[OSDOCS#17176]: Make changes as per the errors and warnings CQA Remediation-2

modules/security-container-content-external-scanning.adoc

@@ -6,19 +6,13 @@
 [id="security-container-content-external-scanning_{context}"]
 = Integrating external scanning
 
-{product-title} makes use of link:https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/[object annotations]
-to extend functionality. External tools, such as vulnerability scanners, can
-annotate image objects with metadata to summarize results and control pod
-execution. This section describes the recognized format of this annotation so it
-can be reliably used in consoles to display useful data to users.
+[role="_abstract"]
+{product-title} makes use of object annotations to extend functionality. External tools, such as vulnerability scanners, can annotate image objects with metadata to summarize results and control pod execution. This section describes the recognized format of this annotation so it can be reliably used in consoles to display useful data to users.
 
 [id="security-image-metadata_{context}"]
 == Image metadata
 
-There are different types of image quality data, including package
-vulnerabilities and open source software (OSS) license compliance. Additionally,
-there may be more than one provider of this metadata. To that end, the following
-annotation format has been reserved:
+There are different types of image quality data, including package vulnerabilities and open source software (OSS) license compliance. Additionally, there might be more than one provider of this metadata. To that end, the following annotation format has been reserved:
 
 ----
 quality.images.openshift.io/<qualityType>.<providerId>: {}
@@ -31,22 +25,15 @@ quality.images.openshift.io/<qualityType>.<providerId>: {}
 
 |`qualityType`
 |Metadata type
-|`vulnerability` +
-`license` +
-`operations` +
-`policy`
+|`vulnerability`, `license`, `operations`, `policy`
 
 |`providerId`
 |Provider ID string
-|`openscap` +
-`redhatcatalog` +
-`redhatinsights` +
-`blackduck` +
-`jfrog`
+|`openscap`, `redhatcatalog`, `redhatinsights`, `blackduck`, `jfrog`
 |===
 
 [id="security-example-annotation-keys_{context}"]
-=== Example annotation keys
+== Example annotation keys
 
 ----
 quality.images.openshift.io/vulnerability.blackduck: {}
@@ -55,8 +42,7 @@ quality.images.openshift.io/license.blackduck: {}
 quality.images.openshift.io/vulnerability.openscap: {}
 ----
 
-The value of the image quality annotation is structured data that must adhere to
-the following format:
+The value of the image quality annotation is structured data that must adhere to the following format:
 
 .Annotation value format
 [option="header"]
@@ -79,7 +65,7 @@ the following format:
 |String
 |`reference`
 |Yes
-|URL of information source or more details. Required so user may validate the data.
+|URL of information source or more details. Required so user might validate the data.
 |String
 
 |`scannerVersion`
@@ -125,7 +111,7 @@ representation. The value is range `0..3` where `0` = low.
 |===
 
 [id="security-example-annotation-values_{context}"]
-=== Example annotation values
+== Example annotation values
 
 This example shows an OpenSCAP annotation for an image with
 vulnerability summary data and a compliance boolean:
@@ -173,14 +159,10 @@ with an external URL for additional details:
 [id="security-annotating-image-objects_{context}"]
 == Annotating image objects
 
-While image stream objects
-are what an end user of {product-title} operates against,
-image objects are annotated with
-security metadata. Image objects are cluster-scoped, pointing to a single image
-that may be referenced by many image streams and tags.
+While image stream objects are what a user of {product-title} operates against, image objects are annotated with security metadata. Image objects are cluster-scoped, pointing to a single image that might be referenced by many image streams and tags.
 
 [id="security-example-annotate-CLI_{context}"]
-=== Example annotate CLI command
+== Example annotate CLI command
 
 Replace `<image>` with an image digest, for example
 `sha256:401e359e0f45bfdcf004e258b72e253fd07fba8cc5c6f2ed4f4608fb119ecc2`:
@@ -206,7 +188,7 @@ Use the `images.openshift.io/deny-execution` image policy
 to programmatically control if an image can be run.
 
