smallone 2013-10-01
当一个高配置的主机虚拟成N个不同的VM主机分给不同的用户使用的时候,需要防范利用VM的漏洞逃逸到宿主机或者取得了其他VM的信息,这是云安全遇到的一个不小的难题。
要想逃逸,首先要检测当前操作系统是否为VM,下面提供几个Linux下的检查方法:
第一,首推facter virtual ,权限为普通用户,约定,普通用户命令提示符用$表示,root用户命令提示符用#表示,第一组为实体机的返回,第二组为虚拟机的返回:
$facter virtual
physical
$facter virtual
vmware
第二,cat /proc/scsi/scsi,需要分析Vendor中的内容:
$cat /proc/scsi/scsi
Attached devices:
Host: scsi6 Channel: 03 Id: 00 Lun: 00
Vendor: HP Model: P410 Rev: 5.14
Type: RAID ANSI SCSI revision: 05
Host: scsi6 Channel: 00 Id: 00 Lun: 00
Vendor: HP Model: LOGICAL VOLUME Rev: 5.14
Type: Direct-Access
$cat /proc/scsi/scsi
Attached devices:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
Type: CD-ROM ANSI SCSI revision: 05
Host: scsi2 Channel: 00 Id: 00 Lun: 00
Vendor: VMware Model: Virtual disk Rev: 1.0
Type: Direct-Access
由于我当前使用的测试环境为vmware,下面以它为例
第三,lspci | grep -i vmware:
$ lspci | grep -i vmware
实体机上无返回结果
$ lspci | grep -i vmware
00:07.7 System peripheral: VMware Virtual Machine Communication Interface (rev 10)
00:0f.0 VGA compatible controller: VMware SVGA II Adapter
00:11.0 PCI bridge: VMware PCI bridge (rev 02)
00:15.0 PCI bridge: VMware PCI Express Root Port (rev 01)
00:15.1 PCI bridge: VMware PCI Express Root Port (rev 01)
00:15.2 PCI bridge: VMware PCI Express Root Port (rev 01)
00:15.3 PCI bridge: VMware PCI Express Root Port (rev 01)
00:15.4 PCI bridge: VMware PCI Express Root Port (rev 01)
第四,grep -i vmware /proc/scsi/scsi /proc/ide/*/model
$grep -i vmware /proc/scsi/scsi /proc/ide/*/model
grep: /proc/ide/*/model: No such file or directory
$ grep -i vmware /proc/scsi/scsi /proc/ide/*/model
/proc/scsi/scsi: Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00
/proc/scsi/scsi: Vendor: VMware Model: Virtual disk Rev: 1.0
第五,需要root权限,dmidecode | grep -i vmware
#dmidecode | grep -i vmware
实体机无返回
# dmidecode | grep -i vmware
Manufacturer: VMware, Inc.
Product Name: VMware Virtual Platform
Serial Number: VMware-56 4d 29 65 6c ac 42 33-33 7f 89 2c d0 36 a3 25
Description: VMware SVGA II
推荐阅读: