Merge pull request #3 from wernerb/shellcheck

Shellcheck

docker-bench-security.sh

@@ -14,21 +14,20 @@
 . ./helper_lib.sh
 
 # Setup the paths
-this_path=$(abspath $0)       ## Path of this file including filenamel
-dir_name=`dirname ${this_path}`    ## Dir where this file is
-myname=`basename ${this_path}`     ## file name of this script.
-logger="${myname}.log"
+this_path=$(abspath "$0")       ## Path of this file including filenamel
+myname=$(basename "${this_path}")     ## file name of this script.
 
 export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
+logger="${myname}.log"
 
 # Check for required program(s)
 req_progs='docker netstat grep awk'
 for p in $req_progs; do
-  command -v $p >/dev/null 2>&1 || { printf "$p command not found.\n"; exit 1; }
+  command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
 done
 
 # Ensure we can connect to docker daemon
-`docker ps -q >/dev/null 2>&1`
+docker ps -q >/dev/null 2>&1
 if [ $? -ne 0 ]; then
   printf "Error connecting to docker daemon (does docker ps work?)\n"
   exit 1
@@ -36,9 +35,9 @@ fi
 
 usage () {
   printf "
-  usage: $myname [options]
+  usage: %s [options]
 
-  -h           optional  Print this help message\n"
+  -h           optional  Print this help message\n" "$myname"
   exit 1
 }
 
@@ -51,10 +50,10 @@ yell "# ------------------------------------------------------------------------
 # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
 # ------------------------------------------------------------------------------"
 
-logit "Initializing `date`\n"
+logit "Initializing $(date)\n"
 
 # Warn if not root
-ID=`id -u`
+ID=$(id -u)
 if [ "x$ID" != "x0" ]; then
     warn "Some tests might require root to run"
     sleep 3
@@ -73,19 +72,19 @@ done
 # Load all the tests from tests/ and run them
 main () {
   # List all running containers
-  containers=`docker ps -q`
+  containers=$(docker ps -q)
   # If there is a container with label docker-bench, memorize it:
   benchcont="nil"
   for c in $containers; do
-    labels=`docker inspect --format '{{ .Config.Labels }}' $c`
+    labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
     contains "$labels" "docker-bench" && benchcont="$c"
   done
   # List all running containers except docker-bench
-  containers=`docker ps -q | grep -v $benchcont`
+  containers=$(docker ps -q | grep -v "$benchcont")
 
   for test in tests/*.sh
   do
-     . ./$test
+     . ./"$test"
   done
 }
 

helper_lib.sh

@@ -10,10 +10,10 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es
 do_version_check() {
     [ "$1" = "$2" ] && return 10
 
-    ver1front=`printf $1 | cut -d "." -f -1`
-    ver1back=`printf $1 | cut -d "." -f 2-`
-    ver2front=`printf $2 | cut -d "." -f -1`
-    ver2back=`printf $2 | cut -d "." -f 2-`
+    ver1front=$(printf "%s" "$1" | cut -d "." -f -1)
+    ver1back=$(printf "%s" "$1" | cut -d "." -f 2-)
+    ver2front=$(printf "%s" "$2" | cut -d "." -f -1)
+    ver2back=$(printf "%s" "$2" | cut -d "." -f 2-)
 
     if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then
         [ "$ver1front" -gt "$ver2front" ] && return 11

output_lib.sh

@@ -1,3 +1,4 @@
+#!/bin/sh
 bldred='\033[1;31m'
 bldgrn='\033[1;32m'
 bldblu='\033[1;34m'
@@ -5,21 +6,21 @@ bldylw='\033[1;33m' # Yellow
 txtrst='\033[0m'
 
 logit () {
-  printf "$1\n" | tee -a $logger
+  printf "%b\n" "$1" | tee -a "$logger"
 }
 
 info () {
-  printf '%b' "${bldblu}[INFO]${txtrst} $1\n" | tee -a $logger
+  printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
 }
 
 pass () {
-  printf '%b' "${bldgrn}[PASS]${txtrst} $1\n" | tee -a $logger
+  printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
 }
 
 warn () {
-  printf '%b' "${bldred}[WARN]${txtrst} $1\n" | tee -a $logger
+  printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
 }
 
 yell () {
-  printf '%b' "${bldylw}$1${txtrst}\n"
+  printf "%b\n" "${bldylw}$1${txtrst}\n"
 }