 [id="security-controlling-pod-execution-example-annotation_{context}"]
-=== Example annotation
+== Example annotation
 
 [source,yaml]
 ----
@@ -217,19 +199,12 @@ annotations:
 [id="security-integration-reference_{context}"]
 == Integration reference
 
-In most cases, external tools such as vulnerability scanners develop a
-script or plugin that watches for image updates, performs scanning, and
-annotates the associated image object with the results. Typically this
-automation calls the {product-title} {product-version} REST APIs to write the annotation. See
-{product-title} REST APIs for general
-information on the REST APIs.
+In most cases, external tools such as vulnerability scanners develop a script or plugin that watches for image updates, performs scanning, and annotates the associated image object with the results. Typically this automation calls the {product-title} {product-version} REST APIs to write the annotation. See {product-title} REST APIs for general information about the REST APIs.
 
 [id="security-integration-reference-example-api-call_{context}"]
-=== Example REST API call
+== Example REST API call
 
-The following example call using `curl` overrides the value of the
-annotation. Be sure to replace the values for `<token>`, `<openshift_server>`,
-`<image_id>`, and `<image_annotation>`.
+The following example call by using `curl` overrides the value of the annotation. Be sure to replace the values for `<token>`, `<openshift_server>`, `<image_id>`, and `<image_annotation>`.
 
 .Patch API call
 [source,terminal]
@@ -259,8 +234,6 @@ The following is an example of `PATCH` payload data:
 ifdef::openshift-origin[]
 [NOTE]
 ====
-Due to the complexity of this API call and challenges with escaping characters,
-an API developer tool such as link:https://www.getpostman.com/[Postman] may
-assist in creating API calls.
+Due to the complexity of this API call and challenges with escaping characters, an API developer tool such as Postman might assist in creating API calls.
 ====
 endif::[]

modules/security-container-content-inside.adoc

@@ -6,30 +6,15 @@
 [id="security-container-content-inside_{context}"]
 = Securing inside the container
 
-Applications and infrastructures are composed of readily available components,
-many of which are open source packages such as, the Linux operating system,
-JBoss Web Server, PostgreSQL, and Node.js.
-
-Containerized versions of these packages are also available. However, you need
-to know where the packages originally came from, what versions are used, who built them, and whether
-there is any malicious code inside them.
+[role="_abstract"]
+Applications and infrastructures are composed of readily available components, many of which are open source packages such as, the Linux operating system, JBoss Web Server, PostgreSQL, and Node.js. Containerized versions of these packages are also available. However, you need to know where the packages originally came from, what versions are used, who built them, and whether there is any malicious code inside them.
 
 Some questions to answer include:
 
 * Will what is inside the containers compromise your infrastructure?
 * Are there known vulnerabilities in the application layer?
 * Are the runtime and operating system layers current?
 
-By building your containers from Red Hat
-link:https://access.redhat.com/articles/4238681[Universal Base Images] (UBI) you are
-assured of a foundation for your container images that consists of
-the same RPM-packaged software that is included in Red Hat Enterprise Linux.
-No subscriptions are required to either use or redistribute UBI images.
+By building your containers from Red Hat Universal Base Images (UBI) you are assured of a foundation for your container images that consists of the same RPM-packaged software that is included in Red Hat Enterprise Linux. No subscriptions are required to either use or redistribute UBI images.
 
