The AIX Security Guide is a key resource. This is provided on the AIX documentation CD and is also available at: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.doc/aixbman/security/security.pdf

Another useful document to highlight is the IBM Redbook "Additional AIX Security Tools on IBM eserver pSeries, IBM RS/6000 and SP/Cluster", available at http://www.redbooks.ibm.com/abstracts/sg245971.html.
This gives practical steps for performing several of the checklist security tasks on an AIX system.

When installing the base operating system, choosing
More Options -> Install Trusted Computing Base
enables the AIX trusted path features including the secure attention key, and also enables basic system integrity checking (see G.5.1 below).

A guide to minimizing services in AIX is provided by Sandor Sklar in "Securing AIX Network Services". This is available at http://www.blacksheepnetworks.com/security/resources/securing-aix-network-services.html

Standard network services that will be started are configured in /etc/rc.tcpip.

The AIX command securetcpip makes it straightforward to disable the following services: rcp, rlogin, rlogind, rsh, rshd, tftp, and tftpd. securetcpip also disables .netrc files, as discussed in section E.5.5.

AIX services set to run on startup listed in /etc/initab can be disabled using the command rmitab <service>.

The Titan hardening scripts now have preliminary support for AIX, available at http://www.trouble.org/titan/

In AIX the chuser command can be used to set user resource limits. These settings are stored in the file /etc/security/limits.

User logins can be limited to certain times of day in the file /etc/security/login.cfg

The chuser command can be used to enforce password policy, login restrictions and also to disable accounts. This information is stored in the file /etc/security/user. The default values for new users are given in the file /usr/lib/security/mkuser.default

AIX uses shadow passwords by default. These are stored in the file /etc/security/passwd.

RBAC is implemented in AIX. Documentation showing how to split the powers of root using RBAC is provided in the AIX Security Guide:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/administrative_roles.htm

Instead of /etc/fstab, AIX uses the file /etc/filesystems.

On 64-bit AIX systems the Stack Execute Disable (SED) feature is turned on by default, but for selected programs only. This mechanism is configured using the sedmgr command, but note that if it is enabled for all executables, then those programs incompatible with SED need to have the "exempt" bit explicitly set. For details, see:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/stack_exec_disable.htm

Note that AIX syslog by default may be configured to log nothing, or log to /tmp only. In this case, this should be fixed by editing /etc/syslog.conf and then using the touch command to create the new log files.

AIX has an auditing subsystem configured using the files in /etc/security/audit/* For further information on how to select events to audit, see the documentation at:
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.doc/aixbman/security/auditing.htm

If AIX has been installed with the "TCB" option, AIX provides basic file integrity checking using the tcbck command. Details of the monitored files are kept in /etc/security/sysck.cfg Unfortunately, the weak checksum used by tcbck is really only effective protection against accidental modification rather than an active attacker, so it is recommended still to use Tripwire or AIDE for integrity checking on AIX. In some cases tcbck is also able to identify some potentially suspicious new files, devices or symlinks.

AIX does not come as standard with a full-featured host firewall, however it is possible to add static packet filter rules using the IPSEC command genfilt. This requires the IP Security filesets to have been installed, as described here. The set of filter rules can be saved to a file using expfilt and loaded on future boots using impfilt and mkfilt -u to activate the rules. lsfilt will list the current rules. As an alternative, SMIT or the Web-based System Manager can be used to create the rules.

On AIX, instead of sysctls, the no command is used to tune network stack settings. The manual page for no documents the settings that are available, and those that can be adjusted for security are listed here.