
QA Procedures

Erik Moeller edited this page Dec 9, 2019 · 25 revisions

Release QA

Hardware installation from scratch:

  1. Download and verify the Ubuntu image (http://releases.ubuntu.com/16.04/), then do a clean install; configure it as per the standard Install documentation

  2. Fresh clone of securedrop repo on the Admin workstation

  3. Run git fetch --tags, verify the tag for the release branch you are testing, then check out that tag

  4. Edit install_files/ansible_base/roles/install-fpf-repo/defaults/main.yml to use:

     apt_repo_url: https://apt-test.freedom.press
     ...
     apt_repo_pubkey_files:
         - apt-test-signing-key.pub

  5. ./securedrop-admin setup, then ./securedrop-admin sdconfig, then ./securedrop-admin install

  6. Kernel Testing. On app server:

    1. Install paxtest (available via apt) and run paxtest blackhat. The results you want are:

      • strcpy and strcpy, PIE should be "paxtest: return address contains a NULL byte"
      • Randomization tests: bit guesses in the high 20s or higher
      • Everything else: "Killed"
    2. On the Admin workstation, run torify curl -L https://meltdown.ovh -o meltdown.sh. Then run scp meltdown.sh app:~ so that you have the script on the app server. Make meltdown.sh executable, and run the script with sudo. Note: this should only be done on non-production (QA-only) hardware. You should not see any tests that come back as STATUS:VULNERABLE. Note: you will generate OSSEC alerts about grsec when you run these two tests; this is normal and expected.
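
The paxtest criteria from the kernel testing step can be checked mechanically. The script below is an added example, not part of the SecureDrop repository: check_paxtest, sample_log and the MIN_BITS cut-off of 27 (one numeric reading of "high 20s") are assumptions, and the sample output is constructed in the usual "test name : result" layout.

```sh
#!/bin/sh
# Added example: grade `paxtest blackhat` output against the criteria above.
# MIN_BITS is an assumed numeric reading of "high 20s"; set your own baseline.
MIN_BITS="${MIN_BITS:-27}"

# Reads paxtest output on stdin, prints one FAIL line per unexpected result,
# and returns non-zero if any check fails or no result lines were found.
check_paxtest() {
    awk -v min="$MIN_BITS" '
        { i = index($0, " : ") }
        i == 0 { next }                      # banner or blank line, not a result
        {
            name = substr($0, 1, i - 1); sub(/[ \t]+$/, "", name)
            result = substr($0, i + 3)
            seen++
            if (name ~ /strcpy/)
                ok = (result ~ /return address contains a NULL byte/)
            else if (name ~ /[Rr]andomi[sz]ation/)
                ok = ((result + 0) >= (min + 0))   # leading integer = guessed bits
            else
                ok = (result ~ /^Killed/)
            if (!ok) { bad++; printf "FAIL: %s -> %s\n", name, result }
        }
        END {
            if (seen == 0) print "FAIL: no paxtest result lines found"
            exit (bad > 0 || seen == 0)
        }'
}

# Constructed sample of a passing run (not captured from real hardware).
sample_log() {
    cat <<'EOF'
Mode: blackhat
Executable anonymous mapping             : Killed
Executable stack                         : Killed
Anonymous mapping randomisation test     : 29 bits (guessed)
Heap randomisation test (PIE)            : 35 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Writable text segments                   : Killed
EOF
}

sample_log | check_paxtest && echo "constructed sample: PASS"
```

On the app server, save the output of paxtest blackhat to a file and feed it to check_paxtest on stdin; any FAIL line names the test to investigate.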

Follow the QA matrix for further tests (end-to-end, monitor logs, etc).

More tips

  • AppArmor can be checked with sudo aa-status
  • Kernel can be checked with uname -r
  • Submissions table is at /var/lib/securedrop/db.sqlite. Use sudo sqlite3 /var/lib/securedrop/db.sqlite to open it, then select * from submissions to see submission hashes, etc.

Upgrade hardware installation:

TK

Pull Request QA

TK
