If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253102 | TOSS-04-040600 | SV-253102r1134939_rule | CCI-000366 | medium |
| Description | ||||
| Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide | 2026-02-19 | |||
Details
Check Text (C-253102r1134939_chk)
Note: If TFTP is not required, it should not be installed. If TFTP is not installed, this rule is not applicable.
Determine if TFTP server is installed with the following command:
$ sudo dnf list installed | grep tftp-server
tftp-server.x86_64 x.x-x.el8
Verify that the TFTP daemon, if tftp.server is installed, is configured to operate in secure mode with the following command:
$ grep -i execstart /usr/lib/systemd/system/tftp.service
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
If TFTP is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Note: The "-s" option ensures that the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.
Fix Text (F-56505r1134938_fix)
Configure the TFTP daemon to operate in secure mode with the following command:
$ sudo systemctl edit tftp.service
In the editor enter:
[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
After making changes, reload the systemd daemon and restart the TFTP service as follows:
$ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service