Rules Related To 'tftp'

Component overview

Relevant packages:

Relevant groups:

None

Changelog:

No changes recorded.

Relevant rules:

Rule details

Uninstall tftp-server Package

package_tftp-server_removed

Description

The tftp-server package can be removed with the following command:

$ sudo dnf remove tftp-server

Rationale

Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Security Manager (ISSM), restricted to only authorized personnel, and have access control rules established.

Remove tftp Daemon

package_tftp_removed

Description

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and is therefore easily abused. The tftp package provides the client program used to connect to a TFTP server.

Rationale

It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.

Disable tftp Service

service_tftp_disabled

Description

The tftp service should be disabled. The tftp service can be disabled with the following command:

$ sudo systemctl mask --now tftp.service

Rationale

Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.

Ensure tftp Daemon Uses Secure Mode

tftpd_uses_secure_mode

Description

If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, find the unit file of the tftp systemd service:

$ sudo systemctl show tftp | grep FragmentPath=
FragmentPath=/etc/systemd/system/tftp.service

and ensure the ExecStart line in that file includes the -s option with a subdirectory:

ExecStart=/usr/sbin/in.tftpd -s $var_tftpd_secure_directory

Rationale

Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.

Ensure tftp systemd Service Uses Secure Mode

tftp_uses_secure_mode_systemd

Description

If running the Trivial File Transfer Protocol (TFTP) service is necessary, it should be configured to change its root directory at startup. To do so, inspect the ExecStart setting of the tftp systemd service:

$ sudo systemctl show tftp | grep ExecStart=
ExecStart={ path=/usr/sbin/in.tftpd ; argv[]=/usr/sbin/in.tftpd -s /var/lib/tftpboot ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 }

and ensure the ExecStart line of the unit includes the -s option with a subdirectory:

ExecStart=/usr/sbin/in.tftpd -s $var_tftpd_secure_directory

Rationale

Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.
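As an added example, not part of this page or of the ComplianceAsCode project, the following POSIX sh script performs the check that the two secure-mode rules above (tftpd_uses_secure_mode and tftp_uses_secure_mode_systemd) describe: it reads the effective ExecStart= line of a unit file and reports whether in.tftpd is started with -s/--secure and an absolute served directory. The function names, the temporary directory and the two sample unit files are constructed for the example; it assumes, as the page's own ExecStart line does, that the served directory is the positional (last) argument of in.tftpd.

```shell
#!/bin/sh
# Added example (not from the page or the ComplianceAsCode project): a POSIX sh
# check in the spirit of tftpd_uses_secure_mode. It inspects the ExecStart= line
# of a systemd unit file and reports whether in.tftpd runs in secure mode.

# Print the effective ExecStart command line of a unit file (empty if none).
# systemd honours the last ExecStart= assignment; an empty one clears earlier ones.
tftp_execstart() {
    grep -E '^[[:space:]]*ExecStart=' "$1" | tail -n 1 | sed 's/^[[:space:]]*ExecStart=//'
}

# Print the directory in.tftpd is confined to, or return 1 if secure mode is not
# configured. Assumption (labelled): the served directory is the positional, last
# argument, as in the page's "in.tftpd -s /var/lib/tftpboot" example. Arguments
# are split on whitespace; quoted arguments containing spaces are not handled.
tftp_secure_dir() {
    cmd=$(tftp_execstart "$1")
    [ -n "$cmd" ] || return 1
    set -- $cmd
    [ $# -gt 0 ] || return 1
    shift                      # drop the executable (may carry a systemd prefix such as '-' or '@')
    [ $# -gt 0 ] || return 1   # no arguments at all: cannot be secure mode
    secure=0
    for arg in "$@"; do
        case "$arg" in
            -s|--secure) secure=1 ;;
        esac
    done
    [ "$secure" -eq 1 ] || return 1
    eval "dir=\${$#}"          # last argument = served directory
    case "$dir" in
        /*) printf '%s\n' "$dir"; return 0 ;;
        *)  return 1 ;;
    esac
}

# Convenience wrapper: exit status only, for use in compliance scripts.
tftp_secure_mode_ok() {
    tftp_secure_dir "$1" >/dev/null
}

# Constructed sample unit files in a scratch directory (removed on exit).
TFTP_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$TFTP_DEMO_DIR"' EXIT

# Compliant: -s given, served directory absolute.
cat > "$TFTP_DEMO_DIR/secure.service" <<'EOF'
[Unit]
Description=Tftp Server (constructed sample)

[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot
EOF

# Non-compliant: same directory but no -s, so the daemon is not chrooted into it.
cat > "$TFTP_DEMO_DIR/insecure.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/in.tftpd /var/lib/tftpboot
EOF

for unit in secure insecure; do
    if dir=$(tftp_secure_dir "$TFTP_DEMO_DIR/$unit.service"); then
        echo "$unit.service: secure mode, serving only $dir"
    else
        echo "$unit.service: NOT in secure mode"
    fi
done
```

On a real system, point tftp_secure_dir at the path reported by `systemctl show tftp | grep FragmentPath=`; drop-in files under the unit's .d directory are not read by this check, so a drop-in that overrides ExecStart would need to be inspected as well.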