diff --git a/DC-task-restrict-at b/DC-task-restrict-at
new file mode 100644
index 000000000..b0501ff36
--- /dev/null
+++ b/DC-task-restrict-at
@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-restrict-at.xml"
+ROOTID="task-restrict-at"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"
diff --git a/DC-task-restrict-cron b/DC-task-restrict-cron
new file mode 100644
index 000000000..7cdd5dba8
--- /dev/null
+++ b/DC-task-restrict-cron
@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-restrict-cron.xml"
+ROOTID="task-restrict-cron"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"
diff --git a/xml/task-restrict-at.xml b/xml/task-restrict-at.xml
new file mode 100644
index 000000000..af1cb020a
--- /dev/null
+++ b/xml/task-restrict-at.xml
@@ -0,0 +1,225 @@
+
+
+
+
+
+
+ %entities;
+ at">
+]>
+
+
+
+
+
+
+ Restricting the &atd; scheduler
+
+
+ https://bugzilla.suse.com/enter_bug.cgi
+ Smart Docs
+ Documentation
+ cwickert@suse.com
+
+ no
+
+
+
+
+ Environment
+ This document applies to the following products and product versions:
+
+
+ &sles; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &sles4sap; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &sleha; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &slehpc; 15 SP3, 15 SP2, 15 SP1, 15 GA
+
+
+ &sled; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &slert; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+
+
+
+ Introduction
+
+ The &atd; job execution system allows users to schedule one-time running
+ jobs. The at.allow file specifies a list of users that
+ are allowed to schedule jobs via &atd;. The file does not exist by default,
+ so all users can schedule &atd; jobs—except for those listed in
+ at.deny)
+
+
+
+
+ Requirements
+
+
+
+ You have installed your product and your system is up and running.
+
+
+
+
+ The at package is installed. If not, run
+ zypper in at to install it.
+
+
+
+
+
+
+
+ Restrict access to the &atd; scheduler
+
+
+
+ To prevent users except for &rootuser; from scheduling jobs with &atd;,
+ perform the following steps.
+
+
+
+ Create an empty file /etc/at.allow:
+
+&prompt.sudo;touch /etc/at.allow
+
+
+
+ Allow users to schedule jobs with &atd; by adding their usernames to the
+ file:
+
+&prompt.sudo;echo "&exampleuser_plain;" >> /etc/at.allow
+
+
+
+ To verify, try scheduling a job as non-root user listed in
+ at.allow:
+
+&prompt.user;at 00:00
+at>
+
+ Quit the &atd;prompt with
+ C and
+ try the same with a user not listed in
+ /etc/at.allow (or before adding them the file in step
+ 2 of this procedure):
+
+&prompt.user2;at 00:00
+You do not have permission to use at.
+
+
+
+
+
+ Summary
+
+ You have successfully restricted scheduling jobs with &atd; for non-root
+ users.
+
+
+
+
+ Troubleshooting
+ When implementing /etc/at.allow, there are
+ basically only two problems that can occur:
+
+
+
+ A user can schedule a job with &atd; although
+ they should not.
+
+
+ Check that the username in /etc/at.allow matches
+ the actual username.
+
+
+
+
+ A user can not schedule a job with &atd; jobs
+ although they should.
+
+
+ If the user is correctly listed in /etc/at.allow
+ but cannot schedule &atd; jobs, check if they are also listed in
+ /etc/at.deny. If the user appears in both files,
+ /etc/at.deny wins. Remove the user from that file to
+ allow them to schedule &atd; jobs.
+
+
+
+
+
+
+
+ Next steps
+
+
+
+ &atd; is not widely used anymore. If you do not have valid use cases,
+ consider uninstalling the daemon instead of just restricting its access.
+
+
+
+
+ To further improve security, also consider restricting access to the
+ &crond; daemon.
+
+
+
+
+
+
+ Related topics
+
+
+
+ Restricting the &crond; scheduler
+
+
+
+
+
+ Create &systemd; timers
+
+
+
+
+
+
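Review bot: In Troubleshooting, the second entry says that when a user appears in both files "/etc/at.deny wins", but the procedure never has the reader look at /etc/at.deny, and the Introduction only describes at.deny for the case where at.allow does not exist. Please check this precedence claim against at.allow(5), where at.deny is consulted only if at.allow is absent, and state the rule once in the Introduction so the two sections agree. This article also has no counterpart to the "Existing &crond; jobs" note in task-restrict-cron.xml: if jobs already queued by a now-excluded user still run, say so and tell the reader to review the queue. Smaller wording fixes: the Introduction ends with a stray ")" and no period after at.deny, "Quit the &atd;prompt" needs a space, "before adding them the file" is missing "to", and "schedule a job with &atd; jobs" repeats "jobs".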
diff --git a/xml/task-restrict-cron.xml b/xml/task-restrict-cron.xml
new file mode 100644
index 000000000..8c977a98d
--- /dev/null
+++ b/xml/task-restrict-cron.xml
@@ -0,0 +1,249 @@
+
+
+
+
+
+
+ %entities;
+]>
+
+
+
+
+
+
+ Restricting the &crond; daemon
+
+
+ https://bugzilla.suse.com/enter_bug.cgi
+ Smart Docs
+ Documentation
+ cwickert@suse.com
+
+ no
+
+
+
+
+ Environment
+ This document applies to the following products and product versions:
+
+
+ &sles; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &sles4sap; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &sleha; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &slehpc; 15 SP3, 15 SP2, 15 SP1, 15 GA
+
+
+ &sled; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+ &slert; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3
+
+
+
+
+
+ Introduction
+
+ The &crond; system is used to automatically run commands in the background at
+ predefined times.
+
+
+
+ The cron.allow file specifies a list of users that are
+ allowed to execute jobs via &crond;. The file does not exist by default, so
+ all users can create &crond; jobs—except for those listed in
+ cron.deny.
+
+
+
+
+ Requirements
+
+
+
+ You have installed your product and your system is up and running.
+
+
+
+
+ The cron package is installed. If not, run
+ zypper in cron to install it.
+
+
+
+
+
+
+
+ Restrict access to the &crond; daemon
+
+
+
+ To prevent users except for root from creating &crond; jobs, perform the
+ following steps.
+
+
+
+ Create an empty file /etc/cron.allow:
+
+&prompt.sudo;touch /etc/cron.allow
+
+
+
+ Allow users to create &crond; jobs by adding their usernames to the file:
+
+&prompt.sudo;echo "&exampleuser_plain;" >> /etc/cron.allow
+
+
+
+ To verify, try creating a &crond; job as non-root user listed in
+ cron.allow. You should see the message:
+
+&prompt.user;crontab -e
+no crontab for &exampleuser_plain; - using an empty one
+
+ Quit the crontab editor and try the same with a user
+ not listed in cron.allow (or
+ before adding them to the file in step 2 of this procedure):
+
+&prompt.user2;crontab -e
+You (&exampleuserII_plain;) are not allowed to use this program (crontab)
+See crontab(1) for more information
+
+
+
+
+
+ Summary
+
+ You have successfully restricted creation of new &crond; jobs for non-root
+ users.
+
+
+ Existing &crond; jobs
+
+ Implementing cron.allow only prevents users from
+ creating new &crond; jobs. Existing jobs will still be run, even for users
+ listed in cron.deny. To prevent this, create the file
+ as described and remove existing user crontabs from the directory
+ /var/spool/cron/tabs to ensure they are not run
+ anymore.
+
+
+
+
+
+ Troubleshooting
+ When implementing /etc/cron.allow, there are
+ basically only two problems that can occur:
+
+
+
+ A user can create a cron job although they should
+ not.
+
+
+ Check that the username in /etc/cron.allow matches
+ the actual username.
+
+
+
+
+ A user can not create cron jobs although they
+ should.
+
+
+ If the user is correctly listed in /etc/cron.allow
+ but cannot create new &crond; jobs,
+ check if they are also listed in /etc/cron.deny. If
+ the user appears in both files, /etc/cron.deny wins.
+ Remove the user from the file to allow them to create cron jobs.
+
+
+
+
+
+
+
+ Next steps
+
+
+
+ To further improve security, also consider restricting access to the
+ at scheduler.
+
+
+
+
+ You should also consider switching to &systemd; timer units, as they allow
+ for more powerful and reliable task execution. By default, users cannot use
+ them to run code when they are not logged in. This limits the way users can
+ interact with the system while not being connected to it.
+
+
+
+
+
+
+
+ Related topics
+
+
+
+ Restricting the at scheduler
+
+
+
+
+ Create &systemd; timers
+
+
+
+
+
+
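Review bot: The "Existing &crond; jobs" note sits in the Summary, after the text that tells the reader the restriction is in place, yet it describes work that is still required: crontabs already in /var/spool/cron/tabs keep running. Move it into the procedure as a step before the verification, say that only the crontabs of users who are not in cron.allow should be removed (as written, "remove existing user crontabs" reads as deleting all of them, including those of allowed users), and give the command. In the same note, "even for users listed in cron.deny" and "create the file as described" leave it unclear which file is meant; name /etc/cron.allow explicitly. The Troubleshooting claim that "/etc/cron.deny wins" when a user is in both files should be checked against crontab(1), since the Introduction only describes cron.deny for the case where cron.allow does not exist. For consistency with task-restrict-at.xml, use &rootuser; instead of plain "root" in the procedure intro and &atd; instead of "at" in Next steps and Related topics.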