From 479a219feeefba01d4dae28782515980bc346825 Mon Sep 17 00:00:00 2001
From: Amrita <amrita.sakthivel@suse.com>
Date: Tue, 17 Sep 2024 17:12:35 +0530
Subject: [PATCH 1/6] adds asm file

---
 articles/systemd-securing.asm.xml | 35 +++++++++++++++++--------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/articles/systemd-securing.asm.xml b/articles/systemd-securing.asm.xml
index eabc9892f..2831144d2 100644
--- a/articles/systemd-securing.asm.xml
+++ b/articles/systemd-securing.asm.xml
@@ -19,9 +19,13 @@
 <!-- R E S O U R C E S -->
   <resources>
     <resource href="../concepts/systemd-securing.xml" xml:id="_systemd-securing"/>
+    <!-- Tasks -->
+    <resource href="../tasks/systemd-example-secure-service.xml" xml:id="_systemd-example-secure-service"/>
     <resource href="../tasks/systemd-analyze-security-service-files.xml" xml:id="_systemd-analyze-security-service-files"/>
-    <resource href="../references/systemd-securing-techniques.xml" xml:id="_systemd-securing-techniques"/>
+    <!-- References -->
+    <!-- Glues -->
     <resource href="../glues/systemd-securing-more-info.xml" xml:id="_systemd-securing-more-info"/>
+    <!-- Miscellaneous -->
     <resource href="../common/legal.xml" xml:id="_legal"/>
     <resource href="../common/license_gfdl1.2.xml" xml:id="_gfdl"/>
   </resources>
@@ -42,7 +46,7 @@
       </revhistory>
 <!-- TODO: provide a listing of possible and validatable meta entry values. Maybe in our geekodoc repo? -->
 <!-- add author's e-mail -->
-      <meta name="maintainer" content="tbazant@suse.com" its:translate="no"/>
+      <meta name="maintainer" content="amrita.sakthivel@suse.com" its:translate="no"/>
 <!-- ISO date of last update as YYYY-MM-DD -->
       <meta name="updated" content="2023-12-18" its:translate="no"/>
 <!-- this does not work yet. Use the dm tags listed below for now
@@ -101,9 +105,9 @@
             <term>WHAT?</term>
             <listitem>
               <para>
-                &systemd; service files are most often used to operate one or more &systemd;
-                services, such as starting, stopping or viewing the status of the service. Besides
-                this, the service files can limit the privileges of the service they control.
+                &systemd; service files are a powerful tool for managing services in a Linux environment.
+                These service files are used to operate one or more &systemd; services such as starting,enabling,stopping or viewing the
+                status of the service. Additionally, the service files can limit the privileges of the service they control.
               </para>
             </listitem>
           </varlistentry>
@@ -111,7 +115,7 @@
             <term>WHY?</term>
             <listitem>
               <para>
-                Using security options of &systemd; service files increases the security of the
+                Using the security options of &systemd; service files increases the security of the
                 service they control. This adds another security layer of the whole operating
                 system.
               </para>
@@ -121,8 +125,7 @@
             <term>EFFORT</term>
             <listitem>
               <para>
-                It takes less than 15 minutes to understand how &systemd; can control the security
-                level of &systemd; services.
+                20 minutes of reading time.
               </para>
             </listitem>
           </varlistentry>
@@ -132,12 +135,12 @@
               <itemizedlist>
                 <listitem>
                   <para>
-                    Good knowledge of the &systemd; environment
+                    Basic understanding of Linux commands
                   </para>
                 </listitem>
                 <listitem>
                   <para>
-                    &rootuser; privileges
+                    Basic understanding of Linux processes, daemons, and control groups
                   </para>
                 </listitem>
               </itemizedlist>
@@ -147,18 +150,18 @@
       </abstract>
     </merge>
     <module resourceref="_systemd-securing"/>
-    <module resourceref="_systemd-analyze-security-service-files">
+
+       <module resourceref="_systemd-example-secure-service">
       <merge>
-        <title>Analyzing the security level</title>
+        <title>How to analyze the security of a &systemd; service</title>
       </merge>
     </module>
-    <module resourceref="_systemd-securing-techniques">
+    <module resourceref="_systemd-securing-more-info">
       <merge>
-        <title>Techniques of securing</title>
+        <title>For more information</title>
       </merge>
     </module>
-    <module resourceref="_systemd-securing-more-info"/>
-    <module resourceref="_legal"/>
+      <module resourceref="_legal"/>
     <module resourceref="_gfdl">
       <output renderas="appendix"/>
     </module>

From 9d6809fa145d88b3909a16fccca15943bbda4370 Mon Sep 17 00:00:00 2001
From: Amrita <amrita.sakthivel@suse.com>
Date: Fri, 20 Sep 2024 16:41:14 +0530
Subject: [PATCH 2/6] adds more content

---
 articles/systemd-securing.asm.xml        |   2 +-
 concepts/systemd-securing.xml            |  38 ++++--
 glues/systemd-securing-more-info.xml     |  25 +---
 tasks/systemd-example-secure-service.xml | 166 +++++++++++++++++++++++
 4 files changed, 198 insertions(+), 33 deletions(-)
 create mode 100644 tasks/systemd-example-secure-service.xml

diff --git a/articles/systemd-securing.asm.xml b/articles/systemd-securing.asm.xml
index 2831144d2..9c9418b91 100644
--- a/articles/systemd-securing.asm.xml
+++ b/articles/systemd-securing.asm.xml
@@ -149,7 +149,7 @@
         </variablelist>
       </abstract>
     </merge>
-    <module resourceref="_systemd-securing"/>
+    <module resourceref="_systemd-secure-services"/>
 
        <module resourceref="_systemd-example-secure-service">
       <merge>
diff --git a/concepts/systemd-securing.xml b/concepts/systemd-securing.xml
index 31ec4a133..41fdc1983 100644
--- a/concepts/systemd-securing.xml
+++ b/concepts/systemd-securing.xml
@@ -14,7 +14,8 @@
   xmlns:xlink="http://www.w3.org/1999/xlink"
   xmlns:trans="http://docbook.org/ns/transclusion">
   <info>
-    <title>Secure &systemd; services</title>
+    <title>Introduction to securing &systemd; services</title>
+    <meta name="maintainer" content="amrita.sakthivel@suse.com" its:translate="no"/>
     <abstract>
       <para>
         Linux increases its security by separating privileges between individual components of the
@@ -30,23 +31,32 @@
         them from certain privileges that normal users are allowed to use.
       </para>
     </abstract>
-    <meta name="maintainer" content="tbazant@suse.cz" its:translate="no"/>
   </info>
-  <section xml:id="how-it-works-securing-with-systemd">
-    <title>How does securing services with &systemd; work?</title>
-    <para>
-      There are several methods to secure processes and applications that you can use
-      simultaneously. For example, confining with &selnx; <phrase os="sles">or &aa; </phrase>is
-      recommended. &systemd; can apply additional restrictions to local services by using
-      technologies included in the kernel. These restrictions are activated by adding specific
-      options to the &systemd; service definition and restarting the service.
-    </para>
-  </section>
+
   <section xml:id="benefits-securing-with-systemd">
-    <title>Benefits of securing services</title>
+    <title>Why is securing &systemd; services important?</title>
     <para>
       Securing &systemd; services increases the security of the whole operating system and protects
-      sensitive data contained on its file system.
+      sensitive data contained on its file system. With &systemd;, you can configure your system in many ways.
+      &systemd; runs as the first process on boot (PID1) which means that it has a lot of power on your Linux environment.
     </para>
+    <para>&systemd; can apply additional restrictions to local services by using technologies included in the kernel.
+      These restrictions are activated by adding specific options to the systemd service definition and restarting the service.
+      &systemd; has a command-line tool <command>systemd-analyze security</command>. This command analyses the services and checks
+      if the services are using its security options.</para>
+  </section>
+  <section xml:id="what-is-systemd-aalyze-security-command">
+    <title>What is the <command>systemd-analyze security</command> command?</title>
+    <para>
+     The command analyzes the security and sandboxing settings of the specified service units.
+     A detailed analysis of the security settings is executed and displayed.
+     If a service unit is not specified, all currently loaded, long-running service units are inspected and the results are displayed in a terse table.
+     </para>
+<para>The command upon checking the security settings, assigns a numeric value , also known as <emphasis>exposure level</emphasis>.
+  This value is dependent on how important a setting is. It then calculates an overall exposure level for the whole unit. This value ranges
+  from 0.0-10.0, which is an indicator of how exposed a service is security wise.
+  High exposure levels indicate that the service might benefit from additional security settings.
+  While low exposure levels indicate tight security restrictions.
+</para>
   </section>
 </topic>
diff --git a/glues/systemd-securing-more-info.xml b/glues/systemd-securing-more-info.xml
index b9bbd3f86..4be4932c4 100644
--- a/glues/systemd-securing-more-info.xml
+++ b/glues/systemd-securing-more-info.xml
@@ -18,39 +18,28 @@
   <itemizedlist>
     <listitem>
       <para>
-        All security options are described in &systemd;'s man pages. Refer to <command>man 5
-        systemd.exec</command>.
+        <command>man 5 systemd.exec</command>
       </para>
     </listitem>
     <listitem>
       <para>
-        The list of currently defined kernel capabilities is available in <command>man 7
-        capabilities</command>.
+       <command>man 7 capabilities</command>
       </para>
     </listitem>
     <listitem>
       <para>
-        Enabling and disabling &systemd; services is described in
-        <link xlink:href="https://documentation.suse.com/smart/linux/html/reference-systemctl-enable-disable-services/reference-systemctl-enable-disable-services.html"/>.
+       Introduction to &systemd; basics <link xlink:href="https://documentation.suse.com/smart/systems-management/html/systemd-basics/index.html"> </link>
       </para>
     </listitem>
     <listitem>
       <para>
-        Managing &systemd; targets with <command>systemctl</command> is described in
-        <link xlink:href="https://documentation.suse.com/smart/linux/html/reference-managing-systemd-targets-systemctl/reference-systemctl-managing-targets.html"/>.
+        Managing &systemd; services <link xlink:href="https://documentation.suse.com/smart/systems-management/html/systemd-management/index.html"/>
       </para>
-    </listitem>
-    <listitem>
-      <para>
-        Sending termination signals to &systemd; services is described in
-        <link xlink:href="https://documentation.suse.com/smart/linux/html/task-send-termination-signals-systemd/task-send-termination-signals-systemd.html"/>.
-      </para>
-    </listitem>
+      </listitem>
     <listitem>
       <para>
-        Starting and stopping &systemd; services is described in
-        <link xlink:href="https://documentation.suse.com/smart/linux/html/reference-systemctl-start-stop-services/reference-systemctl-start-stop-services.html"/>.
+       System and Service Manager <link xlink:href="https://systemd.io/"> </link>
       </para>
     </listitem>
-  </itemizedlist>
+      </itemizedlist>
 </topic>
diff --git a/tasks/systemd-example-secure-service.xml b/tasks/systemd-example-secure-service.xml
new file mode 100644
index 000000000..9c375146d
--- /dev/null
+++ b/tasks/systemd-example-secure-service.xml
@@ -0,0 +1,166 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE topic
+[
+  <!ENTITY % entities SYSTEM "../common/generic-entities.ent">
+    %entities;
+]>
+<topic xml:id="systemd-example-secure-service"
+ role="task" xml:lang="en"
+ xmlns="http://docbook.org/ns/docbook" version="5.2"
+ xmlns:its="http://www.w3.org/2005/11/its"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ xmlns:xlink="http://www.w3.org/1999/xlink"
+ xmlns:trans="http://docbook.org/ns/transclusion">
+  <info>
+    <title>How to analyze the security of a &systemd; service?</title>
+    <meta name="maintainer" content="amrita.sakthivel@suse.com" its:translate="no"/>
+    <abstract>
+      <para>
+       Use &systemd; to secure and strengthen services using specific directives and verify the same.
+       Use the <literal>security</literal> option to analyze the security and the sandboxing settings of one or more specified services.
+       </para>
+
+    </abstract>
+
+</info>
+  <procedure>
+       <step><para>Create a &systemd; service in the <filename>/etc/systemd/system</filename>. </para>
+           </step>
+           <step><para>Reload the service files to include the new service:</para>
+            <screen>&prompt.sudo; systemctl daemon-reload</screen>
+           </step>
+           <step><para>Start,enable, and check the status of the service:</para>
+<screen>&prompt.sudo; systemctl start <replaceable>SERVICE_NAME</replaceable></screen>
+<screen>&prompt.sudo;systemctl enable <replaceable>SERVICE_NAME</replaceable></screen>
+<screen>&prompt.sudo; systemctl status <replaceable>SERVICE_NAME</replaceable></screen>
+
+              </step>
+              <step><para>Analyze the security settings of the service:</para>
+                <screen>&prompt.sudo; systemd-analyze security <replaceable>SERVICE_NAME</replaceable></screen>
+                <para>For example:</para>
+<screen>&prompt.sudo; systemd-analyze security test.service
+NAME                DESCRIPTION                              EXPOSURE
+✗ PrivateNetwork=     Service has access to the host's network      0.5
+✗ User=/DynamicUser=  Service runs as root user                     0.4
+✗ DeviceAllow=        Service has no device ACL
+...
+→ Overall exposure level for test.service: 9.6 UNSAFE 😨
+</screen>
+               </step>
+              </procedure>
+               <section xml:id="improving-overall-exposure">
+                <title>How to improve the overall exposure with options?</title>
+                <para>Use the command <command>systemd-analyze security</command> to analyze the security settings of a
+                &systemd; service. For example: </para>
+<screen>
+NAME                DESCRIPTION                              EXPOSURE
+✗ PrivateNetwork=     Service has access to the host's network      0.5
+✗ User=/DynamicUser=  Service runs as root user                     0.4
+✗ DeviceAllow=        Service has no device ACL                     0.2
+...
+→ Overall exposure level for test.service: 9.6 UNSAFE 😨
+</screen>
+                <para>If you get <emphasis>9.6 UNSAFE</emphasis>, this is not good but you can use the following options to improve the rating.</para>
