Double quote to prevent globbing and word splitting.

Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com>
2025-06-21 14:19:08 +00:00 · 2015-05-29 13:42:34 +02:00 · 2015-05-29 13:42:34 +02:00 · f4aab9c8c5
commit f4aab9c8c5
parent 54202b3b41
9 changed files with 87 additions and 87 deletions
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@ -14,8 +14,8 @@ fi

 # 1.2
 check_1_2="1.2  - Use an updated Linux Kernel"
-kernel_version=`uname -r | cut -d "-" -f 1`
-do_version_check 3.10 $kernel_version
+kernel_version=$(uname -r | cut -d "-" -f 1)
+do_version_check 3.10 "$kernel_version"
 if [ $? -eq 11 ]; then
  warn "$check_1_2"
 else
@ -25,11 +25,11 @@ fi
 # 1.5
 check_1_5="1.5  - Remove all non-essential services from the host - Network"
 # Check for listening network services.
-listening_services=`netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l`
-if [ $listening_services -eq 0 ]; then
+listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
+if [ "$listening_services" -eq 0 ]; then
  warn "1.5  - Failed to get listening services for check: $check_1_5"
 else
-  if [ $listening_services -gt 5 ]; then
+  if [ "$listening_services" -gt 5 ]; then
    warn "$check_1_5"
    warn "     * Host listening on: $listening_services ports"
  else
@ -39,8 +39,8 @@ fi

 # 1.6
 check_1_6="1.6  - Keep Docker up to date"
-docker_version=`docker version | grep 'Server version' | awk '{print $3}'`
 do_version_check 1.6.2 $docker_version
+docker version | grep 'Server version' | awk '{print $3}'
 if [ $? -eq 11 ]; then
  warn "$check_1_6"
 else
@ -49,7 +49,7 @@ fi

 # 1.7
 check_1_7="1.7  - Only allow trusted users to control Docker daemon"
-docker_users=`grep docker /etc/group`
+docker_users=$(grep docker /etc/group)
 info "$check_1_7"
 for u in $docker_users; do
  info "     * $u"
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration"

 # 2.1
 check_2_1="2.1  - Do not use lxc execution driver"
-$ps_command $ps_args | grep docker | grep lxc >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  warn "$check_2_1"
 else
@ -14,7 +14,7 @@ fi

 # 2.2
 check_2_2="2.2  - Restrict network traffic between containers"
-$ps_command $ps_args | grep docker | grep "icc=false" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  pass "$check_2_2"
 else
@ -23,7 +23,7 @@ fi

 # 2.3
 check_2_3="2.3  - Set the logging level"
-$ps_command $ps_args | grep docker | grep "log-level=\"debug\"" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  warn "$check_2_3"
 else
@ -32,7 +32,7 @@ fi

 # 2.4
 check_2_4="2.4  - Allow Docker to make changes to iptables"
-$ps_command $ps_args | grep docker | grep "iptables=false" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  warn "$check_2_4"
 else
@ -41,7 +41,7 @@ fi

 # 2.5
 check_2_5="2.5  - Do not use insecure registries"
-$ps_command $ps_args | grep docker | grep "insecure-registry" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  warn "$check_2_5"
 else
@ -50,7 +50,7 @@ fi

 # 2.6
 check_2_6="2.6  - Setup a local registry mirror"
-$ps_command $ps_args | grep docker | grep "registry-mirror" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  pass "$check_2_6"
 else
@ -60,7 +60,7 @@ fi

 # 2.7
 check_2_7="2.7  - Do not use the aufs storage driver"
-storage_driver=`docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"`
+docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"
 if [ $? -eq 0 ]; then
  warn "$check_2_7"
 else
@ -69,7 +69,7 @@ fi

 # 2.8
 check_2_8="2.8  - Do not bind Docker to another IP/Port or a Unix socket"
-$ps_command $ps_args | grep docker | grep "\-H" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  info "$check_2_8"
  info "     * Docker daemon running with -H"
@ -79,9 +79,9 @@ fi

 # 2.9
 check_2_9="2.9  - Configure TLS authentication for Docker daemon"
-$ps_command $ps_args | grep docker | grep "tcp://" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
-  $ps_command $ps_args | grep docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
+  pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
  if [ $? -eq 0 ]; then
    pass "$check_2_9"
    info "     * Docker daemon currently listening on TCP"
@ -96,7 +96,7 @@ fi

