Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Gyrfalcon 2.0 SECRET//NOFORN
7. (S//NF) First, execute the Gyrfalcon application.
7.1 (S//NF) Confirm the Gyrfalcon application has the correct owner and group for the
directory in which you install the application and encrypted configuration file.
7.1.1 For example, the application and encrypted configuration file are installed into a
directory which has “root:root” owner and group permissions.
7.1.2 (as root) chown root:root client
7.1.3 (as root) chown root:root config_file
7.1.4 (as root) chmod 755 client
7.1.5 (as root) chmod 700 config_file
7.2 (S//NF) At this time, the operator should be executing the application from within the
JQC/KitV hidden directory. If the application is configured with “root:root” owner and
group permissions, then the application should be executed as “root”; otherwise, it should be
executed as the owner of the application.
7.2.1 (as the configured user) ./client /dev/null
7.3 (S//NF) Ensure the encrypted configuration file has been removed from the file system.
7.3.1 (S//NF) The Gyrfalcon application will securely unlink the encrypted
configuration file from the file system after successfully reading it into memory.
8. (S//NF) Second, the operator needs to set up the LD_PRELOAD environment variable to inform
the Linux dynamic linker to load the Gyrfalcon library into the OpenSSH client address space.
8.1 (S//NF) The environment variable needs to be inserted into the OpenSSH client shell
profile or RC script.
8.1.1 LD_PRELOAD=libgssapi.so.2
8.2 (S//NF) During development testing, the LD_PRELOAD environment variable was used
as follows.
8.2.1 LD_PRELOAD=libgssapi.so.2 ssh 10.3.2.180
8.3 (S//NF) There is a better way of getting the Linux dynamic linker to load the Gyrfalcon
library; however, there was not enough time to finish development.
9. (U) Keep the archive_file_YYYY-MM-DD_HH:MM:SS.MS.tar.bz2 in a safe location on the local
operator computer or network for your records. This file is essential for sustained operations and
post processing.
November 2013 SECRET//NOFORN//20381126
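
A defender-side check for the preload mechanism described in step 8, as an added example that is not part of the original document: it parses shell start-up text and /proc/<pid>/environ contents for LD_PRELOAD settings that reach the ssh client. The function names and sample inputs are constructed for illustration; only the variable name and the library name come from the page.

```python
"""Flag LD_PRELOAD settings in shell start-up text and ssh process environments."""
import re
from pathlib import Path

# LD_PRELOAD=<value> as a plain assignment, an export, or a command prefix.
PRELOAD_RE = re.compile(r"""\bLD_PRELOAD=(?:"([^"]*)"|'([^']*)'|([^\s;&|]*))""")

def split_libs(value):
    """The dynamic linker accepts spaces or colons between preload entries."""
    return [p for p in re.split(r"[ :]+", value) if p]

def preload_in_profile(text):
    """Return [(line_no, [libraries])] for non-comment lines that set LD_PRELOAD."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = PRELOAD_RE.search(line)
        libs = split_libs(next(g for g in m.groups() if g is not None)) if m else []
        if libs:
            hits.append((no, libs))
    return hits

def preload_in_environ(raw):
    """Return the LD_PRELOAD libraries in a NUL-separated /proc/<pid>/environ blob."""
    for entry in raw.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return split_libs(entry[len(b"LD_PRELOAD="):].decode(errors="replace"))
    return []

def scan_ssh_processes(proc=Path("/proc")):
    """Return [(pid, [libraries])] for running ssh clients started with LD_PRELOAD."""
    found = []
    for d in proc.glob("[0-9]*"):
        try:
            if (d / "comm").read_text().strip() == "ssh":
                libs = preload_in_environ((d / "environ").read_bytes())
                if libs:
                    found.append((int(d.name), libs))
        except OSError:  # process exited, or environ not readable without root
            continue
    return found

# Constructed sample inputs, not taken from a real system.
SAMPLE_PROFILE = "# ~/.bashrc\nexport PATH=$PATH:/opt/bin\n# LD_PRELOAD=old.so\nLD_PRELOAD=libgssapi.so.2\n"
SAMPLE_ENVIRON = b"HOME=/root\0LD_PRELOAD=libgssapi.so.2\0TERM=xterm\0"

if __name__ == "__main__":
    print(preload_in_profile(SAMPLE_PROFILE))
    print(preload_in_environ(SAMPLE_ENVIRON))
    print(scan_ssh_processes())
```

/proc/<pid>/environ holds the environment as it was when the process was executed, which is the point at which the dynamic linker reads LD_PRELOAD; reading it for other users' processes requires root.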