+                <variablelist>
+                <varlistentry>
+                  <term>NoNewPrivileges=yes</term>
+                  <listitem>
+                    <para>
+                     New privileges are not required.
+                    </para>
+                  </listitem>
+                </varlistentry>
+                <varlistentry>
+                  <term>PrivateTmp=yes</term>
+                  <listitem>
+                    <para>
+                     Private directory for temporary files. This option provides the service with a private <filename>/tmp</filename> isolated from
+                     the host system's <filename>/tmp</filename>. The shared host <filename>/tmp</filename>
+                     directory is a major source of security problems, such as symlink attacks and DoS
+                     <filename>/tmp</filename> temporary files.
+                    </para>
+                  </listitem>
+                </varlistentry>
+                <varlistentry>
+                  <term>PrivateNetwork=yes</term>
+                  <listitem>
+                    <para>
+                      This option isolates the service and its processes from networking. This prevents
+                      external network requests from reaching the protected service. Be aware that certain
+                      services require the network to be operational.
+                    </para>
+                  </listitem>
+                </varlistentry>
+                <varlistentry>
+                  <term>InaccessibleDirectories=/home</term>
+                  <listitem>
+                    <para>
+                      This option makes the specified directories inaccessible to the service. This option
+                      narrows the range of directories that can be read or modified by the service, for
+                      example, to secure users' private files.
+                    </para>
+                  </listitem>
+                </varlistentry>
+                <varlistentry>
+                  <term>ReadOnlyDirectories=/var</term>
+                  <listitem>
+                    <para>
+                      This option makes the specified directories inaccessible for writing to the service. The
+                      example configuration makes the whole tree below <filename>/var</filename> read-only.
+                      This option prevents the service from damaging the system files.
+                    </para>
+                  </listitem>
+                </varlistentry>
+                <varlistentry>
+                  <term>CapabilityBoundingSet=CAP_CHOWN CAP_KILL</term>
+                  <listitem>
+                    <para>
+                      This option restricts the kernel capabilities that a service can retain. In the example
+                      above, only the <literal>CAP_CHOWN</literal> and <literal>CAP_KILL</literal> capabilities
+                      are retained by the service, and the service and any processes it creates cannot obtain
+                      any other capabilities, not even via setuid binaries.
+                    </para>
+                    <tip>
+                      <para>
+                        To easily identify which processes on your system retain which capabilities, use the
+                        <command>pscap</command> tool from the <package>libcap-ng-utils</package> package.
+                      </para>
+                    </tip>
+                    <tip>
+                      <para>
+                        The <literal>~</literal> prefix inverts the meaning of the option&mdash;instead of
+                        listing all capabilities that the service retains, you may list the ones it does not
+                        retain:
+                      </para>
+<screen>...
+[Service]
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+...</screen>
+                    </tip>
+                  </listitem>
+
+                </varlistentry>
+                <varlistentry>
+                  <term>LimitNPROC=1, LimitFSIZE=0</term>
+                  <listitem>
+                    <para>
+                      You can use <emphasis>resource limits</emphasis> to apply security limits on services.
+                      Two of them can disable specific operating system features:
+                      <option>RLIMIT_NPROC=1</option> disables precess forking, while
+                      <option>RLIMIT_FSIZE=0</option> disables creating non-empty files on the file system.
+                    </para>
+                  </listitem>
+                </varlistentry>
+                <varlistentry>
+                  <term>DeviceAllow=/dev/null rw</term>
+                  <listitem>
+                    <para>
+                      This option limits access to <filename>/dev/null</filename>, disallowing access to any
+                      other device nodes.
+                    </para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+               </section>
+
+              </topic>

