Fixing mach_kernel file visibility using Casper
Following the release of Security Update 2015-002, it became apparent that the usually-hidden /mach_kernel file was now visible via the Finder. The mach_kernel file file is important to OS X and is stored on the root level of the hard drive on most versions of OS X (OS X 10.10.x has moved the mach_kernel file out of the root level of the Mac’s boot drive.)
To help fix this issue, Apple has made a KBase article available showing how to re-hide the /mach_kernel file using the chflags command.
As part of a post describing the problem, Tim Sutton has written a script to identify and fix the issue by using the ls command to check for the hidden attribute and then using the chflags command to re-hide the /mach_kernel file as needed. I’ve adapted Tim’s script for use in my own shop to have Casper find and fix this issue. For more details, see below the jump.
The first part of fixing the problem was detecting which machines had the problem. To address this, I wrote a Casper Extension Attribute to check for and display the following results:
If the /mach_kernel file exists and is not hidden:
Result: Visible
If the /mach_kernel file exists and is hidden:
Result: Hidden
If the /mach_kernel file does not exist (as will be the case on OS X 10.10.x):
Result: /mach_kernel not present on OS X xx.xx.xx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This Extension Attribute checks to see | |
| # if the /mach_kernel file is visible. | |
| # The /mach_kernel file should be not visible | |
| # when viewed from the Finder. | |
| # | |
| # EA adapted from script by Tim Sutton. | |
| # Link: http://macops.ca/security-updates-leaving-mach_kernel-visible/ | |
| # | |
| # Script will display the following results: | |
| # If the /mach_kernel file exists and is not hidden – Visible | |
| # If the /mach_kernel file exists and is hidden – Hidden | |
| # If the /mach_kernel file does not exist – /mach_kernel not present on OS X xx.xx.xx | |
| # Check for the OS version number | |
| os_version=$(sw_vers -productVersion) | |
| if [ ! -e /mach_kernel ]; then | |
| result="/mach_kernel not present on OS X $os_version" | |
| fi | |
| if [ -e /mach_kernel ]; then | |
| if ! /bin/ls -lO /mach_kernel | grep hidden > /dev/null; then | |
| result=Visible | |
| else | |
| result=Hidden | |
| fi | |
| fi | |
| echo "<result>$result</result>" | |
| exit 0 |
From there, I set up a Smart Group to look for machines that fit the following criteria:
Check mach_kernel visibility: like: Visible
Here’s how the smart group looks in Casper 9.x:
The next part was writing a script to fix the problem. To address this, I adapted Tim’s script and then added it to my Casper server:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This script checks to see if the /mach_kernel file is visible or hidden. | |
| # The /mach_kernel file should not be visible when viewed from the Finder, | |
| # so the script will use /usr/bin/chflags to set the /mach_kernel file to be hidden. | |
| # | |
| # Original script by Tim Sutton. | |
| # Link: http://macops.ca/security-updates-leaving-mach_kernel-visible/ | |
| # | |
| # For information on how to hide the /mach_kernel | |
| # file, please see this Apple KBase article: | |
| # | |
| # https://support.apple.com/HT203829 | |
| if [ -e /mach_kernel ]; then | |
| if ! /bin/ls -lO /mach_kernel | grep hidden > /dev/null; then | |
| echo "/mach_kernel not set to be hidden. Re-hiding." | |
| /usr/bin/chflags hidden /mach_kernel | |
| fi | |
| fi | |
| exit 0 |
I’ve also posted the script and Extension Attribute to GitHub:
Extension Attribute: https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Extension_Attributes/check_mach_kernel_file_visibility
Once I had the EA, smart group and script created, I set up a policy that is scoped to run on members of that smart group. The policy I set up will run the script to re-hide the /mach_kernel file, then run a new inventory. The inventory update should then take the machine out of the smart group.
Here’s how the policy I set up looks in Casper 9.x:
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
Now using. Thanks for posting!
Oh… for 100% clarity and thoroughness, consider posting a screen shot of the Scope tab.
For such small corrections, i like to use a “FIX” Extension Attribute which automatically corrects the problem:
#!/bin/bash
# Files or Directories to hide
paths_to_hide=(
“/mach_kernel”
“/opt”
“/Quarantine”
)
EA_Result=””
for path_item in “${paths_to_hide[@]}”; do
fs_item=”${path_item}”
if [[ -f “${fs_item}” ]]; then
st_flags=$( /usr/bin/stat -q -f%f “${fs_item}” 2>/dev/null) # hidden is 32768
fs_status=$( expr ${st_flags} / 32768 )
if [[ ${fs_status} -eq 0 ]]; then
/usr/bin/chflags hidden “${fs_item}” 2>/dev/null \
&& EA_Result=”${EA_Result}${fs_item} ” \
|| EA_Result=”${EA_Result}ERROR:${fs_item} ”
fi
fi
done
echo “${EA_Result% }”