
Fixing mach_kernel file visibility using Casper

Following the release of Security Update 2015-002, it became apparent that the usually-hidden /mach_kernel file was now visible via the Finder. The mach_kernel file is important to OS X and is stored at the root level of the hard drive on most versions of OS X (OS X 10.10.x has moved the mach_kernel file out of the root level of the Mac’s boot drive).

To help fix this issue, Apple has made a KBase article available showing how to re-hide the /mach_kernel file using the chflags command.

As part of a post describing the problem, Tim Sutton has written a script to identify and fix the issue by using the ls command to check for the hidden attribute and then using the chflags command to re-hide the /mach_kernel file as needed. I’ve adapted Tim’s script for use in my own shop to have Casper find and fix this issue. For more details, see below the jump.

The first part of fixing the problem was detecting which machines had the problem. To address this, I wrote a Casper Extension Attribute to check for and display the following results:

If the /mach_kernel file exists and is not hidden:

Result: Visible

If the /mach_kernel file exists and is hidden:

Result: Hidden

If the /mach_kernel file does not exist (as will be the case on OS X 10.10.x):

Result: /mach_kernel not present on OS X xx.xx.xx
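One way to produce these three results, as an added example (not the script or Extension Attribute published on GitHub). It reads the file flags with `stat -f%f` instead of the `ls` check described above, tests the hidden bit (32768) directly, and uses hypothetical function names; the `<result>` tags are how Casper reads an Extension Attribute's value.

```shell
#!/bin/sh
# Added example: Extension Attribute style check for /mach_kernel visibility.
# Function names are hypothetical; this is not the author's published script.

HIDDEN_BIT=32768   # the "hidden" flag (0x8000) in the value from `stat -f%f`

# Classify a decimal st_flags value: prints "Hidden" or "Visible".
# The hidden bit is tested on its own, so other flags that happen to be
# set on the file do not change the answer.
# An empty value (stat failed) is treated as 0, i.e. "Visible".
visibility_from_flags() (
    flags="${1:-0}"
    if [ $(( ${flags} & ${HIDDEN_BIT} )) -ne 0 ]; then
        echo "Hidden"
    else
        echo "Visible"
    fi
)

# Print the EA value for a path.
#   $1 path to check
#   $2 OS version, used only in the "not present" message
#   $3 optional st_flags value; when omitted it is read with stat (macOS)
ea_value() (
    path="$1"
    os_version="$2"
    if [ ! -e "$path" ]; then
        echo "${path} not present on OS X ${os_version}"
    else
        flags="${3:-$(/usr/bin/stat -f%f "$path" 2>/dev/null)}"
        visibility_from_flags "$flags"
    fi
)

# Report to Casper only when running on a Mac (sw_vers is macOS-only).
if command -v sw_vers >/dev/null 2>&1; then
    echo "<result>$(ea_value /mach_kernel "$(sw_vers -productVersion)")</result>"
fi
```

Because the check is read-only, it can run at every inventory update; the Smart Group criterion then matches on the literal string `Visible`.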

[Screenshot: Casper Extension Attribute setup]

From there, I set up a Smart Group to look for machines that fit the following criteria:

Check mach_kernel visibility: like: Visible

Here’s how the smart group looks in Casper 9.x:

[Screenshot: smart group criteria in Casper 9.x]

The next part was writing a script to fix the problem. To address this, I adapted Tim’s script and then added it to my Casper server:

[Screenshots: the script added to the Casper server]

I’ve also posted the script and Extension Attribute to GitHub:

Script: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/fix_mach_kernel_file_visibility

Extension Attribute: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_mach_kernel_file_visibility

Once I had the EA, smart group and script created, I set up a policy that is scoped to run on members of that smart group. The policy I set up will run the script to re-hide the /mach_kernel file, then run a new inventory. The inventory update should then take the machine out of the smart group.

Here’s how the policy I set up looks in Casper 9.x:

[Screenshots: policy configuration in Casper 9.x]

  1. Jason
    March 11, 2015 at 8:31 pm

    Now using. Thanks for posting!

    • Jason
      March 11, 2015 at 9:04 pm

      Oh… for 100% clarity and thoroughness, consider posting a screen shot of the Scope tab.

  2. Christoph von Gabler-Sahm
    March 12, 2015 at 1:01 pm

    For such small corrections, I like to use a “FIX” Extension Attribute which automatically corrects the problem:

    #!/bin/bash

    # Files or directories to hide
    paths_to_hide=(
        "/mach_kernel"
        "/opt"
        "/Quarantine"
    )

    EA_Result=""
    for path_item in "${paths_to_hide[@]}"; do
        fs_item="${path_item}"
        # -e rather than -f, so that directories in the list are handled too
        if [[ -e "${fs_item}" ]]; then
            # File flags as a decimal number; hidden is 32768
            st_flags=$( /usr/bin/stat -q -f%f "${fs_item}" 2>/dev/null )
            # Test the hidden bit itself so that other flags do not affect the result
            if (( ( ${st_flags:-0} & 32768 ) == 0 )); then
                /usr/bin/chflags hidden "${fs_item}" 2>/dev/null \
                    && EA_Result="${EA_Result}${fs_item} " \
                    || EA_Result="${EA_Result}ERROR:${fs_item} "
            fi
        fi
    done

    # Casper reads an Extension Attribute's value from <result> tags
    echo "<result>${EA_Result% }</result>"
