
Format Updates

Jeremy Cooper, 4 years ago
parent
commit
5a1bbcc30c
11 files changed, 155 additions and 152 deletions
  1. AWS ECR Notes.md (+2 -2)
  2. AWS New Account Setup Notes.md (+2 -2)
  3. Aide Notes.md (+20 -30)
  4. Collectd Notes.md (+1 -1)
  5. Fluentd Notes.md (+1 -1)
  6. Interconnects Notes.md (+14 -11)
  7. Phantom Upgrade Notes.md (+11 -13)
  8. Portal Notes.md (+19 -17)
  9. Sensu Go Migration Notes.md (+18 -11)
  10. Sensu Notes.md (+27 -26)
  11. Sophos Notes.md (+40 -38)

+ 2 - 2
AWS ECR Notes.md

@@ -2,9 +2,9 @@
 
 How to upload a docker image from laptop to AWS ECR. 
 
-(skip) already included in docker? brew install docker-credential-helper-ecr
+(skip) already included in docker? `brew install docker-credential-helper-ecr`
 
-Add to ~/.docker/config.json ( or don't and maybe docker will add it for you. )
+Add to `~/.docker/config.json` ( or don't and maybe docker will add it for you. )
 ```
 {
         "auths": {
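Review bot: both changed lines keep the hedging ("(skip) already included in docker?" and "or don't and maybe docker will add it for you") so a reader still does not know whether the credential helper must be installed and whether the `config.json` edit is required. Since this is a formatting pass, resolve it: tell the reader to check with `which docker-credential-ecr-login`, run the `brew install` only if it is missing, and present the `config.json` snippet as the required step rather than an optional one.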

+ 2 - 2
AWS New Account Setup Notes.md

@@ -48,7 +48,7 @@ For this step, you can do both Commerical account and GovCloud account at the sa
    6. Log out of `IAMAdmin`, log in to `MDRAdmin` 
 1. Change password to something that does not include JSON characters and record in the vault.
 2. Follow instructions for ["Using Vault for TOTP things", section "Adding a new TOTP Code" in `cloud-accounts.md`](https://github.xdr.accenturefederalcyber.com/mdr-engineering/msoc-infrastructure/wiki/cloud-accounts#adding-a-new-totp-code---especially-for-an-aws-account) to configure and store the MFA token for the root account.
-3. Put the MFA secret key into the `*_mfa_secret field` in Vault. 
+3. Put the MFA secret key into the `*_mfa_secret` field in Vault. 
 3. Sign out and back in. (Not optional! Required because MFA requirement in IAM policies)
 4. Go back to IAM and create access keys for the `MDRAdmin` user. Store them for later use. 
 5. Delete `IAMAdmin` from AWS and your personal virtual authenticator.
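Review bot: the list numbering is wrong on the changed line and its neighbour; "3. Put the MFA secret key into the `*_mfa_secret` field in Vault." is followed by "3. Sign out and back in.", so the steps after it (4, 5) are off by one. Renumber 3 through 6, and note that the "6. Log out of `IAMAdmin`, log in to `MDRAdmin`" line above is indented as a sub-step of the previous block, which is what caused the restart at "1. Change password".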
@@ -69,7 +69,7 @@ Region should be `us-gov-east-1` or `us-east-1`.
 
 1. Run `aws-mfa --profile tmp --region={region}` ( Note: No `-long-term`, because script assumes it ). To switch from gov to commerical use the `--force` flag. 
 1. Verify account number: `AWS_PROFILE=tmp aws sts get-caller-identity --region={region}`
-1. Update and branch xdr-terraform-live Git repo ( see below )
+1. Update and branch `xdr-terraform-live` Git repo ( see below )
 1. Name the branch `feature/${INITIALS}_${TICKET}_CustomerSetup_${CUSTOMERPREFIX}`
 1. This branch will be used in future steps
 1. Create a copy of the account skeleton ( see below )
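Review bot: the typo "commerical" on the unchanged line "To switch from gov to commerical use the `--force` flag." (and in the hunk header) was left while the line next to it was reformatted; fix it in the same pass. The branch-name line is fine, but `${INITIALS}`, `${TICKET}` and `${CUSTOMERPREFIX}` are placeholders, not shell variables, and the backticks make them look like something to paste verbatim.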

+ 20 - 30
Aide Notes.md

@@ -1,42 +1,33 @@
 # Aide Notes
-
-https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/
-
+[Check Integrity of File and Directory Using “AIDE” in Linux](https://www.tecmint.com/check-integrity-of-file-and-directory-using-aide-in-linux/)
 
 Aide is used to check hashes on files. 
-
 # Basic Usage
+```
+#Initialize the very first DB at `/var/lib/aide/aide.db.new.gz`
+aide --init
 
-Initialize the very first DB at /var/lib/aide/aide.db.new.gz
-
-`aide --init`
-
-Check the current file system against the DB
-
-`aide --check`
-
-Update the DB based on the file system
-
-`aide --update`
-
-Show extra debugging
+#Check the current file system against the DB
+aide --check
 
-`aide --verbose=255`
+#Update the DB based on the file system
+aide --update
 
+#Show extra debugging
+aide --verbose=255
+```
 # Best Practices
 
-1. create a database against which future checks are performed. `aide --init`
-2. move the database to a read-only media. the config file and AIDE binary should also be moved to read only. This read only media should only be accessible during the scan.
-3. check the current files against the read only init DB. `aide --check`
-4. make adjustments to the conf file if needed and update the aide DB with `aide --update`. This will create a new DB. This new DB should be placed on the read-only media along with new config file. 
+1. Create a database against which future checks are performed. `aide --init`
+2. Move the database to a read-only media. the config file and AIDE binary should also be moved to read only. This read only media should only be accessible during the scan.
+3. Check the current files against the read only init DB. `aide --check`
+4. Make adjustments to the conf file if needed and update the aide DB with `aide --update`. This will create a new DB. This new DB should be placed on the read-only media along with new config file. 
 
 # Splunk 
-
-https://community.splunk.com/t5/Getting-Data-In/Splunk-and-AIDE-How-do-I-ignore-the-first-line-of-an-AIDE-log/m-p/307082
+[Splunk and AIDE -- How do I ignore the first line of an AIDE log file?](https://community.splunk.com/t5/Getting-Data-In/Splunk-and-AIDE-How-do-I-ignore-the-first-line-of-an-AIDE-log/m-p/307082)
 
 ## Add context to the log file
-
-https://www.oldlogsnewtricks.com/post/best-practice-enriched-log-paths
+[Splunk: Best Practice - Enriched log paths](https://www.oldlogsnewtricks.com/post/best-practice-enriched-log-paths)
 
 ```
 14 * * * * /sbin/aide --check >> /var/log/aide_`rpm -qa aide`_`md5sum /etc/aide.conf`_aide-`date`.log
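Review bot: the cron line at the end of this hunk does not produce a usable filename: `md5sum /etc/aide.conf` prints the hash followed by two spaces and the path, and `date` prints a string containing spaces, so the redirect target expands to several words (an ambiguous redirect in bash, a bogus nested path otherwise). Use `$(md5sum /etc/aide.conf | cut -d' ' -f1)` and `$(date +%s)`, as the `aide-$(date +%s).log` form in the next hunk already does. Two smaller points in the changed lines: the comments inside the new fence keep markdown backticks (`#Initialize the very first DB at \`/var/lib/aide/aide.db.new.gz\``), which now render literally, and step 2 still has a lower-case sentence start ("read-only media. the config file").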
@@ -45,11 +36,10 @@ https://www.oldlogsnewtricks.com/post/best-practice-enriched-log-paths
 aide --check >> /var/log/aide/aide-$(date +%s).log
 
 ## Prep Aide logs for Splunk
-
-https://github.com/jls3tech/AIDE-Handler/blob/master/aide_Runv3.sh
-
+[AIDE-Handler aide_Runv3](https://github.com/jls3tech/AIDE-Handler/blob/master/aide_Runv3.sh)
+```
 cat /var/log/aide/aide-1600126273.log | grep 'changed\|added\|removed'|sed -r 's/://g'|sed -r 's/ /,/g' >> /var/log/aide/splunk-log
-
+```
 ## Splunk Search 
 
 `index=os sourcetype=aide`
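Review bot: the pipeline added to the new fence hardcodes one run's file, `aide-1600126273.log`, so it cannot be pasted into a cron job or a second run; select the newest report instead, e.g. `grep 'changed\|added\|removed' "$(ls -t /var/log/aide/aide-*.log | head -n 1)"`, which also drops the needless `cat |`. The two `sed` calls can be one `sed -r 's/://g; s/ /,/g'`.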

+ 1 - 1
Collectd Notes.md

@@ -4,7 +4,7 @@ Collectd is used to tracking hard drive space and cpu usage. The data is collect
 
 # Service
 
-systemctl restart collectd
+`systemctl restart collectd`
 
 ## How do i search the data in Splunk?
 05/08/2020
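Review bot: the hunk header context still reads "Collectd is used to tracking hard drive space and cpu usage"; "used to track" while the adjacent line is being touched anyway.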

+ 1 - 1
Fluentd Notes.md

@@ -11,7 +11,7 @@ Config file location:
 Logs location:
 `/var/log/td-agent/td-agent.log`
 
-Fluentd is installed on afs-splunk-syslog-1 and nga-splunk-syslog-1. Fluentd will not start unless the directories specifid in the config file are created. 
+Fluentd is installed on `afs-splunk-syslog-1` and `nga-splunk-syslog-1`. Fluentd will not start unless the directories specifid in the config file are created. 
 
 ```
 salt -L 'afs-splunk-syslog-1' cmd.run 'ls -larth /opt/syslog-ng/'
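Review bot: the changed line keeps the typo "specifid" ("the directories specifid in the config file"); fix it to "specified" in the same edit, and say which directories (the `/opt/syslog-ng/` path the `ls` below checks) so the reader can create them before starting the service.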

+ 14 - 11
Interconnects Notes.md

@@ -1,5 +1,5 @@
 # Interconnects Notes
-The Interconnect servers allow for traffic between the AWS Transit Gateways. They are located in test and prod AWS mdr-x-c2-gov account. The interconnects are redundent. 
+The Interconnect servers allow for traffic between the AWS Transit Gateways. They are located in test and prod AWS `mdr-x-c2-gov account`. The interconnects are redundent. 
 
 2 servers for test and 2 servers for prod. 4 total servers. 
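Review bot: the backticks on the changed line wrap the English word as well as the identifier ("`mdr-x-c2-gov account`"); it should be "`mdr-x-c2-gov` account". The same line still has "redundent" for "redundant".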
 
@@ -16,9 +16,9 @@ strongswan is the VPN IPSEC tunnels software used to connect to the aws VPN tunn
 
 ## Quagga
 
-Quagga contains zebra and behaves like a cisco router. It is where the BGP is configured.  
+Quagga contains zebra and behaves like a Cisco router. It is where the BGP is configured.  
 
-Primary iteraction is via the shell, which behaves like a cisco router:
+Primary iteraction is via the shell, which behaves like a Cisco router:
 
 `vtysh`
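Review bot: the changed line keeps "iteraction" ("Primary iteraction is via the shell"); correct it to "interaction" while capitalising Cisco.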
 
@@ -38,11 +38,11 @@ systemctl status zebra
 
 ## Troubleshooting Steps
 
-1. check interfaces `ifconfig` (should be 4 `vti` interface). If no interfaces, restart strongswan. 
-2. ensure you can ping the link-local `169.*` address. Subtract 1 from the IP address to ping the remote/AWS-side VPN IP address
+1. Check interfaces `ifconfig` (should be 4 `vti` interface). If no interfaces, restart strongswan. 
+2. Ensure you can ping the link-local `169.*` address. Subtract 1 from the IP address to ping the remote/AWS-side VPN IP address
 
 ## IPs
-
+```
 dev-interconnect-0
 
 server IP: 169.254.230.198
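Review bot: step 1 still tells the reader to use `ifconfig`, which is not installed by default on recent RHEL/CentOS; `ip -br addr | grep vti` shows the same thing and also prints the link-local addresses that step 2 asks for. Also "should be 4 `vti` interface" wants "interfaces", and the fence opened under "## IPs" has no language tag, which is fine for plain text but worth being consistent about across the file.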
@@ -56,8 +56,8 @@ AWS Side: 169.254.221.229
 
 server IP: 169.254.145.142
 AWS Side: 169.254.145.141
-
-
+```
+```
 dev-interconnect-1
 
 server IP: 169.254.186.190
@@ -71,7 +71,8 @@ AWS Side: 169.254.20.161
 
 server IP: 169.254.128.190
 AWS Side: 169.254.128.189
-
+```
+```
 prod-interconnect-0
 
 server IP: 169.254.152.218
@@ -85,7 +86,8 @@ AWS Side: 169.254.253.45
 
 server IP: 169.254.91.130
 AWS Side: 169.254.91.129
-
+```
+```
 prod-interconnect-1
 
 server IP: 169.254.247.158
@@ -98,4 +100,5 @@ server IP: 169.254.22.22
 AWS Side: 169.254.22.21
 
 server IP: 169.254.38.14
-AWS Side: 169.254.38.13
+AWS Side: 169.254.38.13
+```
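Review bot: the removed and added `AWS Side: 169.254.38.13` lines are identical, so the only change here is the trailing newline before the new closing fence; confirm the file now ends with a newline. Separately, these four fenced blocks repeat the same two-field pattern (server IP / AWS side) per interconnect and would read better as one table with a column for the server name.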

+ 11 - 13
Phantom Upgrade Notes.md

@@ -1,25 +1,23 @@
 # Phantom Upgrade Notes
 
-IMPORTANT NOTE: During the migiration to GovCloud, we had to use the limited offline rpms. This changes the upgrade process. The notes below may be outdated. Reference https://docs.splunk.com/Documentation/Phantom/4.9/Install/UpgradeOffline
+IMPORTANT NOTE: During the migiration to GovCloud, we had to use the limited offline rpms. This changes the upgrade process. The notes below may be outdated. [Reference](https://docs.splunk.com/Documentation/Phantom/4.9/Install/UpgradeOffline)
 
 Recommend you see the installation notes in `Phantom Notes.md`
 
-
 # General Notes
 
-Use the Splunk Phantom repo not the msoc repo.
+Use the `Splunk Phantom` repo, not the `msoc` repo.
 BE SURE TO HAVE AT MOST 55% FREE space  ( 45% used space)
 
-backup docs
-https://docs.splunk.com/Documentation/Phantom/4.10.2/Admin/Restorefromabackup
+Backup documentation [Restore Splunk Phantom from a backup](https://docs.splunk.com/Documentation/Phantom/4.10.2/Admin/Restorefromabackup)
 
 # 4.10
 05/2021
 
 Follow Splunk Docs! 
-Switched XDR from offline RPM install to Phantom repo install 
-I had to upgrade to latest version in 4.9 before upgrading to 4.10
-Use tmux to avoid SSH timeout during upgrade
+Switched XDR from offline RPM install to `Phantom` repo install 
+I had to upgrade to latest version in `4.9` before upgrading to `4.10`
+Use `tmux` to avoid SSH timeout during upgrade
 
 
 # 4.9
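Review bot: the unchanged line "BE SURE TO HAVE AT MOST 55% FREE space  ( 45% used space)" contradicts itself; from the parenthetical it should read "at least 55% free (at most 45% used)". On the changed lines, "migiration" is still misspelled, and the backticks around product and repo names ("`Splunk Phantom` repo", "`Phantom` repo install") mark prose as code; reserve backticks for paths, commands and identifiers as the rest of this commit does.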
@@ -28,7 +26,7 @@ Use tmux to avoid SSH timeout during upgrade
 ## Prep Work
 See Splunk docs!
 
-Silence Phantom sensu checks
+Silence Phantom Sensu checks
 
 Stop Phantom
 `/opt/phantom/bin/stop_phantom.sh`
@@ -65,11 +63,11 @@ Centos7 (Caasp)
 
 Troubleshooting
 Error: Error - Phantom requires that the user 'phantom' has access to cron.
-Solution: `vim /etc/cron.allow`   and add phantom
+Solution: `vim /etc/cron.allow` and add phantom
 
-Error!  It looks like you don't have enough space in your /tmp directory
-Your /tmp directory must have a capacity of at least 5GB
-If you would like to ignore this check, please re-run with the option --no-space-check
+Error!  It looks like you don't have enough space in your `/tmp directory`
+Your `/tmp directory` must have a capacity of at least `5GB`
+If you would like to ignore this check, please re-run with the option `--no-space-check`
 ## Upgrade
 
 Upgrade script
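Review bot: in the changed error text the backticks swallow the noun ("`/tmp directory`"), so the path reads as `/tmp directory`; write "`/tmp` directory". `5GB` is a size, not code, and the flag `--no-space-check` is the only token on those lines that should be backticked besides the path.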

+ 19 - 17
Portal Notes.md

@@ -1,17 +1,16 @@
 # Portal Notes
 
 
-XDR Portal Notes
-https://github.xdr.accenturefederalcyber.com/MDR-Content/mdr-content/wiki/Customer-Portal
-
+XDR Portal [Notes link](https://github.xdr.accenturefederalcyber.com/MDR-Content/mdr-content/wiki/Customer-Portal)
 
 Portal is a custom application running on Django app in docker. 
 
 ## Help! Portal is down!
 Start with a docker container restart
+```
 salt 'customer-portal*' cmd.run 'docker container ls'
 salt 'customer-portal*' cmd.run 'docker restart portal nginx'
-
+```
 
 ## Deploy Process
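Review bot: "XDR Portal [Notes link](...)" on the changed line reads awkwardly; make the link text the document name, "[XDR Portal Notes](...)", matching the link style used elsewhere in this commit. The new fence around the two `salt` commands has no language tag; the rest of the file's shell blocks are untagged too, so this is consistent, but tagging them `bash` would give highlighting.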
 
@@ -29,8 +28,8 @@ salt 'customer-portal*' state.sls docker.portal --output-diff
 ```
 
 
-(from the wiki page https://github.xdr.accenturefederalcyber.com/MDR-Content/mdr-content/wiki/Customer-Portal)
-Last time i tried the ec2_tags grain targeting did not work.
+From the [Wiki page](https://github.xdr.accenturefederalcyber.com/MDR-Content/mdr-content/wiki/Customer-Portal)
+Last time we tried the `ec2_tags` grain targeting did not work.
 
 ```
 salt -G 'ec2_tags:Name:customer-portal' cmd.run "docker images" – You will need to grab the docker image ID for the container that needs to be updated
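Review bot: the context line at the end of this hunk has an en-dash comment inside a code fence ("... cmd.run \"docker images\" – You will need to grab the docker image ID ..."), so anyone copying the block pastes the sentence as part of the command. Move the explanation to a `# ` comment line above the command.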
@@ -44,19 +43,20 @@ salt -G 'ec2_tags:Name:customer-portal' state.sls docker.portal
 ### Deploy specific tag to nginx and/or portal
 
 ```
-# login to ECR using the docker salt state
+#login to ECR using the docker salt state
 salt 'customer-portal*' state.sls docker.portal test=true --output-diff
-# create a new branch and modify the file to the needed tags then push it up.  
+
+#create a new branch and modify the file to the needed tags then push it up.  
 salt 'customer-portal*' state.sls docker.portal-revert saltenv=feature/bp_na_salt_portal_tag
-# once you are done delete the branch
-```
 
+#once you are done delete the branch
+```
 
 ## Command line access
+```
 docker exec -ti nginx bash
 docker exec -ti portal bash
 
-```
 salt 'customer-portal*' cmd.run 'docker restart portal'
 salt 'customer-portal*' cmd.run 'docker rm -f portal'
 salt 'customer-portal*' cmd.run 'docker rm -f nginx'
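Review bot: the edit removes the space after `#` in the three comments (`#login`, `#create`, `#once`); `# ` is the usual shell comment style and is what the original had, so this is a step backwards. Also `saltenv=feature/bp_na_salt_portal_tag` is one person's branch from one deploy; show it as a placeholder such as `saltenv=feature/<your-branch>` so the next reader does not deploy a stale tag.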
@@ -68,7 +68,8 @@ salt 'customer-portal*' state.sls docker.portal
 ```
 ## Docker entrypoint.sh & Varibles
 
-If the app.env is empty or has null values in it, then the docker did not pull the vault variables correctly. 
+If the app.env is empty or has null values in it, then the docker did not pull the vault variables correctly.
+
 ```
 cat /opt/portal/docker-entrypoint.sh
 cat /opt/portal/app.env
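Review bot: the hunk header context still reads "Docker entrypoint.sh & Varibles" ("Variables"), and on the changed line `app.env` should be backticked like the other paths in this commit, since the `cat` below refers to `/opt/portal/app.env`.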
@@ -107,15 +108,14 @@ After attempting to login to the site, run this command to get admin access.
 `python3 manage.py promote richard.t.page@accenturefederal.com`
 `python3 manage.py promote brad.poulton@accenturefederal.com`
 
-Your IP must be whitelisted to access the admin site!
-https://portal.xdrtest.accenturefederalcyber.com/admin
+Your IP must be whitelisted to access the [Admin Site](https://portal.xdrtest.accenturefederalcyber.com/admin)
 
 TEST LB ACCESS
 
 6b6cdd72cdec ERROR 2021-04-19 23:10:46,130 - Invalid HTTP_HOST header: 'portal-alb-test-617285333.us-gov-east-1.elb.amazonaws.com'. You may need to add 'portal-alb-test-617285333.us-gov-east-1.elb.amazonaws.com' to ALLOWED_HOSTS. [django.security.DisallowedHost:88] 54
 
 ALLOWED_HOSTS is located....
-/opt/portal/dps_customer_portal/settings.py
+`/opt/portal/dps_customer_portal/settings.py`
 
 You can allow all subdomains like this, but OKTA doesn't support it:
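Review bot: the two `manage.py promote` lines in the context carry real employee email addresses; a runbook should show one placeholder, `python3 manage.py promote <user@domain>`, not a list of who has been promoted to admin. On the changed line, "Your IP must be whitelisted to access the [Admin Site](...)" is fine, but "ALLOWED_HOSTS is located...." below it should end in "at" before the backticked settings path.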
 
@@ -147,13 +147,15 @@ logs are being sent to Splunk. This logging is configured in Salt.
 `index=os source="http*" host="customer-portal-*"`
 
 Nginx
+```
 /var/log/nginx/portal.access.log
 docker logs -f nginx
+```
 
 Portal
 
-startup.log
-I assume the logs going to splunk are the stdout. 
+`startup.log`
+I assume the logs going to splunk are the `stdout`. 
 
 
 ```
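Review bot: "`startup.log`" on the changed line has no path, unlike the nginx log path two lines above; give its location. The following sentence ("I assume the logs going to splunk are the `stdout`") records a guess; backticking `stdout` does not make it verified, so either confirm it against `docker logs portal` and the Splunk source, or leave it marked as an assumption.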

+ 18 - 11
Sensu Go Migration Notes.md

@@ -1,10 +1,11 @@
 # Sensu Go Migration
 
-***Legecy***
+***Legacy***
 
-Currently sensu is installed, going to migrate us to Sensu Go
+Currently Sensu is installed, but will migrate us to `Sensu Go`
 
-1. move packages to repo server via wget be sure to check sha512
+1. Move packages to Repo server via `wget` be sure to check `sha512`
+```
 cd /var/www/html/redhat/msoc/Packages
 wget https://packagecloud.io/sensu/stable/packages/el/7/sensu-go-cli-5.15.0-7782.x86_64.rpm/download.rpm
 mv download.rpm  sensu-go-cli-5.15.0-el7.x86_64.rpm
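Review bot: the changed sentence "Currently Sensu is installed, but will migrate us to `Sensu Go`" has no subject for the second clause and backticks a product name; "Sensu Go" is prose. Step 1 ("Move packages to Repo server via `wget` be sure to check `sha512`") needs a comma or full stop before "be sure", and the check is only meaningful against the vendor-published digest, which these notes never mention; state where the expected value comes from. Minor: the renamed file `sensu-go-cli-5.15.0-el7.x86_64.rpm` does not follow the `-7782` naming used for the agent and backend two lines down.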
@@ -14,15 +15,18 @@ mv download.rpm sensu-go-agent-5.15.0-7782.x86_64.rpm
 
 wget https://packagecloud.io/sensu/stable/packages/el/7/sensu-go-backend-5.15.0-7782.x86_64.rpm/download.rpm
 mv download.rpm sensu-go-backend-5.15.0-7782.x86_64.rpm
+```
 
-https://sensu.io/downloads
+Download the Sensu Go software packages; ie backend, cli, & agent - https://sensu.io/downloads
 
+```
 wget -O sensu-go-backend-5.16.1-8521.x86_64.rpm  https://packagecloud.io/sensu/stable/packages/el/7/sensu-go-backend-5.16.1-8521.x86_64.rpm/download.rpm
 wget -O sensu-go-agent-5.16.1-8521.x86_64.rpm https://packagecloud.io/sensu/stable/packages/el/7/sensu-go-agent-5.16.1-8521.x86_64.rpm/download.rpm
 wget -O sensu-go-cli-5.16.1-8521.x86_64.rpm https://packagecloud.io/sensu/stable/packages/el/7/sensu-go-cli-5.16.1-8521.x86_64.rpm/download.rpm
 
 chown apache: sensu-go-*
 chmod 640 sensu-go-*
+```
 
 [prod]root@reposerver:/var/www/html/redhat/msoc/Packages:# sha512sum sensu-go-*
 da69e33d8b9bb493cf261bd7fae261aabc19346a2c9942ada8a6005774ed9042fe129321f45425c300680036a2c9b14217db701c9b4e58843e486df24cc1e7d1  sensu-go-agent-5.15.0-7782.x86_64.rpm
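Review bot: the new line "Download the Sensu Go software packages; ie backend, cli, & agent - https://sensu.io/downloads" breaks the markdown-link style this commit applies everywhere else, and "ie" should be "i.e.". The `sha512sum` output that follows is a local computation; record the published value it was compared against, otherwise the check in step 1 proves nothing.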
@@ -37,11 +41,12 @@ b449d093c219bc6262ad82cf281ed12f83d0e42f1a83c6eeca53527278cfed61f97054b51a971ed4
 196641d17d774e1c82c8b3842736821736a739d25a8f0b214de26a1c2ec80a06cb0caa7713fb8026209a5d2454d458c502f3c887e48fa221646520c8f75423d6  sensu-go-cli-5.15.0-el7.x86_64.rpm
 f8b107e90bbd9a3b2348592d39ca69ed0e7e0cb02e0fc65caaedc31296f926077387c059d274554b099159169259355f4c5288855d6c6cadc62c70fdcbf6408c  sensu-go-cli-5.16.1-8521.x86_64.rpm
 
-FOLLOW INSTRUCTIONS IN reposerver notes to finish setting up packages
+FOLLOW INSTRUCTIONS IN Reposerver Notes.md to finish setting up packages
 
-
-remove old software
+```
+#remove old software
 yum remove uchiwa sensu jemalloc redis erlang rabbitmq-server
+```
 
 prep vault
 create policy
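Review bot: "FOLLOW INSTRUCTIONS IN Reposerver Notes.md" should backtick the filename (`Reposerver Notes.md`), as `Phantom Notes.md` is elsewhere in this commit, and the shouting capitals can go. The fragments "prep vault" / "create policy" below are bare headings without the commands they refer to.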
@@ -58,18 +63,20 @@ ext_pillar:
 
 adjust security groups through terraform
 
-run salt state
+```
+#run salt state
 salt sensu.msoc.defpoint.local saltutil.refresh_pillar
 salt sensu.msoc.defpoint.local state.sls sensu_master
-
+```
 
 Client to Agent migration
-uninstall client
+```
+#uninstall client
 pkg.remove sensu
 cmd.run 'rm -rf /etc/sensu/*'
 saltutil.refresh_pillar
 state.sls sensu_agent
-
+```
 
 Sensu Prod
 41 clients
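Review bot: the "Client to Agent migration" block lists `pkg.remove sensu`, `cmd.run 'rm -rf /etc/sensu/*'`, `saltutil.refresh_pillar` and `state.sls sensu_agent` without the `salt <target>` prefix, so they are not runnable as written; write the full commands. `rm -rf /etc/sensu/*` fanned out to every minion is destructive, so show it with a narrow target (or `-L` with one host) first and the wide target only once the agent state has been verified on that host.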

+ 27 - 26
Sensu Notes.md

@@ -7,7 +7,7 @@ See (Sensu Go Migration Notes.md) file for more details
 
 Congrats, we are over 100 servers in Prod. We now need a license. 
 
-These are the steps to apply the license. Manually write the license file to the Sensu server. Manually apply it with sensuctl. It is not handled by TF or salt at the moment. Sorry I was busy!
+These are the steps to apply the license. Manually write the license file to the Sensu server. Manually apply it with `sensuctl`. It is not handled by TF or Salt at the moment. Sorry I was busy!
 
 ```
 sudo -i
@@ -23,44 +23,44 @@ sensuctl logout
 echo "" > /root/sensu-password
 ```
 
-
 ## Sensu Upgrade
 08/03/2020
 
-https://docs.sensu.io/sensu-go/latest/operations/maintain-sensu/upgrade/
-
-1. download latest packages for master and agents to repo server and run `yum clean all` on sensu master 
-2. if needed, update salt states to ensure they are up-to-date
-2.1. Stop sensu services on sensu-master `systemctl stop sensu-agent` `systemctl stop sensu-backend`
-3. update sensu software on the sensu-master
-4. `yum update sensu-go-backend`
-   `yum update sensu-go-cli`
-   `yum update sensu-go-agent`
-   `systemctl daemon-reload`
-5. restart the sensu services
-   `systemctl start sensu-backend`
-   `systemctl start sensu-agent`
-6. run `yum clean all` on salt minions
+[Sensu Upgrade Documentation](https://docs.sensu.io/sensu-go/latest/operations/maintain-sensu/upgrade/)
+
+1. Download latest packages for master and agents to Repo server and run `yum clean all` on Sensu Master 
+2. If needed, update Salt states to ensure they are up-to-date
+3. Stop sensu services on sensu-master `systemctl stop sensu-agent` `systemctl stop sensu-backend`
+4. Update sensu software on the sensu-master
+   ```
+   yum update sensu-go-backend
+   yum update sensu-go-cli
+   yum update sensu-go-agent
+   systemctl daemon-reload
+   ```
+5. Restart the sensu services `systemctl start sensu-backend` and `systemctl start sensu-agent`
+6. Run `yum clean all` on Salt minions
 7. Stop agent on minion `systemctl stop sensu-agent`
 8. Upgrade agent on minion `yum update sensu-go-agent -y`
 9. Run this `systemctl daemon-reload`
-10. start agent `systemctl start sensu-agent`
-11. verify with this `salt '*' cmd.run 'sensu-agent version'`
-`salt -C '* not salt* not sensu* not jira*' cmd.run 'sensu-agent version'
-
+10. Start agent `systemctl start sensu-agent`
+11. Verify with this: 
+```
+salt '*' cmd.run 'sensu-agent version'
+salt -C '* not salt* not sensu* not jira*' cmd.run 'sensu-agent version'
+```
 
 In version 5.16 the default password was removed in favor of a sensu-backend init with bash variables. 
 
 Sen$uP@ssw0rd!
 
+```
 systemctl start sensu-backend
 export SENSU_BACKEND_CLUSTER_ADMIN_USERNAME=YOUR_USERNAME
 export SENSU_BACKEND_CLUSTER_ADMIN_PASSWORD=YOUR_PASSWORD
 sensu-backend init
-
-
 sensuctl create --file filename.json
-
+```
 
 ## OIDC Okta Auth
 ---
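Review bot: the unchanged line "Sen$uP@ssw0rd!" is a cluster-admin password sitting in plain text in a notes repo, three lines under the statement that the default password was removed; delete it from the file (and from history) and rotate it. The `sensu-backend init` example already uses `YOUR_USERNAME` / `YOUR_PASSWORD` placeholders, which is the right shape; consider `read -s SENSU_BACKEND_CLUSTER_ADMIN_PASSWORD` instead of `export ...=` so the real value does not land in shell history. The renumbering of the upgrade steps (old `2.1` folded into step 3) is correct.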
@@ -80,13 +80,14 @@ spec:
   groups_prefix: 'okta:'
   username_claim: email
   username_prefix: 'okta:'
-  
+
+```
 #cluster role binding for okta
 sensuctl cluster-role-binding create okta --cluster-role=cluster-admin --group=okta:mdr-admins
 sensuctl cluster-role-binding create mdr-admin --cluster-role=mdr-admin --group=ldap:mdr-admins
   
 sensuctl cluster-role-binding list
-
+```
 
 type: ClusterRoleBinding
 api_version: core/v2
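Review bot: check the fence balance here in the rendered file. The context above the change (`groups_prefix: 'okta:'`, `username_claim: email`, `username_prefix: 'okta:'`) and the lines after it (`type: ClusterRoleBinding`, `api_version: core/v2`) both look like YAML that belongs inside fences whose opening markers are outside this hunk; if the OIDC YAML block was not closed before this hunk, the new fence after `username_prefix` closes it rather than opening a shell block, and every fence below flips. If that is the case, add a closing fence for the YAML first, then open the shell block.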
@@ -185,5 +186,5 @@ sudo yum remove etcd3
 ```
 
 If you get the error `No help topic for 'endpoint'`, then your environment variables aren't set (did you set them before you sudo'd?).
-If you get the error `Error:  context deadline exceeded`, then your endpoint is wrong, probably https instead of http.
+If you get the error `Error:  context deadline exceeded`, then your endpoint is wrong, probably `https` instead of `http`.
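Review bot: nothing wrong with the change itself; the double space in "`Error:  context deadline exceeded`" is presumably copied from the real output, so keep it.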
 

+ 40 - 38
Sophos Notes.md

@@ -2,13 +2,13 @@ Sophos Linux Anti-Virus Notes
 
 
 # Introduction
+A variety of tools are available from Sophos, including [Linux AV](https://secure2.sophos.com/en-us/products/free-tools.aspx)
 
-https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx
-PDF with instructions
-https://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_cg.pdf 
+Sophos Anti-Virus for Linux configuration guide with instructions: [Guide](https://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_cg.pdf) 
 
 # Installation
 Prerequisites
+```
 yum install kernel-devel
 
 Wget file sav-linux-free-9.tgz
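Review bot: the new fence opened before `yum install kernel-devel` also encloses "Wget file sav-linux-free-9.tgz", which is a prose instruction, not a command; either make it a `# ` comment or write the actual `wget <url>` line. The replacement link text "Linux AV" points at the generic free-tools page rather than the product page the old URL named, so say what the reader should download there.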
@@ -32,74 +32,76 @@ tar -xvzf sav-linux-free-9.tgz
 
 #required post installation setup for updates
 /opt/sophos-av/bin/savsetup
+```
 
-Additional settings
-https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/73918/how-to-package-with-mkinstpkg-under-linux-because-i-find-hard
+Additional settings for [How to package with mkinstpkg under Linux](https://community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/73918/how-to-package-with-mkinstpkg-under-linux-because-i-find-hard)
 
 # Build Binary (deb/rpm)
+```
 yum install rpm-build rpm
 
 /opt/sophos-av/update/
 ./mkinstpkg -r --sophos --rpm-version=0.1 --rpm-release=0.1 --update-type=s
+```
 
 Commandline:  --enableSavProtectOnBoot=True --update-free=True --update-source-username=FAVLvRQL133F0 --update-source-password=k5va9rpkv5i --instdir=/opt/sophos-av --update-cache-path=/opt/sophos-av/update/cache/Primary --update-type=s --update-source-path=sophos: --acceptlicence=True --enableRMS=false --automatic=True --enableOnAccess=true --update-period-minutes=60
 
-RPM package is '/opt/sophos-av/update/savinstpkg-0.1-0.1.x86_64.rpm'
+RPM package is `/opt/sophos-av/update/savinstpkg-0.1-0.1.x86_64.rpm`
 
 If you get this error:
-
+```
 ./install.sh: line 34: /tmp/sophos_distribution_N53lTic/exectest: Permission denied
-Cannot execute files within /tmp directory. Please see KBA 131783 http://www.sophos.com/kb/131783
+Cannot execute files within /tmp directory.
+``` 
+Please see [KBA 131783](https://support.sophos.com/support/s/article/KB-000037998?language=en_US)
 
 Option 1
-Then run this command to temporarily adjust the /tmp noexec
-
+Then run this command to temporarily adjust the `/tmp noexec`
+```
 mount -o remount,exec /tmp
+```
 
-Then run the above install.sh command again. Once finished, run this command to turn it back on.
-
+Then run the above `install.sh` command again. Once finished, run this command to turn it back on.
+```
 mount -o remount,noexec /tmp
-
+```
 Option 2
-
+```
 export TMPDIR=/var/tmp
-
+```
 Option 3
-
+```
 mkdir /root/tmp
 export TMPDIR=/root/tmp
 
 #Uninstall
 /opt/sophos-av/uninstall.sh
 
-# Configuration
+#Configuration
 
 #Edit or query configurations
 /opt/sophos-av/bin/savconfig
 /opt/sophos-av/bin/savconfig --all
-
+```
 
 View Update source information:
-/opt/sophos-av/bin/savsetup
+`/opt/sophos-av/bin/savsetup`
 
-As for pulling updates, normally standalone machines will update directly from Sophos through an internet line, but they can be configured to pull updates from other locations such as an Update Manager if you were to have a SEC deployment.  If you are looking to limit internet bandwidth or restrict internet access, a workaround that may work is to have one Linux and one UNIX machine with Sophos installed that can reach out to the internet to pull updates.  Set up an SMB share for /opt/sophos-av/update/cache/Primary/ and configure the other Linux/UNIX machines update from this SMB share.
+As for pulling updates, normally standalone machines will update directly from Sophos through an internet line, but they can be configured to pull updates from other locations such as an Update Manager if you were to have a SEC deployment.  If you are looking to limit internet bandwidth or restrict internet access, a workaround that may work is to have one Linux and one UNIX machine with Sophos installed that can reach out to the internet to pull updates.  Set up an SMB share for `/opt/sophos-av/update/cache/Primary/` and configure the other Linux/UNIX machines update from this SMB share.
 
-Logs are located at /opt/sophos-av/log
+Logs are located at `/opt/sophos-av/log`
 
 # Manually Update 
-This will update signatures and engine
-/opt/sophos-av/bin/savupdate
+This will update signatures and engine `/opt/sophos-av/bin/savupdate`
 
 
 # Scheduled Scan
 
-See the example at /opt/sophos-av/doc/namedscan.example.en
-
-
-See PDF for additional instructions
-/opt/sophos-av/bin/savconfig add NamedScans Daily /home/fred/DailyScan
+See the example at `/opt/sophos-av/doc/namedscan.example.en`
 
+See PDF for additional instructions: `/opt/sophos-av/bin/savconfig add NamedScans Daily /home/fred/DailyScan`
 
+```
 Exclude dirs
 
 ExcludePath ^/proc/
@@ -114,31 +116,31 @@ ExcludePath ^/etc/audit/*
 ExcludePath ^/etc/security/*
 ExcludePath ^/var/log/audit/*
 ExcludePath ^/etc/krb5.keytab
-
-User clamscan
+```
+User `clamscan`
 
 # Usage
-
-View logs 
+```
+#View logs 
 /opt/sophos-av/bin/savlog
 /opt/sophos-av/bin/savlog --systemLog
 
-Log file for Splunk
+#Log file for Splunk
 cat /opt/sophos-av/log/savd.log
 
-Logs are also pushed to internal syslog and /opt/sophos-av/log/savd.log
+#Logs are also pushed to internal syslog and `/opt/sophos-av/log/savd.log`
 tail -200 /var/log/messages | grep savd
 
-View status
+#View status
 /opt/sophos-av/bin/savdstatus
 
-Manage the service
+#Manage the service
 /opt/sophos-av/bin/savdctl
 
-Start on demand scan
+#Start on demand scan
 savscan /.
 savscan /home/brad
-
+```
 
 
 EICAR test file
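Review bot: the unchanged "Commandline:" line carries live update-source credentials (`--update-source-username=FAVLvRQL133F0 --update-source-password=k5va9rpkv5i`); replace them with placeholders and rotate the account, since the repo is the wrong place for them. Three formatting regressions in the changed lines: "# Configuration" was turned into "#Configuration" because it now sits inside the fence opened at "Option 3", so the heading is gone from the rendered document (close that fence after `export TMPDIR=/root/tmp` and reopen it for the uninstall and savconfig commands); the comment "#Logs are also pushed to internal syslog and `/opt/sophos-av/log/savd.log`" is inside a fence, where the backticks render literally; and "User `clamscan`" is left dangling after the exclude list with no sentence around it. Also `savscan /home/brad` is someone's home directory; use a placeholder path in the example.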