From d67ae2bc87c30cc8f8cf0cb739a0ea40380e57d9 Mon Sep 17 00:00:00 2001
From: Tom Schraitle <toms@suse.de>
Date: Mon, 23 Sep 2024 10:12:13 +0200
Subject: [PATCH 3/6] Correct wrong ID

---
 articles/systemd-securing.asm.xml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/articles/systemd-securing.asm.xml b/articles/systemd-securing.asm.xml
index 9c9418b91..302f207be 100644
--- a/articles/systemd-securing.asm.xml
+++ b/articles/systemd-securing.asm.xml
@@ -18,7 +18,7 @@
     -->
 <!-- R E S O U R C E S -->
   <resources>
-    <resource href="../concepts/systemd-securing.xml" xml:id="_systemd-securing"/>
+    <resource href="../concepts/systemd-securing.xml" xml:id="_systemd-secure-services"/>
     <!-- Tasks -->
     <resource href="../tasks/systemd-example-secure-service.xml" xml:id="_systemd-example-secure-service"/>
     <resource href="../tasks/systemd-analyze-security-service-files.xml" xml:id="_systemd-analyze-security-service-files"/>
@@ -150,7 +150,6 @@
       </abstract>
     </merge>
     <module resourceref="_systemd-secure-services"/>
-
        <module resourceref="_systemd-example-secure-service">
       <merge>
         <title>How to analyze the security of a &systemd; service</title>

From 2938f4a167468db922426d90a9d87a4f1867f748 Mon Sep 17 00:00:00 2001
From: Amrita <amrita.sakthivel@suse.com>
Date: Tue, 10 Dec 2024 16:03:41 +0530
Subject: [PATCH 4/6] review feedback-1

---
 articles/systemd-securing.asm.xml        |  2 +-
 concepts/systemd-securing.xml            |  2 +-
 tasks/systemd-example-secure-service.xml | 10 +++++-----
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/articles/systemd-securing.asm.xml b/articles/systemd-securing.asm.xml
index 302f207be..c8aeef7f8 100644
--- a/articles/systemd-securing.asm.xml
+++ b/articles/systemd-securing.asm.xml
@@ -70,7 +70,7 @@
       -->
       <meta name="architecture" its:translate="no">
         <phrase>&x86-64;</phrase>
-        <phrase>&power;</phrase>
+        <phrase>&power;</phrase>How to improve the overall exposure
       </meta>
       <meta name="productname" its:translate="no">
         <productname version="16.0" os="sles">&productname;</productname>
diff --git a/concepts/systemd-securing.xml b/concepts/systemd-securing.xml
index 41fdc1983..60f13b16d 100644
--- a/concepts/systemd-securing.xml
+++ b/concepts/systemd-securing.xml
@@ -52,7 +52,7 @@
      A detailed analysis of the security settings is executed and displayed.
      If a service unit is not specified, all currently loaded, long-running service units are inspected and the results are displayed in a terse table.
      </para>
-<para>The command upon checking the security settings, assigns a numeric value , also known as <emphasis>exposure level</emphasis>.
+<para>Upon checking the security settings, the command assigns a numeric value , also known as <emphasis>exposure level</emphasis>.
   This value is dependent on how important a setting is. It then calculates an overall exposure level for the whole unit. This value ranges
   from 0.0-10.0, which is an indicator of how exposed a service is security wise.
   High exposure levels indicate that the service might benefit from additional security settings.
diff --git a/tasks/systemd-example-secure-service.xml b/tasks/systemd-example-secure-service.xml
index 9c375146d..97e50a37e 100644
--- a/tasks/systemd-example-secure-service.xml
+++ b/tasks/systemd-example-secure-service.xml
@@ -49,7 +49,7 @@ NAME                DESCRIPTION                              EXPOSURE
                </step>
               </procedure>
                <section xml:id="improving-overall-exposure">
-                <title>How to improve the overall exposure with options?</title>
+                <title>How to improve the overall exposure</title>
                 <para>Use the command <command>systemd-analyze security</command> to analyze the security settings of a
                 &systemd; service. For example: </para>
 <screen>
@@ -126,17 +126,17 @@ NAME                DESCRIPTION                              EXPOSURE
                         <command>pscap</command> tool from the <package>libcap-ng-utils</package> package.
                       </para>
                     </tip>
-                    <tip>
+
                       <para>
-                        The <literal>~</literal> prefix inverts the meaning of the option&mdash;instead of
-                        listing all capabilities that the service retains, you may list the ones it does not
+                        The <literal>~</literal> prefix inverts the meaning of the option&mdash;. Instead of
+                        listing all capabilities that the service retains, you can list the ones it does not
                         retain:
                       </para>
 <screen>...
 [Service]
 CapabilityBoundingSet=~CAP_SYS_PTRACE
 ...</screen>
-                    </tip>
+
                   </listitem>
 
