docs: apply changes based on PR feedback 3641

Signed-off-by: AnaisUrlichs <[email protected]>

docs/docs/deep-dive/caching-events.md

@@ -8,13 +8,8 @@ caching options you may execute:
 man tracee-cache
 ``` -->
 
-!!! Read Important
-    Before continuing, please read the [architecture page], in order to
-    understand the [tracee pipeline] concept, AND the [performance page], to
-    understand possible pain points.
 
-[architecture page]: ../../contributing/architecture.md
-[tracee pipeline]: ../../contributing/architecture.md#tracee-pipeline-concept
+<!-- TODO: reference the architecture page again-->
 
 ![Tracee Cache](../../images/tracee-cache.png)
 

docs/docs/events/index.md

@@ -1,6 +1,6 @@
 # Events
 
-Events refer to the activity in a system that tracee monitors. There are two main types of events, built-in events that are part of Tracee and custom events, which references the way users define other events that Tracee should monitor. 
+Events refer to the system activity that tracee monitors. There are two types of events, built-in events that are part of Tracee and custom events, which are user defined events. 
 
 As part of built-in events, there are six types of events:
 
@@ -13,7 +13,9 @@ As part of built-in events, there are six types of events:
 
 This section documents all of the different events that Tracee exposes.
 
-## Defining events
+## Configuring Tracee Events
+
+Events are defined in the [Policy](../policies/index.md) YAML manifest. 
 
 Tracing the `execve` events in a [policy](../policies/index.md):
 
@@ -33,9 +35,9 @@ spec:
 
 If no event is passed with [filters] or [policies], tracee will start with a set of default events.
 
-Please head over to the [Tracee usage](../usage/index.md) documentation for more information on configuring events.
+Please head over to the [Tracee usage](../policies/usage/kubernetes.md) documentation for more information on configuring events.
 
-### Event Sets QUESTION
+### Event Sets
 
 Events can be part of a set. For example, `default`, `network_events`, `syscalls`. 
 We can ask Tracee to trace a full set, or sets, instead of passing event by event, for example:
@@ -54,15 +56,6 @@ spec:
 	  - event: syscalls
 ```
 
-## Read in AVD
-
-[Aqua Vulnerability Database (AVD)](https://avd.aquasec.com) is a public index of all security information that can be reported across all of Aqua's products and tools. As such, it also contains entries about Tracee security events. The AVD entries on runtime security are generated from the [detection signatures](https://github.com/aquasecurity/tracee/tree/main/signatures) and are organized by MITRE ATT&CK categorization. Browse at [avd.aquasec.com/tracee](https://avd.aquasec.com/tracee/).
-
-👈 Please use the side-navigation on the left in order to browse the different topics.
-
-[filters]: ../../filters/filtering
-[policies]: ../../policies
-
 ## Video Content
 
 If you are curious to learn more about the Tracee Events architecture and related decision making, then have a look at the following video Q&A:

docs/docs/flags/containers.1.md

@@ -1,7 +1,7 @@
 ---
-title: TRACEE-CRS
+title: TRACEE-CRI
 section: 1
-header: Tracee CRS Flag Manual
+header: Tracee CRI Flag Manual
 date: 2023/10
 ...
 

docs/docs/install/config/cli.md

@@ -1,6 +1,5 @@
-# CLI Config
+# Configuring Tracee through the CLI
 
-## Configuring Tracee with the `--config` Flag
 
 The `--config` flag allows you to specify global configuration options for Tracee by providing a configuration file in YAML or JSON format, among other supported formats. The `--config` flag can be used to set any flag that is available through the command line interface (CLI), except for a few reserved flags.
 
@@ -12,35 +11,10 @@ To use the `--config` flag, you need to provide the path to the configuration fi
 tracee --config /path/to/tracee-config.yaml
 ```
 
-You can also override specific configuration options by passing additional flags on the command line. For example, the following command overrides the log level set in the configuration file with info:
-
-```console
-sudo ./dist/tracee --config ./examples/config/global_config.yaml --log info
-```
-
-!!! Note
-    Any flags specified on the command line will take precedence over the values specified in the configuration file.
-
-## Configuration File Format
-
-The configuration file can be in any format supported by the [viper](https://github.com/spf13/viper) library, which includes YAML, JSON, TOML, INI, HCL and Java properties. The configuration file should contain a mapping of flag names to their values. For example, to output aggregated debug level logs every default seconds `--log debug --log aggregate`, you would add the following to your configuration file:
-
-```yaml
-log:
-    - debug
-    - aggregate
-```
-
-## Reserved Flags
-
-There are a few flags that are reserved for the CLI and cannot be set through the configuration file. These include:
-`--config`, `--capture`, `--policy`, `--scope`, and `--events`.
-
 ## Example Configuration Files
 
-To help you get started with configuring Tracee using the `--config` flag, we've provided two example configuration files in the `examples/config` directory of the Tracee repository:
+The configuration file should contain a mapping in YAML format of configuration options to their values. To help you get started with configuring Tracee using the `--config` flag, we've provided two example configuration files in the `examples/config` directory of the Tracee repository:
 
-- `examples/config/global_config.json`: This file contains an example configuration in JSON format.
 - `examples/config/global_config.yaml`: This file contains the same example configuration as global_config.json, but in YAML format.
 
 These example files demonstrate how you can set various configuration options using the `--config` flag. You can use these files as a starting point for your own configuration, or as a reference for the available configuration options.

docs/docs/outputs/index.md

@@ -2,7 +2,7 @@
 
 It is possible to manage the events gathered in Tracee logs through the CLI using the `--output` and `--log` flag. Users can control where and how to output events by specifying `--output <format>:<destination>`.  The `--output` flag can be used multiple times to output events.
 
-Furthermore, the `--log` flag can be used to define what components of the gathered events should be appended to the Tracee output. However, for more fine-grained filters, please take a look at the [filtering section](../filters/index.md)
+Furthermore, the `--log` flag can be used to define what components of the gathered events should be appended to the Tracee output. However, for more fine-grained filters, please take a look at the [scope section](../policies/scopes.md)
 
 **The following output formats are supported:**
 

docs/docs/policies/index.md

@@ -1,6 +1,8 @@
 # Policies
 
-Policies allow users to specify which [events](../events/index.md) to trace in which workloads. The policy `scope` defines which workloads this policy is limited to. The policy can define multiple `rules` that specify the events to trace. 
+Policies allow users to specify which [events](../events/index.md) to trace in which workloads. The policy `scope` defines which workloads this policy is limited to. The policy can define multiple `rules` that specify the events to trace. Policies are used both for the [Tracee CLI](./usage/cli.md) and for the [Tracee Kubernetes](./usage/kubernetes.md) installaction. This makes it easier to share policies across use cases and environments.
+
+It is possible to load up to 64 policies into Tracee.
 
 Here is an example policy:
 
@@ -23,13 +25,12 @@ spec:
 
 This policy applies to any workload (`global`) and will log the `dropped_executable`, and `security_file_open` events. An argument filter (`args.pathname`) is set on the `security_file_open` event to log only files which were opened from the `/tmp` directory.
 
+!!! Note TODO
+    Note that currently each event type can only be defined once in a policy
+
 There are many ways to fine tune the scope and filters. For further information on the details, have a look at the respective sections: 
 
-* [scopes](./scopes.md)
-* [rules](./rules.md)
+* [Specify the Policy scope](./scopes.md)
+* [Filter events in the rules section](./rules.md)
 
 While specifying event filters is optional, policies must have the `name`, `description`, `scope` and `rules` fields.
-It is possible to load up to 64 policies into Tracee.
-
-!!! Note TODO
-    Note that currently each event type can only be defined once in a policy

docs/docs/policies/rules.md

@@ -1,10 +1,12 @@
 # Rules
 
-Rules determine which events a policy should trace and make it possible to narrow down when and event should be recorded.
+Rules are part of the Tracee Policy, which defines which events to trace. The events that are part of a specific policy are recorded in the `rules` section of the Tracee Policy. It is possible to define multiple events within each policy. The [events](../events/index.md) section provides further information on the type of events that Tracee can track.
+
+Below are several examples on configuring events in the Tracee Policy.
 
 ## Events
 
-Events support three types of filters: `context`, `arguments` and `return value`. 
+Every event that is specified within the `rules` section supports three types of filters: `context`, `arguments` and `return value`. 
 
 ### Type of Events
 

docs/docs/policies/scopes.md

@@ -2,7 +2,7 @@
 
 Scope defines the workload a policy will be observing. 
 
-The supported scopes are:
+The supported scopes are listed below.
 
 ### global
 

docs/docs/policies/usage/cli.md

@@ -4,16 +4,24 @@ This section details how to use the flags in the Tracee CLI.
 
 ## Applying Tracee Polcies
 
-A [policy file](../policies/index.md) can be applied in the Tracee command using the `--policy` flag and providing a path to the location of the policy file.
+A [policy file](../index.md) can be applied in the Tracee command using the `--policy` flag and providing a path to the location of the policy file.
 
 ```console
 tracee --policy ./policy.yml
 ```
 
 ## Using multiple policies
 
-To specify multiple policies, users TODO
+To specify multiple policies, users can either specify the directory, which contains all of the policies that they would like to load into Tracee, or by specifying the policies one by one.
+
+Through a directory:
 
 ```console
-tracee --policy ./policy.yml
+tracee --policy ./policy-directory
 ```
+
+By specifying individual policies:
+
+```console
+tracee --policy ./policy-one.yaml --policy ./policy-two.yaml 
+```

docs/docs/policies/usage/kubernetes.md

@@ -7,4 +7,4 @@
 
  Tracking Kubernetes activity with eBPF and Tracee Policies 
 
- [![Watch the video](../../images/traceepolicies.png)](https://youtu.be/VneWxs9Jpu0?si=eAnRDJVZShhg_td0)
+ [![Watch the video](../../../images/traceepolicies.png)](https://youtu.be/VneWxs9Jpu0?si=eAnRDJVZShhg_td0)

mkdocs.yml

@@ -565,7 +565,6 @@ nav:
                 - Overview: docs/policies/index.md
                 - Scopes: docs/policies/scopes.md
                 - Rules: docs/policies/rules.md
-                - CLI Filtering: docs/policies/filtering.md
                 - Usage:
                       - CLI: docs/policies/usage/cli.md
                       - Kubernetes: docs/policies/usage/kubernetes.md
@@ -602,7 +601,6 @@ nav:
           - Overview: contributing/overview.md
           - Documentation: contributing/documentation.md
           - Source Code Guidelines: contributing/guidelines.md
-          - Architecture: contributing/architecture.md
           - Setup Development Machine with Vagrant: contributing/setup-development-machine-with-vagrant.md
           - Building:
                 - Building Tracee: contributing/building/building.md
@@ -633,4 +631,4 @@ extra:
 
 plugins:
     - search
-    - macros
+    - macros