tests/1_host_configuration.sh

@@ -14,8 +14,8 @@ fi
 
 # 1.2
 check_1_2="1.2  - Use an updated Linux Kernel"
-kernel_version=`uname -r | cut -d "-" -f 1`
-do_version_check 3.10 $kernel_version
+kernel_version=$(uname -r | cut -d "-" -f 1)
+do_version_check 3.10 "$kernel_version"
 if [ $? -eq 11 ]; then
   warn "$check_1_2"
 else
@@ -25,11 +25,11 @@ fi
 # 1.5
 check_1_5="1.5  - Remove all non-essential services from the host - Network"
 # Check for listening network services.
-listening_services=`netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l`
-if [ $listening_services -eq 0 ]; then
+listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
+if [ "$listening_services" -eq 0 ]; then
   warn "1.5  - Failed to get listening services for check: $check_1_5"
 else
-  if [ $listening_services -gt 5 ]; then
+  if [ "$listening_services" -gt 5 ]; then
     warn "$check_1_5"
     warn "     * Host listening on: $listening_services ports"
   else
@@ -39,8 +39,8 @@ fi
 
 # 1.6
 check_1_6="1.6  - Keep Docker up to date"
-docker_version=`docker version | grep 'Server version' | awk '{print $3}'`
 do_version_check 1.6.2 $docker_version
+docker version | grep 'Server version' | awk '{print $3}'
 if [ $? -eq 11 ]; then
   warn "$check_1_6"
 else
@@ -49,7 +49,7 @@ fi
 
 # 1.7
 check_1_7="1.7  - Only allow trusted users to control Docker daemon"
-docker_users=`grep docker /etc/group`
+docker_users=$(grep docker /etc/group)
 info "$check_1_7"
 for u in $docker_users; do
   info "     * $u"

tests/2_docker_daemon_configuration.sh

@@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration"
 
 # 2.1
 check_2_1="2.1  - Do not use lxc execution driver"
-$ps_command $ps_args | grep docker | grep lxc >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   warn "$check_2_1"
 else
@@ -14,7 +14,7 @@ fi
 
 # 2.2
 check_2_2="2.2  - Restrict network traffic between containers"
-$ps_command $ps_args | grep docker | grep "icc=false" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   pass "$check_2_2"
 else
@@ -23,7 +23,7 @@ fi
 
 # 2.3
 check_2_3="2.3  - Set the logging level"
-$ps_command $ps_args | grep docker | grep "log-level=\"debug\"" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   warn "$check_2_3"
 else
@@ -32,7 +32,7 @@ fi
 
 # 2.4
 check_2_4="2.4  - Allow Docker to make changes to iptables"
-$ps_command $ps_args | grep docker | grep "iptables=false" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   warn "$check_2_4"
 else
@@ -41,7 +41,7 @@ fi
 
 # 2.5
 check_2_5="2.5  - Do not use insecure registries"
-$ps_command $ps_args | grep docker | grep "insecure-registry" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   warn "$check_2_5"
 else
@@ -50,7 +50,7 @@ fi
 
 # 2.6
 check_2_6="2.6  - Setup a local registry mirror"
-$ps_command $ps_args | grep docker | grep "registry-mirror" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   pass "$check_2_6"
 else
@@ -60,7 +60,7 @@ fi
 
 # 2.7
 check_2_7="2.7  - Do not use the aufs storage driver"
-storage_driver=`docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"`
+docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"
 if [ $? -eq 0 ]; then
   warn "$check_2_7"
 else
@@ -69,7 +69,7 @@ fi
 
 # 2.8
 check_2_8="2.8  - Do not bind Docker to another IP/Port or a Unix socket"
-$ps_command $ps_args | grep docker | grep "\-H" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   info "$check_2_8"
   info "     * Docker daemon running with -H"
@@ -79,9 +79,9 @@ fi
 
 # 2.9
 check_2_9="2.9  - Configure TLS authentication for Docker daemon"
-$ps_command $ps_args | grep docker | grep "tcp://" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
-  $ps_command $ps_args | grep docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
+  pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
   if [ $? -eq 0 ]; then
     pass "$check_2_9"
     info "     * Docker daemon currently listening on TCP"
@@ -96,7 +96,7 @@ fi
 
 # 2.10
 check_2_10="2.10 - Set default ulimit as appropriate"
-$ps_command $ps_args | grep docker | grep "default-ulimit" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   pass "$check_2_10"
 else

