Administrator Guide

You (the administrator) should have your own username and password, plus two-factor authentication through either the Google Authenticator app on your smartphone or a YubiKey.

Responsibilities

The SecureDrop architecture contains multiple hardened servers, and while we have automated many of the installation and maintenance tasks, a skilled Linux administrator and some manual intervention is required to responsibly run the system.

This section outlines the tasks the administrator is responsible for in order to ensure that the SecureDrop server continues to be a safe place for sources to talk to journalists.

Keep your SecureDrop Server Updated

You should maintain awareness of SecureDrop updates and take any required manual action if requested in the SecureDrop Release Blog. We recommend subscribing to the SecureDrop RSS Feed to stay apprised of new updates.

Most often, the SecureDrop server will automatically update via apt. However, occasionally you will need to run the Ansible playbooks. We will inform you in the release blog when this is the case. If you are onboarded to our SecureDrop Support Portal, we will let you know in advance of major releases if manual intervention will be required.

Keep your Network Firewall Updated

Given all traffic first hits the network firewall as it faces the non-Tor public network, you will want to ensure that critical security patches are applied.

Be informed of potential updates to your network firewall. If you’re using the suggested network firewall by FPF you can subscribe to the Netgate RSS Feed to be alerted when releases occur. If critical security updates need to be applied, you can do so through the firewall’s pfSense WebGUI. Refer to our Keeping pfSense up to date documentation or the official pfSense Upgrade Docs for further details on how to update the suggested firewall.

Keep your Tails Drives Updated

You should apply updates to your Tails drives as they are released, as they can contain critical security fixes. Subscribe to the Tails RSS Feed to be alerted of new releases. The online Tails drives, once booted and connected to Tor, will alert you if upgrades are available. Follow the Tails Upgrade Documentation on how to upgrade the drives.

Monitor OSSEC alerts for Unusual Activity

You should decrypt and read your OSSEC alerts. Report any suspicious events to FPF through the SecureDrop Support Portal. See the OSSEC Guide for more information on common OSSEC alerts.

Warning

Do not post logs or alerts to public forums without first carefully examining and redacting any sensitive information.

Adding Users

Now you can add new logins for the journalists at your news organization who will be checking the system for submissions. Make sure the journalist is physically in the same room as you when you do this, as they will have to scan a barcode for their two-factor authentication. Since you’re logged in, this is the screen you should see now:

SecureDrop main page

In the top right corner click the “Admin” link, which should bring you to this page:

SecureDrop admin home

Once there, click ‘Add User’ button, which will take you to this page:

Add a new user

Here, you will hand the keyboard over to the journalist so they can create their own username. Once they’re done entering a username for themselves, have them write down their pre-generated diceware passphrase. Then, you will select whether you would like them to also be an administrator (this allows them to add or delete other journalist accounts), and whether they will be using Google Authenticator or a YubiKey for two-factor authentication.

Tip

Consider using the alternative FreeOTP application for mobile two-factor authentication.

Google Authenticator

If they are using Google Authenticator for their two-factor, they can just proceed to the next page:

Enable Google Authenticator

At this point, the journalist should make sure they have downloaded the Google Authenticator app to their smartphone. It can be installed from the Apple Store for an iPhone or from the Google Play store for an Android phone. Once you download it and open it, the app does not require setup. It should prompt you to scan a barcode. The journalist should use their phone’s camera to scan the barcode on the screen.

If they have difficulty scanning the barcode, they can use the “Manual Entry” option and use their phone’s keyboard to input the random characters that are highlighted in yellow.

Inside the Google Authenticator app, a new entry for this account will appear on the main screen, with a six digit number that recycles to a new number every thirty seconds. Enter the six digit number under “Verification code” at the bottom of the screen, and hit enter.

If Google Authenticator was set up correctly, you will be redirected back to the Admin Interface and will see a flashed message that says “Two factor token successfully verified for user new username!”.

YubiKey

If the journalist wishes to use a YubiKey for two-factor authentication, check the box next to “I’m using a YubiKey”. You will then need to enter the OATH-HOTP Secret Key that your YubiKey is configured with. For more information, read the YubiKey Setup Guide.

Enable YubiKey

Once you’ve configured your YubiKey and entered the Secret Key, click Add user. On the next page, enter a code from your YubiKey by inserting it into the workstation and pressing the button.

Verify YubiKey

If everything was set up correctly, you will be redirected back to the Admin Interface, where you should see a flashed message that says “Two factor token successfully verified for user new username!”.

Congratulations! You have successfully set up a journalist on SecureDrop. Make sure the journalist remembers their username and password and always has their 2 factor authentication device in their possession when they attempt to log in to SecureDrop.

Updating the Servers

Sometimes you will want to update the system configuration on the SecureDrop servers. For example, to customize the logo on the source interface, or change the PGP key that OSSEC alerts are encrypted to. You can do this from your Admin Workstation by following the procedure described in this section.

Updating system configuration

The server configuration is stored on the Admin Workstation in ~/Persistent/securedrop/install_files/ansible-base/group_vars/all/site-specific.

If you want to update the system configuration, there are two options:

  1. Manually edit the site-specific file to make the desired modifications.
  2. From ~/Persistent/securedrop, run ./securedrop-admin sdconfig --force, which will require you to retype each variable in site-specific.

Once you have edited the site-specific server configuration file, you will need to apply the changes to the servers. From ~/Persistent/securedrop:

./securedrop-admin install

Note

If you see an error running ./securedrop-admin install, and believe it may be an intermittent issue (for example, due to losing network connectivity to the servers), it is safe to run the ./securedrop-admin install command again. If you see the same issue consistently, then you will need to troubleshoot it.

Once the install command has successfully completed, the changes are applied. Read the next section if you have multiple administrators.

Managing site-specific updates on teams with multiple admins

Organizations with multiple admins should establish a protocol to communicate any changes one admin makes to the site-specific configuration file on the server.

Currently, when one admin pushes changes in site-specific to the server, the changes will not sync to the local site-specific file on the remaining admin workstations. Without being aware of changes made to site-specific, admins run the risk of pushing old information to the servers. This can affect the receipt of OSSEC alerts, viability of the Submission Key, among other critical components of the SecureDrop environment.

There are multiple ways to avoid pushing out-of-date information to the servers. We recommend admins establish a secure communication pipeline to alert fellow admins of any changes made to site-specific on the server. That clues every admin in on changes in real time, providing all team members with a reminder to manually update all site-specific files.

In addition to secure group communications, admins can learn of updates to the server by monitoring OSSEC alerts. (Please note that while an OSSEC alert can notify you of the occurrence of an update to the server, it may not reveal the content of the change.) Another management option would be SSHing into the server and manually inspecting the configuration to identify any discrepancies.