1.4 Ensure the default value of individual salt per vm is configured


Salting was introduced to address concerns system administrators may have about the security implications of Transparent Page Sharing (TPS). In the original TPS implementation, multiple virtual machines could share pages whenever the contents of the pages were the same. With the salting settings, virtual machines can share pages only if both the salt value and the contents of the pages are identical. A host configuration option, Mem.ShareForceSalting, is introduced to enable or disable salting.

By default, salting is enabled (Mem.ShareForceSalting=2) and each virtual machine has a different salt. This means page sharing does not occur across virtual machines (inter-VM TPS) and only happens inside a virtual machine (intra-VM).


Intra-VM means that TPS will de-duplicate identical pages of memory within a virtual machine, but will not share the pages with any other virtual machines. Ensuring the default setting is in place so that page sharing only occurs inside a virtual machine is the best option here.


This setting can have a performance impact; the impact will vary from environment to environment.


From the vSphere Web Client:

Select a host.

Click Configure, expand System, then select Advanced System Settings.

Click Edit, then filter for Mem.ShareForceSalting.

Set the value to 2.

Click OK.

Additionally, the following PowerCLI command can be used:

Get-VMHost | Get-AdvancedSetting -Name Mem.ShareForceSalting | Set-AdvancedSetting -Value 2
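
An audit-then-remediate version of the command above, as an added example that is not part of the original benchmark text. It assumes VMware PowerCLI with an active Connect-VIServer session; the per-VM option sched.mem.pshare.salt is VMware's per-VM salt setting and is not mentioned on this page, and the $Remediate variable is a hypothetical switch introduced here.

```powershell
# Added example (not from the benchmark). Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against vCenter or the host.
$Expected  = 2        # default: salting enabled, a different salt per VM
$Remediate = $false   # hypothetical switch: set to $true to fix non-compliant hosts

# 1. Audit the host-level setting on every reachable host.
$reachable  = Get-VMHost | Where-Object { $_.ConnectionState -in 'Connected', 'Maintenance' }
$hostReport = foreach ($vmhost in $reachable) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Mem.ShareForceSalting'
    [pscustomobject]@{
        Host      = $vmhost.Name
        Value     = $setting.Value
        Compliant = ($setting.Value -eq $Expected)
        Setting   = $setting
    }
}
$hostReport | Select-Object Host, Value, Compliant | Format-Table -AutoSize

# 2. Audit per-VM salts. With salting enabled, VMs that were given the same
#    explicit salt can still share pages with each other, so report any
#    salt value that appears on more than one VM.
$sharedSalts = Get-VM |
    Get-AdvancedSetting -Name 'sched.mem.pshare.salt' |
    Where-Object { $_.Value } |
    Group-Object -Property Value |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $sharedSalts) {
    $names = ($group.Group | ForEach-Object { $_.Entity.Name }) -join ', '
    Write-Warning "VMs sharing one explicit salt (inter-VM TPS possible): $names"
}

# 3. Remediate only the hosts that deviate from the default.
if ($Remediate) {
    $hostReport | Where-Object { -not $_.Compliant } | ForEach-Object {
        Set-AdvancedSetting -AdvancedSetting $_.Setting -Value $Expected -Confirm:$false
    }
}
```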

Item Details


References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: VMware

Control ID: e2ae98d258323b0ab58d5c112d6c599beca3541cdd0924493dab3f548e054a9d