diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 7a82d691657b..cadaa76aca99 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
@@ -12,6 +12,7 @@ concurrency:
 jobs:
 validate-sle:
 name: Build, Test on SLE Latest (Container)
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-latest
 container:
 image: registry.suse.com/bci/bci-base:latest
@@ -42,6 +43,7 @@ jobs:
 validate-suse:
 name: Build, Test on OpenSUSE Leap 15 (Container)
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-latest
 container:
 image: opensuse/leap:15
@@ -85,6 +87,7 @@ jobs:
 validate-ubuntu-22-04:
 name: Build, Test on Ubuntu 22.04
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-22.04
 steps:
 - name: Install Deps
@@ -104,6 +107,7 @@ jobs:
 validate-ubuntu-24-04:
 name: Build, Test on Ubuntu 24.04
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-24.04
 steps:
 - name: Install Deps
@@ -123,6 +127,7 @@ jobs:
 validate-fedora-rawhide:
 name: Build, Test on Fedora Rawhide (Container)
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-latest
 container:
 image: registry.fedoraproject.org/fedora:rawhide
diff --git a/.github/workflows/gate_fedora.yml b/.github/workflows/gate_fedora.yml
index 87f6220e48be..48bb0aa19356 100644
--- a/.github/workflows/gate_fedora.yml
+++ b/.github/workflows/gate_fedora.yml
@@ -12,6 +12,7 @@ concurrency:
 jobs:
 validate-fedora:
 name: Build, Test on Fedora Latest (Container)
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-latest
 container:
 image: fedora:latest
diff --git a/.github/workflows/gate_thin_ds.yml b/.github/workflows/gate_thin_ds.yml
index f0b9621de733..43f56d737490 100644
--- a/.github/workflows/gate_thin_ds.yml
+++ b/.github/workflows/gate_thin_ds.yml
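Review bot: The `if: github.repository == 'ComplianceAsCode/content'` line added to each job carries no comment saying why the gate is skipped outside the upstream repository, and the identical literal condition is now repeated on seven jobs across gate.yaml, gate_fedora.yml and gate_thin_ds.yml, so a job added later will silently run without it. A one-line comment above each occurrence would record the intent, e.g. `# Only run this gate in the upstream repository; forks may remove this line to run it locally.`. If any job in these files depends on a gated job through `needs:` (not visible in the hunks), the skip cascades and the dependent job is skipped as well, which is worth confirming before merging. The same point applies to the gate_fedora.yml hunk on this line and the gate_thin_ds.yml hunk that follows.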
@@ -12,6 +12,7 @@ concurrency:
 jobs:
 build-and-test-thin-ds:
 name: Build, Test on Fedora Latest (Container)
+ if: github.repository == 'ComplianceAsCode/content'
 runs-on: ubuntu-latest
 container:
 image: fedora:latest
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 000000000000..e4052f8e351c
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,247 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Project Overview + +This repository produces SCAP data streams, Ansible playbooks, Bash scripts, and other artifacts for compliance scanning and remediation. Each supported OS or platform is a **product** (subdirectory under `products/`). The core Python library that drives the build system lives in `ssg/`. + +## Build Commands + +```bash +# Build a single product (full build including guides and tables) +./build_product rhel9 + +# Build data stream only (faster — skips guides and tables) +./build_product rhel9 --datastream-only + +# Build targeting a single rule (fastest — for development) +./build_product rhel9 --datastream-only --rule-id accounts_password_minlen_login_defs + +# Build output: build/ssg--ds.xml +``` + +## Linting and Testing + +```bash +# Lint Python code +ruff check ssg utils tests build-scripts + +# Lint YAML files +yamllint -c .yamllint + +# Auto-fix YAML lint issues +yamlfix -c yamlfix.toml + +# Run Python unit tests +python -m pytest tests/unit/ssg-module/ + +# Run utils that import ssg/ — must set PYTHONPATH first +PYTHONPATH=. python utils/controleval.py --help +PYTHONPATH=. python utils/find_duplicates.py --help +``` + +Python style: PEP 8 with a 99-character line limit. YAML style: 4-space indentation for new files (some older files use 2-space), `.yml` extension, one blank line between sections. 
+ +## Repository Structure + +``` +applications/openshift/ # OCP4/Kubernetes rules, organized by component (api-server/, kubelet/, etcd/, …) +linux_os/guide/ # Linux rules organized by area (system/, services/, auditing/, …) +controls/ # Compliance framework mappings (CIS, STIG, SRG, NIST, …) +products/ # Product definitions, profiles, and product-specific controls +shared/templates/ # ~40 reusable check/remediation templates +shared/macros/ # Jinja2 macro files for OVAL, Ansible, Bash generation +components/ # Component definitions mapping rules to packages (e.g., audit.yml) +ssg/ # Python library used by build-scripts/ and utils/ +build-scripts/ # CMake-invoked scripts that assemble the build artifacts +utils/ # Developer utilities (controleval, find_duplicates, compare_ds, …) +``` + +## Discovering Rule Directories + +- **OCP4/Kubernetes rules**: `applications/openshift//`, where the rule ID prefix matches the component name with hyphens → underscores (e.g., `api-server/` → `api_server_` prefix). +- **Linux rules**: `linux_os/guide//`, e.g., `system/accounts/`, `services/ssh/`, `auditing/`. +- Each rule lives in its own directory; the **directory name is the rule ID**. It contains `rule.yml` and optionally `tests/`. +- Each category directory contains a `group.yml` describing the group. Rules must belong to a group that covers the same software or service. + +## Rule Format (`rule.yml`) + +Sections **must appear in this order** when present: + +```yaml +documentation_complete: true # Must be true to be built + +title: 'Title Case Short Title' # One line; must match directory name + +description: |- # HTML-Like: supports ,
, , , 
    ,
  • +rationale: |- +severity: medium # low | medium | high | unknown + +identifiers: # Keys alphabetical order + cce@rhel9: CCE-XXXXX-X + +references: # Keys alphabetical order + cis@rhel9: 1.2.3 + nist: CM-6,CM-6(1) + stigid@rhel9: RHEL-09-XXXXXX + +platform: machine # Use platform (not platforms) for new rules + +ocil_clause: 'the value is not set' +ocil: |- # Manual check instructions (HTML-Like) + +fixtext: |- # STIG fix instructions (HTML-Like) +checktext: |- # STIG check instructions (HTML-Like) +srg_requirement: '...' + +warnings: + - general: |- + +conflicts: + - some_rule_id +requires: + - other_rule_id + +template: + name: + vars: ... +``` + +One rule = one configuration change. Create a variable (`.var` file) when a setting can take multiple valid values. + +## Available Templates (`shared/templates/`) + +Key templates for Linux: `sysctl`, `file_permissions`, `file_owner`, `file_groupowner`, `shell_lineinfile`, `sshd_lineinfile`, `service_enabled`, `service_disabled`, `package_installed`, `package_removed`, `audit_rules_*`, `kernel_module_disabled`, `grub2_bootloader_argument`, `sudo_defaults_option`, `sebool`, `dconf_ini_file`. + +Key templates for OCP4: `yamlfile_value`. + +When a template fits, always use it rather than writing custom OVAL/Ansible/Bash checks. + +### `yamlfile_value` (primary OCP4 template) + +```yaml +template: + name: yamlfile_value + vars: + ocp_data: "true" + filepath: '/apis/...' 
+ yamlpath: '.spec.field' + check_existence: "at_least_one_exists" # optional + entity_check: "at least one" # optional + values: + - value: 'expected' + type: "string" # string | int | boolean + operation: "pattern match" # equals | not equal | pattern match | greater than or equal | less than or equal +``` + +### Other common templates + +```yaml +# sysctl +template: + name: sysctl + vars: + sysctlvar: net.ipv6.conf.all.accept_ra + datatype: int + +# file_permissions +template: + name: file_permissions + vars: + filepath: /etc/ssh/sshd_config + filemode: '0600' + +# shell_lineinfile +template: + name: shell_lineinfile + vars: + path: /etc/login.defs + parameter: PASS_MIN_LEN + value: '15' + +# package_installed / package_removed +template: + name: package_removed + vars: + pkgname: avahi + pkgname@ubuntu2204: avahi-daemon # product-scoped override +``` + +## Common Jinja2 Macros + +``` +{{{ full_name }}} → product full name +{{{ xccdf_value("var_name") }}} → XCCDF variable reference +{{{ describe_sysctl_option_value(sysctl="key", value="val") }}} +{{{ complete_ocil_entry_sysctl_option_value(sysctl="key", value="val") }}} +{{{ fixtext_sysctl("key", "value") }}} +{{{ describe_service_disable(service="name") }}} +{{{ describe_service_enable(service="name") }}} +{{{ describe_file_permissions(file="/path", perms="0700") }}} +{{{ fixtext_directory_permissions(file="/path", mode="0600") }}} +{{{ complete_ocil_entry_package_installed("name") }}} +{{{ complete_ocil_entry_package_removed("name") }}} +{{{ fixtext_package_removed("name") }}} +{{{ weblink("https://...") }}} + +# OCP4 specific +{{{ openshift_cluster_setting("/api/path") }}} +{{{ openshift_filtered_cluster_setting({'/api/path': jqfilter}) }}} +{{{ openshift_filtered_path('/api/path', jqfilter) }}} +``` + +## Control File Format + +Two layouts exist: + +**Single file** (`controls/.yml` or `products//controls/.yml`): +```yaml +policy: 'Policy Title' +title: 'Full Title' +id: policy_id +version: V1R1 
+reference_type: stigid # or cis, srg, etc. +product: rhel9 +levels: + - id: high +controls: + - id: RHEL-09-211010 + levels: [high] + title: '...' + rules: [installed_OS_is_vendor_supported] + status: automated # automated | manual | inherently met | does not meet | pending | not applicable + notes: '...' +``` + +**Split directory** (`controls/.yml` + `controls//section-N.yml`): used for large frameworks like CIS. The top-level file holds `policy`, `title`, `id`, `levels`; section files hold nested `controls:` lists. + +## Profile Format + +`products//profiles/.profile`: + +```yaml +documentation_complete: true +title: 'Profile Title' +description: |- +platform: rhel9 +metadata: + version: V2R7 + SMEs: [github_username] +selections: + - stig_rhel9:all # all rules from a control file + - specific_rule_id + - '!excluded_rule_id' + - var_name=value +``` + +## Guidelines for Claude + +1. **Always show proposals before making changes.** Present the full content of any new or modified file and wait for explicit approval. +2. **Follow existing patterns.** Before creating a rule, find 2-3 similar existing rules and match their style exactly. +3. **Check for duplicates.** Search before creating a new rule; use `PYTHONPATH=. python utils/find_duplicates.py`. +4. **Use the correct directory.** Find existing rules with the same prefix to locate the right subdirectory. +5. **Preserve formatting.** 4-space YAML indentation for new files; match surrounding file style. +6. **Don't invent references.** Only use CCE, CIS, STIG, SRG, NIST IDs the user provides or that exist in authoritative source documents. +7. **Use templates.** When a shared template covers the requirement, use it instead of writing custom checks. +8. **Rule sections order.** Follow the exact field order listed in the Rule Format section above. diff --git a/CMakeLists.txt b/CMakeLists.txt index 22b05a236dd1..96232f10e4c2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -146,7 +146,7 @@ find_program(XMLLINT_EXECUTABLE NAMES xmllint REQUIRED) find_program(XSLTPROC_EXECUTABLE NAMES xsltproc REQUIRED) find_program(YAMLLINT_EXECUTABLE NAMES yamllint) -if(SSG_PRODUCT_FEDORA OR SSG_PRODUCT_RHEL8 OR SSG_PRODUCT_RHEL9 OR SSG_PRODUCT_RHEL10 OR SSG_PRODUCT_UBUNTU2004 OR SSG_PRODUCT_UBUNTU2204 OR SSG_PRODUCT_UBUNTU2404) +if(SSG_PRODUCT_FEDORA OR SSG_PRODUCT_RHEL8 OR SSG_PRODUCT_RHEL9 OR SSG_PRODUCT_RHEL10 OR SSG_PRODUCT_UBUNTU2004 OR SSG_PRODUCT_UBUNTU2204 OR SSG_PRODUCT_UBUNTU2404 OR SSG_PRODUCT_DEBIAN11 OR SSG_PRODUCT_DEBIAN12 OR SSG_PRODUCT_DEBIAN13) set(SSG_SCE_ENABLED ON) endif() diff --git a/build/.gitkeep b/build/.gitkeep deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/components/apparmor.yml b/components/apparmor.yml index 9f2e000260e9..770f9d537214 100644 --- a/components/apparmor.yml +++ b/components/apparmor.yml @@ -12,3 +12,4 @@ rules: - package_apparmor_installed - package_apparmor-utils_installed - package_pam_apparmor_installed +- sysctl_kernel_apparmor_restrict_unprivileged_unconfined diff --git a/components/apt.yml b/components/apt.yml index cb1cbd476842..8148a2d7df81 100644 --- a/components/apt.yml +++ b/components/apt.yml 
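Review bot: The `if(...)` that sets SSG_SCE_ENABLED is now a single line of ten OR'd product flags, which hides the three Debian additions in review and will keep growing one flag at a time; writing it one product per line keeps every future addition to a one-line diff. A comment stating the criterion for being on the list would also help, e.g. `# Products for which SCE (Script Check Engine) checks are built`. The matching `endif()` is inside the hunk, so the rewrite below is self-contained.
```cmake
# Products for which SCE (Script Check Engine) checks are built
if(SSG_PRODUCT_FEDORA
   OR SSG_PRODUCT_RHEL8
   OR SSG_PRODUCT_RHEL9
   OR SSG_PRODUCT_RHEL10
   OR SSG_PRODUCT_UBUNTU2004
   OR SSG_PRODUCT_UBUNTU2204
   OR SSG_PRODUCT_UBUNTU2404
   OR SSG_PRODUCT_DEBIAN11
   OR SSG_PRODUCT_DEBIAN12
   OR SSG_PRODUCT_DEBIAN13)
    set(SSG_SCE_ENABLED ON)
endif()
```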
@@ -5,4 +5,26 @@ packages:
 - apt
 rules:
 - apt_conf_disallow_unauthenticated
+- apt_disable_weak_dependencies
 - apt_sources_list_official
+- directory_groupowner_apt_auth_conf_d
+- directory_groupowner_apt_sources_list_d
+- directory_groupowner_apt_trusted_gpg_d
+- directory_groupowner_usr_share_keyrings
+- directory_owner_apt_auth_conf_d
+- directory_owner_apt_sources_list_d
+- directory_owner_apt_trusted_gpg_d
+- directory_owner_usr_share_keyrings
+- directory_permissions_apt_auth_conf_d
+- directory_permissions_apt_sources_list_d
+- directory_permissions_apt_trusted_gpg_d
+- directory_permissions_usr_share_keyrings
+- file_groupowner_apt_auth_conf_d
+- file_groupowner_apt_gpg_keys
+- file_groupowner_apt_sources_list_d
+- file_owner_apt_auth_conf_d
+- file_owner_apt_gpg_keys
+- file_owner_apt_sources_list_d
+- file_permissions_apt_auth_conf_d
+- file_permissions_apt_gpg_keys
+- file_permissions_apt_sources_list_d
diff --git a/components/kea.yml b/components/kea.yml
index b4db421edd9d..c80631898db3 100644
--- a/components/kea.yml
+++ b/components/kea.yml
@@ -3,3 +3,6 @@ packages:
 - kea
 rules:
 - package_kea_removed
+- service_kea_dhcp4_server_disabled
+- service_kea_dhcp6_server_disabled
+- service_kea_dhcp_ddns_server_disabled
diff --git a/components/kernel.yml b/components/kernel.yml
index ef50ac95e91e..eee782928c69 100644
--- a/components/kernel.yml
+++ b/components/kernel.yml
@@ -201,6 +201,8 @@ rules:
 - sysctl_net_ipv6_conf_default_forwarding
 - sysctl_net_ipv6_conf_default_max_addresses
 - sysctl_net_ipv6_conf_default_router_solicitations
+- sysctl_conf_symlink_etc_sysctl_d
+- sysctl_reapply_after_network
 - sysctl_user_max_user_namespaces
 - sysctl_user_max_user_namespaces_no_remediation
 - sysctl_vm_mmap_min_addr
diff --git a/components/openssh.yml b/components/openssh.yml
index 63c1017aecf8..06dac05cba3a 100644
--- a/components/openssh.yml
+++ b/components/openssh.yml
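Review bot: In the components/kernel.yml hunk, `sysctl_conf_symlink_etc_sysctl_d` is inserted after the `sysctl_net_ipv6_*` entries although every visible neighbour is in alphabetical order (`sysctl_net_…`, `sysctl_user_…`, `sysctl_vm_…`), so it belongs earlier in the list, ahead of the `sysctl_net_*` block; its exact slot depends on lines outside the hunk, while `sysctl_reapply_after_network` is already placed correctly. The same ordering slip is in the components/openssh.yml hunk on the next line, where `sshd_set_allow_groups` is added before `sshd_rekey_limit` and should instead sit between `sshd_rekey_limit` and `sshd_set_idle_timeout`. The apt.yml and kea.yml additions in this hunk keep the sorted order. If these lists are not meant to be sorted this is cosmetic, but the surrounding entries suggest they are.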
@@ -71,6 +71,7 @@ rules:
 - sshd_enable_x11_forwarding
 - sshd_limit_user_access
 - sshd_print_last_log
+- sshd_set_allow_groups
 - sshd_rekey_limit
 - sshd_set_idle_timeout
 - sshd_set_keepalive
diff --git a/components/syslog-ng.yml b/components/syslog-ng.yml
index 88b09f225e35..9862dda16258 100644
--- a/components/syslog-ng.yml
+++ b/components/syslog-ng.yml
@@ -4,3 +4,5 @@ packages:
 rules:
 - package_syslogng_installed
 - service_syslogng_enabled
+- syslogng_filecreatemode
+- syslogng_nolisten
diff --git a/components/ufw.yml b/components/ufw.yml
index 3ceaeeed9064..b79ffaafd565 100644
--- a/components/ufw.yml
+++ b/components/ufw.yml
@@ -10,6 +10,9 @@ rules:
 - service_ufw_enabled
 - set_ufw_default_rule
 - set_ufw_loopback_traffic
+- ufw_default_incoming_rule
+- ufw_default_outgoing_rule
+- ufw_disabled_routed
 - ufw_only_required_services
 - ufw_rate_limit
 - ufw_rules_for_open_ports
diff --git a/controls/cis_debian13.yml b/controls/cis_debian13.yml
index f409e5958dfd..e0c6db034727 100644
--- a/controls/cis_debian13.yml
+++ b/controls/cis_debian13.yml
@@ -65,7 +65,7 @@ controls:
 status: automated
 - id: 1.1.1.6
- title: Ensure overlayfs kernel module is not available (Automated)
+ title: Ensure overlay kernel module is not available (Automated)
 levels:
 - l2_server
 - l2_workstation
@@ -78,7 +78,7 @@ controls:
 levels:
 - l2_server
 - l2_workstation
- related_rules:
+ rules:
 - kernel_module_squashfs_disabled
 status: automated
@@ -117,7 +117,7 @@ controls:
 status: manual
 - id: 1.1.2.1.1
- title: Ensure /tmp is a separate partition (Automated)
+ title: Ensure /tmp is tmpfs or a separate partition (Automated)
 levels:
 - l1_server
 - l1_workstation
@@ -362,107 +362,116 @@ controls: levels: - l2_server - l2_workstation - status: pending - notes: |- - Needs a new Debian-specific rule checking weak dependencies + rules: + - apt_disable_weak_dependencies + status: automated - id: 1.2.1.3 title: Ensure access to gpg key files are configured (Automated) levels: - l1_server - - l2_server - status: pending - notes: |- - Needs a new Debian-specific rule for GPG key file access checks. - Check if all .gpg key files in /usr/share/keyrings/ and /etc/apt/trusted.gpg.d have permissions 0644 and owned by root:root - Check if .list and .sources in /etc/apt/sources.list.d have permissions 0644 and owned by root:root and include option signed-by + rules: + - file_groupowner_apt_gpg_keys + - file_groupowner_apt_sources_list_d + - file_owner_apt_gpg_keys + - file_owner_apt_sources_list_d + - file_permissions_apt_gpg_keys + - file_permissions_apt_sources_list_d + status: automated - id: 1.2.1.4 - title: Ensure access to /etc/apt/trusted.gpg.d directory is configured + title: Ensure access to /etc/apt/trusted.gpg.d directory is configured (Automated) levels: - l1_server - - l2_server - status: pending - notes: |- - Needs a new Debian-specific rule for /etc/apt/trusted.gpg.d directory access checks. 
- Check if /etc/apt/trusted.gpg.d has permissions 0755 and owned by root:root - + rules: + - directory_groupowner_apt_trusted_gpg_d + - directory_owner_apt_trusted_gpg_d + - directory_permissions_apt_trusted_gpg_d + status: automated + - id: 1.2.1.5 title: Ensure access to /etc/apt/auth.conf.d directory is configured (Automated) levels: - l1_server - - l2_server - status: pending - notes: |- - Check if /etc/apt/auth.conf.d has permissions 0755 and owned by root:root + rules: + - directory_groupowner_apt_auth_conf_d + - directory_owner_apt_auth_conf_d + - directory_permissions_apt_auth_conf_d + status: automated - id: 1.2.1.6 title: Ensure access to files in the /etc/apt/auth.conf.d/ directory is configured (Automated) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - Check if /etc/apt/auth.conf.d/* has permissions 0755 and owned by root:root + - l1_server + - l1_workstation + rules: + - file_groupowner_apt_auth_conf_d + - file_owner_apt_auth_conf_d + - file_permissions_apt_auth_conf_d + status: automated - id: 1.2.1.7 title: Ensure access to /usr/share/keyrings directory is configured (Automated) levels: - l1_server - - l2_server - status: pending - notes: |- - Check if /usr/share/keyrings has permissions 0755 and owned by root:root + rules: + - directory_groupowner_usr_share_keyrings + - directory_owner_usr_share_keyrings + - directory_permissions_usr_share_keyrings + status: automated - id: 1.2.1.8 title: Ensure access to /etc/apt/sources.list.d directory is configured (Automated) levels: - l1_server - - l2_server - status: pending - notes: |- - Check if /etc/apt/sources.list.d has permissions 0755 and owned by root:root + rules: + - directory_groupowner_apt_sources_list_d + - directory_owner_apt_sources_list_d + - directory_permissions_apt_sources_list_d + status: automated - id: 1.2.1.9 title: Ensure access to files in /etc/apt/sources.list.d are configured (Automated) levels: - l1_server - - l2_server - status: pending - notes: |- - 
Check if /etc/apt/sources.list.d/* has permissions 0755 and owned by root:root + rules: + - file_groupowner_apt_sources_list_d + - file_owner_apt_sources_list_d + - file_permissions_apt_sources_list_d + status: automated - id: 1.2.2.1 title: Ensure updates, patches, and additional security software are installed (Manual) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation status: manual - id: 1.3.1.1 - title: Ensure AppArmor is installed (Automated) + title: Ensure apparmor packages are installed (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - package_apparmor_installed - - package_apparmor-utils_installed + - package_apparmor_installed + - package_apparmor-utils_installed status: automated - id: 1.3.1.2 - title: Ensure AppArmor is enabled in the bootloader configuration (Automated) + title: Ensure AppArmor is enabled (Automated) levels: - l1_server - l1_workstation rules: - grub2_enable_apparmor + - apparmor_configured status: automated - id: 1.3.1.3 title: Ensure all AppArmor Profiles are enforcing (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation rules: - all_apparmor_profiles_enforced status: automated @@ -476,11 +485,11 @@ controls: - id: 1.3.1.4 title: Ensure apparmor_restrict_unprivileged_unconfined is enabled (Automated) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - Check if sysctl kernel.apparmor_restrict_unprivileged_unconfined = 1 + - l1_server + - l1_workstation + rules: + - sysctl_kernel_apparmor_restrict_unprivileged_unconfined + status: automated - id: 1.4.1 title: Ensure bootloader password is set (Automated) 
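Review bot: Control 1.2.1.3 moves to `status: automated`, but the note it replaces also required the `.list`/`.sources` files in /etc/apt/sources.list.d to carry a `signed-by` option, and none of the six rules now listed (judging by their names, all file owner, group-owner and permission checks) appears to cover that. Unless one of them does, `status: partial` with a note such as `notes: |- The signed-by option in sources files is not checked.` would describe the coverage more honestly; the file already uses `partial` for 2.3.3.1 further down. The other controls in this hunk (1.2.1.4 through 1.2.1.9) map cleanly to the new directory_*/file_* apt rules and their removed notes ask for nothing beyond ownership and mode.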
@@ -514,118 +523,2920 @@ controls: - id: 1.5.2 title: Ensure fs.protected_symlinks is configured (Automated) levels: - - l2_server - - l2_workstation + - l1_server + - l1_workstation rules: - sysctl_fs_protected_symlinks status: automated + # Note: CIS Debian 13 v1.0.0 appears to duplicate kernel.yama.ptrace_scope + # in both 1.5.3 and 1.5.10. Keeping both IDs for traceability to the benchmark. - id: 1.5.3 title: Ensure kernel.yama.ptrace_scope is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_yama_ptrace_scope + - sysctl_kernel_yama_ptrace_scope_value=1 + - sysctl_kernel_yama_ptrace_scope status: automated - id: 1.5.4 title: Ensure fs.suid_dumpable is configured (Automated) levels: - - l1_server - - l1_workstation - rules: - - sysctl_fs_suid_dumpable + - l1_server + - l1_workstation + rules: + - sysctl_fs_suid_dumpable status: automated - id: 1.5.5 title: Ensure kernel.dmesg_restrict is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_dmesg_restrict + - sysctl_kernel_dmesg_restrict status: automated - id: 1.5.6 title: Ensure prelink is not installed (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - disable_prelink + - package_prelink_removed status: automated - id: 1.5.7 title: Ensure Automatic Error Reporting is configured (Automated) levels: - - l1_server - - l1_workstation - status: pending - notes: |- - Check if systemctl is-active apport.service , fail if it's active - Check if apport is installed , if it's not installed pass + - l1_server + - l1_workstation + rules: + - service_apport_disabled + status: automated - id: 1.5.8 title: Ensure kernel.kptr_restrict is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_kptr_restrict + - sysctl_kernel_kptr_restrict status: automated - id: 1.5.9 title: 
Ensure kernel.randomize_va_space is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - sysctl_kernel_randomize_va_space + - sysctl_kernel_randomize_va_space status: automated - id: 1.5.10 title: Ensure kernel.yama.ptrace_scope is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: + - sysctl_kernel_yama_ptrace_scope_value=1 - sysctl_kernel_yama_ptrace_scope status: automated - id: 1.5.11 title: Ensure core file size is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - disable_users_coredumps + status: automated - id: 1.5.12 title: Ensure systemd-coredump ProcessSizeMax is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - coredump_disable_backtraces + - coredump_disable_backtraces status: automated - id: 1.5.13 title: Ensure systemd-coredump Storage is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation rules: - - coredump_disable_storage + - coredump_disable_storage status: automated - id: 1.6.1 title: Ensure /etc/motd is configured (Automated) levels: - - l1_server - - l1_workstation + - l1_server + - l1_workstation + rules: + - cis_banner_text=cis + - banner_etc_motd_cis + status: automated + + - id: 1.6.2 + title: Ensure /etc/issue is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - cis_banner_text=cis + - banner_etc_issue_cis + status: automated + + - id: 1.6.3 + title: Ensure /etc/issue.net is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - cis_banner_text=cis + - banner_etc_issue_net_cis + status: automated + + - id: 1.6.4 + title: Ensure access to /etc/motd is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_motd + - file_owner_etc_motd + - file_permissions_etc_motd + status: automated 
+ + - id: 1.6.5 + title: Ensure access to /etc/issue is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_issue + - file_owner_etc_issue + - file_permissions_etc_issue + status: automated + + - id: 1.6.6 + title: Ensure access to /etc/issue.net is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_issue_net + - file_owner_etc_issue_net + - file_permissions_etc_issue_net + status: automated + + - id: 1.7.1 + title: Ensure GDM is removed (Automated) + levels: + - l2_server + rules: + - package_gdm_removed + status: automated + + - id: 1.7.2 + title: Ensure GDM login banner is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_login_banner_text=cis_default + - dconf_login_banner_contents=cis_default + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + status: automated + + - id: 1.7.3 + title: Ensure GDM disable-user-list option is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_disable_user_list + status: automated + + - id: 1.7.4 + title: Ensure GDM screen locks when the user is idle (Automated) + levels: + - l1_server + - l1_workstation + rules: + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_delay + status: automated + notes: | + The rules satisfy both controls 1.7.4 and 1.7.5. + Rule lock_enabled is not part of CIS recommendation but is + required to assure the lock is enabled and cannot be manually disabled. 
+ See https://workbench.cisecurity.org/benchmarks/18959/tickets/23123 + + - id: 1.7.5 + title: Ensure GDM screen locks cannot be overridden (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_screensaver_idle_delay + - dconf_gnome_screensaver_lock_enabled + - dconf_gnome_screensaver_lock_delay + status: automated + notes: | + The rules satisfy both controls 1.7.4 and 1.7.5. + Rule lock_enabled is not part of CIS recommendation but is + required to assure the lock is enabled and cannot be manually disabled. + See https://workbench.cisecurity.org/benchmarks/18959/tickets/23123 + + - id: 1.7.6 + title: Ensure GDM automatic mounting of removable media is disabled (Automated) + levels: + - l1_server + - l2_workstation + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + status: automated + notes: | + The rules satisfy both controls 1.7.6 and 1.7.7 + + - id: 1.7.7 + title: Ensure GDM disabling automatic mounting of removable media is not overridden (Automated) + levels: + - l1_server + - l2_workstation + rules: + - dconf_gnome_disable_automount + - dconf_gnome_disable_automount_open + status: automated + notes: | + The rules satisfy both controls 1.7.6 and 1.7.7 + + - id: 1.7.8 + title: Ensure GDM autorun-never is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_disable_autorun + status: automated + notes: | + The rule satisfies both controls 1.7.8 and 1.7.9 + + - id: 1.7.9 + title: Ensure GDM autorun-never is not overridden (Automated) + levels: + - l1_server + - l1_workstation + rules: + - dconf_gnome_disable_autorun + status: automated + notes: | + The rule satisfies both controls 1.7.8 and 1.7.9 + + - id: 1.7.10 + title: Ensure XDMCP is not enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - gnome_gdm_disable_xdmcp + status: automated + + - id: 1.7.11 + title: Ensure Xwayland is configured (Automated) + levels: + - l1_workstation + rules: + - 
xwayland_disabled + status: automated + + - id: 2.1.1 + title: Ensure autofs services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - service_autofs_disabled + - package_autofs_removed + status: automated + + - id: 2.1.2 + title: Ensure avahi daemon services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - package_avahi_removed + - service_avahi-daemon_disabled + status: automated + + - id: 2.1.3 + title: Ensure dhcp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_kea_removed + - service_kea_dhcp4_server_disabled + - service_kea_dhcp6_server_disabled + - service_kea_dhcp_ddns_server_disabled + status: automated + + - id: 2.1.4 + title: Ensure dns server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_bind_removed + - service_named_disabled + status: automated + + - id: 2.1.5 + title: Ensure dnsmasq services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_dnsmasq_removed + - service_dnsmasq_disabled + status: automated + + - id: 2.1.6 + title: Ensure ftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_vsftpd_removed + - service_vsftpd_disabled + status: automated + + - id: 2.1.7 + title: Ensure ldap server services are not in use (Automated) + levels: + - l1_server + - l1_workstation rules: - - banner_etc_motd_cis - - cis_banner_text=cis + - package_openldap-servers_removed + - service_slapd_disabled status: automated + - id: 2.1.8 + title: Ensure message access server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_dovecot_removed + - service_dovecot_disabled + status: automated + + - id: 2.1.9 + title: Ensure network file system services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - 
package_nfs-kernel-server_removed + - service_nfs_disabled + status: automated + + - id: 2.1.10 + title: Ensure nis server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_ypserv_removed + - service_ypserv_disabled + status: automated + + - id: 2.1.11 + title: Ensure print server services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - package_cups_removed + - service_cups_disabled + status: automated + + - id: 2.1.12 + title: Ensure rpcbind services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rpcbind_removed + - service_rpcbind_disabled + status: automated + + - id: 2.1.13 + title: Ensure rsync services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rsync_removed + - service_rsyncd_disabled + status: automated + + - id: 2.1.14 + title: Ensure samba file server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_samba_removed + - service_smb_disabled + status: automated + + - id: 2.1.15 + title: Ensure snmp services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_net-snmp_removed + - service_snmpd_disabled + status: automated + + - id: 2.1.16 + title: Ensure telnet-server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_inetutils-telnetd_removed + - package_telnetd_removed + status: automated + + - id: 2.1.17 + title: Ensure tftp server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_tftp-server_removed + - service_tftp_disabled + status: automated + + - id: 2.1.18 + title: Ensure web proxy server services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_squid_removed + - service_squid_disabled + status: automated + + - id: 2.1.19 + title: Ensure web server 
services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_httpd_removed + - package_nginx_removed + - service_httpd_disabled + - service_nginx_disabled + status: automated + + - id: 2.1.20 + title: Ensure xinetd services are not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_xinetd_removed + - service_xinetd_disabled + status: automated + + - id: 2.1.21 + title: Ensure X window server services are not in use (Automated) + levels: + - l2_server + rules: + - package_xorg-x11-server-common_removed + status: automated + + - id: 2.1.22 + title: Ensure mail transfer agents are configured for local-only mode (Automated) + levels: + - l1_server + - l1_workstation + rules: + - has_nonlocal_mta + - var_postfix_inet_interfaces=loopback-only + - postfix_network_listening_disabled + status: automated + + - id: 2.1.23 + title: Ensure only approved services are listening on a network interface (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 2.2.1 + title: Ensure nis client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_nis_removed + status: automated + + - id: 2.2.2 + title: Ensure rsh client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rsh_removed + status: automated + + - id: 2.2.3 + title: Ensure talk client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_talk_removed + status: automated + + - id: 2.2.4 + title: Ensure telnet client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_inetutils-telnet_removed + - package_telnet_removed + status: automated + + - id: 2.2.5 + title: Ensure ldap client is not installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_openldap-clients_removed + status: automated + + - id: 2.2.6 + title: Ensure ftp client is not installed 
(Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_ftp_removed + - package_tnftp_removed + status: automated + + - id: 2.3.1.1 + title: Ensure a single time synchronization daemon is in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_timesync_service=systemd-timesyncd + - package_chrony_installed + - service_chronyd_enabled + - service_chronyd_disabled + - package_timesyncd_installed + - service_timesyncd_enabled + - service_timesyncd_disabled + - ntp_single_service_active + status: automated + notes: | + To select which timesync daemon to install and configure, use the + profile variable var_timesync_service. + + - id: 2.3.2.1 + title: Ensure systemd-timesyncd configured with authorized timeserver (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_multiple_time_servers=debian + - service_timesyncd_configured + status: automated + + - id: 2.3.2.2 + title: Ensure systemd-timesyncd is enabled and running (Automated) + levels: + - l1_server + - l1_workstation + related_rules: + - service_timesyncd_enabled + - service_timesyncd_disabled + status: automated + notes: Implemented in 2.3.1.1 + + - id: 2.3.3.1 + title: Ensure chrony is configured with authorized timeserver (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_multiple_time_servers=debian + - var_multiple_time_pools=debian + - chronyd_configure_pool_and_server + status: partial + notes: | + Rule does not check or remediate config files included via + confdir and sourcedir directives. 
+ + - id: 2.3.3.2 + title: Ensure chrony is running as user _chrony (Automated) + levels: + - l1_server + - l1_workstation + rules: + - chronyd_run_as_chrony_user + status: automated + + - id: 2.3.3.3 + title: Ensure chrony is enabled and running (Automated) + levels: + - l1_server + - l1_workstation + related_rules: + - service_chronyd_enabled + - service_chronyd_disabled + status: automated + notes: Implemented in 2.3.1.1 + + - id: 2.4.1.1 + title: Ensure cron daemon is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_cron_installed + - service_cron_enabled + status: automated + + - id: 2.4.1.2 + title: Ensure access to /etc/crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_crontab + - file_owner_crontab + - file_permissions_crontab + status: automated + + - id: 2.4.1.3 + title: Ensure access to /etc/cron.hourly is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_hourly + - file_owner_cron_hourly + - file_permissions_cron_hourly + status: automated + + - id: 2.4.1.4 + title: Ensure access to /etc/cron.daily is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_daily + - file_owner_cron_daily + - file_permissions_cron_daily + status: automated + + - id: 2.4.1.5 + title: Ensure access to /etc/cron.weekly is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_weekly + - file_owner_cron_weekly + - file_permissions_cron_weekly + status: automated + + - id: 2.4.1.6 + title: Ensure access to /etc/cron.monthly is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_monthly + - file_owner_cron_monthly + - file_permissions_cron_monthly + status: automated + + - id: 2.4.1.7 + title: Ensure access to /etc/cron.yearly is configured (Automated) + levels: + - l1_server + - 
l1_workstation + rules: + - file_groupowner_cron_yearly + - file_owner_cron_yearly + - file_permissions_cron_yearly + status: automated + + - id: 2.4.1.8 + title: Ensure access to /etc/cron.d is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_cron_d + - file_owner_cron_d + - file_permissions_cron_d + status: automated + + - id: 2.4.1.9 + title: Ensure access to crontab is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_cron_allow_exists + - file_cron_deny_not_exist + - file_groupowner_cron_allow + - file_owner_cron_allow + - file_permissions_cron_allow + status: automated + + - id: 2.4.2.1 + title: Ensure access to at is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_at_allow_exists + - file_groupowner_at_allow + - file_owner_at_allow + - file_permissions_at_allow + - file_groupowner_at_deny + - file_owner_at_deny + - file_permissions_at_deny + status: automated + notes: file_owner_at_deny and file_owner_at_allow currently require root as owner and don't accept + daemon + + - id: 3.1.1 + title: Ensure IPv6 status is identified (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 3.1.2 + title: Ensure wireless interfaces are not available (Automated) + levels: + - l1_server + rules: + - wireless_disable_interfaces + status: automated + + - id: 3.1.3 + title: Ensure bluetooth services are not in use (Automated) + levels: + - l1_server + - l2_workstation + rules: + - service_bluetooth_disabled + status: automated + + - id: 3.2.1 + title: Ensure atm kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + rules: + - kernel_module_atm_disabled + status: automated + + - id: 3.2.2 + title: Ensure can kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + rules: + - kernel_module_can_disabled + status: automated + + - id: 3.2.3 + title: Ensure dccp kernel module is 
not available (Automated) + levels: + - l1_server + - l1_workstation + rules: + - kernel_module_dccp_disabled + status: automated + + - id: 3.2.4 + title: Ensure rds kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + rules: + - kernel_module_rds_disabled + status: automated + + - id: 3.2.5 + title: Ensure sctp kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + rules: + - kernel_module_sctp_disabled + status: automated + + - id: 3.2.6 + title: Ensure tipc kernel module is not available (Automated) + levels: + - l1_server + - l1_workstation + rules: + - kernel_module_tipc_disabled + status: automated + + - id: 3.3.1.1 + title: Ensure net.ipv4.ip_forward is configured (Automated) + levels: + - l2_server + - l1_workstation + rules: + - sysctl_net_ipv4_ip_forward + status: automated + + - id: 3.3.1.2 + title: Ensure net.ipv4.conf.all.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_all_forwarding + status: automated + + - id: 3.3.1.3 + title: Ensure net.ipv4.conf.default.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_forwarding + status: automated + + - id: 3.3.1.4 + title: Ensure net.ipv4.conf.all.send_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_all_send_redirects + status: automated + + - id: 3.3.1.5 + title: Ensure net.ipv4.conf.default.send_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_send_redirects + status: automated + + - id: 3.3.1.6 + title: Ensure net.ipv4.icmp_ignore_bogus_error_responses is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses + status: automated + + - id: 3.3.1.7 + title: Ensure net.ipv4.icmp_echo_ignore_broadcasts 
is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + status: automated + + - id: 3.3.1.8 + title: Ensure net.ipv4.conf.all.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_all_accept_redirects + status: automated + + - id: 3.3.1.9 + title: Ensure net.ipv4.conf.default.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_accept_redirects + status: automated + + - id: 3.3.1.10 + title: Ensure net.ipv4.conf.all.secure_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_all_secure_redirects + status: automated + + - id: 3.3.1.11 + title: Ensure net.ipv4.conf.default.secure_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_secure_redirects + status: automated + + - id: 3.3.1.12 + title: Ensure net.ipv4.conf.all.rp_filter is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_all_rp_filter + status: automated + + - id: 3.3.1.13 + title: Ensure net.ipv4.conf.default.rp_filter is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_rp_filter + status: automated + + - id: 3.3.1.14 + title: Ensure net.ipv4.conf.all.accept_source_route is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_all_accept_source_route + status: automated + + - id: 3.3.1.15 + title: Ensure net.ipv4.conf.default.accept_source_route is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_accept_source_route + status: automated + + - id: 3.3.1.16 + title: Ensure net.ipv4.conf.all.log_martians is configured (Automated) + levels: + - l1_server + - 
l1_workstation + rules: + - sysctl_net_ipv4_conf_all_log_martians + - sysctl_reapply_after_network + status: automated + notes: |- + On Debian 13, the kernel resets network sysctl values when interfaces + come up, overriding the early-boot configuration applied by + systemd-sysctl.service. sysctl_reapply_after_network creates a oneshot + service that re-applies all sysctl settings after networking is up, + ensuring the hardened values persist at runtime. + + - id: 3.3.1.17 + title: Ensure net.ipv4.conf.default.log_martians is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_conf_default_log_martians + - sysctl_reapply_after_network + status: automated + notes: |- + See notes for 3.3.1.16. + + - id: 3.3.1.18 + title: Ensure net.ipv4.tcp_syncookies is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv4_tcp_syncookies + status: automated + + - id: 3.3.2.1 + title: Ensure net.ipv6.conf.all.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_all_forwarding + status: automated + + - id: 3.3.2.2 + title: Ensure net.ipv6.conf.default.forwarding is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_default_forwarding + status: automated + + - id: 3.3.2.3 + title: Ensure net.ipv6.conf.all.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_all_accept_redirects + status: automated + + - id: 3.3.2.4 + title: Ensure net.ipv6.conf.default.accept_redirects is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_default_accept_redirects + status: automated + + - id: 3.3.2.5 + title: Ensure net.ipv6.conf.all.accept_source_route is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_all_accept_source_route + status: automated 
+ + - id: 3.3.2.6 + title: Ensure net.ipv6.conf.default.accept_source_route is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_default_accept_source_route + status: automated + + - id: 3.3.2.7 + title: Ensure net.ipv6.conf.all.accept_ra is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_all_accept_ra + status: automated + + - id: 3.3.2.8 + title: Ensure net.ipv6.conf.default.accept_ra is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sysctl_net_ipv6_conf_default_accept_ra + status: automated + + - id: 4.1.1 + title: Ensure ufw is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_ufw_installed + status: automated + + - id: 4.1.2 + title: Ensure ufw service is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - check_ufw_active + - service_ufw_enabled + status: automated + + - id: 4.1.3 + title: Ensure ufw incoming default is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - ufw_default_incoming_rule + status: automated + + - id: 4.1.4 + title: Ensure ufw outgoing default is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - ufw_default_outgoing_rule + status: automated + + - id: 4.1.5 + title: Ensure ufw routed default is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - ufw_disabled_routed + status: automated + + - id: 5.1.1 + title: Ensure access to /etc/ssh/sshd_config is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_sshd_config + - file_owner_sshd_config + - file_permissions_sshd_config + status: automated + + - id: 5.1.2 + title: Ensure access to SSH private host key files is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_permissions_sshd_private_key + status: automated + + - id: 5.1.3 + title: 
Ensure access to SSH public host key files is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_permissions_sshd_pub_key + status: automated + + - id: 5.1.4 + title: Ensure sshd access is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_limit_user_access + status: automated + + - id: 5.1.5 + title: Ensure sshd Banner is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_enable_warning_banner_net + status: automated + + - id: 5.1.6 + title: Ensure sshd Ciphers are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_use_strong_ciphers + status: automated + + - id: 5.1.7 + title: Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_idle_timeout_value=5_minutes + - var_sshd_set_keepalive=3 + - sshd_set_idle_timeout + - sshd_set_keepalive + status: partial + notes: | + The current implementation imposes an upper boundary on the + values. The CIS benchmark requires only that the values + are greater than 0. 
+ + - id: 5.1.8 + title: Ensure sshd DisableForwarding is enabled (Automated) + levels: + - l1_workstation + - l2_server + rules: + - sshd_disable_forwarding + status: automated + + - id: 5.1.9 + title: Ensure sshd GSSAPIAuthentication is disabled (Automated) + levels: + - l1_workstation + - l2_server + rules: + - sshd_disable_gssapi_auth + status: automated + + - id: 5.1.10 + title: Ensure sshd HostbasedAuthentication is disabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - disable_host_auth + status: automated + + - id: 5.1.11 + title: Ensure sshd IgnoreRhosts is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_disable_rhosts + status: automated + + - id: 5.1.12 + title: Ensure sshd KexAlgorithms is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_strong_kex=cis_debian13 + - sshd_use_strong_kex + status: automated + notes: | + The selected KEX set includes the benchmark-required post-quantum + SSH key exchange algorithm(s). + + - id: 5.1.13 + title: Ensure sshd post-quantum cryptography key exchange algorithms are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_strong_kex=cis_debian13 + - sshd_use_strong_kex + status: automated + notes: | + This control is implemented through the same KexAlgorithms setting + used in 5.1.12. 
+ + - id: 5.1.14 + title: Ensure sshd LoginGraceTime is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_sshd_set_login_grace_time=60 + - sshd_set_login_grace_time + status: automated + + - id: 5.1.15 + title: Ensure sshd LogLevel is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_set_loglevel_info + status: automated + + - id: 5.1.16 + title: Ensure sshd MACs are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_strong_macs=cis_debian13 + - sshd_use_strong_macs + status: automated + + - id: 5.1.17 + title: Ensure sshd MaxAuthTries is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_max_auth_tries_value=4 + - sshd_set_max_auth_tries + status: automated + + - id: 5.1.18 + title: Ensure sshd MaxSessions is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_sshd_max_sessions=10 + - sshd_set_max_sessions + status: automated + + - id: 5.1.19 + title: Ensure sshd MaxStartups is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_sshd_set_maxstartups=10:30:60 + - sshd_set_maxstartups + status: automated + + - id: 5.1.20 + title: Ensure sshd PermitEmptyPasswords is disabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_disable_empty_passwords + status: automated + + - id: 5.1.21 + title: Ensure sshd PermitRootLogin is disabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_disable_root_login + status: automated + + - id: 5.1.22 + title: Ensure sshd PermitUserEnvironment is disabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_do_not_permit_user_env + status: automated + + - id: 5.1.23 + title: Ensure sshd UsePAM is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sshd_enable_pam + status: automated + + - id: 5.2.1 + title: Ensure sudo is installed (Automated) + levels: 
+ - l1_server + - l1_workstation + rules: + - package_sudo_installed + status: automated + + - id: 5.2.2 + title: Ensure sudo commands use pty (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sudo_add_use_pty + status: automated + + - id: 5.2.3 + title: Ensure sudo log file exists (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sudo_custom_logfile + status: automated + + - id: 5.2.4 + title: Ensure users must provide password for escalation (Automated) + levels: + - l2_server + - l2_workstation + rules: + - sudo_require_authentication + status: automated + + - id: 5.2.5 + title: Ensure re-authentication for privilege escalation is not disabled globally (Automated) + levels: + - l1_server + - l1_workstation + rules: + - sudo_remove_no_authenticate + status: automated + + - id: 5.2.6 + title: Ensure sudo timestamp_timeout is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_sudo_timestamp_timeout=15_minutes + - sudo_require_reauthentication + status: automated + + - id: 5.2.7 + title: Ensure access to the su command is restricted (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_pam_wheel_group_for_su=cis + - ensure_pam_wheel_group_empty + - use_pam_wheel_group_for_su + status: automated + + - id: 5.3.1.1 + title: Ensure latest version of pam is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_pam_runtime_installed + status: automated + notes: | + The CIS benchmark requires that libpam-runtime is installed and is the latest + version available. The automated check only covers installation; verifying the + latest version requires a manual check. 
+ + - id: 5.3.1.2 + title: Ensure latest version of libpam-modules is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_pam_modules_installed + status: automated + notes: | + The CIS benchmark requires that libpam-modules is installed and is the latest + version available. The automated check only covers installation; verifying the + latest version requires a manual check. + + - id: 5.3.1.3 + title: Ensure latest version of libpam-pwquality is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_pam_pwquality_installed + status: automated + notes: | + The CIS benchmark requires that libpam-pwquality is installed and is the latest + version available. The automated check only covers installation; verifying the + latest version requires a manual check. + + - id: 5.3.2.1 + title: Ensure pam_unix module is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_unix_enabled + status: automated + + - id: 5.3.2.2 + title: Ensure pam_faillock module is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_passwords_pam_faillock_enabled + status: automated + + - id: 5.3.2.3 + title: Ensure pam_pwquality module is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_pwquality_enabled + status: automated + + - id: 5.3.2.4 + title: Ensure pam_pwhistory module is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_pwhistory_enabled + status: automated + + - id: 5.3.3.1.1 + title: Ensure password failed attempts lockout is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_accounts_passwords_pam_faillock_deny=4 + - accounts_passwords_pam_faillock_deny + status: automated + + - id: 5.3.3.1.2 + title: Ensure password unlock time is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - 
var_accounts_passwords_pam_faillock_unlock_time=900 + - accounts_passwords_pam_faillock_unlock_time + status: automated + + - id: 5.3.3.1.3 + title: Ensure password failed attempts lockout includes root account (Automated) + levels: + - l2_server + - l2_workstation + rules: + - var_accounts_passwords_pam_faillock_root_unlock_time=900 + - accounts_passwords_pam_faillock_root_unlock_time + status: automated + + - id: 5.3.3.2.1 + title: Ensure password number of changed characters is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_difok=2 + - accounts_password_pam_difok + status: automated + + - id: 5.3.3.2.2 + title: Ensure password length is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_minlen=14 + - accounts_password_pam_minlen + status: automated + + - id: 5.3.3.2.3 + title: Ensure password complexity is configured (Manual) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_minclass=4 + - var_password_pam_dcredit=1 + - var_password_pam_lcredit=1 + - var_password_pam_ocredit=1 + - var_password_pam_ucredit=1 + - accounts_password_pam_minclass + - accounts_password_pam_dcredit + - accounts_password_pam_lcredit + - accounts_password_pam_ocredit + - accounts_password_pam_ucredit + status: automated + + - id: 5.3.3.2.4 + title: Ensure password same consecutive characters is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_maxrepeat=3 + - accounts_password_pam_maxrepeat + status: automated + + - id: 5.3.3.2.5 + title: Ensure password maximum sequential characters is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_maxsequence=3 + - accounts_password_pam_maxsequence + status: automated + + - id: 5.3.3.2.6 + title: Ensure password dictionary check is enabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_dictcheck=1 + - 
accounts_password_pam_dictcheck + status: automated + + - id: 5.3.3.2.7 + title: Ensure password quality checking is enforced (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_enforcing=1 + - accounts_password_pam_enforcing + status: automated + + - id: 5.3.3.2.8 + title: Ensure password quality is enforced for the root user (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_enforce_root + status: automated + + - id: 5.3.3.3.1 + title: Ensure password history remember is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_pam_remember=24 + - accounts_password_pam_pwhistory_remember + status: automated + + - id: 5.3.3.3.2 + title: Ensure password history is enforced for the root user (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_pwhistory_enforce_root + status: automated + + - id: 5.3.3.3.3 + title: Ensure pam_pwhistory includes use_authtok (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_pwhistory_use_authtok + status: automated + + - id: 5.3.3.4.1 + title: Ensure pam_unix does not include nullok (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_empty_passwords_unix + status: automated + + - id: 5.3.3.4.2 + title: Ensure pam_unix does not include remember (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_unix_no_remember + status: automated + + - id: 5.3.3.4.3 + title: Ensure pam_unix includes a strong password hashing algorithm (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_password_hashing_algorithm_pam=cis_debian13 + - set_password_hashing_algorithm_systemauth + status: automated + + - id: 5.3.3.4.4 + title: Ensure pam_unix includes use_authtok (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_pam_unix_authtok + status: automated + + - id: 5.4.1.1 
+ title: Ensure password expiration is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_accounts_maximum_age_login_defs=365 + - accounts_maximum_age_login_defs + - accounts_password_set_max_life_existing + status: automated + + - id: 5.4.1.2 + title: Ensure minimum password days is configured (Manual) + levels: + - l2_server + - l2_workstation + rules: + - var_accounts_minimum_age_login_defs=1 + - accounts_minimum_age_login_defs + - accounts_password_set_min_life_existing + status: automated + + - id: 5.4.1.3 + title: Ensure password expiration warning days is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_accounts_password_warn_age_login_defs=7 + - accounts_password_warn_age_login_defs + - accounts_password_set_warn_age_existing + status: automated + + - id: 5.4.1.4 + title: Ensure strong password hashing algorithm is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - set_password_hashing_algorithm_logindefs + - var_password_hashing_algorithm=cis_debian13 + status: automated + notes: Rule allows either SHA512 or YESCRYPT + + - id: 5.4.1.5 + title: Ensure inactive password lock is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_account_disable_post_pw_expiration=45 + - account_disable_post_pw_expiration + - accounts_set_post_pw_existing + status: automated + notes: CIS setting now 45 days. 
+ + - id: 5.4.1.6 + title: Ensure all users last password change date is in the past (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_last_change_is_in_past + status: automated + + - id: 5.4.2.1 + title: Ensure root is the only UID 0 account (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_no_uid_except_zero + status: automated + + - id: 5.4.2.2 + title: Ensure root is the only GID 0 account (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_root_gid_zero + status: automated + notes: | + The remediation is not automated as the removal or modification + of group IDs from a system is too disruptive. + + - id: 5.4.2.3 + title: Ensure group root is the only GID 0 group (Automated) + levels: + - l1_server + - l1_workstation + rules: + - groups_no_zero_gid_except_root + status: automated + notes: | + The remediation is not automated as the removal or modification + of group IDs from a system is too disruptive. + + - id: 5.4.2.4 + title: Ensure root account access is controlled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - ensure_root_access_controlled + status: automated + notes: This rule doesn't come with a remediation, as the exact requirement allows root to either + have a password or be locked. 
+ + - id: 5.4.2.5 + title: Ensure root path integrity (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_root_path_dirs_no_write + - root_path_all_dirs + - root_path_no_dot + - no_dirs_unowned_by_root + status: automated + + - id: 5.4.2.6 + title: Ensure root user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_umask_root + status: automated + + - id: 5.4.2.7 + title: Ensure system accounts do not have a valid login shell (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_shelllogin_for_systemaccounts + status: automated + + - id: 5.4.2.8 + title: Ensure accounts without a valid login shell are locked (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_invalid_shell_accounts_unlocked + status: automated + notes: | + Remediation is not automated. + + - id: 5.4.3.1 + title: Ensure nologin is not listed in /etc/shells (Automated) + levels: + - l2_server + - l2_workstation + rules: + - no_nologin_in_shells + status: automated + + - id: 5.4.3.2 + title: Ensure default user shell timeout is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_accounts_tmout=15_min + - accounts_tmout + status: automated + + - id: 5.4.3.3 + title: Ensure default user umask is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - var_accounts_user_umask=027 + - accounts_umask_etc_bashrc + - accounts_umask_etc_login_defs + - accounts_umask_etc_profile + status: automated + + - id: 6.1.1.1.1 + title: Ensure journald service is active (Automated) + levels: + - l1_server + - l1_workstation + rules: + - service_systemd-journald_enabled + status: automated + + - id: 6.1.1.1.2 + title: Ensure journald log file access is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.1.1.1.3 + title: Ensure journald log file rotation is configured (Manual) + levels: + - l1_server + - l1_workstation + 
status: manual + + - id: 6.1.1.1.4 + title: Ensure journald ForwardToSyslog is disabled (Automated) + levels: + - l1_server + - l1_workstation + rules: + - journald_disable_forward_to_syslog + status: automated + + - id: 6.1.1.1.5 + title: Ensure journald Storage is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - journald_storage + status: automated + + - id: 6.1.1.1.6 + title: Ensure journald Compress is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - journald_compress + status: automated + + - id: 6.1.1.2.1 + title: Ensure systemd-journal-remote is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_systemd-journal-remote_installed + status: automated + + - id: 6.1.1.2.2 + title: Ensure systemd-journal-upload authentication is configured (Manual) + levels: + - l1_server + - l1_workstation + related_rules: + - systemd_journal_upload_server_tls + - systemd_journal_upload_url + status: manual + + - id: 6.1.1.2.3 + title: Ensure systemd-journal-upload is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + rules: + - service_systemd-journal-upload_enabled + status: automated + + - id: 6.1.1.2.4 + title: Ensure systemd-journal-remote service is not in use (Automated) + levels: + - l1_server + - l1_workstation + rules: + - socket_systemd-journal-remote_disabled + status: automated + + - id: 6.1.2.1 + title: Ensure rsyslog is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - package_rsyslog_installed + status: automated + + - id: 6.1.2.2 + title: Ensure rsyslog service is enabled and active (Automated) + levels: + - l1_server + - l1_workstation + rules: + - service_rsyslog_enabled + status: automated + + - id: 6.1.2.3 + title: Ensure journald is configured to send logs to rsyslog (Automated) + levels: + - l1_server + - l1_workstation + rules: + - journald_forward_to_syslog + status: automated + + - id: 6.1.2.4 + title: Ensure 
rsyslog log file creation mode is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - rsyslog_filecreatemode + status: automated + + - id: 6.1.2.5 + title: Ensure rsyslog logging is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.1.2.6 + title: Ensure rsyslog is configured to send logs to a remote log host (Manual) + levels: + - l1_server + - l1_workstation + related_rules: + - rsyslog_remote_loghost + status: manual + + - id: 6.1.2.7 + title: Ensure rsyslog is not configured to receive logs from a remote client (Automated) + levels: + - l1_server + - l1_workstation + rules: + - rsyslog_nolisten + status: automated + + - id: 6.1.2.8 + title: Ensure logrotate is configured (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 6.1.2.9 + title: Ensure rsyslog-gnutls is installed (Automated) + levels: + - l2_server + - l2_workstation + rules: + - package_rsyslog-gnutls_installed + status: automated + + - id: 6.1.2.10 + title: Ensure rsyslog forwarding uses gtls (Automated) + levels: + - l2_server + - l2_workstation + rules: + - rsyslog_remote_tls + status: automated + + - id: 6.1.2.11 + title: Ensure rsyslog CA certificates are configured (Manual) + levels: + - l2_server + - l2_workstation + status: manual + + - id: 6.1.3.1 + title: Ensure access to all logfiles has been configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupownerships_var_log_apt + - file_groupownerships_var_log_gdm + - file_groupownerships_var_log_gdm3 + - file_groupownerships_var_log_landscape + - file_groupownerships_var_log_sssd + - file_groupowner_var_log_auth + - file_groupowner_var_log_cloud_init + - file_groupowner_var_log_journal + - file_groupowner_var_log_lastlog + - file_groupowner_var_log_localmessages + - file_groupowner_var_log_messages + - file_groupowner_var_log_secure + - file_groupowner_var_log_syslog + - file_groupowner_var_log_waagent + - 
file_groupowner_var_log_wbtmp + - file_ownerships_var_log_apt + - file_ownerships_var_log_gdm + - file_ownerships_var_log_gdm3 + - file_ownerships_var_log_landscape + - file_ownerships_var_log_sssd + - file_owner_var_log_auth + - file_owner_var_log_cloud_init + - file_owner_var_log_journal + - file_owner_var_log_lastlog + - file_owner_var_log_localmessages + - file_owner_var_log_messages + - file_owner_var_log_secure + - file_owner_var_log_syslog + - file_owner_var_log_waagent + - file_owner_var_log_wbtmp + - file_permissions_var_log_apt + - file_permissions_var_log_auth + - file_permissions_var_log_cloud-init + - file_permissions_var_log_gdm + - file_permissions_var_log_gdm3 + - file_permissions_var_log_lastlog + - file_permissions_var_log_localmessages + - file_permissions_var_log_messages + - file_permissions_var_log_secure + - file_permissions_var_log_sssd + - file_permissions_var_log_syslog + - file_permissions_var_log_waagent + - file_permissions_var_log_wbtmp + - file_groupownerships_var_log + - file_ownerships_var_log + - permissions_local_var_log + status: automated + + - id: 6.2.1.1 + title: Ensure auditd packages are installed (Automated) + levels: + - l2_server + - l2_workstation + rules: + - package_audit_installed + - package_audit-audispd-plugins_installed + status: automated + notes: | + Added also the missing rule for audispd. 
+ + - id: 6.2.1.2 + title: Ensure auditd service is enabled and active (Automated) + levels: + - l2_server + - l2_workstation + rules: + - service_auditd_enabled + status: automated + + - id: 6.2.1.3 + title: Ensure auditing for processes that start prior to auditd is enabled (Automated) + levels: + - l2_server + - l2_workstation + rules: + - grub2_audit_argument + - zipl_audit_argument + status: automated + + - id: 6.2.1.4 + title: Ensure audit_backlog_limit is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - grub2_audit_backlog_limit_argument + - var_audit_backlog_limit=8192 + - zipl_audit_backlog_limit_argument + status: automated + + - id: 6.2.2.1 + title: Ensure audit log storage size is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - var_auditd_max_log_file=6 + - auditd_data_retention_max_log_file + status: automated + + - id: 6.2.2.2 + title: Ensure audit logs are not automatically deleted (Automated) + levels: + - l2_server + - l2_workstation + rules: + - var_auditd_max_log_file_action=keep_logs + - auditd_data_retention_max_log_file_action + status: automated + + - id: 6.2.2.3 + title: Ensure system is disabled when audit logs are full (Automated) + levels: + - l2_server + - l2_workstation + rules: + - var_auditd_disk_error_action=cis_debian13 + - var_auditd_disk_full_action=cis_debian13 + - auditd_data_disk_error_action + - auditd_data_disk_full_action + status: automated + + - id: 6.2.2.4 + title: Ensure system warns when audit logs are low on space (Automated) + levels: + - l2_server + - l2_workstation + rules: + - var_auditd_action_mail_acct=root + - var_auditd_space_left_action=email + - var_auditd_admin_space_left_action=halt + - auditd_data_retention_action_mail_acct + - auditd_data_retention_admin_space_left_action + - auditd_data_retention_space_left_action + status: automated + notes: | + The variables should allow multiple options. 
+ + - id: 6.2.3.1 + title: Ensure modification of the /etc/sudoers file is collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_sysadmin_actions + status: automated + + - id: 6.2.3.2 + title: Ensure actions as another user are always logged (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_suid_auid_privilege_function + status: automated + + - id: 6.2.3.3 + title: Ensure events that modify the sudo log file are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_sudo_log_events + status: automated + + - id: 6.2.3.4 + title: Ensure events that modify date and time information are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_time_adjtimex + - audit_rules_time_clock_settime + - audit_rules_time_settimeofday + - audit_rules_time_watch_localtime + status: automated + + - id: 6.2.3.5 + title: Ensure events that modify sethostname and setdomainname are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_networkconfig_modification + status: automated + + - id: 6.2.3.6 + title: Ensure events that modify /etc/issue and /etc/issue.net are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_networkconfig_modification + status: automated + + - id: 6.2.3.7 + title: Ensure events that modify /etc/hosts and /etc/hostname are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_networkconfig_modification + - audit_rules_networkconfig_modification_hostname_file + status: automated + + - id: 6.2.3.8 + title: Ensure events that modify the system's network environment are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_networkconfig_modification + status: automated + + - id: 6.2.3.9 + title: Ensure events that modify /etc/NetworkManager directory are collected (Automated) + levels: + - 
l2_server + - l2_workstation + rules: + - audit_rules_networkconfig_modification_etc_networkmanager_system_connections + - audit_rules_networkconfig_modification_networkmanager + status: automated + + - id: 6.2.3.10 + title: Ensure use of privileged commands are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_privileged_commands + status: automated + + - id: 6.2.3.11 + title: Ensure unsuccessful file access attempts are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + status: automated + + - id: 6.2.3.12 + title: Ensure events that modify /etc/group information are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_usergroup_modification_group + status: automated + + - id: 6.2.3.13 + title: Ensure events that modify /etc/passwd information are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_usergroup_modification_passwd + status: automated + + - id: 6.2.3.14 + title: Ensure events that modify /etc/shadow and /etc/gshadow are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_gshadow + status: automated + + - id: 6.2.3.15 + title: Ensure events that modify /etc/security/opasswd are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_usergroup_modification_opasswd + status: automated + + - id: 6.2.3.16 + title: Ensure events that modify /etc/nsswitch.conf file are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_usergroup_modification_nsswitch_conf + status: automated + 
+ - id: 6.2.3.17 + title: Ensure events that modify /etc/pam.conf and /etc/pam.d/ information are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_usergroup_modification_pam_conf + - audit_rules_usergroup_modification_pamd + status: automated + + - id: 6.2.3.18 + title: Ensure discretionary access control permission modification events chmod,fchmod,fchmodat,fchmodat2 are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + status: automated + + - id: 6.2.3.19 + title: Ensure discretionary access control permission modification events chown,fchown,lchown,fchownat are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_fchownat + status: automated + + - id: 6.2.3.20 + title: Ensure discretionary access control permission modification events setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_dac_modification_setxattr + - audit_rules_dac_modification_lsetxattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_fremovexattr + status: automated + + - id: 6.2.3.21 + title: Ensure successful file system mounts are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_media_export + status: automated + + - id: 6.2.3.22 + title: Ensure session initiation information is collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_session_events + status: automated + + - id: 6.2.3.23 + title: Ensure login and logout events are collected 
(Automated) + levels: + - l2_server + - l2_workstation + rules: + - var_accounts_passwords_pam_faillock_dir=run + - audit_rules_login_events_faillock + - audit_rules_login_events_lastlog + status: automated + + - id: 6.2.3.24 + title: Ensure unlink file deletion events by users are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_file_deletion_events_unlink + - audit_rules_file_deletion_events_unlinkat + status: automated + + - id: 6.2.3.25 + title: Ensure rename file deletion events by users are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_file_deletion_events_rename + - audit_rules_file_deletion_events_renameat + status: automated + + - id: 6.2.3.26 + title: Ensure events that modify the system's Mandatory Access Controls are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_mac_modification_etc_apparmor + - audit_rules_mac_modification_etc_apparmor_d + status: automated + + - id: 6.2.3.27 + title: Ensure successful and unsuccessful attempts to use the chcon command are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_execution_chcon + status: automated + + - id: 6.2.3.28 + title: Ensure successful and unsuccessful attempts to use the setfacl command are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_execution_setfacl + status: automated + + - id: 6.2.3.29 + title: Ensure successful and unsuccessful attempts to use the chacl command are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_execution_chacl + status: automated + + - id: 6.2.3.30 + title: Ensure successful and unsuccessful attempts to use the usermod command are collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_privileged_commands_usermod + status: automated + + - id: 6.2.3.31 + title: Ensure kernel module loading 
unloading and modification is collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_kernel_module_loading_create + - audit_rules_privileged_commands_kmod + status: automated + + - id: 6.2.3.32 + title: Ensure kernel "init_module" and "finit_module" loading unloading and modification is collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_kernel_module_loading_init + - audit_rules_kernel_module_loading_finit + status: automated + + - id: 6.2.3.33 + title: Ensure kernel "delete_module" loading unloading and modification is collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_kernel_module_loading_delete + status: automated + + - id: 6.2.3.34 + title: Ensure kernel query_module loading unloading and modification is collected (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_kernel_module_loading_query + status: automated + + - id: 6.2.3.35 + title: Ensure the audit configuration is loaded regardless of errors (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_continue_loading + status: automated + + - id: 6.2.3.36 + title: Ensure the audit configuration is immutable (Automated) + levels: + - l2_server + - l2_workstation + rules: + - audit_rules_immutable + status: automated + + - id: 6.2.3.37 + title: Ensure the running and on disk configuration is the same (Manual) + levels: + - l2_server + - l2_workstation + status: manual + + - id: 6.2.4.1 + title: Ensure audit log files mode is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_permissions_var_log_audit + status: automated + + - id: 6.2.4.2 + title: Ensure audit log files owner is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_ownership_var_log_audit_stig + status: automated + + - id: 6.2.4.3 + title: Ensure audit log files group owner is configured (Automated) + levels: + - 
l2_server + - l2_workstation + rules: + - file_group_ownership_var_log_audit + status: automated + + - id: 6.2.4.4 + title: Ensure the audit log file directory mode is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - directory_permissions_var_log_audit + status: automated + + - id: 6.2.4.5 + title: Ensure audit configuration files mode is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_permissions_etc_audit_auditd + - file_permissions_etc_audit_rules + - file_permissions_etc_audit_rulesd + status: automated + + - id: 6.2.4.6 + title: Ensure audit configuration files owner is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_ownership_audit_configuration + status: automated + + - id: 6.2.4.7 + title: Ensure audit configuration files group owner is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_groupownership_audit_configuration + status: automated + + - id: 6.2.4.8 + title: Ensure audit tools mode is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_permissions_audit_binaries + status: automated + + - id: 6.2.4.9 + title: Ensure audit tools owner is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_ownership_audit_binaries + status: automated + + - id: 6.2.4.10 + title: Ensure audit tools group owner is configured (Automated) + levels: + - l2_server + - l2_workstation + rules: + - file_groupownership_audit_binaries + status: automated + + - id: 6.3.1 + title: Ensure AIDE is installed (Automated) + levels: + - l1_server + - l1_workstation + rules: + - aide_build_database + - package_aide_installed + status: automated + + - id: 6.3.2 + title: Ensure filesystem integrity is regularly checked (Automated) + levels: + - l1_server + - l1_workstation + rules: + - aide_periodic_checking_systemd_timer + status: automated + + - id: 6.3.3 + title: Ensure cryptographic 
mechanisms are used to protect the integrity of audit tools (Automated) + levels: + - l2_server + - l2_workstation + rules: + - aide_check_audit_tools + status: automated + + - id: 7.1.1 + title: Ensure access to /etc/passwd is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_passwd + - file_owner_etc_passwd + - file_permissions_etc_passwd + status: automated + + - id: 7.1.2 + title: Ensure access to /etc/passwd- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_passwd + - file_owner_backup_etc_passwd + - file_permissions_backup_etc_passwd + status: automated + + - id: 7.1.3 + title: Ensure access to /etc/group is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_group + - file_owner_etc_group + - file_permissions_etc_group + status: automated + + - id: 7.1.4 + title: Ensure access to /etc/group- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_group + - file_owner_backup_etc_group + - file_permissions_backup_etc_group + status: automated + + - id: 7.1.5 + title: Ensure access to /etc/shadow is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_shadow + - file_owner_etc_shadow + - file_permissions_etc_shadow + status: automated + + - id: 7.1.6 + title: Ensure access to /etc/shadow- is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_shadow + - file_owner_backup_etc_shadow + - file_permissions_backup_etc_shadow + status: automated + + - id: 7.1.7 + title: Ensure access to /etc/gshadow is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_etc_gshadow + - file_owner_etc_gshadow + - file_permissions_etc_gshadow + status: automated + + - id: 7.1.8 + title: Ensure access to /etc/gshadow- is configured 
(Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_groupowner_backup_etc_gshadow + - file_owner_backup_etc_gshadow + - file_permissions_backup_etc_gshadow + status: automated + + - id: 7.1.9 + title: Ensure access to /etc/shells is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_owner_etc_shells + - file_groupowner_etc_shells + - file_permissions_etc_shells + status: automated + + - id: 7.1.10 + title: Ensure access to /etc/security/opasswd is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_owner_etc_security_opasswd + - file_groupowner_etc_security_opasswd + - file_permissions_etc_security_opasswd + - file_owner_etc_security_opasswd_old + - file_groupowner_etc_security_opasswd_old + - file_permissions_etc_security_opasswd_old + status: automated + + - id: 7.1.11 + title: Ensure world writable files and directories are secured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - file_permissions_unauthorized_world_writable + status: automated + + - id: 7.1.12 + title: Ensure no files or directories without an owner and a group exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_files_unowned_by_user + - file_permissions_ungroupowned + status: automated + + - id: 7.1.13 + title: Ensure SUID and SGID files are reviewed (Manual) + levels: + - l1_server + - l1_workstation + status: manual + + - id: 7.2.1 + title: Ensure accounts in /etc/passwd use shadowed passwords (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_password_all_shadowed + status: automated + + - id: 7.2.2 + title: Ensure /etc/shadow password fields are not empty (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_empty_passwords_etc_shadow + status: automated + + - id: 7.2.3 + title: Ensure all groups in /etc/passwd exist in /etc/group (Automated) + levels: + - l1_server + - l1_workstation + rules: + - gid_passwd_group_same + 
status: automated + + - id: 7.2.4 + title: Ensure shadow group is empty (Automated) + levels: + - l1_server + - l1_workstation + rules: + - ensure_shadow_group_empty + status: automated + + - id: 7.2.5 + title: Ensure no duplicate UIDs exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - account_unique_id + status: automated + + - id: 7.2.6 + title: Ensure no duplicate GIDs exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - group_unique_id + status: automated + + - id: 7.2.7 + title: Ensure no duplicate user names exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - account_unique_name + status: automated + + - id: 7.2.8 + title: Ensure no duplicate group names exist (Automated) + levels: + - l1_server + - l1_workstation + rules: + - group_unique_name + status: automated + + - id: 7.2.9 + title: Ensure local interactive user home directories are configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - accounts_user_interactive_home_directory_exists + - file_groupownership_home_directories + - file_ownership_home_directories + - file_permissions_home_directories + status: automated + + - id: 7.2.10 + title: Ensure local interactive user dot files access is configured (Automated) + levels: + - l1_server + - l1_workstation + rules: + - no_rsh_trust_files + - no_forward_files + - no_netrc_files + - accounts_user_dot_user_ownership + - accounts_user_dot_group_ownership + - var_user_initialization_files_regex=all_dotfiles + - file_permission_user_init_files + - file_permission_user_bash_history + status: automated diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var index ace5c84912c5..c235c6ac4560 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var 
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var @@ -28,3 +28,4 @@ options: cis_ubuntu2204: syslog|single|halt cis_ubuntu2404: syslog|single|halt cis_debian12: syslog|single|halt + cis_debian13: syslog|single|halt diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var index bde0d87fbfb6..ed5e8b182a88 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var +++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var @@ -29,3 +29,4 @@ options: cis_ubuntu2204: halt|single cis_ubuntu2404: halt|single cis_debian12: halt|single + cis_debian13: halt|single diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh b/linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh new file mode 100644 index 000000000000..fcbbdc590eed --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_debian + +mkdir -p /etc/apt/apt.conf.d +cat > /etc/apt/apt.conf.d/60-no-weak-dependencies <<'EOF' +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; +EOF diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml b/linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml new file mode 100644 index 000000000000..158bdeb8d6e2 --- /dev/null +++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/oval/shared.xml @@ -0,0 +1,40 @@ + + + {{{ oval_metadata("APT weak dependencies should be disabled.", rule_title=rule_title) }}} + + + + + + + + + + + + + + + + + + + /etc/apt/apt.conf(\.d/.*)?$ + ^[\s]*(?i)APT::Install-Recommends(?-i)[\s]+(.*)$ + 1 + + + + /etc/apt/apt.conf(\.d/.*)?$ + ^[\s]*(?i)APT::Install-Suggests(?-i)[\s]+(.*)$ + 1 + + + + ^"0";[\s]*$ + + 
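Review bot: The remediation writes `/etc/apt/apt.conf.d/60-no-weak-dependencies` but leaves any other definition of the same options in place, so a conf.d fragment sorted after `60-`, or `/etc/apt/apt.conf` itself, that sets `APT::Install-Recommends "1";` still takes effect (apt applies the last definition it reads), and as far as the tag-stripped OVAL in the following hunk shows, every matching line must be `"0"`, so the check keeps failing after remediation. A comment such as `# later apt.conf.d fragments and /etc/apt/apt.conf override this file; conflicting definitions must be removed by hand` at the top of the script would make that limitation explicit, or the script could consult `apt-config dump` afterwards and report when the effective value still differs. Separately, the OVAL state `^"0";[\s]*$` accepts only the literal `"0"`, while apt's boolean parsing also treats spellings such as `false`, `no` and `off` as disabled, so a system using one of those spellings is reported non-compliant although its effective configuration matches the rule's intent; if that strictness is deliberate, say so in the rule description, otherwise widen the pattern.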
diff --git a/linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml b/linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml
new file mode 100644
index 000000000000..5e0287ec9f65
--- /dev/null
+++ b/linux_os/guide/services/apt/apt_disable_weak_dependencies/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+title: 'Disable APT Weak Dependencies'
+
+description: |-
+ APT should be configured to avoid installing packages listed only as
+ Recommends or Suggests dependencies.
+
+rationale: |-
+ Unless a system specifically requires the additional capabilities provided by
+ weak dependencies, those packages should not be installed in order to reduce
+ the potential attack surface.
+
+severity: medium
+
+ocil_clause: 'APT weak dependency options are not disabled'
+
+ocil: |-
+ Run the following command:
+
    $ apt-config dump | grep "APT::Install-"
    + The output should include: +
    APT::Install-Recommends "0";
    +    APT::Install-Suggests "0";
    + +fixtext: |- + Create an APT configuration file that disables weak dependencies: +
    # printf '%s\n%s\n' 'APT::Install-Recommends "0";' 'APT::Install-Suggests "0";' > /etc/apt/apt.conf.d/60-no-weak-dependencies
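Review bot: The description does not say that these options affect only future package operations; weak dependencies already installed before the setting was applied stay on the system and are not detected by this rule, which a reader of the attack-surface rationale would reasonably expect to be covered. Suggest adding to the description: `Note that this setting only affects subsequent package operations; packages previously installed as Recommends or Suggests dependencies are not removed.` The OCIL text could also state that `apt-config dump` prints the merged configuration, so a `"0"` in its output reflects the effective value even when several files define the option.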
diff --git a/linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml
new file mode 100644
index 000000000000..9a22110abd85
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_groupowner_apt_auth_conf_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on /etc/apt/auth.conf.d Directory'
+
+description: '{{{ describe_directory_group_owner(directory="/etc/apt/auth.conf.d", group="root") }}}'
+
+rationale: |-
+ The /etc/apt/auth.conf.d directory should be group-owned by root to prevent
+ unauthorized changes to APT authentication configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/apt/auth.conf.d", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_group_owner(directory="/etc/apt/auth.conf.d", group="root") }}}
+
+fixtext: '{{{ fixtext_directory_group_owner(file="/etc/apt/auth.conf.d", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/apt/auth.conf.d/
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml
new file mode 100644
index 000000000000..1fdacf66293d
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_groupowner_apt_sources_list_d/rule.yml
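Review bot: Each of the new directory rules (this one, the `sources.list.d`, `trusted.gpg.d` and `/usr/share/keyrings` group-owner rules that follow, and their four `file_owner` counterparts) sets `filepath` with a trailing slash, which as I read the template evaluates only the directory inode and not the files inside it, while the rationale talks about changes to the configuration, credentials and keys that live in those files; either the rationale should say the check covers the directory entry only, or the template's recursive option should be used if the contents are the intent. If any of these directories can be absent on a targeted system, the template reports a failure rather than a pass unless `missing_file_pass: 'true'` is set, which is worth confirming for `/etc/apt/auth.conf.d` in particular. The `fixtext` macros are called with `file=` whereas the sibling macros take `directory=`; if that mirrors the macro signatures it is fine, but please check the rendered fixtext names the directory rather than an empty value.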
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on /etc/apt/sources.list.d Directory'
+
+description: '{{{ describe_directory_group_owner(directory="/etc/apt/sources.list.d", group="root") }}}'
+
+rationale: |-
+ The /etc/apt/sources.list.d directory should be group-owned by root to
+ prevent unauthorized changes to APT repository configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/apt/sources.list.d", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_group_owner(directory="/etc/apt/sources.list.d", group="root") }}}
+
+fixtext: '{{{ fixtext_directory_group_owner(file="/etc/apt/sources.list.d", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/apt/sources.list.d/
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml b/linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml
new file mode 100644
index 000000000000..a2d798e3c0a0
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_groupowner_apt_trusted_gpg_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on /etc/apt/trusted.gpg.d Directory'
+
+description: '{{{ describe_directory_group_owner(directory="/etc/apt/trusted.gpg.d", group="root") }}}'
+
+rationale: |-
+ The /etc/apt/trusted.gpg.d directory should be group-owned by root to prevent
+ unauthorized changes to APT trusted keys.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/etc/apt/trusted.gpg.d", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_group_owner(directory="/etc/apt/trusted.gpg.d", group="root") }}}
+
+fixtext: '{{{ fixtext_directory_group_owner(file="/etc/apt/trusted.gpg.d", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/apt/trusted.gpg.d/
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml b/linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml
new file mode 100644
index 000000000000..af0af4b0bafa
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_groupowner_usr_share_keyrings/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on /usr/share/keyrings Directory'
+
+description: '{{{ describe_directory_group_owner(directory="/usr/share/keyrings", group="root") }}}'
+
+rationale: |-
+ The /usr/share/keyrings directory should be group-owned by root to prevent
+ unauthorized changes to package repository keys.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_group_owner(directory="/usr/share/keyrings", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_group_owner(directory="/usr/share/keyrings", group="root") }}}
+
+fixtext: '{{{ fixtext_directory_group_owner(file="/usr/share/keyrings", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /usr/share/keyrings/
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml
new file mode 100644
index 000000000000..5bcdd7b2ca30
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_owner_apt_auth_conf_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Owner on /etc/apt/auth.conf.d Directory'
+
+description: '{{{ describe_directory_owner(directory="/etc/apt/auth.conf.d", owner="root") }}}'
+
+rationale: |-
+ The /etc/apt/auth.conf.d directory should be owned by root to prevent
+ unauthorized changes to APT authentication configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/apt/auth.conf.d", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_owner(directory="/etc/apt/auth.conf.d", owner="root") }}}
+
+fixtext: '{{{ fixtext_directory_owner(file="/etc/apt/auth.conf.d", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/apt/auth.conf.d/
+ uid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml new file mode 100644
index 000000000000..9054c089900b
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_owner_apt_sources_list_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Owner on /etc/apt/sources.list.d Directory'
+
+description: '{{{ describe_directory_owner(directory="/etc/apt/sources.list.d", owner="root") }}}'
+
+rationale: |-
+ The /etc/apt/sources.list.d directory should be owned by root to prevent
+ unauthorized changes to APT repository configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/apt/sources.list.d", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_owner(directory="/etc/apt/sources.list.d", owner="root") }}}
+
+fixtext: '{{{ fixtext_directory_owner(file="/etc/apt/sources.list.d", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/apt/sources.list.d/
+ uid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml b/linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml new file mode 100644
index 000000000000..8e0214d54055
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_owner_apt_trusted_gpg_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Owner on /etc/apt/trusted.gpg.d Directory'
+
+description: '{{{ describe_directory_owner(directory="/etc/apt/trusted.gpg.d", owner="root") }}}'
+
+rationale: |-
+ The /etc/apt/trusted.gpg.d directory should be owned by root to prevent
+ unauthorized changes to APT trusted keys.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_owner(directory="/etc/apt/trusted.gpg.d", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_owner(directory="/etc/apt/trusted.gpg.d", owner="root") }}}
+
+fixtext: '{{{ fixtext_directory_owner(file="/etc/apt/trusted.gpg.d", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/apt/trusted.gpg.d/
+ uid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml b/linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml new file mode 100644
index 000000000000..f82849fb4fdd
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_owner_usr_share_keyrings/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Owner on /usr/share/keyrings Directory'
+
+description: '{{{ describe_directory_owner(directory="/usr/share/keyrings", owner="root") }}}'
+
+rationale: |-
+ The /usr/share/keyrings directory should be owned by root to prevent
+ unauthorized changes to package repository keys.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_owner(directory="/usr/share/keyrings", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_directory_owner(directory="/usr/share/keyrings", owner="root") }}}
+
+fixtext: '{{{ fixtext_directory_owner(file="/usr/share/keyrings", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /usr/share/keyrings/
+ uid_or_name: '0'
diff --git a/linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml new file mode 100644
index 000000000000..e85e1f2b28e2
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_permissions_apt_auth_conf_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /etc/apt/auth.conf.d Directory'
+
+description: '{{{ describe_directory_permissions(directory="/etc/apt/auth.conf.d", perms="0755") }}}'
+
+rationale: |-
+ The /etc/apt/auth.conf.d directory contains configuration that may include
+ repository credentials. Its permissions should prevent unauthorized changes.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/apt/auth.conf.d", perms="drwxr-xr-x") }}}'
+
+ocil: |-
+ {{{ ocil_directory_permissions(directory="/etc/apt/auth.conf.d", perms="drwxr-xr-x") }}}
+
+fixtext: '{{{ fixtext_directory_permissions(file="/etc/apt/auth.conf.d", mode="0755") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/apt/auth.conf.d/
+ filemode: '0755'
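Review bot: The rationale of `directory_permissions_apt_auth_conf_d` says the directory "may include repository credentials", yet the mode enforced is `0755`, which leaves it world-readable and traversable; the confidentiality of those credentials rests entirely on the companion `file_permissions_apt_auth_conf_d` rule (`0640`). Either tighten the directory to `0750` (apt reads `auth.conf.d` in its root process, so I would not expect this to break apt, but Debian ships the directory `0755`, so confirm before deviating), or reword the rationale so it does not imply this rule protects the secrets: `The directory mode should prevent non-root users from adding, removing or renaming credential files; confidentiality of their contents is enforced by the file permission rule.` If the template honours stricter-than-required modes, as it does elsewhere in the project, `0750` is accepted by this rule as written.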
diff --git a/linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml new file mode 100644
index 000000000000..fcc107e5d7d8
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_permissions_apt_sources_list_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /etc/apt/sources.list.d Directory'
+
+description: '{{{ describe_directory_permissions(directory="/etc/apt/sources.list.d", perms="0755") }}}'
+
+rationale: |-
+ A non-root user should not be able to add or remove APT repository
+ configuration from /etc/apt/sources.list.d.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/apt/sources.list.d", perms="drwxr-xr-x") }}}'
+
+ocil: |-
+ {{{ ocil_directory_permissions(directory="/etc/apt/sources.list.d", perms="drwxr-xr-x") }}}
+
+fixtext: '{{{ fixtext_directory_permissions(file="/etc/apt/sources.list.d", mode="0755") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/apt/sources.list.d/
+ filemode: '0755'
diff --git a/linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml b/linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml new file mode 100644
index 000000000000..592d5898f04f
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_permissions_apt_trusted_gpg_d/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /etc/apt/trusted.gpg.d Directory'
+
+description: '{{{ describe_directory_permissions(directory="/etc/apt/trusted.gpg.d", perms="0755") }}}'
+
+rationale: |-
+ A non-privileged user with write access to /etc/apt/trusted.gpg.d can
+ compromise the APT chain of trust by adding trusted keys.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/etc/apt/trusted.gpg.d", perms="drwxr-xr-x") }}}'
+
+ocil: |-
+ {{{ ocil_directory_permissions(directory="/etc/apt/trusted.gpg.d", perms="drwxr-xr-x") }}}
+
+fixtext: '{{{ fixtext_directory_permissions(file="/etc/apt/trusted.gpg.d", mode="0755") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/apt/trusted.gpg.d/
+ filemode: '0755'
diff --git a/linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml b/linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml new file mode 100644
index 000000000000..6aee15082740
--- /dev/null
+++ b/linux_os/guide/services/apt/directory_permissions_usr_share_keyrings/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /usr/share/keyrings Directory'
+
+description: '{{{ describe_directory_permissions(directory="/usr/share/keyrings", perms="0755") }}}'
+
+rationale: |-
+ A non-root user should not be able to add or remove package repository keys
+ from /usr/share/keyrings.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_directory_permissions(directory="/usr/share/keyrings", perms="drwxr-xr-x") }}}'
+
+ocil: |-
+ {{{ ocil_directory_permissions(directory="/usr/share/keyrings", perms="drwxr-xr-x") }}}
+
+fixtext: '{{{ fixtext_directory_permissions(file="/usr/share/keyrings", mode="0755") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /usr/share/keyrings/
+ filemode: '0755'
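Review bot: The legacy single-file keyring `/etc/apt/trusted.gpg` is not covered by `directory_permissions_apt_trusted_gpg_d` or by any other rule in this series, although apt still loads it when it exists (recent releases only print a deprecation warning; the keys in it remain fully trusted), so a non-root-owned or group/world-writable `/etc/apt/trusted.gpg` defeats exactly the chain-of-trust protection this rationale describes. Add a `file_permissions`/`file_owner`/`file_groupowner` trio for it (`filepath: /etc/apt/trusted.gpg`, `filemode: '0644'`), or a rule requiring that the file be absent, which is what `apt-key` deprecation guidance pushes towards. The rationale could also state that apt only ever reads these directories, so no user or service account other than root has a legitimate need for write access.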
diff --git a/linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml new file mode 100644
index 000000000000..63df18aa1d77
--- /dev/null
+++ b/linux_os/guide/services/apt/file_groupowner_apt_auth_conf_d/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on Files in /etc/apt/auth.conf.d'
+
+description: '{{{ describe_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}'
+
+rationale: |-
+ Files in /etc/apt/auth.conf.d should be group-owned by root to prevent
+ unauthorized changes to APT authentication configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/apt/auth.conf.d/*.conf", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/apt/auth.conf.d/
+ file_regex: ^.*\.conf$
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml new file mode 100644
index 000000000000..6cd97b38ef6b
--- /dev/null
+++ b/linux_os/guide/services/apt/file_groupowner_apt_gpg_keys/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on APT GPG Key Files'
+
+description: '{{{ describe_file_group_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", group="root") }}}'
+
+rationale: |-
+ APT GPG key files should be group-owned by root to prevent unauthorized
+ modification of package trust anchors.
+
+severity: medium
+
+ocil_clause: 'APT GPG key files are not group-owned by root'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath:
+ - /usr/share/keyrings/
+ - /etc/apt/trusted.gpg.d/
+ file_regex:
+ - ^.*gpg$
+ - ^.*gpg$
+ gid_or_name: '0'
diff --git a/linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml new file mode 100644
index 000000000000..8ec2d8392917
--- /dev/null
+++ b/linux_os/guide/services/apt/file_groupowner_apt_sources_list_d/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Verify Group Owner on Files in /etc/apt/sources.list.d'
+
+description: '{{{ describe_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}'
+
+rationale: |-
+ Files in /etc/apt/sources.list.d should be group-owned by root to prevent
+ unauthorized changes to APT repository configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/apt/sources.list.d/*", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/apt/sources.list.d/
+ file_regex: ^.*$
+ gid_or_name: '0'
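Review bot: In `file_groupowner_apt_gpg_keys` the `file_regex` `^.*gpg$` does not match what the title, ocil and fixtext promise (`*.gpg`): the dot is unescaped, so a name like `vendor-gpg` matches, and ASCII-armored `.asc` keys are missed entirely even though apt accepts them in `/etc/apt/trusted.gpg.d` and they are a common `Signed-By` target under `/usr/share/keyrings` — a non-root-owned `.asc` trust anchor passes this rule. Use `^.*\.(gpg|asc)$` for both list entries. Separately, `describe_file_group_owner`, `ocil_file_group_owner` and `fixtext_file_group_owner` are handed the literal string `/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg` as if it were one path, so the rendered fixtext will presumably read like `chgrp root /usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg`, which passes `and` to chgrp; write the fixtext and ocil by hand with one command per directory, as was already done for `ocil_clause`.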
diff --git a/linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml new file mode 100644
index 000000000000..53fd3185eb9c
--- /dev/null
+++ b/linux_os/guide/services/apt/file_owner_apt_auth_conf_d/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Verify Owner on Files in /etc/apt/auth.conf.d'
+
+description: '{{{ describe_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}'
+
+rationale: |-
+ Files in /etc/apt/auth.conf.d should be owned by root to prevent
+ unauthorized changes to APT authentication configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/etc/apt/auth.conf.d/*.conf", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/apt/auth.conf.d/
+ file_regex: ^.*\.conf$
+ uid_or_name: '0'
diff --git a/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml new file mode 100644
index 000000000000..3555535c56d4
--- /dev/null
+++ b/linux_os/guide/services/apt/file_owner_apt_gpg_keys/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Owner on APT GPG Key Files'
+
+description: '{{{ describe_file_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", owner="root") }}}'
+
+rationale: |-
+ APT GPG key files should be owned by root to prevent unauthorized modification
+ of package trust anchors.
+
+severity: medium
+
+ocil_clause: 'APT GPG key files are not owned by root'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /usr/share/keyrings/
+ - /etc/apt/trusted.gpg.d/
+ file_regex:
+ - ^.*gpg$
+ - ^.*gpg$
+ uid_or_name: '0'
diff --git a/linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml new file mode 100644
index 000000000000..78ec88ee8e20
--- /dev/null
+++ b/linux_os/guide/services/apt/file_owner_apt_sources_list_d/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Verify Owner on Files in /etc/apt/sources.list.d'
+
+description: '{{{ describe_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}'
+
+rationale: |-
+ Files in /etc/apt/sources.list.d should be owned by root to prevent
+ unauthorized changes to APT repository configuration.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}'
+
+ocil: |-
+ {{{ ocil_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/etc/apt/sources.list.d/*", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/apt/sources.list.d/
+ file_regex: ^.*$
+ uid_or_name: '0'
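Review bot: `file_owner_apt_gpg_keys` carries the same `^.*gpg$` pattern as its group-owner sibling, so a `.asc` keyring owned by an unprivileged user — which apt trusts just as much as a binary `.gpg` one — is not caught, and the unescaped dot lets unrelated names ending in `gpg` in; `^.*\.(gpg|asc)$` is the pattern the title and ocil actually describe. The `describe_file_owner`/`ocil_file_owner`/`fixtext_file_owner` calls again receive `"/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg"` as one path, so the generated `chown` instruction will presumably be a single malformed command; hand-write the ocil and fixtext with one `chown root` per directory, matching the hand-written `ocil_clause`. The ownership rule is the one that matters most for the trust anchors, since a non-root owner can re-chmod a `0644` key at will, so consider whether `severity: high` is more appropriate than `medium` here than for the mode rule.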
diff --git a/linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml b/linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml new file mode 100644
index 000000000000..5f005632d909
--- /dev/null
+++ b/linux_os/guide/services/apt/file_permissions_apt_auth_conf_d/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Files in /etc/apt/auth.conf.d'
+
+description: '{{{ describe_file_permissions(file="/etc/apt/auth.conf.d/*.conf", perms="0640") }}}'
+
+rationale: |-
+ Files in /etc/apt/auth.conf.d may contain credentials for private
+ repositories or proxies and should not be readable by unauthorized users.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/apt/auth.conf.d/*.conf", perms="-rw-r-----") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/etc/apt/auth.conf.d/*.conf", perms="-rw-r-----") }}}
+
+fixtext: '{{{ fixtext_file_permissions(file="/etc/apt/auth.conf.d/*.conf", mode="0640") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/apt/auth.conf.d/
+ file_regex: ^.*\.conf$
+ filemode: '0640'
diff --git a/linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml b/linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml new file mode 100644
index 000000000000..3f1b5b0268ab
--- /dev/null
+++ b/linux_os/guide/services/apt/file_permissions_apt_gpg_keys/rule.yml
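Review bot: `file_permissions_apt_auth_conf_d` only covers `/etc/apt/auth.conf.d/*.conf`; the legacy `/etc/apt/auth.conf`, which apt still reads and which holds exactly the credentials the rationale worries about, is not checked by this rule or by the owner/group-owner siblings, so a world-readable `/etc/apt/auth.conf` passes the whole set. Make `filepath` a list (`- /etc/apt/auth.conf.d/` with the regex and `- /etc/apt/auth.conf` without) or add a companion rule. The `0640` with group root required by the sibling rule is effectively root-only, which is coherent with apt_auth.conf(5) recommending the file be readable only by root; my recollection is that modern apt parses auth files in the root process so `_apt` needs no access, but confirm before stating it in the rationale, which should explain why the file must not be relaxed to group `_apt`.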
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Verify Permissions on APT GPG Key Files'
+
+description: '{{{ describe_file_permissions(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", perms="0644") }}}'
+
+rationale: |-
+ APT GPG key files are used to verify package authenticity. Restricting their
+ permissions prevents unauthorized modification while keeping them readable by APT.
+
+severity: medium
+
+ocil_clause: 'APT GPG key files have permissions more permissive than 0644'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", perms="-rw-r--r--") }}}
+
+fixtext: '{{{ fixtext_file_permissions(file="/usr/share/keyrings/*.gpg and /etc/apt/trusted.gpg.d/*.gpg", mode="0644") }}}'
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /usr/share/keyrings/
+ - /etc/apt/trusted.gpg.d/
+ file_regex:
+ - ^.*gpg$
+ - ^.*gpg$
+ filemode: '0644'
diff --git a/linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml b/linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml new file mode 100644
index 000000000000..be74a221f410
--- /dev/null
+++ b/linux_os/guide/services/apt/file_permissions_apt_sources_list_d/rule.yml
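Review bot: `file_permissions_apt_gpg_keys` is the third rule using `^.*gpg$`, so the same two gaps apply: ASCII-armored `.asc` keyrings (accepted by apt in `trusted.gpg.d` and usable as `Signed-By` targets) escape the `0644` ceiling, and the unescaped dot over-matches; `^.*\.(gpg|asc)$` fixes both. The rationale's "readable by APT" point deserves one concrete sentence: the `_apt` user, under which apt's acquire methods run, must be able to read keyrings referenced by `Signed-By`, which is why the ceiling is `0644` rather than `0640` — say so, or a later reviewer will "harden" it and break repository signature verification.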
@@ -0,0 +1,25 @@ +documentation_complete: true + +title: 'Verify Permissions on Files in /etc/apt/sources.list.d' + +description: '{{{ describe_file_permissions(file="/etc/apt/sources.list.d/*", perms="0644") }}}' + +rationale: |- + Files in /etc/apt/sources.list.d contain APT repository configuration. They + should not be writable by non-root users. + +severity: medium + +ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/apt/sources.list.d/*", perms="-rw-r--r--") }}}' + +ocil: |- + {{{ ocil_file_permissions(file="/etc/apt/sources.list.d/*", perms="-rw-r--r--") }}} + +fixtext: '{{{ fixtext_file_permissions(file="/etc/apt/sources.list.d/*", mode="0644") }}}' + +template: + name: file_permissions + vars: + filepath: /etc/apt/sources.list.d/ + file_regex: ^.*$ + filemode: '0644' diff --git a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml index 9e62a077de40..8e014ea513e4 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/package_avahi_removed/rule.yml @@ -42,5 +42,6 @@ template: name: package_removed vars: pkgname: avahi + pkgname@debian13: avahi-daemon pkgname@ubuntu2204: avahi-daemon pkgname@ubuntu2404: avahi-daemon diff --git a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml index ac20125661b3..a59eb1542acf 100644 --- a/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml +++ b/linux_os/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled/rule.yml @@ -47,5 +47,6 @@ template: vars: servicename: avahi-daemon packagename: avahi + packagename@debian13: avahi-daemon packagename@ubuntu2204: avahi-daemon packagename@ubuntu2404: avahi-daemon 
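Review bot: In `file_permissions_apt_sources_list_d` the `file_regex` `^.*$` checks every entry of `/etc/apt/sources.list.d`, but apt only parses `*.list` and `*.sources` there and ignores other names (for example the `*.save` and `*.distUpgrade` backups that release upgrades leave behind), so the rule can fail on files with no effect on APT; conversely the classic `/etc/apt/sources.list`, which is still honoured when present, is not covered by this rule or by the owner/group-owner siblings. Consider `file_regex: ^.*\.(list|sources)$` and adding `/etc/apt/sources.list` (as a `filepath` list entry without a regex) to all three sources rules. The enclosing `sources.list.d` template block ends in this hunk; the avahi hunks on the same line are straightforward package-name overrides.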
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml new file mode 100644
index 000000000000..7cd770d5d3f1
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp4-server Service'
+
+description: |-
+ The kea-dhcp4-server service should be disabled on
+ any system that does not need to act as a DHCPv4 server.
+ {{{ describe_service_disable(service="kea-dhcp4-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp4-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp4-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp4-server
+ packagename: kea
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml new file mode 100644
index 000000000000..5545926ebb1e
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml
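Review bot: `packagename: kea` in `service_kea_dhcp4_server_disabled` is only correct for distributions that ship Kea as one package; Debian and Ubuntu split it into `kea-dhcp4-server`, `kea-dhcp6-server`, `kea-dhcp-ddns-server` and others, with `kea` being (if I recall correctly) only a metapackage. If the `service_disabled` template treats "package not installed" as a pass, as the other rules in this PR rely on, a Debian host running `kea-dhcp4-server` without the `kea` metapackage passes this rule while serving DHCP. Follow the pattern this PR uses for avahi and bind and add `packagename@debian13: kea-dhcp4-server` (and the matching `@ubuntu2204`/`@ubuntu2404` overrides if those products consume the rule). The rationale could also mention that a rogue DHCP server is a man-in-the-middle primitive (it hands out default gateway and DNS), which is the security reason beyond "faulty information".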
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp6-server Service'
+
+description: |-
+ The kea-dhcp6-server service should be disabled on
+ any system that does not need to act as a DHCPv6 server.
+ {{{ describe_service_disable(service="kea-dhcp6-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp6-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp6-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp6-server
+ packagename: kea
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml new file mode 100644
index 000000000000..5b942ac12d20
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml
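Review bot: `service_kea_dhcp6_server_disabled` has the same package-guard problem as its DHCPv4 sibling: on Debian/Ubuntu the daemon comes from `kea-dhcp6-server`, not `kea`, so if the template short-circuits to pass when `kea` is absent, a host running only `kea-dhcp6-server` is reported compliant. Add `packagename@debian13: kea-dhcp6-server` next to `packagename: kea`, mirroring the `@debian13` overrides this PR adds for avahi, bind and dovecot. Since the three Kea rules share an identical rationale paragraph, a shared Jinja snippet or a common `rationale` macro would keep them from drifting apart.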
@@ -0,0 +1,29 @@ +documentation_complete: true + +title: 'Disable kea-dhcp-ddns-server Service' + +description: |- + The kea-dhcp-ddns-server service should be disabled on + any system that does not need to act as a DHCP Dynamic DNS update server. + {{{ describe_service_disable(service="kea-dhcp-ddns-server") }}} + +rationale: |- + Unmanaged or unintentionally activated DHCP servers may provide faulty information + to clients, interfering with the operation of a legitimate site + DHCP server if there is one. + +severity: medium + +ocil_clause: |- + {{{ ocil_clause_service_disabled(service="kea-dhcp-ddns-server") }}} + +ocil: |- + {{{ ocil_service_disabled(service="kea-dhcp-ddns-server") }}} + +platform: system_with_kernel + +template: + name: service_disabled + vars: + servicename: kea-dhcp-ddns-server + packagename: kea diff --git a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml index 9e9e33fb7aea..2594286cc3c0 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/package_bind_removed/rule.yml @@ -45,5 +45,6 @@ template: pkgname@rhel9: - bind - bind9.18 + pkgname@debian13: bind9 pkgname@ubuntu2204: bind9 pkgname@ubuntu2404: bind9 diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml index 6fdbc76b7d31..9e9b2959a12b 100644 --- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml @@ -43,4 +43,5 @@ template: vars: servicename: named packagename: bind + packagename@debian13: bind9 packagename@ubuntu2404: bind9 
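Review bot: `service_kea_dhcp_ddns_server_disabled` needs `packagename@debian13: kea-dhcp-ddns-server` for the same reason as the two DHCP rules — Debian ships the DDNS daemon in its own package, so `packagename: kea` can let the check pass on a host where the service is installed and running. The rationale is copied from the DHCP server rules but does not fit this daemon: kea-dhcp-ddns does not answer clients, it pushes DNS updates (often with TSIG keys) on behalf of the DHCP servers, so the risk is unauthorized dynamic DNS changes rather than "faulty information to clients"; suggest `An unneeded DDNS update daemon can be abused to inject or alter DNS records for the zones it is configured to update.` The bind hunks on this line are consistent with the other `@debian13` overrides.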
diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml index 02f281ed5266..af5d8c78e8bf 100644 --- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} {{%- set package = "apache2" %}} {{% else %}} {{%- set package = "httpd" %}} diff --git a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml index 5135477cefec..c0a5562167cd 100644 --- a/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml +++ b/linux_os/guide/services/http/disabling_httpd/service_httpd_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} {{% set service_name = "apache2" %}} {{% else %}} {{% set service_name = "httpd" %}} diff --git a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml index 0a1f7f5b2a2e..d5bf8afcae11 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/package_dovecot_removed/rule.yml @@ -1,4 +1,4 @@ -{{% if 'ubuntu' not in product %}} +{{% if 'ubuntu' not in product and 'debian' not in product %}} {{%- set package = "dovecot" %}} {{% else %}} {{%- set package = "dovecot-core" %}} @@ -35,5 +35,6 @@ template: name: package_removed vars: pkgname: dovecot + pkgname@debian13: dovecot-core pkgname@ubuntu2204: dovecot-core pkgname@ubuntu2404: dovecot-core 
diff --git a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml index 303e37bd87d2..22511e6f7e81 100644 --- a/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml +++ b/linux_os/guide/services/imap/disabling_dovecot/service_dovecot_disabled/rule.yml @@ -34,4 +34,5 @@ template: name: service_disabled vars: servicename: dovecot + packagename@debian13: dovecot-core packagename@ubuntu2404: dovecot-core diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml index 5ff291774a91..9dea007eb537 100644 --- a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml @@ -1,6 +1,6 @@ {{% if product in ["sle12", "sle15", "slmicro5"] %}} {{%- set package = "openldap2-client" %}} -{{% elif "ubuntu" in product %}} +{{% elif "ubuntu" in product or "debian" in product %}} {{%- set package = "ldap-utils" %}} {{% else %}} {{%- set package = "openldap-clients" %}} @@ -46,3 +46,4 @@ template: pkgname@slmicro5: openldap2-client pkgname@ubuntu2204: ldap-utils pkgname@ubuntu2404: ldap-utils + pkgname@debian13: ldap-utils diff --git a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml index 2c2f7ea7552a..68f281990ecd 100644 --- a/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/package_openldap-servers_removed/rule.yml 
@@ -1,6 +1,6 @@ {{% if product in ["sle12", "sle15", "slmicro5"] %}} {{%- set package = "openldap2" %}} -{{% elif "ubuntu" in product %}} +{{% elif "debian" in product or "ubuntu" in product %}} {{%- set package = "slapd" %}} {{% else %}} {{%- set package = "openldap-servers" %}} @@ -47,6 +47,7 @@ template: name: package_removed vars: pkgname: openldap-servers + pkgname@debian13: slapd pkgname@sle12: openldap2 pkgname@sle15: openldap2 pkgname@slmicro5: openldap2 diff --git a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml index af9de4746320..bc63db664410 100644 --- a/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml +++ b/linux_os/guide/services/ldap/openldap_server/service_slapd_disabled/rule.yml @@ -30,4 +30,5 @@ template: vars: servicename: slapd packagename: openldap-servers + packagename@debian13: slapd packagename@ubuntu2404: slapd diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml index 0fb7af297083..17c38a189721 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled/rule.yml @@ -44,5 +44,6 @@ template: vars: servicename: nfs-server packagename: nfs-utils + packagename@debian13: nfs-kernel-server packagename@ubuntu2404: nfs-kernel-server packagename@sle15: nfs-kernel-server diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml index 54f7f2e53b9d..3b925a5a1632 100644 --- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml 
+++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/ansible/shared.yml @@ -9,7 +9,7 @@ - name: {{{ rule_title }}} - Add missing / update wrong records for remote time servers ansible.builtin.lineinfile: path: {{{ chrony_conf_path }}} - regexp: '^\s*\bserver\b\s*\b{{ item }}\b$' + regexp: '^\s*\bserver\b\s*\b{{ item }}\b' state: present line: 'server {{ item }}' create: true @@ -19,7 +19,7 @@ - name: {{{ rule_title }}} - Add missing / update wrong records for remote time pools ansible.builtin.lineinfile: path: {{{ chrony_conf_path }}} - regexp: '^\s*\bpool\b\s*\b{{ item }}\b$' + regexp: '^\s*\bpool\b\s*\b{{ item }}\b' state: present line: 'pool {{ item }}' create: true diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml index 46caf86dd361..6512a93ae74d 100644 --- a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/oval/shared.xml @@ -16,7 +16,7 @@ - $ + ([[:space:]].*)?$ @@ -29,7 +29,7 @@ - $ + ([[:space:]].*)?$ diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh new file mode 100644 index 000000000000..0f455decb98f --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/pool_with_options.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = chrony +# variables = var_multiple_time_servers=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org,var_multiple_time_pools=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org + +echo "" > {{{ chrony_conf_path }}} +echo "pool 2.debian.pool.ntp.org iburst" >> {{{ chrony_conf_path }}} 
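Review bot: Dropping the `$` anchor from the `regexp` in both `lineinfile` tasks makes the remediation match an existing `server 2.debian.pool.ntp.org iburst maxpoll 10` (the new test case) and, because `line:` is the bare `server {{ item }}`, replace it with the bare directive — the Ansible fix now silently strips trailing options. For `iburst`/`maxpoll` that is a tuning regression, but for `nts`, `key N` or `require` it removes the authentication of the time source, a security downgrade performed by a hardening remediation, and the OVAL change on the same line (`([[:space:]].*)?$`) accepts option-bearing lines so the check then passes and nobody notices. Keep the anchor and preserve options with `backrefs`, and add a directive only when a pre-check shows it is missing; the `loop` and `when` of the enclosing tasks are outside the hunk.
```yaml
- name: {{{ rule_title }}} - Detect remote time servers already configured (options untouched)
  ansible.builtin.command: grep -Eq '^\s*server\s+{{ item }}(\s|$)' {{{ chrony_conf_path }}}
  register: chrony_server_present
  changed_when: false
  failed_when: chrony_server_present.rc not in [0, 1, 2]
  # … unchanged: loop over the configured time servers …

- name: {{{ rule_title }}} - Add missing remote time servers
  ansible.builtin.lineinfile:
    path: {{{ chrony_conf_path }}}
    line: 'server {{ item.item }}'
    create: true
  loop: '{{ chrony_server_present.results }}'
  when: item.rc != 0
```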
diff --git a/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh new file mode 100644 index 000000000000..9a3729eadd8b --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_configure_pool_and_server/tests/server_with_options.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = chrony +# variables = var_multiple_time_servers=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org,var_multiple_time_pools=0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org + +echo "" > {{{ chrony_conf_path }}} +echo "server 2.debian.pool.ntp.org iburst maxpoll 10" >> {{{ chrony_conf_path }}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh new file mode 100644 index 000000000000..84f0c626d920 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/bash/debian.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_debian + +{{{ bash_replace_or_append(chrony_conf_path, '^user', '_chrony', '%s %s', cce_identifiers=cce_identifiers) }}} diff --git a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml index 88b20cd2f9b0..ff4295d60ca3 100644 --- a/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml +++ b/linux_os/guide/services/ntp/chronyd_run_as_chrony_user/oval/shared.xml 
@@ -29,7 +29,7 @@ -{{%- elif 'ubuntu' in product -%}} +{{%- elif 'ubuntu' in product or 'debian' in product -%}} {{{ oval_check_config_file(path='/etc/chrony/chrony.conf', prefix_regex='^[ \\t]*', parameter='user', separator_regex='[[:space:]]', value='_chrony', missing_parameter_pass=true, missing_config_file_fail=false, rule_id=rule_id, rule_title=rule_title) }}} {{%- else -%}} {{{ oval_check_config_file(path='/etc/sysconfig/chronyd', prefix_regex='^[ \\t]*', parameter='OPTIONS', separator_regex='=', value='["]?.*-u[\s]*chrony.*["]?', missing_parameter_pass=ok_by_default, missing_config_file_fail=true, rule_id=rule_id, rule_title=rule_title) }}} diff --git a/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml b/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml index a1546145887b..fd82653ed4a6 100644 --- a/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml +++ b/linux_os/guide/services/ntp/package_timesyncd_installed/rule.yml @@ -19,7 +19,7 @@ references: nist-csf: PR.PT-1 pcidss: Req-10.4 -{{%- if 'ubuntu' in product %}} +{{%- if 'ubuntu' in product or 'debian' in product %}} template: name: package_installed_guard_var vars: diff --git a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml index 1f12127a45a1..8e88e19d2fad 100644 --- a/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_disabled/rule.yml @@ -13,7 +13,7 @@ severity: medium platform: package[chrony] -{{%- if 'ubuntu' in product %}} +{{%- if 'ubuntu' in product or 'debian' in product %}} template: name: service_disabled_guard_var vars: @@ -27,6 +27,4 @@ template: vars: packagename: chrony servicename: chronyd - servicename@ubuntu2204: chrony - servicename@debian12: chrony {{%- endif %}} 
diff --git a/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml index 3b9c304b952d..4188ef4bf010 100644 --- a/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml +++ b/linux_os/guide/services/ntp/service_timesyncd_configured/rule.yml @@ -19,7 +19,7 @@ rationale: |- severity: medium -platform: package[systemd] +platform: package[systemd-timesyncd] identifiers: cce@sle12: CCE-92374-8 diff --git a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml index 7b0676b077ce..b6a0845d4dbe 100644 --- a/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml +++ b/linux_os/guide/services/ntp/service_timesyncd_disabled/rule.yml @@ -17,7 +17,7 @@ severity: medium platform: package[systemd-timesyncd] -{{%- if 'ubuntu' in product %}} +{{%- if 'ubuntu' in product or 'debian' in product %}} template: name: service_disabled_guard_var vars: diff --git a/linux_os/guide/services/ntp/var_multiple_time_pools.var b/linux_os/guide/services/ntp/var_multiple_time_pools.var index 17e2f18c976a..b28ce40d6cf8 100644 --- a/linux_os/guide/services/ntp/var_multiple_time_pools.var +++ b/linux_os/guide/services/ntp/var_multiple_time_pools.var @@ -19,3 +19,4 @@ options: ubuntu: "0.ubuntu.pool.ntp.org,1.ubuntu.pool.ntp.org,2.ubuntu.pool.ntp.org,3.ubuntu.pool.ntp.org" debian: "0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org" nist: "time.nist.gov" + ulpgc: "pool.ntp.ulpgc.es" diff --git a/linux_os/guide/services/ntp/var_multiple_time_servers.var b/linux_os/guide/services/ntp/var_multiple_time_servers.var index 4ecfd28488b0..9ee263f1d09f 100644 --- a/linux_os/guide/services/ntp/var_multiple_time_servers.var +++ b/linux_os/guide/services/ntp/var_multiple_time_servers.var 
@@ -22,3 +22,4 @@ options: almalinux: "0.almalinux.pool.ntp.org,1.almalinux.pool.ntp.org,2.almalinux.pool.ntp.org,3.almalinux.pool.ntp.org" debian: "0.debian.pool.ntp.org,1.debian.pool.ntp.org,2.debian.pool.ntp.org,3.debian.pool.ntp.org" nist: "time.nist.gov,time-a-g.nist.gov,time-b-g.nist.gov,time-c-g.nist.gov" + ulpgc: "pool.ntp.ulpgc.es" diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml index 8b8cc34064e4..269e1acba30f 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Uninstall rsh Package' description: |- - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} The rsh package contains the client commands {{% else %}} The rsh-client package contains the client commands @@ -16,7 +16,7 @@ rationale: |- been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} their credentials. Note that removing the rsh package removes {{% else %}} their credentials. Note that removing the rsh-client package removes @@ -40,7 +40,7 @@ references: hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) iso27001-2013: A.8.2.3,A.13.1.1,A.13.2.1,A.13.2.3,A.14.1.2,A.14.1.3 -{{% if 'ubuntu' not in product %}} +{{% if 'ubuntu' not in product and 'debian' not in product %}} ocil: '{{{ describe_package_remove(package="rsh") }}}' {{% else %}} ocil: '{{{ describe_package_remove(package="rsh-client") }}}' 
@@ -50,6 +50,7 @@ template: name: package_removed vars: pkgname: rsh + pkgname@debian13: rsh-client pkgname@ubuntu2204: rsh-client pkgname@ubuntu2404: rsh-client diff --git a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml index d4ed1fb801e0..fe7b621c885f 100644 --- a/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/service_rsyncd_disabled/rule.yml @@ -38,6 +38,8 @@ template: vars: servicename: rsyncd packagename: rsync-daemon + packagename@debian13: rsync + servicename@debian13: rsync packagename@ol7: rsync packagename@sle12: rsync packagename@sle15: rsync diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml index 1aa283f3983a..7b33fb6a2452 100644 --- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml @@ -1,4 +1,4 @@ -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} {{%- set package = "tftpd-hpa" %}} {{% elif 'sle' in product %}} {{%- set package = "tftp" %}} diff --git a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml index 510779e396e9..771275d4d102 100644 --- a/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml +++ b/linux_os/guide/services/obsolete/tftp/service_tftp_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} {{%- set service_name = "tftpd-hpa" %}} {{%- set package = "tftpd-hpa" %}} {{% elif 'sle' in product or product == "slmicro5" %}} 
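Review bot: `pkgname@debian13: rsh-client` is the only Debian override added, while the three description/OCIL conditions earlier in this file were switched to `'debian' not in product`, which also covers debian11 and debian12; for those products the text now says the `rsh-client` package is removed while the template still removes `rsh` (the hunk's trailing context is cut, so an existing `pkgname@debian11`/`@debian12` line would not be visible here). Either add matching overrides for the other Debian products or narrow the text conditions to the products that actually get `rsh-client`, e.g. `product == 'debian13'` next to the ubuntu test.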
diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml index 1043e53b6d29..ea0cbf6135eb 100644 --- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml @@ -34,6 +34,7 @@ template: name: service_disabled vars: servicename: smb + servicename@debian13: smbd servicename@ubuntu2204: smbd servicename@ubuntu2404: smbd packagename: samba diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml index 3d86a465a82e..5fcb1b044831 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml @@ -43,5 +43,6 @@ template: vars: pkgname: net-snmp pkgname@debian11: snmp + pkgname@debian13: snmpd pkgname@ubuntu2204: snmp pkgname@ubuntu2404: snmpd diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml index 0453930173d0..8fea1564215f 100644 --- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml +++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml @@ -38,5 +38,6 @@ template: servicename: snmpd packagename@debian11: snmpd packagename@debian12: snmpd + packagename@debian13: snmpd packagename@ubuntu2404: snmpd packagename: net-snmp diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml index b8f255fffe33..96a30bf196d0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml 
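Review bot: package_net-snmp_removed now carries overrides for debian11 and debian13 but none for debian12, whereas service_snmpd_disabled in the next hunk lists debian11, debian12 and debian13; on debian12 the package rule therefore falls back to `pkgname: net-snmp`, which as far as I know is not a Debian package name, so the check passes vacuously. Add `pkgname@debian12: snmpd` alongside the new debian13 line, and while here confirm that `snmp` (the client tools) rather than `snmpd` is really what debian11 should remove.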
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml @@ -41,7 +41,7 @@ references: {{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue.net") }}} -{{% if 'ubuntu' not in product %}} +{{% if 'ubuntu' not in product and 'debian' not in product %}} conflicts: - sshd_enable_warning_banner {{% endif %}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_allow_groups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_allow_groups/rule.yml new file mode 100644 index 000000000000..31bd04d911fa --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_allow_groups/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + +title: 'Set SSH AllowGroups' + +description: |- + The AllowGroups parameter restricts which groups of users + can log in via SSH. To configure it, edit /etc/ssh/sshd_config: +
    AllowGroups {{{ xccdf_value("var_sshd_allow_groups") }}}
    + +rationale: |- + Restricting SSH access to specific groups reduces the attack surface by + ensuring only authorized users can connect remotely. + +severity: medium + +ocil_clause: 'AllowGroups is not set to the required group' + +ocil: |- + Run the following command to verify the AllowGroups setting: +
    $ sudo grep -i AllowGroups /etc/ssh/sshd_config
    + The output should contain: +
    AllowGroups {{{ xccdf_value("var_sshd_allow_groups") }}}
    + +platform: package[openssh-server] + +template: + name: sshd_lineinfile + vars: + parameter: AllowGroups + xccdf_variable: var_sshd_allow_groups + datatype: string diff --git a/linux_os/guide/services/ssh/sshd_strong_kex.var b/linux_os/guide/services/ssh/sshd_strong_kex.var index d4a78a3fe45e..2f5295003d6c 100644 --- a/linux_os/guide/services/ssh/sshd_strong_kex.var +++ b/linux_os/guide/services/ssh/sshd_strong_kex.var @@ -22,3 +22,4 @@ options: cis_ubuntu2404: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 std_openeuler: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 cis_debian12: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 + cis_debian13: mlkem768x25519-sha256,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 diff --git a/linux_os/guide/services/ssh/sshd_strong_macs.var b/linux_os/guide/services/ssh/sshd_strong_macs.var index a0a75f544ff8..988e89ff56fa 100644 --- a/linux_os/guide/services/ssh/sshd_strong_macs.var +++ b/linux_os/guide/services/ssh/sshd_strong_macs.var 
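Review bot: A rule whose remediation writes `AllowGroups` can lock administrators out of SSH if their account is not in the configured group, and the new rule has no `warnings` entry saying so; add a `warnings: - general: |-` block stating that every account that must keep remote access, including the one applying the remediation, has to be a member of the group in `var_sshd_allow_groups` before the rule is applied. The variable's default is `users` (see the .var hunk further down), a group that accounts are not placed in automatically on systems that create per-user private groups, so the lockout case is the likely outcome rather than an edge case. The description only names /etc/ssh/sshd_config, but sshd uses the first `AllowGroups` it reads, so a value in an included drop-in silently overrides the edited one; a sentence noting that would help the reader. The rule also ships without `identifiers` or `references`, which is worth a follow-up if it is meant to enter a profile.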
@@ -23,3 +23,4 @@ options: stig_rhel9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 stig_ol9: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512 cis_debian12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 + cis_debian13: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 diff --git a/linux_os/guide/services/ssh/var_sshd_allow_groups.var b/linux_os/guide/services/ssh/var_sshd_allow_groups.var new file mode 100644 index 000000000000..9caf34024c62 --- /dev/null +++ b/linux_os/guide/services/ssh/var_sshd_allow_groups.var @@ -0,0 +1,16 @@ +documentation_complete: true + +title: 'SSH AllowGroups' + +description: 'Space-separated list of groups allowed to log in via SSH.' + +type: string + +operator: equals + +interactive: false + +options: + root: root + users: users + default: users diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml index 0c29abce28b6..1635b31334c3 100644 --- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml @@ -60,5 +60,6 @@ template: name: package_removed vars: pkgname: xorg-x11-server-common + pkgname@debian13: xserver-common pkgname@ubuntu2204: xserver-common pkgname@ubuntu2404: xserver-common diff --git a/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh index d3ed274a302a..c3d13462234b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh 
+++ b/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_ubuntu,multi_platform_debian {{% if 'ubuntu' in product or 'debian' in product %}} {{{ bash_pam_unix_enable() }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh index bd7ef67ddd77..eddf0d6281bb 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_enabled/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_ubuntu,multi_platform_debian {{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh new file mode 100644 index 000000000000..519e94d8077b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/bash/debian.sh 
@@ -0,0 +1,21 @@ +# platform = multi_platform_debian + +{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}} + +{{{ bash_instantiate_variables("var_password_pam_remember") }}} + +sed -i -E '/^Password:/,/^[^[:space:]]/ { + /pam_pwhistory\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_remember"'/g + } +}' /usr/share/pam-configs/cac_pwhistory + +sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ { + /pam_pwhistory\.so/ { + s/\s*remember=[^[:space:]]*//g + s/$/ remember='"$var_password_pam_remember"'/g + } +}' /usr/share/pam-configs/cac_pwhistory + +DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml new file mode 100644 index 000000000000..739ade74c36e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/oval/debian.xml @@ -0,0 +1,58 @@ +{{% if "debian" in product %}} +{{%- set accounts_password_pam_file = '/etc/pam.d/common-password' -%}} +{{% endif %}} + + + + {{{ oval_metadata("The passwords to remember of pam_pwhistory should be set correctly.", rule_title=rule_title) }}} + + + + + + + + + + + + + + + {{{ accounts_password_pam_file }}} + + 1 + + + + + ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so.*$ + + + + + + + + + + + + + + {{{ accounts_password_pam_file }}} + ^[ \t]*password[ \t]+(?:(?:sufficient)|(?:required)|(?:requisite)|(?:\[.*\]))[ \t]+pam_pwhistory\.so[ \t]+[^#\n\r]*\bremember=([0-9]*)\b.*$ + 1 + + + 
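Review bot: The remediation ends with `pam-auth-update --enable cac_pwhistory` and never verifies that `remember=` reached /etc/pam.d/common-password; pam-auth-update declines to rewrite the common-* files when it detects local modifications, the very case this commit works around in the no_empty_passwords_unix fallback, so here the profile edit can silently have no effect and the rule stays failing after remediation. Either re-check the rendered file afterwards and report when the option is absent, or document the limitation in a comment above the pam-auth-update line. The use_authtok and pam_unix_authtok remediations in the next hunks share the same caveat.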
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh
new file mode 100644
index 000000000000..6696cccfdb36
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_use_authtok/bash/debian.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_debian
+
+{{{ bash_pam_pwhistory_enable('cac_pwhistory','requisite') }}}
+conf_file=/usr/share/pam-configs/cac_pwhistory
+if ! grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"; then
+ sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_pwhistory\.so/ {
+ s/$/ use_authtok/g
+ }
+ }' "$conf_file"
+fi
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --enable cac_pwhistory
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh
new file mode 100644
index 000000000000..bb9b98b0a059
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_authtok/bash/debian.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_debian
+
+config_file="/usr/share/pam-configs/cac_unix"
+{{{ bash_pam_unix_enable() }}}
+sed -i -E '/^Password:/,/^[^[:space:]]/ {
+ /pam_unix\.so/ {
+ /use_authtok/! s/$/ use_authtok/g
+ }
+}' "$config_file"
+
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update --remove unix --enable cac_unix
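Review bot: The guard `grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b' "$conf_file"` searches the whole profile, while the sed that follows edits only the `Password:` block, so a `use_authtok` present on the pam_pwhistory line of another block would skip the edit and leave `Password:` unchanged. Scope the test to the block being edited, for example `sed -n '/^Password:/,/^[^[:space:]]/p' "$conf_file" | grep -qE 'pam_pwhistory\.so\s+[^#]*\buse_authtok\b'`, or fold the idempotency into sed the way the pam_unix script in the next hunk does with `/use_authtok/! s/$/ use_authtok/`. That second script has a stray double blank line before its pam-auth-update call, which is cosmetic.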
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh index 43feff6ed1e8..d3d6d6c575b0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enabled/bash/shared.sh @@ -1,3 +1,3 @@ -# platform = multi_platform_ubuntu +# platform = multi_platform_ubuntu,multi_platform_debian {{{ bash_pam_faillock_enable() }}} diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh index f79004374922..587deb246ad0 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/bash/shared.sh @@ -1,6 +1,6 @@ -# platform = multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_sle,multi_platform_ubuntu,multi_platform_debian -{{% if product in ['sle15', 'sle16'] %}} +{{% if product in ['sle15', 'sle16'] or 'debian' in product %}} {{{ bash_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF') }}} {{% else %}} {{{ bash_pam_pwquality_enable() }}} 
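Review bot: For Debian the pwquality remediation now writes `pam_pwquality.so` straight into /etc/pam.d/common-password through `bash_ensure_pam_module_configuration`, whereas every other Debian PAM remediation in this commit edits a profile under /usr/share/pam-configs and lets pam-auth-update render the stack. If I read pam-auth-update's behaviour correctly, a direct edit of common-password is exactly what it later flags as a local modification and refuses to overwrite, so applying this rule first can block the cac_pwhistory/cac_unix profile updates made by the pwhistory and unix rules (the no_empty_passwords_unix hunk in this commit adds a fallback for that situation). A pam-configs profile for pwquality on Debian would keep the two mechanisms from fighting; failing that, a comment above the debian branch should spell out the ordering constraint.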
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml new file mode 100644 index 000000000000..860c199a4ca7 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/oval/debian.xml @@ -0,0 +1,37 @@ +{{% if 'debian' in product %}} +{{% set configuration_files = ["common-password"] %}} +{{% endif %}} + + + {{{ oval_metadata("Check pam_pwquality module is enabled", rule_title=rule_title) }}} + + {{% for file in configuration_files %}} + + {{% endfor %}} + + + + {{% macro test_pwquality_enabled(path, test_ref) %}} + + + + {{% endmacro %}} + + {{% macro object_pwquality_enabled(path, test_ref) %}} + + {{{ path }}} + ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$ + 1 + + {{% endmacro %}} + + {{% for file in configuration_files %}} + {{{ test_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{{ object_pwquality_enabled( path="/etc/pam.d/" ~ file , + test_ref="password_pam_pwquality_enabled_" ~ (file | escape_id)) }}} + {{% endfor %}} + diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var index d955dbe9c17d..2238e4df257e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var +++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm.var @@ -22,3 +22,4 @@ options: cis_rhel8: YESCRYPT|SHA512 cis_rhel10: YESCRYPT|SHA512 cis_fedora: YESCRYPT|SHA512 + cis_debian13: YESCRYPT|SHA512 
diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var index b6e46765560f..52a076c46313 100644 --- a/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var +++ b/linux_os/guide/system/accounts/accounts-pam/var_password_hashing_algorithm_pam.var @@ -18,3 +18,4 @@ options: yescrypt: yescrypt cis_rhel8: yescrypt|sha512 cis_rhel10: yescrypt|sha512 + cis_debian13: yescrypt|sha512 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh index 03336f17073a..0b60e18bc2d9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_no_remember/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_almalinux,multi_platform_ubuntu,multi_platform_debian # reboot = false # strategy = configure # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh index 39767a05643b..d85a76cd1567 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/bash/shared.sh 
@@ -9,3 +9,11 @@ config_file="/usr/share/pam-configs/cac_unix" sed -i '/pam_unix\.so/s/nullok//g' "$config_file" DEBIAN_FRONTEND=noninteractive pam-auth-update + +# Fallback: remove nullok directly in case pam-auth-update was blocked +# by local modifications to /etc/pam.d/common-* +for pam_file in /etc/pam.d/common-password /etc/pam.d/common-auth \ + /etc/pam.d/common-account /etc/pam.d/common-session \ + /etc/pam.d/common-session-noninteractive; do + [ -f "$pam_file" ] && sed -i '/pam_unix\.so/s/\bnullok\b//g' "$pam_file" +done diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh index 07f50b279d87..9230d8f42549 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/bash/shared.sh @@ -5,14 +5,14 @@ # Ensure all AppArmor Profiles are enforcing apparmor_parser -q -r /etc/apparmor.d/ -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} # Current version of apparmor-utils has issue https://gitlab.com/apparmor/apparmor/-/issues/411 and we're waiting for https://gitlab.com/apparmor/apparmor/-/merge_requests/1218 to be landed on noble find /etc/apparmor.d -maxdepth 1 ! -type d -exec aa-enforce "{}" \; {{% else %}} aa-enforce /etc/apparmor.d/* {{% endif %}} -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} UNCONFINED=$(aa-status | grep "processes are unconfined" | awk '{print $1;}') if [ $UNCONFINED -ne 0 ]; {{% else %}} diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/oval/shared.xml b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/oval/shared.xml new file mode 100644 index 000000000000..571743c13e0a --- /dev/null +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/oval/shared.xml 
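Review bot: The fallback loop rewrites /etc/pam.d/common-* in place, which by itself turns those files into "locally modified" ones from pam-auth-update's point of view, so after it runs every later pam-auth-update invocation on that host (including the `--enable cac_pwhistory` / `--enable cac_unix` calls added elsewhere in this commit) is blocked unless forced. That trade-off deserves a line in the comment, e.g. `# Editing common-* directly marks them as locally modified; later pam-auth-update runs will refuse to manage them.` The `[ -f "$pam_file" ] && sed ...` form returns non-zero for a missing file, which matters only if the script ever runs under `set -e`; `[ -f "$pam_file" ] || continue` on its own line avoids the question.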
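Review bot: In all_apparmor_profiles_enforced/bash/shared.sh the Debian/Ubuntu branch still tests `if [ $UNCONFINED -ne 0 ];` with the count unquoted, so when `aa-status` prints nothing (module not loaded, or the phrase changes) the test becomes `[ -ne 0 ]` and errors out instead of deciding; this commit hardens the identical line in the enforce_complain_mode SCE script with `"${unconfined:-0}"`, and the remediation should match: `if [ "${UNCONFINED:-0}" -ne 0 ];`. The if/else that follows continues past the hunk.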
@@ -0,0 +1,52 @@ + + + {{{ oval_metadata("Ensure all AppArmor profiles are in enforce mode", rule_title=rule_title) }}} + + + + + + + /sys/kernel/security/apparmor/profiles + ^(.*)$ + 1 + + + + /sys/kernel/security/apparmor/profiles + ^.*(\(enforce\))$ + 1 + + + + + + + + + + + + + + + + {{{ rule_id }}}_var_num_all_profiles + + + + + + + + + + + diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh deleted file mode 100644 index 0c6915c6e564..000000000000 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/sce/shared.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash -# platform = multi_platform_debian,multi_platform_sle,multi_platform_ubuntu -# check-import = stdout - -# If apparmor or apparmor-utils are not installed, then this test fails. -{{{ bash_package_installed("apparmor") }}} -if [ $? -ne 0 ]; then - exit ${XCCDF_RESULT_FAIL} -fi - -# if number of apparmor profiles loaded not the same as enforced profiles, then it fails. -loaded_profiles=$(/usr/sbin/aa-status --profiled) -enforced_profiles=$(/usr/sbin/aa-status --enforced) -if [ ${loaded_profiles} -ne ${enforced_profiles} ]; then - exit $XCCDF_RESULT_FAIL -fi - -unconfined=$(/usr/sbin/aa-status | grep "processes are unconfined" | awk '{print $1;}') -if [ $unconfined -ne 0 ]; then - exit $XCCDF_RESULT_FAIL -fi - -exit $XCCDF_RESULT_PASS diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh index 983c18fa5659..35089c214ddc 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/correct_apparmor_profiles_enforced.pass.sh 
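Review bot: The OVAL that replaces the deleted SCE script only compares the number of entries in /sys/kernel/security/apparmor/profiles with the number tagged `(enforce)`; the SCE it replaces also failed when `aa-status` reported unconfined processes, and that condition is no longer checked anywhere in the rule, although the bash remediation in this commit still handles it. If dropping it is intentional the rule text and OCIL should say the check now covers loaded profiles only; if not, a second test is needed, and since OVAL cannot run aa-status that part may have to remain an SCE check. The XML markup is stripped in this view, so only the paths and regular expressions could be reviewed, not the object/state wiring.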
@@ -4,7 +4,7 @@ #Replace apparmor definitions apparmor_parser -q -r /etc/apparmor.d/ #Set all profiles in enforce mode -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} find /etc/apparmor.d -maxdepth 1 ! -type d -exec aa-enforce "{}" \; {{% else %}} aa-enforce /etc/apparmor.d/* diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh index 794486cbfecb..1e3787a96cb1 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_enforced/tests/incorrect_apparmor_profiles_enforced.fail.sh @@ -4,7 +4,7 @@ #Replace apparmor definitions and force profiles into compliant mode apparmor_parser -q -r /etc/apparmor.d/ #Set all profiles in complain mode -{{% if 'ubuntu' in product %}} +{{% if 'ubuntu' in product or 'debian' in product %}} find /etc/apparmor.d -maxdepth 1 ! -type d -exec aa-complain "{}" \; {{% else %}} aa-complain /etc/apparmor.d/* diff --git a/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/sce/shared.sh b/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/sce/shared.sh index af5c2a2d5648..7f855b28571f 100644 --- a/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/sce/shared.sh +++ b/linux_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/sce/shared.sh 
@@ -8,15 +8,15 @@ if [ $? -ne 0 ]; then exit ${XCCDF_RESULT_FAIL} fi -loaded_profiles=$(/usr/sbin/aa-status --profiled) -enforced_profiles=$(/usr/sbin/aa-status --enforced) -complain=$(/usr/sbin/aa-status --complaining) -if [ ${loaded_profiles} -ne $((${enforced_profiles} + ${complain})) ]; then +loaded_profiles=$(/usr/sbin/aa-status --profiled 2>/dev/null | grep -oE '^[0-9]+$') +enforced_profiles=$(/usr/sbin/aa-status --enforced 2>/dev/null | grep -oE '^[0-9]+$') +complain=$(/usr/sbin/aa-status --complaining 2>/dev/null | grep -oE '^[0-9]+$') +if [ "${loaded_profiles:-0}" -ne "$(( ${enforced_profiles:-0} + ${complain:-0} ))" ]; then exit $XCCDF_RESULT_FAIL fi -unconfined=$(/usr/sbin/aa-status | grep "processes are unconfined" | awk '{print $1;}') -if [ $unconfined -ne 0 ]; then +unconfined=$(/usr/sbin/aa-status 2>/dev/null | grep "processes are unconfined" | awk '{print $1;}') +if [ "${unconfined:-0}" -ne 0 ]; then exit $XCCDF_RESULT_FAIL fi diff --git a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml index 7f9bedc1ba60..cb2776276677 100644 --- a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml +++ b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml @@ -59,3 +59,4 @@ template: packagename@ubuntu2204: apparmor packagename@ubuntu2404: apparmor packagename@debian12: apparmor + packagename@debian13: apparmor diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/debian.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/debian.xml new file mode 100644 index 000000000000..1a35e805ebca --- /dev/null +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/debian.xml 
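Review bot: Defaulting the three counts to 0 with `${loaded_profiles:-0}` turns an aa-status failure into a pass: if `aa-status` errors out (its stderr is now discarded) or prints something the `grep -oE '^[0-9]+$'` filter rejects, all three are empty, the comparison becomes `0 -ne 0` and the script falls through to the unconfined test and on to its final exit, which is outside the hunk. The previous unquoted form produced a `[` error and fell through the same way, so this is not a regression, but the new filter makes failing closed easy: `if [ -z "$loaded_profiles" ] || [ -z "$enforced_profiles" ] || [ -z "$complain" ]; then exit $XCCDF_RESULT_FAIL; fi` before the arithmetic comparison. The same consideration applies to `unconfined`, where an empty value now reads as "no unconfined processes".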
@@ -0,0 +1,28 @@ + + + {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.", rule_title=rule_title) }}} + + + + + + + + + + + + {{{ grub2_uefi_boot_path }}}/grub.cfg + ^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$ + 1 + + + + + + + {{{ grub2_uefi_boot_path }}}/grub.cfg + ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ + 1 + + diff --git a/linux_os/guide/system/logging/logging_services_active/oval/shared.xml b/linux_os/guide/system/logging/logging_services_active/oval/shared.xml index ed5653530e3f..8738f59ffb97 100644 --- a/linux_os/guide/system/logging/logging_services_active/oval/shared.xml +++ b/linux_os/guide/system/logging/logging_services_active/oval/shared.xml @@ -11,7 +11,7 @@ - ^(rsyslog|systemd-journald).service$ + ^(rsyslog|syslog-ng|systemd-journald).service$ ActiveState ste_{{{ rule_id }}}_logging_services diff --git a/linux_os/guide/system/logging/logging_services_active/rule.yml b/linux_os/guide/system/logging/logging_services_active/rule.yml index 2ccd6666d100..c3a5c3f8cb4c 100644 --- a/linux_os/guide/system/logging/logging_services_active/rule.yml +++ b/linux_os/guide/system/logging/logging_services_active/rule.yml @@ -5,7 +5,7 @@ title: 'Ensure One Logging Service Is In Use' description: |- Ensure that a logging system is active and in use.
    -    systemctl is-active rsyslog systemd-journald
    +    systemctl is-active rsyslog syslog-ng systemd-journald
         
    The command should return at least one active. diff --git a/linux_os/guide/system/logging/syslogng/group.yml b/linux_os/guide/system/logging/syslogng/group.yml new file mode 100644 index 000000000000..13f0b74090fb --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/group.yml @@ -0,0 +1,11 @@ +documentation_complete: true + +title: 'Configure syslog-ng' + +description: |- + syslog-ng is an enhanced syslog daemon that can be used as a replacement + for rsyslog. It provides advanced log routing, filtering, and forwarding + capabilities, including reliable and encrypted transport of log messages. + This section discusses how to configure syslog-ng for best effect. + +platform: system_with_kernel diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml b/linux_os/guide/system/logging/syslogng/package_syslogng_installed/rule.yml similarity index 100% rename from linux_os/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed/rule.yml rename to linux_os/guide/system/logging/syslogng/package_syslogng_installed/rule.yml diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/service_syslogng_enabled/rule.yml b/linux_os/guide/system/logging/syslogng/service_syslogng_enabled/rule.yml similarity index 100% rename from linux_os/guide/system/logging/rsyslog_accepting_remote_messages/service_syslogng_enabled/rule.yml rename to linux_os/guide/system/logging/syslogng/service_syslogng_enabled/rule.yml diff --git a/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/group.yml b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/group.yml new file mode 100644 index 000000000000..fa63841c4309 --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/group.yml 
@@ -0,0 +1,13 @@ +documentation_complete: true + +title: 'Configure syslog-ng to Accept Remote Messages If Acting as a Log Server' + +description: |- + By default, syslog-ng does not listen over the network + for log messages. If needed, network source drivers (tcp(), + udp(), or network()) can be added to allow + the syslog-ng daemon to receive messages from other systems and for the + system thus to act as a log server. + If the system is not a log server, then such source entries should not + appear in the syslog-ng configuration files. +

    diff --git a/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/bash/shared.sh b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/bash/shared.sh new file mode 100644 index 000000000000..79584a3503d7 --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/bash/shared.sh @@ -0,0 +1,21 @@ +# platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +network_regex='^\s*(tcp|udp|network)\(' + +readarray -t targets < <(grep -l -E -r "${network_regex}" /etc/syslog-ng/ 2>/dev/null) + +config_changed=false +if [ ${#targets[@]} -gt 0 ]; then + for target in "${targets[@]}"; do + sed -E -i "/${network_regex}/ s/^/# /" "$target" + done + config_changed=true +fi + +if $config_changed; then + systemctl restart syslog-ng.service +fi diff --git a/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/oval/shared.xml b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/oval/shared.xml new file mode 100644 index 000000000000..b5704023c51d --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/oval/shared.xml @@ -0,0 +1,49 @@ + + + {{{ oval_metadata("syslog-ng should not accept remote messages unless acting as a log server", rule_title=rule_title) }}} + + + + + + + + + + + + + ^\/etc\/syslog-ng\/(syslog-ng\.conf|conf\.d\/.*\.conf)$ + ^\s*tcp\( + 1 + + + + + + + + ^\/etc\/syslog-ng\/(syslog-ng\.conf|conf\.d\/.*\.conf)$ + ^\s*udp\( + 1 + + + + + + + + ^\/etc\/syslog-ng\/(syslog-ng\.conf|conf\.d\/.*\.conf)$ + ^\s*network\( + 1 + + 
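Review bot: `network_regex='^\s*(tcp|udp|network)\('` cannot tell a source driver from a destination driver — `network()` (and the legacy `tcp()`/`udp()`) are also syslog-ng destination drivers, so a remote-forwarding destination written one driver per line is matched, commented out, and the host quietly stops shipping logs to its collector; the OVAL hunk on this same line uses the identical three patterns and will report such a destination as a finding. The `sed 's/^/# /'` also comments only the line carrying the driver name, so a multi-line `source { network( ... ); };` block is left with dangling arguments and the unconditional `systemctl restart syslog-ng.service` then fails, taking local logging down as well. At minimum gate the restart on a config check, `if $config_changed && syslog-ng --syntax-only; then`, and restore the files from a backup taken before `sed -i` when the check fails; avoiding destinations altogether needs a match scoped to `source` blocks rather than a per-line regex.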
diff --git a/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/rule.yml b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/rule.yml new file mode 100644 index 000000000000..c3e654f2dec7 --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_accepting_remote_messages/syslogng_nolisten/rule.yml @@ -0,0 +1,40 @@ +documentation_complete: true + +title: 'Ensure syslog-ng Does Not Accept Remote Messages Unless Acting As Log Server' + +description: |- + The syslog-ng daemon should not accept remote messages unless the + system acts as a log server. To ensure that it is not listening on the + network, verify that none of the following source driver calls appear + uncommented in syslog-ng configuration files: +
    tcp()
    +    udp()
    +    network()
    + +rationale: |- + Any process which receives messages from the network incurs some risk of + receiving malicious messages. This risk can be eliminated for syslog-ng by + configuring it not to listen on the network. + +severity: medium + +references: + nist: CM-7(a),CM-7(b),CM-6(a) + +ocil_clause: 'syslog-ng accepts remote messages and is not documented as a log aggregation system' + +ocil: |- + Verify that the system is not accepting syslog-ng messages from other systems + unless it is documented as a log aggregation server. + Display the contents of the syslog-ng configuration files: +
    find /etc/syslog-ng -name "*.conf" -exec cat '{}' \;
    + If any source block contains tcp(), udp(), or + network() source drivers, ask to see the documentation for the + system being used for log aggregation. + +fixtext: |- + Edit the syslog-ng configuration files under /etc/syslog-ng/ and + comment out or remove any tcp(), udp(), or + network() driver entries from source blocks. + Restart the service: +
    # systemctl restart syslog-ng.service
    diff --git a/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/bash/shared.sh b/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/bash/shared.sh new file mode 100644 index 000000000000..630558d14ba4 --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/bash/shared.sh @@ -0,0 +1,14 @@ +# platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +# Remove any existing perm() directives to avoid duplicates +sed -i '/^\s*perm(/d' /etc/syslog-ng/syslog-ng.conf +find /etc/syslog-ng/conf.d/ -name "*.conf" -exec sed -i '/^\s*perm(/d' {} \; + +# Add perm(0640) via a drop-in options block +echo 'options { perm(0640); };' > /etc/syslog-ng/conf.d/00-syslogng_filecreatemode.conf + +systemctl restart syslog-ng.service diff --git a/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/oval/shared.xml b/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/oval/shared.xml new file mode 100644 index 000000000000..183025bf73f9 --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/oval/shared.xml @@ -0,0 +1,24 @@ + + + {{{ oval_metadata("perm() setting controls permissions applied to newly created log files by syslog-ng.", rule_title=rule_title) }}} + + + + + + + + + + + + ^/etc/syslog-ng/(syslog-ng\.conf|conf\.d/.*\.conf)$ + perm\(0[0-6][0-4][0-7]\) + 1 + + diff --git a/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/rule.yml b/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/rule.yml new file mode 100644 index 000000000000..c7eac686893b --- /dev/null +++ b/linux_os/guide/system/logging/syslogng/syslogng_filecreatemode/rule.yml 
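Review bot: `sed -i '/^\s*perm(/d'` deletes every line that begins with `perm(`, including a per-destination `perm(0600)` inside a `file()` driver written over several lines, so a stricter per-file mode is removed and that destination falls back to the new global 0640; limit the deletion to the `options { ... }` block, or leave existing `perm()` lines alone when they are already at least as strict. The drop-in `/etc/syslog-ng/conf.d/00-syslogng_filecreatemode.conf` only takes effect if `syslog-ng.conf` includes `conf.d/*.conf`, which is the Debian layout but not guaranteed under `# platform = multi_platform_all`; check for (or add) the include before relying on it. As in the syslogng_nolisten remediation, the final `systemctl restart syslog-ng.service` runs without `syslog-ng --syntax-only` first, so an editing mistake stops logging.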
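Review bot: The pattern `perm\(0[0-6][0-4][0-7]\)` accepts modes more permissive than the 0640 the rule's `ocil_clause` demands: the last class `[0-7]` lets `perm(0644)` or `perm(0647)` pass, i.e. world-readable log files, and the group class `[0-4]` admits `0620`/`0630`, which grant group write. Only modes that are a subset of rw-r----- should satisfy the state, e.g. `perm\(0[0246][04]0\)`. The pattern is also unanchored, so a commented `# perm(0640)` line satisfies it; `^[^#]*perm\(0[0246][04]0\)` excludes comment lines while still matching the single-line `options { perm(0640); };` the remediation writes.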
@@ -0,0 +1,34 @@ +documentation_complete: true + +title: 'Ensure syslog-ng Default File Permissions Configured' + +description: |- + syslog-ng will create logfiles that do not already exist on the system. + The perm() option in the global options block controls + what permissions will be applied to these newly created files. + +rationale: |- + It is important to ensure that log files have the correct permissions + to ensure that sensitive data is archived and protected. + +severity: medium + +references: + nist: CM-6(a) + +ocil_clause: 'perm() is not set or is more permissive than 0640' + +ocil: |- + Run the following command: +
    # grep -r 'perm(' /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/conf.d/
    + Verify the output contains perm(0640) or a more restrictive value + in the global options block. + +fixtext: |- + Edit /etc/syslog-ng/syslog-ng.conf or a dedicated file in + /etc/syslog-ng/conf.d/ and ensure the global options block contains: +
    options {
    +        perm(0640);
    +    };
    + Restart the service: +
    # systemctl restart syslog-ng.service
    diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/bash/shared.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/bash/shared.sh new file mode 100644 index 000000000000..2ddb6d28c5c7 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/bash/shared.sh @@ -0,0 +1,5 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +systemctl unmask ufw.service +systemctl --now enable ufw.service +ufw --force enable diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/oval/shared.xml b/linux_os/guide/system/network/network-ufw/check_ufw_active/oval/shared.xml new file mode 100644 index 000000000000..342e05891405 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/check_ufw_active/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Verify ufw is active", rule_title=rule_title) }}} + + + + + + + + + + + /etc/ufw/ufw.conf + ^ENABLED=yes$ + 1 + + diff --git a/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh b/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh deleted file mode 100644 index 4b7f4b0bd1f1..000000000000 --- a/linux_os/guide/system/network/network-ufw/check_ufw_active/sce/shared.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash -# platform = multi_platform_ubuntu -# check-import = stdout - -result=$XCCDF_RESULT_FAIL - -if ufw status | grep -qw "active"; then - result=${XCCDF_RESULT_PASS} -fi - -exit $result diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh new file mode 100644 index 000000000000..02030a017bf6 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +ufw default deny incoming 
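Review bot: `ufw --force enable` on the last line activates the firewall with its default deny-incoming policy and suppresses the prompt ufw otherwise prints about disrupting existing SSH sessions, so running this remediation over the network before an allow rule exists for the management port cuts the session off. The rule.yml for check_ufw_active is not in this commit, so I cannot see whether it carries the `warnings: - general:` lock-out note the other new ufw rules here have; it should, and the remediation ordering should place this rule after the ones that add allow entries. A `# reboot`/`# strategy`/`# disruption` header like the other new bash remediations in this commit would also let the disruption be flagged as high.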
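Review bot: Replacing the runtime SCE (`ufw status | grep -qw "active"`, deleted on this same line) with a textfilecontent check for `^ENABLED=yes$` in `/etc/ufw/ufw.conf` means a host whose ufw.service is stopped, masked or failed — and therefore has no netfilter rules loaded — still passes as long as the config file says yes. The definition should also assert the service, e.g. a `systemdunitproperty_test` on `ufw.service` with `ActiveState` equal to `active`, ANDed with the file test, the way the sysctl_reapply_after_network OVAL in this commit checks `UnitFileState`. The `oval_metadata` text "Verify ufw is active" describes the runtime property, not the configuration value the test actually reads.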
diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml new file mode 100644 index 000000000000..0de9a6969b80 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Ensure ufw default incoming policy is deny or reject", rule_title=rule_title) }}} + + + + + + + + + + + /etc/default/ufw + ^DEFAULT_INPUT_POLICY="(DROP|REJECT)"$ + 1 + + diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml new file mode 100644 index 000000000000..96ed807d3b6d --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_incoming_rule/rule.yml @@ -0,0 +1,33 @@ +documentation_complete: true + +title: 'Ensure ufw Default Deny Policy for Incoming Connections' + +description: |- + A default deny policy on incoming connections ensures that any unconfigured + inbound network traffic will be rejected. + + Note: Any port or protocol without an explicit allow before the default + deny will be blocked. + +rationale: |- + With a default accept policy the firewall will accept any incoming packet + that is not configured to be denied. It is easier to allow acceptable + usage than to block unacceptable usage. + +severity: medium + +platform: package[ufw] + +ocil_clause: 'the default policy for incoming connections is not set to deny or reject' + +ocil: |- + Run the following command and verify that the default policy for incoming + connections is deny or reject: +
    # ufw status verbose | grep Default:
    + Example output: +
    Default: deny (incoming), ...
    + +warnings: + - general: |- + Changing firewall settings while connected over network can + result in being locked out of the system. diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh new file mode 100644 index 000000000000..7e8b8edb4ff9 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +ufw default deny outgoing diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml new file mode 100644 index 000000000000..73b8e90eb183 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/rule.yml @@ -0,0 +1,33 @@ +documentation_complete: true + +title: 'Ensure ufw Default Deny Policy for Outgoing Connections' + +description: |- + A default deny policy on outgoing connections ensures that only explicitly + allowed outbound network traffic will be permitted. + + Note: Any port or protocol without an explicit allow before the default + deny will be blocked. + +rationale: |- + With a default accept policy the firewall will allow any outgoing packet + that is not configured to be denied. Restricting outgoing traffic reduces + the risk of data exfiltration and limits the impact of a compromised host. + +severity: medium + +platform: package[ufw] + +ocil_clause: 'the default policy for outgoing connections is not set to deny or reject' + +ocil: |- + Run the following command and verify that the default policy for outgoing + connections is deny or reject: +
    # ufw status verbose | grep Default:
    + Example output: +
    Default: ..., deny (outgoing), ...
    + +warnings: + - general: |- + Changing firewall settings while connected over network can + result in being locked out of the system. diff --git a/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/sce/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/sce/shared.sh new file mode 100644 index 000000000000..1fed07ac7cca --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_default_outgoing_rule/sce/shared.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +# platform = multi_platform_ubuntu,multi_platform_debian +# check-import = stdout + +result=$XCCDF_RESULT_FAIL + +ufw_default_line=$(ufw status verbose 2>/dev/null | grep "^Default:") + +if echo "$ufw_default_line" | grep -Eq "(deny|reject|disabled) \(outgoing\)"; then + result=${XCCDF_RESULT_PASS} +fi + +exit $result diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh new file mode 100644 index 000000000000..17330f3df230 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/bash/shared.sh @@ -0,0 +1,3 @@ +# platform = multi_platform_ubuntu,multi_platform_debian + +ufw default deny routed diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml new file mode 100644 index 000000000000..865a40672089 --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/oval/shared.xml @@ -0,0 +1,21 @@ + + + {{{ oval_metadata("Ensure ufw default routed policy is disabled or deny", rule_title=rule_title) }}} + + + + + + + + + + + /etc/default/ufw + ^DEFAULT_FORWARD_POLICY="(DROP|REJECT)"$ + 1 + + 
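Review bot: The `warnings` block copied from the incoming rule mentions only being locked out, but a default deny on outgoing traffic (the `ufw default deny outgoing` remediation in this commit) also blocks DNS resolution, NTP, package updates and remote log forwarding until each is explicitly allowed, which is the more likely operational breakage. Add a second warning such as `Outbound services the system depends on (DNS, NTP, package repositories, remote logging) must be explicitly allowed before this rule is applied.` The `ocil` text asks the reviewer to verify `deny or reject`, while the rule's SCE also accepts `disabled`; the two should agree.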
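Review bot: `grep -Eq "(deny|reject|disabled) \(outgoing\)"` accepts a `disabled (outgoing)` default that the rule's `ocil_clause` (deny or reject) does not, so the check is looser than the documented requirement; drop `disabled` from the alternation unless the rule text is widened. This SCE reads the live `ufw status verbose` output, whereas the sibling ufw_default_incoming_rule OVAL earlier in this commit reads `DEFAULT_INPUT_POLICY` from `/etc/default/ufw`, so the two rules disagree about an inactive firewall: here no `Default:` line is printed and the result stays FAIL, there the config value passes. The fail-closed behaviour of this script is the one worth keeping if the two are aligned.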
diff --git a/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml new file mode 100644 index 000000000000..64b47612ec1e --- /dev/null +++ b/linux_os/guide/system/network/network-ufw/ufw_disabled_routed/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + +title: 'Ensure ufw Default Policy for Routed (Forwarded) Traffic is Disabled' + +description: |- + The default policy for routed (forwarded) traffic in ufw should be set to + disabled or deny, ensuring that the system does not forward packets between + interfaces unless explicitly configured to do so. + +rationale: |- + Unless the system is intended to act as a router, forwarding traffic between + network interfaces should be disabled. Disabling the routed default policy + prevents the system from accidentally or maliciously forwarding traffic. + +severity: medium + +platform: package[ufw] + +ocil_clause: 'the default policy for routed traffic is not set to disabled or deny' + +ocil: |- + Run the following command and verify that the default policy for routed + traffic is disabled or deny: +
    # ufw status verbose | grep Default:
    + Example output: +
    Default: ..., disabled (routed)
    + +warnings: + - general: |- + Changing firewall settings while connected over network can + result in being locked out of the system. diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml index 1be0bd45ad28..192383d53e40 100644 --- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml @@ -57,10 +57,12 @@ template: excluded_files@slmicro5: ['*[bw]tmp', '*lastlog'] excluded_files@slmicro6: ['*[bw]tmp', '*lastlog'] excluded_files@ubuntu2204: ['history.log*', 'eipp.log.xz*', '[bw]tmp', '[bw]tmp.*', '[bw]tmp-*', 'lastlog', 'lastlog.*'] + excluded_files@debian13: ['history.log*', 'eipp.log.xz*', '[bw]tmp', '[bw]tmp.*', '[bw]tmp-*', 'lastlog', 'lastlog.*'] excluded_files@ubuntu2404: ['history.log*', 'eipp.log.xz*', '[bw]tmp', '[bw]tmp.*', '[bw]tmp-*', 'lastlog', 'lastlog.*', 'cloud-init.log*', 'localmessages*', 'waagent.log*'] file_regex: '.*' filemode: '0640' filepath: /var/log/ + recursive@debian13: 'true' recursive@sle12: 'true' recursive@sle15: 'true' recursive@sle16: 'true' diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml index db4e868bc414..68efa233a2dc 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_groupowner_var_log_messages/rule.yml 
@@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify Group Who Owns /var/log/messages File' -{{%- if product in ['ubuntu2404'] %}} +{{%- if product in ['ubuntu2404'] or 'debian' in product %}} description: '{{{ describe_file_group_owner(file="/var/log/messages", group="adm|root") }}}' {{%- else %}} description: '{{{ describe_file_group_owner(file="/var/log/messages", group="root") }}}' @@ -23,7 +23,7 @@ references: srg: SRG-OS-000206-GPOS-00084 stigid@ol8: OL08-00-010230 -{{%- if product in ['ubuntu2404'] %}} +{{%- if product in ['ubuntu2404'] or 'debian' in product %}} ocil_clause: '{{{ ocil_clause_file_group_owner(file="/var/log/messages", group="adm|root") }}}' ocil: |- diff --git a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml index 1eee00ea1d2e..845a23865cfe 100644 --- a/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_var_log_dir/file_permissions_var_log_messages/rule.yml @@ -2,7 +2,7 @@ documentation_complete: true title: 'Verify Permissions on /var/log/messages File' -{{% if product in ['ubuntu2404','ol9','ol8'] %}} +{{% if product in ['ubuntu2404','ol9','ol8'] or 'debian' in product %}} {{% set target_perms_octal="0640" %}} {{% set target_perms="-rw-r-----" %}} {{% else %}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/bash/shared.sh new file mode 100644 index 000000000000..6964b1a5d77e --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/bash/shared.sh 
@@ -0,0 +1,9 @@ +# platform = multi_platform_all +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +[ -f /etc/sysctl.conf ] || install -m 0644 /dev/null /etc/sysctl.conf +ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf +systemctl restart systemd-sysctl.service diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/oval/shared.xml new file mode 100644 index 000000000000..0852c36aa01c --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/oval/shared.xml @@ -0,0 +1,24 @@ + + + {{{ oval_metadata("/etc/sysctl.d/99-sysctl.conf must be a symlink to /etc/sysctl.conf so that systemd-sysctl loads it at boot.", rule_title=rule_title) }}} + + + + + + + + + + + + /etc/sysctl.d/99-sysctl.conf + + + + symbolic link + + diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/rule.yml new file mode 100644 index 000000000000..bfebe5fd8056 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_conf_symlink_etc_sysctl_d/rule.yml 
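Review bot: `ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf` unconditionally replaces whatever is at that path, so an administrator's regular file of sysctl settings stored there is destroyed without a backup. Guard it: `if [ -e /etc/sysctl.d/99-sysctl.conf ] && [ ! -L /etc/sysctl.d/99-sysctl.conf ]; then mv /etc/sysctl.d/99-sysctl.conf /etc/sysctl.d/99-sysctl.conf.bak; fi` before the `ln` (or merge its contents into /etc/sysctl.conf; `sysctl --system` ignores the `.bak` name). `/etc/sysctl.d/` is also assumed to exist; `install -d /etc/sysctl.d` keeps the script from failing on a minimal image, and with `# platform = multi_platform_all` declared, a comment on why the procps symlink layout is expected on every platform would help the next reader.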
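Review bot: The visible state only asserts that `/etc/sysctl.d/99-sysctl.conf` is a `symbolic link`; nothing in the hunk compares the link target with `/etc/sysctl.conf`, although the rule's `ocil_clause` is "is not a symlink to /etc/sysctl.conf" (the rendered XML has lost its tags, so a hidden target check cannot be ruled out — please confirm). As written, a dangling link or a link to some other file passes; where the OVAL version allows it, a `symlink_object`/`symlink_state` on `canonical_path`, or an additional test that the path resolves to the expected file, closes the gap.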
@@ -0,0 +1,40 @@ +documentation_complete: true + +title: 'Ensure /etc/sysctl.d/99-sysctl.conf Is a Symlink to /etc/sysctl.conf' + +description: |- + The file /etc/sysctl.d/99-sysctl.conf must be a symbolic link + pointing to /etc/sysctl.conf. This symlink is normally created by + the procps package and ensures that systemd-sysctl + processes /etc/sysctl.conf with the correct priority during boot. + Without it, kernel parameter settings written to /etc/sysctl.conf + are silently ignored by systemd-sysctl and do not persist across + reboots. + +rationale: |- + When /etc/sysctl.d/99-sysctl.conf is absent or is not a symlink to + /etc/sysctl.conf, systemd-sysctl does not load + /etc/sysctl.conf during boot. As a result, any kernel parameters + configured in that file — including security hardening settings — are not + applied at startup, undermining system hardening. + +severity: medium + +platform: machine + +references: + nist: CM-6(a) + +ocil_clause: '/etc/sysctl.d/99-sysctl.conf does not exist or is not a symlink to /etc/sysctl.conf' + +ocil: |- + Verify that /etc/sysctl.d/99-sysctl.conf is a symbolic link + pointing to /etc/sysctl.conf: +
    $ ls -l /etc/sysctl.d/99-sysctl.conf
    + The output should show a symlink pointing to /etc/sysctl.conf. + +fixtext: |- + Create the symbolic link: +
    # ln -sf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
    + Apply the settings immediately: +
    # systemctl restart systemd-sysctl.service
    diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml new file mode 100644 index 000000000000..8a9a50f70d4c --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +title: 'Enable kernel.apparmor_restrict_unprivileged_unconfined' + +description: '{{{ describe_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}}' + +rationale: |- + Restricting unprivileged unconfined processes with AppArmor reduces the + attack surface available to local users and helps enforce additional + kernel-level hardening. + +severity: medium + +{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.apparmor_restrict_unprivileged_unconfined", value="1") }}} + +fixtext: |- + Configure {{{ full_name }}} to enable AppArmor restrictions for + unprivileged unconfined processes. + {{{ fixtext_sysctl("kernel.apparmor_restrict_unprivileged_unconfined", "1") | indent(4) }}} + +platform: system_with_kernel + +template: + name: sysctl + vars: + sysctlvar: kernel.apparmor_restrict_unprivileged_unconfined + datatype: int diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var new file mode 100644 index 000000000000..bc933c4a36d9 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_apparmor_restrict_unprivileged_unconfined_value.var 
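Review bot: `platform: system_with_kernel` makes this rule applicable to every Linux product, but `kernel.apparmor_restrict_unprivileged_unconfined` is, as far as I know, only present on kernels carrying the Ubuntu/Debian AppArmor patches; on a kernel without the key the `sysctl` template reports a failure rather than not-applicable, so either say so in the description or narrow the platform (e.g. `package[apparmor]`). The rationale ("reduces the attack surface ... kernel-level hardening") does not say what the knob controls; my understanding of the Ubuntu documentation is that it stops unconfined, unprivileged processes from changing their AppArmor profile, and a sentence to that effect, confirmed against the kernel docs, would make the rule self-explanatory. A `references:` block is also missing, unlike the other new rules in this commit.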
@@ -0,0 +1,17 @@ +documentation_complete: true + +title: kernel.apparmor_restrict_unprivileged_unconfined + +description: |- + Prevent unprivileged and unconfined processes. + +type: number + +operator: equals + +interactive: false + +options: + default: 1 + 1: "1" + 2: "2" diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/bash/shared.sh new file mode 100644 index 000000000000..c5853b07e720 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/bash/shared.sh @@ -0,0 +1,32 @@ +# platform = multi_platform_debian +# reboot = false +# strategy = configure +# complexity = low +# disruption = low + +SERVICE_FILE="/etc/systemd/system/sysctl-reapply-network.service" + +cat > "${SERVICE_FILE}" << 'EOF' +[Unit] +Description=Re-apply sysctl hardening after network interfaces come up +After=networking.service systemd-networkd.service +DefaultDependencies=no + +[Service] +Type=oneshot +ExecStart=/sbin/sysctl --system +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +EOF + +chown root:root "${SERVICE_FILE}" +chmod 0644 "${SERVICE_FILE}" + +systemctl daemon-reload +systemctl enable sysctl-reapply-network.service + +if [[ $(systemctl is-system-running) != "offline" ]]; then + systemctl start sysctl-reapply-network.service +fi diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/oval/shared.xml new file mode 100644 index 000000000000..7853ffdb8796 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/oval/shared.xml 
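Review bot: The `options` block offers `2: "2"`, yet the rule, its `ocil` and the remediation are fixed at `value="1"` and never mention a value of 2; if the sysctl is a 0/1 switch, as I believe it is, the option is meaningless, and if not, what 2 does needs documenting — drop it or explain it. The `description` "Prevent unprivileged and unconfined processes." is a fragment that does not say what is prevented; something like `Restrict unprivileged, unconfined processes from changing their AppArmor profile (1 = enabled).` reads as a complete statement, once confirmed against the kernel documentation.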
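Review bot: The unit written by the heredoc sets `DefaultDependencies=no` but does not add the `Conflicts=shutdown.target` and `Before=shutdown.target` that systemd.unit(5) expects such units to declare themselves, and it has no `After=sysinit.target`, so the oneshot may run during shutdown or, on a system where neither listed service exists, before `systemd-sysctl.service` itself. `After=networking.service systemd-networkd.service` also omits `NetworkManager.service`, common on Debian desktops, and `After=` is ordering only, so on such systems the re-apply can run before the interfaces are up and the stated goal is missed; `After=networking.service systemd-networkd.service NetworkManager.service network.target` covers the usual stacks. Interfaces hot-plugged after boot still reset their per-interface keys, which the rationale should acknowledge; the same unit text is duplicated in the rule.yml description, so any fix must be made in both places.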
@@ -0,0 +1,37 @@ + + + {{{ oval_metadata("Ensure sysctl-reapply-network.service exists and is enabled.", rule_title=rule_title) }}} + + + + + + + + + + + + /etc/systemd/system/sysctl-reapply-network.service + + + + + + + + + sysctl-reapply-network.service + UnitFileState + + + + enabled + + diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/rule.yml new file mode 100644 index 000000000000..466bf7fcea48 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_reapply_after_network/rule.yml @@ -0,0 +1,47 @@ +documentation_complete: true + +title: 'Ensure sysctl network settings are re-applied after network interfaces come up' + +description: |- + On Debian systems, the kernel resets certain network sysctl values when a + network interface is brought up, overriding hardened settings applied at + early boot by systemd-sysctl.service. +

    + Create a systemd oneshot service + /etc/systemd/system/sysctl-reapply-network.service: +
    [Unit]
    +    Description=Re-apply sysctl hardening after network interfaces come up
    +    After=networking.service systemd-networkd.service
    +    DefaultDependencies=no
    +
    +    [Service]
    +    Type=oneshot
    +    ExecStart=/sbin/sysctl --system
    +    RemainAfterExit=yes
    +
    +    [Install]
    +    WantedBy=multi-user.target
    + Then reload the systemd daemon and enable the service: +
    $ sudo systemctl daemon-reload
    +    $ sudo systemctl enable sysctl-reapply-network.service
    + +rationale: |- + When a network interface is initialized, the Linux kernel may reset interface-level + and global sysctl values to their defaults. Running sysctl --system after + network interfaces are up ensures the hardened values from /etc/sysctl.conf + and /etc/sysctl.d/ are the final values in effect at runtime. +

    + Using DefaultDependencies=no prevents the ordering cycle that would arise + from modifying systemd-sysctl.service itself to depend on + network-online.target. + +severity: medium + +platform: machine + +ocil_clause: 'the sysctl-reapply-network service does not exist or is not enabled' + +ocil: |- + Verify that the sysctl-reapply-network.service unit is enabled: +
    $ systemctl is-enabled sysctl-reapply-network.service
    + The output should be enabled. diff --git a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml index 2e453c22b4f8..2654ff448e53 100644 --- a/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml +++ b/linux_os/guide/system/software/gnome/package_gdm_removed/rule.yml @@ -4,7 +4,7 @@ documentation_complete: true title: 'Remove the GDM Package Group' description: |- - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}} By removing the gdm package, the system no longer has GNOME installed. {{% else %}} By removing the gdm3 package, the system no longer has GNOME installed. @@ -12,7 +12,7 @@ description: |- If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command: - {{% if 'ubuntu' not in product %}} + {{% if 'ubuntu' not in product and 'debian' not in product %}}
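Review bot: `platform: machine` makes the rule applicable wherever it is selected, but the only remediation in this commit is headed `# platform = multi_platform_debian` and the description opens with "On Debian systems", so on any other product a profile selecting this rule gets a check with no fix. Either document the Debian scope in the rule and narrow it accordingly, or widen the bash header if the unit is meant to be generic. The `ocil` only checks `systemctl is-enabled`; adding `$ systemctl is-active sysctl-reapply-network.service` would catch a unit that is enabled but failed at boot, which is what "re-applied" in the title actually requires.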
    $ sudo yum remove gdm
    {{% else %}}
    $ sudo apt remove gdm3
    @@ -38,7 +38,7 @@ references: nist: CM-7(a),CM-7(b),CM-6(a) srg: SRG-OS-000480-GPOS-00227 -{{% if 'ubuntu' not in product %}} +{{% if 'ubuntu' not in product and 'debian' not in product %}} ocil_clause: 'gdm has not been removed' ocil: |- @@ -66,5 +66,6 @@ template: name: package_removed vars: pkgname: gdm + pkgname@debian13: gdm3 pkgname@ubuntu2204: gdm3 pkgname@ubuntu2404: gdm3 diff --git a/product_properties/10-grub.yml b/product_properties/10-grub.yml index b2c17c23356b..af833fc6982d 100644 --- a/product_properties/10-grub.yml +++ b/product_properties/10-grub.yml @@ -21,6 +21,9 @@ overrides: {{% if "debian-like" in families %}} grub2_boot_path: "/boot/grub" grub_helper_executable: "update-grub" +{{% if "ubuntu" not in families %}} + grub2_uefi_boot_path: "/boot/grub" +{{% endif %}} {{% endif %}} {{% if "ubuntu" in families %}} {{% if major_version_ordinal <= 1804 %}} diff --git a/products/debian12/profiles/cis_level1_server_ulpgc.profile b/products/debian12/profiles/cis_level1_server_ulpgc.profile new file mode 100644 index 000000000000..5e207f20ee88 --- /dev/null +++ b/products/debian12/profiles/cis_level1_server_ulpgc.profile @@ -0,0 +1,15 @@ +documentation_complete: true + +title: 'CIS Debian 12 Benchmark Level 1 Server - Adaptado ULPGC' + +description: |- + Este perfil contiene la configuración de seguridad para el nivel 1 de CIS + adaptada para los servidores de la ULPGC, excluyendo la monitorización de AIDE. + +extends: cis_level1_server + +selections: + # El símbolo '!' le dice al compilador: "De todo lo que heredes, quita estas reglas" + - '!package_aide_installed' + - '!aide_build_database' + - '!aide_periodic_checking_systemd_timer' diff --git a/products/debian13/product.yml b/products/debian13/product.yml index 26258a81b9ff..115c0f8478fa 100644 --- a/products/debian13/product.yml +++ b/products/debian13/product.yml 
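Review bot: `products/debian12/profiles/cis_level1_server_ulpgc.profile` is an organisation-specific (ULPGC) derivative committed into the shared Debian 12 product; its `description` and the inline selection comment are in Spanish while every other file touched here is English, and it is unrelated to the Debian 13 work in the rest of the commit. If it is meant to ship upstream, the description should state in English what the three `'!aide_*'` exclusions trade away — file-integrity monitoring removed from a CIS Level 1 baseline — and what compensating control the site relies on, so downstream users do not mistake it for a generic hardened profile. Otherwise it belongs in a local overlay rather than this tree.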
@@ -10,13 +10,16 @@ major_version_ordinal: 13 benchmark_id: DEBIAN-13 benchmark_root: "../../linux_os/guide" - components_root: "../../components" + profiles_root: "./profiles" pkg_manager: "apt_get" + init_system: "systemd" +sysctl_remediate_drop_in_file: "false" + oval_feed_url: "https://www.debian.org/security/oval/oval-definitions-trixie.xml.bz2" chrony_conf_path: "/etc/chrony/chrony.conf" @@ -30,9 +33,6 @@ cpes: title: "Debian Linux 13" check_id: installed_OS_is_debian13 -reference_uris: - cis: 'https://www.cisecurity.org/cis-benchmarks/' - # Mapping of CPE platform to package platform_package_overrides: gdm: gdm3 @@ -44,3 +44,5 @@ platform_package_overrides: sssd: sssd-common audit: auditd +reference_uris: + cis: 'https://www.cisecurity.org/benchmark/debian_linux/' diff --git a/products/debian13/profiles/anssi_bp28_enhanced.profile b/products/debian13/profiles/anssi_bp28_enhanced.profile deleted file mode 100644 index 67fdd5cfbc33..000000000000 --- a/products/debian13/profiles/anssi_bp28_enhanced.profile +++ /dev/null 
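Review bot: `sysctl_remediate_drop_in_file: "false"` is a quoted string, so any template guard written as `{{% if sysctl_remediate_drop_in_file %}}` evaluates truthy and would switch drop-in remediation on instead of off; the value is only safe if every consumer compares against the literal string. I cannot see the consuming templates or the other product.yml files here, so please verify which form they expect and either use a bare `false` or document the convention inline: `# string on purpose: templates compare == "true"/"false"`. The relocation of reference_uris to the end of the file in the later hunks of this section is cosmetic.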
@@ -1,83 +0,0 @@ ---- -documentation_complete: true - -title: 'ANSSI-BP-028 (enhanced)' - -description: |- - This profile contains configurations that align to ANSSI-BP-028 v2.0 at the enhanced hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. - ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. - - A copy of the ANSSI-BP-028 can be found at the ANSSI website: - https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - -selections: - - anssi:all:enhanced - - 'package_rsyslog_installed' - - 'service_rsyslog_enabled' - # PASS_MIN_LEN is handled by PAM on debian systems. - - '!accounts_password_minlen_login_defs' - # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default - - 'package_pam_pwquality_installed' - # PAM honour login.defs file for algorithm - - 'set_password_hashing_algorithm_logindefs' - # Debian uses apparmor - - '!selinux_state' - - '!audit_rules_mac_modification' - - '!selinux_policytype' - - '!sebool_selinuxuser_execheap' - - '!sebool_deny_execmem' - - '!sebool_selinuxuser_execstack' - - '!sebool_secure_mode_insmod' - - '!sebool_ssh_sysadm_login' - - # this rule is incompatible with R38 - - '!file_groupownership_system_commands_dirs' - - # The following are MLS related rules (not part of ANSSI-BP-028) - - '!accounts_polyinstantiated_tmp' - - '!accounts_polyinstantiated_var_tmp' - - '!enable_pam_namespace' - # there is no tmp.mount unit on Debian 12. - - '!systemd_tmp_mount_enabled' - # this rule cannot handle /etc/chrony/chrony.conf path properly. - # chronyd_specify_remote_server still report wether chrony is configured. 
- - '!chronyd_configure_pool_and_server' - - # Following rules aren't compatible with Debian 13 - - '!accounts_passwords_pam_tally2_deny_root' - - '!ensure_redhat_gpgkey_installed' - - '!package_sequoia-sq_installed' - - '!set_password_hashing_algorithm_systemauth' - - '!package_dnf-automatic_installed' - - '!dnf-automatic_security_updates_only' - - '!cracklib_accounts_password_pam_lcredit' - - '!dnf-automatic_apply_updates' - - '!cracklib_accounts_password_pam_ocredit' - - '!accounts_password_pam_unix_rounds_system_auth' - - '!timer_dnf-automatic_enabled' - - '!accounts_passwords_pam_tally2' - - '!cracklib_accounts_password_pam_ucredit' - - '!file_permissions_unauthorized_sgid' - - '!ensure_gpgcheck_local_packages' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!enable_authselect' - - '!cracklib_accounts_password_pam_minlen' - - '!cracklib_accounts_password_pam_dcredit' - - '!ensure_gpgcheck_globally_activated' - - '!file_permissions_unauthorized_suid' - - '!ensure_gpgcheck_never_disabled' - - '!ensure_oracle_gpgkey_installed' - - '!ensure_almalinux_gpgkey_installed' - - '!package_dracut-fips-aesni_installed' - - '!audit_rules_file_deletion_events_renameat2' - - '!audit_rules_dac_modification_fchmodat2' - - '!ldap_client_start_tls' - - '!ldap_client_tls_cacertpath' - - # The following rule is not applicable to Debian 13 - - '!logind_session_timeout' - - '!audit_rules_mac_modification_etc_selinux' - - '!no_nis_in_nsswitch' - - '!service_chronyd_enabled' diff --git a/products/debian13/profiles/anssi_bp28_high.profile b/products/debian13/profiles/anssi_bp28_high.profile deleted file mode 100644 index d5aae9cf346f..000000000000 --- a/products/debian13/profiles/anssi_bp28_high.profile +++ /dev/null 
@@ -1,76 +0,0 @@ -documentation_complete: true - -title: 'ANSSI-BP-028 (high)' - -description: |- - This profile contains configurations that align to ANSSI-BP-028 v2.0 at the high hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. - ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. - - A copy of the ANSSI-BP-028 can be found at the ANSSI website: - https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - -selections: - - anssi:all:high - - package_rsyslog_installed - - service_rsyslog_enabled - # PASS_MIN_LEN is handled by PAM on debian systems. - - '!accounts_password_minlen_login_defs' - # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default - - 'package_pam_pwquality_installed' - # PAM honour login.defs file for algorithm - - 'set_password_hashing_algorithm_logindefs' - # Debian uses apparmor - - '!selinux_state' - - '!audit_rules_mac_modification' - - '!selinux_policytype' - - '!sebool_selinuxuser_execheap' - - '!sebool_deny_execmem' - - '!sebool_selinuxuser_execstack' - - '!sebool_secure_mode_insmod' - - '!sebool_ssh_sysadm_login' - - # The following are MLS related rules (not part of ANSSI-BP-028) - - '!accounts_polyinstantiated_tmp' - - '!accounts_polyinstantiated_var_tmp' - - '!enable_pam_namespace' - # there is no tmp.mount unit on Debian 12. - - '!systemd_tmp_mount_enabled' - # this rule cannot handle /etc/chrony/chrony.conf path properly. - # chronyd_specify_remote_server still reports whether chrony is configured. 
- - '!chronyd_configure_pool_and_server' - - # Following rules aren't compatible with Debian 13 - - '!accounts_passwords_pam_tally2_deny_root' - - '!ensure_redhat_gpgkey_installed' - - '!package_sequoia-sq_installed' - - '!set_password_hashing_algorithm_systemauth' - - '!package_dnf-automatic_installed' - - '!dnf-automatic_security_updates_only' - - '!cracklib_accounts_password_pam_lcredit' - - '!dnf-automatic_apply_updates' - - '!cracklib_accounts_password_pam_ocredit' - - '!accounts_password_pam_unix_rounds_system_auth' - - '!timer_dnf-automatic_enabled' - - '!accounts_passwords_pam_tally2' - - '!cracklib_accounts_password_pam_ucredit' - - '!file_permissions_unauthorized_sgid' - - '!ensure_gpgcheck_local_packages' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!enable_authselect' - - '!cracklib_accounts_password_pam_minlen' - - '!cracklib_accounts_password_pam_dcredit' - - '!ensure_gpgcheck_globally_activated' - - '!file_permissions_unauthorized_suid' - - '!ensure_gpgcheck_never_disabled' - - '!ensure_oracle_gpgkey_installed' - - '!ensure_almalinux_gpgkey_installed' - - '!package_dracut-fips-aesni_installed' - - '!audit_rules_file_deletion_events_renameat2' - - '!audit_rules_dac_modification_fchmodat2' - - '!ldap_client_tls_cacertpath' - - '!ldap_client_start_tls' - - '!service_chronyd_enabled' - - '!audit_rules_mac_modification_etc_selinux' - - '!no_nis_in_nsswitch' diff --git a/products/debian13/profiles/anssi_bp28_intermediary.profile b/products/debian13/profiles/anssi_bp28_intermediary.profile deleted file mode 100644 index b1c9bf586cbf..000000000000 --- a/products/debian13/profiles/anssi_bp28_intermediary.profile +++ /dev/null 
@@ -1,64 +0,0 @@ -documentation_complete: true - -title: 'ANSSI-BP-028 (intermediary)' - -description: |- - This profile contains configurations that align to ANSSI-BP-028 v2.0 at the intermediary hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. - ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. - - A copy of the ANSSI-BP-028 can be found at the ANSSI website: - https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - -# selinux_state: not applicable -# postfix_client_configure_mail_alias: not applicable. should be exim -# grub2_l1tf_argument debian kernels are not vulnerable, but switching from -# conditional cache flush to force mode prevent protection disabling. - -selections: - - anssi:all:intermediary - # PASS_MIN_LEN is handled by PAM on debian systems. - - '!accounts_password_minlen_login_defs' - # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default - - 'package_pam_pwquality_installed' - # PAM honour login.defs file for algorithm - - 'set_password_hashing_algorithm_logindefs' - # Debian uses apparmor - - '!selinux_state' - # The following are MLS related rules (not part of ANSSI-BP-028) - - '!accounts_polyinstantiated_tmp' - - '!accounts_polyinstantiated_var_tmp' - - '!enable_pam_namespace' - - # Following rules aren't compatible with Debian 13 - - '!accounts_passwords_pam_tally2_deny_root' - - '!ensure_redhat_gpgkey_installed' - - '!package_sequoia-sq_installed' - - '!set_password_hashing_algorithm_systemauth' - - '!package_dnf-automatic_installed' - - '!dnf-automatic_security_updates_only' - - '!cracklib_accounts_password_pam_lcredit' - - '!dnf-automatic_apply_updates' - - '!cracklib_accounts_password_pam_ocredit' - - '!accounts_password_pam_unix_rounds_system_auth' - - '!timer_dnf-automatic_enabled' - - '!accounts_passwords_pam_tally2' - - 
'!cracklib_accounts_password_pam_ucredit' - - '!file_permissions_unauthorized_sgid' - - '!ensure_gpgcheck_local_packages' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!enable_authselect' - - '!cracklib_accounts_password_pam_minlen' - - '!cracklib_accounts_password_pam_dcredit' - - '!ensure_gpgcheck_globally_activated' - - '!file_permissions_unauthorized_suid' - - '!ensure_gpgcheck_never_disabled' - - '!ensure_oracle_gpgkey_installed' - - '!ensure_almalinux_gpgkey_installed' - - # The following rule is not applicable to Debian 13 - - '!logind_session_timeout' - - '!ldap_client_tls_cacertpath' - - '!ldap_client_start_tls' - - '!no_nis_in_nsswitch' diff --git a/products/debian13/profiles/anssi_bp28_minimal.profile b/products/debian13/profiles/anssi_bp28_minimal.profile deleted file mode 100644 index 1fa965edd67d..000000000000 --- a/products/debian13/profiles/anssi_bp28_minimal.profile +++ /dev/null 
@@ -1,47 +0,0 @@ -documentation_complete: true - -title: 'ANSSI-BP-028 (minimal)' - -description: |- - This profile contains configurations that align to ANSSI-BP-028 v2.0 at the minimal hardening level. - - ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. - ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. - - A copy of the ANSSI-BP-028 can be found at the ANSSI website: - https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ - -selections: - - anssi:all:minimal - # PASS_MIN_LEN is handled by PAM on debian systems. - - '!accounts_password_minlen_login_defs' - # ANSSI BP 28 suggest using libpam_pwquality, which isn't deployed by default - - 'package_pam_pwquality_installed' - # PAM honour login.defs file for algorithm - - 'set_password_hashing_algorithm_logindefs' - - # Following rules aren't compatible with Debian 13 - - '!accounts_passwords_pam_tally2_deny_root' - - '!ensure_redhat_gpgkey_installed' - - '!package_sequoia-sq_installed' - - '!set_password_hashing_algorithm_systemauth' - - '!package_dnf-automatic_installed' - - '!dnf-automatic_security_updates_only' - - '!cracklib_accounts_password_pam_lcredit' - - '!dnf-automatic_apply_updates' - - '!cracklib_accounts_password_pam_ocredit' - - '!accounts_password_pam_unix_rounds_system_auth' - - '!timer_dnf-automatic_enabled' - - '!accounts_passwords_pam_tally2' - - '!cracklib_accounts_password_pam_ucredit' - - '!file_permissions_unauthorized_sgid' - - '!ensure_gpgcheck_local_packages' - - '!accounts_passwords_pam_tally2_unlock_time' - - '!enable_authselect' - - '!cracklib_accounts_password_pam_minlen' - - '!cracklib_accounts_password_pam_dcredit' - - '!ensure_gpgcheck_globally_activated' - - '!file_permissions_unauthorized_suid' - - '!ensure_gpgcheck_never_disabled' - - '!ensure_oracle_gpgkey_installed' - - '!ensure_almalinux_gpgkey_installed' 
diff --git a/products/debian13/profiles/cis_level1_server_ulpgc.profile b/products/debian13/profiles/cis_level1_server_ulpgc.profile
new file mode 100644
index 000000000000..2007007d2479
--- /dev/null
+++ b/products/debian13/profiles/cis_level1_server_ulpgc.profile
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'CIS Debian 13 Benchmark Level 1 Server - Adaptado ULPGC'
+
+description: |-
+ Este perfil contiene la configuración de seguridad para el nivel 1 de CIS
+ adaptada para los servidores de la ULPGC, excluyendo la monitorización de AIDE.
+
+# Copiamos la base del perfil CIS oficial
+extends: cis_level1_server
+
+selections:
+ # El símbolo '!' le dice al compilador: "De todo lo que heredes, quita estas reglas"
+ - sysctl_conf_symlink_etc_sysctl_d
+ - '!package_aide_installed'
+ - '!aide_build_database'
+ - '!aide_periodic_checking_systemd_timer'
+ # Sincronización horaria: usar chrony. Las reglas de systemd-timesyncd quedan
+ # automáticamente inaplicables gracias a los guards de var_timesync_service.
+ - var_timesync_service=chronyd
+ - var_multiple_time_servers=ulpgc
+ - var_multiple_time_pools=ulpgc
+ # 6.1.1 (journald standalone) y 6.1.2 (syslog daemon) son excluyentes. El perfil ULPGC
+ # usa syslog-ng (6.1.2), por lo que se excluyen las reglas de la ruta journald-solo.
+ - '!journald_disable_forward_to_syslog'
+ - '!package_systemd-journal-remote_installed'
+ - '!service_systemd-journal-upload_enabled'
+ - '!socket_systemd-journal-remote_disabled'
+ # 6.1.2: sustituir rsyslog por syslog-ng
+ - '!package_rsyslog_installed'
+ - '!service_rsyslog_enabled'
+ - '!rsyslog_filecreatemode'
+ - '!rsyslog_nolisten'
+ - package_syslogng_installed
+ - service_syslogng_enabled
+ - syslogng_filecreatemode
+ - syslogng_nolisten
+ # 5.1.4: remediación específica ULPGC — configurar AllowGroups
+ - sshd_set_allow_groups
+ - var_sshd_allow_groups=users
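Review bot: `var_sshd_allow_groups=users` makes `sshd_set_allow_groups` remediate to `AllowGroups users`, and on Debian `users` is the catch-all group that many provisioning paths add every local account to, so the restriction is nominal unless the site guarantees that only intended accounts are members; a dedicated group such as `ssh-users` is the usual way to make 5.1.4 an actual allow-list. The three value selections `=ulpgc` and `=users` also require those option names to exist in the corresponding .var files, which are not in this diff, so the build will tell you if they are missing. As with the debian12 variant, the profile removes all AIDE rules without selecting a replacement integrity control, and disabling `journald_disable_forward_to_syslog` together with the journal-remote rules means log forwarding integrity now rests entirely on the syslog-ng rules selected below it. The extended profile cis_level1_server is outside this diff.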
diff --git a/products/debian13/profiles/cis_level1_workstation.profile b/products/debian13/profiles/cis_level1_workstation.profile new file mode 100644 index 000000000000..cfc331a42355 --- /dev/null +++ b/products/debian13/profiles/cis_level1_workstation.profile @@ -0,0 +1,19 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + +reference: https://www.cisecurity.org/benchmark/debian_linux + +title: 'CIS Debian Benchmark for Level 1 - Workstation' + +description: |- + This profile defines a baseline that aligns to the "Level 1 - Workstation" + configuration from the Center for Internet Security® + Debian 13 Benchmark™, v1.0.0, released 2025-12-16. + + This profile includes Center for Internet Security® + Debian 13 Benchmark™ content. + +selections: + - cis_debian13:all:l1_workstation diff --git a/products/debian13/profiles/cis_level2_server.profile b/products/debian13/profiles/cis_level2_server.profile new file mode 100644 index 000000000000..f17e167a39e2 --- /dev/null +++ b/products/debian13/profiles/cis_level2_server.profile @@ -0,0 +1,19 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + +reference: https://www.cisecurity.org/benchmark/debian_linux + +title: 'CIS Debian Benchmark for Level 2 - Server' + +description: |- + This profile defines a baseline that aligns to the "Level 2 - Server" + configuration from the Center for Internet Security® + Debian 13 Benchmark™, v1.0.0, released 2025-12-16. + + This profile includes Center for Internet Security® + Debian 13 Benchmark™ content. + +selections: + - cis_debian13:all:l2_server diff --git a/products/debian13/profiles/cis_level2_workstation.profile b/products/debian13/profiles/cis_level2_workstation.profile new file mode 100644 index 000000000000..0c9d0eb08a13 --- /dev/null +++ b/products/debian13/profiles/cis_level2_workstation.profile 
@@ -0,0 +1,19 @@ +documentation_complete: true + +metadata: + version: 1.0.0 + +reference: https://www.cisecurity.org/benchmark/debian_linux + +title: 'CIS Debian Benchmark for Level 2 - Workstation' + +description: |- + This profile defines a baseline that aligns to the "Level 2 - Workstation" + configuration from the Center for Internet Security® + Debian 13 Benchmark™, v1.0.0, released 2025-12-16. + + This profile includes Center for Internet Security® + Debian 13 Benchmark™ content. + +selections: + - cis_debian13:all:l2_workstation diff --git a/products/debian13/profiles/standard.profile b/products/debian13/profiles/standard.profile deleted file mode 100644 index 5e52ca223928..000000000000 --- a/products/debian13/profiles/standard.profile +++ /dev/null 
@@ -1,57 +0,0 @@ -documentation_complete: true - -title: 'Standard System Security Profile for Debian 13' - -description: |- - This profile contains rules to ensure standard security baseline - of a Debian 13 system. Regardless of your system's workload - all of these checks should pass. - -selections: - - partition_for_tmp - - partition_for_var - - partition_for_var_log - - partition_for_var_log_audit - - partition_for_home - - package_audit_installed - - package_cron_installed - - package_ntp_installed - - package_rsyslog_installed - - package_telnetd_removed - - package_inetutils-telnetd_removed - - package_telnetd-ssl_removed - - package_nis_removed - - package_ntpdate_removed - - service_auditd_enabled - - service_cron_enabled - - service_ntp_enabled - - service_rsyslog_enabled - - sshd_idle_timeout_value=5_minutes - - sshd_set_idle_timeout - - sshd_disable_root_login - - sshd_disable_empty_passwords - - sshd_allow_only_protocol2 - - var_sshd_set_keepalive=1 - - sshd_set_keepalive - - rsyslog_files_ownership - - rsyslog_files_groupownership - - rsyslog_files_permissions - - "!rsyslog_remote_loghost" - - ensure_logrotate_activated - - file_permissions_systemmap - - file_permissions_etc_shadow - - file_owner_etc_shadow - - file_groupowner_etc_shadow - - file_permissions_etc_gshadow - - file_owner_etc_gshadow - - file_groupowner_etc_gshadow - - file_permissions_etc_passwd - - file_owner_etc_passwd - - file_groupowner_etc_passwd - - file_permissions_etc_group - - file_owner_etc_group - - file_groupowner_etc_group - - sysctl_fs_protected_symlinks - - sysctl_fs_protected_hardlinks - - sysctl_fs_suid_dumpable - - sysctl_kernel_randomize_va_space diff --git a/shared/templates/accounts_password/bash.template b/shared/templates/accounts_password/bash.template index 4eb0abaaa98e..e61ead0a6be0 100644 --- a/shared/templates/accounts_password/bash.template +++ b/shared/templates/accounts_password/bash.template 
@@ -27,7 +27,7 @@ fi }}} {{% endif %}}
-{{% if product == "ubuntu2404" or product == "debian13" %}}
+{{% if product == "ubuntu2404" %}}
 {{{ bash_pam_pwquality_enable() }}}
 {{% endif %}}
diff --git a/shared/templates/service_disabled_guard_var/bash.template b/shared/templates/service_disabled_guard_var/bash.template
index 0afd3332d867..38535e386905 100644
--- a/shared/templates/service_disabled_guard_var/bash.template
+++ b/shared/templates/service_disabled_guard_var/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
 # reboot = false
 # strategy = disable
 # complexity = low
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index b734d2be7dca..c1275e41f1ab 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -36,7 +36,7 @@ full_name: Debian 12
 gid_min: 1000
 groups: {}
 grub2_boot_path: /boot/grub
-grub2_uefi_boot_path: /boot/grub2
+grub2_uefi_boot_path: /boot/grub
 grub_helper_executable: update-grub
 init_system: systemd
 login_defs_defaults_path: /usr/etc/login.defs
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index 8fce85869fdf..251f56e836c4 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -37,7 +37,7 @@ full_name: Debian 13
 gid_min: 1000
 groups: {}
 grub2_boot_path: /boot/grub
-grub2_uefi_boot_path: /boot/grub2
+grub2_uefi_boot_path: /boot/grub
 grub_helper_executable: update-grub
 init_system: systemd
 login_defs_defaults_path: /usr/etc/login.defs
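Review bot: Removing debian13 from the guard means the bash remediation generated from this template no longer calls `bash_pam_pwquality_enable()` on Debian 13, so the pwquality settings it writes are only enforced if pam_pwquality is already in the PAM stack; on a host without libpam-pwquality the remediation will report success while leaving password quality unenforced. That is acceptable if every Debian 13 profile guarantees `package_pam_pwquality_installed` (the deleted ANSSI profiles in this commit selected it explicitly; the remaining CIS profiles presumably do so through their control file, which I cannot see here), but the template should say so: `{# debian13: pam_pwquality is wired in by pam-auth-update once libpam-pwquality is installed; rely on package_pam_pwquality_installed #}`. The surrounding macro starts before this hunk.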