Check: RHEL-06-000338
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000338
(in versions v2 r2 through v1 r21)
Title
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. (Cat I impact)
Discussion
Using the "-s" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
Check Content
Verify the "tftp" package is installed:

# rpm -qa | grep -i tftp
tftp-5.2-22.e16.x86_64

If the "tftp" package is not installed, this is Not Applicable.

Verify "tftp" is configured with the "-s" option by running the following command:

grep "server_args" /etc/xinetd.d/tftp

The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below:

# grep "server_args" /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot

If it does not, this is a finding.
Fix Text
If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot
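The check above is a manual grep; the script below is an added example (not part of the STIG or of any DISA tooling) that performs the same "server_args" inspection as a reusable audit. It reads an xinetd service file, takes the last active "server_args = ..." assignment, and reports PASS when "-s" (or its tftp-hpa long form "--secure") is followed by an absolute directory. The "rpm -qa" step is left out so the script runs offline; as an assumption, a missing service file is reported as NA in place of the "package not installed" branch. The sample service files it writes are constructed for the demo and are not the system's own.

```shell
#!/bin/sh
# Added example for RHEL-06-000338: audit an xinetd tftp service file for the
# "-s" secure-mode flag. Not part of the STIG; the rpm step is omitted and a
# missing file is treated as NA (assumption).

# Return 0 if the last active "server_args = ..." line in $1 carries -s or
# --secure followed by an absolute directory, 1 if server_args is set without
# it, 2 if no active assignment exists. "#" comment lines are ignored; the
# "server_args += ..." append form is not handled (assumption: plain "=" as in
# the STIG example).
tftp_server_args_secure() {
    line=$(grep -E '^[[:space:]]*server_args[[:space:]]*=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 2
    # Everything after "=" is the argument string; split it on whitespace
    # with globbing disabled so a stray "*" cannot expand.
    set -f
    set -- ${line#*=}
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -s|--secure)
                case "$2" in
                    /*) return 0 ;;   # flag present and followed by a directory
                    *)  return 1 ;;   # flag present but no directory argument
                esac ;;
        esac
        shift
    done
    return 1
}

# Print PASS, FAIL or NA for one service file; always exits 0 for use in loops.
tftp_secure_status() {
    if [ ! -f "$1" ]; then
        echo NA
        return 0
    fi
    if tftp_server_args_secure "$1"; then
        echo PASS
    else
        echo FAIL
    fi
}

# Write constructed sample service files into directory $1 (demo input only).
write_samples() {
    cat > "$1/tftp.secure" <<'EOF'
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = no
}
EOF
    # Secure line commented out, active line allows uploads (-c) but no chroot.
    cat > "$1/tftp.insecure" <<'EOF'
service tftp
{
        server                  = /usr/sbin/in.tftpd
#       server_args             = -s /var/lib/tftpboot
        server_args             = -c /var/lib/tftpboot
        disable                 = no
}
EOF
}

# Demo on the constructed samples plus a deliberately missing file.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/tftp.secure" "$demo_dir/tftp.insecure" "$demo_dir/tftp.missing"; do
    printf '%s: %s\n' "${f##*/}" "$(tftp_secure_status "$f")"
done
rm -rf "$demo_dir"
```

On a real host the same call is `tftp_secure_status /etc/xinetd.d/tftp`; a FAIL there corresponds to the finding described in the check, and the fix is the "server_args = -s /var/lib/tftpboot" line above.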
Additional Identifiers
Rule ID: SV-218069r603264_rule
Vulnerability ID: V-218069
Group Title: SRG-OS-000480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |