This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.

STIG ID: OL08-00-040350  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium (CAT II)  |  CCI: CCI-000366 |  Vulnerability Id: V-248902

Vulnerability Discussion

Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.

Check

Verify the TFTP daemon is configured to operate in secure mode with the following commands:

$ sudo yum list installed tftp-server

tftp-server.x86_64 x.x-x.el8

If a TFTP server is not installed, this is not applicable.

If a TFTP server is installed, check for the server arguments with the following command:

$ sudo grep server_args /etc/xinetd.d/tftp

server_args = -s /var/lib/tftpboot

If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.

Fix

Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):

server_args = -s /var/lib/tftpboot
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.