Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| RHEL-06-000338 | RHEL-06-000338 | RHEL-06-000338_rule | High |
| Description |
|---|
| Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2013-02-05 |
Details
| Check Text ( C-RHEL-06-000338_chk ) |
|---|
| Verify "tftp" is configured by with the "-s" option by running the following command. grep "server_args" /etc/xinetd.d/tftp The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below. # grep "server_args" /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot |
| Fix Text (F-RHEL-06-000338_fix) |
|---|
| If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default): server_args = -s /var/lib/tftpboot |