If the Trivial File Transfer Protocol (TFTP) server is required, the TOSS TFTP daemon must be configured to operate in secure mode.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-253102	SRG-OS-000480-GPOS-00227	TOSS-04-040600	SV-253102r991589_rule	2024-05-30	2

Description
Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.

ℹ️ Check
Verify the TFTP daemon is configured to operate in secure mode with the following commands: $ sudo yum list installed tftp-server tftp-server.x86_64 x.x-x.el8 If a TFTP server is not installed, this is Not Applicable. If a TFTP server is installed, check for the server arguments with the following command: $ sudo grep server_args /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If the "server_args" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.

ℹ️ Check

Verify the TFTP daemon is configured to operate in secure mode with the following commands: $ sudo yum list installed tftp-server tftp-server.x86_64 x.x-x.el8 If a TFTP server is not installed, this is Not Applicable. If a TFTP server is installed, check for the server arguments with the following command: $ sudo grep server_args /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If the "server_args" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.

✔️ Fix
Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value): server_args = -s /var/lib/tftpboot