diff --git a/etc/grml/fai/config/hooks/instsoft.GRMLBASE b/etc/grml/fai/config/hooks/instsoft.GRMLBASE
index 13bbdbf2..2a52aa41 100755
--- a/etc/grml/fai/config/hooks/instsoft.GRMLBASE
+++ b/etc/grml/fai/config/hooks/instsoft.GRMLBASE
@@ -9,6 +9,9 @@
 set -u
 set -e
 
+# FAI sets $target, but shellcheck does not know that.
+target=${target:?}
+
 # if hooks/updatebase.GRMLBASE fails for whatever reason
 # and can't skip instsoft.GRMLBASE we have to make sure
 # we exit here as well
@@ -23,17 +26,17 @@ if [ "$FAI_ACTION" = "softupdate" ] ; then
 
    # /etc/resolv.conf is usually a symlink, pointing out of the chroot.
    # Make it a file with known contents.
-   rm -f "${target}"/etc/resolv.conf
+   rm -f "$target"/etc/resolv.conf
    cat /etc/resolv.conf >> "$target"/etc/resolv.conf
 
-   if [ -r $target/etc/policy-rc.d.conf ] ; then
-      sed -i "s/EXITSTATUS=.*/EXITSTATUS='101'/" $target/etc/policy-rc.d.conf
+   if [ -r "$target"/etc/policy-rc.d.conf ] ; then
+      sed -i "s/EXITSTATUS=.*/EXITSTATUS='101'/" "$target"/etc/policy-rc.d.conf
    fi
 
    # we definitely don't want to fail running fai sofupdate just
    # because of some well known bugs:
-   [ -d $target/etc/apt/apt.conf.d ] || mkdir $target/etc/apt/apt.conf.d
-   cat > $target/etc/apt/apt.conf.d/10apt-listbugs << EOF
+   [ -d "$target"/etc/apt/apt.conf.d ] || mkdir "$target"/etc/apt/apt.conf.d
+   cat > "$target"/etc/apt/apt.conf.d/10apt-listbugs << EOF
 // Check all packages whether they has critical bugs before they are installed.
 // If you don't like it, comment it out.
 //DPkg::Pre-Install-Pkgs {"/usr/sbin/apt-listbugs apt || exit 10"};
@@ -87,11 +90,14 @@ EOF
 
    if $ROOTCMD test -x /usr/bin/aptitude ; then
       if $ROOTCMD aptitude --help | grep -q safe-upgrade ; then
+         # shellcheck disable=SC2086 # APTITUDE_OPTS needs word-splitting.
          APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none $ROOTCMD aptitude -y $APTITUDE_OPTS safe-upgrade
       else
+         # shellcheck disable=SC2086 # APTITUDE_OPTS needs word-splitting.
          APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none $ROOTCMD aptitude -y $APTITUDE_OPTS upgrade
       fi
    else
+      # shellcheck disable=SC2086 # APTGET_OPTS needs word-splitting.
       APT_LISTCHANGES_FRONTEND=none APT_LISTBUGS_FRONTEND=none $ROOTCMD apt-get -y $APTGET_OPTS --force-yes upgrade
    fi
 
@@ -120,8 +126,8 @@ fi
 
 # we definitely don't want to fail running fai dirinstall just
 # because of some well known bugs:
-[ -d $target/etc/apt/apt.conf.d ] || mkdir $target/etc/apt/apt.conf.d
-cat > $target/etc/apt/apt.conf.d/10apt-listbugs << EOF
+[ -d "$target"/etc/apt/apt.conf.d ] || mkdir "$target"/etc/apt/apt.conf.d
+cat > "$target"/etc/apt/apt.conf.d/10apt-listbugs << EOF
 // Check all packages whether they has critical bugs before they are installed.
 // If you don't like it, comment it out.
 //DPkg::Pre-Install-Pkgs {"/usr/sbin/apt-listbugs apt || exit 10"};
diff --git a/etc/grml/fai/config/hooks/instsoft.ZFS b/etc/grml/fai/config/hooks/instsoft.ZFS
index 2e8a072b..0d489e9d 100755
--- a/etc/grml/fai/config/hooks/instsoft.ZFS
+++ b/etc/grml/fai/config/hooks/instsoft.ZFS
@@ -9,6 +9,9 @@
 set -u
 set -e
 
+# FAI sets $target, but shellcheck does not know that.
+target=${target:?}
+
 # We don't want to install build-essential, dkms et al via package_config
 # because they will end up bloating the iso; it seems cleaner to install
 # them, build the zfs modules, then remove them.
@@ -29,9 +32,10 @@ echo "$0: Installing latest kernel and its headers, as well as build-essential."
 # keeping track of what gets installed. This is an ugly hack and should not
 # be needed, but without it the resulting ISO is hundreds of megabytes
 # larger. I hope this kludge can go away eventually.
-extra_packages=($($ROOTCMD apt-get --assume-no --download-only --mark-auto -u install \
+mapfile -t extra_packages <($ROOTCMD \
+    apt-get --assume-no --download-only --mark-auto -u install \
 	build-essential linux-image-amd64 linux-headers-amd64 \
-	| sed '0,/The following NEW packages will be installed/d;/^[^ ]/,$d'))
+	| sed '0,/The following NEW packages will be installed/d;/^[^ ]/,$d')
 $ROOTCMD apt-get --yes --mark-auto -u install build-essential linux-image-amd64 linux-headers-amd64
 
 # Remove all but the latest kernel (TODO: support passing in the desired
@@ -54,7 +58,11 @@ else
 fi
 
 echo "$0: Installing zfs-dkms itself."
-extra_packages=(${extra_packages[@]} $($ROOTCMD apt-get --assume-no --download-only --mark-auto -u install zfs-dkms | sed '0,/The following NEW packages will be installed/d;/^[^ ]/,$d'))
+mapfile -t zfs_packages <($ROOTCMD \
+    apt-get --assume-no --download-only --mark-auto -u install \
+	zfs-dkms \
+	| sed '0,/The following NEW packages will be installed/d;/^[^ ]/,$d')
+extra_packages=("${extra_packages[@]}" "${zfs_packages[@]}")
 $ROOTCMD apt-get --yes --mark-auto -u install zfs-dkms
 
 # Now invoke the dkms kernel postinst script for the only kernel that's left
@@ -66,16 +74,16 @@ $ROOTCMD /etc/kernel/postinst.d/dkms "$kernelversion"
 
 tempfile=$(mktemp)
 echo "$0: Saving built modules into a backup file (removing the dkms package will remove them, but we'll put them back)."
-$ROOTCMD tar cf - /lib/modules/$kernelversion/updates/dkms >$tempfile
+$ROOTCMD tar cf - "/lib/modules/$kernelversion/updates/dkms" >"$tempfile"
 
 echo "$0: Removing packages only needed to build zfs modules."
-remove_packages=($(echo "${extra_packages[@]}" zfs-dkms '^linux-headers-.*' build-essential $pahole | tr ' ' '\n' | sort -u))
-$ROOTCMD apt-get --yes --purge --autoremove remove ${remove_packages[@]}
+remove_packages=("${extra_packages[@]}" zfs-dkms '^linux-headers-.*' build-essential "$pahole")
+$ROOTCMD apt-get --yes --purge --autoremove remove "${remove_packages[@]}"
 echo "$0: Trying extra hard to get rid of auto-installed packages. This is a hack that is one of the ways we're trying to work around a perceived bug in apt autoremove and should be a no-op."
 $ROOTCMD apt-get --yes --purge autoremove
 
 echo "$0: Restoring backed-up kernel modules."
-$ROOTCMD tar xf - <$tempfile
-rm $tempfile
-$ROOTCMD depmod -a $kernelversion
+$ROOTCMD tar xf - <"$tempfile"
+rm "$tempfile"
+$ROOTCMD depmod -a "$kernelversion"
 echo "$0: Completed successfully. Enjoy your zfs."
diff --git a/etc/grml/fai/config/hooks/savelog.LAST.source b/etc/grml/fai/config/hooks/savelog.LAST.source
index de671e5f..f9386f2f 100755
--- a/etc/grml/fai/config/hooks/savelog.LAST.source
+++ b/etc/grml/fai/config/hooks/savelog.LAST.source
@@ -4,7 +4,7 @@
 # print errors and warnings found to error.log
 # WARNING: This will only work with english error messages!
 
-errfile=$LOGDIR/error.log
+errfile="$LOGDIR"/error.log
 
 # Define grep patterns. Do not start or end with an empty line!
 globalerrorpatterns="error
@@ -109,15 +109,15 @@ $myerrorpatterns"
 ignorepatterns="$globalignorepatterns
 $myignorepatterns"
 
-cd $LOGDIR || exit 3
-if [ -s $errfile ]; then
+cd "$LOGDIR" || exit 3
+if [ -s "$errfile" ]; then
     echo "Errorfile already exists. Aborting."
     exit
 fi
 
-grep -i "$errorpatterns" *.log | grep -vi "$ignorepatterns" > $errfile
+grep -i "$errorpatterns" ./*.log | grep -vi "$ignorepatterns" > "$errfile"
 
-if [ -s $errfile ]; then
+if [ -s "$errfile" ]; then
    echo "ERRORS found in log files. See $errfile."
 else
    echo "Congratulations! No errors found in log files."
diff --git a/etc/grml/fai/config/hooks/updatebase.GRMLBASE b/etc/grml/fai/config/hooks/updatebase.GRMLBASE
index e3306544..b8204c27 100755
--- a/etc/grml/fai/config/hooks/updatebase.GRMLBASE
+++ b/etc/grml/fai/config/hooks/updatebase.GRMLBASE
@@ -8,15 +8,19 @@
 
 set -u
 set -e
+# shellcheck source=/dev/null
 . "$GRML_LIVE_CONFIG"
 
+# FAI sets $target, but shellcheck does not know that.
+target=${target:?}
+
 # visualize chroot inside zsh:
-echo grml_chroot > $target/etc/debian_chroot
+echo grml_chroot > "${target}"/etc/debian_chroot
 
-echo "$HOSTNAME" > $target/etc/hostname
+echo "$HOSTNAME" > "${target}"/etc/hostname
 
 if [ -n "${APT_PROXY:-}" ] ; then
-  cat > $target/etc/apt/apt.conf.d/90grml-apt-proxy.conf <<EOF
+  cat > "$target"/etc/apt/apt.conf.d/90grml-apt-proxy.conf <<EOF
 Acquire::http { Proxy "$APT_PROXY"; };
 EOF
 fi
@@ -29,24 +33,24 @@ if [ "$FAI_ACTION" = "softupdate" ] ; then
 
    ## based on FAI's lib/updatebase:
    # some packages must access /proc even in chroot environment
-   if ! [ -d $FAI_ROOT/proc/1 ] ; then
-      mount -t proc proc $FAI_ROOT/proc || true
+   if ! [ -d "$FAI_ROOT"/proc/1 ] ; then
+      mount -t proc proc "$FAI_ROOT"/proc || true
    fi
    # some packages must access /sys even in chroot environment
-   if ! [ -d $FAI_ROOT/sys/kernel ] ; then
-      mount -t sysfs sysfs $FAI_ROOT/sys || true
+   if ! [ -d "$FAI_ROOT"/sys/kernel ] ; then
+      mount -t sysfs sysfs "$FAI_ROOT"/sys || true
    fi
    # if we are using udev, also mount it into $FAI_ROOT
    if [ -f /etc/init.d/udev ] ; then
-      mount --bind /dev $FAI_ROOT/dev || true
+      mount --bind /dev "$FAI_ROOT"/dev || true
    fi
 
-   if [ -d $FAI_ROOT/run ] ; then
-      mount -t tmpfs tmpfs $FAI_ROOT/run || true
-      mkdir $FAI_ROOT/run/lock
+   if [ -d "$FAI_ROOT"/run ] ; then
+      mount -t tmpfs tmpfs "$FAI_ROOT"/run || true
+      mkdir "$FAI_ROOT"/run/lock
    fi
 
-   mount -t devpts devpts $FAI_ROOT/dev/pts || true
+   mount -t devpts devpts "$FAI_ROOT"/dev/pts || true
 
    # skip the task if we want to build a new ISO only,
    # this means we do NOT update any packages
@@ -61,9 +65,9 @@ if [ -n "$BOOTSTRAP_ONLY" ] ; then
 fi
 
 # work around #632624: udev fails to install on systems with old kernel versions
-if ! [ -e ${target}/etc/udev/kernel-upgrade ] ; then
+if ! [ -e "${target}"/etc/udev/kernel-upgrade ] ; then
   echo "Working around udev package bug, creating /etc/udev/kernel-upgrade"
-  echo "# installed via updatebase.GRMLBASE" > ${target}/etc/udev/kernel-upgrade
+  echo "# installed via updatebase.GRMLBASE" > "${target}"/etc/udev/kernel-upgrade
 fi
 
 # install all apt related files