diff --git a/arch-hardening.sh b/arch-hardening.sh
new file mode 100644
index 0000000..ab19c7f
--- /dev/null
+++ b/arch-hardening.sh
@@ -0,0 +1,292 @@
+#!/bin/bash
+
+# [STRG-1846] Disable drivers like firewire
+sudo tee /etc/modprobe.d/firewire-disable.conf > /dev/null <<EOL
+# Disable FireWire kernel modules to prevent unauthorized DMA access
+blacklist firewire-core
+install firewire-core /bin/false
+# Optional additional modules to blacklist
+blacklist firewire-ohci
+blacklist firewire-sbp2
+install firewire-ohci /bin/false
+install firewire-sbp2 /bin/false
+EOL
+
+# [LOGG-2154] Ensure system log is configured to send logs to a remote log server
+sudo pacman -S --noconfirm --needed syslog-ng
+
+# [USB-3000] Ensure USBGUARD is installed and configured
+sudo pacman -S --noconfirm --needed usbguard
+sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
+sudo sed -i 's/^PresentControllerPolicy = .*/PresentControllerPolicy = apply-policy/' /etc/usbguard/usbguard-daemon.conf
+sudo systemctl enable --now usbguard
+
+# [NETW-3200] Disable unused network protocols
+sudo tee /etc/modprobe.d/network-protocols-disable.conf > /dev/null <<EOL
+# Disable unnecessary network protocols to reduce attack surface
+blacklist dccp
+install dccp /bin/false
+
+blacklist sctp
+install sctp /bin/false
+
+blacklist rds
+install rds /bin/false
+
+blacklist tipc
+install tipc /bin/false
+EOL
+
+# [MALW-3276] Ensure rkhunter is installed
+sudo pacman -S --noconfirm --needed rkhunter
+sudo rkhunter --propupd
+sudo tee /etc/rkhunter.conf > /dev/null <<EOL
+# rkhunter configuration file
+
+# Whitelist to avoid false positive
+SCRIPTWHITELIST=/usr/bin/egrep
+SCRIPTWHITELIST=/usr/bin/fgrep
+SCRIPTWHITELIST=/usr/bin/ldd
+SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
+EOL
+
+# [MALW-3282] Ensure ClamAV is installed
+sudo pacman -S --noconfirm --needed clamav
+sudo freshclam
+sudo systemctl enable --now clamav-freshclam
+sleep 5
+sudo systemctl enable --now clamav-daemon
+
+# [FINT-4350] Install a file integrity tool
+sudo pacman -S --noconfirm --needed aide
+sudo aide --init
+sudo aide --update
+sudo systemctl enable --now aidecheck.timer
+sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+
+# [FIRE-45XX] Firewall configuration
+# remove iptables if installed
+if pacman -Qi iptables &> /dev/null; then
+    sudo pacman -R --noconfirm iptables
+fi
+sudo pacman -S --noconfirm --needed nftables
+echo "blacklist ip_tables" | sudo tee /etc/modprobe.d/blacklist-iptables.conf
+sudo tee /etc/modprobe.d/ip_tables-disable.conf > /dev/null <<EOL
+# Disable ip_tables to prevent conflicts with nftables
+blacklist ip_tables
+install ip_tables /bin/false
+EOL
+
+# [TOOL-5190] Ensure IDS/IPS tools are installed
+sudo pacman -S --noconfirm --needed snort
+
+# [KRNL-5820] Disable core dumps
+## create file /etc/security/limits.d/20-disable-core-dumps.conf with the following content:
+sudo tee /etc/security/limits.d/20-disable-core-dumps.conf > /dev/null <<EOL
+# Disable core dumps for ALL users
+# The format is: <domain> <type> <item> <value>
+* hard    core    0
+* soft    core    0
+EOL
+
+# Append to /etc/profile to enforce core dump restriction system-wide
+echo '# Set the core dump soft limit to 0 (current enforceable limit)' | sudo tee -a /etc/profile > /dev/null
+echo 'ulimit -S -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
+echo '# Set the hard limit to 0 (absolute maximum limit)' | sudo tee -a /etc/profile > /dev/null
+echo 'ulimit -H -c 0 > /dev/null 2>&1' | sudo tee -a /etc/profile > /dev/null
+
+# [KRNL-6000] Check sysctl settings for kernel hardening
