This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.

STIG ID: ALMA-09-021690  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium (CAT II)  |  CCI: CCI-000366 |  Vulnerability Id: V-269272

Vulnerability Discussion

Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. Using the "-s" option causes the TFTP service to only serve files from the given directory.

Check

Note: If a TFTP server is not installed, this requirement is Not Applicable.

Verify the TFTP daemon is configured to operate in secure mode.

Check if a TFTP server is installed with the following command:

$ dnf list --installed tftp-server

Installed Packages
tftp-server.x86_64 5.2-37.el9 @appstream

If a TFTP server is installed, check for the server arguments with the following command:

$ systemctl cat tftp | grep ExecStart=

ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.

Fix

Configure the TFTP daemon to operate in secure mode with the following command:

$ systemctl edit tftp.service

Insert the following between the two sets of comments, making sure to add the "-s" option with a nonroot ("/") directory.

[Service]
ExecStart=
ExecStart=/usr/sbin/in.tftpd -s /tftp
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.