
The TFTP daemon must operate in "secure mode" which provides access only to a single directory on the host file system.


Overview

Finding ID: RHEL-06-000338
Version: RHEL-06-000338
Rule ID: RHEL-06-000338_rule
IA Controls: (none listed)
Severity: High
Description
Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.
STIG: Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Date: 2013-02-05

Details

Check Text (C-RHEL-06-000338_chk)
Verify "tftp" is configured with the "-s" option by running the following command.

grep "server_args" /etc/xinetd.d/tftp

The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below.

# grep "server_args" /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot
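
The grep check above also matches a commented-out "server_args" line. As an added example (not part of the STIG text), the shell function below evaluates only the active line and requires "-s" to be followed directly by an absolute directory, the form shown on this page. The function names and the sample configuration files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG). Sample configs below are constructed.

# Print the directory given to -s on the active server_args line; return 1
# if the line is missing, commented out, or lacks "-s <absolute dir>".
tftp_secure_dir() {
    conf=$1
    [ -r "$conf" ] || return 1
    # Anchoring at line start skips "# server_args = ..." comments, which
    # a bare grep "server_args" would still match.
    args=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    [ -n "$args" ] || return 1
    set -f              # disable globbing while word-splitting the arguments
    set -- $args
    set +f
    while [ $# -gt 1 ]; do
        if [ "$1" = "-s" ]; then
            case $2 in
                /*) printf '%s\n' "$2"; return 0 ;;
            esac
        fi
        shift
    done
    return 1
}

# Constructed sample files: one compliant, one with -s only in a comment.
write_samples() {
    dir=$1
    printf 'service tftp\n{\n\tserver = /usr/sbin/in.tftpd\n\tserver_args = -s /var/lib/tftpboot\n}\n' > "$dir/good"
    printf 'service tftp\n{\n\t# server_args = -s /var/lib/tftpboot\n\tserver_args = -c /srv\n}\n' > "$dir/bad"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good bad; do
    if d=$(tftp_secure_dir "$demo_dir/$f"); then
        echo "$f: PASS (secure mode, root $d)"
    else
        echo "$f: FAIL (no active -s <dir> in server_args)"
    fi
done
rm -rf "$demo_dir"
```

On a real system, call the function with /etc/xinetd.d/tftp as its argument; a non-zero return means the finding is open.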

Fix Text (F-RHEL-06-000338_fix)
If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot