{"description": "If running the Trivial File Transfer Protocol (TFTP) service is necessary,\nit should be configured to change its root directory at startup. To do so,\nfind the path for the <tt>tftp</tt> systemd service:\n<pre>$ sudo systemctl show tftp | grep ExecStart=\nExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }\n</pre>\n\nand ensure the <tt>ExecStart</tt> line in that unit file includes the <tt>-s</tt> option with a subdirectory:\n<pre>ExecStart=/usr/sbin/in.tftpd -s <sub idref=\"var_tftpd_secure_directory\" /></pre>", "rationale": "Using the <tt>-s</tt> option causes the TFTP service to only serve files from the\ngiven directory. Serving files from an intentionally-specified directory\nreduces the risk of sharing files which should remain private.", "severity": "medium", "references": {"nist": ["IA-5 (1) (c)"], "srg": ["SRG-OS-000074-GPOS-00042"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the ExecStart property of tftp does not contain a correctly set -s flag", "ocil": "Use <tt>sudo systemctl show tftp</tt> to verify that the tftp service is using secure mode.\n<pre>$ sudo systemctl show tftp | grep ExecStart=\nExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }\n</pre>\n\nand ensure the <tt>ExecStart</tt> line in that unit file includes the <tt>-s</tt> option with a subdirectory:\n<pre>ExecStart=/usr/sbin/in.tftpd -s <sub idref=\"var_tftpd_secure_directory\" /></pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "If the Trivial File Transfer Protocol (TFTP) server is required, the Ubuntu 22.04 TFTP daemon must be configured to operate in secure mode.", "checktext": "If a TFTP server is not installed, this rule is not applicable.\n\nCheck to see if the TFTP server is installed with the following command:\n\n$ sudo dnf list installed | grep tftp-server\ntftp-server.x86_64 5.2-49.el10\n\nVerify that the TFTP daemon, if tftp-server is installed, is configured to operate in secure mode with the following command:\n\n$ systemctl cat tftp.service | grep -i execstart\nExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot\n\nNote: The \"-s\" option ensures that the TFTP server only serves files from the specified directory, which is a security measure to prevent unauthorized access to other parts of the file system.\n\nIf the TFTP server is installed but the TFTP daemon is not configured to operate in secure mode, this is a finding.", "fixtext": "Configure the TFTP daemon to operate in secure mode with the following command:\n$ sudo systemctl edit tftp.service\n\nIn the editor enter:\n[Service]\nExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot\n\nAfter making changes, reload the systemd daemon and restart the TFTP service as follows:\n$ sudo systemctl daemon-reload\n$ sudo systemctl restart tftp.service", "vuldiscussion": "Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files."}}, "platform": "package[tftp-server]", "platforms": ["package[tftp-server]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_tftp-server"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure tftp systemd Service Uses Secure Mode", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/obsolete/tftp/tftp_uses_secure_mode_systemd/rule.yml", "template": null}