Report: Unix Sockets

A unix domain socket (UDS), or unix socket, is an interprocess communication (IPC) mechanism that enables bidirectional data exchange among multiple processes running on the same host.

A unix socket may be a STREAM socket (analogous to TCP), a DATAGRAM socket (analogous to UDP), a SEQPACKET socket (sequenced packet, analogous to SCTP), or a RAW socket. Unix sockets commonly use the file system as their address name space: each socket is identified by a file system inode, and two processes communicate by opening the same socket path.

Note

It is important not to conflate Unix sockets with network sockets. Network sockets are generally used to exchange data over the network, but they can also provide IPC through the loopback interface (localhost). Unix sockets exist only for interprocess communication and can be secured with file system permissions, whereas TCP sockets can be secured only at the packet filter level.
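The following is an added example, not part of the original report, illustrating the two points above: a STREAM and a DATAGRAM Unix socket exchanging a message through a path in the file system namespace, and the socket node's permission bits and inode as the file system reports them. The function names are my own; it assumes a POSIX host with AF_UNIX support and writes its socket files into a temporary directory.

```python
import os
import socket
import stat
import tempfile
import threading


def stream_roundtrip(message: bytes, mode: int = 0o600) -> dict:
    """Exchange one message over a STREAM (TCP-like) Unix socket bound in the file system.

    Returns the reply together with what the file system says about the socket node:
    whether it is a socket inode, its permission bits, and its inode number.
    """
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "demo.sock")  # constructed, throwaway path

        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(path)        # bind() creates the socket inode at `path`
        os.chmod(path, mode)     # file permissions decide who may connect() to it
        server.listen(1)

        def serve_once() -> None:
            # Accept a single client and echo its data back in upper case.
            conn, _ = server.accept()
            with conn:
                conn.sendall(conn.recv(4096).upper())

        worker = threading.Thread(target=serve_once)
        worker.start()

        info = os.stat(path)     # inspect the node exactly as a forensic tool would
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)
        client.sendall(message)
        reply = client.recv(4096)
        client.close()
        worker.join()
        server.close()

        return {
            "reply": reply,
            "is_socket": stat.S_ISSOCK(info.st_mode),
            "mode": stat.S_IMODE(info.st_mode),
            "inode": info.st_ino,
        }


def datagram_roundtrip(message: bytes) -> bytes:
    """Same exchange over DATAGRAM (UDP-like) Unix sockets.

    Datagram sockets are connectionless, so the client must bind its own path to
    receive a reply; the server learns that path from recvfrom().
    """
    with tempfile.TemporaryDirectory() as workdir:
        server_path = os.path.join(workdir, "server.sock")
        client_path = os.path.join(workdir, "client.sock")

        server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        server.bind(server_path)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        client.bind(client_path)

        client.sendto(message, server_path)
        data, sender = server.recvfrom(4096)   # sender is the client's socket path
        server.sendto(data[::-1], sender)      # reply with the bytes reversed
        reply, _ = client.recvfrom(4096)
        server.close()
        client.close()
        return reply


if __name__ == "__main__":
    print(stream_roundtrip(b"hello"))
    print(datagram_roundtrip(b"abc"))
```

The `mode` value returned by `stream_roundtrip` is the permission set that gates connections to the socket; a TCP socket on loopback has no equivalent per-node permission, which is the distinction the note draws.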

Report Data: Unix Sockets

The following are the unix sockets present at the time the memory snapshot was taken of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).

Unix Sockets Report

The following table describes each column of the reported data.

Column            Description                                     Notes
Pid               ID of the parent process
Process Name      Name of the parent process
Socket Type       Socket type: STREAM, DATAGRAM, SEQPACKET, RAW
Socket State
Reference Count
Name              Socket name, if defined
Inode             Unique integer that identifies the socket       Linux and Unix sockets are implemented with filesystem semantics

Forensic Hints

The same set of unix sockets can be obtained from a running Linux system with the netstat -l -p or ss -x -a commands; any difference between the set (a) read from user mode and (b) derived from memory inspection should be investigated, as discussed here.
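As an added example (not part of the report or its tooling), the comparison suggested above carried out in code: a parser for the unix-socket section of net-tools netstat output, and a diff against a list of records shaped like the report's columns. The netstat lines and the memory-derived records below are constructed sample data; the pids, inodes and paths in them are invented for illustration.

```python
import re
from typing import Dict, List

# One line of netstat's "Active UNIX domain sockets" section (net-tools layout):
#   Proto RefCnt Flags Type State I-Node PID/Program name Path
# State is blank for DGRAM sockets and the owner is "-" when netstat lacks permission.
NETSTAT_UNIX_RE = re.compile(
    r"^unix\s+(?P<refcnt>\d+)\s+\[\s*(?P<flags>[A-Z ]*?)\s*\]\s+"
    r"(?P<type>STREAM|DGRAM|SEQPACKET|RAW)\s+"
    r"(?:(?P<state>LISTENING|CONNECTED|CONNECTING|DISCONNECTING)\s+)?"
    r"(?P<inode>\d+)\s+(?P<owner>\S+)(?:\s+(?P<path>\S+))?\s*$"
)

# Constructed sample of `netstat -a -p` unix-socket output (values are invented).
NETSTAT_SAMPLE = """\
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     10234    1/init               @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     11002    1130/dbus-daemon     /var/run/dbus/system_bus_socket
unix  3      [ ]         DGRAM                    11120    1045/rsyslogd        /dev/log
unix  2      [ ]         DGRAM                    11500    -
"""

# Constructed records in the shape of the report's columns (values are invented).
MEMORY_SAMPLE: List[dict] = [
    {"pid": 1, "name": "init", "type": "STREAM", "state": "LISTENING",
     "refcnt": 2, "path": "@/com/ubuntu/upstart", "inode": 10234},
    # Same inode, different owning pid: typical of pid reuse between snapshot and netstat.
    {"pid": 1134, "name": "dbus-daemon", "type": "STREAM", "state": "LISTENING",
     "refcnt": 2, "path": "/var/run/dbus/system_bus_socket", "inode": 11002},
    {"pid": 1045, "name": "rsyslogd", "type": "DGRAM", "state": "",
     "refcnt": 3, "path": "/dev/log", "inode": 11120},
    # Present in memory but absent from the usermode listing: the case worth investigating.
    {"pid": 2291, "name": "proc_x", "type": "STREAM", "state": "LISTENING",
     "refcnt": 2, "path": "/var/tmp/.cache.sock", "inode": 19876},
]


def parse_netstat_unix(text: str) -> Dict[int, dict]:
    """Return {inode: record} for every unix-socket line in netstat output."""
    sockets: Dict[int, dict] = {}
    for line in text.splitlines():
        m = NETSTAT_UNIX_RE.match(line.strip())
        if not m:
            continue                       # headers, tcp/udp lines, blank lines
        pid, _, name = m.group("owner").partition("/")
        sockets[int(m.group("inode"))] = {
            "pid": int(pid) if pid.isdigit() else None,
            "name": name or None,
            "type": m.group("type"),
            "state": m.group("state") or "",
            "refcnt": int(m.group("refcnt")),
            "path": m.group("path") or "",
        }
    return sockets


def diff_unix_sockets(memory: List[dict], usermode: Dict[int, dict]) -> dict:
    """Compare memory-derived socket records with the usermode view, keyed by inode."""
    mem_by_inode = {rec["inode"]: rec for rec in memory}
    findings = {"hidden_from_usermode": [], "only_in_usermode": [], "owner_mismatch": []}
    for inode, rec in mem_by_inode.items():
        if inode not in usermode:
            findings["hidden_from_usermode"].append(inode)
        elif usermode[inode]["pid"] is not None and usermode[inode]["pid"] != rec["pid"]:
            findings["owner_mismatch"].append(inode)
    for inode in usermode:
        if inode not in mem_by_inode:
            findings["only_in_usermode"].append(inode)
    return {key: sorted(value) for key, value in findings.items()}


def run_demo() -> dict:
    """Parse the constructed netstat sample and diff it against the constructed memory records."""
    return diff_unix_sockets(MEMORY_SAMPLE, parse_netstat_unix(NETSTAT_SAMPLE))


if __name__ == "__main__":
    for category, inodes in run_demo().items():
        print(f"{category}: {inodes}")
```

Sockets that appear only in memory are the strongest signal, since nothing in the usermode listing accounts for them; sockets only in the usermode listing and owner mismatches are more often timing artifacts (the snapshot and the netstat run are not simultaneous) and are reported separately so they can be triaged with that in mind.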