Information
Transparent Page Sharing (TPS) optimizes memory usage across virtual machines, but under certain circumstances it can be exploited to gain unauthorized access to data on adjacent virtual machines. Configuring the Mem.ShareForceSalting parameter restricts inter-VM TPS, enhancing isolation and security. The parameter governing this behavior is Mem.ShareForceSalting, with a recommended setting of 2.
Restricting inter-VM TPS is crucial to prevent potential unauthorized access to data; it provides an extra layer of isolation and security between virtual machines, which is indispensable in a multi-tenant environment.
Solution
From the vSphere Web Client:
- Select a host
- Click Configure, then expand System, then select Advanced System Settings
- Click Edit, then filter for Mem.ShareForceSalting
- Set the value to 2
- Click OK
Additionally, the following PowerCLI command can be used:
Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
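As an added example (not part of the audit text or the CIS benchmark), the following PowerCLI script audits every host in the connected vCenter for this setting and, when the hypothetical -Remediate switch is supplied, corrects non-compliant hosts to the recommended value of 2. It assumes a session already opened with Connect-VIServer.

```powershell
# Added example: audit ESXi hosts for Mem.ShareForceSalting and optionally remediate.
# Assumes an existing Connect-VIServer session; -Remediate is a hypothetical switch of this script.
param(
    [switch]$Remediate
)

$SettingName   = 'Mem.ShareForceSalting'
$ExpectedValue = 2   # recommended value: inter-VM TPS restricted

$results = foreach ($vmhost in Get-VMHost) {
    $setting   = Get-AdvancedSetting -Entity $vmhost -Name $SettingName
    $current   = [int]$setting.Value
    $compliant = ($current -eq $ExpectedValue)

    if (-not $compliant -and $Remediate) {
        # Set-AdvancedSetting prompts by default; -Confirm:$false makes the run non-interactive
        Set-AdvancedSetting -AdvancedSetting $setting -Value $ExpectedValue -Confirm:$false | Out-Null
        # Re-read the value so the report reflects what is actually configured now
        $current   = [int](Get-AdvancedSetting -Entity $vmhost -Name $SettingName).Value
        $compliant = ($current -eq $ExpectedValue)
    }

    [pscustomobject]@{
        Host      = $vmhost.Name
        Value     = $current
        Compliant = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code so a scheduled job or CI pipeline flags configuration drift
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it without -Remediate first to see which hosts drift from the expected value before changing anything.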
Impact:
There is no noted functional impact: restricting inter-VM TPS does not adversely affect the system's performance or operations, while bolstering security against potential data access exploits.
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1
Control ID: e6e67106dc0a21302de887f8c79ab08096c37bacbfd6eff79518263a79223c14