Ensure tftp Daemon Uses Secure Mode

An XCCDF Rule

Description

If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the tftp systemd service:

$ sudo systemctl show tftp | grep FragmentPath=
FragmentPath=/etc/systemd/system/tftp.service

and ensure the ExecStart line on that file includes the -s option with a subdirectory:

ExecStart=/usr/sbin/in.tftpd -s

Rationale

Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.

ID: xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
Severity: Medium
References: 11 12 13 14 15 16 18 3 5 8 9

APO01.06 APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.04 DSS05.05 DSS05.07 DSS06.02 DSS06.06

CCI-000366

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.1.2 A.6.2.1 A.6.2.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6 CM-6(b) CM-7(a)

PR.AC-3 PR.AC-4 PR.DS-5 PR.IP-1 PR.PT-3 PR.PT-4

SRG-OS-000480-GPOS-00227

SV-257952r925843_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q tftp-server; then

var_tftpd_secure_directory='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_tftpd_secure_directory" use="legacy"/>'

if grep -q 'server_args' /etc/xinetd.d/tftp; then
    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp
else
    echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-09-252055
  - NIST-800-53-AC-6  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - tftpd_uses_secure_mode
- name: XCCDF Value var_tftpd_secure_directory # promote to variable
  set_fact:
    var_tftpd_secure_directory: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_tftpd_secure_directory" use="legacy"/>
  tags:
    - always

- name: Find out if the file exists and contains the line configuring server arguments
  find:
    path: /etc/xinetd.d
    patterns: tftp
    contains: ^[\s]+server_args.*$
  register: tftpd_secure_config_line
  when: '"tftp-server" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-09-252055
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - tftpd_uses_secure_mode

- name: Ensure that TFTP server is configured to start with secure directory
  lineinfile:
    path: /etc/xinetd.d/tftp
    regexp: ^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$
    line: \1 -s {{ var_tftpd_secure_directory }} \3
    state: present
    backrefs: true
  when:
  - '"tftp-server" in ansible_facts.packages'
  - tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
  tags:
  - DISA-STIG-RHEL-09-252055
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - tftpd_uses_secure_mode

- name: Insert correct config line to start TFTP server with secure directory
  lineinfile:
    path: /etc/xinetd.d/tftp
    line: server_args = -s {{ var_tftpd_secure_directory }}
    state: present
    create: true
  when:
  - '"tftp-server" in ansible_facts.packages'
  - tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
  tags:
  - DISA-STIG-RHEL-09-252055
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(b)
  - NIST-800-53-CM-7(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - tftpd_uses_secure_mode

Ensure tftp Daemon Uses Secure Mode

Description

Rationale

Remediation - Shell Script

Remediation - Ansible