diff --git a/files/scripts/disablegeoclue.sh b/files/scripts/disablegeoclue.sh
new file mode 100755
index 00000000..aa7a602e
--- /dev/null
+++ b/files/scripts/disablegeoclue.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+echo "Disabling the location service"
+systemctl disable geoclue
+systemctl mask geoclue
diff --git a/files/scripts/example.sh b/files/scripts/example.sh
deleted file mode 100644
index fdb2e042..00000000
--- a/files/scripts/example.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell this script to exit if there are any errors.
-# You should have this in every custom script, to ensure that your completed
-# builds actually ran successfully without any errors!
-set -oue pipefail
-
-# Your code goes here.
-echo 'This is an example shell script'
-echo 'Scripts here will run during build if specified in recipe.yml'
diff --git a/files/scripts/httpsmirrors.sh b/files/scripts/httpsmirrors.sh
new file mode 100755
index 00000000..f25477b6
--- /dev/null
+++ b/files/scripts/httpsmirrors.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+for repo in /etc/yum.repos.d/*.repo; do
+ sed -i 's/metalink?/metalink?protocol=https\&/g' "$repo"
+done
\ No newline at end of file
diff --git a/files/scripts/removesuid.sh b/files/scripts/removesuid.sh
new file mode 100755
index 00000000..08b69939
--- /dev/null
+++ b/files/scripts/removesuid.sh
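Review bot: In disablegeoclue.sh the two systemctl calls carry no comment saying which of them actually blocks the service. As far as I know geoclue is normally started on demand over D-Bus rather than through an enabled unit, so `systemctl disable geoclue` probably changes little and `systemctl mask geoclue` is the effective control. I would add `# mask, not only disable: geoclue is D-Bus activated, so disabling alone would not stop on-demand starts` above the mask line, so that the disable is not later mistaken for sufficient and the mask dropped.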
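Review bot: In httpsmirrors.sh the loop rewrites only `metalink?` URLs, so a repo file that uses a plain `baseurl=http://` or `mirrorlist=http://` entry passes through unchanged and the build still succeeds. Judging by its name the script is meant to pin package downloads to HTTPS, so it should fail when such an entry remains, e.g. after the loop `if grep -En '^(baseurl|mirrorlist)=http://' /etc/yum.repos.d/*.repo; then echo 'plain-HTTP repo source found' >&2; exit 1; fi`. Repo files added by modules that run after this script are not covered either; whether that happens depends on recipe ordering, which is not visible in this diff.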
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+# Reference: https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#usrbinchage
+
+whitelist=(
+ # Needed for flatpak on no-userns images
+ "/usr/bin/bwrap"
+ # Requires cap_setuid if the suid bit is removed
+ "/usr/bin/gpasswd"
+ # "In effect, when the SUID bit is unset on /usr/bin/mount, mount(8) will never drop permissions. If /usr/bin/mount were to have a"
+ # "nonempty permitted capability set and its effective capability bit were set, then mount(8) would never have its effective "
+ # "capability set cleared during execution, potentially allowing unprivileged users to perform actions they shouldn’t be able to perform"
+ # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-4
+ "/usr/bin/mount"
+ # Required for nvidia images
+ "/usr/bin/nvidia-modprobe"
+ # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities
+ "/usr/bin/passwd"
+ # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#why-does-this-binary-need-to-be-suid-root-9
+ "/usr/bin/pkexec"
+ # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6
+ "/usr/bin/su"
+ # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#can-we-replace-the-suid-bit-with-zero-or-more-file-capabilities-6
+ "/usr/bin/sudo"
+ # See /usr/bin/mount
+ "/usr/bin/umount"
+ # https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
+ "/usr/lib/polkit-1/polkit-agent-helper-1"
+ # https://github.com/secureblue/secureblue/issues/119
+ "/usr/lib64/libhardened_malloc-light.so"
+ "/usr/lib64/libhardened_malloc-pkey.so"
+ "/usr/lib64/libhardened_malloc.so"
+ # Required for chrome suid sandbox on no-userns images
+ "/usr/lib64/chromium-browser/chrome-sandbox"
+ # https://github.com/secureblue/secureblue/issues/119
+ "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-light.so"
+ "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc-pkey.so"
+ "/usr/lib64/glibc-hwcaps/x86-64/libhardened_malloc.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-light.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc-pkey.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v2/libhardened_malloc.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-light.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc-pkey.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v3/libhardened_malloc.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-light.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc-pkey.so"
+ "/usr/lib64/glibc-hwcaps/x86-64-v4/libhardened_malloc.so"
+ # Requires cap_setgid,cap_setuid if the SUID bit is removed
+ "/usr/sbin/grub2-set-bootflag"
+ # See /usr/bin/mount
+ "/usr/sbin/mount.nfs"
+ # https://gist.github.com/ok-ryoko/1ff42a805d496cb1ca22e5cdf6ddefb0#why-does-this-binary-need-to-be-suid-root-6
+ "/usr/sbin/pam_timestamp_check"
+)
+
+
+is_in_whitelist() {
+ local binary="$1"
+ for allowed_binary in "${whitelist[@]}"; do
+ if [ "$binary" = "$allowed_binary" ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+find /usr -type f -perm /4000 |
+ while IFS= read -r binary; do
+ if ! is_in_whitelist "$binary"; then
+ echo "Removing SUID bit from $binary"
+ chmod u-s "$binary"
+ echo "Removed SUID bit from $binary"
+ fi
+ done
+
+systemctl enable setcapsforunsuidbinaries.service
diff --git a/files/scripts/setfilepermissions.sh b/files/scripts/setfilepermissions.sh
new file mode 100755
index 00000000..4aec0843
--- /dev/null
+++ b/files/scripts/setfilepermissions.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+chmod 440 /usr/etc/sudoers.d/timeout
\ No newline at end of file
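Review bot: In removesuid.sh the `whitelist` array is unconditional, yet three of its entries are documented as variant-specific: `/usr/bin/bwrap` and `/usr/lib64/chromium-browser/chrome-sandbox` for "no-userns images" and `/usr/bin/nvidia-modprobe` for "nvidia images". If this script runs for every image variant (the recipes that include it are not part of this diff), those files keep their SUID bit on images where the comments say it is not needed; appending them to the array only when the build targets that variant would keep the exception set minimal. Separately, the loop logs only what it strips, so an `else` branch with `echo "Keeping SUID bit on $binary"` would make the build log a complete record of the SUID files each image ships.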
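Review bot: In setfilepermissions.sh the sudoers drop-in gets mode 440 but its syntax is never checked, so a malformed `/usr/etc/sudoers.d/timeout` would only surface on a booted system, where it can interfere with sudo. Adding `visudo -cf /usr/etc/sudoers.d/timeout` after the `chmod` makes the build fail instead. The file's ownership is not set here either; presumably it is root-owned from the build copy step, but that is not visible in this hunk.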
diff --git a/recipes/recipe-lxqt.yml b/recipes/recipe-lxqt.yml
index 98287528..5c79c004 100644
--- a/recipes/recipe-lxqt.yml
+++ b/recipes/recipe-lxqt.yml
@@ -12,7 +12,6 @@ modules:
 - from-file: lxqt-packages.yml
 - from-file: common-files.yml
 - from-file: sec-scripts.yml
- - from-file: lxqt-scripts.yml
 - type: ulxqt-signing
 - from-file: sddm-systemd.yml
 - from-file: common-services.yml