ComplianceAsCode · teacup-on-rockingchair · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_limit_user_access/oval/sle16.xml
@@ -0,0 +1,100 @@
+{{% macro test_sshd_lineinfile(filepath, param, id) %}}
+{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
+  <ind:textfilecontent54_test id="{{{ id }}}" version="1" check="all"
+    check_existence="only_one_exists" comment="Check if there is an {{{ param }}} entry in {{{ filepath }}}">
+    <ind:object object_ref="object_{{{ param }}}{{{ object_id }}}" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_{{{ param }}}{{{ object_id }}}" version="1">
+    <ind:filepath operation="pattern match">^{{{ filepath }}}</ind:filepath>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endmacro %}}
+
+{{% macro test_sshd_lineindir(filepath, param, id) %}}
+{{%- set object_id = filepath | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
+  <ind:textfilecontent54_test id="{{{ id }}}" version="1" check="all"
+    check_existence="only_one_exists" comment="Check if there is an {{{ param }}} entry in {{{ filepath }}}">
+    <ind:object object_ref="object_{{{ param }}}{{{ object_id }}}" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_{{{ param }}}{{{ object_id }}}" version="1">
+    <ind:path>{{{ filepath }}}</ind:path>
+    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match" datatype="string">(?i)^[ ]*{{{ param }}}[ ]+((?:[^ \n]+[ ]*)+)$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endmacro %}}
+
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("One of the following parameters of the sshd configuration file is set: AllowUsers, DenyUsers, AllowGroups, DenyGroups.", rule_title=rule_title) }}}
+    <criteria operator="OR" comment="sshd limits the users who can log in">
+      <criteria comment="AllowUsers, DenyUsers, AllowGroups, DenyGroups when using /etc/ssh/sshd_config" operator="AND">
+        <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/>
+        <criteria operator="OR">
+            <criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+        </criteria>
+      </criteria>
+      <criteria comment="AllowUsers, DenyUsers, AllowGroups, DenyGroups when using /usr/etc/ssh/sshd_config" operator="AND">
+        <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/>
+        <criteria operator="OR">
+            <criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig" />
+            <criterion test_ref="test_allow_user_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_allow_groups_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_users_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_groups_is_configured_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir" />
+            <criterion test_ref="test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="all_exist"
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="test_etc_ssh_sshd_config_exist"
+      state_operator="AND" version="1">
+    <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/>
+  </unix:file_test>
+  <unix:file_object
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="obj_etc_ssh_sshd_config_exist" version="1">
+    <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath>
+  </unix:file_object>
+
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig") }}}
+
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig") }}}
+  {{{ test_sshd_lineinfile("/usr/etc/ssh/sshd_config", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig") }}}
+
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_etc_ssh_sshdconfig_dir") }}}
+
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowUsers", "test_allow_user_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "AllowGroups", "test_allow_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyUsers", "test_deny_users_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+  {{{ test_sshd_lineindir("/usr/etc/ssh/sshd_config.d", "DenyGroups", "test_deny_groups_is_configured_usr_etc_ssh_sshdconfig_dir") }}}
+</def-group>
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+echo "AllowGroups group" >> /etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
 echo "AllowGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+echo "AllowUsers testuser1 testuser2 testuser3" >> /usr/etc/ssh/sshd_config
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+declare -a SSHD_PATHS=("/etc/ssh/sshd_config")
+{{% if product == 'sle16' %}}
+SSHD_PATHS+=("/usr/etc/ssh/sshd_config" /usr/etc/ssh/sshd_config.d/* /etc/ssh/sshd_config.d/*)
+{{% endif %}}
+# clean up configurations
+sed -i '/^(Allow|Deny)(Users|Groups).*/d' "${SSHD_PATHS[@]}"
+
+# restore to defaults for sle16
+{{% if product == 'sle16' %}}
+if [ -e "/etc/ssh/sshd_config" ] ; then
+    rm /etc/ssh/sshd_config
+fi
+{{% endif %}}
@@ -0,0 +1,7 @@
+#!/bin/bash
+# remediation = none
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+touch /etc/ssh/sshd_config
+echo "DenyGroups testgroup" >> /usr/etc/ssh/sshd_config
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
@@ -1,4 +1,4 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "DenyUsers testuser1 testuser2 testuser3" >> /etc/ssh/sshd_config
 echo "DenyGroups testgroup1 testgroup2 testgroup3" >> /etc/ssh/sshd_config
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = SUSE Linux Enterprise 16
+source common.sh
+
+echo "DenyUsers user" >> /usr/etc/ssh/sshd_config.d/01-complianceascode-reinforce-os-defaults.conf
@@ -1,6 +1,6 @@
 #!/bin/bash
 # remediation = none
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowGroups " >> /etc/ssh/sshd_config
 echo "DenyGroups " >> /etc/ssh/sshd_config
@@ -1,6 +1,6 @@
 #!/bin/bash
 # remediation = none
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
 echo "AllowUsers " >> /etc/ssh/sshd_config
 echo "DenyUsers " >> /etc/ssh/sshd_config
@@ -1,4 +1,4 @@
 #!/bin/bash
 # remediation = none
 
-find /etc/ssh/sshd_config* -type f -print0 | xargs -0 sed -i '/^(Allow|Deny)(Users|Groups).*/d'
+source common.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/sle16.xml
@@ -0,0 +1,153 @@
+<def-group>
+  <definition class="compliance" id="sshd_set_idle_timeout" version="1">
+    {{{ oval_metadata("The SSH idle timeout interval should be set to an appropriate value.", rule_title=rule_title) }}}
+    <criteria comment="SSH is configured correctly or is not installed" operator="OR">
+      <criteria comment="sshd is not installed" operator="AND">
+        <extend_definition comment="sshd is not required or requirement is unset" definition_ref="sshd_not_required_or_unset"/>
+        <extend_definition comment="rpm package openssh-server removed" definition_ref="package_openssh-server_removed"/>
+      </criteria>
+      <criteria comment="sshd is installed and configured using /etc/ssh/sshd_config" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset"/>
+        <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed"/>
+        <criteria comment="ClientAliveInterval is configured correctly in /etc/ssh/sshd_config" operator="AND">
+          <criterion comment="SSH configuration /etc/ssh/sshd_config exists" test_ref="test_etc_ssh_sshd_config_exist"/>
+          <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config" test_ref="test_sshd_idle_timeout_etc" />
+          <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_config_dir"/>
+          <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_usr_config_dir"/>
+          <criterion comment="the configuration exists" test_ref="test_clientaliveinterval_present_etc" />
+        </criteria>
+      </criteria>
+      <criteria comment="sshd is installed and configured using /usr/etc/ssh/sshd_config" operator="AND">
+        <extend_definition comment="sshd is required or requirement is unset" definition_ref="sshd_required_or_unset" />
+        <extend_definition comment="rpm package openssh-server installed" definition_ref="package_openssh-server_installed" />
+        <criteria comment="ClientAliveInterval is configured correctly in /usr/etc/ssh/sshd_config" operator="AND">
+          <criterion comment="SSH configuration /etc/ssh/sshd_config does not exists" test_ref="test_etc_ssh_sshd_config_exist" negate="true"/>
+          <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config" test_ref="test_sshd_idle_timeout_usr" />
+          <criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_config_dir"/>
+          <criterion comment="Check ClientAliveInterval in /usr/etc/ssh/sshd_config.d/" test_ref="test_sshd_idle_timeout_usr_config_dir"/>
+          <criterion comment="the configuration exists" test_ref="test_clientaliveinterval_present_usr" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="all_exist"
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="test_etc_ssh_sshd_config_exist"