+sudo tee /etc/sysctl.d/99-hardened.conf > /dev/null <<'EOL'
+# Kernel and filesystem hardening settings
+kernel.randomize_va_space = 2
+kernel.kptr_restrict = 2
+kernel.unprivileged_bpf_disabled = 1
+kernel.modules_disabled = 1
+kernel.sysrq = 0
+kernel.core_uses_pid = 1
+
+fs.suid_dumpable = 0
+fs.protected_fifos = 2
+fs.protected_hardlinks = 1
+fs.protected_regular = 2
+fs.protected_symlinks = 1
+
+dev.tty.ldisc_autoload = 0
+
+net.core.bpf_jit_harden = 2
+
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.rp_filter = 1
+
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.log_martians = 1
+
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+EOL
+
+# Apply settings now
+sudo sysctl --system
+
+# [SHLL-6220] Idle session handling
+sudo sed -i 's/^#\?TMOUT=.*/TMOUT=900/' /etc/profile
+sudo sed -i 's/^#\?readonly TMOUT.*/readonly TMOUT/' /etc/profile
+sudo sed -i 's/^#\?export TMOUT.*/export TMOUT/' /etc/profile
+
+# [MACF-6290] Enable MAC framework
+sudo pacman -S --noconfirm --needed apparmor apparmor.d-git
+sudo systemctl enable --now apparmor
+
+# [FILE-6344] Restricting process details to users
+## Editing fstab
+if ! grep -q '^proc\s\+/proc\s\+proc\s\+' /etc/fstab; then
+    echo '# /proc' | sudo tee -a /etc/fstab > /dev/null
+    echo 'proc    /proc    proc    defaults,hidepid=2,gid=wheel    0 0' | sudo tee -a /etc/fstab > /dev/null
+else
+    sudo sed -i 's|^proc[[:space:]]\+/proc[[:space:]]\+proc[[:space:]]\+.*$|proc    /proc    proc    defaults,hidepid=1,gid=wheel    0 0|' /etc/fstab
+fi
+## Remount /proc to apply changes immediately
+sudo mount -o remount /proc
+
+# [FILE-6374] Check mount options
+# if /dev/shm is not in /etc/fstab, add it with the correct options
+if ! grep -q '^tmpfs\s\+/dev/shm\s\+tmpfs\s\+' /etc/fstab; then
+    echo '# /dev/shm' | sudo tee -a /etc/fstab > /dev/null
+    echo 'tmpfs    /dev/shm    tmpfs    rw,nosuid,nodev,noexec    0 0' | sudo tee -a /etc/fstab > /dev/null
+else
+    sudo sed -i 's|^tmpfs[[:space:]]\+/dev/shm[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs    /dev/shm    tmpfs    rw,nosuid,nodev,noexec    0 0|' /etc/fstab
+fi
+# Remount /dev/shm to apply changes immediately
+sudo mount -o remount /dev/shm
+# Replace /tmp mount
+if ! grep -q '^tmpfs\s\+/tmp\s\+tmpfs\s\+' /etc/fstab; then
+    echo '# /tmp' | sudo tee -a /etc/fstab > /dev/null
+    echo 'tmpfs    /tmp    tmpfs    rw,nosuid,nodev,noexec    0 0' | sudo tee -a /etc/fstab > /dev/null
+else
+    sudo sed -i 's|^tmpfs[[:space:]]\+/tmp[[:space:]]\+tmpfs[[:space:]]\+.*$|tmpfs    /tmp    tmpfs    rw,nosuid,nodev,noexec    0 0|' /etc/fstab
+fi
+# Remount /tmp to apply changes immediately
+sudo mount -o remount /tmp
+
+# [FILE-6430] Disable mounting of some filesystems
+sudo tee /etc/modprobe.d/fs_blacklist.conf > /dev/null <<EOL
+Blacklist unnecessary filesystem modules to reduce attack surface
+
+# Cramfs (Compressed ROM filesystem)
+blacklist cramfs
+install cramfs /bin/false
+
+# HFS and HFS+ (Apple filesystems)
+blacklist hfs
+install hfs /bin/false
+
+blacklist hfsplus
+install hfsplus /bin/false
+
+# JFFS2 (Journaling Flash Filesystem)
+blacklist jffs2
+install jffs2 /bin/false
+
+# SquashFS (Compressed read-only filesystem, often used for live media/AppImage)
+blacklist squashfs
+install squashfs /bin/false
+
+# UDF (Universal Disk Format, used for optical media like DVD/BD)
+blacklist udf
+install udf /bin/false
+EOL
+
+# [BANN-7126] Add legal banner to /etc/issue
+sudo tee /etc/issue > /dev/null <<EOL
+********************************************************************
