
Rule Reference

SEC663 · lintai-ai-security · stable · hook · deny

Hook script: Linux capability manipulation

Hook script manipulates Linux capabilities

Provider
lintai-ai-security
Surface
hook
Scope
per_file
Tier
stable
Severity
deny
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the built-in activation graph through these preset memberships.

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Matches explicit Linux capability manipulation payloads in executable hook lines.

Deterministic signal basis

HookSignals shell-token analysis over non-comment hook lines for `setcap` or dangerous Linux capability tokens such as `cap_setuid` and `cap_sys_admin`.

Malicious corpus
hook-privilege-escalation-payloads
Benign corpus
cursor-plugin-clean-basic
structured evidence required · remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

Why It Matters

Linux capabilities like `cap_setuid` and `cap_sys_admin` can grant powerful privileges without full root.

What Triggers

SEC663 matches executable hook lines that run `setcap` or include dangerous capability tokens such as `cap_setuid`, `cap_setgid`, `cap_sys_admin`, or `cap_net_admin`.
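The following is an added illustration of the kind of shell-token scan this rule describes; it is not lintai's own implementation. The function names `scan_hook` and `verdict`, the sample hook script, and the comment-handling details are assumptions made here. The capability list is the one given on this page.

```python
import re
import shlex

# Capability tokens the rule treats as dangerous (taken from the rule text).
DANGEROUS_CAPABILITIES = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_net_admin"}

# Matches capability names inside setcap-style arguments such as
# "cap_setuid,cap_setgid+ep" or "cap_net_admin=eip".
_CAP_TOKEN = re.compile(r"cap_[a-z_]+")


def _is_comment(line: str) -> bool:
    """Blank lines and lines whose first non-space character is '#' are skipped."""
    stripped = line.strip()
    return not stripped or stripped.startswith("#")


def scan_hook(script: str):
    """Return (line number, kind, token) findings for executable hook lines.

    kind is "command" for a setcap invocation and "capability" for a
    dangerous capability token. Comment-only lines and trailing shell
    comments are ignored, so mentions in comments do not trigger.
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if _is_comment(line):
            continue
        try:
            # comments=True drops anything after an unquoted '#'.
            tokens = shlex.split(line, comments=True)
        except ValueError:
            # Unbalanced quotes: fall back to a whitespace split so the
            # line is still inspected rather than silently skipped.
            tokens = line.split()
        for tok in tokens:
            # Normalise paths such as /usr/sbin/setcap to the bare command name.
            if tok.rsplit("/", 1)[-1] == "setcap":
                findings.append((lineno, "command", "setcap"))
            for cap in _CAP_TOKEN.findall(tok.lower()):
                if cap in DANGEROUS_CAPABILITIES:
                    findings.append((lineno, "capability", cap))
    return findings


def verdict(script: str) -> str:
    """Map findings to the rule's severity: any finding is a deny."""
    return "deny" if scan_hook(script) else "allow"


# Constructed sample hook (not from any real plugin) exercising the
# comment exclusions and a real setcap call.
SAMPLE_HOOK = """#!/bin/sh
# Installer hook (constructed sample)
# setcap cap_sys_admin+ep ./helper   <- comment only, must not trigger
set -e
echo "building"
/usr/sbin/setcap cap_setuid,cap_setgid+ep ./helper
echo "done"  # cap_net_admin mentioned only in a trailing comment
"""

if __name__ == "__main__":
    for finding in scan_hook(SAMPLE_HOOK):
        print(finding)
    print(verdict(SAMPLE_HOOK))
```

Only line 6 of the sample produces findings: the `setcap` command itself plus `cap_setuid` and `cap_setgid`. The capability named in the leading comment and in the trailing comment on line 7 is not reported, which is the "non-comment hook lines" behaviour the deterministic signal basis describes.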

False Positives

Capability assignment can be legitimate in low-level system tooling, but it remains a sensitive host privilege change in shared hooks.

Remediation

Remove Linux capability manipulation from the hook and keep capability assignment in an explicit reviewed admin workflow.