netcap command
netcap shows an overview of network-related processes and their capabilities.
The netcap utility shows the current capabilities for processes that are using network sockets.
When run, the netcap command retrieves the active processes that have network sockets open. For each of those processes, it shows which capabilities are assigned. If a process is unrestricted, in other words has all capabilities, the capabilities column shows full.
Special characters are @, meaning ambient capabilities, and +, meaning an open-ended bounding set, that is, one that is not restricted.
This tool is very helpful to quickly focus on network-related applications and see what capabilities they have. This may help in system hardening efforts, for example by applying a hardening profile to systemd services.
Example output
Example of running netcap as the root user.
# netcap
ppid pid acct command type port capabilities
1 20728 root nginx tcp 80 full +
1 515 root sshd tcp 22 full +
515 552 root sshd tcp 22 full +
515 15485 root sshd tcp 22 full +
1 20728 root nginx tcp6 80 full +
1 515 root sshd tcp6 22 full +
1 403 root dhclient udp 68 dac_override, net_bind_service, net_admin, net_raw +
1 403 root dhclient pkt enp1s0 dac_override, net_bind_service, net_admin, net_raw +
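netcap prints one row per socket, so a process with several listeners appears more than once. The following added example (not part of netcap or libcap-ng) collapses the output to one line per process and lists those with full capabilities and an open-ended bounding set, the first candidates for a hardening profile. The function names are hypothetical, and the parser assumes command names contain no spaces and that + and @ appear as separate tokens, as in the output above.

```shell
#!/bin/sh
# Summarise netcap output: one line per process instead of one per socket.
# Output fields (tab-separated): pid, command, caps=full|limited,
# bounding=open|set, ambient=yes|no, capability list.
netcap_summary() {
    awk '
    $1 == "ppid" { next }                  # header row
    NF < 7 || ($2 in seen) { next }        # malformed line, or pid already reported
    {
        seen[$2] = 1
        caps = ""; bounding = "set"; ambient = "no"
        for (i = 7; i <= NF; i++) {
            if ($i == "+") bounding = "open"        # open-ended bounding set
            else if ($i == "@") ambient = "yes"     # ambient capabilities present
            else caps = caps (caps == "" ? "" : " ") $i
        }
        level = (caps == "full") ? "full" : "limited"
        printf "%s\t%s\tcaps=%s\tbounding=%s\tambient=%s\t%s\n", \
            $2, $4, level, bounding, ambient, caps
    }'
}

# Processes to review first: all capabilities and no bounding set limit.
netcap_review_list() {
    netcap_summary | awk -F "\t" \
        '$3 == "caps=full" && $4 == "bounding=open" { print $2 " (pid " $1 ")" }'
}

# Constructed sample input: the example output shown on this page.
sample_netcap_output() {
    cat <<'EOF'
ppid pid acct command type port capabilities
1 20728 root nginx tcp 80 full +
1 515 root sshd tcp 22 full +
515 552 root sshd tcp 22 full +
515 15485 root sshd tcp 22 full +
1 20728 root nginx tcp6 80 full +
1 515 root sshd tcp6 22 full +
1 403 root dhclient udp 68 dac_override, net_bind_service, net_admin, net_raw +
1 403 root dhclient pkt enp1s0 dac_override, net_bind_service, net_admin, net_raw +
EOF
}

# On a live system, as root: netcap | netcap_review_list
sample_netcap_output | netcap_review_list
```

For the sample above this lists nginx and the three sshd processes; dhclient is left out because its capability set is already limited.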
Installation
When the netcap command is not installed by default, it can be added to the system using the relevant software package.
Package information for netcap command
Operating system | Package name | Installation |
---|---|---|
AlmaLinux | libcap-ng-utils | |
Arch Linux | libcap-ng-utils | |
Debian | libcap-ng-utils | |
Fedora | libcap-ng-utils | |
Red Hat Enterprise Linux | libcap-ng-utils | |
Rocky Linux | libcap-ng-utils | |
Ubuntu | libcap-ng-utils | |