+*                  WARNING - UNAUTHORIZED ACCESS                  *
+*                                                                  *
+* Unauthorized access to this computer system is strictly          *
+* prohibited. Individuals accessing, using, or modifying this      *
+* system without explicit authorization will be subject to legal   *
+* action and prosecuted to the fullest extent of the law.          *
+*                                                                  *
+* Authorized users should have no expectation of privacy. All      *
+* activity on this system is monitored, recorded, and may be used  *
+* as evidence in criminal or civil proceedings.                    *
+********************************************************************
+\n\l
+EOL
+
+# [HRDN-7220] Don't install /usr/bin/as by adding it to NoExtract
+if ! grep -q '^NoExtract\s*=\s*/usr/bin/as' /etc/pacman.conf; then
+    sudo sed -i '/^\[options\]/a NoExtract = /usr/bin/as' /etc/pacman.conf
+fi
+
+# [HRDN-7222] Restricting compilator access to root user only
+sudo chown 700 /usr/bin/as
+sudo chmod 700 /usr/bin/gcc
+sudo chmod 700 /usr/bin/g++
+sudo chmod 700 /usr/bin/cc
+sudo chmod 700 /usr/bin/c++
+sudo chmod 700 /usr/bin/ld
+sudo chmod 700 /usr/bin/lld
+sudo chmod 700 /usr/bin/clang
+
+# [PKGS-7320] Checking for package auditing tools
+sudo pacman -S --noconfirm --needed arch-audit
+
+# [FILE-7524] Ensuring file permissions
+sudo chmod 600 /etc/ssh/sshd_config
+sudo chmod 700 /etc/cron.hourly
+
+# [AUTH-9230] Ensure password hashing algorithm is set to YESCRYPT and hashing rounds to minimum of 5000 and maximum of 5000000
+sudo sed -i 's/^ENCRYPT_METHOD .*/ENCRYPT_METHOD YESCRYPT/' /etc/login.defs
+sudo sed -i 's/^SHA_CRYPT_MIN_ROUNDS .*/SHA_CRYPT_MIN_ROUNDS 5000/' /etc/login.defs
+sudo sed -i 's/^SHA_CRYPT_MAX_ROUNDS .*/SHA_CRYPT_MAX_ROUNDS 5000000/' /etc/login.defs
+
+# [AUTH-9262] Password strength checking tool is installed
+sudo pacman -S --noconfirm --needed libpwquality
+sudo tee /etc/security/pwquality.conf > /dev/null <<EOL
+# PAM pwquality configuration file
+retry = 3
+difok = 6
+minlen = 14
+dcredit = -1
+ucredit = -1
+ocredit = -1
+lcredit = -1
+EOL
+
+sudo sed -i '/^password\s*required\s*pam_unix.so\s*try_first_pass\s*nullok\s*shadow/i password   required                    pam_pwquality.so' /etc/pam.d/system-auth
+
+# [AUTH-9286] Ensure minimum days between password changes is 7 or more and maximum days is 90 or less
+sudo sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs
+sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
+
+# [AUTH-9328] Ensure default user umask is 027 or more restrictive
+sudo sed -i 's/^UMASK.*/UMASK 027/' /etc/login.defs
+
+# [ACCT-9622] Enable process accounting
+sudo pacman -S --noconfirm --needed acct
+sudo systemctl enable --now acct
+
+# [ACCT-9626] Enable sysstat to collect accounting data
+sudo pacman -S --noconfirm --needed sysstat
+sudo systemctl enable --now sysstat-collect.timer sysstat-rotate.timer
+
+# [ACCT-9628] Enable auditd to collect audit data
+sudo systemctl enable --now auditd audit-rules
+
+# [ACCT-9630] Configure auditd rules
+sudo tee /etc/audit/rules.d/hardening.rules > /dev/null <<EOL
+# Monitor attempts to change system time
+-w /etc/localtime -p wa -k time-change
+
+# Monitor attempts to change user/group info (password changes)
+-w /etc/passwd -p wa -k user-info
+-w /etc/shadow -p wa -k user-info
+-w /etc/group -p wa -k user-info
+-w /etc/gshadow -p wa -k user-info
+
+# Make the configuration immutable (must be the last line)
+-e 2
+EOL