I just took a look at https://repo1.dso.mil/dsop/redhat/ubi/9.x/ubi9 and https://repo1.dso.mil/dsop/opensource/apache/apache2, and it seems that the "hardening" these do is almost entirely stupid. It's stuff like adding an obnoxiously long banner at the beginning of every session, disabling ChaCha20/Poly1305, adding a bunch of password policies to PAM even for containers where there are no accounts that can be logged into with passwords, disabling Ctrl+Alt+Del even though that always gets handled by the host and not containers, forcing SSH to only allow "aes256-ctr,aes192-ctr,aes128-ctr" as ciphers, and installing usbguard and sudo even though these make no sense inside of containers. The only time I think these would be helpful is if you had a legal requirement to be DISA STIG compliant.