Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
8.2 (U) Cherry Blossom Master and Slave Servers
(S) The operational CB servers (also referred to as the CherryTree server, CB-CC
(Command & Control) server, or the “backend”) are housed in a secure sponsor facility.
The CB system has a Master server that is running all of the necessary CB processes. The
CB system also has a hot spare Slave server. If the Master server fails, the Master server
can be taken offline for repair/diagnosis and the Slave server can be converted to the
Master server. When the failed server is returned to the system, it will become the Slave.
The “Cherry Blossom Installation Guide” documents the process of converting a Slave
to a Master server and the process of reinserting a failed server.
8.2.1 (U) System Data Replication/Backup to the Slave Server
(S) The Slave server performs replication/backup duties of CB data. The CB server uses a
mysql database to store system data, and it stores Copy Data in flat pcap files. The mysql
replication feature is used to keep an in-sync copy of the database on the Slave server.
The “rsync” utility is used to keep an in-sync copy of CB Copy Data on the Slave server.
8.3 (U) CB Server Monitoring with SNMP
(U) The CB servers (both Master and Slave) support health monitoring via SNMP. The
servers run appropriately configured snmpd daemons (configuration file is
/etc/snmp/snmpd.conf). An SNMP agent (e.g., the net-snmp package) running on a
remote but properly networked/firewalled host can query the servers for relevant health
monitoring information. It is expected that the sponsor will maintain a server with an
SNMP agent (a.k.a. the SNMP Monitoring Server) that periodically polls the CB servers
for health monitoring information. It is also expected that the sponsor will properly
network the SNMP Monitoring Server and give it appropriate SNMP access (port 161)
through the sponsor firewall(s).
(U) See the “Cherry Blossom Installation Guide” for configuration related to SNMP
monitoring information.
8.4 (U) CB Server Diagnostics
(U) The CB server processes write a number of different log files that can be useful in
diagnosing problems. See the “Cherry Blossom Server Diagnostics” section of the
“Cherry Blossom Installation Guide” for information on diagnostic log files.
8.5 (S) Configuring Forwarding of Alerts to Sponsor Alert System (Catapult)
(S) CherryWeb can be used to configure the forwarding of Alerts to the Sponsor Alert
System (Catapult). Upon receipt of a primitive Alert (email address, chat user, or
primitive MAC, but not derived MAC), the CB server can send an email to Catapult,
which would then distribute the Alert as appropriate.
(S) The email that the CB server sends to Catapult has a fixed subject line of the format:
[ALERT: Target Name] In Flytrap Location on Flytrap Name