
Ensure tftp systemd Service Uses Secure Mode

An XCCDF Rule

Description

If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the path for the tftp systemd service:

$ sudo systemctl show tftp | grep ExecStart=
ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }

and ensure the ExecStart line in that unit file includes the -s option with a subdirectory:

ExecStart=/usr/sbin/in.tftpd -s 

Warning

An OVAL check is not currently available for this rule, because ExecStart is not exposed via dbus and therefore cannot be checked with OVAL. A remediation is also not currently available for this rule.
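
Because the rule ships no automated check, the manual inspection from the Description can be scripted. The following is an added example, not part of the SSG content: the function names `extract_argv` and `tftp_secure_mode` are hypothetical, the sample lines are constructed, and only the form shown on this page (`-s` immediately followed by an absolute directory other than `/`) is treated as compliant, so any other ordering is reported as failing for manual review.

```shell
#!/bin/sh
# Added example: verify that an ExecStart line runs in.tftpd with "-s <dir>".

# Print the command line from either form of the setting:
#   systemctl show:  ExecStart={ path=... ; argv[]=CMD ARGS ; ignore_errors=... }
#   unit file:       ExecStart=CMD ARGS
extract_argv() {
    case "$1" in
        *'argv[]='*)
            rest=${1#*argv\[\]=}           # drop everything up to "argv[]="
            printf '%s\n' "${rest%% ;*}"   # drop from the first " ;" onward
            ;;
        ExecStart=*) printf '%s\n' "${1#ExecStart=}" ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 = "-s" directly followed by an absolute directory other
# than "/", 1 = not compliant, 2 = no command could be extracted.
tftp_secure_mode() {
    argv=$(extract_argv "$1") || return 2
    set -f              # keep word splitting, disable glob expansion
    set -- $argv
    set +f
    [ $# -ge 1 ] || return 2
    shift               # skip argv[0], the daemon path
    while [ $# -gt 0 ]; do
        if [ "$1" = "-s" ]; then
            case "${2:-}" in
                /)  return 1 ;;   # changing root to "/" confines nothing
                /*) return 0 ;;
                *)  return 1 ;;   # "-s" with no directory after it
            esac
        fi
        shift
    done
    return 1            # "-s" never appeared
}

# Constructed sample lines. On a live host, pass
# "$(systemctl show tftp | grep ExecStart=)" instead.
for line in \
    'ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no }' \
    'ExecStart=/usr/sbin/in.tftpd /var/lib/tftpboot' \
    'ExecStart=/usr/sbin/in.tftpd -s /'
do
    if tftp_secure_mode "$line"; then echo "PASS: $line"; else echo "FAIL: $line"; fi
done
```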

Rationale

Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private.

ID
xccdf_org.ssgproject.content_rule_tftp_uses_secure_mode_systemd
Severity
Medium
Updated