mediumsystemverified ✓
Configure TFTP daemon to operate in secure mode
tftp-secure-mode · RHEL ≥ 8 · 1 impl
Description
If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode. The secure option restricts TFTP to a specific directory and prevents directory traversal.
Rationale
Without the secure option, the TFTP daemon serves files from the root filesystem, allowing unauthenticated access to any world-readable file. Secure mode restricts TFTP to a designated directory, limiting the exposure of sensitive files.
Check → Remediate
Checkcommand
if ! rpm -q tftp-server >/dev/null 2>&1; then exit 0; fi grep -qE '^\s*server_args\s*=.*--secure|-s\s+/' \ /etc/xinetd.d/tftp /usr/lib/systemd/system/tftp.service 2>/dev/null
- expected_exit:
- 0
Remediatemanual
- note:
- Configure the TFTP daemon to run in secure mode by adding the --secure flag and specifying a restricted directory in /etc/xinetd.d/tftp: server_args = -s /var/lib/tftpboot Or add '--secure /var/lib/tftpboot' to the ExecStart line in the systemd unit file, then restart the tftp service.
Framework references
STIG
V-281363 / RHEL-10-800310V-280947 / RHEL-10-200050V-257835 / RHEL-09-215060V-230557
NIST 800-53
CM-7CM-6
Live verification
rhel8:check
#tftp#service#security#hardening#stig