-To assure ongoing security of the containers themselves, security
-scanning features, used directly from {op-system-base} or added to {product-title},
-can alert you when
-an image you are using has vulnerabilities. OpenSCAP image scanning is
-available in {op-system-base} and the
-link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup[{rhq-cso}] can be added
-to check container images used in {product-title}.
+To assure ongoing security of the containers themselves, security scanning features, used directly from {op-system-base} or added to {product-title}, can alert you when an image you are using has vulnerabilities. OpenSCAP image scanning is available in {op-system-base} and the {rhq-cso} can be added to check container images used in {product-title}.

modules/security-container-content-scanning.adoc

@@ -6,29 +6,14 @@
 [id="security-container-content-scanning_{context}"]
 = Security scanning in {op-system-base}
 
-For {op-system-base-full} systems, OpenSCAP scanning is available
-from the `openscap-utils` package. In {op-system-base}, you can use the `openscap-podman`
-command to scan images for vulnerabilities. See
-link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening[Scanning containers and container images for vulnerabilities] in the Red Hat Enterprise Linux documentation.
+[role="_abstract"]
+For {op-system-base-full} systems, OpenSCAP scanning is available from the `openscap-utils` package. In {op-system-base}, you can use the `openscap-podman` command to scan images for vulnerabilities.
 
-{product-title} enables you to leverage {op-system-base} scanners with your CI/CD process.
-For example, you can integrate static code analysis tools that test for security
-flaws in your source code and software composition analysis tools that identify
-open source libraries to provide metadata on those libraries such as
-known vulnerabilities.
+{product-title} enables you to use {op-system-base} scanners with your Continuous Integration and Continuous Delivery (CI/CD) process. For example, you can integrate static code analysis tools that test for security flaws in your source code and software composition analysis tools that identify open source libraries to provide metadata on those libraries such as known vulnerabilities.
 
 [id="quay-security-scan_{context}"]
 == Scanning OpenShift images
 
-For the container images that are running in {product-title}
-and are pulled from {quay} registries, you can use an Operator to list the
-vulnerabilities of those images. The
-link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup[{rhq-cso}]
-can be added to {product-title} to provide vulnerability reporting
-for images added to selected namespaces.
+For the container images that are running in {product-title} and are pulled from {quay} registries, you can use an Operator to list the vulnerabilities of those images. The {rhq-cso} can be added to {product-title} to provide vulnerability reporting for images added to selected namespaces.
 
-Container image scanning for {quay} is performed by the
-link:https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/vulnerability_reporting_with_clair_on_red_hat_quay/index[Clair].
-In {quay}, Clair can search for and report vulnerabilities in
-images built from {op-system-base}, CentOS, Oracle, Alpine, Debian, and Ubuntu
-operating system software.
+Container image scanning for {quay} is performed by Clair. In {quay}, Clair can search for and report vulnerabilities in images built from {op-system-base}, CentOS, Oracle, Alpine, Debian, and Ubuntu operating system software.

modules/security-container-content-universal.adoc

@@ -6,45 +6,20 @@
 [id="security-container-content-universal_{context}"]
 = Creating redistributable images with UBI
 
-To create containerized applications, you typically start with a trusted base
-image that offers the components that are usually provided by the operating system.
-These include the libraries, utilities, and other features the application
-expects to see in the operating system's file system.
+[role="_abstract"]
+You can typically start with a trusted base image that offers the components that are usually provided by the operating system to create containerized applications. These include the libraries, utilities, and other features the application expects to see in the operating system's file system.
 
-Red{nbsp}Hat Universal Base Images (UBI) were created to encourage anyone building their
-own containers to start with one that is made entirely from Red{nbsp}Hat Enterprise
-Linux rpm packages and other content. These UBI images are updated regularly
-to keep up with security patches and free to use and redistribute with
-container images built to include your own software.
+Red{nbsp}Hat Universal Base Images (UBI) were created to encourage anyone building their own containers to start with one that is made entirely from Red{nbsp}Hat Enterprise Linux RPM packages and other content. These UBI images are updated regularly to keep up with security patches and free to use and redistribute with container images built to include your own software.
 
