If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP daemon must be configured to operate in secure mode.


Overview

Finding ID: V-257952
Version: RHEL-09-252055
Rule ID: SV-257952r991589_rule
IA Controls:
Severity: Medium
Description
Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. Using the "-s" option causes the TFTP service to only serve files from the given directory.
STIG: Red Hat Enterprise Linux 9 Security Technical Implementation Guide
Date: 2024-06-04

Details

Check Text (C-61693r925841_chk)
Verify the TFTP daemon is configured to operate in secure mode.

Check if a TFTP server is installed with the following command:

$ sudo dnf list --installed tftp-server

Example output:

tftp-server.x86_64 5.2-35.el9.x86_64

Note: If a TFTP server is not installed, this requirement is Not Applicable.

If a TFTP server is installed, check for the server arguments with the following command:

$ systemctl cat tftp | grep ExecStart
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

If the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.
Fix Text (F-61617r925842_fix)
Configure the TFTP daemon to operate in secure mode.

1. Find the path for the systemd service.

$ sudo systemctl show tftp | grep FragmentPath=
FragmentPath=/etc/systemd/system/tftp.service

2. Edit the ExecStart line in that file to add the -s option with a subdirectory.

ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
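
"systemctl cat" prints the unit file followed by any drop-in files, so the grep in the check can match a compliant line that a later drop-in replaces. The script below is an added example, not part of the STIG: it works out the ExecStart that takes effect and tests it for -s plus a directory. The function names, the sample unit text, the override.conf path and the rejection of "/" are assumptions of this example; arguments are assumed to be unquoted and only short options are treated as taking a value.

```bash
# Added example (not from the STIG): judge the ExecStart that systemd actually uses.

# Last assignment wins; an empty "ExecStart=" in a drop-in clears earlier ones.
effective_execstart() {
    local line eff=""
    while IFS= read -r line; do
        line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
        case "$line" in ExecStart=*) eff="${line#ExecStart=}" ;; esac
    done
    printf '%s\n' "$eff"
}

# Return 0 only if -s/--secure is set and a directory other than "/" is given.
tftp_secure_mode() {
    local secure=0 dir="" skip=0 tok
    set -f; set -- $1; set +f          # word-split without glob expansion
    [ "$#" -gt 0 ] || return 1         # empty command line
    shift                              # drop the in.tftpd binary itself
    for tok in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$tok" in
            -s|--secure) secure=1 ;;
            # in.tftpd short options that consume the next word (e.g. -m mapfile)
            -a|-u|-U|-B|-t|-T|-m|-r|-R|-P) skip=1 ;;
            -*) ;;                     # other flags such as -c or -v
            /*) dir="$tok" ;;          # positional argument: the served directory
        esac
    done
    # Rejecting "/" is this example's assumption: it would confine nothing.
    [ "$secure" -eq 1 ] && [ -n "$dir" ] && [ "$dir" != "/" ]
}

# Read unit text on stdin; print a verdict and return 0 (pass) or 1 (finding).
audit_tftp_unit() {
    local cmd
    cmd="$(effective_execstart)"
    if tftp_secure_mode "$cmd"; then
        echo "PASS: $cmd"
    else
        echo "FINDING: ${cmd:-no ExecStart found}"; return 1
    fi
}

# Constructed sample: base unit is compliant, a drop-in replaces it without -s.
SAMPLE_OVERRIDDEN='# /etc/systemd/system/tftp.service
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
# /etc/systemd/system/tftp.service.d/override.conf
ExecStart=
ExecStart=/usr/sbin/in.tftpd -c /var/lib/tftpboot'
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_tftp_unit || true
```

On a live system, source the functions and run: systemctl cat tftp | audit_tftp_unit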