Ensure tftp Daemon Uses Secure Mode
An XCCDF Rule
Description
If running the Trivial File Transfer Protocol (TFTP) service is necessary,
it should be configured to change its root directory at startup. To do so,
ensure /etc/xinetd.d/tftp
includes -s
as a command line argument,
as shown in the following example:
server_args = -s
Rationale
Using the -s
option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private.
- ID
- xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q tftp-server; then
var_tftpd_secure_directory='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_tftpd_secure_directory" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-AC-6
- NIST-800-53-CM-6(b)