-Search the
-link:https://catalog.redhat.com/software/containers/explore[Red Hat Ecosystem Catalog]
-to both find and check the health of different UBI images.
-As someone creating secure container images, you might
-be interested in these two general types of UBI images:
+Search the Red Hat Ecosystem Catalog to both find and check the health of different UBI images. As someone creating secure container images, you might be interested in these two general types of UBI images:
 
-* **UBI**: There are standard UBI images for RHEL 7, 8, and 9 (`ubi7/ubi`,
-`ubi8/ubi`, and `ubi9/ubi`), as well as minimal images based on those systems (`ubi7/ubi-minimal`, `ubi8/ubi-mimimal`, and ubi9/ubi-minimal). All of these images are preconfigured to point to free
-repositories of {op-system-base} software that you can add to the container images you build,
-using standard `yum` and `dnf` commands.
+* **UBI**: There are standard UBI images for RHEL 7, 8, and 9 (`ubi7/ubi`, `ubi8/ubi`, and `ubi9/ubi`), and minimal images based on those systems (`ubi7/ubi-minimal`, `ubi8/ubi-mimimal`, and ubi9/ubi-minimal). All of these images are preconfigured to point to free repositories of {op-system-base} software that you can add to the container images you build, using standard `yum` and `dnf` commands.
 +
 [NOTE]
 ====
-Red{nbsp}Hat encourages people to use these images on other distributions,
-such as Fedora and Ubuntu.
+Red{nbsp}Hat encourages people to use these images on other distributions, such as Fedora and Ubuntu.
 ====
 
-* **Red{nbsp}Hat Software Collections**: Search the Red{nbsp}Hat Ecosystem Catalog
-for `rhscl/` to find images created to use as base images for specific types
-of applications. For example, there are Apache httpd ([x-]`rhscl/httpd-*`),
-Python ([x-]`rhscl/python-*`), Ruby ([x-]`rhscl/ruby-*`), Node.js
-([x-]`rhscl/nodejs-*`) and Perl ([x-]`rhscl/perl-*`) rhscl images.
+* **Red{nbsp}Hat Software Collections**: Search the Red{nbsp}Hat Ecosystem Catalog for `rhscl/` to find images created to use as base images for specific types of applications. For example, there are Apache httpd ([x-]`rhscl/httpd-*`), Python ([x-]`rhscl/python-*`), Ruby ([x-]`rhscl/ruby-*`), Node.js ([x-]`rhscl/nodejs-*`) and Perl ([x-]`rhscl/perl-*`) rhscl images.
 
-Keep in mind that while UBI images are freely available and redistributable,
-Red{nbsp}Hat support for these images is only available through Red{nbsp}Hat
-product subscriptions.
-
-See
-link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/building_running_and_managing_containers/index#using_red_hat_universal_base_images_standard_minimal_and_runtimes[Using Red{nbsp}Hat Universal Base Images]
-in the Red Hat Enterprise Linux documentation for information on how to use and build on
-standard, minimal and init UBI images.
+Remember that while UBI images are freely available and redistributable, Red{nbsp}Hat support for these images is only available through Red{nbsp}Hat product subscriptions.

modules/security-monitoring-audit-logging.adoc

@@ -2,9 +2,9 @@
 //
 // * security/container_security/security-monitoring.adoc
 
+:_mod-docs-content-type: CONCEPT
 [id="security-monitoring-audit-logs_{context}"]
 = Audit logs
 
-With _audit logs_, you can follow a sequence of activities associated with how a
-user, administrator, or other {product-title} component is behaving.
-API audit logging is done on each server.
+[role="_abstract"]
+With _audit logs_, you can follow a sequence of activities associated with how a user, administrator, or other {product-title} component is behaving. API audit logging is done on each server.

modules/security-monitoring-cluster-logging.adoc

@@ -2,9 +2,11 @@
 //
 // * security/container_security/security-monitoring.adoc
 
+:_mod-docs-content-type: CONCEPT
 [id="security-monitoring-cluster-logging_{context}"]
 = Logging
 
+[role="_abstract"]
 Using the `oc log` command, you can view container logs, build configs and deployments in real time. Different can users have access different access to logs:
 
 * Users who have access to a project are able to see the logs for that project by default.