updates
mfosterrox committed Nov 7, 2024
1 parent 16b75ee commit fa81561
Showing 16 changed files with 54 additions and 55 deletions.
Binary file modified content/modules/ROOT/assets/images/00-network-2.png
Binary file modified content/modules/ROOT/assets/images/01-compliance-4.png
Binary file modified content/modules/ROOT/assets/images/02-vuln2-5.png
Binary file modified content/modules/ROOT/assets/images/acs-deploy-02.png
25 changes: 2 additions & 23 deletions content/modules/ROOT/pages/00-setup-install-navigation.adoc
@@ -1,5 +1,4 @@
= Lab setup and introduction
// :toclevels: 1

== Module goals

Expand Down Expand Up @@ -97,26 +96,6 @@ oc config use-context eks-admin
Switched to context "eks-admin".
----

[source,sh,subs="attributes",role=execute]
----
oc whoami
oc get nodes -A
----

[.console-output]
[source,bash,subs="+macros,+attributes"]
----
[lab-user@bastion ~]$ oc whoami
oc get nodes -A
Error from server (NotFound): the server could not find the requested resource (get users.user.openshift.io ~)
NAME STATUS ROLES AGE VERSION
ip-<IP_ADDRESS>.us-east-2.compute.internal Ready <none> 163m v1.28.8-eks-ae9a62a
ip-<IP_ADDRESS>.us-east-2.compute.internal Ready <none> 163m v1.28.8-eks-ae9a62a
ip-<IP_ADDRESS>.us-east-2.compute.internal Ready <none> 163m v1.28.8-eks-ae9a62a
----

IMPORTANT: We should not have access with the *oc* command as it is an OpenShift command but you can see the EKS nodes and their information.

*Verify access to the OpenShift cluster*

Next, let's switch to the OpenShift cluster running and do our work (for now) in the OpenShift cluster
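Review bot: Removing the `oc whoami` / `oc get nodes -A` block leaves the `eks-admin` context switch at the top of this hunk with no verification step at all; the very next sentence is "Next, let's switch to the OpenShift cluster", so "Next" no longer follows any EKS action. If the EKS check is intentionally dropped, reword that sentence; otherwise keep at least `oc get nodes -A` with its expected node listing so readers can confirm the EKS kubeconfig context works before moving on. The removed IMPORTANT line was also the only place explaining why `oc whoami` fails against EKS (`users.user.openshift.io` does not exist there), which is useful context for anyone who runs it anyway.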
Expand Down Expand Up @@ -220,7 +199,7 @@ Access:
rw WorkflowAdministration
----

NOTE: This output is showing that you have unrestricted access to the RHACS product. these permissions can be seen in the **RHACS Access Control** tab that we will review later.
NOTE: This output is showing that you have unrestricted access to the RHACS product. These permissions can be seen in the **RHACS Access Control** tab that we will review later.

image::01-rhacs-access-control.png[RHACS access control]

Expand Down Expand Up @@ -582,7 +561,7 @@ Scan results for image: quay-8h2gf.apps.cluster-8h2gf.sandbox182.opentlc.com/qua
WARN: A total of 17 unique vulnerabilities were found in 9 components
----

[start=6]
[start=2]
. For the last verification step. Run the following command to ensure that the applications are up and running.

[source,bash,role="execute"]
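Review bot: `[start=6]` to `[start=2]` restarts the ordered list; confirm that exactly one numbered item precedes this point in the section, since the hunk-header context is a scan-result block and the previous item number is not visible here. While touching this spot, the unchanged line ". For the last verification step. Run the following command to ensure that the applications are up and running." is a sentence fragment; suggest ". For the last verification step, run the following command to ensure that the applications are up and running."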
18 changes: 10 additions & 8 deletions content/modules/ROOT/pages/01-visibility-and-navigation.adoc
Expand Up @@ -209,22 +209,24 @@ With these widgets, you can customize the information displayed on the dashboard

== Navigating the main use cases

We are going to work from the top down throughout the ACS dashboard to give you an overview of all of the use cases that ACS will cover, starting with the network UI.

=== Network

We are going to work from the top down throughout the ACS dashboard to give you an overview of all of the use cases that ACS will cover, starting with the network UI.
The network user interface contains two drop-downs: the *Network Graph* tab and the *Listening Endpoints* tab.

image::00-network-1.png[link=self, window=blank, width=100%, Dashboard Filter]
> *Click on the Network Graph tab*

The network user interface contains two drop-downs: the network graph tab and the listening endpoints tab.
image::00-network-1.png[link=self, window=blank, width=100%, Dashboard Filter]

The network graph tab allows you to visualize all the network connections in your cluster look at Baseline flows simulate Network policies manage CIDR blocks and more

> *Click on the Listening Endpoints tab*

image::00-network-2.png[link=self, window=blank, width=100%, Dashboard Filter]

With the *Listening Endpoints tab*, you can see all of the deployments across your clusters and audit for any reported listening endpoints. As you drill down through cluster namespace and into deployments, you will see the exact process ID, Port protocol pod ID, container name and whether they are exposed.

image::00-network-3.png[link=self, window=blank, width=100%, Dashboard Filter]

=== Violations

On to the violations tab.
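Review bot: The new line "The network user interface contains two drop-downs: the *Network Graph* tab and the *Listening Endpoints* tab." calls them drop-downs and then tabs; the click instructions below say "tab", so use "two tabs". The unchanged line "The network graph tab allows you to visualize all the network connections in your cluster look at Baseline flows simulate Network policies manage CIDR blocks and more" is missing its separators; suggest "visualize all the network connections in your cluster, look at baseline flows, simulate network policies, manage CIDR blocks, and more." The Listening Endpoints paragraph has the same problem ("cluster namespace and into deployments", "process ID, Port protocol pod ID") and should read "cluster, namespace and deployment" and "process ID, port, protocol, pod ID".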
Expand Down Expand Up @@ -284,12 +286,12 @@ image::00-compliance-3.png[link=self, window=blank, width=100%]
[start=1]
. Hit the *Scan environment* button in the top right of the page to kick off your first scan.

. Ensure you see the bar graphs fill up with data before moving. We we will review these compliance results in a later module.

image::01-compliance-4.png[link=self, window=blank, width=100%]

. Ensure you see the bar graphs fill up with data before moving. We we will review these compliance results in a later module.

====
We will dive deeper into this tab in later sections but feel free to explore and
We will dive deeper into this tab in later sections but feel free to explore the compliance dashboard and it's various graphs.
====

=== Vulnerability Management
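Review bot: "it's various graphs" in the new admonition text should be "its various graphs". Moving the ". Ensure you see the bar graphs fill up with data before moving." item below the image keeps it in the numbered list, but the doubled "We we will review" is carried over unchanged from the removed line into the added one; fix it in the same pass ("We will review these compliance results in a later module.").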
24 changes: 17 additions & 7 deletions content/modules/ROOT/pages/02-vulnerability-management-lab.adoc
Expand Up @@ -96,7 +96,7 @@ Buttons along the top of the interface will list details by;
- Node vulnerabilities
- Image vulnerabilities and risk

image::acs-vuln-dashboard-02.png[link=self, window=blank, width=100%, Top Policy Buttons]
image::acs-vuln-dashboard-02.png[link=self, window=blank, width=100%]

The *Application & Infrastructure* button displays a list that takes you to reports by;

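Review bot: Dropping `Top Policy Buttons` from `image::acs-vuln-dashboard-02.png[link=self, window=blank, width=100%, Top Policy Buttons]` removes the image's alt text: in the AsciiDoc image macro the first positional attribute is the alt text, and every other attribute in this list is named (`link`, `window`, `width`). Unless the description was wrong, keep it, preferably in the leading position where readers expect it, e.g. `image::acs-vuln-dashboard-02.png[Top Policy Buttons, link=self, window=blank, width=100%]`, so the rendered page keeps an accessible description.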
Expand All @@ -121,23 +121,27 @@ Above the panel information, there are buttons to link you to all policies, CVEs
====


image::acs-vuln-dashboard-02.png[link=self, window=blank, width=100%, Top Policy Buttons]
image::acs-vuln-dashboard-02.png[link=self, window=blank, width=100%]

image::acs-vuln-dashboard-03.png[link=self, window=blank, width=100%, Top Policy Buttons]
image::acs-vuln-dashboard-03.png[link=self, window=blank, width=100%]

[start=2]

. Locate the *Top riskiest images* panel.

Here, you can see the CVEs associated with containers currently running in the cluster.

image::acs-risk-02.png[link=self, window=blank, width=100%, Riskiest Images]
image::acs-risk-02.png[link=self, window=blank, width=100%]

NOTE: You can sort by other criteria such as "Top riskiest node components" (and others) by click the arrow to the left of the "View all button"

image::acs-vuln-dashboard-04.png[link=self, window=blank, width=100%,]

[start=3]

. In the *Top riskiest images* panel, click on the *VIEW ALL* button.

image::acs-risk-03.png[link=self, window=blank, width=100%, Riskiest Images]
image::acs-risk-03.png[link=self, window=blank, width=100%]

The images in this dashboard are listed here in order of *risk*,

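Review bot: The four image macros edited here (acs-vuln-dashboard-02, acs-vuln-dashboard-03, acs-risk-02, acs-risk-03) each lose their alt text ("Top Policy Buttons", "Riskiest Images") when the trailing positional attribute is removed; keep the descriptions rather than deleting them. Two unchanged lines in this hunk are also worth fixing while here: "by click the arrow to the left of the "View all button"" should be "by clicking the arrow to the left of the "View all" button", and `image::acs-vuln-dashboard-04.png[link=self, window=blank, width=100%,]` has a stray trailing comma in its attribute list.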
Expand Down Expand Up @@ -219,10 +223,16 @@ image::02-vuln2-4.png[link=self, window=blank, width=100%]

You will get the same information from the previous section.

However, if you click the deployments tab, you will see the specific deployments with all these vulnerabilities. This ability to see the individual deployments as well as their images is crucial. When you're talking about multiple clusters and thousands of vulnerabilities, you're going to have the same workloads across different clusters, and you will need to drill down into the individual deployments.
However, if you click the *Deployments button*, you will see the specific deployments with all these vulnerabilities.

image::02-vuln2-5.png[link=self, window=blank, width=100%]

image::02-vuln2-5.5.png[link=self, window=blank, width=100%]

This ability to see the individual deployments as well as their images is crucial. When you're talking about multiple clusters and thousands of vulnerabilities, you're going to have the same workloads across different clusters, and you will need to drill down into the individual deployments.

[start=3]
. Click on the CVE severity tab on the left and filter by critical and important vulnerabilities.
. Click on the CVE severity dropdown on the right side of the page and filter by critical and important vulnerabilities.

image::02-vuln2-6.png[link=self, window=blank, width=100%]

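Review bot: The newly referenced `image::02-vuln2-5.5.png[...]` does not appear by name in this commit's changed-files list (only 02-vuln2-5.png is shown as modified), so confirm the file is actually committed, otherwise the page renders a broken image. Minor: "*Deployments button*" bolds the word "button" together with the label; "*Deployments* button" matches the "*VIEW ALL* button" markup used earlier in this file.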
2 changes: 1 addition & 1 deletion content/modules/ROOT/pages/03-risk-profiling.adoc
Expand Up @@ -222,7 +222,7 @@ The event timeline shows for each pod the process activity that has occurred ove
image::04-risk-7.png[link=self, window=blank, width=100%]
image::04-risk-8.png[link=self, window=blank, width=100%]

While ACS monitored the baseline activity it picked up a feew policy violations from the container. as you click the blew dot you will see what is being flagged.
While ACS monitored baseline activity, it detected a few policy violations from the container. Click the blue dot to view the flagged issues.

NOTE: You can take advantage of the constrained lifecycle of containers for better runtime incident detection and response. Containers are not general-purpose virtual machines and therefore, generally have a simple lifecycle. They typically have a startup period, with some initialization, and then settle down to a small number of processes running continuously and making or receiving connections. Deviations from the baseline can be used to take enforcement action and alert team members. Runtime activity rules can be combined with other activity.

11 changes: 6 additions & 5 deletions content/modules/ROOT/pages/04-policy-management.adoc
Expand Up @@ -15,7 +15,8 @@ As we move into this next section, let's focus on identifying and enforcing a ru

== RHACS Runtime Policy Basics

RHACS observes container processes and collects this information to enable you to craft policies to prevent behavior that you don’t like. This information can also create baseline policy configurations that the user can update. Runtime policies can include all build-time and deploy-time policy criteria but they can also include data about process executions during runtime.
RHACS observes container processes and collects this information to enable you to craft policies to prevent behavior that you don’t like. This information can also create baseline policy configurations that the user can update. Runtime policies can include build-time and deploy-time policy criteria but they can also include data about process executions during runtime. However, runtime policies that use “audit logs” event source cannot use build and deploy criteria at all as they are Kubernetes specific events.


The example below demonstrates how security may want to block a package manager from downloading any packages to the container. This runtime enforcement option is the first in the process of shifting left. After runtime enforcement, you will want to stop the package manager from being used in the container altogether.

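Review bot: The added sentence on audit-log policies states the reason backwards: it is the audit log events that are Kubernetes-specific, not the build and deploy criteria. Suggest: "However, runtime policies that use the "Audit Log" event source cannot include build or deploy criteria, because those policies match only Kubernetes audit events." The hunk also leaves two consecutive blank lines before "The example below"; one is enough in AsciiDoc.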
Expand Down Expand Up @@ -232,7 +233,7 @@ image::acs-deploy-05.png[link=self, window=blank, width=100%]

Now, let's test it out! We're going to deploy a simple Ubuntu application to the cluster.

[source,YAML,]
[source,sh,subs="attributes",role=execute]
----
cat << EOF > ubuntu-deployment.yml
apiVersion: apps/v1
Expand Down Expand Up @@ -359,9 +360,9 @@ ERROR: Policy "Ubuntu Package Manager in Image - Default namespace" within Depl
ERROR: checking deployment failed after 3 retries: breaking policies found: failed policies found: 1 policies violated that are failing the check
----

|====
You should see one of the policies you've created breaking the deployment process while the others are in inform-only mode.
|====

> You should see one of the policies you've created breaking the deployment process while the others are in inform-only mode.


*Congrats!*

2 changes: 1 addition & 1 deletion content/modules/ROOT/pages/05-cicd-and-automation.adoc
Expand Up @@ -127,7 +127,7 @@ chmod: cannot access './roxctl': No such file or directory
/tekton/scripts/script-0-ftdft: line 5: ./roxctl: No such file or directory
----

This snippet is talling us that that are variable that are incorrect. With RHACS you will need API access to query central for results.
This snippet indicates that there are incorrect variables. With RHACS, API access is required to query Central for results.

Let's take a look at the secret file necessary for *OpenShift Pipelines*.

13 changes: 10 additions & 3 deletions content/modules/ROOT/pages/06-compliance.adoc
Expand Up @@ -43,7 +43,7 @@ image::07-comp-2.png[link=self, window=blank, width=100%]
Since RHACS was installed prior to the Compliance Operator, we’ll need to restart the ACS sensor in the OpenShift cluster to see these results.

[start=8]
. Run till following command to restart the RHACS scanner pod. This will speed up the process for the profiles to appear in RHACS Central.
. Run the following command to restart the RHACS scanner pod. This will speed up the process for the profiles to appear in RHACS Central.


[source,sh,subs="attributes",role=execute]
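Review bot: The corrected list item says "restart the RHACS scanner pod", but the unchanged sentence just above it says "we'll need to restart the ACS sensor in the OpenShift cluster"; the two should name the same component, and the command in the `[source]` block that follows is the place to check which pod is actually restarted.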
Expand Down Expand Up @@ -153,6 +153,10 @@ And you should end up with a dashboard that looks like this

image::07-comp-9.png[link=self, window=blank, width=100%]

Focusing on the standards that matter most to you is essential for reducing unnecessary noise in the UI.

IMPORTANT: add all the standards back before progressing to the next section

*Click the "Manage standards button"*

. Click on PCI, or the PCI percentage bar, in the upper-left “Passing Standards Across Clusters” graph
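Review bot: "IMPORTANT: add all the standards back before progressing to the next section" is placed before the "*Click the "Manage standards button"*" step that lets the reader remove standards in the first place, so "add ... back" refers to something the reader has not done yet; move it after that step or reword it ("Before moving to the next section, re-enable every standard under Manage standards."). The admonition text should also start with a capital letter and end with a period, like the other IMPORTANT: lines in these pages.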
Expand Down Expand Up @@ -323,7 +327,7 @@ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith

[source,sh,subs="attributes",role=execute]
----
oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
oc get networkpolicies -A -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
----

*Sample Output*
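Review bot: Replacing the namespace listing with `oc get networkpolicies -A ... | .metadata.namespace] | unique` changes what this block shows: it now prints only the namespaces that have at least one NetworkPolicy, while the hunk-header context shows the preceding block still listing every non-system namespace. The prose around the two blocks should say that the difference between the lists is what exposes namespaces with no policy at all (the "issue" the later paragraph promises to fix in the Networking section); without that sentence the repeated `startswith("openshift")` / `startswith("kube-")` / `"default"` filter reads like a copy-paste duplicate.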
Expand All @@ -332,13 +336,16 @@ oc get namespaces -o json | jq '[.items[] | select((.metadata.name | startswith
----
[lab-user@bastion pipeline]$ oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
[
"janus-argocd",
"medical",
"sonataflow-infra",
"stackrox",
"trusted-profile-analyzer",
"vault"
]
----

It's great to know that StackRox (RHACS) is covered!
> It's great to know that StackRox (RHACS) is covered!

It the Networking section we will go about fixing this issue through the generation and application of network policy. For now I offer you a challenge.

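Review bot: The sample output prompt still shows `oc get --all-namespaces networkpolicies -o json | jq ...` while the executable block above now uses `oc get networkpolicies -A -o json | jq ...`; the flags are equivalent, but readers comparing the two will wonder which one to run, so align the sample to the command. Turning "It's great to know that StackRox (RHACS) is covered!" into a `>` quote is fine; the unchanged line below it has a typo, "It the Networking section" should be "In the Networking section".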
4 changes: 2 additions & 2 deletions content/modules/ROOT/pages/07-notifications.adoc
Expand Up @@ -215,7 +215,7 @@ image::https://media.giphy.com/media/v1.Y2lkPTc5MGI3NjExenowdjBqdG9weG5jdXJ2NTZw

Add the notifier to the *Runtime Policy* 'Netcat Execution Detected'. Enable enforcement of the policy and watch the "visa-processor" container for a violation. This container runs an *nc* command every minute or so.

Your mission is completed with a Notification to Slack or Teams.
Your mission is completed with a notification to Slack or Teams.

== Summary

Expand All @@ -225,4 +225,4 @@ Nice!

You integrations a webhook into RHACS and configured notifications based on previous policies.

Let's go check out the *RHACS API*!
Time to review the *RHACS API*!
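Review bot: The unchanged line "You integrations a webhook into RHACS and configured notifications based on previous policies." should read "You integrated a webhook into RHACS ..."; fix it in the same pass as the closing sentence.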
4 changes: 2 additions & 2 deletions content/modules/ROOT/pages/08-api.adoc
Expand Up @@ -89,7 +89,7 @@ image::06-cd-10.png[link=self, window=blank, width=100%]
. Click *Generate*
. Now it's time to export the API token as a variable for the roxctl CLI.

IMPORTANT:Be sure to put the AP token in the correct location.
IMPORTANT:Be sure to put the API token in the correct location.

[source,sh,subs="attributes",role=execute]
----
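Review bot: "IMPORTANT:Be sure to put the API token in the correct location." still lacks the space after the colon; Asciidoctor only recognises the admonition paragraph form `IMPORTANT: text`, so this line renders as an ordinary paragraph beginning with "IMPORTANT:Be". Add the space while fixing "AP" to "API".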
Expand Down Expand Up @@ -268,7 +268,7 @@ Search filter for time range:

[source,sh,subs="attributes",role=execute]
----
curl -k -H "Authorization: Bearer $ROX_API_TOKEN" https://$ROX_CENTRAL_ADDRESS/v1/alerts?query==Violation%20Time%3A%3E1d | jq -r '.'
curl -k -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_CENTRAL_ADDRESS/v1/alerts?query=Violation%20Time%3A%3E1d" | jq -r '.'
----

== Documentation and Resources
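Review bot: Quoting the URL and changing `query==` to `query=` is the right fix: `?` is a shell glob character, so the quoted form is the safe one, and the doubled `=` sent a filter of `=Violation Time:>1d` rather than `Violation Time:>1d`. The call still uses `-k`, which disables TLS certificate verification against Central; that is acceptable for a lab with a self-signed certificate, but a short NOTE saying so, and pointing readers to `--cacert` with Central's CA for anything outside the lab, would stop the line being copied into real automation as-is.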
6 changes: 3 additions & 3 deletions content/modules/ROOT/pages/10-installation.adoc
Expand Up @@ -50,7 +50,6 @@ helm
Use "helm [command] --help" for more information about a command.
----


## Setting Up Red Hat Account and Creating Central Instance on ACS

*Procedure*
Expand All @@ -70,10 +69,11 @@ IMPORTANT: You need ACS Central Services to be available to deploy ACS Secured C

## Checking and Accessing the Central Instance

helm install stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services -n stackrox -f init-bundle.yml --set clusterName=eks-production-cluster --set centralEndpoint=acs-data-cs3a2gnasu0g1ivkgbhg.acs.rhcloud.com:443 --set [email protected] --set imagePullSecrets.password='rfm1kjm0qym6awq!BVN' --create-namespace
*Procedure*

helm install stackrox-secured-cluster-services stackrox/stackrox-secured-cluster-services -n stackrox -f init-bundle.yml --set clusterName=eks-production-cluster --set centralEndpoint=acs-data-cs3a2gnasu0g1ivkgbhg.acs.rhcloud.com:443 --set [email protected] --set imagePullSecrets.password='rfm1kjm0qym6awq!BVN' --create-namespace

## Simplifying the Loom Transcript: Setting Up EKS Production Cluster
## Setting Up EKS Production Cluster

1. **Accessing ACS Console**

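Review bot: Blocking issue: the `helm install stackrox-secured-cluster-services ...` line that this hunk only moves below "*Procedure*" still carries a literal `--set imagePullSecrets.password='...'` value, a `--set [email protected]` argument (whose key name is not legible on this rendering), and a specific `centralEndpoint`. Credentials committed to a lab guide should be treated as exposed: rotate that pull secret, replace both values with placeholders such as `<REGISTRY_USERNAME>` and `<REGISTRY_PASSWORD>` (the pages already use the `<IP_ADDRESS>` placeholder style), and have the live values supplied by the lab's generated attributes rather than the page source. The line also sits outside any `[source]` block, so it will render as an unformatted paragraph; wrap it in `[source,sh,subs="attributes",role=execute]` / `----` like the other commands.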

0 comments on commit fa81561
