Fixing mach_kernel file visibility using Casper
Following the release of Security Update 2015-002, it became apparent that the usually-hidden /mach_kernel file was now visible via the Finder. The mach_kernel file file is important to OS X and is stored on the root level of the hard drive on most versions of OS X (OS X 10.10.x has moved the mach_kernel file out of the root level of the Mac’s boot drive.)
As part of a post describing the problem, Tim Sutton has written a script to identify and fix the issue by using the ls command to check for the hidden attribute and then using the chflags command to re-hide the /mach_kernel file as needed. I’ve adapted Tim’s script for use in my own shop to have Casper find and fix this issue. For more details, see below the jump.
The first part of fixing the problem was detecting which machines had the problem. To address this, I wrote a Casper Extension Attribute to check for and display the following results:
If the /mach_kernel file exists and is not hidden:
If the /mach_kernel file exists and is hidden:
If the /mach_kernel file does not exist (as will be the case on OS X 10.10.x):
Result: /mach_kernel not present on OS X xx.xx.xx
From there, I set up a Smart Group to look for machines that fit the following criteria:
Check mach_kernel visibility: like: Visible
Here’s how the smart group looks in Casper 9.x:
The next part was writing a script to fix the problem. To address this, I adapted Tim’s script and then added it to my Casper server:
I’ve also posted the script and Extension Attribute to GitHub:
Once I had the EA, smart group and script created, I set up a policy that is scoped to run on members of that smart group. The policy I set up will run the script to re-hide the /mach_kernel file, then run a new inventory. The inventory update should then take the machine out of the smart group.
Here’s how the policy I set up looks in Casper 9.x: