← Rules Catalog
mediumsystemverified

Configure TFTP daemon to operate in secure mode

tftp-secure-mode · RHEL ≥ 8 · 1 impl

Description

If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. The secure option restricts TFTP to a specific directory and prevents directory traversal.

Rationale

Without the secure option, the TFTP daemon serves files from the root filesystem, allowing unauthenticated access to any world-readable file. Secure mode restricts TFTP to a designated directory, limiting the exposure of sensitive files.

Check → Remediate

Checkcommand
if ! rpm -q tftp-server >/dev/null 2>&1; then exit 0; fi
grep -qE '^\s*server_args\s*=.*--secure|-s\s+/' \
  /etc/xinetd.d/tftp /usr/lib/systemd/system/tftp.service 2>/dev/null
expected_exit:
0
Remediatemanual
note:
Configure the TFTP daemon to run in secure mode by adding the --secure flag and specifying a restricted directory in /etc/xinetd.d/tftp: server_args = -s /var/lib/tftpboot Or add '--secure /var/lib/tftpboot' to the ExecStart line in the systemd unit file, then restart the tftp service.

Framework references

STIG

V-281363 / RHEL-10-800310V-280947 / RHEL-10-200050V-257835 / RHEL-09-215060V-230557

NIST 800-53

CM-7CM-6

Live verification

rhel8:check
#tftp#service#security#hardening#stig