```bash
cscli postoverflows install crowdsecurity/auditd-nix-wrappers-whitelist-process
```

With the Nix package manager, some executables are wrapped: the file that ends up in PATH, `/nix/store/<hash>/bin/<program>`, is a small wrapper (typically a generated shell script) that sets up the environment and then execs the real binary, which lives next to it as `/nix/store/<hash>/bin/.<program>-wrapped`. auditd therefore records the executed program as that `.<program>-wrapped` path, and because the file name starts with a `.` character it triggers the suspicious process detection (`crowdsecurity/auditd-sus-exec`).

This postoverflow whitelists alerts from that scenario when every event's `exe` matches the `.<program>-wrapped` pattern directly under the `bin` directory of a store path in `/nix/store`. The match is anchored to the full path, so a dotfile ending in `-wrapped` anywhere else (for example `/tmp/.foo-wrapped`, or a subdirectory of `bin`) is still reported, and an alert that mixes a wrapped binary with any other executable is not whitelisted.
```yaml
name: crowdsecurity/auditd-nix-wrappers-whitelist-process
description: "Whitelist wrapped binaries in the Nix store"
whitelist:
  reason: "Nix wrapped binaries"
  expression:
    - |
      evt.Overflow.Alert.GetScenario() == 'crowdsecurity/auditd-sus-exec' && all(evt.Overflow.Alert.Events, {.GetMeta('exe') matches '^\\/nix\\/store\\/[^\\/]+\\/bin\\/\\.[^\\/]+-wrapped$'})
```
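To check what the whitelist expression above accepts and rejects without running a CrowdSec engine, here is an added Python example (not part of the hub item) that mirrors the expression: the same regular expression, the `all()` over the alert's events, and the scenario check. The `exe` paths are constructed sample values, and the `alert_is_whitelisted` function name is this example's own.

```python
import re

# Same pattern as the postoverflow's `matches` clause, written in Python's re
# syntax. Go's regexp (used by expr) and Python's re agree on these constructs.
NIX_WRAPPED_RE = re.compile(r'^/nix/store/[^/]+/bin/\.[^/]+-wrapped$')

# Scenario the postoverflow applies to.
SUS_EXEC_SCENARIO = 'crowdsecurity/auditd-sus-exec'


def is_nix_wrapped(exe: str) -> bool:
    """True if `exe` is a wrapped binary directly under bin/ of a store path.

    fullmatch is used rather than match: Python's `$` also matches before a
    trailing newline, whereas Go's `$` only matches at end of text.
    """
    return NIX_WRAPPED_RE.fullmatch(exe) is not None


def alert_is_whitelisted(scenario: str, exe_paths: list) -> bool:
    """Mirror the expression: scenario must be auditd-sus-exec AND every event
    in the alert must point at a wrapped binary in the Nix store.

    Like expr's all(), an empty event list evaluates to True; a real alert
    always carries at least one event, so this only matters for the model.
    """
    if scenario != SUS_EXEC_SCENARIO:
        return False
    return all(is_nix_wrapped(p) for p in exe_paths)


# Constructed sample exe values (store hash is made up).
WRAPPED_OK = '/nix/store/0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p-python3-3.11.6/bin/.python3.11-wrapped'
PLAIN_STORE_BIN = '/nix/store/0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p-coreutils-9.3/bin/ls'
OUTSIDE_STORE = '/tmp/.ls-wrapped'
SUBDIR_OF_BIN = '/nix/store/0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p-foo-1.0/bin/sub/.foo-wrapped'
NOT_BIN_DIR = '/nix/store/0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p-foo-1.0/lib/.foo-wrapped'
TRAILING_SUFFIX = '/nix/store/0a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p-foo-1.0/bin/.foo-wrapped.bak'


def run_examples() -> dict:
    """Evaluate the sample alerts; returns a mapping used by the assertions."""
    return {
        # Single wrapped binary from the sus-exec scenario: whitelisted.
        'wrapped_only': alert_is_whitelisted(SUS_EXEC_SCENARIO, [WRAPPED_OK]),
        # One event outside the store breaks all(): alert is kept.
        'mixed': alert_is_whitelisted(SUS_EXEC_SCENARIO, [WRAPPED_OK, OUTSIDE_STORE]),
        # Same exe but a different scenario: not this postoverflow's concern.
        'other_scenario': alert_is_whitelisted('crowdsecurity/ssh-bf', [WRAPPED_OK]),
    }


if __name__ == '__main__':
    for path in (WRAPPED_OK, PLAIN_STORE_BIN, OUTSIDE_STORE, SUBDIR_OF_BIN,
                 NOT_BIN_DIR, TRAILING_SUFFIX):
        print(f'{is_nix_wrapped(path)!s:5}  {path}')
    print(run_examples())
```

The negative cases are the ones worth keeping in mind when tuning: an attacker who names a binary `.something-wrapped` outside `/nix/store` does not get a free pass, and an alert is only dropped when every event in it is a store wrapper.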