If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-230557 | RHEL-08-040350 | SV-230557r1088855_rule | CCI-000366 | medium |
| Description | ||||
| Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 8 Security Technical Implementation Guide | 2025-05-14 | |||
Details
Check Text (C-230557r1088855_chk)
Note: IAW RHEL-08-040190 if TFTP is not required, it should not be installed. If TFTP is not installed, this rule is not applicable.
Check to see if TFTP server is installed with the following command:
$ sudo dnf list installed | grep tftp-server
tftp-server.x86_64 x.x-x.el8
Verify that the TFTP daemon, if tftp.server is installed, is configured to operate in secure mode with the following command:
$ grep -i execstart /usr/lib/systemd/system/tftp.service
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
Note: The "-s" option ensures that the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.
If the TFTP server is installed but the TFTP daemon is not configured to operate in secure mode, this is a finding.
Fix Text (F-33201r1069173_fix)
Configure the TFTP daemon to operate in secure mode with the following command:
$ sudo systemctl edit tftp.service
In the editor enter:
[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
After making changes, reload the systemd daemon and restart the TFTP service as follows:
$ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service