If the Trivial File Transfer Protocol (TFTP) server is required, TOSS 5 TFTP daemon must be configured to operate in secure mode.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282682TOSS-05-000208SV-282682r1201337_ruleCCI-000366high
Description
Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files. Using the "-s" option causes the TFTP service to only serve files from the given directory.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282682r1201337_chk)

Note: If TFTP is not required, it should not be installed. If TFTP is not installed, this is not applicable. Determine if TFTP server is installed using the following command: $ sudo dnf list installed | grep tftp-server tftp-server.x86_64 x.x-x.el8 Verify the TFTP daemon, if tftp.server is installed, is configured to operate in secure mode using the following command: $ grep -i execstart /usr/lib/systemd/system/tftp.service ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot If TFTP is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Note: The "-s" option ensures that the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.

Fix Text (F-87148r1201336_fix)

Configure the TFTP daemon to operate in secure mode using the following command: $ sudo systemctl edit tftp.service In the editor, enter: [Service] ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot After making changes, reload the systemd daemon and restart the TFTP service: $ sudo systemctl daemon-reload $ sudo systemctl restart tftp.service