Shell History Files with Embedded Credentials

Detects credentials embedded in shell history files (.bash_history, .zsh_history, ConsoleHost_History.txt) including exported environment variable secrets, mysql command-line passwords, curl basic auth credentials, and sshpass invocations. Mirrors Snaffler rule KeepShellHistoryByName.

Type

regex

Engine

boost_regex

Confidence

high

Confidence justification

High confidence: export of an environment variable whose name contains PASS, TOKEN, SECRET or KEY followed by a non-whitespace value is a canonical shell credential anti-pattern. mysql -p with inline password and sshpass -p are equally unambiguous. curl -u is slightly broader but gated with evidence.

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF

Data categories

credentials, security

Scope

specific

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Unsupported

Pattern

export\s+[A-Za-z_]*(?:PASS|TOKEN|SECRET|KEY)[A-Za-z_]*=\S{4,}

Corroborative evidence keywords

export, mysql, curl, sshpass, history, bash_history, zsh_history

Proximity: 300 characters

Should match

• export DB_PASSWORD=S3cr3t! — Shell export of a PASSWORD env var with a plaintext credential value
• mysql -uroot -pP@ssw0rd dbname — mysql command-line with inline -p password flag
• curl https://api.example.com/data -u admin:HunterTwo99 — curl basic-auth -u user:password argument
• sshpass -p 'Secret1' ssh user@host.example.com — sshpass invocation with plaintext -p password
• export API_SECRET=abcdef1234567890 — Shell export of a SECRET env var

Should not match

• cd /home/user — Plain shell navigation command with no credential
• ls -la — Directory listing command with no credential
• export PATH=/usr/local/bin:$PATH — PATH export — var name does not contain PASS/TOKEN/SECRET/KEY

Known false positives

• Shell history entries that set PASS/TOKEN/SECRET/KEY env vars to variable references rather than literal values, e.g. export DB_PASSWORD=$VAULT_SECRET. Mitigation: The variable-reference form ($VAR) still begins with $ so \S{4,} still matches; treat as lower severity but still noteworthy.
• mysql commands that use -p without an inline password (prompts interactively), e.g. mysql -uroot -p dbname where -p is the last flag before the db name. Mitigation: The pattern requires \S{3,} immediately after -p with no space, which distinguishes inline passwords from the interactive -p flag.

Collections

• Snaffler Parity — Credential & Secret Files