docs: add security best practices (#483)

Author: kb-newrelic

distributions/README.md

@@ -132,6 +132,23 @@ If the distribution provides a default configuration, some options are exposed v
 
 We recommend using the default configuration, but you can always supply your own via the `--config` [flag](https://opentelemetry.io/docs/collector/configuration/). The full list of components available for configuration is available in the respective `manifest.yaml`.
 
+### Security Best Practices
+
+This section summarizes security practices we deem the most crucial. For comprehensive security guidance, refer to the [Collector configuration best practices](https://opentelemetry.io/docs/security/config-best-practices/).
+
+#### Minimize Privileged Access
+
+The collector should run as a non-root user whenever possible. If a use-case requires elevated privileges or RBAC, this will be documented in its installation instructions.
+
+#### Store secrets securely
+Store secrets like API keys or certificates in a dedicated secret store and avoid hardcoding secrets in your config and instead prefer [environment variable expansion](https://opentelemetry.io/docs/collector/configuration/#environment-variables).
+
+#### Secure connections
+Receivers and Exporters should always be configured to use a secure and authenticated connection. In practical terms this means
+- using TLS for outgoing and incoming (requires [setting up certificates](https://opentelemetry.io/docs/collector/configuration/#setting-up-certificates)) connections
+- require authentication for backends the collector writes to, e.g. via an API Key
+- bind receivers to specific network interfaces, such as a pod’s IP, or `localhost` instead of `0.0.0.0` ([#1](https://opentelemetry.io/docs/security/config-best-practices/#protect-against-denial-of-service-attacks), [#2](https://cwe.mitre.org/data/definitions/1327.html)) to prevent exposing unintended access
+
 ## Additional Notes
 
 ### Healthcheck

distributions/nrdot-collector-host/README.md

@@ -16,9 +16,15 @@ Note: See [general README](../README.md) for information that applies to all dis
 
 The following instructions assume you have read and understood the [general installation instructions](../README.md#installation).
 
+### Linux Packages and NRDOT_MODE=ROOT
+Our linux packages (deb, rpm) install the collector as a `systemd` service. By default the collector is installed as a non-root user to prevent unintended access by accident. While this is usually sufficient for the `hostmetricsreceiver` to scrape host metrics, the `filelogreceiver` is likely to run into permission issues reading the default files from the `/var/log` directory and report errors for the affected files.
+Your options to address this issue are:
+- adjust the list of files to avoid accessing privileged files, either by providing your own complete config or by overwriting the list, e.g. `--config 'yaml:receivers::filelog::include: [/var/log/dpkg.log, /var/log/messages]'`
+- provide access to those files for the collector user, see `nrdot-collector-host.service` for the exact IDs
+- install the collector in root mode by setting the environment variable `NRDOT_MODE=ROOT` before calling `dpkg`/`rpm` to install the service
+
 ### Containerized Environments
-If you're deploying the `host` distribution as a container, make sure to configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly, otherwise NRDOT will not be able 
-See also [our troubleshooting guide](./TROUBLESHOOTING.md) for more details.
+If you're deploying the collector as a container, make sure to configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly, otherwise NRDOT will not be able to collect host metrics. See also [our troubleshooting guide](./TROUBLESHOOTING.md) for more details.
 
 
 ## Configuration

distributions/nrdot-collector/README.md

@@ -29,8 +29,15 @@ This is the default use case for `nrdot-collector`, i.e. the published artifacts
 
 The following instructions assume you have read and understood the [general installation instructions](../README.md#installation).
 
+#### Linux Packages and NRDOT_MODE=ROOT
+Our linux packages (deb, rpm) install the collector as a `systemd` service. By default the collector is installed as a non-root user to prevent unintended access by accident. While this is usually sufficient for the `hostmetricsreceiver` to scrape host metrics, the `filelogreceiver` is likely to run into permission issues reading the default files from the `/var/log` directory and report errors for the affected files.
+Your options to address this issue are:
+- adjust the list of files to avoid accessing privileged files, either by providing your own complete config or by overwriting the list, e.g. `--config 'yaml:receivers::filelog::include: [/var/log/dpkg.log, /var/log/messages]'`
+- provide access to those files for the collector user, see `nrdot-collector.service` for the exact IDs
+- install the collector in root mode by setting the environment variable `NRDOT_MODE=ROOT` before calling `dpkg`/`rpm` to install the service
+
 #### Containerized Environments
-When deploying as a container, configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly for proper host metrics collection. See [troubleshooting guide](./TROUBLESHOOTING.md) for details.
+If you're deploying the collector as a container, make sure to configure the [root_path](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/receiver/hostmetricsreceiver/README.md#collecting-host-metrics-from-inside-a-container-linux-only) and mount the host's file system accordingly, otherwise NRDOT will not be able to collect host metrics. See also [our troubleshooting guide](./TROUBLESHOOTING.md) for more details.
 
 ### Configuration