
Ensure the default value of individual salt per vm is configured

Details

Salting was introduced to address concerns system administrators may have about the security implications of Transparent Page Sharing (TPS), specifically the possibility that one virtual machine could use memory pages shared with another VM on the same host as a side channel. In the original TPS implementation, multiple virtual machines could share pages whenever the contents of those pages were identical. With salting, virtual machines can share a page only if both the page contents and the VMs' salt values are identical. The host configuration option Mem.ShareForceSalting controls whether and how salting is applied.

By default, salting is enabled (Mem.ShareForceSalting=2) and each virtual machine's salt is derived from its own vc.uuid, so every VM has a different salt. Page sharing therefore does not occur across virtual machines (inter-VM TPS) and happens only inside a single virtual machine (intra-VM TPS). The other possible values are 0 (no salting; all VMs on the host can share pages, which is the original TPS behaviour) and 1 (a VM is salted only if its per-VM option sched.mem.pshare.salt is set; VMs without that option can still share pages with each other).

Rationale:

Intra-VM means that TPS de-duplicates identical pages of memory within one virtual machine but does not share them with any other virtual machine. Keeping the default in place, so that page sharing only occurs inside a virtual machine, is the best option here: inter-VM sharing saves memory but removes an isolation boundary between workloads. Note that a VM can override its salt with the per-VM option sched.mem.pshare.salt; VMs deliberately given the same value will still share pages with each other even when Mem.ShareForceSalting is 2, so such overrides should be reviewed alongside this host setting.

Solution

From vSphere Web Client:

Select a host

Click ‘Configure’ -> ‘Settings’ -> ‘System’ -> ‘Advanced System settings’

Filter for Mem.ShareForceSalting.

Click Edit, set the value to 2, and click OK.

Additionally, the following PowerCLI command applies the setting to every host in the connected inventory (-Confirm:$false suppresses the interactive confirmation prompt that Set-AdvancedSetting otherwise raises, which matters when the command runs unattended):

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2 -Confirm:$false
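The one-liner above remediates blindly. The following PowerCLI script is an added example, not part of the CIS benchmark page or of VMware's own tooling: it first audits every host and reports which ones deviate from the expected value, remediates only when run with -Remediate, and then checks for the per-VM sched.mem.pshare.salt override that can re-enable sharing between specific VMs even with the host set to 2. It assumes PowerCLI is installed and that Connect-VIServer has already been run against a vCenter Server or ESXi host; the names $Remediate, $Expected, $hostReport and $salted are this example's own.

```powershell
# Added example (not from the CIS page or VMware). Assumes an existing
# Connect-VIServer session. Run as-is to audit; add -Remediate to fix hosts.
param(
    [switch]$Remediate   # only change hosts when this switch is given
)

$Expected = 2   # CIS expects Mem.ShareForceSalting = 2 (per-VM salt from vc.uuid)

# Audit every host: record the current value and whether it matches the benchmark.
$hostReport = foreach ($vmhost in Get-VMHost) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting'
    [pscustomobject]@{
        Host      = $vmhost.Name
        Value     = $setting.Value
        Compliant = ([int]$setting.Value -eq $Expected)
    }
}
$hostReport | Format-Table -AutoSize

# Remediate only the non-compliant hosts, and only when explicitly asked to.
if ($Remediate) {
    foreach ($row in $hostReport | Where-Object { -not $_.Compliant }) {
        Get-VMHost -Name $row.Host |
            Get-AdvancedSetting -Name 'Mem.ShareForceSalting' |
            Set-AdvancedSetting -Value $Expected -Confirm:$false
    }
}

# Value 2 only isolates VMs whose salt is the default (vc.uuid). VMs that carry the
# same explicit sched.mem.pshare.salt value still share pages with each other, so
# list every VM that overrides the salt and warn about duplicate values.
$salted = foreach ($vm in Get-VM) {
    $salt = Get-AdvancedSetting -Entity $vm -Name 'sched.mem.pshare.salt' -ErrorAction SilentlyContinue
    if ($salt) {
        [pscustomobject]@{ VM = $vm.Name; Salt = $salt.Value }
    }
}
if ($salted) {
    $salted | Format-Table -AutoSize
    $salted | Group-Object -Property Salt | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("VMs sharing salt '{0}': {1}" -f $_.Name, ($_.Group.VM -join ', '))
    }
} else {
    Write-Host 'No VM overrides sched.mem.pshare.salt; each VM uses its own vc.uuid as salt.'
}
```

The same host-level check and change can be made from the ESXi shell with esxcli system settings advanced list -o /Mem/ShareForceSalting and esxcli system settings advanced set -o /Mem/ShareForceSalting -i 2; the VM-level salt override lives in each VM's configuration (sched.mem.pshare.salt) and is not visible from the host setting alone, which is why the script inspects VMs separately.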

Supportive Information


This security hardening control maps to the following NIST 800-53 control families: Configuration Management and Identification and Authentication. It applies to the following type of system: VMware.


Updated on July 16, 2022