documentation_complete: true


title: 'Ensure tftp Daemon Uses Secure Mode'

description: |-
    If running the Trivial File Transfer Protocol (TFTP) service is necessary,
    it should be configured to change its root directory at startup. To do so,
    {{%- if product in ["ol7","rhel8","ol8","rhv4"] %}}
    ensure <tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument,
    as shown in the following example:
    <pre>server_args = -s {{{ xccdf_value("var_tftpd_secure_directory") }}}</pre>
    {{%- else %}}
    find the path for the <tt>tftp</tt> systemd service:
    <pre>$ sudo systemctl show tftp | grep FragmentPath=
    FragmentPath=/etc/systemd/system/tftp.service</pre>

    and ensure the <tt>ExecStart</tt> line on that file includes the <tt>-s</tt> option with a subdirectory:
    <pre>ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}</pre>
    {{%- endif %}}

rationale: |-
    Using the <tt>-s</tt> option causes the TFTP service to only serve files from the
    given directory. Serving files from an intentionally-specified directory
    reduces the risk of sharing files which should remain private.

severity: medium

platform: package[tftp-server]

identifiers:
    cce@rhel8: CCE-82434-2
    cce@rhel9: CCE-90736-0
    cce@rhel10: CCE-88137-5

references:
    cis-csc: 11,12,13,14,15,16,18,3,5,8,9
    cobit5: APO01.06,APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
    isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nist: CM-6(b),AC-6,CM-7(a)
    nist-csf: PR.AC-3,PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-040720
    stigid@ol8: OL08-00-040350

ocil_clause: |-
{{%- if product in ["ol7","rhel8","ol8","rhv4"] %}}
    '"server_args" line does not have a "-s" option, and a subdirectory is not assigned'
{{%- else %}}
    'the "ExecStart" line does not have a "-s" option, and a subdirectory is not assigned'
{{%- endif %}}

ocil: |-
    Verify the TFTP daemon is configured to operate in secure mode.

    Check if a TFTP server is installed with the following command:
    {{% if product in ["ol7","rhel8","ol8","rhv4"] %}}
    <pre>$ rpm -qa | grep tftp</pre>
    {{% else %}}
    <pre>$ sudo dnf list --installed tftp-server

    tftp-server.x86_64    5.2-35.el9.x86_64</pre>
    {{% endif %}}

    If a TFTP server is not installed, this is Not Applicable.
    <br /><br />
    {{% if product in ["ol7","rhel8","ol8","rhv4"] %}}
    If a TFTP server is installed, verify TFTP is configured by with
    the <tt>-s</tt> option by running the following command:

    <pre>grep "server_args" /etc/xinetd.d/tftp</pre>
    <pre>server_args = -s {{{ xccdf_value("var_tftpd_secure_directory") }}}</pre>
    {{% else %}}
    If a TFTP server is installed, check for the server arguments with the following command:

    <pre>$ systemctl cat tftp | grep ExecStart=
    ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}</pre>
    {{% endif %}}

fixtext: |-
    {{%- if product in ["ol7","rhel8","ol8","rhv4"] %}}
    Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):

    server_args = -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
    {{%- else %}}
    Configure the TFTP daemon to operate in secure mode.

    1. Find the path for the systemd service

    $ sudo systemctl show tftp | grep FragmentPath=
    FragmentPath=/etc/systemd/system/tftp.service

    2. Edit the ExecStart line on that file to add the -s option with a subdirectory.

    ExecStart=/usr/sbin/in.tftpd -s {{{ xccdf_value("var_tftpd_secure_directory") }}}
    {{%- endif %}}

srg_requirement: 'If the Trivial File Transfer Protocol (TFTP) server is required, the {{{ full_name }}} TFTP daemon must be configured to operate in secure mode.'