Why Is There A Bashmu In My Room? Mac OS

While all versions of macOS have provided bash_history for users, since macOS 10.11 (El Capitan), we get even more information on terminal history through the bash sessions files. This is not a replacement for the old .bash_history file which is still there.

The .bashrc file is in your home directory. So from the command line, run 'cd' followed by 'ls -a'. This will show all the hidden files in your home directory: 'cd' will get you home and 'ls -a' will 'list all'.

GNU Bash is a powerful shell. Unfortunately, macOS doesn't provide the latest version, which may prevent you from taking advantage of the features that came with Bash 4 and 5. Also, running an outdated bash version probably exposes you to some major vulnerabilities. This outdated version of Bash is included in all versions of macOS, even the newest one. The reason that Apple includes such an old version of Bash in its operating system has to do with licensing. Since version 4.0 (successor of 3.2), Bash uses the GNU General Public License v3 (GPLv3), which Apple does not (want to) support.

There are several problems with bash_history: you cannot tell when any command in that file was run, the sequence of commands may not be right, and so on. For more on that, refer to Hal Pomeranz's excellent talk, "You don't know jack about Bash history".
Even if there were no anomalies and only a single terminal was always in use, there is still the issue of knowing which command was run when. With Bash sessions, macOS gives us more data to work with. Since El Capitan, every new terminal window is tracked independently with a TERM_SESSION_ID, which appears to be a randomly generated UUID.
Figure 1 - Fetching terminal's session id

Each session can also be restored when you shut down and restart your machine with the 'Reopen windows when logging back in' option set. Perhaps for this purpose, session history (a subset of bash history) is tracked and saved separately on a per session basis.
Figure 2 - Restored session

Show me the artifacts!

The location you want to go to is /Users/<USER>/.bash_sessions
You will find 3 files for each session as seen in screenshot below.
Figure 3 - .bash_sessions folder contents

TERM_SESSION_ID.history --> Contains session history
TERM_SESSION_ID.historynew --> Mostly blank/empty
TERM_SESSION_ID.session --> Contains the last session resume date and time
Figure 4 - Sample .session file

Figure 5 - Sample .history file showing commands typed at terminal

How this helps?

Some (but not all) of the problems associated with reading .bash_history are now gone.
Theoretically, as bash history is now also stored on a per session basis, this should make it trivial to track commands run in different windows (sessions). If you were expecting history for a single session in its .history file, then you thought wrong. The .history file contains all previous history (from earlier sessions) and then appended at the very end, the history for this session.
So can we reliably break apart commands per session? Is the sequence of commands intact? Let's run a small experiment to find out.
We create two sessions (2 terminal windows) and run a few commands in each session. Commands are interspersed, so we run a command in Session-1, then another in Session-2 and then again something in Session-1. We will try to see if order is maintained.
Session-1 started 9:44
Session-2 started 9:51
Figure 6 - Commands run with their sequence

Session-1 closed 9:57
Session-2 closed 9:59

Session-1 is closed first, followed by Session-2. Here is a snippet of relevant metadata from the resulting files:
Figure 7 - Relevant metadata from stat command

Fun Facts

The start and stop time for a session is available if you look at the crtime (File Created time) for the .history and .historynew files. These are in bold in the screenshot above.
Created Time of TERM_SESSION_ID.historynew = Session created time
Created Time of TERM_SESSION_ID.history = Session end time


Isolating session data

By comparing the data in various .history files (from different sessions), you can find out exactly which commands belong to a particular session. See pic below, where lines 1-181 (not shown) are from older history (other past sessions). Lines 182-184 are from Session-1 and are seen in its history file at the end. Session-2 (closed after Session-1) has the same format, i.e., old session history with this session's history appended (lines 185-189).
Figure 8 - .history files from Session-1 (Left) and Session-2 (Right)

This is easily done in code and the mac_apt BASHSESSIONS plugin parses this information to break out the individual commands per session, along with session start and stop time.
While you still cannot get the exact time when an individual command was run, the sessions functionality does give you a very good narrowed time frame to work with. While we do not have the absolute order of commands ('cp -h' was run before 'printenv'), we do have a narrowed time frame for the set of commands ('cp -h' run between 9:51-9:59 and 'printenv' run between 9:44-9:57). This is a big thing for analysts and investigators!
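The comparison described above can be sketched as follows. This is an added example, not code from mac_apt or from the original article; the Session class, the isolate function and all sample values are constructed for illustration, and the session start and end times are assumed to have been read already from the created times of the .historynew and .history files. It generalizes the two-session experiment to any number of sessions, assuming each .history file begins with the contents of the file closed just before it.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Session:
    session_id: str      # TERM_SESSION_ID taken from the file name
    started: datetime    # created time of <id>.historynew
    ended: datetime      # created time of <id>.history
    lines: list          # contents of <id>.history, one command per line

def isolate(sessions):
    """Map session_id -> (started, ended, commands unique to that session).

    Commands are None when they cannot be isolated: the earliest-closed
    session has nothing to diff against, and a file that does not begin
    with its predecessor's contents breaks the append-only assumption.
    """
    out, prev = {}, None
    # Process in closing order, since history is appended at session end.
    for s in sorted(sessions, key=lambda x: x.ended):
        own = None
        if prev is not None and s.lines[:len(prev)] == prev:
            own = s.lines[len(prev):]
        out[s.session_id] = (s.started, s.ended, own)
        prev = s.lines
    return out

def t(hhmm):
    # Constructed date; only the times of day mirror the experiment.
    return datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data standing in for three .history files.
OLD = ["ls -la", "cd /tmp"]
S1 = OLD + ["printenv", "whoami"]
S2 = S1 + ["cp -h", "date"]
SAMPLE = [
    Session("SESSION-2", t("09:51"), t("09:59"), S2),
    Session("SESSION-1", t("09:44"), t("09:57"), S1),
    Session("OLDER", t("08:00"), t("08:05"), OLD),
]

if __name__ == "__main__":
    for sid, (start, end, cmds) in isolate(SAMPLE).items():
        print(sid, start.time(), "-", end.time(), cmds)
```

A None result is the signal to review that session by hand, for example when history was trimmed or edited between sessions.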