 # 2.10
 check_2_10="2.10 - Set default ulimit as appropriate"
-$ps_command $ps_args | grep docker | grep "default-ulimit" >/dev/null 2>&1
+pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
  pass "$check_2_10"
 else
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@ -247,10 +247,10 @@ fi
 check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
 directory="/etc/docker"
 if [ -d "$directory" ]; then
-  perms=`ls -ld $directory | awk '{print $1}'`
-  if [ $perms = "drwxr-xr-x." ]; then
+  perms=$(ls -ld $directory | awk '{print $1}')
+  if [ "$perms" = "drwxr-xr-x." ]; then
    pass "$check_3_16"
-  elif [ $perms = "drwx------" ]; then
+  elif [ "$perms" = "drwx------" ]; then
    pass "$check_3_16"
  else
    warn "$check_3_16"
@ -266,9 +266,9 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo
 directory="/etc/docker/certs.d/"
 if [ -d "$directory" ]; then
  fail=0
-  owners=`ls -lL $directory/* | grep .crt | awk '{print $3, $4}'`
+  owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}')
  for p in $owners; do
-    printf "$p" | grep "root" >/dev/null 2>&1
+    printf "%s" "$p" | grep "root" >/dev/null 2>&1
    if [ $? -ne 0 ]; then
      fail=1
    fi
@ -289,7 +289,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to
 directory="/etc/docker/certs.d/"
 if [ -d "$directory" ]; then
  fail=0
-  perms=`ls -lL $directory/* | grep .crt | awk '{print $1}'`
+  perms=$(ls -lL "$directory"/*.crt | awk '{print $1}')
  for p in $perms; do
    if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then
      fail=1
@ -308,7 +308,7 @@ fi

 # 3.19
 check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
-tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscacert" ]; then
  ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
  if [ $? -eq 0 ]; then
@ -324,9 +324,9 @@ fi

 # 3.20
 check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444"
-tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscacert" ]; then
-  perms=`ls -ld "$tlscacert" | awk '{print $1}'`
+  perms=$(ls -ld "$tlscacert" | awk '{print $1}')
  if [ "$perms" = "-rw-r--r--" ]; then
    pass "$check_3_20"
  else
@ -340,7 +340,7 @@ fi

 # 3.21
 check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
-tlscert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscert" ]; then
  ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
  if [ $? -eq 0 ]; then
@ -356,9 +356,9 @@ fi

 # 3.22
 check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444"
-tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlscert" ]; then
-  perms=`ls -ld "$tlscert" | awk '{print $1}'`
+  perms=$(ls -ld "$tlscert" | awk '{print $1}')
  if [ "$perms" = "-rw-r--r--" ]; then
    pass "$check_3_22"
  else
@ -372,7 +372,7 @@ fi

 # 3.23
 check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
-tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlskey" ]; then
  ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
  if [ $? -eq 0 ]; then
@ -388,9 +388,9 @@ fi

 # 3.24
 check_3_24="3.24 - Verify that Docker server key file permissions are set to 400"
-tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1`
+tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
 if [ -f "$tlskey" ]; then
-  perms=`ls -ld "$tlskey" | awk '{print $1}'`
+  perms=$(ls -ld "$tlskey" | awk '{print $1}')
  if [ "$perms" = "-r--------" ]; then
    pass "$check_3_24"
  else
@ -422,7 +422,7 @@ fi
 check_3_26="3.26 - Verify that Docker socket file permissions are set to 660"
 file="/var/run/docker.sock"
 if [ -f "$file" ]; then
-  perms=`ls -ld "$file" | awk '{print $1}'`
+  perms=$(ls -ld "$file" | awk '{print $1}')
  if [ "$perms" = "srw-rw----" ]; then
    pass "$check_3_26"
  else
--- a/tests/4_container_images.sh
+++ b/tests/4_container_images.sh
@ -17,7 +17,7 @@ else
  set -f; IFS=$'
 '
  for c in $containers; do
-    user=`docker inspect --format 'User={{.Config.User}}' $c`
+    user=$(docker inspect --format 'User={{.Config.User}}' "$c")

    if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
      # If it's the first container, fail the test
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@ -15,7 +15,7 @@ else

  fail=0
  for c in $containers; do
-    policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c`
+    policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")

    if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then
      # If it's the first container, fail the test
@ -38,7 +38,7 @@ else

  fail=0
  for c in $containers; do
-    policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c`
+    policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c")

    if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then
      # If it's the first container, fail the test
@ -61,15 +61,15 @@ else

  fail=0
  for c in $containers; do
-    exec_check=`docker exec $c ps -el 2>/dev/null`
+    exec_check=$(docker exec "$c" ps -el 2>/dev/null)
    if [ $? -eq 255 ]; then
      warn "$check_5_3"
      warn "      * Docker exec fails: $c"
      fail=1
    fi

-    processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'`
-    if [ $processes -gt 5 ]; then
+    processes=$(docker exec "$c" ps -el 2>/dev/null | wc -l | awk '{print $1}')
+    if [ "$processes" -gt 5 ]; then
      # If it's the first container, fail the test
      if [ $fail -eq 0 ]; then
        warn "$check_5_3"
@ -90,7 +90,7 @@ else

  fail=0
  for c in $containers; do
-    caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c`
+    caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")

    if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=<no value>" ]; then
      # If it's the first container, fail the test
@ -113,7 +113,7 @@ else

  fail=0
  for c in $containers; do
-    privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c`
+    privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c")

    if [ "$privileged" = "true" ]; then
      # If it's the first container, fail the test
@ -145,7 +145,7 @@ else
 /usr'
  fail=0
  for c in $containers; do
-    volumes=`docker inspect --format '{{ .VolumesRW }}' $c`
+    volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
    # Go over each directory in sensitive dir and see if they exist in the volumes
    for v in $sensitive_dirs; do
      sensitive=0
@ -172,14 +172,14 @@ else

  fail=0
  for c in $containers; do
-    exec_check=`docker exec $c ps -el 2>/dev/null`
+    docker exec "$c" ps -el 2>/dev/null
    if [ $? -eq 255 ]; then
      warn "$check_5_7"
      warn "     * Docker exec failed: $c"
      fail=1
    fi

