If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.

STIG ID: ALMA-09-021690  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269272

Vulnerability Discussion

Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. Using the "-s" option causes the TFTP service to only serve files from the given directory.

Check

Note: If a TFTP server is not installed, this requirement is Not Applicable.

Verify the TFTP daemon is configured to operate in secure mode.

Check if a TFTP server is installed with the following command:

$ dnf list --installed tftp-server

Installed Packages
tftp-server.x86_64 5.2-37.el9 @appstream

If a TFTP server is installed, check for the server arguments with the following command:

$ systemctl cat tftp | grep ExecStart=

ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.

Fix

Configure the TFTP daemon to operate in secure mode with the following command:

$ systemctl edit tftp.service

Insert the following between the two sets of comments, making sure to add the "-s" option with a nonroot ("/") directory.

[Service]
ExecStart=
ExecStart=/usr/sbin/in.tftpd -s /tftp
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.