                 </varlistentry>

From 08909565a5a38142ad5a8433fd319cc81da2319e Mon Sep 17 00:00:00 2001
From: Amrita <amrita.sakthivel@suse.com>
Date: Tue, 10 Dec 2024 16:22:07 +0530
Subject: [PATCH 5/6] review feedback-2

---
 tasks/systemd-example-secure-service.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tasks/systemd-example-secure-service.xml b/tasks/systemd-example-secure-service.xml
index 97e50a37e..1663e7415 100644
--- a/tasks/systemd-example-secure-service.xml
+++ b/tasks/systemd-example-secure-service.xml
@@ -121,9 +121,10 @@ NAME                DESCRIPTION                              EXPOSURE
                       any other capabilities, not even via setuid binaries.
                     </para>
                     <tip>
+                    <title>The <command>pscap</command> command tool</title>
                       <para>
-                        To easily identify which processes on your system retain which capabilities, use the
-                        <command>pscap</command> tool from the <package>libcap-ng-utils</package> package.
+                                              To easily identify which processes on your system retain which capabilities, use the
+                        <command>pscap</command> command tool from the <package>libcap-ng-utils</package> package.
                       </para>
                     </tip>
 

From eb4b365baf9895c5a4bdf2909c66f845ae1bfe75 Mon Sep 17 00:00:00 2001
From: Amrita <amrita.sakthivel@suse.com>
Date: Wed, 11 Dec 2024 14:46:08 +0530
Subject: [PATCH 6/6] metadata and review

---
 DC-systemd-securing                      | 10 ++++++----
 articles/systemd-securing.asm.xml        |  2 +-
 tasks/systemd-example-secure-service.xml |  4 ++--
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/DC-systemd-securing b/DC-systemd-securing
index 1e0595555..f7aa7a79a 100644
--- a/DC-systemd-securing
+++ b/DC-systemd-securing
@@ -4,9 +4,11 @@ SRC_DIR="articles"
 IMG_SRC_DIR="images"
 
 PROFCONDITION="suse-product"
-PROFOS="sles"
-#PROFCONDITION="suse-product;beta"
-#PROFCONDITION="community-project"
-
+## Profiling
+PROFOS="PRODUCT"
+PROFCONDITION="PRODUCTNUMBER"
+STRUCTID="STRUCTURE-ID"
+PROFARCH="x86_64;zseries;power;aarch64"
+DOCBOOK5_RNG_URI="urn:x-suse:rng:v2:geekodoc-flat"
 STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns"
 FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"
diff --git a/articles/systemd-securing.asm.xml b/articles/systemd-securing.asm.xml
index c8aeef7f8..1c091e09a 100644
--- a/articles/systemd-securing.asm.xml
+++ b/articles/systemd-securing.asm.xml
@@ -73,7 +73,7 @@
         <phrase>&power;</phrase>How to improve the overall exposure
       </meta>
       <meta name="productname" its:translate="no">
-        <productname version="16.0" os="sles">&productname;</productname>
+        <productname version="15-SP6">&sles;</productname>
       </meta>
       <meta name="title" its:translate="yes">Securing &systemd; services</meta>
       <meta name="description" its:translate="yes">Securing &systemd; services</meta>
diff --git a/tasks/systemd-example-secure-service.xml b/tasks/systemd-example-secure-service.xml
index 1663e7415..6935d40f8 100644
--- a/tasks/systemd-example-secure-service.xml
+++ b/tasks/systemd-example-secure-service.xml
@@ -16,8 +16,8 @@
     <meta name="maintainer" content="amrita.sakthivel@suse.com" its:translate="no"/>
     <abstract>
       <para>
-       Use &systemd; to secure and strengthen services using specific directives and verify the same.
-       Use the <literal>security</literal> option to analyze the security and the sandboxing settings of one or more specified services.
+       Use the <command>systemd-analyze security</command> command to analyze the security settings of a  &systemd; service.
+       The <literal>security</literal> option analyzes the security and the sandboxing settings of one or more specified services.
        </para>
 
     </abstract>