diff --git a/debian-hardening.sh b/debian-hardening.sh
index c0ab91c..fa42264 100644
--- a/debian-hardening.sh
+++ b/debian-hardening.sh
@@ -433,7 +433,7 @@ sudo systemctl enable --now unattended-upgrades || true
 # [FILE-7524] Ensuring file permissions
 log "Enforcing file permissions for SSH & cron..."
-sudo chmod -R 640 /var/log/ || true
+#sudo chmod -R 640 /var/log/ || true
 sudo chmod 600 /etc/crontab || true
 sudo chmod 700 /etc/cron.* || true
 sudo chmod -R 700 /etc/cron.d/ || true
@@ -473,7 +473,7 @@ set_pwq "enforcing" 1
 # Add pam_pwquality to /etc/pam.d/common-password if not present
 if ! grep -q "pam_pwquality.so" /etc/pam.d/common-password 2>/dev/null; then
- sudo sed -i "/pam_unix.so/ i password requisite pam_pwquality.so retry=3" /etc/pam.d/common-password || true
+ sudo sed -i "/pam_unix.so/ i password requisite pam_pwquality.so" /etc/pam.d/common-password || true
 fi
 # [AUTH-9286] Password aging
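Review bot: The new side of the [FILE-7524] hunk keeps `#sudo chmod -R 640 /var/log/ || true` as a commented-out command with no rationale, so the next reader cannot tell whether the step was dropped on purpose or just parked. A recursive 640 also clears the execute bit on every directory under /var/log, which presumably is why it had to go; record that and delete the dead line, e.g. `# [FILE-7524] /var/log is deliberately not chmod -R 640: that strips x from the directories and breaks every log writer`. If tightening log file modes is still wanted, a file-only form such as `sudo find /var/log -type f -exec chmod 640 {} + || true` avoids the directory problem, though files that must stay group-writable (wtmp and friends) would still need excluding. The log message on the next line still announces "file permissions for SSH & cron", which no longer describes anything in this block once /var/log is out.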
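Review bot: In the common-password hunk, the guard `grep -q "pam_pwquality.so"` and the sed address `/pam_unix.so/` both match comment lines as well as active entries, so a commented mention of pam_pwquality.so suppresses the insert, and the new `password requisite pam_pwquality.so` line is inserted before every line naming pam_unix.so, comments included. Anchoring both on an active entry fixes that: `if ! grep -Eq '^[[:space:]]*password.*pam_pwquality\.so' /etc/pam.d/common-password 2>/dev/null; then` and `sudo sed -i '/^[[:space:]]*password.*pam_unix\.so/ i password requisite pam_pwquality.so' /etc/pam.d/common-password || true`. Dropping `retry=3` leaves pam_pwquality at its documented default of a single attempt unless `retry` is set in /etc/security/pwquality.conf; if that is what the preceding set_pwq calls configure, a one-line comment saying so would stop the next reader from putting the option back. As far as I know, Debian regenerates common-password from pam-auth-update profiles, so this direct edit may not survive the next run of that tool; the libpam-pwquality package ships its own profile, which is the durable way to enable the module.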
@@ -482,19 +482,19 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs || true
 # [AUTH-9328] Default umask
 if sudo grep -Eq '^[[:space:]]*#?[[:space:]]*UMASK\b' /etc/login.defs 2>/dev/null; then
- sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*UMASK[[:space:]]+.*|UMASK 077|" /etc/login.defs || true
+ sudo sed -ri "s|^[[:space:]]*#?[[:space:]]*UMASK[[:space:]]+.*|UMASK 027|" /etc/login.defs || true
 else
- echo 'UMASK 077' | sudo tee -a /etc/login.defs > /dev/null
+ echo 'UMASK 027' | sudo tee -a /etc/login.defs > /dev/null
 fi
 if grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc 2>/dev/null; then
- sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 077/' /etc/bash.bashrc || true
+ sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc || true
 else
- echo 'umask 077' | sudo tee -a /etc/bash.bashrc > /dev/null
+ echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
 fi
 if grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile 2>/dev/null; then
- sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 077/' /etc/profile || true
+ sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile || true
 else
- echo 'umask 077' | sudo tee -a /etc/profile > /dev/null
+ echo 'umask 027' | sudo tee -a /etc/profile > /dev/null
 fi
 # [AUTH-9408] Logging of failed login attempts is enabled
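Review bot: The three if/sed/else/tee blocks in this hunk are the same logic repeated for /etc/login.defs, /etc/bash.bashrc and /etc/profile, and the detect and rewrite patterns have already drifted: the login.defs guard matches `UMASK\b`, while the sed requires `UMASK[[:space:]]+`, so a bare `UMASK` line is detected but neither rewritten nor appended, and the value is silently left unset. A small helper keeps the two patterns identical and turns the three blocks into one-liners, as sketched below. The 077→027 change itself lands without a rationale; a comment under the section header such as `# [AUTH-9328] 027 rather than 077: group keeps read access, world gets none` would record the intent. Note that the bash.bashrc and profile edits only reach shells that source those files, and the login.defs value, as far as I know, only takes effect through pam_umask where that module is enabled in the PAM session stack.

```shell
# Rewrite an existing (possibly commented-out) KEY line in FILE to "KEY VALUE",
# or append one when the file has none. KEY is 'UMASK' for login.defs and
# 'umask' for shell rc files; both sides use the same detection pattern.
set_umask_line() {
  local file=$1 key=$2 value=$3
  if sudo grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" 2>/dev/null; then
    sudo sed -Ei "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" || true
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a "$file" > /dev/null
  fi
}

# [AUTH-9328] Default umask
set_umask_line /etc/login.defs  UMASK 027
set_umask_line /etc/bash.bashrc umask 027
set_umask_line /etc/profile     umask 027
# … unchanged: [AUTH-9408] failed-login logging …
```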