detect-running-alg-socket: Detect processes using AF_ALG sockets in Linux.
A focused, CLI-based tool designed for system administrators and security professionals to audit running processes that use the AF_ALG socket interface. It is crucial for mitigating operational risk when considering disabling the `AF_ALG` kernel module, since it helps prevent service disruption.
Tagline: Detect processes using AF_ALG sockets in Linux.
Platform: web
Category: Security · DevOps
Source: github.com
In the current security landscape, kernel module management is a critical function for system hardening. Recently disclosed vulnerabilities reachable through interfaces like `AF_ALG` (for example via its `aead` algorithm type) call for a granular approach to mitigation. Simply blacklisting or disabling the module is tempting as a way to reduce the attack surface, but it can cause significant service outages if critical applications rely on it.
`detect-running-alg-socket` addresses this specific operational concern. It provides a focused audit mechanism to determine *which processes* are using `AF_ALG` before any restrictive change is made. Its functionality is straightforward but highly valuable: it scans the system's `/proc` filesystem (specifically the per-process file descriptors) to identify every active process that has opened, or is actively using, a socket associated with the AF_ALG interface. The output, presented in clean JSON, maps each hit to its PID, the specific file descriptor, and the process name, eliminating the guesswork of manual `lsof` runs or raw shell scripting.
For DevOps and SecOps teams, the ability to reliably enumerate these dependencies is paramount. The tool's structured output isn't just informational; it's actionable data. It allows administrators to generate a dependency map that informs the necessary migration plans, for example updating an application's networking stack or whitelisting specific exceptions before a module is removed. The inclusion of a streaming mode adds robustness and is useful for continuous or interactive monitoring scenarios.
While the core utility is undeniable, users must be mindful of the tool's operational scope. Detecting usage does not equate to understanding the *security context* of that usage. A process merely using `AF_ALG` might be legitimate, but the gathered data needs subsequent investigation to determine whether the usage pattern itself constitutes a risk. Furthermore, because the tool reads `/proc` entries and file descriptors of other processes, running it with elevated privileges (root/sudo) is often necessary to get a complete and accurate picture, as the permission errors in the tool's output examples indicate.
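As an added example (not the project's own code), the scan described above in Python: walk `/proc/<pid>/fd`, collect socket inodes and the process name, record the pids that could not be read, and return JSON-ready records. The way a socket is flagged here is an assumption, not the tool's documented method: AF_ALG sockets have no listing under `/proc/net`, so a socket inode that appears in none of the per-family `/proc/net` tables is reported as a candidate (the same situation `lsof` reports as "can't identify protocol"); the function and field names are mine.

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
# Whitespace-split field index of the inode column in each /proc/net socket table.
# Families with no table here (AF_ALG among them) leave their inodes unaccounted for.
INODE_FIELD = {"tcp": 9, "tcp6": 9, "udp": 9, "udp6": 9, "raw": 9, "raw6": 9,
               "udplite": 9, "udplite6": 9, "unix": 6, "netlink": 9, "packet": 8}

def known_socket_inodes(tables):
    """tables: {name: text of /proc/net/<name>}; returns every inode they list."""
    known = set()
    for name, text in tables.items():
        idx = INODE_FIELD[name]
        for fields in (ln.split() for ln in text.splitlines()[1:]):  # skip header row
            if len(fields) > idx and fields[idx].isdigit():
                known.add(fields[idx])
    return known

def alg_candidates(fd_links, comm, known):
    """fd_links: {pid: {fd: link target}}, comm: {pid: name}; JSON-ready hits."""
    found = []
    for pid, fds in sorted(fd_links.items()):
        for fd, target in sorted(fds.items()):
            m = SOCKET_RE.match(target)
            if m and m.group(1) not in known:  # a socket no /proc/net table claims
                found.append({"pid": pid, "fd": fd, "inode": int(m.group(1)),
                              "name": comm.get(pid, "?")})
    return found

def scan_proc(root="/proc"):
    """Walk a live /proc. A PermissionError on a pid is recorded, not fatal."""
    tables, fd_links, comm, denied = {}, {}, {}, []
    for name in INODE_FIELD:
        if os.path.exists(f"{root}/net/{name}"):  # not every table exists on every kernel
            with open(f"{root}/net/{name}") as fh:
                tables[name] = fh.read()
    for pid in (int(p) for p in os.listdir(root) if p.isdigit()):
        try:
            fd_dir = f"{root}/{pid}/fd"
            fd_links[pid] = {int(fd): os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
            with open(f"{root}/{pid}/comm") as fh:
                comm[pid] = fh.read().strip()
        except PermissionError:
            denied.append(pid)  # unprivileged run: rerun as root to cover these
        except OSError:
            continue  # process or descriptor went away mid-scan
    return {"candidates": alg_candidates(fd_links, comm, known_socket_inodes(tables)),
            "permission_denied": denied}
```

Running `print(json.dumps(scan_proc(), indent=2))` as root prints the candidate list plus the pids that could not be inspected. Other families without a `/proc/net` table (AF_VSOCK, AF_BLUETOOTH and the like) land in the same bucket, so the output is a shortlist to investigate, which matches the caveat above.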
Article Tags: indie, security, devops