freedomofpress / securedrop-workstation

Qubes-based SecureDrop Journalist Workstation environment for submission handling
GNU Affero General Public License v3.0

Regularly run tests to monitor workstation configuration state #293

Open emkll opened 5 years ago

emkll commented 5 years ago

We run configuration tests on the securedrop-workstation as part of the test make target, but it could be useful to run these periodically (perhaps at boot), to provide some sort of healthcheck for the workstation.

These tests could also be run at boot or as part of the daily cron job, so that we ensure the configuration is as expected, after running provisioning scripts. https://github.com/freedomofpress/securedrop-workstation/blob/dff840b0a4661efaef5459fbb94c05fc7d1f35e5/dom0/securedrop-update#L53

We could also either report or take action on misconfigurations.

emkll commented 4 years ago

We are now applying dom0 state as part of https://github.com/freedomofpress/securedrop-workstation/pull/458; however, running the tests on-demand in a staging or production context may still be helpful to debug issues.

For now, a user can clone the repo to dom0 and run make test, but the tests are not packaged in the RPM used by staging and production environments.

zenmonkeykstop commented 1 year ago

Leaving open for now, further discussion required. One improvement here would be better support in Qubes for locking down the state of individual VMs.

zenmonkeykstop commented 5 months ago

Flagging for @deeplow - also @rocodes who had some thoughts on how to monitor system state.

deeplow commented 5 months ago

On the updater plans, the eventual goal is to apply this kind of integrity check (see updater diagram) whenever there is no migration.

There is a specific issue about this already, but now I can't find it. I even commented on it this week. I commented that part of the make test already ensures this system state and is relatively fast, so we could consider using that.