:py:mod:`dissect.target.plugins.os.unix.history`
================================================

.. py:module:: dissect.target.plugins.os.unix.history


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.unix.history.CommandHistoryPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.unix.history.CommandHistoryRecord
   dissect.target.plugins.os.unix.history.RE_EXTENDED_BASH
   dissect.target.plugins.os.unix.history.RE_EXTENDED_ZSH
   dissect.target.plugins.os.unix.history.RE_FISH


.. py:data:: CommandHistoryRecord

.. py:data:: RE_EXTENDED_BASH

.. py:data:: RE_EXTENDED_ZSH

.. py:data:: RE_FISH

.. py:class:: CommandHistoryPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   UNIX command history plugin.

   .. py:attribute:: COMMAND_HISTORY_RELATIVE_PATHS
      :value: (('bash', '.bash_history'), ('fish', '.local/share/fish/fish_history'), ('mongodb', '.dbshell'),...

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: commandhistory() -> collections.abc.Iterator[CommandHistoryRecord]

      Return shell history for all UNIX users.

      When using a shell, history of the used commands can be kept on the system. These are usually written to a hidden file named ``.$SHELL_history`` and may expose commands that were used by an adversary.

   .. py:method:: parse_generic_history(file: pathlib.Path, user: dissect.target.helpers.record.UnixUserRecord, shell: str) -> collections.abc.Iterator[CommandHistoryRecord]

      Parse ``bash_history`` contents.

      Regular ``.bash_history`` files contain one plain command per line. Extended ``.bash_history`` files look like this:

      .. code-block::

         #1648598339
         echo "this is a test"

      .. rubric:: References

      - http://git.savannah.gnu.org/cgit/bash.git/tree/bashhist.c

   .. py:method:: parse_zsh_history(file: pathlib.Path, user: dissect.target.helpers.record.UnixUserRecord) -> collections.abc.Iterator[CommandHistoryRecord]

      Parse ``zsh_history`` contents.

      Regular ``.zsh_history`` lines are just the plain commands. Extended ``.zsh_history`` files look like this:

      .. code-block::

         : 1673860722:0;sudo apt install sl
         : :;

      .. rubric:: References

      - https://sourceforge.net/p/zsh/code/ci/master/tree/Src/hist.c

   .. py:method:: parse_fish_history(history_file: dissect.target.helpers.fsutil.TargetPath, user: dissect.target.helpers.record.UnixUserRecord) -> collections.abc.Iterator[CommandHistoryRecord]

      Parses the history file of the fish shell.

      The fish history file is formatted as pseudo-YAML. An example of such a file:

      .. code-block::

         - cmd: ls
           when: 1688642435
         - cmd: cd home/
           when: 1688642441
           paths:
             - home/
         - cmd: echo "test: test"
           when: 1688986629

      Note that the last ``- cmd: echo "test: test"`` is not valid YAML, which is why we cannot safely use the Python yaml module.

      .. rubric:: References

      - https://github.com/fish-shell/fish-shell/blob/master/src/history.cpp
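
An added example, not dissect's own code: stand-alone parsers for the extended bash, extended zsh and fish history formats described above, merged into one timeline for triage. The regexes, function names and sample strings are assumptions written for this illustration; they are not the values of ``RE_EXTENDED_BASH``, ``RE_EXTENDED_ZSH`` or ``RE_FISH``, which this page does not show.

```python
import re
from datetime import datetime, timezone

# Assumed patterns written for this example, not dissect's RE_* values.
BASH_TS = re.compile(r"^#(?P<ts>\d{10})$")  # '#<epoch>' line preceding a command
ZSH_EXT = re.compile(r"^: (?P<ts>\d{10}):\d+;(?P<cmd>.*)$")  # ': <epoch>:<elapsed>;<cmd>'
# Fish is matched line-wise instead of with a YAML parser: 'echo "test: test"' is not valid YAML.
FISH_ENTRY = re.compile(r"^- cmd: (?P<cmd>.*)\n  when: (?P<ts>\d+)$", re.MULTILINE)

# Constructed samples: the page's examples plus one plain (undated) line for bash and zsh.
BASH_SAMPLE = '#1648598339\necho "this is a test"\nls -la\n'
ZSH_SAMPLE = ": 1673860722:0;sudo apt install sl\nwhoami\n"
FISH_SAMPLE = (
    "- cmd: ls\n  when: 1688642435\n"
    "- cmd: cd home/\n  when: 1688642441\n  paths:\n    - home/\n"
    '- cmd: echo "test: test"\n  when: 1688986629\n'
)

def to_utc(ts):
    return datetime.fromtimestamp(int(ts), tz=timezone.utc)

def parse_bash(text):
    """Yield (timestamp or None, command); a '#<epoch>' line stamps the next command only."""
    pending = None
    for line in text.splitlines():
        m = BASH_TS.match(line)
        if m:
            pending = to_utc(m["ts"])
        elif line.strip():
            yield pending, line
            pending = None

def parse_zsh(text):
    """Yield (timestamp or None, command); plain lines carry no timestamp."""
    for line in filter(str.strip, text.splitlines()):
        m = ZSH_EXT.match(line)
        yield (to_utc(m["ts"]), m["cmd"]) if m else (None, line)

def parse_fish(text):
    """Yield (timestamp, command); 'paths:' sub-entries are ignored, escapes are left as stored."""
    for m in FISH_ENTRY.finditer(text):
        yield to_utc(m["ts"]), m["cmd"]

def timeline(sources):
    """Merge {shell: entries} into time order; undated commands cannot be placed and are returned separately."""
    rows = [(ts, shell, cmd) for shell, entries in sources.items() for ts, cmd in entries]
    return sorted(r for r in rows if r[0] is not None), [r for r in rows if r[0] is None]
```

Commands from plain-format files come back with no timestamp, so they can be reported but not ordered against other evidence.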