If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.

STIG ID: TOSS-04-040600  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-253102

Vulnerability Discussion

Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.

Check

Note: If TFTP is not required, it should not be installed. If TFTP is not installed, this rule is not applicable.

Determine if TFTP server is installed with the following command:

$ sudo dnf list installed | grep tftp-server
tftp-server.x86_64 x.x-x.el8

Verify that the TFTP daemon, if tftp.server is installed, is configured to operate in secure mode with the following command:

$ grep -i execstart /usr/lib/systemd/system/tftp.service
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

If TFTP is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Note: The "-s" option ensures that the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.

Fix

Configure the TFTP daemon to operate in secure mode with the following command:
$ sudo systemctl edit tftp.service

In the editor enter:
[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

After making changes, reload the systemd daemon and restart the TFTP service as follows:
$ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.