tests/3_docker_daemon_configuration_files.sh

@@ -247,10 +247,10 @@ fi
 check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
 directory="/etc/docker"
 if [ -d "$directory" ]; then
-  perms=`ls -ld $directory | awk '{print $1}'`
-  if [ $perms = "drwxr-xr-x." ]; then
+  perms=$(ls -ld $directory | awk '{print $1}')
+  if [ "$perms" = "drwxr-xr-x." ]; then
     pass "$check_3_16"
-  elif [ $perms = "drwx------" ]; then
+  elif [ "$perms" = "drwx------" ]; then
     pass "$check_3_16"
   else
     warn "$check_3_16"
@@ -266,9 +266,9 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo
 directory="/etc/docker/certs.d/"
 if [ -d "$directory" ]; then
   fail=0
-  owners=`ls -lL $directory/* | grep .crt | awk '{print $3, $4}'`
+  owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}')
   for p in $owners; do
-    printf "$p" | grep "root" >/dev/null 2>&1
+    printf "%s" "$p" | grep "root" >/dev/null 2>&1
     if [ $? -ne 0 ]; then
       fail=1
     fi
@@ -289,7 +289,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to
 directory="/etc/docker/certs.d/"
 if [ -d "$directory" ]; then
   fail=0
-  perms=`ls -lL $directory/* | grep .crt | awk '{print $1}'`
+  perms=$(ls -lL "$directory"/*.crt | awk '{print $1}')
   for p in $perms; do
     if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then
       fail=1
@@ -308,7 +308,7 @@ fi
 
 # 3.19
 check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
-tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscacert" ]; then
   ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -324,9 +324,9 @@ fi
 
 # 3.20
 check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444"
-tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscacert" ]; then
-  perms=`ls -ld "$tlscacert" | awk '{print $1}'`
+  perms=$(ls -ld "$tlscacert" | awk '{print $1}')
   if [ "$perms" = "-rw-r--r--" ]; then
     pass "$check_3_20"
   else
@@ -340,7 +340,7 @@ fi
 
 # 3.21
 check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
-tlscert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscert" ]; then
   ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -356,9 +356,9 @@ fi
 
 # 3.22
 check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444"
-tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscert" ]; then
-  perms=`ls -ld "$tlscert" | awk '{print $1}'`
+  perms=$(ls -ld "$tlscert" | awk '{print $1}')
   if [ "$perms" = "-rw-r--r--" ]; then
     pass "$check_3_22"
   else
@@ -372,7 +372,7 @@ fi
 
 # 3.23
 check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
-tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlskey" ]; then
   ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
   if [ $? -eq 0 ]; then
@@ -388,9 +388,9 @@ fi
 
 # 3.24
 check_3_24="3.24 - Verify that Docker server key file permissions are set to 400"
-tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlskey" ]; then
-  perms=`ls -ld "$tlskey" | awk '{print $1}'`
+  perms=$(ls -ld "$tlskey" | awk '{print $1}')
   if [ "$perms" = "-r--------" ]; then
     pass "$check_3_24"
   else
@@ -422,7 +422,7 @@ fi
 check_3_26="3.26 - Verify that Docker socket file permissions are set to 660"
 file="/var/run/docker.sock"
 if [ -f "$file" ]; then
-  perms=`ls -ld "$file" | awk '{print $1}'`
+  perms=$(ls -ld "$file" | awk '{print $1}')
   if [ "$perms" = "srw-rw----" ]; then
     pass "$check_3_26"
   else

tests/4_container_images.sh

@@ -17,7 +17,7 @@ else
   set -f; IFS=$'
 '
   for c in $containers; do
-    user=`docker inspect --format 'User={{.Config.User}}' $c`
+    user=$(docker inspect --format 'User={{.Config.User}}' "$c")
 
     if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
       # If it's the first container, fail the test

tests/5_container_runtime.sh

@@ -15,7 +15,7 @@ else
 
   fail=0
   for c in $containers; do
-    policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c`
+    policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")
 
     if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then
       # If it's the first container, fail the test
@@ -38,7 +38,7 @@ else
 
   fail=0
   for c in $containers; do
-    policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c`
+    policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c")
 
     if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then
       # If it's the first container, fail the test
@@ -61,15 +61,15 @@ else
 
   fail=0
   for c in $containers; do
-    exec_check=`docker exec $c ps -el 2>/dev/null`
+    exec_check=$(docker exec "$c" ps -el 2>/dev/null)
     if [ $? -eq 255 ]; then
       warn "$check_5_3"
       warn "      * Docker exec fails: $c"
       fail=1
     fi
 
-    processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'`
-    if [ $processes -gt 5 ]; then
+    processes=$(docker exec "$c" ps -el 2>/dev/null | wc -l | awk '{print $1}')
+    if [ "$processes" -gt 5 ]; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
         warn "$check_5_3"
@@ -90,7 +90,7 @@ else
 
   fail=0
   for c in $containers; do
-    caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c`
+    caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")
 
     if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=<no value>" ]; then
       # If it's the first container, fail the test
@@ -113,7 +113,7 @@ else
 
   fail=0
   for c in $containers; do
-    privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c`
+    privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c")
 
     if [ "$privileged" = "true" ]; then
       # If it's the first container, fail the test
@@ -145,7 +145,7 @@ else
 /usr'
   fail=0
   for c in $containers; do
-    volumes=`docker inspect --format '{{ .VolumesRW }}' $c`
+    volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
     # Go over each directory in sensitive dir and see if they exist in the volumes
     for v in $sensitive_dirs; do
       sensitive=0
@@ -172,14 +172,14 @@ else
 
   fail=0
   for c in $containers; do
-    exec_check=`docker exec $c ps -el 2>/dev/null`
+    docker exec "$c" ps -el 2>/dev/null
     if [ $? -eq 255 ]; then
       warn "$check_5_7"
       warn "     * Docker exec failed: $c"
       fail=1
     fi
 
