diff --git a/arch-hardening.sh b/arch-hardening.sh
index 66f7f1e..99c8102 100644
--- a/arch-hardening.sh
+++ b/arch-hardening.sh
@@ -16,6 +16,10 @@ EOL
 sudo pacman -S --noconfirm --needed syslog-ng
 sudo systemctl enable --now syslog-ng@default.service
 
+# [NETW-2706] Ensure DNSSEC validation is enabled
+echo 'DNSSEC=yes' | sudo tee -a /etc/systemd/resolved.conf > /dev/null
+sudo systemctl restart systemd-resolved
+
 # [USB-3000] Ensure USBGUARD is installed and configured
 sudo pacman -S --noconfirm --needed usbguard
 sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
@@ -239,7 +243,7 @@ sudo tee /etc/issue > /dev/null <<EOL
 * activity on this system is monitored, recorded, and may be used  *
 * as evidence in criminal or civil proceedings.                    *
 ********************************************************************
-\n\l
+\n - \l
 EOL
 
 # [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
@@ -248,7 +252,7 @@ if sudo grep -q 'usr/bin/as' /etc/pacman.conf; then
 else
     if sudo grep -qE '^[[:space:]]*NoExtract' /etc/pacman.conf; then
         sudo sed -i '0,/^[[:space:]]*NoExtract/ s|^\([[:space:]]*NoExtract[[:space:]]*=[[:space:]]*\)\(.*\)$|\1\2 usr/bin/as|' /etc/pacman.conf
-    elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
+        elif sudo grep -qE '^[[:space:]]*#[[:space:]]*NoExtract' /etc/pacman.conf; then
         sudo sed -i '/^[[:space:]]*#[[:space:]]*NoExtract/ a NoExtract = usr/bin/as' /etc/pacman.conf
     else
         sudo bash -c 'printf "\n# NoExtract added by hardening script\nNoExtract = usr/bin/as\n" >> /etc/pacman.conf'
@@ -330,6 +334,11 @@ sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
 
 # [AUTH-9328] Ensure default user umask is 027 or more restrictive
 sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
+if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/bash.bashrc; then
+    sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/bash.bashrc
+else
+    echo 'umask 027' | sudo tee -a /etc/bash.bashrc > /dev/null
+fi
 if sudo grep -qE '^[[:space:]]*#?[[:space:]]*umask' /etc/profile; then
     sudo sed -i 's/^[[:space:]]*#\?[[:space:]]*umask.*/umask 027/' /etc/profile
 else
@@ -372,9 +381,9 @@ EOL
 # To test
 # Function to create basic systemd hardening drop-in
 create_systemd_hardening () {
-  SERVICE="$1"
-  DROPIN="/etc/systemd/system/${SERVICE}.d"
-  sudo mkdir -p "$DROPIN"
+    SERVICE="$1"
+    DROPIN="/etc/systemd/system/${SERVICE}.d"
+    sudo mkdir -p "$DROPIN"
   sudo tee "$DROPIN/hardening.conf" > /dev/null <<EOL
 [Service]
 PrivateTmp=true
@@ -391,7 +400,7 @@ RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 SystemCallFilter=@system-service
 UMask=0077
 EOL
-  sudo systemctl daemon-reload
+    sudo systemctl daemon-reload
 }
 
 # Add conservative hardening overrides for high-risk services you should review
@@ -438,7 +447,7 @@ SERVICES_TO_HARDEN=(
     "wpa_supplicant"
 )
 for S in "${SERVICES_TO_HARDEN[@]}"; do
-  if systemctl list-unit-files | grep -q "$S"; then
-    create_systemd_hardening "$S"
-  fi
+    if systemctl list-unit-files | grep -q "$S"; then
+        create_systemd_hardening "$S"
+    fi
 done