Scenarios that have hit whitelist still showing up as alerts?

I have the following whitelist enabled, as I'm on NixOS: https://github.com/crowdsecurity/hub/blob/master/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-whitelist-process.yaml

It should be whitelisting all binaries that start follow the form of

/nix/store/*/.<binary name>-wrapped

/nix/store/*/.<binary name>-wrapped

, but it still seems to be generating alerts, like in this case:

https://gist.github.com/poperigby/97fd29e297c9843ff677d98eeef90f8e

Why is this happening?

GitHub

hub/postoverflows/s01-whitelist/crowdsecurity/auditd-nix-wrappers-w...

Main repository for crowdsec scenarios/parsers. Contribute to crowdsecurity/hub development by creating an account on GitHub.

Gist

gist:97fd29e297c9843ff677d98eeef90f8e

GitHub Gist: instantly share code, notes, and snippets.

CrowdSec•6/8/25, 10:13 PM

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

•

6/8/25, 10:13 PM

PopeRigbyOP•6/8/25, 10:14 PM

My whitelist metrics are showing that the whitelist is getting hits:

PPopeRigby I have the following whitelist enabled, as I'm on NixOS: https://github.com/crow...

Loz•6/9/25, 6:29 AM

The reason is the whitelist looks for which is from your alerts which seems to be invoked from "parent_progname" which I guess is a symlink?

LLoz The reason is the whitelist looks for `exe` which is `/.runc-wrapped` from your ...

PopeRigbyOP•6/10/25, 4:58 AM

parent_progname is considered this:

PPopeRigby parent_progname is considered this: ``` /nix/store/m6hfmlrj4hw45j8j88zvvl0j7qchb...

Loz•6/10/25, 7:00 AM

Yes but the whitelist looks for not parent name, so either we update it with an or case or create one for runc

LLoz Yes but the whitelist looks for `exe` not parent name, so either we update it wi...

PopeRigbyOP•6/10/25, 6:55 PM

Ohhh, I guess I messed it up when I made it. How can I make it look for parent name? I wouldn't want to create a special case for runc because it's going to be a similar case with every other exe.

LLoz Yes but the whitelist looks for `exe` not parent name, so either we update it wi...

PopeRigbyOP•6/13/25, 12:24 AM

we update it with an or case

How can I do that?