From bfe226e04beb20f17f0aa553ddb1f9cc7a001036 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Wed, 28 Apr 2021 17:44:34 -0700 Subject: [PATCH 1/2] Clarify admin & FPF roles and responsibilities; services --- docs/admin.rst | 74 ++++++++++++++++++++++++++++++++++++++-- docs/getting_support.rst | 47 ++++++++++++++++++++----- 2 files changed, 109 insertions(+), 12 deletions(-) diff --git a/docs/admin.rst b/docs/admin.rst index fad0bd3f1..849d01b2e 100644 --- a/docs/admin.rst +++ b/docs/admin.rst @@ -12,9 +12,57 @@ The SecureDrop architecture contains multiple machines and hardened servers. While many of the installation and maintenance tasks have been automated, a skilled Linux admin is required to responsibly run the system. -This section outlines the tasks the admin is responsible for in order to -ensure that their SecureDrop instance continues to be a safe place for sources to -talk to journalists. +Responsibilities of SecureDrop administrators +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +As a SecureDrop administrator, it is your responsibility to: + +* :ref:`manage users ` +* :ref:`manage the system configuration ` +* :ref:`ensure that servers and workstations are kept up-to-date ` +* :ref:`monitor OSSEC alerts ` +* :ref:`monitor the SecureDrop team's release and security-related + communications ` +* investigate and respond to security incidents +* schedule and perform required maintenance tasks, such as operating system + upgrades +* ensure that SecureDrop users adhere to the documented processes for checking + SecureDrop, communicating with sources, and reviewing documents +* verify the integrity of SecureDrop code +* avoid the installation of unsupported code or patches +* :doc:`decommission SecureDrop after it is no longer in use ` + +Responsibilities of the SecureDrop team +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +The SecureDrop team employed by Freedom of the Press Foundation (FPF) and the +SecureDrop community maintain and develop the SecureDrop software, which +is offered as open source software, free of charge, and at your own risk. + +FPF offers :doc:`paid priority support services `. We are +happy to provide assistance with installing the system, with training of +administrators and journalists, and with investigation of technical issues +and incidents. + +.. note:: + + Freedom of the Press Foundation does not offer systems administration, + hosting or "remote hands" services. + +When the SecureDrop team becomes aware of a security vulnerability in SecureDrop +or its software dependencies, we assess the impact of the vulnerability in the +context of existing security mitigations and :doc:`our threat model `. +Based on this assessment, we prioritize technical work and external communications. + +For high severity issues that require technical changes to SecureDrop, we will +issue a point release as soon as possible. As part of issuing a release or +advisory, we will post further details on the SecureDrop website and to the support +portal. + +In rare circumstances, we may provide signed patches to impacted SecureDrop +instances to allow for immediate resolution of a security incident or a technical +issue. Even in these cases, we ask that you never install code provided to you +that is not signed using the current `SecureDrop release key `__. + +.. _manage_users: Managing Users ~~~~~~~~~~~~~~ @@ -27,6 +75,8 @@ and two-factor authentication method (using a smartphone application or YubiKey) See :ref:`User Management` for more information on adding and managing users. +.. _manage_config: + Managing the System Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -41,6 +91,7 @@ are available to support this: to configure and install SecureDrop, to perform operations including server backups and restores, and to update the server configuration after installation. +.. _manage_updates: Keeping the System Updated ~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -104,6 +155,8 @@ Upgrade Documentation`_ on how to upgrade the drives. .. _`Tails Upgrade Documentation`: https://tails.boum.org/doc/upgrade/index.en.html +.. _monitoring_ossec: + Monitoring OSSEC Alerts ~~~~~~~~~~~~~~~~~~~~~~~ @@ -120,6 +173,21 @@ See the :doc:`OSSEC Guide ` for more information on common OSSEC a .. _The Admin Interface: +.. _monitoring_comms: + +Monitoring SecureDrop-related communications +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Release announcements and security advisories are posted to the +`SecureDrop blog `__, which is also available as +an `RSS feed `__. You can also follow us on +our social media accounts (`Twitter `__ and +`Mastodon `__). + +We strongly recommend :doc:`joining the SecureDrop support portal `. +As a member of the support portal, you will receive email notifications related +to all major announcements, and you can open tickets in case of technical issues. +Membership is free of charge. + The Admin Interface ------------------------- diff --git a/docs/getting_support.rst b/docs/getting_support.rst index 650a068a6..fb5c316d9 100644 --- a/docs/getting_support.rst +++ b/docs/getting_support.rst @@ -1,18 +1,47 @@ Getting Support =============== -There are a variety of support options available for people who need help installing SecureDrop, or are looking for help with