2.10 (L1) Host must restrict inter-VM transparent page sharing

Information

Transparent Page Sharing (TPS) optimizes memory usage across virtual machines, but under certain circumstances it can be exploited to read data belonging to an adjacent virtual machine without authorization. Setting the Mem.ShareForceSalting parameter restricts page sharing to a single VM (no inter-VM TPS), which strengthens isolation. The parameter governing this behavior is Mem.ShareForceSalting, with a recommended value of 2.

Restricting inter-VM TPS prevents this potential unauthorized access to data and adds a layer of isolation between virtual machines, which is especially important in a multi-tenant environment.

Solution

From the vSphere Web Client:

- Select a host
- Click Configure, expand System, then select Advanced System Settings
- Click Edit, then filter for Mem.ShareForceSalting
- Set the value to 2
- Click OK

Additionally, the following PowerCLI command can be used:

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
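An audit-and-remediate form of the same PowerCLI check, added here as an example (it is not part of the CIS benchmark or the Tenable audit text). It assumes an existing Connect-VIServer session; the -Remediate switch and the variable names are assumptions of this example.

```powershell
<#
  Added example, not from the CIS benchmark or Tenable audit.
  Audits every ESXi host visible to the current PowerCLI session for
  Mem.ShareForceSalting and, when -Remediate is given, sets hosts that
  deviate from the expected value back to 2.
  Assumes: VMware.PowerCLI is installed and Connect-VIServer has already
  been run against the vCenter (or standalone host) being checked.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: report only unless specified
)

$SettingName   = 'Mem.ShareForceSalting'
$ExpectedValue = 2      # value recommended by the benchmark item

$report = foreach ($vmHost in Get-VMHost) {
    # Get-AdvancedSetting returns nothing if the key is absent on this host
    $setting = Get-AdvancedSetting -Entity $vmHost -Name $SettingName
    $current = if ($null -ne $setting) { [int]$setting.Value } else { $null }
    $compliant = ($current -eq $ExpectedValue)

    if (-not $compliant -and $Remediate -and $null -ne $setting) {
        # -Confirm:$false suppresses the interactive prompt for scripted runs
        $setting | Set-AdvancedSetting -Value $ExpectedValue -Confirm:$false | Out-Null
        # Re-read the value so the report reflects what the host now holds
        $current   = [int](Get-AdvancedSetting -Entity $vmHost -Name $SettingName).Value
        $compliant = ($current -eq $ExpectedValue)
    }

    [pscustomobject]@{
        Host      = $vmHost.Name
        Setting   = $SettingName
        Value     = $current
        Expected  = $ExpectedValue
        Compliant = $compliant
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled compliance job fail when any host deviates
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```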

Impact

No functional impact is noted: restricting inter-VM TPS does not adversely affect the system's performance or operations, while it reduces the risk of cross-VM data access.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: VMware

Control ID: e6e67106dc0a21302de887f8c79ab08096c37bacbfd6eff79518263a79223c14