diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
index ace5c84912c5..c235c6ac4560 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
@@ -28,3 +28,4 @@ options:
     cis_ubuntu2204: syslog|single|halt
     cis_ubuntu2404: syslog|single|halt
     cis_debian12: syslog|single|halt
+    cis_debian13: syslog|single|halt
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
index bde0d87fbfb6..ed5e8b182a88 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
@@ -29,3 +29,4 @@ options:
     cis_ubuntu2204: halt|single
     cis_ubuntu2404: halt|single
     cis_debian12: halt|single
+    cis_debian13: halt|single
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/debian.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/debian.xml
new file mode 100644
index 000000000000..1a35e805ebca
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/debian.xml
@@ -0,0 +1,28 @@
+<def-group>
+  <definition class="compliance" id="grub2_uefi_password" version="1">
+    {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.", rule_title=rule_title) }}}
+
+    <criteria operator="AND">
+      <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+      <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" id="test_bootloader_uefi_superuser" version="2">
+    <ind:object object_ref="object_bootloader_uefi_superuser" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" id="test_grub2_uefi_password_grubcfg" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_grubcfg" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>