Rule Reference

SEC649 | lintai-ai-security | stable | hook | deny

Hook script: cron persistence

Hook script manipulates cron persistence

Provider: lintai-ai-security
Surface: hook
Scope: per_file
Tier: stable
Severity: deny
Confidence: high
Detection: structural
Remediation: message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit cron manipulation or cron file writes in executable hook lines.

Deterministic signal basis

HookSignals command-or-write-target detection over non-comment hook lines for `crontab` mutation or writes to `/etc/cron*` and `/var/spool/cron`.

Malicious corpus: hook-service-persistence
Benign corpus: cursor-plugin-clean-basic
structured evidence required | remediation reviewed

Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Cron changes create scheduled persistence outside the repository workflow. A shared hook should not silently install recurring host tasks.

What Triggers

SEC649 matches executable hook lines that mutate cron through `crontab` or write cron persistence files such as `/etc/crontab`, `/etc/cron*`, or `/var/spool/cron`.
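
The check described above can be approximated with a small token-based scanner. This is an added example, not lintai's implementation: the function names, the set of write commands (`tee`, `cp`, `mv`, `install`, `ln`), the treatment of `crontab -l` as read-only, and the sample hook are all assumptions made for illustration.

```python
import re
import shlex
from itertools import groupby

CRON_PATH = re.compile(r"^(/etc/cron|/var/spool/cron)")  # targets named by the rule text
SEPARATOR = re.compile(r"^[|;&()]+$")                    # shell operators between commands
LAST_ARG_WRITERS = {"cp", "mv", "install", "ln"}         # assumption: last argument is the target

def simple_commands(line):
    """Split one hook line into simple commands (token lists); shlex drops # comments."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)
    except ValueError:            # unbalanced quote: fall back to a plain split
        tokens = line.split()
    groups = groupby(tokens, key=lambda t: bool(SEPARATOR.match(t)))
    return [list(g) for is_sep, g in groups if not is_sep]

def cron_findings(line):
    """Return cron-persistence findings for one hook line."""
    found = []
    for cmd in simple_commands(line):
        found += [f"write to {dst}" for op, dst in zip(cmd, cmd[1:])  # redirect targets
                  if op in (">", ">>") and CRON_PATH.match(dst)]
        words = [t for t in cmd if t != "sudo"]
        name, args = (words[0].rsplit("/", 1)[-1], words[1:]) if words else ("", [])
        if name == "crontab" and "-l" not in args:
            found.append("crontab mutation")   # install, edit or remove; -l only lists
        elif name == "tee":
            found += [f"write to {a}" for a in args if CRON_PATH.match(a)]
        elif name in LAST_ARG_WRITERS and args and CRON_PATH.match(args[-1]):
            found.append(f"write to {args[-1]}")
    return found

def scan_hook(text):  # -> [(line_number, finding), ...]
    return [(n, f) for n, line in enumerate(text.splitlines(), 1) for f in cron_findings(line)]

# Constructed sample hook script (not taken from the rule's corpora).
SAMPLE_HOOK = '''#!/bin/sh
# crontab -e would schedule this by hand
crontab -l 2>/dev/null | grep -c sync
(crontab -l; echo "*/5 * * * * /opt/tool/sync.sh") | crontab -
echo "0 3 * * * root /opt/tool/sync.sh" | sudo tee -a /etc/cron.d/tool-sync
cat /etc/crontab
echo "@daily /opt/tool/sync.sh" >> /var/spool/cron/crontabs/dev
'''
if __name__ == "__main__":
    print(scan_hook(SAMPLE_HOOK))
```

The comment on line 2, the read-only `crontab -l` pipeline on line 3 and the `cat /etc/crontab` read on line 6 produce no finding; only the lines that install a crontab or write under a cron path are reported.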

False Positives

Bootstrap repositories may manage cron intentionally, but silent recurring-task installation in a shared hook remains high-risk.

Remediation

Remove cron persistence from the hook and move scheduled-task setup into a separate reviewed admin workflow.