should essentially be restored. Some (few) security settings cannot be undone; details can be found in the IBM documentation AIX Security Expert – IBM Documentation. An example of this would be cleaning the password file using pwck. The original, uncleaned version of the file is not backed up by aixpert and therefore cannot be restored.

Running “aixpert -u” renames the appliedaixpert.xml and undo.xml files in the core subdirectory to appliedaixpert.bak and undo.bak, respectively. A new appliedaixpert.xml file is created without rules. All steps of “aixpert -u” are logged in detail in log/aixpert.log.

The ability to restore the initial state is extremely helpful when unexpected problems arise due to the application of a security level. The undo functionality usually allows you to quickly return to a functioning configuration, albeit with a lower or unknown security level.