RHEL-10-200050 - RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode.

Information

Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of TFTP services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.

Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.

Solution

Configure RHEL 10 so that TFTP operates in secure mode if installed.

If TFTP server is not required, remove it with the following command:

$ sudo dnf -y remove tftp-server

Configure the TFTP daemon to operate in secure mode with the following command:

$ sudo systemctl edit tftp.service

In the editor, enter:

[Service]
ExecStart=/usr/sbin/in.tftpd -s /var/lib/tftpboot

After making changes, reload the systemd daemon and restart the TFTP service as follows:

$ sudo systemctl daemon-reload
$ sudo systemctl restart tftp.service

Item Details

Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1

Category: CONFIGURATION MANAGEMENT

Plugin: Unix

Control ID: 6f46f5eefb1b39d9361628ffb65b58fdfc3ea24660df3ae639f1bc62f01d673a

Detections

Analytics

RHEL-10-200050 - RHEL 10 must not have a Trivial File Transfer Protocol (TFTP) server package installed unless it is required by the mission, and if required, the TFTP daemon must be configured to operate in secure mode.

Information

Solution

See Also

Item Details