>
> > There is a tool floating around called TAP which is a kernel mod that
> > allows you to easily watch streams on SunOS, and capture what a person
> > is typing. It is easy to modify so that you could actually write to
> > the stream, thus emulating that person and hijacking their terminal
> > connection.
> >
> > To load the modules, the intruder does a modload to add the module to
> > the kernel. One way to detect the hijacking tool is to do a
> >
> > modstat
> >
> > and see if there are any unfamiliar modules loaded. An intruder could trojan
> > modstat, so it might be worthwhile to check the integrity of modstat.
>
> If the 'cracker' has enough access to modload the code of his or her
> choosing into your machine, you have no security.
>
> That is to say, anyone who can modload the code is *already* root, and
> could, with enough care and patience, just read the data out of the kernel
> streams buffers using, oh, adb, or even 'crash'.

[...]

In the more recent versions of BSD based operating systems based on 4.4-Lite, with the kernel security level stuff, I believe it is not possible to load a kernel module after it has left single user mode. Does anyone know of a hack to SunOS which affords the same kind of `protection'? Of course, /dev/kmem & /dev/mem would need to become read-only devices too...

Darren
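The "run modstat and look for unfamiliar modules" check quoted above, written out as a baseline comparison, as an added example that is not part of the original thread. It assumes a module listing whose first field is the module name (the sample listing and module names here are constructed) and uses cksum for the integrity check of the listing tool that the thread says could be trojaned.

```sh
#!/bin/sh
# Added example, not from the thread: compare the kernel modules loaded now
# against a baseline recorded on a trusted system, and check that the
# listing tool itself has not been replaced.

# unfamiliar_modules BASELINE CURRENT
# BASELINE: module names recorded on a trusted, freshly installed system,
#           one per line.
# CURRENT:  the module listing captured now; the module name is assumed to
#           be the first whitespace-separated field of each line.
# Prints every module present in CURRENT but absent from BASELINE.
unfamiliar_modules() {
    awk 'NR == FNR { known[$1] = 1; next }
         NF > 0 && !($1 in known) { print $1 }' "$1" "$2"
}

# tool_checksum PATH
# Prints the cksum of a binary. Since the thread notes modstat itself may be
# trojaned, the reference value must come from a baseline recorded before
# exposure and kept off the machine, and cksum should be run from trusted
# media rather than from the possibly-compromised system PATH.
tool_checksum() {
    cksum "$1" | awk '{ print $1 }'
}

# verify_tool PATH EXPECTED_CKSUM
# Exit status 0 if the binary's checksum matches the recorded baseline.
verify_tool() {
    [ "$(tool_checksum "$1")" = "$2" ]
}

# Demonstration on constructed data: "tap" is the one module not in the baseline.
demo() {
    tmp=$(mktemp -d)
    printf 'nfs\nufs\ntmpfs\n' > "$tmp/baseline"
    printf '%s\n' 'nfs   0x1000  loaded' \
                  'ufs   0x2000  loaded' \
                  'tap   0x3000  loaded' > "$tmp/current"
    unfamiliar_modules "$tmp/baseline" "$tmp/current"   # prints: tap
    rm -r "$tmp"
}

demo
```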