Introduction for SecureDrop Administrators

SecureDrop servers are managed by a systems administrator.

For larger newsrooms, there may be a team of systems admins, but at least one person within the organization will need to serve as the administrator. In some situations, such as smaller news organizations where a journalist has the technical capacity to administer systems, one person can serve as both Journalist and Administrator. When possible, we advise having a dedicated staff member serving the role of SecureDrop Administrator.

The admin connects to the Application and Monitor Servers over authenticated onion services, and manages them using Ansible.

If you are considering becoming a SecureDrop administrator, below are some attributes that will be important to have:

• Experience with managing Linux-based systems from the command line.

• Proficiency with network hardware such as firewalls and switches (e.g. pfSense).

• Experience with QubesOS.

• Experience with configuration management tools such as Ansible, Salt, Chef, or Puppet.

• Ability to use and configure secure communication tools such as GPG.

We consider the first two requirements and the last three preferred attributes.

This Admin Guide covers planning, installation, deployment, and ongoing maintenance of a SecureDrop installation.

Responsibilities of SecureDrop administrators

The SecureDrop architecture contains multiple machines and hardened servers. While many of the installation and maintenance tasks have been automated, a skilled Linux admin is required to responsibly run the system.

As a SecureDrop administrator, it is your responsibility to:

• install SecureDrop

• manage users

• manage the system configuration

• ensure that servers, firewall and workstations are kept up-to-date

• monitor OSSEC alerts

• monitor the SecureDrop team’s release and security-related communications

• apply available firmware updates to all SecureDrop hardware

• ensure that the SecureDrop environment is physically secure and monitored

• ensure that SecureDrop Workstations are kept up to date

• investigate and respond to security incidents

• schedule and perform required maintenance tasks, such as operating system upgrades

• ensure that SecureDrop users adhere to the documented processes for checking SecureDrop, communicating with sources, and reviewing documents

• verify the integrity of SecureDrop code

• avoid the installation of unsupported code or patches

• decommission SecureDrop after it is no longer in use

Responsibilities of the SecureDrop team

The SecureDrop team employed by Freedom of the Press Foundation (FPF) and the SecureDrop community maintain and develop the SecureDrop software, which is offered as open source software, free of charge, and at your own risk.

FPF offers paid priority support services. We are happy to provide assistance with installing the system, with training of administrators and journalists, and with investigation of technical issues and incidents.

Note

Each SecureDrop instance is hosted and operated independently. Freedom of the Press Foundation does not offer systems administration, hosting or “remote hands” services.

When the SecureDrop team becomes aware of a security vulnerability in SecureDrop or its software dependencies, we assess the impact of the vulnerability in the context of existing security mitigations and our threat model. Based on this assessment, we prioritize technical work and external communications.

For high severity issues that require technical changes to SecureDrop, we will issue a point release as soon as possible. As part of issuing a release or advisory, we will post further details on the SecureDrop website and to the support portal.

In rare circumstances when a technical fix is extremely time sensitive, we may provide signed patches to impacted SecureDrop instances. Even in these cases, we ask that you never install code provided to you that is not signed using the current SecureDrop release key.

When in doubt how to resolve an issue, please avoid following technical instructions that have not been vetted by the SecureDrop team. If you encounter bugs, please report them. For sensitive matters, you can contact us via the SecureDrop Support Portal or via our contact form.

Managing Users

Admins are responsible for managing user credentials and encouraging best practices. (See Passphrase Best Practices.) The admin will also have access to the Journalist Interface, via her own username, passphrase, and two-factor authentication method (using a smartphone application or YubiKey).

See User Management for more information on adding and managing users.

Managing the System Configuration

Admins are responsible for configuring and maintaining the system. Several tools are available to support this:

• The Admin Interface allows the admin to manage users and configure web interface features such as organizations logos and submission preferences

• Server SSH access is also available, to allow administrators to troubleshoot server issues and perform manual updates.

• The securedrop-admin utility is used via the Admin VM to configure and install SecureDrop, to perform operations including server backups and restores, and to update the server configuration after installation.

Keeping the System Updated

The admin is responsible for ensuring that updates are applied to SecureDrop. Where possible, updates are applied automatically, but some update operations require manual intervention.

Updates: Servers

The admin should be aware of all SecureDrop updates and take any required manual action if requested in the SecureDrop Release Blog (RSS feed). We also recommend registering with the SecureDrop Support Portal to stay apprised of upcoming releases.

Most often, the SecureDrop servers will automatically update via apt. However, occasionally you will need to take other manual steps. If you are in touch with us directly for support, we will let you know in advance of major releases if manual intervention will be required.

Updates: Network Firewall

Given all traffic first hits the network firewall as it faces the non-Tor public network, the admin should ensure that critical security patches are applied to the firewall.

Because of recent changes to the frequency and scope of security updates, we do not recommend the use of pfSense Community Edition (CE). pfSense Plus continues to receive necessary security updates on a regular basis, and is provided with the purchase of most Netgate firewalls. If you wish to use a custom firewall or alternate option, we recommend using an OPNSense-based solution.

If you’re using one of the network firewalls recommended by FPF, you can subscribe to email updates from the Netgate homepage or follow the Netgate blog to be alerted when releases occur. If critical security updates need to be applied, you can do so through the firewall’s pfSense WebGUI.

Refer to our Keeping pfSense up to Date documentation or the official pfSense Upgrade Docs for further details on how to update the suggested firewall.

No matter which vendor you go with, you should make it a priority to stay informed of potential updates to your network firewall.

Updates: Workstations

SecureDrop Workstation includes an updater application that runs automatically on startup, checks for Qubes and SecureDrop updates, and prompts the user to apply them if found. Given the sensitive nature of the system, it is critical that updates are applied when available. Administrators should ensure that users are aware of this requirement, and should periodically check to ensure that the system is up to date.

Monitoring OSSEC Alerts

SecureDrop uses OSSEC to monitor the servers for unusual activity caused by system configuration issues or security breaches. The admin should decrypt and read all OSSEC alerts. Report any suspicious events to FPF through the SecureDrop Support Portal. See the OSSEC Guide for more information on common OSSEC alerts.

Warning

Do not post logs or alerts to public forums without first carefully examining and redacting any sensitive information.

Monitoring SecureDrop-related communications

Release announcements and security advisories are posted to the SecureDrop blog, which is also available as an RSS feed. You can also follow us on our social media accounts (Twitter and Mastodon).

We strongly recommend joining the SecureDrop support portal. As a member of the support portal, you will receive email notifications related to all major announcements, and you can open tickets in case of technical issues. Membership is free of charge.

Installation Support

Any organization can install SecureDrop for free and also make modifications because the project is open source.

Because the installation and operation are complex, and because SecureDrop can only be as secure as the operational security practices followed by its users, Freedom of the Press Foundation will also help organizations install SecureDrop and train journalists and administrators.

If you would like to work with Freedom of the Press Foundation on your SecureDrop installation, please reach out to us. We do ask news organizations that can afford to pay for installation support, training and maintenance to do so.

As part of priority support agreements and on a pro-bono basis for smaller news organizations, Freedom of the Press Foundation will visit your offices, help set up SecureDrop and train journalists to use it. (For pro-bono support, we request that our travel costs are covered.)

Note

SecureDrop wants your feedback! Confused by something in our documentation? Let us know by opening an issue on GitHub or in our Gitter channel.