ESXi : TransparentPageSharing-intra-enabled

Information

Ensure default setting for intra-VM TPS is correct.
Acknowledgement of the recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions and documents VMwares precautionary measure of restricting TPS to individual virtual machines by default in upcoming ESXi releases. At this time, VMware believes that the published information disclosure due to TPS between virtual machines is impractical in a real world deployment.

VMs that do not have the sched.mem.pshare.salt option set cannot share memory with any other VMs.
https://kb.vmware.com/kb/2080735
https://kb.vmware.com/kb/2097593
https://kb.vmware.com/kb/2091682

Solution

$tps = 2
$VMHosts = Get-VMHost | Where {$_.ConnectionState -eq "Connected"}
foreach ($VMHost in $VMHosts) {
Set-VMHostAdvancedConfiguration -VMHost $VMHost -Name Mem.ShareForceSalting" -Value $tps
}

See Also

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/files/xls/vSphere_6_0_Hardening_Guide_GA_15_Jun_2015.xls

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16

Plugin: VMware

Control ID: acf7d40609a9f60b34c11b5c89f9d6569e134078836320785e2b59d70e6e9797