Home > Casper, Mac administration, Mac OS X, Scripting > Fixing mach_kernel file visibility using Casper

Fixing mach_kernel file visibility using Casper

Following the release of Security Update 2015-002, it became apparent that the usually-hidden /mach_kernel file was now visible via the Finder. The mach_kernel file file is important to OS X and is stored on the root level of the hard drive on most versions of OS X (OS X 10.10.x has moved the mach_kernel file out of the root level of the Mac’s boot drive.)

To help fix this issue, Apple has made a KBase article available showing how to re-hide the /mach_kernel file using the chflags command.

As part of a post describing the problem, Tim Sutton has written a script to identify and fix the issue by using the ls command to check for the hidden attribute and then using the chflags command to re-hide the /mach_kernel file as needed. I’ve adapted Tim’s script for use in my own shop to have Casper find and fix this issue. For more details, see below the jump.

The first part of fixing the problem was detecting which machines had the problem. To address this, I wrote a Casper Extension Attribute to check for and display the following results:

If the /mach_kernel file exists and is not hidden:

Result: Visible

If the /mach_kernel file exists and is hidden:

Result: Hidden

If the /mach_kernel file does not exist (as will be the case on OS X 10.10.x):

Result: /mach_kernel not present on OS X xx.xx.xx

#!/bin/bash
# This Extension Attribute checks to see
# if the /mach_kernel file is visible.
# The /mach_kernel file should be not visible
# when viewed from the Finder.
#
# EA adapted from script by Tim Sutton.
# Link: http://macops.ca/security-updates-leaving-mach_kernel-visible/
#
# Script will display the following results:
# If the /mach_kernel file exists and is not hidden – Visible
# If the /mach_kernel file exists and is hidden – Hidden
# If the /mach_kernel file does not exist – /mach_kernel not present on OS X xx.xx.xx
# Check for the OS version number
os_version=$(sw_vers -productVersion)
if [ ! -e /mach_kernel ]; then
result="/mach_kernel not present on OS X $os_version"
fi
if [ -e /mach_kernel ]; then
if ! /bin/ls -lO /mach_kernel | grep hidden > /dev/null; then
result=Visible
else
result=Hidden
fi
fi
echo "<result>$result</result>"
exit 0

view raw
gistfile1.txt
hosted with ❤ by GitHub

Casper_Extension_Attribute_Setup

From there, I set up a Smart Group to look for machines that fit the following criteria:

Check mach_kernel visibility: like: Visible

Here’s how the smart group looks in Casper 9.x:

Screen Shot 2015-03-11 at 1.51.45 PM

The next part was writing a script to fix the problem. To address this, I adapted Tim’s script and then added it to my Casper server:

#!/bin/bash
# This script checks to see if the /mach_kernel file is visible or hidden.
# The /mach_kernel file should not be visible when viewed from the Finder,
# so the script will use /usr/bin/chflags to set the /mach_kernel file to be hidden.
#
# Original script by Tim Sutton.
# Link: http://macops.ca/security-updates-leaving-mach_kernel-visible/
#
# For information on how to hide the /mach_kernel
# file, please see this Apple KBase article:
#
# https://support.apple.com/HT203829
if [ -e /mach_kernel ]; then
if ! /bin/ls -lO /mach_kernel | grep hidden > /dev/null; then
echo "/mach_kernel not set to be hidden. Re-hiding."
/usr/bin/chflags hidden /mach_kernel
fi
fi
exit 0

view raw
gistfile1.txt
hosted with ❤ by GitHub

Screen Shot 2015-03-11 at 1.37.53 PM

Screen Shot 2015-03-11 at 1.38.01 PM

I’ve also posted the script and Extension Attribute to GitHub:

Script: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/fix_mach_kernel_file_visibility

Extension Attribute: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_mach_kernel_file_visibility

Once I had the EA, smart group and script created, I set up a policy that is scoped to run on members of that smart group. The policy I set up will run the script to re-hide the /mach_kernel file, then run a new inventory. The inventory update should then take the machine out of the smart group.

Here’s how the policy I set up looks in Casper 9.x:

Screen Shot 2015-03-11 at 1.52.55 PM

Screen Shot 2015-03-11 at 1.52.59 PM

Screen Shot 2015-03-11 at 1.53.02 PM

  1. Jason
    March 11, 2015 at 8:31 pm

    Now using. Thanks for posting!

    • Jason
      March 11, 2015 at 9:04 pm

      Oh… for 100% clarity and thoroughness, consider posting a screen shot of the Scope tab.

  2. Christoph von Gabler-Sahm
    March 12, 2015 at 1:01 pm

    For such small corrections, i like to use a “FIX” Extension Attribute which automatically corrects the problem:

    #!/bin/bash

    # Files or Directories to hide
    paths_to_hide=(
    “/mach_kernel”
    “/opt”
    “/Quarantine”
    )

    EA_Result=””
    for path_item in “${paths_to_hide[@]}”; do
    fs_item=”${path_item}”
    if [[ -f “${fs_item}” ]]; then
    st_flags=$( /usr/bin/stat -q -f%f “${fs_item}” 2>/dev/null) # hidden is 32768
    fs_status=$( expr ${st_flags} / 32768 )
    if [[ ${fs_status} -eq 0 ]]; then
    /usr/bin/chflags hidden “${fs_item}” 2>/dev/null \
    && EA_Result=”${EA_Result}${fs_item} ” \
    || EA_Result=”${EA_Result}ERROR:${fs_item} ”
    fi
    fi
    done

    echo “${EA_Result% }”

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: