pscap command

pscap shows an overview of processes and their assigned capabilities

Typical usage: service hardening, system hardening, troubleshooting

Introduction to pscap

The pscap utility shows the capabilities that each running process currently has. When you run the pscap command, it retrieves the active processes and determines for each one which capabilities are assigned. If a process is unrestricted, in other words it has all capabilities, pscap shows full in the capabilities column.

Two special characters can follow the list: @ means the process has ambient capabilities, and + indicates an open-ended bounding set, meaning it is not restricted.

This tool is very helpful to quickly focus on network-related applications and see what capabilities they have. This may help in system hardening efforts, for example by applying a hardening profile to systemd services.

Example output

Example of running pscap as the root user.

# pscap
ppid  pid   name        command             capabilities
1     239   root        systemd-journal     chown, dac_override, dac_read_search, fowner, setgid, setuid, sys_ptrace, sys_admin, audit_control, mac_override, syslog, audit_read +
1     268   root        systemd-udevd       chown, dac_override, dac_read_search, fowner, fsetid, kill, setgid, setuid, setpcap, linux_immutable, net_bind_service, net_broadcast, net_admin, net_raw, ipc_lock, ipc_owner, sys_module, sys_rawio, sys_chroot, sys_ptrace, sys_pacct, sys_admin, sys_boot, sys_nice, sys_resource, sys_tty_config, mknod, lease, audit_write, audit_control, setfcap, mac_override, mac_admin, syslog, block_suspend, audit_read, perfmon, bpf, checkpoint_restore +
1     306   systemd-timesync  systemd-timesyn     sys_time @ +
1     403   root        dhclient            dac_override, net_bind_service, net_admin, net_raw +
1     502   root        cron                full +
1     504   messagebus  dbus-daemon         audit_write +
1     506   root        qemu-ga             full +
1     508   root        systemd-logind      chown, dac_override, dac_read_search, fowner, linux_immutable, sys_admin, sys_tty_config, audit_control, mac_admin +
1     510   root        login               full +
1     515   root        sshd                full +
1     541   root        systemd             full +
541   542   root        (sd-pam)            full +
510   548   root        bash                full +
515   552   root        sshd                full +
567   571   root        su                  full +
571   572   root        bash                full +
515   15485 root        sshd                full +
15492 15496 root        su                  full +
15496 15497 root        bash                full +
1     20728 root        nginx               full +
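
A way to triage output like the listing above, as an added example that is not part of the original page or of libcap-ng: it reads pscap output on stdin and reports processes that are unrestricted (full) or hold a capability from a review list. The HIGH_RISK list and the function names are assumptions chosen for illustration, and the parser assumes the command name contains no spaces.

```shell
#!/bin/sh
# Added example: triage pscap output read from stdin.
# HIGH_RISK is an assumed review list, not something pscap defines.
HIGH_RISK="sys_admin sys_module sys_ptrace sys_rawio dac_override setuid bpf"

pscap_triage() {
    awk -v risky="$HIGH_RISK" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    $1 == "ppid" || NF < 5 { next }          # skip header and short/blank lines
    {
        ambient = "no"; unbound = "no"; hits = ""; full = 0
        for (i = 5; i <= NF; i++) {          # fields 1-4: ppid pid name command
            cap = $i; sub(/,$/, "", cap)     # strip the list separator
            if (cap == "@") ambient = "yes"        # ambient capabilities present
            else if (cap == "+") unbound = "yes"   # open-ended bounding set
            else if (cap == "full") full = 1       # all capabilities
            else if (cap in want) hits = hits (hits == "" ? "" : ",") cap
        }
        if (full) hits = "full"
        if (hits != "")
            printf "%s %s %s ambient=%s open_bounding=%s\n", $2, $4, hits, ambient, unbound
    }'
}

# Constructed sample: a few lines copied from the example output on this page.
sample_pscap_output() {
cat <<'EOF'
ppid  pid   name        command             capabilities
1     306   systemd-timesync  systemd-timesyn     sys_time @ +
1     403   root        dhclient            dac_override, net_bind_service, net_admin, net_raw +
1     504   messagebus  dbus-daemon         audit_write +
1     20728 root        nginx               full +
EOF
}

sample_pscap_output | pscap_triage
```

On a live system, run it as `pscap | pscap_triage` after sourcing the function.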

Installation

When pscap is not installed by default, it can be added to the system using the relevant software package.

Package information for pscap

Operating system            Package name       Installation
AlmaLinux                   libcap-ng-utils    dnf install libcap-ng-utils
Arch Linux                  libcap-ng-utils    pacman -S libcap-ng-utils
Debian                      libcap-ng-utils    apt install libcap-ng-utils
Fedora                      libcap-ng-utils    dnf install libcap-ng-utils
Red Hat Enterprise Linux    libcap-ng-utils    dnf install libcap-ng-utils
Rocky Linux                 libcap-ng-utils    dnf install libcap-ng-utils
Ubuntu                      libcap-ng-utils    apt install libcap-ng-utils


Usage

Available options

Long option   Short option   Description
              -a             Include all processes (like init)


Frequently Asked Questions

What is the pscap command and its purpose?

The pscap command is a command-line tool on Linux that shows running processes and what Linux capabilities they currently have assigned.

Which package provides the pscap command?

The command pscap is provided by the libcap-ng-utils package.

Related and similar commands

Linux has a lot of tools and commands available and sometimes you just need that little other tool. Here is a list of commands that are similar or related to pscap:

Related and similar commands to pscap
Command   Category            Summary
basename  files               Strips directory and file name suffix from a given path
capsh     capabilities        Linux capabilities testing and debugging tool
captest   capabilities        Capabilities and privilege escalation testing tool
chrt      processes           Sets Linux scheduler policy and priority for a process or command
filecap   capabilities        Display of Linux capabilities set on binaries in paths
firejail  sandboxing          Sandboxing tool for Linux
getcap    capabilities        Show file capabilities
getpcaps  capabilities        Show process capabilities
kill      processes           Sending signals to processes
netcap    capabilities        Display available capabilities for running processes using network sockets
nice      processes           Runs commands with specified priority
numactl   processes           Controls NUMA policy for processes and shared memory
peekfd    processes           Tracks a process and shows file descriptor activity
pidof     processes           Returns process IDs for a process name
pidstat   monitoring          Monitoring CPU, memory, and disk activity
pidwait   processes           Wait for process to stop
pmap      processes           Shows memory mapping of process
prtstat   processes           Shows process details for selected process like state, CPU and memory usage
pslog     logging             Shows which log files a process has opened
pstree    processes           Show active processes and children like a tree
pwdx      processes           Shows current working directory of a process
renice    processes           Changes the priority of running processes
setcap    capabilities        Add or remove Linux capabilities to a file
slabtop   memory              Shows slab usage of kernel
smem      memory              Show memory usage including swap
strace    process inspection  Inspects running process
units     data conversion     Converts a unit into another one, like from Celsius to Fahrenheit
watch     processes           Monitors changes in output of specified command
