Ensure tftp Daemon Uses Secure Mode
An XCCDF Rule
Description
If running the Trivial File Transfer Protocol (TFTP) service is necessary,
it should be configured to change its root directory at startup. To do so,
find the path for the tftp systemd service:
$ sudo systemctl show tftp | grep FragmentPath=
FragmentPath=/etc/systemd/system/tftp.service
and ensure the ExecStart line in that file includes the -s option with a subdirectory:
ExecStart=/usr/sbin/in.tftpd -s
Rationale
Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private.
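The manual check described above can be scripted. The following is an added example, not part of the rule's own content: the function name check_tftp_secure_mode and the sample unit file are constructed for illustration, and it assumes the unit file path comes from the FragmentPath= value shown earlier. It accepts only the form the rule shows (-s directly followed by an absolute directory) and treats "/" as non-compliant; drop-in overrides and backslash line continuations are not examined.

```shell
#!/bin/sh
# Added example (not from the rule's content): audit a tftp unit file for secure mode.
# Returns 0 if every ExecStart= line running in.tftpd has "-s" directly followed
# by an absolute directory other than "/", 1 if any such line lacks it, and
# 2 if the file is unreadable or contains no in.tftpd ExecStart line.
check_tftp_secure_mode() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*ExecStart[ \t]*=/ && /in\.tftpd/ {
            found = 1
            line = $0
            sub(/^[^=]*=/, "", line)          # keep only the command line
            n = split(line, arg, /[ \t]+/)
            ok = 0
            for (i = 1; i < n; i++)
                if (arg[i] == "-s" && arg[i + 1] ~ "^/[^/]")
                    ok = 1
            if (!ok) bad = 1                  # one bad line fails the file
        }
        END {
            if (!found) exit 2
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Demo on a constructed unit file (sample data, not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/tftp.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/in.tftpd -c
StandardInput=socket
EOF
if check_tftp_secure_mode "$demo_dir/tftp.service"; then
    echo "PASS: in.tftpd runs in secure mode"
else
    echo "FAIL: ExecStart lacks -s <directory> (or no in.tftpd line found)"
fi
rm -rf "$demo_dir"
```

On a real host, pass the path printed after FragmentPath= as the argument.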
- ID: xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-6
  - NIST-800-53-CM-6(b)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q tftp-server; then
var_tftpd_secure_directory='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_tftpd_secure_directory" use="legacy"/>'