1.4 Ensure the default value of individual salt per vm is configured

Information

The concept of salting was introduced to address concerns system administrators may have over the security implications of Transparent Page Sharing (TPS). In the original TPS implementation, multiple virtual machines could share pages whenever the contents of the pages were the same. With the salting settings, virtual machines can share pages only if both the salt value and the contents of the pages are identical. A host configuration option, Mem.ShareForceSalting, is used to enable or disable salting.

By default, salting is enabled (Mem.ShareForceSalting=2) and each virtual machine has a different salt. This means page sharing does not occur across virtual machines (inter-VM TPS) and only happens inside a single virtual machine (intra-VM TPS).

Rationale:

Intra-VM means that TPS will de-duplicate identical pages of memory within a virtual machine, but will not share the pages with any other virtual machines. Ensuring the default setting is in place so that page sharing only occurs inside a virtual machine is the best option here.

Solution

From vSphere Web Client:

Select a host.

Click 'Configure' -> 'Settings' -> 'System' -> 'Advanced System Settings'.

Filter for Mem.ShareForceSalting.

Click 'Edit'.

Set the value to 2.

Additionally, the following PowerCLI command can be used:

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
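The one-liner above changes every host unconditionally. The following PowerCLI script is an added example (it is not part of the CIS benchmark or the Tenable audit text) that first audits each host's Mem.ShareForceSalting value, records which hosts deviate from the benchmark value of 2, remediates only those, and then re-reads the setting to confirm the change. It assumes VMware PowerCLI is installed and a session has already been opened with Connect-VIServer; the server name 'vcenter.example.invalid' is a placeholder.

```powershell
# Added example, not code from the CIS benchmark or from Tenable.
# Assumes PowerCLI is installed and a vCenter session is open, e.g.:
#   Connect-VIServer -Server 'vcenter.example.invalid'   # placeholder name

$SettingName   = 'Mem.ShareForceSalting'
$ExpectedValue = 2   # benchmark value: salting enabled, per-VM salt

# Audit: read the advanced setting from every host and record compliance.
$report = foreach ($vmHost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmHost -Name $SettingName
    [pscustomobject]@{
        Host      = $vmHost.Name
        Setting   = $SettingName
        Value     = $setting.Value
        Compliant = ([int]$setting.Value -eq $ExpectedValue)
    }
}

# Show the audit result before touching anything.
$report | Format-Table -AutoSize

# Remediate only the hosts that deviate from the benchmark value.
$nonCompliant = $report | Where-Object { -not $_.Compliant }
foreach ($entry in $nonCompliant) {
    $vmHost = Get-VMHost -Name $entry.Host
    Get-AdvancedSetting -Entity $vmHost -Name $SettingName |
        Set-AdvancedSetting -Value $ExpectedValue -Confirm:$false
    Write-Host "Set $SettingName to $ExpectedValue on $($entry.Host) (was $($entry.Value))"
}

# Verify: re-read the setting from all hosts after remediation.
Get-VMHost | Get-AdvancedSetting -Name $SettingName |
    Select-Object @{ n = 'Host'; e = { $_.Entity.Name } }, Name, Value
```

Running the audit half alone (everything up to the Format-Table call) is a non-destructive check that can be scheduled to detect drift from the benchmark; the remediation loop uses -Confirm:$false so it can run unattended once the report has been reviewed.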

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: VMware

Control ID: 2a16d7edca1efbfaa6fa4f97bceb59099decc2ad746f6d4d4b8b167281dbfa1b