slight improvement and fix

This commit is contained in:
2025-12-07 17:32:11 +01:00
parent bcb50f0c92
commit 59a68436f8


@@ -14,6 +14,7 @@ EOL
# [LOGG-2154] Ensure system log is configured to send logs to a remote log server
sudo pacman -S --noconfirm --needed syslog-ng
sudo systemctl enable --now syslog-ng@default.service
# [USB-3000] Ensure USBGUARD is installed and configured
sudo pacman -S --noconfirm --needed usbguard
@@ -60,9 +61,8 @@ sudo systemctl enable --now clamav-daemon
# [FINT-4350] Install a file integrity tool
sudo pacman -S --noconfirm --needed aide
sudo aide --init
sudo aide --update
sudo systemctl enable --now aidecheck.timer
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
sudo systemctl enable --now aidecheck.timer
# [FIRE-45XX] Firewall configuration
# remove iptables if installed
@@ -100,7 +100,7 @@ sudo tee /etc/sysctl.d/99-hardened.conf > /dev/null <<'EOL'
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
kernel.modules_disabled = 1
#kernel.modules_disabled = 1 # Uncomment to disable module loading entirely at your own risk
kernel.sysrq = 0
kernel.core_uses_pid = 1
@@ -171,7 +171,7 @@ sudo mount -o remount /tmp
# [FILE-6430] Disable mounting of some filesystems
sudo tee /etc/modprobe.d/fs_blacklist.conf > /dev/null <<EOL
Blacklist unnecessary filesystem modules to reduce attack surface
# Blacklist unnecessary filesystem modules to reduce attack surface
# Cramfs (Compressed ROM filesystem)
blacklist cramfs
@@ -270,6 +270,7 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
# [AUTH-9328] Ensure default user umask is 027 or more restrictive
sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
sudo sed -i 's/^#\?umask .*/umask 027/' /etc/profile
# [ACCT-9622] Enable process accounting
sudo pacman -S --noconfirm --needed acct
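Review bot: In the AIDE hunk the `sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` runs whether or not `sudo aide --init` succeeded, and `aidecheck.timer` is enabled regardless, so a failed or interrupted initialisation leaves the integrity check scheduled against a baseline that does not exist, with only a stray `mv` error in the console output. The script header (and any `set -e`) is outside this hunk, so unless strict mode is set there, gate each step explicitly: `sudo aide --init || { printf 'aide --init failed\n' >&2; exit 1; }` followed by `sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz || { printf 'AIDE baseline not found\n' >&2; exit 1; }`, and only then the `systemctl enable --now aidecheck.timer`. The new-database path is also hard-coded rather than taken from the `database_out` setting in aide.conf, which presumably matches the distribution default but is worth a one-line comment such as `# aide --init writes to database_out; promote it to the database_in path the timer's check reads` so a changed aide.conf is not silently ignored.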