

 End of support notice: On May 20, 2026, AWS will end support for Amazon Inspector Classic. After May 20, 2026, you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. Amazon Inspector Classic is no longer available to new accounts or to accounts that have not completed an assessment in the last 6 months. For all other accounts, access remains valid until May 20, 2026, after which you will no longer be able to access the Amazon Inspector Classic console or Amazon Inspector Classic resources. For more information, see [Amazon Inspector Classic end of support](https://docs.aws.amazon.com/inspector/v1/userguide/inspector-migration.html). 

# Amazon Inspector Classic rules packages and rules


You can use Amazon Inspector Classic to assess your assessment targets (collections of AWS resources) for potential security issues and vulnerabilities. Amazon Inspector Classic compares the behavior and the security configuration of the assessment targets to selected security *rules packages*. In the context of Amazon Inspector Classic, a *rule* is a security check that Amazon Inspector Classic performs during the assessment run.

In Amazon Inspector Classic, rules are grouped into distinct *rules packages* by category, severity, or pricing. This gives you choices for the kinds of analysis that you can perform. For example, Amazon Inspector Classic offers a large number of rules that you can use to assess your applications. But you might want to include a smaller subset of the available rules to target a specific area of concern or to uncover specific security problems. Companies with large IT departments might want to determine whether their application is exposed to any security threat. Others might want to focus only on issues with the severity level of **High**.
+ [Severity levels for rules in Amazon Inspector Classic](#SeverityLevels)
+ [Rules packages in Amazon Inspector Classic](#InspectorRulePackages)

## Severity levels for rules in Amazon Inspector Classic


Each Amazon Inspector Classic rule has an assigned severity level. This reduces the need to prioritize one rule over another in your analysis. It can also help you determine your response when a rule highlights a potential problem.

**High**, **Medium**, and **Low** levels all indicate a security issue that can result in compromised information confidentiality, integrity, and availability within your assessment target. The levels are distinguished by how likely the issue is to result in a compromise and how urgent it is to fix the issue.

The **Informational** level simply highlights a security configuration detail of your assessment target.

Here are the recommended ways to respond to issues based on their severity:
+ **High** – High severity issues are extremely urgent. Amazon Inspector Classic recommends that you treat this security issue as an emergency and implement an immediate remediation.
+ **Medium** – Medium severity issues are somewhat urgent. Amazon Inspector Classic recommends that you fix this issue at the next possible opportunity, for example, during your next service update.
+ **Low** – Low severity issues are less urgent. Amazon Inspector Classic recommends that you fix this issue as part of one of your future service updates.
+ **Informational** – These issues are purely informational. Based on your business and organization goals, you can either simply make note of this information or use it to improve the security of your assessment target.

## Rules packages in Amazon Inspector Classic


An Amazon Inspector assessment can use any combination of the following rules packages:

**Network assessments:**
+ [Network Reachability](inspector_network-reachability.md)

**Host assessments:**
+ [Common vulnerabilities and exposures](inspector_cves.md)
+ [Center for Internet Security (CIS) Benchmarks](inspector_cis.md)
+ [Security best practices for Amazon Inspector Classic](inspector_security-best-practices.md)

# Network Reachability


The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.

The Network Reachability rules package uses the latest technology from the AWS [Provable Security](https://aws.amazon.com/security/provable-security/) initiative.

The findings generated by these rules show whether your ports are reachable from the internet through an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on.

These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured. By including this package in your assessment run, you can implement detailed network security checks without having to install scanners and send packets, which are complex and expensive to maintain, especially across VPC peering connections and VPNs.

**Important**  
An Amazon Inspector Classic agent is not required to assess your EC2 instances with this rules package. However, an installed agent can provide information about the presence of any processes listening on the ports. Do not install an agent on an operating system that Amazon Inspector Classic does not support. If an agent is present on an instance that runs an unsupported operating system, then the Network Reachability rules package will not work on that instance.

For more information, see [Amazon Inspector Classic rules packages for supported operating systems](inspector_rule-packages_across_os.md).

## Configurations analyzed


Network Reachability rules analyze the configuration of the following entities for vulnerabilities:
+ [Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html)
+ [Application Load Balancers](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#alb)
+ [Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html)
+ [Elastic Load Balancers](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html)
+ [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html)
+ [Internet Gateways (IGWs)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html)
+ [Network Access Control Lists (ACLs)](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html)
+ [Route Tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html)
+ [Security Groups (SGs)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)
+ [Subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html)
+ [Virtual Private Clouds (VPCs)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html)
+ [Virtual Private Gateways (VGWs)](https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html#vpn-create-vpg)
+ [VPC peering connections](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

## Reachability routes


Network Reachability rules check for the following reachability routes, which correspond to the ways in which your ports can be accessed from outside of your VPC:
+ **`Internet`** - Internet gateways (including Application Load Balancers and Classic Load Balancers)
+ **`PeeredVPC`** - VPC peering connections
+ **`VGW`** - Virtual private gateways

## Findings types


An assessment that includes the Network Reachability rules package can return the following types of findings for each reachability route:
+ [`RecognizedPort`](#inspector_network-reachability-types-1)
+ [`UnrecognizedPortWithListener`](#inspector_network-reachability-types-2)
+ [`NetworkExposure`](#inspector_network-reachability-types-3)

### `RecognizedPort`


A port that is typically used for a well-known service is reachable. If an agent is present on the target EC2 instance, the generated finding will also indicate whether there is an active listening process on the port. Findings of this type are given a severity based on the security impact of the well-known service:
+ **`RecognizedPortWithListener`** – A recognized port is externally reachable from the public internet through a specific networking component, and a process is listening on the port.
+ **`RecognizedPortNoListener`** – A port is externally reachable from the public internet through a specific networking component, and there are no processes listening on the port.
+ **`RecognizedPortNoAgent`** – A port is externally reachable from the public internet through a specific networking component. The presence of a process listening on the port can't be determined without installing an agent on the target instance.

The following table shows a list of recognized ports:


|  Service  |  TCP Ports  |  UDP Ports  | 
| --- | --- | --- | 
|  SMB  |  445  |  445  | 
|  NetBIOS  |  137, 139  |  137, 138  | 
|  LDAP  |  389  |  389  | 
|  LDAP over TLS  |  636  |  | 
|  Global catalog LDAP  |  3268  |  | 
|  Global catalog LDAP over TLS  |  3269  |  | 
|  NFS  |  111, 2049, 4045, 1110  |  111, 2049, 4045, 1110  | 
|  Kerberos  |  88, 464, 543, 544, 749, 751  |  88, 464, 749, 750, 751, 752  | 
|  RPC  |  111, 135, 530  |  111, 135, 530  | 
|  WINS  |  1512, 42  |  1512, 42  | 
|  DHCP  |  67, 68, 546, 547  |  67, 68, 546, 547  | 
|  Syslog  |  601  |  514  | 
|  Print services  |  515  |  | 
|  Telnet  |  23  |  23  | 
|  FTP  |  21  |  21  | 
|  SSH  |  22  |  22  | 
|  RDP  |  3389  |  3389  | 
|  MongoDB  |  27017, 27018, 27019, 28017  |  | 
|  SQL Server  |  1433  |  1434  | 
|  MySQL  |  3306  |  | 
|  PostgreSQL  |  5432  |  | 
|  Oracle  |  1521, 1630  |  | 
|  Elasticsearch  |  9300, 9200  |  | 
|  HTTP  | 80 | 80 | 
|  HTTPS  | 443 | 443 | 

### `UnrecognizedPortWithListener`


A port that is not listed in the preceding table is reachable and has an active listening process on it. Because findings of this type show information about listening processes, they can be generated only when an Amazon Inspector agent is installed on the target EC2 instance. Findings of this type are given **Low** severity.

### `NetworkExposure`


Findings of this type show aggregate information on the ports that are reachable on your EC2 instance. For each combination of elastic network interfaces and security groups on an EC2 instance, these findings show the reachable set of TCP and UDP port ranges. Findings of this type have the severity of **Informational**.
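The following added example (not Amazon Inspector Classic code) derives the three finding types above for the `Internet` route from a constructed set of security-group ingress rules and an optional agent-reported listener set. It simplifies reachability to "an ingress rule open to 0.0.0.0/0", whereas the real package also evaluates ACLs, route tables, gateways and load balancers; the `RECOGNIZED_PORTS` table is a subset of the page's table.

```python
from dataclasses import dataclass

# Subset of the page's recognized-port table: (protocol, port) -> service name.
RECOGNIZED_PORTS = {
    ("tcp", 22): "SSH", ("udp", 22): "SSH",
    ("tcp", 23): "Telnet", ("udp", 23): "Telnet",
    ("tcp", 80): "HTTP", ("udp", 80): "HTTP",
    ("tcp", 443): "HTTPS", ("udp", 443): "HTTPS",
    ("tcp", 445): "SMB", ("udp", 445): "SMB",
    ("tcp", 3306): "MySQL",
    ("tcp", 3389): "RDP", ("udp", 3389): "RDP",
    ("tcp", 27017): "MongoDB",
}

INTERNET = "0.0.0.0/0"  # assumption: a rule open to 0.0.0.0/0 models the Internet route


@dataclass(frozen=True)
class SgRule:
    """One security-group ingress rule (constructed, simplified model)."""
    protocol: str    # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str


def reachable_ports(rules, protocol):
    """Ports of `protocol` that some ingress rule opens to the Internet route."""
    ports = set()
    for rule in rules:
        if rule.protocol == protocol and rule.cidr == INTERNET:
            ports.update(range(rule.from_port, rule.to_port + 1))
    return ports


def port_ranges(ports):
    """Collapse a port set into sorted (low, high) ranges, the aggregate form a NetworkExposure finding reports."""
    ranges = []
    for port in sorted(ports):
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def classify(rules, listeners=None):
    """Derive finding types for the Internet route.

    listeners: set of (protocol, port) with a listening process, as an agent would report,
    or None when no agent is installed (listener state unknown).
    Returns {"port_findings": [(type, protocol, port, service), ...],
             "exposure": {protocol: [(low, high), ...]}}.
    """
    port_findings, exposure = [], {}
    for protocol in ("tcp", "udp"):
        ports = reachable_ports(rules, protocol)
        for port in sorted(ports):
            service = RECOGNIZED_PORTS.get((protocol, port))
            listening = None if listeners is None else (protocol, port) in listeners
            if service is not None:
                if listening is None:
                    kind = "RecognizedPortNoAgent"
                elif listening:
                    kind = "RecognizedPortWithListener"
                else:
                    kind = "RecognizedPortNoListener"
                port_findings.append((kind, protocol, port, service))
            elif listening:
                # Unrecognized ports produce a finding only when an agent sees a listener (Low severity).
                port_findings.append(("UnrecognizedPortWithListener", protocol, port, None))
        if ports:
            exposure[protocol] = port_ranges(ports)   # Informational aggregate per protocol
    return {"port_findings": port_findings, "exposure": exposure}


# Constructed sample: one instance's effective ingress rules and agent-reported listeners.
SAMPLE_RULES = [
    SgRule("tcp", 22, 22, INTERNET),
    SgRule("tcp", 80, 80, INTERNET),
    SgRule("tcp", 8080, 8081, INTERNET),
    SgRule("tcp", 3306, 3306, "10.0.0.0/16"),   # VPC-internal only: not on the Internet route
    SgRule("udp", 445, 445, INTERNET),
]
SAMPLE_LISTENERS = {("tcp", 22), ("tcp", 8080)}

if __name__ == "__main__":
    for name, listeners in (("with agent", SAMPLE_LISTENERS), ("no agent", None)):
        result = classify(SAMPLE_RULES, listeners)
        print(name, result["port_findings"], result["exposure"])
```

Port 8081 is reachable but yields no port finding either way, because it is unrecognized and has no listener; it still appears in the `NetworkExposure` aggregate.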

# Common vulnerabilities and exposures


The rules in this package help verify whether the EC2 instances in your assessment targets are exposed to common vulnerabilities and exposures (CVEs). Attackers can exploit unpatched vulnerabilities to compromise the confidentiality, integrity, or availability of your service or data. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. For more information, see [https://cve.mitre.org/](https://cve.mitre.org/). 

If a particular CVE appears in a *finding* that is produced by an Amazon Inspector Classic assessment, you can search [https://cve.mitre.org/](https://cve.mitre.org/) for the ID of the CVE (for example, **CVE-2009-0021**). The search results can provide detailed information about this CVE, its severity, and how to mitigate it.

For the Common Vulnerabilities and Exposures (CVE) rules package, Amazon Inspector maps CVSS base scores, or ALAS severity levels when a CVE has no CVSS score, to Amazon Inspector severity levels as follows:

| **Amazon Inspector Severity** | **CVSS Base Score** | **ALAS Severity (if CVSS not scored)** | 
| --- | --- | --- | 
| High | >= 5 | Critical or Important | 
| Medium | < 5 and >= 2.1 | Medium | 
| Low | < 2.1 and >= 0.8 | Low | 
| Informational | < 0.8 | N/A | 

The rules included in this package help you assess whether your EC2 instances are exposed to the CVEs in the following regional lists:
+ [US East (N. Virginia)](https://s3.us-east-1.amazonaws.com/rules-engine.us-east-1/CVEList.txt)
+ [US East (Ohio)](https://s3.us-east-2.amazonaws.com/rules-engine.us-east-2/CVEList.txt)
+ [US West (N. California)](https://s3.us-west-1.amazonaws.com/rules-engine.us-west-1/CVEList.txt)
+ [US West (Oregon)](https://s3.us-west-2.amazonaws.com/rules-engine.us-west-2/CVEList.txt)
+ [EU (Ireland)](https://s3.eu-west-1.amazonaws.com/rules-engine.eu-west-1/CVEList.txt)
+ [EU (Frankfurt)](https://s3.eu-central-1.amazonaws.com/rules-engine.eu-central-1/CVEList.txt)
+ [EU (London)](https://s3.eu-west-2.amazonaws.com/rules-engine.eu-west-2/CVEList.txt)
+ [EU (Stockholm)](https://s3.eu-north-1.amazonaws.com/rules-engine.eu-north-1/CVEList.txt)
+ [Asia Pacific (Tokyo)](https://s3.ap-northeast-1.amazonaws.com/rules-engine.ap-northeast-1/CVEList.txt)
+ [Asia Pacific (Seoul)](https://s3.ap-northeast-2.amazonaws.com/rules-engine.ap-northeast-2/CVEList.txt)
+ [Asia Pacific (Mumbai)](https://s3.ap-south-1.amazonaws.com/rules-engine.ap-south-1/CVEList.txt)
+ [Asia Pacific (Sydney)](https://s3.ap-southeast-2.amazonaws.com/rules-engine.ap-southeast-2/CVEList.txt)
+ [AWS GovCloud West (US)](https://s3.us-gov-west-1.amazonaws.com/rules-engine.us-gov-west-1/CVEList.txt)
+ [AWS GovCloud East (US)](https://s3.us-gov-east-1.amazonaws.com/rules-engine.us-gov-east-1/CVEList.txt)

The CVE rules package is updated regularly; each list contains the CVEs that are included in assessment runs occurring at the time the list is retrieved.

For more information, see [Amazon Inspector Classic rules packages for supported operating systems](inspector_rule-packages_across_os.md).

# Center for Internet Security (CIS) Benchmarks


The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security. AWS is a CIS Security Benchmarks Member company. For a list of Amazon Inspector Classic certifications, see the [Amazon Web Services page on the CIS website](https://benchmarks.cisecurity.org/membership/certified/amazon/).

Amazon Inspector Classic currently provides the following CIS Certified rules packages to help establish secure configuration postures for the following operating systems:

**Amazon Linux**
+ `CIS Benchmark for Amazon Linux 2 Benchmark v1.0.0 Level 1`
+ `CIS Benchmark for Amazon Linux 2 Benchmark v1.0.0 Level 2`
+ `CIS Benchmark for Amazon Linux Benchmark v2.1.0 Level 1`
+ `CIS Benchmark for Amazon Linux Benchmark v2.1.0 Level 2`
+ `CIS Benchmark for Amazon Linux 2014.09-2015.03 v1.1.0 Level 1`

**CentOS Linux**
+ `CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 1 Server`
+ `CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 2 Server`
+ `CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 1 Workstation`
+ `CIS Benchmark for CentOS Linux 7 Benchmark v2.2.0 Level 2 Workstation`
+ `CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2 Level 1 Server`
+ `CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2 Level 2 Server`
+ `CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2 Level 1 Workstation`
+ `CIS Benchmark for CentOS Linux 6 Benchmark v2.0.2 Level 2 Workstation`

**Red Hat Enterprise Linux**
+ `CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 1 Server`
+ `CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 2 Server`
+ `CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 1 Workstation`
+ `CIS Benchmark for Red Hat Enterprise Linux 7 Benchmark v2.1.1 Level 2 Workstation`
+ `CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2 Level 1 Server`
+ `CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2 Level 2 Server`
+ `CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2 Level 1 Workstation`
+ `CIS Benchmark for Red Hat Enterprise Linux 6 Benchmark v2.0.2 Level 2 Workstation`

**Ubuntu**
+ `CIS Benchmark for Ubuntu Linux 18.04 LTS Benchmark v1.0.0 Level 1 Server`
+ `CIS Benchmark for Ubuntu Linux 18.04 LTS Benchmark v1.0.0 Level 2 Server`
+ `CIS Benchmark for Ubuntu Linux 18.04 LTS Benchmark v1.0.0 Level 1 Workstation`
+ `CIS Benchmark for Ubuntu Linux 18.04 LTS Benchmark v1.0.0 Level 2 Workstation`
+ `CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 1 Server`
+ `CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 2 Server`
+ `CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 1 Workstation`
+ `CIS Benchmark for Ubuntu Linux 16.04 LTS Benchmark v1.1.0 Level 2 Workstation`
+ `CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0 Level 1 Server`
+ `CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0 Level 2 Server`
+ `CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0 Level 1 Workstation`
+ `CIS Benchmark for Ubuntu Linux 14.04 LTS Benchmark v2.0.0 Level 2 Workstation`

**Windows**
+ `Windows Server 2016 (CIS Benchmark for Microsoft Windows 2016 RTM (Release 1607), v1.1.0, Level 1 Member Server Profile)`
+ `Windows Server 2016 (CIS Benchmark for Microsoft Windows 2016 RTM (Release 1607), v1.1.0, Level 2 Member Server Profile)`
+ `Windows Server 2016 (CIS Benchmark for Microsoft Windows 2016 RTM (Release 1607), v1.1.0, Level 1 Domain Controller Profile)`
+ `Windows Server 2016 (CIS Benchmark for Microsoft Windows 2016 RTM (Release 1607), v1.1.0, Level 2 Domain Controller Profile)`
+ `Windows Server 2016 (CIS Benchmark for Microsoft Windows 2016 RTM (Release 1607), v1.1.0, Next Generation Windows Security Profile)`
+ `Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows 2012 R2, v2.2.0, Level 1 Domain Controller Profile)`
+ `Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows 2012 R2, v2.2.0, Level 2 Domain Controller Profile)`
+ `Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows 2012 R2, v2.2.0, Level 1 Member Server Profile)`
+ `Windows Server 2012 R2 (CIS Benchmark for Microsoft Windows 2012 R2, v2.2.0, Level 2 Member Server Profile)`
+ `Windows Server 2012 (CIS Benchmark for Microsoft Windows 2012 non-R2, v2.0.0, Level 1 Member Server Profile)`
+ `Windows Server 2012 (CIS Benchmark for Microsoft Windows 2012 non-R2, v2.0.0, Level 2 Member Server Profile)`
+ `Windows Server 2012 (CIS Benchmark for Microsoft Windows 2012 non-R2, v2.0.0, Level 1 Domain Controller Profile)`
+ `Windows Server 2012 (CIS Benchmark for Microsoft Windows 2012 non-R2, v2.0.0, Level 2 Domain Controller Profile)`
+ `Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows 2008 R2, v3.0.0, Level 1 Domain Controller Profile)`
+ `Windows Server 2008 R2 (CIS Benchmark for Microsoft Windows 2008 R2, v3.0.0, Level 1 Member Server Profile)`

If a specific CIS benchmark appears in a finding that is produced by an Amazon Inspector Classic assessment run, you can download a detailed PDF description of the benchmark from [https://benchmarks.cisecurity.org/](https://benchmarks.cisecurity.org/) (free registration required). The benchmark document provides detailed information about this CIS benchmark, its severity, and how to mitigate it. 

For more information, see [Amazon Inspector Classic rules packages for supported operating systems](inspector_rule-packages_across_os.md).

# Security best practices for Amazon Inspector Classic


Use Amazon Inspector Classic rules to help determine whether your systems are configured securely.

**Important**  
Currently, you can include in your assessment targets EC2 instances that are running either Linux-based or Windows-based operating systems.   
During an assessment run, the rules described in this section generate findings **only** for the EC2 instances that are running Linux-based operating systems. The rules do not generate findings for EC2 instances that are running Windows-based operating systems.  
For more information, see [Amazon Inspector Classic rules packages for supported operating systems](inspector_rule-packages_across_os.md).

**Topics**
+ [Disable root login over SSH](#disable-root-login-over-SSH)
+ [Support SSH version 2 only](#support-ssh-v2-only)
+ [Disable password authentication Over SSH](#disable-password-authentication-over-ssh)
+ [Configure password maximum age](#password-maximum-age)
+ [Configure password minimum length](#password-minimum-length)
+ [Configure password complexity](#password-complexity)
+ [Enable ASLR](#ASLR)
+ [Enable DEP](#DEP-OS)
+ [Configure permissions for system directories](#permissions-for-system-directories)

## Disable root login over SSH


This rule helps determine whether the SSH daemon is configured to permit logging in to your EC2 instance as [root](http://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html).

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
There is an EC2 instance in your assessment target that is configured to allow users to log in with root credentials over SSH. This increases the likelihood of a successful brute-force attack. 

**Resolution**  
We recommend that you configure your EC2 instance to prevent root account logins over SSH. Instead, log in as a non-root user and use `sudo` to escalate privileges when necessary. To disable SSH root account logins, set `PermitRootLogin` to `no` in the `/etc/ssh/sshd_config` file, and then restart `sshd`.

## Support SSH version 2 only


This rule helps determine whether your EC2 instances are configured to support SSH protocol version 1. 

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target is configured to support SSH-1, which contains inherent design flaws that greatly reduce its security. 

**Resolution**  
We recommend that you configure EC2 instances in your assessment target to support only SSH-2 and later. For OpenSSH, you can achieve this by setting `Protocol 2` in the `/etc/ssh/sshd_config` file. For more information, see `man sshd_config`.

## Disable password authentication Over SSH


This rule helps determine whether your EC2 instances are configured to support password authentication over the SSH protocol.

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target is configured to support password authentication over SSH. Password authentication is susceptible to brute-force attacks and should be disabled in favor of key-based authentication where possible.

**Resolution**  
We recommend that you disable password authentication over SSH on your EC2 instances and enable support for key-based authentication instead. This significantly reduces the likelihood of a successful brute-force attack. For more information, see [https://aws.amazon.com/articles/1233/](https://aws.amazon.com/articles/1233/). If password authentication is supported, it is important to restrict access to the SSH server to trusted IP addresses.
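The following added example (not Amazon Inspector Classic's own checker) audits an `sshd_config` for the three SSH rules above: `PermitRootLogin`, `Protocol`, and `PasswordAuthentication`. The config texts are constructed; the parser follows the sshd conventions that matter for an audit (case-insensitive keywords, first occurrence wins, optional `=` separator) and assumes the global section, not `Match` blocks, is what the rules inspect.

```python
SAMPLE_WEAK_SSHD_CONFIG = """\
# constructed sample sshd_config that triggers all three findings
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication = yes
# a later duplicate does not override the first occurrence
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

SAMPLE_HARDENED_SSHD_CONFIG = """\
# constructed sample following the page's resolutions
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for the global section of an sshd_config.

    Keywords are case-insensitive and the first occurrence of a keyword wins; the
    keyword and value are separated by whitespace or an optional '='. Everything
    from the first Match line onward is conditional and is skipped (assumption).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                       # "Keyword=value" form
            key, _, value = parts[0].partition("=")
            if len(parts) > 1:
                value = (value + " " + parts[1]).strip()
        else:                                     # "Keyword value" or "Keyword = value"
            key = parts[0]
            value = parts[1].lstrip("= \t") if len(parts) > 1 else ""
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(settings):
    """Return the page's rule names that fire for the parsed settings."""
    findings = []
    # Disable root login over SSH: only an explicit "no" disables every form of root login.
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append("Disable root login over SSH")
    # Support SSH version 2 only: a Protocol list containing 1 enables SSH-1.
    # Assumption: an absent Protocol means a modern OpenSSH that no longer offers SSH-1.
    protocols = {p.strip() for p in settings.get("protocol", "2").split(",")}
    if "1" in protocols:
        findings.append("Support SSH version 2 only")
    # Disable password authentication over SSH: OpenSSH defaults this to yes when unset.
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("Disable password authentication Over SSH")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK_SSHD_CONFIG), ("hardened", SAMPLE_HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd(parse_sshd_config(text)))
```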

## Configure password maximum age


This rule helps determine whether the maximum age for passwords is configured on your EC2 instances.

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target is not configured for a maximum age for passwords.

**Resolution**  
If you are using passwords, we recommend that you configure a maximum age for passwords on all EC2 instances in your assessment target. This requires users to regularly change their passwords and reduces the chances of a successful password guessing attack. To fix this issue for existing users, use the **chage** command. To configure a maximum age for passwords for all future users, edit the `PASS_MAX_DAYS` field in the `/etc/login.defs` file. 

## Configure password minimum length


This rule helps determine whether a minimum length for passwords is configured on your EC2 instances.

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target is not configured for a minimum length for passwords. 

**Resolution**  
If you are using passwords, we recommend that you configure a minimum length for passwords on all EC2 instances in your assessment target. Enforcing a minimum password length reduces the risk of a successful password guessing attack. You can do this by using the following option in the `pwquality.conf` file: `minlen`. For more information, see [https://linux.die.net/man/5/pwquality.conf](https://linux.die.net/man/5/pwquality.conf).  
If `pwquality.conf` is not available on your instance, you can set the `minlen` option using the `pam_cracklib.so` module. For more information, see [https://linux.die.net/man/8/pam_cracklib](https://linux.die.net/man/8/pam_cracklib).   
The `minlen` option should be set to 14 or greater.

## Configure password complexity


This rule helps determine whether a password complexity mechanism is configured on your EC2 instances. 

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
No password complexity mechanism or restrictions are configured on EC2 instances in your assessment target. This allows users to set simple passwords, which increases the chances of unauthorized users gaining access and misusing accounts. 

**Resolution**  
If you are using passwords, we recommend that you configure all EC2 instances in your assessment target to require a level of password complexity. You can do this by using the following options in the `pwquality.conf` file: `lcredit`, `ucredit`, `dcredit`, and `ocredit`. For more information, see [https://linux.die.net/man/5/pwquality.conf](https://linux.die.net/man/5/pwquality.conf) .  
If `pwquality.conf` is not available on your instance, you can set the `lcredit`, `ucredit`, `dcredit`, and `ocredit` options using the `pam_cracklib.so` module. For more information, see [https://linux.die.net/man/8/pam_cracklib](https://linux.die.net/man/8/pam_cracklib).  
The expected value for each of these options is less than or equal to -1, as shown below:  
`lcredit <= -1, ucredit <= -1, dcredit <= -1, ocredit <= -1`  
Additionally, the `remember` option must be set to 12 or greater. For more information, see [https://linux.die.net/man/8/pam_unix](https://linux.die.net/man/8/pam_unix).
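The following added example (not Amazon Inspector Classic's own checker) audits the three password rules above against constructed copies of `/etc/login.defs`, `pwquality.conf`, and the `password` stack of a PAM configuration: `PASS_MAX_DAYS`, `minlen` of 14 or greater, the four credit options at -1 or below, and `pam_unix.so remember` of 12 or greater. It assumes the shadow-utils value 99999 for `PASS_MAX_DAYS` means no maximum age, and uses the pwquality defaults (`minlen` 8, credits 1) for unset options.

```python
import re

# Constructed samples of the three files the password rules point at.
WEAK_LOGIN_DEFS = """\
# /etc/login.defs (constructed)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""
WEAK_PWQUALITY = """\
# /etc/security/pwquality.conf (constructed)
minlen = 8
dcredit = 1
"""
WEAK_PAM_PASSWORD = """\
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
"""

HARDENED_LOGIN_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_WARN_AGE 7\n"
HARDENED_PWQUALITY = "minlen = 14\nlcredit = -1\nucredit = -1\ndcredit = -1\nocredit = -1\n"
HARDENED_PAM_PASSWORD = (
    "password requisite pam_pwquality.so try_first_pass retry=3\n"
    "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=12\n"
)

NO_EXPIRY = 99999   # assumption: shadow-utils' "never expires" value, used as the threshold


def parse_settings(text):
    """Parse 'KEY value' (login.defs) or 'key = value' (pwquality.conf) lines into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def pam_unix_remember(pam_text):
    """Return the remember=N value on the 'password' pam_unix.so line, or None when absent."""
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password" and fields[2].endswith("pam_unix.so"):
            match = re.search(r"\bremember=(\d+)", line)
            return int(match.group(1)) if match else None
    return None


def to_int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def audit_passwords(login_defs, pwquality, pam_password):
    """Return the page's rule names that fire for these files."""
    findings = []
    defs, quality = parse_settings(login_defs), parse_settings(pwquality)
    # Configure password maximum age: absent, or the "never expires" value, means no maximum age.
    if to_int(defs.get("PASS_MAX_DAYS"), NO_EXPIRY) >= NO_EXPIRY:
        findings.append("Configure password maximum age")
    # Configure password minimum length: minlen must be 14 or greater (pwquality default is 8).
    if to_int(quality.get("minlen"), 8) < 14:
        findings.append("Configure password minimum length")
    # Configure password complexity: a credit <= -1 requires that many characters of the class;
    # a positive credit (the default, 1) is only a length bonus, so it does not count as enforced.
    credits_ok = all(to_int(quality.get(opt), 1) <= -1
                     for opt in ("lcredit", "ucredit", "dcredit", "ocredit"))
    remember = pam_unix_remember(pam_password)
    if not credits_ok or remember is None or remember < 12:
        findings.append("Configure password complexity")
    return findings


if __name__ == "__main__":
    print("weak:", audit_passwords(WEAK_LOGIN_DEFS, WEAK_PWQUALITY, WEAK_PAM_PASSWORD))
    print("hardened:", audit_passwords(HARDENED_LOGIN_DEFS, HARDENED_PWQUALITY, HARDENED_PAM_PASSWORD))
```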

## Enable ASLR


This rule helps determine whether address space layout randomization (ASLR) is enabled on the operating systems of the EC2 instances in your assessment target.

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target does not have ASLR enabled.

**Resolution**  
To improve the security of your assessment target, we recommend that you enable ASLR on the operating systems of all EC2 instances in your target by running `echo 2 | sudo tee /proc/sys/kernel/randomize_va_space`. Writing to `/proc/sys` takes effect immediately but does not persist across reboots; to make the setting permanent, add `kernel.randomize_va_space = 2` to a sysctl configuration file.

## Enable DEP


This rule helps determine whether Data Execution Prevention (DEP) is enabled on the operating systems of the EC2 instances in your assessment target.

**Note**  
This rule is not supported for EC2 instances with ARM processors.

**Severity**  
[Medium](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target does not have DEP enabled.

**Resolution**  
We recommend that you enable DEP on the operating systems of all EC2 instances in your assessment target. Enabling DEP protects your instances from security compromises using buffer-overflow techniques.

## Configure permissions for system directories


This rule checks permissions on system directories that contain binaries and system configuration information. It checks that only the root user (a user who logs in by using root account credentials) has write permissions for these directories.

**Severity**  
[High](inspector_rule-packages.md#SeverityLevels)

**Finding**  
An EC2 instance in your assessment target contains a system directory that is writable by non-root users.

**Resolution**  
To improve the security of your assessment target and to prevent privilege escalation by malicious local users, configure all system directories on all EC2 instances in your target to be writable only by users who log in by using root account credentials.