The macOS system must disable Trivial File Transfer Protocol (TFTP) service.

STIG ID: APPL-15-002038  |  SRG: SRG-OS-000074-GPOS-00042 |  Severity: high |  CCI: CCI-000197,CCI-000213 |  Vulnerability Id: V-268499

Vulnerability Discussion

If the system does not require TFTP support, it is nonessential and must be disabled.

The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and unauthorized transfer of information.

NOTE: TFTP service is disabled at startup by default with macOS.

Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000080-GPOS-00048

Check

Verify the macOS system is configured to disable TFTP service with the following command:

/bin/launchctl print-disabled system | /usr/bin/grep -c '"com.apple.tftpd" => disabled'

If the result is not "1", this is a finding.

Fix

Configure the macOS system to disable TFTP service with the following command:

/bin/launchctl disable system/com.apple.tftpd

The system may need to be restarted for the update to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.