Why Is There A Bashmu In My Room? Mac OS
While all versions of macOS have provided bash_history for users, since macOS 10.11 (El Capitan), we get even more information on terminal history through the bash sessions files. This is not a replacement for the old .bash_history file which is still there.
There are several problems with bash_history - you cannot tell when any command in that file was run, the sequence of commands may not be right, and so on. For more on that, refer Hal Pomeranz's excellent talk - You don't know jack about Bash history
Even if there were no anomalies and only a single terminal was always in use, there is still the issue of how do I know which command was run when? With Bash sessions, macOS gives us more data to work with. Since El Capitan, every new terminal window will be tracked independently with a TERM_SESSION_ID which appears to be a randomly generated UUID.
Each session can also be restored when you shutdown and restart your machine with the 'Reopen windows when logging back in' option set. Perhaps for this purpose, session history (a subset of bash history) is tracked and saved separately on a per session basis.
You will find 3 files for each session as seen in screenshot below.
TERM_SESSION_ID.history --> Contains session history
TERM_SESSION_ID.historynew --> Mostly blank/empty
TERM_SESSION_ID.session --> Contains the last session resume date and time
Theoretically, as bash history is now also stored on a per session basis, this should make it trivial to track commands run in different windows (sessions). If you were expecting history for a single session in its .history file, then you thought wrong. The .history file contains all previous history (from earlier sessions) and then appended at the very end, the history for this session.
So can we reliably break apart commands per session? Is the sequence of commands intact? Let's run a small experiment to find out.
We create two sessions (2 terminal windows) and run a few commands in each session. Commands are interspersed, so we run a command in Session-1, then another in Session-2 and then again something in Session-1. We will try to see if order is maintained.
Session-1 started 9:44
Session-2 started 9:51
Session-2 closed 9:59
Session-1 is closed first, followed by Session-2. Here is a snippet of relevant metadata from the resulting files:
Created Time of TERM_SESSION_ID.historynew = Session created time
Created Time of TERM_SESSION_ID.history = Session end time
This is easily done in code and the mac_apt BASHSESSIONS plugin parses this information to break out the individual commands per session, along with session start and stop time.
While you still cannot get the exact time when an individual command was run, the sessions functionality does give you a very good narrowed time frame to work with. While we do not have the absolute order of commands ('cp -h' was run before 'printenv'), we do have a narrowed time-frame for the set of commands ('cp-h' run between 9:51-9:59 and 'printenv' run between 9:44-9:57). This is a big thing for analysts and investigators!
There are several problems with bash_history - you cannot tell when any command in that file was run, the sequence of commands may not be right, and so on. For more on that, refer Hal Pomeranz's excellent talk - You don't know jack about Bash history
It is mostly used by developers, but there are a few programs that use it directly.-GitHub is an important Repository used by Open-Source software developers, to provide downloadable executable files and to allow others to 'help' with development by rigorously checking out source files and checking in modifications when nearly finished. Due to increased security and permissions with Mac OS 10.14 Mojave and 10.15 Catalina, you will be prompted to authorize the Zoom Desktop Client to use the microphone, camera, and on Mac OS 10.15 Catalina, screen recording. The permissions are set within System Preferences of the device. Possibly there isn't adequate space available on your Mac (we always recommend that you don't install if you have less than 20GB of space free as your Mac may struggle with the installation.
Even if there were no anomalies and only a single terminal was always in use, there is still the issue of how do I know which command was run when? With Bash sessions, macOS gives us more data to work with. Since El Capitan, every new terminal window will be tracked independently with a TERM_SESSION_ID which appears to be a randomly generated UUID.
| Figure 1 - Fetching terminal's session id |
Each session can also be restored when you shutdown and restart your machine with the 'Reopen windows when logging back in' option set. Perhaps for this purpose, session history (a subset of bash history) is tracked and saved separately on a per session basis.
| Figure 2 - Restored session |
Show me the artifacts!
The location you want to go to is /Users/<USER>/.bash_sessionsYou will find 3 files for each session as seen in screenshot below.
| Figure 3 - .bash_sessions folder contents |
TERM_SESSION_ID.history --> Contains session history
TERM_SESSION_ID.historynew --> Mostly blank/empty
TERM_SESSION_ID.session --> Contains the last session resume date and time
| Figure 4 - Sample .session file |
| Figure 5 - Sample .history file showing commands typed at terminal |
How this helps?
Some (but not all) of the problems associated with reading .bash_history are now gone.Theoretically, as bash history is now also stored on a per session basis, this should make it trivial to track commands run in different windows (sessions). If you were expecting history for a single session in its .history file, then you thought wrong. The .history file contains all previous history (from earlier sessions) and then appended at the very end, the history for this session.
So can we reliably break apart commands per session? Is the sequence of commands intact? Let's run a small experiment to find out.
We create two sessions (2 terminal windows) and run a few commands in each session. Commands are interspersed, so we run a command in Session-1, then another in Session-2 and then again something in Session-1. We will try to see if order is maintained.
Session-1 started 9:44
Session-2 started 9:51
| Figure 6 - Commands run with their sequence |
Why Is There A Bashmu In My Room Mac Os Catalina
Session-1 closed 9:57Session-2 closed 9:59
Session-1 is closed first, followed by Session-2. Here is a snippet of relevant metadata from the resulting files:
| Figure 7 - Relevant metadata from stat command |
Fun Facts
The start and stop time for a session is available if you look at the crtime (File Created time) for the .history and .historynew files. These are in bold in the screenshot above.Created Time of TERM_SESSION_ID.historynew = Session created time
Created Time of TERM_SESSION_ID.history = Session end time
Isolating session data
By comparing the data in various .history files (from different sessions), you can find out exactly which commands belong to a particular session. See pic below, where lines 1-181 (not shown) are from older history (other past sessions). Lines 182-184 are from Session-1 and are seen in its history file at the end. Session-2 (closed after Session-1Why Is There A Bashmu In My Room Mac Os X
) has the same format, ie, old session history with this session's history appended (lines 185-189).| Figure 8- .history files from Session-1 (Left) and Session-2 (Right) |
This is easily done in code and the mac_apt BASHSESSIONS plugin parses this information to break out the individual commands per session, along with session start and stop time.
While you still cannot get the exact time when an individual command was run, the sessions functionality does give you a very good narrowed time frame to work with. While we do not have the absolute order of commands ('cp -h' was run before 'printenv'), we do have a narrowed time-frame for the set of commands ('cp-h' run between 9:51-9:59 and 'printenv' run between 9:44-9:57). This is a big thing for analysts and investigators!