shellcheck cleaning

Signed-off-by: Alexei Ledenev <alexei.ledenev@hp.com>
This commit is contained in:
Alexei Ledenev 2016-05-17 16:02:25 +03:00
parent dd9b62f5d0
commit a913b25ed3
6 changed files with 33 additions and 35 deletions


@ -48,9 +48,9 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
declare -a trusted_users=("vagrant" "docker" "ubuntu")
users_string=$(awk -F':' '/^docker/{print $4}' /etc/group)
docker_users=(${users_string//,/ })
for u in ${docker_users[@]}; do
for u in "${docker_users[@]}"; do
local found=1
for tu in ${trusted_users[@]}; do
for tu in "${trusted_users[@]}"; do
if [ "$u" = "$tu" ]; then
found=0
fi
@ -75,7 +75,7 @@ test_audit_directory() {
assert [ -d "$directory" ]
run command -v auditctl >/dev/null
assert_success
run auditctl -l | grep $directory
run auditctl -l | grep "$directory"
assert_success
}
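Review bot: The audit check at L29 never actually inspects the rules: `run` is the left-hand side of a pipeline and therefore executes in a subshell, so the `$status` and `$output` it sets are discarded, grep only sees the (captured, hence empty) stdout of `run`, and the `assert_success` that follows re-checks the `$status` left by `run command -v auditctl` on the line above — a directory with no audit rule passes. Replace the line with `run grep -F -- "$directory" <(auditctl -l)` (bats is bash, so process substitution is available) and keep `assert_success`; `-F --` also stops the path being interpreted as a regex. Separately, the `/^docker/` pattern at L14 matches any group whose name merely starts with `docker` (for example `dockerroot` on some distributions), so `awk -F':' '$1 == "docker" {print $4}'` is the safer way to pick the group. test_audit_directory's signature is outside the hunk.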


@ -8,7 +8,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.1 - Verify that docker.service file ownership is set to root:root" {
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -ne 00 ]; then
if [ "$(stat -c %u%g "$file")" -ne 00 ]; then
fail "Wrong ownership for $file"
fi
fi
@ -18,7 +18,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.2 - Verify that docker.service file permissions are set to 644" {
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -ne 644 ]; then
if [ "$(stat -c %a "$file")" -ne 644 ]; then
fail "Wrong permissions for $file"
fi
fi
@ -28,7 +28,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.3 - Verify that docker.socket file ownership is set to root:root" {
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -ne 00 ]; then
if [ "$(stat -c %u%g "$file")" -ne 00 ]; then
fail "Wrong ownership for $file"
fi
fi
@ -38,7 +38,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.4 - Verify that docker.socket file permissions are set to 644" {
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -ne 644 ]; then
if [ "$(stat -c %a "$file")" -ne 644 ]; then
fail "Wrong permissions for $file"
fi
fi
@ -58,7 +58,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.6 - Verify that /etc/docker directory permissions are set to 755 or 700" {
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -ne 755 -a "$(stat -c %a $directory)" -ne 700 ]; then
if [ "$(stat -c %a $directory)" -ne 755 ] && [ "$(stat -c %a $directory)" -ne 700 ]; then
fail "Wrong permissions for $directory : $(stat -c %a $directory)"
fi
fi
@ -89,7 +89,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
fail=0
perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
for p in $perms; do
if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then
if [ "$p" != "-r--r--r--." ] && [ "$p" = "-r--------." ]; then
fail=1
fi
done
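Review bot: The certificate permission test at L85 has its logic inverted and the commit carries the inversion over: `fail=1` is only set when the mode is exactly `-r--------.`, i.e. the most restrictive and acceptable case, while a world-writable `.crt` never trips it. The second comparison should be `!=` so a file fails unless it matches one of the two accepted modes: `if [ "$p" != "-r--r--r--." ] && [ "$p" != "-r--------." ]; then`. Note also that the trailing `.` in those literals is the SELinux-context marker `ls -l` prints, so on hosts without SELinux labels every `.crt` would fail even after the fix; comparing `stat -c %a` output against `444`/`400` instead of parsing `ls` at L82 would avoid that. The enclosing @test starts outside the hunk.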


@ -7,10 +7,10 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 4.1
@test "4.1 - Create a user for the container: {{c}}" {
local user=$(docker inspect --format 'User={{.Config.User}}' "{{c}}")
if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
user=$(docker inspect --format 'User={{.Config.User}}' "{{c}}")
if [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# get PID 1 and check if it's running as root (uid=0)
local uid=$(docker exec {{c}} awk '/^Uid:/{print $2}' /proc/1/status)
uid=$(docker exec {{c}} awk '/^Uid:/{print $2}' /proc/1/status)
if [ $uid -eq 0 ]; then
fail "Running as root: {{c}}"
fi
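Review bot: At L102 `$uid` is still unquoted and nothing handles an empty value: if `docker exec` fails or the image ships no `awk` (common in minimal images), the test evaluates `[ -eq 0 ]`, which is a syntax error rather than a verdict, so it errors out with an unrelated message instead of reporting whether PID 1 is root. Guard the value before comparing, e.g. `[ -n "$uid" ] || fail "Could not read uid of PID 1 in {{c}}"` followed by `if [ "$uid" -eq 0 ]; then`. The `{{c}}` argument on the `docker exec` line is also unquoted while the `docker inspect` call above quotes it; quoting both keeps the generated test consistent. The @test body continues outside the hunk.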


@ -7,7 +7,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.1
@test "5.1 - Verify AppArmor Profile, if applicable: {{c}}" {
policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "{{c}}")
if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then
if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=<no value>" ]; then
fail "No AppArmorProfile Found: {{c}}"
fi
}
@ -15,7 +15,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.2
@test "5.2 - Verify SELinux security options, if applicable: {{c}}" {
policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "{{c}}")
if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then
if [ "$policy" = "SecurityOpt=" ] || [ "$policy" = "SecurityOpt=[]" ] || [ "$policy" = "SecurityOpt=<no value>" ]; then
fail "No SecurityOptions Found: {{c}}"
fi
}
@ -23,7 +23,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.3
@test "5.3 - Restrict Linux Kernel Capabilities within containers: {{c}}" {
caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "{{c}}")
if [ "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=[]' -a "$caps" != 'CapAdd=<no value>' -a "$caps" != 'CapAdd=<nil>' ]; then
if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ] && [ "$caps" != 'CapAdd=<no value>' ] && [ "$caps" != 'CapAdd=<nil>' ]; then
fail "Capabilities added: $caps to {{c}}"
fi
}
@ -48,7 +48,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
volumes=$(docker inspect --format '{{ .Mounts }}' "{{c}}")
fi
# Go over each directory in sensitive dir and see if they exist in the volumes
for v in ${sensitive_dirs[@]}; do
for v in "${sensitive_dirs[@]}"; do
run contains "$volumes" "$v"
if [ $status -eq 0 ]; then
fail "Sensitive directory $v mounted in: {{c}}"
@ -146,7 +146,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.17
@test "5.17 - Do not directly expose host devices to containers: {{c}}" {
devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "{{c}}")
if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then
if [ "$devices" != "Devices=" ] && [ "$devices" != "Devices=[]" ] && [ "$devices" != "Devices=<no value>" ]; then
fail "Container has devices exposed directly: {{c}}"
fi
}
@ -154,7 +154,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.18
@test "5.18 - Override default ulimit at runtime only if needed: {{c}}" {
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "{{c}}")
if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then
if [ "$ulimits" = "Ulimits=" ] || [ "$ulimits" = "Ulimits=[]" ] || [ "$ulimits" = "Ulimits=<no value>" ]; then
fail "Container no default ulimit override: {{c}}"
fi
}
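Review bot: The AppArmor condition at L113 treats any non-empty value as a confined profile, so a container started with `--security-opt apparmor=unconfined` — which, if I read Docker's inspect output correctly, is reported as `AppArmorProfile=unconfined` — passes test 5.1 despite having no confinement. Add `|| [ "$policy" = "AppArmorProfile=unconfined" ]` to that condition so the explicit opt-out also fails. The 5.2 check at L122 has the same blind spot: any `SecurityOpt` entry, including `seccomp=unconfined` or `apparmor=unconfined`, counts as an SELinux option being set, so a check closer to the test's title would look for a `label` entry (the `contains` helper used at L141 seems suited to that).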


@ -20,10 +20,10 @@ prepare_tests_directory()
list_running_containers() {
# List all running containers
local containers=$(docker ps | sed '1d' | awk '{print $NF}')
containers=($(docker ps | sed '1d' | awk '{print $NF}' | tr "\n" " "))
# If there is a container with label docker_bench_security, memorize it:
local benchcont="nil"
for c in $containers; do
for c in "${containers[@]}"; do
labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
contains "$labels" "docker_bench_security" && benchcont="$c"
done
@ -35,9 +35,9 @@ generate_all_tests() {
# prepare test direcory: copy tests and templates
prepare_tests_directory
# generate tests from templates for running containers
local containers=$(list_running_containers)
( cd $TEST_ROOT
for c in ${containers[@]}; do
containers=($(list_running_containers))
( cd $TEST_ROOT || exit 1
for c in "${containers[@]}"; do
for t in *.bats.template; do
sed -e "s/{{c}}/$c/g" "${t}" > "${t%.*.*}_${c}.bats"
done
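Review bot: Dropping `local` at L169 to silence the shellcheck warning turns `containers` into a global that `list_running_containers` now overwrites on every call, and `generate_all_tests` assigns the same global at L184; the fix shellcheck actually asks for keeps the scope and splits declaration from assignment: `local containers` on its own line, then `containers=(...)`. While there, `docker ps --format '{{.Names}}'` yields the names directly without the `sed '1d' | awk '{print $NF}'` parsing, which also avoids surprises should the NAMES column ever hold more than one word. Separately, `exit 1` at L185 only leaves the `( … )` subshell, so a failed `cd` aborts test generation only if the caller checks the subshell's status, and `$TEST_ROOT` there is still unquoted: `cd "$TEST_ROOT" || exit 1` plus a status check on the subshell (its closing parenthesis is outside the hunk) would close that gap.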


@ -2,8 +2,6 @@
. ./generate_tests.sh
TERMINFO=/usr/share/terminfo
TEST_RESULTS=$BENCH_ROOT/results
# make result folder (inside VOLUME)
@ -23,9 +21,9 @@ OPT_RESULTS=1
#Set fonts for Help.
if [ -e "/usr/bin/tput" ]; then
BOLD=`tput bold`
REV=`tput smso`
NORM=`tput sgr0`
BOLD=$(tput bold)
REV=$(tput smso)
NORM=$(tput sgr0)
else
BOLD=""
REV=""
@ -50,7 +48,7 @@ HELP() {
#Check the number of arguments. If none are passed, print help and exit.
NUMARGS=$#
if [ $NUMARGS -eq 0 ]; then
if [ "$NUMARGS" -eq 0 ]; then
HELP
fi
@ -73,7 +71,7 @@ while getopts o:rptcgh FLAG; do
;;
c) # count tests
if [ -d "$TEST_ROOT" ]; then
echo -e "There are ${BOLD}$(bats $TEST_ROOT -c)${NORM} tests in ${BOLD}$TEST_ROOT${NORM}"
echo -e "There are ${BOLD}$(bats "${TEST_ROOT}" -c)${NORM} tests in ${BOLD}${TEST_ROOT}${NORM}"
else
echo -e "No tests found, run ${BOLD}${SCRIPT}${NORM} with ${REV}-g${NORM} option first."
fi
@ -99,8 +97,8 @@ shift $((OPTIND-1)) #This tells getopts to move on to the next argument.
### Run Bats tests ###
TESTS=$TEST_ROOT
if [ ! -d $TEST_ROOT ]; then # generate tests if needed
TESTS="${TEST_ROOT}"
if [ ! -d "${TEST_ROOT}" ]; then # generate tests if needed
generate_all_tests
fi
@ -108,13 +106,13 @@ if [ $# -ne 0 ]; then # get tests from command line
TESTS=$*
fi
if [ $OPT_RESULTS -eq 0 ]; then # run tests and [create test result file]
if [ ${OPT_RESULTS} -eq 0 ]; then # run tests and [create test result file]
if [ ! -d "$OPT_OUTPUT" ]; then
mkdir -p "$OPT_OUTPUT"
fi
bats $TESTS -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap"
bats "${TESTS}" -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap"
else
bats $TESTS -${OPT_FORMAT}
bats "${TESTS}" -${OPT_FORMAT}
fi
exit 0
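Review bot: Quoting `"${TESTS}"` at L243 and L246 introduces a regression: `TESTS=$*` at L235 joins every test path given on the command line into one string, so when more than one test is passed bats now receives a single argument `a.bats b.bats` and cannot find it, whereas the unquoted expansion used to split them (and broke on paths containing spaces). Carry the tests as an array instead: `TESTS=("${TEST_ROOT}")` at L230, `TESTS=("$@")` at L235, and `bats "${TESTS[@]}" "-${OPT_FORMAT}"` in both bats invocations. That same change also quotes `-${OPT_FORMAT}`, which is still bare in both calls.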