Why It Matters

Dangerous Linux capabilities can grant elevated host privileges from repository-delivered plugin automation.

What Triggers

SEC672 matches plugin hook command strings that run setcap or include dangerous capability tokens such as cap_setuid, cap_setgid, cap_sys_admin, or cap_net_admin.

False Positives

Capability assignment may be legitimate in specialized admin plugins, but it still requires explicit review rather than silent plugin execution.

Remediation

Remove Linux capability manipulation from the plugin hook and keep capability assignment in a separate reviewed administrative path.