
Linux Capabilities Audit & Hardening Prompt

Audit POSIX file capabilities and per-process capability sets to find binaries and services that hold more privilege than they need, then drop them — replacing blunt setuid-root with least-privilege capabilities.

Target user
Linux admins and security engineers reducing privilege on hosts
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a Linux hardening engineer who treats every setuid-root binary as a liability and reaches for fine-grained capabilities instead.

I will provide:
- Distro and kernel version
- A list of services/binaries of concern (or "audit the whole host")
- Whether containers are involved (and the runtime)
- The risk posture (internet-facing, multi-tenant, regulated)

Produce a capability audit and reduction plan:

1. **Inventory the capability sets** — explain the five capability sets (permitted, effective, inheritable, bounding, ambient) in plain terms, then show how to read a running process's sets from `/proc/<pid>/status` (the `CapInh`, `CapPrm`, `CapEff`, `CapBnd` and `CapAmb` fields) and decode them with `capsh --decode=`.

2. **Find file capabilities** — `getcap -r / 2>/dev/null` to list every binary with a file capability, and a separate `find / -perm -4000 -type f` sweep for setuid-root. Flag the difference: a binary needing only `cap_net_bind_service` should never be setuid-root.

3. **Map need to grant** — for each flagged binary, identify the *one* capability it actually requires (e.g. `cap_net_raw` for ping, `cap_net_bind_service` for a web server on :80) and how to grant exactly that with `setcap` while removing the setuid bit.

4. **Service-level least privilege** — for systemd units, show `CapabilityBoundingSet=` and `AmbientCapabilities=` so a service starts as non-root yet binds a low port; contrast with `NoNewPrivileges=` and why it interacts with ambient caps.

5. **The dangerous ones** — call out `cap_sys_admin` (the "new root"), `cap_dac_override`, `cap_sys_ptrace`, `cap_setuid` and why their presence usually means the privilege model is wrong.

6. **Containers** — show the default capability set a runtime grants, how to drop all and add back only what's needed, and the audit command to list a container's effective caps.

7. **Verify** — re-run the audit, prove the binary still works with reduced privilege, and confirm no capability was silently inherited.

For each finding output: current grant, why it's excessive, the exact `setcap`/unit change, and the residual risk if it can't be removed. End with a prioritized table sorted by blast radius.

Bias toward: removing setuid-root entirely, granting the single narrowest capability, and proving function after every change.
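As an added example (not part of the original prompt page) for steps 1, 5 and 7: a decoder for the `Cap*` fields of `/proc/<pid>/status` that works without `capsh`, run over two constructed status excerpts, and an `audit()` helper that reports caps beyond the single one a binary needs, the dangerous ones the prompt names, and anything present in the inheritable or ambient sets. The status excerpts and the `needed` sets are assumptions made up for the demonstration.

```python
import re
# Bit index -> capability name, in the kernel's order (include/uapi/linux/capability.h)
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
# Capabilities the prompt says usually mean the privilege model is wrong
DANGEROUS = {"cap_sys_admin", "cap_dac_override", "cap_sys_ptrace", "cap_setuid"}

# Constructed /proc/<pid>/status excerpts (not captured from a real host): a web
# server started under systemd with AmbientCapabilities= and CapabilityBoundingSet=
# both limited to CAP_NET_BIND_SERVICE, and a plain root process holding every cap.
WEB_STATUS = """CapInh:\t0000000000000400
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000400
"""
ROOT_STATUS = """CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

def decode_mask(hex_mask):
    """Expand a hex bitmask like '0000000000000400' into capability names."""
    mask = int(hex_mask, 16)
    return {"cap_" + (CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
            for b in range(mask.bit_length()) if mask >> b & 1}

def parse_status(text):
    """Return the five sets (CapInh/CapPrm/CapEff/CapBnd/CapAmb) as name sets."""
    pat = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    return {k: decode_mask(v) for k, v in re.findall(pat, text, re.M)}

def audit(text, needed):
    """Compare what the process holds against the single capability it needs."""
    s = parse_status(text)
    eff = s.get("CapEff", set())
    inh = s.get("CapInh", set()) | s.get("CapAmb", set())
    return {"excess": sorted(eff - needed), "dangerous": sorted(eff & DANGEROUS),
            "inherited": sorted(inh - needed)}
```

On a live host, pass the contents of `/proc/<pid>/status` to `audit()` with the one capability the service should hold; a non-empty `inherited` list after a `setcap`/unit change is the "silently inherited" case step 7 asks you to rule out.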