diff --git a/Proxmox-8.sh b/Proxmox-8.sh
index a3c8a01..f5bbd75 100644
--- a/Proxmox-8.sh
+++ b/Proxmox-8.sh
@@ -25,7 +25,6 @@ systemctl mask debug-shell.service
 
 ## Avoid phased updates
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/apt/apt.conf.d/99sane-upgrades | tee /etc/apt/apt.conf.d/99sane-upgrades
-chmod 644 /etc/apt/apt.conf.d/99sane-upgrades
 
 # Setup NTS
 rm -rf /etc/chrony/chrony.conf
@@ -34,9 +33,7 @@ systemctl restart chronyd
 
 # Harden SSH
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/sshd_config.d/10-custom.conf | tee /etc/ssh/sshd_config.d/10-custom.conf
-chmod 644 /etc/ssh/sshd_config.d/10-custom.conf
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/ssh/ssh_config.d/10-custom.conf | tee /etc/ssh/ssh_config.d/10-custom.conf
-chmod 644 /etc/ssh/ssh_config.d/10-custom.conf
 mkdir -p /etc/systemd/system/ssh.service.d
 curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/sshd.service.d/local.conf | tee /etc/systemd/system/ssh.service.d/override.conf
 systemctl daemon-reload
@@ -74,21 +71,17 @@ proxmox-boot-tool refresh
 
 # Kernel hardening
 curl https://raw.githubusercontent.com/secureblue/secureblue/live/config/files/usr/etc/modprobe.d/blacklist.conf | tee /etc/modprobe.d/server-blacklist.conf
-chmod 644 /etc/modprobe.d/server-blacklist.conf
 sed -i 's/kernel_io_uring_disable = 2/#ernel_io_uring_disable = 2/g'
 curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysctl.d/99-server.conf | tee /etc/sysctl.d/99-server.conf
-chmod 644 /etc/sysctl.d/99-server.conf
 sysctl -p
 
 # Rebuild initramfs
 update-initramfs -u
 
 # Disable coredump
-umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | tee /etc/security/limits.d/30-disable-coredump.conf
 mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | tee /etc/systemd/coredump.conf.d/disable.conf
-umask 077
 
 # Harden SSH
 sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
diff --git a/RHEL-9.sh b/RHEL-9.sh
index 69c9e03..25e7a00 100644
--- a/RHEL-9.sh
+++ b/RHEL-9.sh
@@ -40,7 +40,9 @@ sudo chmod 700 /home/*
 
 # Setup NTS
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf | sudo tee /etc/chrony.conf
+sudo chmod 644 /etc/chrony.conf
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd | sudo tee /etc/sysconfig/chronyd
+sudo chmod 644 /etc/sysconfig/chronyd
 sudo systemctl restart chronyd
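Review bot: The added `sudo chmod 644 /etc/chrony.conf` and `sudo chmod 644 /etc/sysconfig/chronyd` run unconditionally after `unpriv curl … | sudo tee`, so a failed download (tee still runs and truncates the target) now leaves an empty, world-readable config in place — for `/etc/chrony.conf` that silently drops every time source. The commit repeats this `curl | tee; chmod` pair in every later hunk of RHEL-9.sh, so a small helper that downloads with `curl -fsS` into a temp file and installs it with `sudo install -m 644` would address the failure case and the repetition at once; the fence shows it applied to this hunk. The same commit removes `chmod 644` from Proxmox-8.sh, and a one-line comment on why the two scripts now differ (presumably the umask each runs under) would help the next reader. Fetching from `main` also means the installed files change whenever upstream does; pinning the URLs to a commit would make a run reproducible.
```shell
# Download a config file and install it world-readable. curl -f turns HTTP
# errors into a non-zero exit, so an existing file is left untouched on
# failure instead of being truncated by tee.
fetch_conf() {
  local url=$1 dest=$2 tmp rc=0
  tmp=$(mktemp) || return 1
  if unpriv curl -fsS -- "$url" >"$tmp"; then
    sudo install -m 644 -- "$tmp" "$dest" || rc=$?
  else
    rc=$?
  fi
  rm -f -- "$tmp"
  return "$rc"
}

fetch_conf https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf /etc/chrony.conf
fetch_conf https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/sysconfig/chronyd /etc/sysconfig/chronyd
# … unchanged: sudo systemctl restart chronyd …
```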
@@ -67,14 +69,15 @@ sudo sysctl -p
 sudo grubby --update-kernel=ALL --args='mitigations=auto,nosmt spectre_v2=on spectre_bhi=on spec_store_bypass_disable=on tsx=off kvm.nx_huge_pages=force nosmt=force l1d_flush=on spec_rstack_overflow=safe-ret gather_data_sampling=force reg_file_data_sampling=on random.trust_bootloader=off random.trust_cpu=off intel_iommu=on amd_iommu=force_isolation efi=disable_early_pci_dma iommu=force iommu.passthrough=0 iommu.strict=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on vsyscall=none ia32_emulation=0 page_alloc.shuffle=1 randomize_kstack_offset=on debugfs=off lockdown=confidentiality module.sig_enforce=1 console=tty0 console=ttyS0,115200'
 
 # Disable coredump
-umask 022
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/security/limits.d/30-disable-coredump.conf | sudo tee /etc/security/limits.d/30-disable-coredump.conf
+sudo chmod 644 /etc/security/limits.d/30-disable-coredump.conf
 sudo mkdir -p /etc/systemd/coredump.conf.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/coredump.conf.d/disable.conf | sudo tee /etc/systemd/coredump.conf.d/disable.conf
-umask 077
+sudo chmod 644 /etc/systemd/coredump.conf.d/disable.conf
 
 # Setup DNF
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/dnf/dnf.conf | sudo tee /etc/dnf/dnf.conf
+sudo chmod 644 /etc/dnf/dnf.conf
 sudo sed -i 's/^metalink=.*/&\&protocol=https/g' /etc/yum.repos.d/*
 
 # Setup automatic updates
@@ -124,6 +127,8 @@ forward-zone:
 forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
 forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com' | sudo tee /etc/unbound/unbound.conf
+sudo chmod 644 /etc/unbound/unbound.conf
+
 mkdir -p /etc/systemd/system/unbound.service.d
 echo $'[Service]
 MemoryDenyWriteExecute=true
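Review bot: The removed `umask 022`/`umask 077` pair used to cover `sudo mkdir -p /etc/systemd/coredump.conf.d` as well, and the `chmod 644` lines that replace it only touch the files, so the directory is now created under whatever umask is in effect earlier in the script. If that umask is 077 (the removed `umask 077` restore suggests it is), the directory ends up 0700 — harmless for systemd-coredump, which reads it as root, but a silent change from before and inconsistent with the 644 files inside; `sudo install -d -m 755 /etc/systemd/coredump.conf.d` would state the intended mode explicitly. The `mkdir -p` lines in the unbound, fwupd-refresh, NetworkManager and irqbalance hunks have the same gap.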
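Review bot: The empty line added after `sudo chmod 644 /etc/unbound/unbound.conf` (and after the override.conf chmod in the next hunk) separates the chmod from the `tee` that created the file, while every other hunk in this commit keeps the two adjacent; one layout throughout makes the pattern easier to scan and grep for. A short comment on why this file in particular needs to be world-readable would also help, e.g. `# unbound re-reads its config after dropping to its own user, so it must be world-readable` — if that is indeed the reason, since most other files this commit touches appear to be read only by root-owned services.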
@@ -144,6 +149,8 @@ SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete
 RestrictNamespaces=yes
 LockPersonality=yes' | sudo tee /etc/systemd/system/unbound.service.d/override.conf
+sudo chmod 644 /etc/systemd/system/unbound.service.d/override.conf
+
 sudo systemctl enable --now unbound
 
 # Setup yara
@@ -158,6 +165,7 @@ if [ "$virtualization" = 'none' ]; then
 sudo systemctl restart fwupd
 mkdir -p /etc/systemd/system/fwupd-refresh.service.d
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/systemd/system/fwupd-refresh.service.d/override.conf | sudo tee /etc/systemd/system/fwupd-refresh.service.d/override.conf
+ sudo chmod 644 /etc/systemd/system/fwupd-refresh.service.d/override.conf
 sudo systemctl daemon-reload
 sudo systemctl enable --now fwupd-refresh.timer
 fi
@@ -206,18 +214,22 @@ sudo firewall-cmd --lockdown-on
 sudo mkdir -p /etc/systemd/system/NetworkManager.service.d
 unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf | sudo tee /etc/systemd/system/NetworkManager.service.d/99-brace.conf
+sudo chmod 644 /etc/systemd/system/NetworkManager.service.d/99-brace.conf
 sudo systemctl daemon-reload
 sudo systemctl restart NetworkManager
 
 # irqbalance hardening
 sudo mkdir -p /etc/systemd/system/irqbalance.service.d
 unpriv curl https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/irqbalance.service.d/99-brace.conf | sudo tee /etc/systemd/system/irqbalance.service.d/99-brace.conf
+sudo chmod 644 /etc/systemd/system/irqbalance.service.d/99-brace.conf
 sudo systemctl daemon-reload
 sudo systemctl restart irqbalance
 
 # Setup notices
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue
+sudo chmod 644 /etc/issue
 unpriv curl https://raw.githubusercontent.com/TommyTran732/Linux-Setup-Scripts/main/etc/issue | sudo tee /etc/issue.net
+sudo chmod 644 /etc/issue.net
 
 # Final notes to the user
 output 'Server setup complete. To use unbound for DNS, you need to run the following commands:'