Clarify admin & FPF roles and responsibilities; services #206
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,9 +12,66 @@ The SecureDrop architecture contains multiple machines and hardened servers. | |
| While many of the installation and maintenance tasks have been automated, a | ||
| skilled Linux admin is required to responsibly run the system. | ||
|
|
||
| Responsibilities of SecureDrop administrators | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| As a SecureDrop administrator, it is your responsibility to: | ||
|
|
||
| * :ref:`manage users <manage_users>` | ||
| * :ref:`manage the system configuration <manage_config>` | ||
| * :ref:`ensure that servers, firewall and workstations are kept up-to-date <manage_updates>` | ||
| * :ref:`monitor OSSEC alerts <monitoring_ossec>` | ||
| * :ref:`monitor the SecureDrop team's release and security-related | ||
|
There was a problem hiding this comment. added in 69eac63 (this may not be the admin's direct responsibility, so used "ensure" wording) |
||
| communications <monitoring_comms>` | ||
| * apply available firmware updates to all SecureDrop hardware | ||
| * ensure that the SecureDrop environment is physically secure and monitored | ||
| * investigate and respond to security incidents | ||
| * schedule and perform required maintenance tasks, such as operating system | ||
| upgrades | ||
| * ensure that SecureDrop users adhere to the documented processes for checking | ||
| SecureDrop, communicating with sources, and reviewing documents | ||
| * verify the integrity of SecureDrop code | ||
| * avoid the installation of unsupported code or patches | ||
| * :doc:`decommission SecureDrop after it is no longer in use <decommission>` | ||
|
|
||
| Responsibilities of the SecureDrop team | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| The SecureDrop team employed by Freedom of the Press Foundation (FPF) and the | ||
| SecureDrop community maintain and develop the SecureDrop software, which | ||
| is offered as open source software, free of charge, and at your own risk. | ||
|
|
||
| FPF offers :doc:`paid priority support services <getting_support>`. We are | ||
| happy to provide assistance with installing the system, with training of | ||
| administrators and journalists, and with investigation of technical issues | ||
| and incidents. | ||
|
|
||
| .. note:: | ||
|
|
||
| Each SecureDrop instance is hosted and operated independently. Freedom of the | ||
| Press Foundation does not offer systems administration, hosting or "remote | ||
| hands" services. | ||
|
|
||
| When the SecureDrop team becomes aware of a security vulnerability in SecureDrop | ||
| or its software dependencies, we assess the impact of the vulnerability in the | ||
| context of existing security mitigations and :doc:`our threat model <threat_model/threat_model>`. | ||
| Based on this assessment, we prioritize technical work and external communications. | ||
|
|
||
| For high severity issues that require technical changes to SecureDrop, we will | ||
| issue a point release as soon as possible. As part of issuing a release or | ||
| advisory, we will post further details on the SecureDrop website and to the support | ||
| portal. | ||
|
|
||
| In rare circumstances when a technical fix is extremely time sensitive, we may | ||
| provide signed patches to impacted SecureDrop instances. Even in these cases, we | ||
| ask that you never install code provided to you that is not signed using the | ||
| current `SecureDrop release key <http://securedrop.org/securedrop-release-key.asc>`__. | ||
|
|
||
| When in doubt how to resolve an issue, please avoid following technical | ||
| instructions that have not been vetted by the SecureDrop team. If you encounter | ||
| bugs, please `report them <https://github.com/freedomofpress/securedrop/issues/new/choose>`__. | ||
| For sensitive matters, you can contact us via the `SecureDrop Support Portal`_ | ||
| or via our `contact form <https://securedrop.org/help/>`__. | ||
|
|
||
| .. _manage_users: | ||
|
|
||
| Managing Users | ||
| ~~~~~~~~~~~~~~ | ||
|
|
@@ -27,6 +84,8 @@ and two-factor authentication method (using a smartphone application or YubiKey) | |
| See :ref:`User Management<User Management>` for more information on adding and managing | ||
| users. | ||
|
|
||
| .. _manage_config: | ||
|
|
||
| Managing the System Configuration | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