-    processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'`
+    processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}')
     if [ $processes -gt 1 ]; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
@@ -201,7 +201,7 @@ else
 
   fail=0
   for c in $containers; do
-    port=`docker port $c | awk '{print $1}' | cut -d '/' -f1`
+    port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1)
 
     if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then
       # If it's the first container, fail the test
@@ -224,7 +224,7 @@ else
 
   fail=0
   for c in $containers; do
-    mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c`
+    mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c")
 
     if [ "$mode" = "NetworkMode=host" ]; then
       # If it's the first container, fail the test
@@ -247,9 +247,9 @@ else
 
   fail=0
   for c in $containers; do
-    memory=`docker inspect --format '{{ .Config.Memory }}' $c`
+    memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
 
-    if [ $memory = "0" ]; then
+    if [ "$memory" = "0" ]; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
         warn "$check_5_11"
@@ -270,7 +270,7 @@ else
 
   fail=0
   for c in $containers; do
-    shares=`docker inspect --format '{{ .Config.CpuShares }}' $c`
+    shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
 
     if [ "$shares" = "0" ]; then
       # If it's the first container, fail the test
@@ -293,7 +293,7 @@ else
 
   fail=0
   for c in $containers; do
-   read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c`
+   read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c")
 
     if [ "$read_status" = "false" ]; then
       # If it's the first container, fail the test
@@ -316,7 +316,7 @@ else
 
   fail=0
   for c in $containers; do
-    ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1`
+    ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1)
     if [ "$ip" = "0.0.0.0" ]; then
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
@@ -338,7 +338,7 @@ else
 
   fail=0
   for c in $containers; do
-    policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c`
+    policy=$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' "$c")
 
     if [ "$policy" = "RestartPolicyName=always" ]; then
       # If it's the first container, fail the test
@@ -361,7 +361,7 @@ else
 
   fail=0
   for c in $containers; do
-    mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c`
+    mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c")
 
     if [ "$mode" = "PidMode=host" ]; then
       # If it's the first container, fail the test
@@ -384,7 +384,7 @@ else
 
   fail=0
   for c in $containers; do
-    mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c`
+    mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c")
 
     if [ "$mode" = "IpcMode=host" ]; then
       # If it's the first container, fail the test
@@ -407,7 +407,7 @@ else
 
   fail=0
   for c in $containers; do
-    devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c`
+    devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c")
 
     if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then
       # If it's the first container, fail the test
@@ -431,7 +431,7 @@ else
   # List all the running containers, ouput their ID and host devices
   fail=0
   for c in $containers; do
-    ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c`
+    ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
 
     if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then
       # If it's the first container, fail the test

tests/6_docker_security_operations.sh

@@ -15,7 +15,7 @@ else
   set -f; IFS=$'
 '
   for c in $containers; do
-    volumes=`docker inspect --format '{{ .Volumes }}' $c`
+    volumes=$(docker inspect --format '{{ .Volumes }}' "$c")
 
     if [ "$volumes" = "map[]" ]; then
       # If it's the first container, fail the test
@@ -36,8 +36,8 @@ set +f; unset IFS
 
 # 6.6
 check_6_6="6.6 - Avoid image sprawl"
-images=`docker images | wc -l | awk '{print $1}'`
-if [ $images -gt 100 ]; then
+images=$(docker images | wc -l | awk '{print $1}')
+if [ "$images" -gt 100 ]; then
   warn "$check_6_6"
   warn "     * There are currently: $images images"
 else
@@ -47,10 +47,10 @@ fi
 
 # 6.7
 check_6_7="6.7 - Avoid container sprawl"
-total_containers=`docker info 2>/dev/null | grep "Containers" | awk '{print $2}'`
-running_containers=`docker ps -q | wc -l | awk '{print $1}'`
-diff=`expr "$total_containers" - "$running_containers"`
-if [ $diff -gt 25 ]; then
+total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
+running_containers=$(docker ps -q | wc -l | awk '{print $1}')
+diff="$(($total_containers - $running_containers))"
+if [ "$diff" -gt 25 ]; then
   warn "$check_6_7"
   warn "     * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
 else