Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
8 (U) System Administration
(U) This section discusses the various System Administration tasks that can be accomplished through CherryWeb and/or via accessing the file system on a production CherryTree server.
(U) Most of the functionality described in this section is restricted to Users with “cwadmin” privileges only (see 8.1.2). That said, it is important for non-cwadmin Users to understand the concepts related to Users, Operations, and Permissions described in this section.
(U) Note that more information related to system installation and configuration can be found in the “Cherry Blossom Installation Guide”.
8.1 (U) Users, Operations, and Permissions
(U) The CB system has the ability to add Users, add Operations, and assign permissions to Users on a per-Operation basis through CherryWeb (CW). This allows system data to be packaged around an Operation, which facilitates One-Way Transfer (OWT) and compartmentalization of system data: a User sees only the data of the Operations on which that User has been granted permissions.
8.1.1 (U) Users
(U) Each distinct person using the system (i.e., through CW) is a User, and has a distinct username and password for logging in to CW. Usernames and passwords are case sensitive.
8.1.2 (U) User Roles
(U) A User can have one of two Roles: “cwuser” or “cwadmin”. Only Users with a Role of “cwadmin” can perform the system administration tasks described in this section. Any User with the “cwadmin” Role (or the “cwadmin” User of section 8.1.3) can grant any User the “cwadmin” Role (see 8.1.4 for details). A User that has the “cwadmin” Role is referred to as a User with “cwadmin” privileges.
8.1.3 (U) The “cwadmin” User
(S) At installation, the system has a “cwadmin” User with the default cwadmin password (see “Cherry Blossom Installation Guide”) and the Role of “cwadmin” (see 8.1.2). Because that default password is documented, it should be changed before the server is placed into operation. The cwadmin User is able to change the cwadmin password, create Users, change User passwords, and assign User Roles (see 8.1.2). The cwadmin User can never be removed from the system. The cwadmin User is analogous to the UNIX “root” user.
(S) NOTE: “cwadmin” is used in two contexts in this document. First, there is a “cwadmin” User (as described in this section) akin to the UNIX “root” user. The “cwadmin” User is always in the system and can always perform all system administration tasks. Second, there is a “cwadmin” Role (of section 8.1.2). Any User can be given the Role of “cwadmin”, meaning that they can perform all of the system administration tasks; this is akin to a UNIX user with full “sudo” privileges.
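(U) The User, Role, Operation and permission rules of sections 8.1 through 8.1.3, as an added Python model written for this page (it is not CherryWeb's own implementation). The class and method names, the salted PBKDF2 password storage, the placeholder default password used in the usage call, and the rule that Operation data is gated only by explicit per-Operation grants (so that the cwadmin Role governs administrative tasks, not data visibility) are assumptions of the model; the manual itself specifies only the behaviours described above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ROLES = ("cwuser", "cwadmin")
BUILTIN_ADMIN = "cwadmin"      # the always-present User of section 8.1.3


class AuthzError(PermissionError):
    """Raised when an actor lacks the privilege for an administrative action."""


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    role: str = "cwuser"
    # Operation name -> set of permission names granted on that Operation
    grants: Dict[str, Set[str]] = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    # Passwords are case sensitive (8.1.1). Salted PBKDF2 storage is an
    # assumption of this model, not something the manual specifies.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class CherryWebAuth:
    """Toy authorization store: Users, Operations and per-Operation grants."""

    def __init__(self, default_admin_password: str) -> None:
        self.users: Dict[str, User] = {}
        self.operations: Set[str] = set()
        # At installation the cwadmin User exists with the cwadmin Role (8.1.3)
        self._store(BUILTIN_ADMIN, default_admin_password, "cwadmin")

    def _store(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash(password, salt), role)

    # -- authentication ---------------------------------------------------
    def login(self, username: str, password: str) -> Optional[User]:
        # Exact dict lookup: "Alice" and "alice" are different Users (8.1.1)
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(_hash(password, user.salt), user.pw_hash):
            return None
        return user

    # -- administration: cwadmin privileges only (8.1.2) ------------------
    def _require_admin(self, actor: User) -> None:
        if actor.role != "cwadmin":
            raise AuthzError(f"{actor.username} lacks cwadmin privileges")

    def create_user(self, actor: User, username: str, password: str,
                    role: str = "cwuser") -> None:
        self._require_admin(actor)
        if role not in ROLES or username in self.users:
            raise ValueError("bad role or duplicate username")
        self._store(username, password, role)

    def set_password(self, actor: User, username: str, password: str) -> None:
        self._require_admin(actor)
        user = self.users[username]
        user.salt = os.urandom(16)
        user.pw_hash = _hash(password, user.salt)

    def set_role(self, actor: User, username: str, role: str) -> None:
        # Any cwadmin-privileged User may grant or revoke the cwadmin Role (8.1.2),
        # but the built-in cwadmin User keeps it (8.1.3).
        self._require_admin(actor)
        if role not in ROLES:
            raise ValueError(role)
        if username == BUILTIN_ADMIN and role != "cwadmin":
            raise AuthzError("the cwadmin User always has cwadmin privileges")
        self.users[username].role = role

    def remove_user(self, actor: User, username: str) -> None:
        self._require_admin(actor)
        if username == BUILTIN_ADMIN:
            raise AuthzError("the cwadmin User can never be removed")
        del self.users[username]

    def add_operation(self, actor: User, operation: str) -> None:
        self._require_admin(actor)
        self.operations.add(operation)

    def grant(self, actor: User, username: str, operation: str,
              permission: str) -> None:
        self._require_admin(actor)
        if operation not in self.operations:
            raise KeyError(operation)
        self.users[username].grants.setdefault(operation, set()).add(permission)

    # -- per-Operation data access (compartmentalization, 8.1) ------------
    def can(self, user: User, operation: str, permission: str) -> bool:
        # Assumption of this model: Operation data is gated only by explicit
        # per-Operation grants; the cwadmin Role covers admin tasks, not data.
        return permission in user.grants.get(operation, set())


def is_denied(action, *args) -> bool:
    """True if the administrative action raises AuthzError."""
    try:
        action(*args)
    except AuthzError:
        return True
    return False


if __name__ == "__main__":
    auth = CherryWebAuth("changeme")   # placeholder, not the real default
    admin = auth.login("cwadmin", "changeme")
    auth.create_user(admin, "alice", "s3cret")
    alice = auth.login("alice", "s3cret")
    auth.add_operation(admin, "OP-A")
    auth.grant(admin, "alice", "OP-A", "read")
    print(auth.can(alice, "OP-A", "read"), auth.can(alice, "OP-A", "write"))
    print(is_denied(auth.remove_user, admin, "cwadmin"))
```

(U) The two invariants a reviewer would check first are in `remove_user` and `set_role`: the built-in cwadmin User can neither be deleted nor demoted, while any other User's Role can be raised to cwadmin only by an actor who already holds cwadmin privileges.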