-    processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'`
+    processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}')
    if [ $processes -gt 1 ]; then
      # If it's the first container, fail the test
      if [ $fail -eq 0 ]; then
@ -201,7 +201,7 @@ else

  fail=0
  for c in $containers; do
-    port=`docker port $c | awk '{print $1}' | cut -d '/' -f1`
+    port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1)

    if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then
      # If it's the first container, fail the test
@ -224,7 +224,7 @@ else

  fail=0
  for c in $containers; do
-    mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c`
+    mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c")

    if [ "$mode" = "NetworkMode=host" ]; then
      # If it's the first container, fail the test
@ -247,9 +247,9 @@ else

  fail=0
  for c in $containers; do
-    memory=`docker inspect --format '{{ .Config.Memory }}' $c`
+    memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")

-    if [ $memory = "0" ]; then
+    if [ "$memory" = "0" ]; then
      # If it's the first container, fail the test
      if [ $fail -eq 0 ]; then
        warn "$check_5_11"
@ -270,7 +270,7 @@ else

  fail=0
  for c in $containers; do
-    shares=`docker inspect --format '{{ .Config.CpuShares }}' $c`
+    shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")

    if [ "$shares" = "0" ]; then
      # If it's the first container, fail the test
@ -293,7 +293,7 @@ else

  fail=0
  for c in $containers; do
-   read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c`
+   read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c")

    if [ "$read_status" = "false" ]; then
      # If it's the first container, fail the test
@ -316,7 +316,7 @@ else

  fail=0
  for c in $containers; do
-    ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1`
+    ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1)
    if [ "$ip" = "0.0.0.0" ]; then
      # If it's the first container, fail the test
      if [ $fail -eq 0 ]; then
@ -338,7 +338,7 @@ else

  fail=0
  for c in $containers; do
-    policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c`
+    policy=$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' "$c")

    if [ "$policy" = "RestartPolicyName=always" ]; then
      # If it's the first container, fail the test
@ -361,7 +361,7 @@ else

  fail=0
  for c in $containers; do
-    mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c`
+    mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c")

    if [ "$mode" = "PidMode=host" ]; then
      # If it's the first container, fail the test
@ -384,7 +384,7 @@ else

  fail=0
  for c in $containers; do
-    mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c`
+    mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c")

    if [ "$mode" = "IpcMode=host" ]; then
      # If it's the first container, fail the test
@ -407,7 +407,7 @@ else

  fail=0
  for c in $containers; do
-    devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c`
+    devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c")

    if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then
      # If it's the first container, fail the test
@ -431,7 +431,7 @@ else
  # List all the running containers, ouput their ID and host devices
  fail=0
  for c in $containers; do
-    ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c`
+    ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")

    if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then
      # If it's the first container, fail the test
--- a/tests/6_docker_security_operations.sh
+++ b/tests/6_docker_security_operations.sh
@ -15,7 +15,7 @@ else
  set -f; IFS=$'
 '
  for c in $containers; do
-    volumes=`docker inspect --format '{{ .Volumes }}' $c`
+    volumes=$(docker inspect --format '{{ .Volumes }}' "$c")

    if [ "$volumes" = "map[]" ]; then
      # If it's the first container, fail the test
@ -36,8 +36,8 @@ set +f; unset IFS

 # 6.6
 check_6_6="6.6 - Avoid image sprawl"
-images=`docker images | wc -l | awk '{print $1}'`
-if [ $images -gt 100 ]; then
+images=$(docker images | wc -l | awk '{print $1}')
+if [ "$images" -gt 100 ]; then
  warn "$check_6_6"
  warn "     * There are currently: $images images"
 else
@ -47,10 +47,10 @@ fi

 # 6.7
 check_6_7="6.7 - Avoid container sprawl"
-total_containers=`docker info 2>/dev/null | grep "Containers" | awk '{print $2}'`
-running_containers=`docker ps -q | wc -l | awk '{print $1}'`
-diff=`expr "$total_containers" - "$running_containers"`
-if [ $diff -gt 25 ]; then
+total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
+running_containers=$(docker ps -q | wc -l | awk '{print $1}')
+diff="$(($total_containers - $running_containers))"
+if [ "$diff" -gt 25 ]; then
  warn "$check_6_7"
  warn "     * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
 else