Responsibilities

The SecureDrop architecture contains multiple machines and hardened servers. While many of the installation and maintenance tasks have been automated, a skilled Linux admin is required to responsibly run the system.

Responsibilities of SecureDrop administrators

As a SecureDrop administrator, it is your responsibility to:

• install SecureDrop

• manage users

• manage the system configuration

• ensure that servers, firewall and workstations are kept up-to-date

• monitor OSSEC alerts

• monitor the SecureDrop team’s release and security-related communications

• apply available firmware updates to all SecureDrop hardware

• ensure that the SecureDrop environment is physically secure and monitored

• investigate and respond to security incidents

• schedule and perform required maintenance tasks, such as operating system upgrades

• ensure that SecureDrop users adhere to the documented processes for checking SecureDrop, communicating with sources, and reviewing documents

• verify the integrity of SecureDrop code

• avoid the installation of unsupported code or patches

• decommission SecureDrop after it is no longer in use

Responsibilities of the SecureDrop team

The SecureDrop team employed by Freedom of the Press Foundation (FPF) and the SecureDrop community maintain and develop the SecureDrop software, which is offered as open source software, free of charge, and at your own risk.

FPF offers paid priority support services. We are happy to provide assistance with installing the system, with training of administrators and journalists, and with investigation of technical issues and incidents.

Note

Each SecureDrop instance is hosted and operated independently. Freedom of the Press Foundation does not offer systems administration, hosting or “remote hands” services.

When the SecureDrop team becomes aware of a security vulnerability in SecureDrop or its software dependencies, we assess the impact of the vulnerability in the context of existing security mitigations and our threat model. Based on this assessment, we prioritize technical work and external communications.

For high severity issues that require technical changes to SecureDrop, we will issue a point release as soon as possible. As part of issuing a release or advisory, we will post further details on the SecureDrop website and to the support portal.

In rare circumstances when a technical fix is extremely time sensitive, we may provide signed patches to impacted SecureDrop instances. Even in these cases, we ask that you never install code provided to you that is not signed using the current SecureDrop release key.

When in doubt how to resolve an issue, please avoid following technical instructions that have not been vetted by the SecureDrop team. If you encounter bugs, please report them. For sensitive matters, you can contact us via the SecureDrop Support Portal or via our contact form.

Managing Users

Admins are responsible for managing user credentials and encouraging best practices. (See Passphrases and Passphrase Best Practices.) The admin will also have access to the Journalist Interface, via her own username, passphrase, and two-factor authentication method (using a smartphone application or YubiKey).

See User Management for more information on adding and managing users.

Managing the System Configuration

Admins are responsible for configuring and maintaining the system. Several tools are available to support this:

• The Admin Interface allows the admin to manage users and configure web interface features such as organizations logos and submission preferences

• Server SSH access is also available, to allow administrators to troubleshoot server issues and perform manual updates.

• The securedrop-admin utility is used via the Admin Workstation to configure and install SecureDrop, to perform operations including server backups and restores, and to update the server configuration after installation.

Keeping the System Updated

The admin is responsible for ensuring that updates are applied to SecureDrop. Where possible, updates are applied automatically, but some update operations require manual intervention.

Updates: Servers

The admin should be aware of all SecureDrop updates and take any required manual action if requested in the SecureDrop Release Blog (RSS feed). We also recommend registering with the SecureDrop Support Portal to stay apprised of upcoming releases.

Most often, the SecureDrop servers will automatically update via apt. However, occasionally you will need to run securedrop-admin install or take other manual steps. If you are onboarded to the support portal, we will let you know in advance of major releases if manual intervention will be required.

Updates: Network Firewall

Given all traffic first hits the network firewall as it faces the non-Tor public network, the admin should ensure that critical security patches are applied to the firewall.

Because of recent changes to the frequency and scope of security updates, we do not recommend the use of pfSense Community Edition (CE). pfSense Plus continues to receive necessary security updates on a regular basis, and is provided with the purchase of most Netgate firewalls. If you wish to use a custom firewall or alternate option, we recommend using an OPNSense-based solution.

If you’re using one of the network firewalls recommended by FPF, you can subscribe to email updates from the Netgate homepage or follow the Netgate blog to be alerted when releases occur. If critical security updates need to be applied, you can do so through the firewall’s pfSense WebGUI.

Refer to our Keeping pfSense up to Date documentation or the official pfSense Upgrade Docs for further details on how to update the suggested firewall.

No matter which vendor you go with, you should make it a priority to stay informed of potential updates to your network firewall.

Updates: Workstations

The admin should keep all SecureDrop workstations updated with:

• Tails updates for each Admin Workstation, Journalist Workstation, and Secure Viewing Station; and

• SecureDrop workstation updates for each Admin Workstation and Journalist Workstation.

You should apply Tails updates to your Tails drives as they are released, as they often contain critical security fixes. Subscribe to the Tails RSS Feed to be alerted of new releases. The online Tails drives, once booted and connected to Tor, will alert you if upgrades are available. Follow the Tails Upgrade Documentation on how to upgrade the drives.

Admin and Journalist Workstations automatically check for updates on boot. An update window will pop up when updates are needed, and you should simply follow the prompts in the updater to perform the update.

Note

Note that you will need to have a Tails Administrator password configured to complete the update. If you forget to do so, you will need to reboot to enable it.

Monitoring OSSEC Alerts

SecureDrop uses OSSEC to monitor the servers for unusual activity caused by system configuration issues or security breaches. The admin should decrypt and read all OSSEC alerts. Report any suspicious events to FPF through the SecureDrop Support Portal. See the OSSEC Guide for more information on common OSSEC alerts.

Warning

Do not post logs or alerts to public forums without first carefully examining and redacting any sensitive information.

Monitoring SecureDrop-related communications

Release announcements and security advisories are posted to the SecureDrop blog, which is also available as an RSS feed. You can also follow us on our social media accounts (Twitter and Mastodon).

We strongly recommend joining the SecureDrop support portal. As a member of the support portal, you will receive email notifications related to all major announcements, and you can open tickets in case of technical issues. Membership is free of charge.