|
|
@@ -41,6 +100,7 @@ are available to support this: | |
| to configure and install SecureDrop, to perform operations including server backups and restores, | ||
| and to update the server configuration after installation. | ||
|
|
||
| .. _manage_updates: | ||
|
|
||
| Keeping the System Updated | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
@@ -104,6 +164,8 @@ Upgrade Documentation`_ on how to upgrade the drives. | |
| .. _`Tails | ||
| Upgrade Documentation`: https://tails.boum.org/doc/upgrade/index.en.html | ||
|
|
||
| .. _monitoring_ossec: | ||
|
|
||
| Monitoring OSSEC Alerts | ||
| ~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
|
|
@@ -120,6 +182,21 @@ See the :doc:`OSSEC Guide <ossec_alerts>` for more information on common OSSEC a | |
|
|
||
| .. _The Admin Interface: | ||
|
|
||
| .. _monitoring_comms: | ||
|
|
||
| Monitoring SecureDrop-related communications | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| Release announcements and security advisories are posted to the | ||
| `SecureDrop blog <https://securedrop.org/news>`__, which is also available as | ||
| an `RSS feed <https://securedrop.org/news/feed/>`__. You can also follow us on | ||
| our social media accounts (`Twitter <https://twitter.com/securedrop>`__ and | ||
| `Mastodon <https://securedrop.org/news/feed/>`__). | ||
|
|
||
| We strongly recommend :doc:`joining the SecureDrop support portal <getting_support>`. | ||
| As a member of the support portal, you will receive email notifications related | ||
| to all major announcements, and you can open tickets in case of technical issues. | ||
| Membership is free of charge. | ||
|
|
||
| The Admin Interface | ||
| ------------------------- | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1,47 @@ | ||
| Getting Support | ||
| =============== | ||
|
|
||
| There are a several support options available if you need help installing | ||
| SecureDrop, or are looking for help with your existing SecureDrop instance. | ||
|
|
||
|
|
||
| .. note:: | ||
|
|
||
| If your installation is up and running, we recommend that you | ||
| `submit your SecureDrop to the SecureDrop directory <https://securedrop.org/directory/submit/>`__. | ||
| This also serves as a first introduction to the SecureDrop team. | ||
|
|
||
| Support Portal | ||
| -------------- | ||
| Because of the sensitive nature of SecureDrop-related communications, we recommend | ||
| that you request an account on the support portal at https://support.freedom.press/ | ||
| and review `our documentation <https://support-docs.securedrop.org/en/latest/>`__ | ||
| for using it. | ||
|
|
||
| As a member of the support portal, you will receive notifications regarding | ||
| SecureDrop releases and security advisories, and you will be able to open tickets | ||
| to request technical support. | ||
|
|
||
| Membership in the support portal is free of charge and granted at Freedom of the | ||
| Press Foundation's sole discretion. To reach out regarding a membership request, | ||
| please use the `contact form <https://securedrop.org/help/>`__. | ||
|
|
||
| While we will provide technical assistance within reason and at our discretion, we | ||
| encourage you to consider a paid support agreement to receive priority support, | ||
| staff training, or installation help. Visit the `Priority Support <https://securedrop.org/priority-support/>`_ | ||
| and `Training <https://securedrop.org/training/>`_ pages on the SecureDrop website | ||
| for more information. | ||
|
|
||
| Community Based Support | ||
| ----------------------- | ||
| The `SecureDrop forum <https://forum.securedrop.org/>`_ is a good place to | ||
| discuss SecureDrop and to get help from the international community of | ||
| SecureDrop users and developers. | ||
|
|
||
| You can also connect directly with the SecureDrop development team and the larger | ||
| SecureDrop community using the `SecureDrop Gitter channel <https://gitter.im/freedomofpress/securedrop>`_ . | ||
|
|
||
| .. warning:: | ||
|
|
||
| Remember that both the SecureDrop forum and the Gitter channel are | ||
| public. **Do not post any sensitive information through public channels.** |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and firmware(s)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
created a separate bullet for this in 69eac63, we may want to flesh out instructions for monitoring/applying firmware updates