STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.

DISA Rule

SV-209040r603263_rule

Vulnerability Number

V-209040

Group Title

SRG-OS-000480

Rule Version

OL6-00-000338

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

If running the "tftp" service is necessary, it should be configured to change its root directory at startup. To do so, ensure "/etc/xinetd.d/tftp" includes "-s" as a command line argument, as shown in the following example (which is also the default):

server_args = -s /var/lib/tftpboot

Check Contents

Verify the "tftp" package is installed:

# rpm -qa | grep -i tftp
tftp-5.2-22.e16.x86_64

If the "tftp" package is not installed, this is Not Applicable.

Verify "tftp" is configured by with the "-s" option by running the following command:

grep "server_args" /etc/xinetd.d/tftp

The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below:

# grep "server_args" /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot

If it does not, this is a finding.

Vulnerability Number

V-209040

Documentable

False

Rule Version

OL6-00-000338

Severity Override Guidance

Verify the "tftp" package is installed:

# rpm -qa | grep -i tftp
tftp-5.2-22.e16.x86_64

If the "tftp" package is not installed, this is Not Applicable.

Verify "tftp" is configured by with the "-s" option by running the following command:

grep "server_args" /etc/xinetd.d/tftp

The output should indicate the "server_args" variable is configured with the "-s" flag, matching the example below:

# grep "server_args" /etc/xinetd.d/tftp
server_args = -s /var/lib/tftpboot

If it does not, this is a finding.

Check Content Reference

M

Target Key

2928

Comments