+      state_operator="AND" version="1">
+    <unix:object object_ref="obj_etc_ssh_sshd_config_exist"/>
+  </unix:file_test>
+  <unix:file_object
+      comment="SSH configuration /etc/ssh/sshd_config exists"
+      id="obj_etc_ssh_sshd_config_exist" version="1">
+    <unix:filepath operation="pattern match">^/etc/ssh/sshd_config</unix:filepath>
+  </unix:file_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="timeout is configured in /etc/ssh/sshd_config"
+    id="test_sshd_idle_timeout_etc" version="1">
+    <ind:object object_ref="object_sshd_idle_timeout_etc" />
+    <ind:state state_ref="state_timeout_value_upper_bound" />
+    <ind:state state_ref="state_timeout_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_idle_timeout_etc" version="2">
+    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="timeout is configured in /usr/etc/ssh/sshd_config"
+    id="test_sshd_idle_timeout_usr" version="1">
+    <ind:object object_ref="object_sshd_idle_timeout_usr" />
+    <ind:state state_ref="state_timeout_value_upper_bound" />
+    <ind:state state_ref="state_timeout_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_idle_timeout_usr" version="2">
+    <ind:filepath>/usr/etc/ssh/sshd_config</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="timeout is configured in config directory /etc/ssh/sshd_config.d"
+    id="test_sshd_idle_timeout_config_dir" version="1">
+    <ind:object object_ref="object_sshd_idle_timeout_config_dir" />
+    <ind:state state_ref="state_timeout_value_upper_bound" />
+    <ind:state state_ref="state_timeout_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_idle_timeout_config_dir" version="2">
+    <ind:path>/etc/ssh/sshd_config.d</ind:path>
+    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="any_exist"
+    comment="timeout is configured in config directory /usr/etc/ssh/sshd_config.d"
+    id="test_sshd_idle_timeout_usr_config_dir" version="1">
+    <ind:object object_ref="object_sshd_idle_timeout_usr_config_dir" />
+    <ind:state state_ref="state_timeout_value_upper_bound" />
+    <ind:state state_ref="state_timeout_value_lower_bound" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sshd_idle_timeout_usr_config_dir" version="2">
+    <ind:path>/usr/etc/ssh/sshd_config.d</ind:path>
+    <ind:filename operation="pattern match">.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds"
+  id="state_timeout_value_upper_bound" version="1">
+    <ind:subexpression datatype="int" operation="less than or equal" var_check="all"
+    var_ref="sshd_idle_timeout_value" />
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds"
+  id="state_timeout_value_lower_bound" version="1">
+    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_test id="test_clientaliveinterval_present_etc" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of ClientAliveInterval is present">
+    <ind:object object_ref="obj_collection_obj_sshd_set_idle_timeout" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_idle_timeout" version="1">
+    <set set_operator="UNION">
+      <set set_operator="UNION">
+        <object_reference>object_sshd_idle_timeout_etc</object_reference>
+      </set>
+      <set set_operator="UNION">
+        <object_reference>object_sshd_idle_timeout_config_dir</object_reference>
+        <object_reference>object_sshd_idle_timeout_usr_config_dir</object_reference>
+      </set>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_clientaliveinterval_present_usr" version="1"
+    check="all" check_existence="at_least_one_exists"
+    comment="Verify that the value of ClientAliveInterval is present">
+    <ind:object object_ref="obj_collection_obj_sshd_set_idle_timeout_usr" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="All confs collection" id="obj_collection_obj_sshd_set_idle_timeout_usr" version="1">
+    <set set_operator="UNION">
+      <set set_operator="UNION">
+        <object_reference>object_sshd_idle_timeout_usr</object_reference>
+      </set>
+      <set set_operator="UNION">
+        <object_reference>object_sshd_idle_timeout_config_dir</object_reference>
+        <object_reference>object_sshd_idle_timeout_usr_config_dir</object_reference>
+      </set>
+    </set>
+  </ind:textfilecontent54_object>
+
+  <external_variable comment="timeout value" datatype="int" id="sshd_idle_timeout_value" version="1" />
+
+</def-group>