← Back to Apple macOS 26 (Tahoe) Security Technical Implementation Guide

V-277108

CAT I (High)

The macOS system must disable Trivial File Transfer Protocol (TFTP) service.

Rule ID

SV-277108r1149417_rule

STIG

Apple macOS 26 (Tahoe) Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000197 CCI-000213

Discussion

If the system does not require TFTP support, it is nonessential and must be disabled. The information system must be configured to provide only essential capabilities. Disabling TFTP helps prevent the unauthorized connection of devices and unauthorized transfer of information. Note: TFTP service is disabled at startup by default. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000080-GPOS-00048

Check Content

Verify the macOS system is configured to disable TFTP service with the following command:

result="FAIL"
  enabled=$(/bin/launchctl print-disabled system | /usr/bin/grep '"com.apple.tftpd" => enabled')
  running=$(/bin/launchctl print system/com.apple.tftpd 2>/dev/null)
  
  if [[ -z "$running" ]] && [[ -z "$enabled" ]]; then
    result="PASS"
  elif [[ -n "$running" ]]; then
    result=result+" RUNNING"
  elif [[ -n "$enabled" ]]; then
    result=result+" ENABLED"
  fi
  echo $result

If the result is not "PASS", this is a finding.

Fix Text

Configure the macOS system to disable TFTP service with the following commands:

/bin/launchctl bootout system/com.apple.tftpd 
/bin/launchctl disable system/com.apple.tftpd

The system may need a restart for the update to take effect.