DISA STIGS Viewer

If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.

Overview

Finding ID: V-253102
Version: TOSS-04-040600
Rule ID: SV-253102r1102131_rule
IA Controls:
Severity: Medium
Description
Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.
STIG Date
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide 2025-05-08

Details

Check Text (C-56555r1102129_chk)
Note: If TFTP is not required, it should not be installed. If TFTP is not installed, this is not applicable.

Check if TFTP server is installed with the following command:

$ sudo dnf list installed | grep tftp-server
tftp-server.x86_64 x.x-x.el8

If tftp-server is installed, verify the TFTP daemon is configured to operate in secure mode with the following command:

$ grep -i execstart /usr/lib/systemd/system/tftp.service
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

Note: The "-s" option ensures that the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.

Fix Text (F-56505r1102130_fix)
Configure the TFTP daemon to operate in secure mode with the following command:

$ sudo systemctl edit tftp.service

In the editor, enter:

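[Service]
# Clear the ExecStart inherited from the vendor unit; systemd allows more than one only for Type=oneshot.
ExecStart=
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot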

After making changes, reload the systemd daemon and restart the TFTP service as follows:

$ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service
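
The check text reads only the vendor unit file, while "systemctl edit" writes a drop-in, so the following added example (not part of the STIG text) evaluates the ExecStart that is in force across both. It expects unit text in the form printed by "systemctl cat tftp.service". The function names and the sample unit text are constructed for illustration.

```shell
#!/bin/sh
# Added example: judge the ExecStart actually in force for tftp.service.
# Input: unit text as `systemctl cat` prints it (vendor unit, then drop-ins).

# Print the ExecStart commands still in force. An empty "ExecStart=" line
# clears every earlier entry, which is how a drop-in replaces the vendor one.
effective_execstart() {
    awk '
        /^[ \t]*ExecStart[ \t]*=/ {
            sub(/^[ \t]*ExecStart[ \t]*=[ \t]*/, "")
            if ($0 == "") n = 0; else cmd[++n] = $0
        }
        END { for (i = 1; i <= n; i++) print cmd[i] }
    '
}

# Return 0 only if exactly one command remains, it runs in.tftpd, and "-s"
# is present as its own argument together with an absolute directory path.
tftp_secure_mode() {
    cmds=$(effective_execstart)
    [ "$(printf '%s\n' "$cmds" | grep -c .)" -eq 1 ] || return 1
    set -f; set -- $cmds; set +f      # split the command line into words
    case "$1" in */in.tftpd) shift ;; *) return 1 ;; esac
    secure=no; dir=
    for arg in "$@"; do
        case "$arg" in
            -s) secure=yes ;;
            /*) dir=$arg ;;
        esac
    done
    [ "$secure" = yes ] && [ -n "$dir" ]
}

# Constructed sample: vendor unit without -s, then a drop-in that resets it.
sample='# /usr/lib/systemd/system/tftp.service
[Service]
ExecStart=/usr/sbin/in.tftpd /var/lib/tftpboot
# /etc/systemd/system/tftp.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot'

if printf '%s\n' "$sample" | tftp_secure_mode; then
    echo "secure mode: yes"
else
    echo "secure mode: no"
fi
# On a live host: systemctl cat tftp.service | tftp_secure_mode
```

A drop-in that resets ExecStart and omits "-s" fails this check even when the vendor unit file still shows the secure command line.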