their existing SecureDrop instance. +There are a several support options available if you need help installing +SecureDrop, or are looking for help with your existing SecureDrop instance. -Community Based Support ------------------------ -The `SecureDrop forum `_ is a great place to discuss SecureDrop and to get help from others. It is based on Discourse and creating an account is simple and easy. +.. note:: + + If your installation is up and running, we recommend that you + `submit your SecureDrop to the SecureDrop directory `__. + This also serves as a first introduction to the SecureDrop team. + +Support Portal +-------------- +Because of the sensitive nature of SecureDrop-related communications, we recommend +that you request an account on the support portal at https://support.freedom.press/ +and review `our documentation `__ +for using it. + +As a member of the support portal, you will receive notifications regarding +SecureDrop releases and security advisories, and you will be able to open tickets +to request technical support. -Additionally, the `SecureDrop Gitter channel `_ is a great place to discuss SecureDrop in real-time chat. This is mostly a development focused channel, but occasionally support questions do come up. +Membership in the support portal is free of charge and granted at Freedom of the +Press Foundation's sole discretion. To reach out regarding a membership request, +please use the `contact form `__. + +While we will provide technical assistance within reason and at our discretion, we +encourage you to consider a paid support agreement to receive priority support, +staff training, or installation help. Visit the `Priority Support `_ +and `Training `_ pages on the SecureDrop website +for more information. + +Community Based Support +----------------------- +The `SecureDrop forum `_ is a good place to +discuss SecureDrop and to get help from the international community of +SecureDrop users and developers. -.. warning:: Remember that both the SecureDrop forum and the Gitter channel are public. **Do not post any sensitive information through public channels.** +You can also connect directly with the SecureDrop development team and the larger +SecureDrop community using the `SecureDrop Gitter channel `_ . -Priority Support and Training ------------------------------ +.. warning:: -Freedom of the Press Foundation provides paid priority support and SecureDrop training to organizations. Visit the `Priority Support `_ and `Training `_ pages on the SecureDrop website for more information. + Remember that both the SecureDrop forum and the Gitter channel are + public. **Do not post any sensitive information through public channels.** From 69eac636a4740e600b88853c7838764b9c60039d Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Tue, 4 May 2021 16:14:33 -0700 Subject: [PATCH 2/2] Address review comments --- docs/admin.rst | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/docs/admin.rst b/docs/admin.rst index 849d01b2e..42ac2c916 100644 --- a/docs/admin.rst +++ b/docs/admin.rst @@ -18,10 +18,12 @@ As a SecureDrop administrator, it is your responsibility to: * :ref:`manage users ` * :ref:`manage the system configuration ` -* :ref:`ensure that servers and workstations are kept up-to-date ` +* :ref:`ensure that servers, firewall and workstations are kept up-to-date ` * :ref:`monitor OSSEC alerts ` * :ref:`monitor the SecureDrop team's release and security-related communications ` +* apply available firmware updates to all SecureDrop hardware +* ensure that the SecureDrop environment is physically secure and monitored * investigate and respond to security incidents * schedule and perform required maintenance tasks, such as operating system upgrades @@ -44,8 +46,9 @@ and incidents. .. note:: - Freedom of the Press Foundation does not offer systems administration, - hosting or "remote hands" services. + Each SecureDrop instance is hosted and operated independently. Freedom of the + Press Foundation does not offer systems administration, hosting or "remote + hands" services. When the SecureDrop team becomes aware of a security vulnerability in SecureDrop or its software dependencies, we assess the impact of the vulnerability in the @@ -57,10 +60,16 @@ issue a point release as soon as possible. As part of issuing a release or advisory, we will post further details on the SecureDrop website and to the support portal. -In rare circumstances, we may provide signed patches to impacted SecureDrop -instances to allow for immediate resolution of a security incident or a technical -issue. Even in these cases, we ask that you never install code provided to you -that is not signed using the current `SecureDrop release key `__. +In rare circumstances when a technical fix is extremely time sensitive, we may +provide signed patches to impacted SecureDrop instances. Even in these cases, we +ask that you never install code provided to you that is not signed using the +current `SecureDrop release key `__. + +When in doubt how to resolve an issue, please avoid following technical +instructions that have not been vetted by the SecureDrop team. If you encounter +bugs, please `report them `__. +For sensitive matters, you can contact us via the `SecureDrop Support Portal`_ +or via our `contact form `__. .. _manage_users: