Detection Library
Severity: low · Status: experimental · Platform: Linux · Cloud: OCI · MITRE ATT&CK: T1071.001

Linux Agent Writing Shared Socket Or IPC Artifacts

Detects AI agent processes creating Unix socket files or named pipes that could be used as unmonitored inter-agent communication channels, bypassing network-layer security controls.

Updated Jan 10, 2025 · OCI AI Security Team

Tags: agentic-ai, inter-agent, ipc, socket, linux, oci, owasp-asi07

Problem Statement

Unix sockets and named pipes provide IPC channels that bypass network monitoring entirely. An AI agent creating ad hoc socket files may be establishing a covert communication channel with another agent or process, outside the visibility of network security controls.

Sample Logs

{"timestamp":"2025-01-10T08:45:00Z","computer_name":"oci-worker-32","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/tmp/agent_ipc_7a3f.sock","event_type":"CreateFile"}

Required Fields

image
target_filename
user
computer_name

False Positives

  • Python web frameworks (Flask, FastAPI, Gunicorn) that create Unix socket files for efficient local communication
  • Database clients that create socket files for local database connections

Tuning Guidance

Allowlist known legitimate socket paths (e.g., database sockets). Alert on sockets with non-standard or randomized names that suggest dynamic creation for covert communication.
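The tuning guidance above applied to the page's log schema, as an added example that is not part of the detection library's own rule code. It assumes a prefix allowlist for known socket locations, a set of users/images treated as agent processes, and a hex-run heuristic for "randomized" names; the second and third log lines are constructed for illustration.

```python
import json
import re

# Constructed sample events in the page's log schema; only the first line
# is the page's own sample, the other two are assumed for illustration.
SAMPLE_LOGS = """\
{"timestamp":"2025-01-10T08:45:00Z","computer_name":"oci-worker-32","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/tmp/agent_ipc_7a3f.sock","event_type":"CreateFile"}
{"timestamp":"2025-01-10T08:46:10Z","computer_name":"oci-worker-32","user":"postgres","image":"/usr/lib/postgresql/16/bin/postgres","target_filename":"/var/run/postgresql/.s.PGSQL.5432","event_type":"CreateFile"}
{"timestamp":"2025-01-10T08:47:30Z","computer_name":"oci-worker-32","user":"agent_svc","image":"/usr/bin/python3","target_filename":"/tmp/agent_output.log","event_type":"CreateFile"}
"""

# Assumed allowlist of legitimate socket locations (tune per environment).
ALLOWED_SOCKET_PREFIXES = ("/var/run/postgresql/", "/var/run/mysqld/", "/run/gunicorn/")
# Assumed identities of AI agent processes; match on user OR image.
AGENT_USERS = {"agent_svc"}
AGENT_IMAGES = {"/usr/bin/python3"}

# Socket / named-pipe naming patterns; PostgreSQL's ".s.PGSQL.<port>" has no suffix.
IPC_PATH = re.compile(r"\.(sock|socket|fifo|pipe)$|/\.s\.PGSQL\.\d+$")
# A run of 4+ hex digits in the basename suggests a dynamically generated name.
RANDOM_TOKEN = re.compile(r"[0-9a-f]{4,}", re.IGNORECASE)


def is_ipc_artifact(path):
    return bool(IPC_PATH.search(path))


def is_allowlisted(path):
    return path.startswith(ALLOWED_SOCKET_PREFIXES)


def evaluate(event):
    """Return 'high', 'low', or None (no finding) for one parsed event."""
    if event.get("event_type") != "CreateFile":
        return None
    path = event.get("target_filename", "")
    if not is_ipc_artifact(path) or is_allowlisted(path):
        return None
    if event.get("user") not in AGENT_USERS and event.get("image") not in AGENT_IMAGES:
        return None
    basename = path.rsplit("/", 1)[-1]
    return "high" if RANDOM_TOKEN.search(basename) else "low"


def scan(log_text):
    """Parse JSON lines and return (target_filename, severity) for each finding."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            severity = evaluate(event)
            if severity:
                findings.append((event["target_filename"], severity))
    return findings
```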