pscap command
pscap shows an overview of processes and their assigned capabilities.
The pscap utility shows the capabilities that each running process currently has. When run, it retrieves the active processes and determines for each one which capabilities are assigned. If a process is unrestricted, in other words it holds all capabilities, pscap shows full in the capabilities column.
Two special characters can follow the capabilities: @ indicates ambient capabilities, and + indicates an open-ended bounding set, meaning the bounding set is not restricted.
This tool is very helpful to quickly focus on network-related applications and see what capabilities they have. This may help in system hardening efforts, for example by applying a hardening profile to systemd services.
Example output
Example of running pscap as the root user.
# pscap
ppid pid name command capabilities
1 239 root systemd-journal chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read +
1 268 root systemd-udevd chown, dac_override, dac_read_search, fowner, fsetid, kill, setgid, setuid, setpcap, linux_immutable, net_bind_service, net_broadcast, net_admin, net_raw, ipc_lock, ipc_owner, sys_module, sys_rawio, sys_chroot, sys_ptrace, sys_pacct, sys_admin, sys_boot, sys_nice, sys_resource, sys_tty_config, mknod, lease, audit_write, audit_control, setfcap, mac_override, mac_admin, syslog, block_suspend, audit_read, perfmon, bpf, checkpoint_restore +
1 306 systemd-timesync systemd-timesyn sys_time @ +
1 403 root dhclient dac_override, net_bind_service, net_admin, net_raw +
1 502 root cron full +
1 504 messagebus dbus-daemon audit_write +
1 506 root qemu-ga full +
1 508 root systemd-logind chown, dac_override, dac_read_search, fowner, linux_immutable, sys_admin, sys_tty_config, audit_control, mac_admin +
1 510 root login full +
1 515 root sshd full +
1 541 root systemd full +
541 542 root (sd-pam) full +
510 548 root bash full +
515 552 root sshd full +
567 571 root su full +
571 572 root bash full +
515 15485 root sshd full +
15492 15496 root su full +
15496 15497 root bash full +
1 20728 root nginx full +
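To turn output like the above into a shortlist of hardening candidates, the following added example (not part of pscap or of the original page) filters pscap output read from stdin and reports processes with full capabilities, with selected high-impact capabilities, or with ambient capabilities. The function names and the RISKY selection are assumptions of this example, and it assumes the five-column layout shown above with no spaces in the command name.

```shell
#!/bin/sh
# Added example: shortlist hardening candidates from pscap output on stdin.
# Assumes the five columns shown above and a command name without spaces.

# Capabilities worth a closer look; this selection is an assumption of the example.
RISKY="sys_admin sys_module sys_ptrace sys_rawio dac_override net_admin net_raw bpf"

pscap_triage() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    $1 == "ppid" || NF < 5 { next }      # skip header and malformed lines
    {
        # Rebuild the capabilities column from field 5 onwards.
        caps = $5
        for (i = 6; i <= NF; i++) caps = caps " " $i
        # Strip the trailing markers: "+" (open-ended bounding set), "@" (ambient).
        sub(/ [+]$/, "", caps)
        amb = sub(/ @$/, "", caps)
        if (caps == "full") { print $2, $3, $4, "FULL"; next }
        # Collect the listed capabilities that appear in the RISKY selection.
        m = split(caps, c, ", "); hits = ""
        for (i = 1; i <= m; i++)
            if (c[i] in want) hits = hits (hits == "" ? "" : ",") c[i]
        if (hits != "") { print $2, $3, $4, "RISKY:" hits }
        else if (amb)   { print $2, $3, $4, "AMBIENT:" caps }
    }'
}

# Sample lines copied from the example output above.
sample_pscap() {
    cat <<'EOF'
ppid  pid   name        command           capabilities
1     306   systemd-timesync  systemd-timesyn   sys_time @ +
1     403   root        dhclient          dac_override, net_bind_service, net_admin, net_raw +
1     504   messagebus  dbus-daemon       audit_write +
1     515   root        sshd              full +
EOF
}

# Prints pid, user, command and verdict. On a live system: pscap | pscap_triage
sample_pscap | pscap_triage
```

Processes reported as FULL or RISKY are the first places to check whether the service actually needs what it holds.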
Installation
When the pscap command is not installed by default, it can be added to the system using the relevant software package.
Package information for pscap command
Operating system | Package name |
---|---|
AlmaLinux | libcap-ng-utils |
Arch Linux | libcap-ng-utils |
Debian | libcap-ng-utils |
Fedora | libcap-ng-utils |
Red Hat Enterprise Linux | libcap-ng-utils |
Rocky Linux | libcap-ng-utils |
Ubuntu | libcap-ng-utils |