From f59b8dbb4d002182c155e12c9f062eedaff92728 Mon Sep 17 00:00:00 2001
From: Marco De Donno <mdedonno1337@gmail.com>
Date: Fri, 8 Oct 2021 15:15:00 +0200
Subject: [PATCH 1/4] Add support for Debian 11

---
 CMakeLists.txt                                |   5 +
 build_product                                 |   1 +
 .../rule.yml                                  |   2 +-
 .../apt/apt_sources_list_official/rule.yml    |   2 +-
 .../package_net-snmp_removed/rule.yml         |   3 +-
 .../service_snmpd_disabled/rule.yml           |   3 +-
 .../ansible/shared.yml                        |   2 +-
 .../snmpd_not_default_password/bash/shared.sh |   2 +-
 .../snmpd_not_default_password/rule.yml       |   2 +-
 .../ssh/service_sshd_disabled/rule.yml        |   3 +-
 .../sshd_set_loglevel_info/rule.yml           |   1 +
 .../sshd_set_max_auth_tries/rule.yml          |   1 +
 .../audit_rules_file_deletion_events/rule.yml |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../rule.yml                                  |   2 +-
 .../audit_rules_login_events/rule.yml         |   2 +-
 .../rule.yml                                  |   2 +-
 .../audit_rules_login_events_lastlog/rule.yml |   2 +-
 .../rule.yml                                  |   2 +-
 .../auditing/package_audit_installed/rule.yml |   1 +
 .../auditing/service_auditd_enabled/rule.yml  |   1 +
 .../oval/shared.xml                           |   4 +-
 .../rsyslog_files_permissions/bash/shared.sh  |   2 +-
 .../rsyslog_files_permissions/oval/shared.xml |   4 +-
 .../sysctl_net_ipv4_ip_forward/rule.yml       |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../file_groupowner_etc_gshadow/rule.yml      |   1 +
 .../file_groupowner_etc_shadow/rule.yml       |   1 +
 .../rule.yml                                  |   1 +
 .../rule.yml                                  |   1 +
 .../file_permissions_etc_gshadow/rule.yml     |   1 +
 .../file_permissions_etc_shadow/rule.yml      |   1 +
 .../aide/aide_build_database/rule.yml         |   2 +-
 .../aide/package_aide_installed/rule.yml      |   2 +-
 products/debian11/CMakeLists.txt              |   6 +
 products/debian11/overlays/.gitkeep           |   0
 products/debian11/product.yml                 |  30 +++++
 .../profiles/anssi_np_nt28_average.profile    |  36 ++++++
 .../profiles/anssi_np_nt28_high.profile       |  11 ++
 .../profiles/anssi_np_nt28_minimal.profile    |  31 +++++
 .../anssi_np_nt28_restrictive.profile         |  18 +++
 products/debian11/profiles/standard.profile   |  59 +++++++++
 products/debian11/transforms/constants.xslt   |  21 ++++
 .../debian11/transforms/shorthand2xccdf.xslt  |   9 ++
 .../debian11/transforms/table-srgmap.xslt     |  11 ++
 products/debian11/transforms/table-style.xslt |   5 +
 .../transforms/xccdf-apply-overlay-stig.xslt  |   8 ++
 .../transforms/xccdf2table-byref.xslt         |   9 ++
 .../debian11/transforms/xccdf2table-cce.xslt  |   9 ++
 .../xccdf2table-profileanssirefs.xslt         | 112 ++++++++++++++++++
 .../xccdf2table-profileccirefs.xslt           |   9 ++
 .../xccdf2table-profilecisrefs.xslt           |   9 ++
 .../xccdf2table-profilenistrefs.xslt          |   8 ++
 .../debian11/transforms/xccdf2table-stig.xslt |   9 ++
 .../checks/oval/installed_OS_is_debian11.xml  |  27 +++++
 ssg/constants.py                              |   5 +-
 tests/unit/ssg-module/test_utils.py           |   2 +-
 utils/duplicated_prodtypes.py                 |   2 +-
 utils/fix_file_ocilclause.py                  |   2 +-
 69 files changed, 496 insertions(+), 36 deletions(-)
 create mode 100644 products/debian11/CMakeLists.txt
 create mode 100644 products/debian11/overlays/.gitkeep
 create mode 100644 products/debian11/product.yml
 create mode 100644 products/debian11/profiles/anssi_np_nt28_average.profile
 create mode 100644 products/debian11/profiles/anssi_np_nt28_high.profile
 create mode 100644 products/debian11/profiles/anssi_np_nt28_minimal.profile
 create mode 100644 products/debian11/profiles/anssi_np_nt28_restrictive.profile
 create mode 100644 products/debian11/profiles/standard.profile
 create mode 100644 products/debian11/transforms/constants.xslt
 create mode 100644 products/debian11/transforms/shorthand2xccdf.xslt
 create mode 100644 products/debian11/transforms/table-srgmap.xslt
 create mode 100644 products/debian11/transforms/table-style.xslt
 create mode 100644 products/debian11/transforms/xccdf-apply-overlay-stig.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-byref.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-cce.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-profileanssirefs.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-profileccirefs.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-profilecisrefs.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-profilenistrefs.xslt
 create mode 100644 products/debian11/transforms/xccdf2table-stig.xslt
 create mode 100644 shared/checks/oval/installed_OS_is_debian11.xml

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0dc93f3b72d..79ec09693ea 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -68,6 +68,7 @@ option(SSG_PRODUCT_DEFAULT "If enabled, all default release products will be bui
 option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_DEBIAN11 "If enabled, the Debian 11 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
 option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -263,6 +264,7 @@ message(STATUS "Products:")
 message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
 message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}")
 message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
+message(STATUS "Debian 11: ${SSG_PRODUCT_DEBIAN11}")
 message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
 message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
 message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
@@ -333,6 +335,9 @@ endif()
 if (SSG_PRODUCT_DEBIAN10)
     add_subdirectory("products/debian10" "debian10")
 endif()
+if (SSG_PRODUCT_DEBIAN11)
+    add_subdirectory("products/debian11" "debian11")
+endif()
 if (SSG_PRODUCT_EXAMPLE)
     add_subdirectory("products/example" "example")
 endif()
diff --git a/build_product b/build_product
index 050617dc8e4..4d7aae8762c 100755
--- a/build_product
+++ b/build_product
@@ -285,6 +285,7 @@ all_cmake_products=(
 	CHROMIUM
 	DEBIAN9
 	DEBIAN10
+	DEBIAN11
 	EXAMPLE
 	FEDORA
 	FIREFOX
diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml
index 83e1d2e2ae6..fed7bb04abb 100644
--- a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml
+++ b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,ubuntu1604,ubuntu1804,ubuntu2004
+prodtype: debian11,debian10,debian9,ubuntu1604,ubuntu1804,ubuntu2004
 
 title: 'Disable unauthenticated repositories in APT configuration'
 
diff --git a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml
index 60b673a4f2e..61e0662f54e 100644
--- a/linux_os/guide/services/apt/apt_sources_list_official/rule.yml
+++ b/linux_os/guide/services/apt/apt_sources_list_official/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9
+prodtype: debian11,debian10,debian9
 
 title: 'Ensure that official distribution repositories are used'
 
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
index bf6298fe1e4..30fa4c70bd8 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Uninstall net-snmp Package'
 
@@ -41,6 +41,7 @@ template:
         pkgname: net-snmp
         pkgname@debian9: snmp
         pkgname@debian10: snmp
+        pkgname@debian11: snmp
         pkgname@ubuntu1604: snmp
         pkgname@ubuntu1804: snmp
         pkgname@ubuntu2004: snmp
diff --git a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
index 66a71f85331..db2ba677cba 100644
--- a/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
+++ b/linux_os/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,rhel7,rhel8,rhel9,sle15
+prodtype: debian11,debian10,debian9,rhel7,rhel8,rhel9,sle15
 
 title: 'Disable snmpd Service'
 
@@ -36,4 +36,5 @@ template:
         servicename: snmpd
         packagename@debian9: snmpd
         packagename@debian10: snmpd
+        packagename@debian11: snmpd
         packagename: net-snmp
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
index 4e4f24f3001..632c711183a 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
+# platform = debian 11,debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
 # reboot = false
 # strategy = configure
 # complexity = low
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
index 11b71c46827..a76c29731a3 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
+# platform = debian 11,debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
 
 {{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
 
diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
index 19775b8cf60..ff958f108ff 100644
--- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhel7,rhel8,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhel7,rhel8,wrlinux1019
 
 title: 'Ensure Default SNMP Password Is Not Used'
 
diff --git a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
index 220f444874c..d33b2612305 100644
--- a/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
+++ b/linux_os/guide/services/ssh/service_sshd_disabled/rule.yml
@@ -5,7 +5,7 @@ title: 'Disable SSH Server If Possible (Unusual)'
 description: |-
     The SSH server service, sshd, is commonly needed.
     However, if it can be disabled, do so.
-    {{% if product in ['debian9', 'debian10', 'ubuntu1604', 'ubuntu1804'] %}}
+    {{% if product in ['debian9', 'debian10', 'debian11', 'ubuntu1604', 'ubuntu1804'] %}}
     {{{ describe_service_disable(service="sshd") }}}
     {{% else %}}
     {{{ describe_service_disable(service="sshd") }}}
@@ -29,5 +29,6 @@ template:
         packagename@sle12: openssh
         daemonname@debian9: ssh
         daemonname@debian10: ssh
+        daemonname@debian11: ssh
         daemonname@ubuntu1604: ssh
         daemonname@ubuntu1804: ssh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
index 5b7703d7da5..e8af1415311 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_info/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 
 references:
     cis@debian10: 9.3.2
+    cis@debian11: 9.3.2
     cis@rhel7: 5.3.5
     cis@rhel8: 5.2.5
     cis@sle12: 5.3.6
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
index 47d0fe85403..185f9fc9380 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 
 references:
     cis@debian9: 9.3.5
+    cis@debian11: 9.3.5
     cis@rhel7: 5.3.7
     cis@rhel8: 5.2.7
     cis@sle12: 5.3.8
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
index 1de2b794ce3..b60d5c86cc8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Ensure auditd Collects File Deletion Events by User'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
index e2ff8a026b6..691dc30d493 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 247647b856b..b4eccbbb33d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Unsuccessful Access Attempts to Files - creat'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 21c8ee76eb8..2f6b9af5164 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Unsuccessful Access Attempts to Files - ftruncate'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index 9d8342f82e7..a5b48fad104 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Unsuccessful Access Attempts to Files - open'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index 9bb5ffe3fcb..3de4de015f3 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 6f0d00bf482..c758d704985 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Unsuccessful Access Attempts to Files - openat'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index f988e4ec8ff..3d7e3ea0fcc 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Unsuccessful Access Attempts to Files - truncate'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
index 55246da9677..e26878f293c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index cc4e3a609b6..52d25b3715e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index aa170023215..b3d3d88eb62 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index 470429cc704..d51738c2f21 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
index c062cf525c5..1d4bab4ca7d 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Record Attempts to Alter Logon and Logout Events'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
index 6dda4dd8b90..f0617c83288 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,wrlinux1019
 
 title: 'Record Attempts to Alter Logon and Logout Events - faillock'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index 902f411e4af..4be3216caa6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Attempts to Alter Logon and Logout Events - lastlog'
 
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
index 0da922289c0..fae95e0ef71 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Record Attempts to Alter Logon and Logout Events - tallylog'
 
diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
index 8f4e46e976a..886dafad1bf 100644
--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -46,3 +46,4 @@ template:
         pkgname@ubuntu2004: auditd
         pkgname@debian9: auditd
         pkgname@debian10: auditd
+        pkgname@debian11: auditd
diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
index 539e2a4a8a7..71253143ef1 100644
--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
@@ -71,6 +71,7 @@ template:
         packagename: audit
         packagename@debian9: auditd
         packagename@debian10: auditd
+        packagename@debian11: auditd
         packagename@ubuntu1604: auditd
         packagename@ubuntu1804: auditd
         packagename@ubuntu2004: auditd
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
index 8b955b06b07..96d477ea23b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
@@ -3,7 +3,7 @@
     {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}}
 
     <criteria operator="AND">
-      {{% if product in ["debian9", "debian10", "ubuntu1604"] %}}
+      {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604"] %}}
       <extend_definition comment="rsyslog daemon is used as local logging daemon" definition_ref="package_rsyslog_installed" />
       {{% endif %}}
       <criterion comment="Check if all system log files are owned by the appropriate group" test_ref="test_rsyslog_files_groupownership" />
@@ -106,7 +106,7 @@
 
   <unix:file_state id="state_rsyslog_files_groupownership" version="1">
     <unix:type operation="equals">regular</unix:type>
-    {{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu2004"] %}}
+    {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu2004"] %}}
     <unix:group_id datatype="int">4</unix:group_id>
     {{% else %}}
     <unix:group_id datatype="int">0</unix:group_id>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index ca659a24080..c1236f84d45 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -48,7 +48,7 @@ do
 		unset ARRAY_FOR_LOG_FILE
 	fi
 done
-{{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}}
+{{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}}
 DESIRED_PERM_MOD=640
 {{% else %}}
 DESIRED_PERM_MOD=600
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index c0557c881fe..a04e6fd8900 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -3,7 +3,7 @@
     {{{ oval_metadata("File permissions for all syslog log files should be set correctly.") }}}
 
     <criteria operator="AND">
-      {{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu1804"] %}}
+      {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu1804"] %}}
       <extend_definition comment="rsyslog daemon is used as local logging daemon" definition_ref="package_rsyslog_installed" />
       {{% endif %}}
       <criterion comment="Check permissions of all system log files" test_ref="test_rsyslog_files_permissions" />
@@ -108,7 +108,7 @@
   <unix:file_state id="state_rsyslog_files_permissions" version="1">
     <unix:type operation="equals">regular</unix:type>
     <unix:uexec datatype="boolean">false</unix:uexec>
-    {{% if product in ["debian9", "debian10", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}}
+    {{% if product in ["debian9", "debian10", "debian11", "ubuntu1604", "ubuntu1804", "ubuntu2004", "sle15", "sle12"] %}}
     <unix:gread datatype="boolean">true</unix:gread>
     {{% else %}}
     <unix:gread datatype="boolean">false</unix:gread>
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index bc75de1e413..ac80bf2a15c 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -66,5 +66,6 @@ template:
         datatype: int
         sysctlval@debian9: ''
         sysctlval@debian10: ''
+        sysctlval@debian11: ''
         sysctlval@ubuntu1604: ''
         sysctlval@ubuntu1804: ''
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index f1f7c7a4d65..128acbffff5 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -38,6 +38,7 @@ template:
         filegid: '0'
         filegid@debian9: '42'
         filegid@debian10: '42'
+        filegid@debian11: '42'
         filegid@ubuntu1604: '42'
         filegid@ubuntu1804: '42'
         filegid@ubuntu2004: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
index 88208c25d80..8bcb98d9fd1 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -41,6 +41,7 @@ template:
         filegid: '0'
         filegid@debian9: '42'
         filegid@debian10: '42'
+        filegid@debian11: '42'
         filegid@ubuntu1604: '42'
         filegid@ubuntu1804: '42'
         filegid@ubuntu2004: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index ca65dbc5af7..dabb489c0b6 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -46,6 +46,7 @@ template:
         filegid: '0'
         filegid@debian9: '42'
         filegid@debian10: '42'
+        filegid@debian11: '42'
         filegid@ubuntu1604: '42'
         filegid@ubuntu1804: '42'
         filegid@ubuntu2004: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index f42ccef3ee5..036d9cdb16f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -51,6 +51,7 @@ template:
         filegid: '0'
         filegid@debian9: '42'
         filegid@debian10: '42'
+        filegid@debian11: '42'
         filegid@ubuntu1604: '42'
         filegid@ubuntu1804: '42'
         filegid@ubuntu2004: '42'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 9fd8981485b..732bb15dfcc 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -42,6 +42,7 @@ template:
         filemode: '0000'
         filemode@debian9: '0640'
         filemode@debian10: '0640'
+        filemode@debian11: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 70e474b280e..2d03c2e5125 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -44,6 +44,7 @@ template:
         filemode: '0000'
         filemode@debian9: '0640'
         filemode@debian10: '0640'
+        filemode@debian11: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index 02404617c11..1d9c98378ea 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -51,6 +51,7 @@ template:
         filemode: '0000'
         filemode@debian9: '0640'
         filemode@debian10: '0640'
+        filemode@debian11: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 8d1ca918377..daf81def878 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -58,6 +58,7 @@ template:
         filemode: '0000'
         filemode@debian9: '0640'
         filemode@debian10: '0640'
+        filemode@debian11: '0640'
         filemode@ubuntu1604: '0640'
         filemode@ubuntu1804: '0640'
         filemode@ubuntu2004: '0640'
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
index faacdc76de8..8e242cb4f5b 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Build and Test AIDE Database'
 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index d9024c63e80..d121604452c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
+prodtype: debian11,debian10,debian9,fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,wrlinux1019
 
 title: 'Install AIDE'
 
diff --git a/products/debian11/CMakeLists.txt b/products/debian11/CMakeLists.txt
new file mode 100644
index 00000000000..b98b58b3710
--- /dev/null
+++ b/products/debian11/CMakeLists.txt
@@ -0,0 +1,6 @@
+# Sometimes our users will try to do: "cd debian11; cmake ." That needs to error in a nice way.
+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+ssg_build_product("debian11")
diff --git a/products/debian11/overlays/.gitkeep b/products/debian11/overlays/.gitkeep
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/products/debian11/product.yml b/products/debian11/product.yml
new file mode 100644
index 00000000000..1b9d40833b2
--- /dev/null
+++ b/products/debian11/product.yml
@@ -0,0 +1,30 @@
+product: debian11
+full_name: Debian 11
+type: platform
+
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+pkg_manager: "apt_get"
+
+init_system: "systemd"
+
+grub2_boot_path: "/boot/grub"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - debian11:
+      name: "cpe:/o:debian:debian_linux:11"
+      title: "Debian Linux 11"
+      check_id: installed_OS_is_debian11
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+  gdm: gdm3
+  grub2: grub2-common
+  net-snmp: snmp
+  nss-pam-ldapd: libpam-ldap
+  pam: libpam-runtime
+  shadow: login
+  sssd: sssd-common
diff --git a/products/debian11/profiles/anssi_np_nt28_average.profile b/products/debian11/profiles/anssi_np_nt28_average.profile
new file mode 100644
index 00000000000..600f1a6f713
--- /dev/null
+++ b/products/debian11/profiles/anssi_np_nt28_average.profile
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 Average (Intermediate) Level'
+
+description: 'This profile contains items for GNU/Linux installations already protected by multiple higher level security
+    stacks.'
+
+extends: anssi_np_nt28_minimal
+
+selections:
+    - partition_for_tmp
+    - partition_for_var
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - partition_for_home
+    - package_ntp_installed
+    - package_ntpdate_removed
+    - sshd_idle_timeout_value=5_minutes
+    - sshd_set_idle_timeout
+    - sshd_disable_root_login
+    - sshd_disable_empty_passwords
+    - sshd_allow_only_protocol2
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
+    - file_owner_logfiles_value=adm
+    - rsyslog_files_ownership
+    - file_groupowner_logfiles_value=adm
+    - rsyslog_files_groupownership
+    - rsyslog_files_permissions
+    - "!rsyslog_remote_loghost"
+    - ensure_logrotate_activated
+    - file_permissions_systemmap
+    - sysctl_fs_protected_symlinks
+    - sysctl_fs_protected_hardlinks
+    - sysctl_fs_suid_dumpable
+    - sysctl_kernel_randomize_va_space
diff --git a/products/debian11/profiles/anssi_np_nt28_high.profile b/products/debian11/profiles/anssi_np_nt28_high.profile
new file mode 100644
index 00000000000..8e4760a5477
--- /dev/null
+++ b/products/debian11/profiles/anssi_np_nt28_high.profile
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 High (Enforced) Level'
+
+description: 'This profile contains items for GNU/Linux installations storing sensitive informations that can be accessible
+    from unauthenticated or uncontroled networks.'
+
+extends: anssi_np_nt28_restrictive
+
+selections:
+    - grub2_enable_iommu_force
diff --git a/products/debian11/profiles/anssi_np_nt28_minimal.profile b/products/debian11/profiles/anssi_np_nt28_minimal.profile
new file mode 100644
index 00000000000..797aee747d7
--- /dev/null
+++ b/products/debian11/profiles/anssi_np_nt28_minimal.profile
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 Minimal Level'
+
+description: 'This profile contains items to be applied systematically.'
+
+selections:
+    - sudo_remove_nopasswd
+    - sudo_remove_no_authenticate
+    - package_telnetd_removed
+    - package_inetutils-telnetd_removed
+    - package_telnetd-ssl_removed
+    - package_nis_removed
+    - package_rsyslog_installed
+    - service_rsyslog_enabled
+    - package_syslogng_installed
+    - service_syslogng_enabled
+    - apt_conf_disallow_unauthenticated
+    - apt_sources_list_official
+    - file_permissions_etc_shadow
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
+    - file_permissions_etc_gshadow
+    - file_owner_etc_gshadow
+    - file_groupowner_etc_gshadow
+    - file_permissions_etc_passwd
+    - file_owner_etc_passwd
+    - file_groupowner_etc_passwd
+    - file_permissions_etc_group
+    - file_owner_etc_group
+    - file_groupowner_etc_group
diff --git a/products/debian11/profiles/anssi_np_nt28_restrictive.profile b/products/debian11/profiles/anssi_np_nt28_restrictive.profile
new file mode 100644
index 00000000000..27e4ec396f9
--- /dev/null
+++ b/products/debian11/profiles/anssi_np_nt28_restrictive.profile
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Profile for ANSSI DAT-NT28 Restrictive Level'
+
+description: 'This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.'
+
+extends: anssi_np_nt28_average
+
+selections:
+    - partition_for_tmp
+    - partition_for_var
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - partition_for_home
+    - package_audit_installed
+    - package_cron_installed
+    - service_auditd_enabled
+    - service_ntp_enabled
diff --git a/products/debian11/profiles/standard.profile b/products/debian11/profiles/standard.profile
new file mode 100644
index 00000000000..e1b2c718dfe
--- /dev/null
+++ b/products/debian11/profiles/standard.profile
@@ -0,0 +1,59 @@
+documentation_complete: true
+
+title: 'Standard System Security Profile for Debian 11'
+
+description: |-
+    This profile contains rules to ensure standard security baseline
+    of a Debian 11 system. Regardless of your system's workload
+    all of these checks should pass.
+
+selections:
+    - partition_for_tmp
+    - partition_for_var
+    - partition_for_var_log
+    - partition_for_var_log_audit
+    - partition_for_home
+    - package_audit_installed
+    - package_cron_installed
+    - package_ntp_installed
+    - package_rsyslog_installed
+    - package_telnetd_removed
+    - package_inetutils-telnetd_removed
+    - package_telnetd-ssl_removed
+    - package_nis_removed
+    - package_ntpdate_removed
+    - service_auditd_enabled
+    - service_cron_enabled
+    - service_ntp_enabled
+    - service_rsyslog_enabled
+    - sshd_idle_timeout_value=5_minutes
+    - sshd_set_idle_timeout
+    - sshd_disable_root_login
+    - sshd_disable_empty_passwords
+    - sshd_allow_only_protocol2
+    - var_sshd_set_keepalive=0
+    - sshd_set_keepalive_0
+    - file_owner_logfiles_value=adm
+    - rsyslog_files_ownership
+    - file_groupowner_logfiles_value=adm
+    - rsyslog_files_groupownership
+    - rsyslog_files_permissions
+    - "!rsyslog_remote_loghost"
+    - ensure_logrotate_activated
+    - file_permissions_systemmap
+    - file_permissions_etc_shadow
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
+    - file_permissions_etc_gshadow
+    - file_owner_etc_gshadow
+    - file_groupowner_etc_gshadow
+    - file_permissions_etc_passwd
+    - file_owner_etc_passwd
+    - file_groupowner_etc_passwd
+    - file_permissions_etc_group
+    - file_owner_etc_group
+    - file_groupowner_etc_group
+    - sysctl_fs_protected_symlinks
+    - sysctl_fs_protected_hardlinks
+    - sysctl_fs_suid_dumpable
+    - sysctl_kernel_randomize_va_space
diff --git a/products/debian11/transforms/constants.xslt b/products/debian11/transforms/constants.xslt
new file mode 100644
index 00000000000..a47ff2592c0
--- /dev/null
+++ b/products/debian11/transforms/constants.xslt
@@ -0,0 +1,21 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">Debian 11</xsl:variable>
+<xsl:variable name="product_short_name">Debian 11</xsl:variable>
+<xsl:variable name="product_stig_id_name">DEBIAN_11_STIG</xsl:variable>
+<xsl:variable name="product_guide_id_name">DEBIAN-11</xsl:variable>
+<xsl:variable name="prod_type">debian11</xsl:variable>
+
+<!-- Define URI of official Center for Internet Security Benchmark for Debian Linux v1.0 -->
+<xsl:variable name="cisuri">https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf</xsl:variable>
+<xsl:variable name="disa-stigs-uri" select="$disa-stigs-os-unix-linux-uri"/>
+
+<!-- Define URI for custom CCE identifier which can be used for mapping to corporate policy -->
+<!--xsl:variable name="custom-cce-uri">https://www.example.org</xsl:variable-->
+
+<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
+<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/shorthand2xccdf.xslt b/products/debian11/transforms/shorthand2xccdf.xslt
new file mode 100644
index 00000000000..cd8e8ed74d3
--- /dev/null
+++ b/products/debian11/transforms/shorthand2xccdf.xslt
@@ -0,0 +1,9 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_shorthand2xccdf.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:param name="ssg_version">unknown</xsl:param>
+<xsl:variable name="ovalfile">unlinked-debian11-oval.xml</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/table-srgmap.xslt b/products/debian11/transforms/table-srgmap.xslt
new file mode 100644
index 00000000000..5798a48943b
--- /dev/null
+++ b/products/debian11/transforms/table-srgmap.xslt
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:include href="../../../shared/transforms/shared_table-srgmap.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
+<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/table-style.xslt b/products/debian11/transforms/table-style.xslt
new file mode 100644
index 00000000000..8b6caeab8cd
--- /dev/null
+++ b/products/debian11/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf-apply-overlay-stig.xslt b/products/debian11/transforms/xccdf-apply-overlay-stig.xslt
new file mode 100644
index 00000000000..4789419b80a
--- /dev/null
+++ b/products/debian11/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-byref.xslt b/products/debian11/transforms/xccdf2table-byref.xslt
new file mode 100644
index 00000000000..1cdb679c6fd
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-byref.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-byref.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-cce.xslt b/products/debian11/transforms/xccdf2table-cce.xslt
new file mode 100644
index 00000000000..f156a669566
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-profileanssirefs.xslt b/products/debian11/transforms/xccdf2table-profileanssirefs.xslt
new file mode 100644
index 00000000000..5cde9c4cc85
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-profileanssirefs.xslt
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<!-- this style sheet expects parameter $profile, which is the id of the Profile to be shown -->
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+	<xsl:template match="/">
+		<html>
+		<head>
+			<title><xsl:value-of select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:title" /></title>
+		</head>
+		<body>
+			<br/>
+			<br/>
+			<div style="text-align: center; font-size: x-large; font-weight:bold"><xsl:value-of select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:title" /></div>
+			<br/>
+			<br/>
+			<xsl:apply-templates select="cdf:Benchmark"/>
+		</body>
+		</html>
+	</xsl:template>
+
+
+	<xsl:template match="cdf:Benchmark">
+		<xsl:call-template name="table-style" />
+
+		<table>
+			<thead>
+				<td>Rule Title</td>
+				<td>Description</td>
+				<td>Rationale</td>
+				<td>Variable Setting</td>
+				<td>ANSSI Best practice Mapping</td>
+			</thead>
+		<xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:select">
+			<xsl:variable name="idrefer" select="@idref" />
+			<xsl:variable name="enabletest" select="@selected" />
+			<xsl:for-each select="//cdf:Rule">
+				<xsl:call-template name="ruleplate">
+					<xsl:with-param name="idreference" select="$idrefer" />
+					<xsl:with-param name="enabletest" select="$enabletest" />
+				</xsl:call-template>
+			</xsl:for-each>
+		</xsl:for-each>
+
+		</table>
+	</xsl:template>
+
+
+	<xsl:template match="cdf:Rule" name="ruleplate">
+		<xsl:param name="idreference" />
+		<xsl:param name="enabletest" />
+		<xsl:if test="@id=$idreference and $enabletest='true'">
+		<tr>
+			<td> <xsl:value-of select="cdf:title" /></td>
+			<td> <xsl:apply-templates select="cdf:description"/> </td>
+			<!-- call template to grab text and also child nodes (which should all be xhtml)  -->
+			<td> <xsl:apply-templates select="cdf:rationale"/> </td>
+			<!-- need to resolve <sub idref=""> here  -->
+			<td> <!-- TODO: print refine-value from profile associated with rule --> </td>
+			<td> 
+				<xsl:for-each select="cdf:reference[@href=$anssiuri]">
+					<xsl:value-of select="text()"/>
+					<br/>
+				</xsl:for-each>
+			</td> 
+		</tr>
+		</xsl:if>
+	</xsl:template>
+
+
+	<xsl:template match="cdf:check">
+		<xsl:for-each select="cdf:check-export">
+			<xsl:variable name="rulevar" select="@value-id" />
+				<!--<xsl:value-of select="$rulevar" />:-->
+				<xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:refine-value">
+					<xsl:if test="@idref=$rulevar">
+						<xsl:value-of select="@selector" />
+					</xsl:if>
+				</xsl:for-each>
+		</xsl:for-each>
+	</xsl:template>
+
+
+    <!-- getting rid of XHTML namespace -->
+	<xsl:template match="xhtml:*">
+		<xsl:element name="{local-name()}">
+			<xsl:apply-templates select="node()|@*"/>
+		</xsl:element>
+	</xsl:template>
+
+    <xsl:template match="@*|node()">
+		<xsl:copy>
+			<xsl:apply-templates select="@*|node()"/>
+		</xsl:copy>
+	</xsl:template>
+
+    <xsl:template match="cdf:description">
+             <!-- print all the text and children (xhtml elements) of the description -->
+        <xsl:apply-templates select="@*|node()" />
+            </xsl:template>
+
+    <xsl:template match="cdf:rationale">
+             <!-- print all the text and children (xhtml elements) of the description -->
+        <xsl:apply-templates select="@*|node()" />
+            </xsl:template>
+
+
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-profileccirefs.xslt b/products/debian11/transforms/xccdf2table-profileccirefs.xslt
new file mode 100644
index 00000000000..30419e92b28
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-profilecisrefs.xslt b/products/debian11/transforms/xccdf2table-profilecisrefs.xslt
new file mode 100644
index 00000000000..07d321241fd
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-profilecisrefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-profilenistrefs.xslt b/products/debian11/transforms/xccdf2table-profilenistrefs.xslt
new file mode 100644
index 00000000000..ea9f8b0da56
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-profilenistrefs.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profilenistrefs.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/debian11/transforms/xccdf2table-stig.xslt b/products/debian11/transforms/xccdf2table-stig.xslt
new file mode 100644
index 00000000000..a71d8364d2c
--- /dev/null
+++ b/products/debian11/transforms/xccdf2table-stig.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-stig.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/shared/checks/oval/installed_OS_is_debian11.xml b/shared/checks/oval/installed_OS_is_debian11.xml
new file mode 100644
index 00000000000..7a44d04848f
--- /dev/null
+++ b/shared/checks/oval/installed_OS_is_debian11.xml
@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="inventory" id="installed_OS_is_debian11" version="3">
+    <metadata>
+      <title>Debian Linux 11</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <reference ref_id="cpe:/o:debian:debian_linux:11" source="CPE" />
+      <description>The operating system installed on the system is Debian 11</description>
+    </metadata>
+    <criteria comment="Debian Linux is version 11" operator="AND">
+      <extend_definition comment="Debian is installed" definition_ref="installed_OS_is_debian" />
+      <criterion comment="Debian11 is installed" test_ref="test_debian_11" />
+    </criteria>
+  </definition>
+
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="test_debian_11" version="1">
+    <ind:object object_ref="obj_debian_11" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_debian_11" version="1" comment="Check Debian version">
+    <ind:filepath>/etc/debian_version</ind:filepath>
+    <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
index fee8ef8c659..10ea1199c92 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -7,7 +7,7 @@
 
 product_directories = [
     'chromium',
-    'debian9', 'debian10',
+    'debian9', 'debian10', 'debian11',
     'example',
     'fedora',
     'firefox',
@@ -157,6 +157,7 @@
     "Chromium": "chromium",
     "Debian 9": "debian9",
     "Debian 10": "debian10",
+    "Debian 11": "debian11",
     "Example": "example",
     "Fedora": "fedora",
     "Firefox": "firefox",
@@ -199,7 +200,7 @@
                        "wrlinux", "opensuse", "sle", "ol", "ocp", "rhcos", "example"]
 
 MULTI_PLATFORM_MAPPING = {
-    "multi_platform_debian": ["debian9", "debian10"],
+    "multi_platform_debian": ["debian9", "debian10", "debian11"],
     "multi_platform_example": ["example"],
     "multi_platform_fedora": ["fedora"],
     "multi_platform_opensuse": ["opensuse"],
diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py
index f1e7b127469..ad4e725b26e 100644
--- a/tests/unit/ssg-module/test_utils.py
+++ b/tests/unit/ssg-module/test_utils.py
@@ -19,7 +19,7 @@ def test_is_applicable():
     assert not ssg.utils.is_applicable('rhosp13', 'rhel7')
     assert not ssg.utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7')
     assert not ssg.utils.is_applicable('ol7', 'rhel7')
-    assert not ssg.utils.is_applicable('fedora,debian9,debian10', 'rhel7')
+    assert not ssg.utils.is_applicable('fedora,debian9,debian10','debian11','rhel7')
 
 
 def test_is_applicable_for_product():
diff --git a/utils/duplicated_prodtypes.py b/utils/duplicated_prodtypes.py
index 7d54ebb918e..4cb2c16fef8 100755
--- a/utils/duplicated_prodtypes.py
+++ b/utils/duplicated_prodtypes.py
@@ -11,7 +11,7 @@
 def _create_profile_cache(ssg_root):
     profile_cache = {}
 
-    product_list = ['debian9', 'debian10', 'fedora', 'ol7', 'opensuse',
+    product_list = ['debian9', 'debian10', 'debian11', 'fedora', 'ol7', 'opensuse',
                     'rhel7', 'sle12', 'sle15', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
                     'wrlinux']
 
diff --git a/utils/fix_file_ocilclause.py b/utils/fix_file_ocilclause.py
index 82b8c1140f2..462d2b37c15 100755
--- a/utils/fix_file_ocilclause.py
+++ b/utils/fix_file_ocilclause.py
@@ -11,7 +11,7 @@
 def _create_profile_cache(ssg_root):
     profile_cache = {}
 
-    product_list = ['debian9', 'debian10', 'fedora', 'ol7', 'opensuse',
+    product_list = ['debian9', 'debian10', 'debian11', 'fedora', 'ol7', 'opensuse',
                     'rhel7', 'sle12', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004',
                     'wrlinux']
 

From c61ca29da313a7ab5ca5c296efe1ced6b4f974da Mon Sep 17 00:00:00 2001
From: Marco De Donno <mdedonno1337@gmail.com>
Date: Fri, 8 Oct 2021 15:32:24 +0200
Subject: [PATCH 2/4] Patch test utils file

---
 tests/unit/ssg-module/test_utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/unit/ssg-module/test_utils.py b/tests/unit/ssg-module/test_utils.py
index ad4e725b26e..9b8a55196f5 100644
--- a/tests/unit/ssg-module/test_utils.py
+++ b/tests/unit/ssg-module/test_utils.py
@@ -19,7 +19,7 @@ def test_is_applicable():
     assert not ssg.utils.is_applicable('rhosp13', 'rhel7')
     assert not ssg.utils.is_applicable('fedora,multi_platform_ubuntu', 'rhel7')
     assert not ssg.utils.is_applicable('ol7', 'rhel7')
-    assert not ssg.utils.is_applicable('fedora,debian9,debian10','debian11','rhel7')
+    assert not ssg.utils.is_applicable('fedora,debian9,debian10,debian11', 'rhel7')
 
 
 def test_is_applicable_for_product():

From 76e580f4047b78ec44c157aa0022e3e04c5011c4 Mon Sep 17 00:00:00 2001
From: Marco De Donno <mdedonno1337@gmail.com>
Date: Sun, 10 Oct 2021 22:26:40 +0200
Subject: [PATCH 3/4] Add the check for official repositories for Debian 11

---
 .../oval/debian11.xml                         | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml

diff --git a/linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml
new file mode 100644
index 00000000000..92d26aea65e
--- /dev/null
+++ b/linux_os/guide/services/apt/apt_sources_list_official/oval/debian11.xml
@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="compliance" id="apt_sources_list_official" version="1">
+    {{{ oval_metadata("Official distribution repositories contain up-to-date distribution security and functional patches.") }}}
+    <criteria comment="Match sources.list distribution repositories usage" operator="AND">
+      <criterion comment="Check /etc/apt/sources(.d/.+).list file for base" test_ref="test_apt_sources_list_base_official" />
+      <criterion comment="Check /etc/apt/sources(.d/.+).list file for security" test_ref="test_apt_sources_list_security_official" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Checks usage of official distribution base repositories"
+  id="test_apt_sources_list_base_official" version="1">
+    <ind:object object_ref="obj_apt_sources_list_base_official" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_apt_sources_list_base_official" version="1">
+    <ind:filepath operation="pattern match">^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$</ind:filepath>
+    <ind:pattern operation="pattern match">^deb[\s]+http://[a-z\.]+\.debian\.org/debian[/]?[\s]+bullseye[\s]+main</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Checks usage of official distribution security repositories"
+  id="test_apt_sources_list_security_official" version="1">
+    <ind:object object_ref="obj_apt_sources_list_security_official" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_apt_sources_list_security_official" version="1">
+    <ind:filepath operation="pattern match">^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list$</ind:filepath>
+    <ind:pattern operation="pattern match">^deb[\s]+http://security\.debian\.org/debian-security[/]?[\s]+bullseye-security[\s]+main</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

From 183bcc0d165900120c9091333852dc86305bf11b Mon Sep 17 00:00:00 2001
From: Marco De Donno <mdedonno1337@gmail.com>
Date: Thu, 14 Oct 2021 13:56:32 +0200
Subject: [PATCH 4/4] Add github actions to build the content for Debian (9, 10
 and 11)

---
 .github/workflows/gate.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/gate.yaml b/.github/workflows/gate.yaml
index 847aa3e4bb5..c4a5ce0f6bd 100644
--- a/.github/workflows/gate.yaml
+++ b/.github/workflows/gate.yaml
@@ -21,6 +21,29 @@ jobs:
         run: ctest -j2 --output-on-failure -E unique-stigids
         working-directory: ./build
 
+  validate-debian:
+    name: Build, Test on Debian 10 (Container)
+    runs-on: ubuntu-latest
+    container:
+      image: debian:buster
+    steps:
+      - name: Update the package repository
+        run: apt-get update
+      - name: Install Deps
+        run: apt-get install -y ansible-lint bats check cmake expat libopenscap8 libxml2-utils ninja-build python3-github python3-jinja2 python3-pip python3-pytest python3-pytest-cov python3-yaml xsltproc
+      - name: Install deps python
+        run: pip3 install ruamel.yaml yamlpath
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Build
+        env:
+          ADDITIONAL_CMAKE_OPTIONS: "-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED=ON"
+        run: |-
+          ./build_product debian9 debian10 debian11
+      - name: Test
+        working-directory: ./build
+        run: ctest -j2 --output-on-failure -E unique-stigids
+        
   validate-ubuntu:
     name: Build, Test on Ubuntu 20.04
     runs-on: ubuntu-20.04