1 comment

josephcsible about 1 year ago
I just took a look at https://repo1.dso.mil/dsop/redhat/ubi/9.x/ubi9 and https://repo1.dso.mil/dsop/opensource/apache/apache2, and it seems that the "hardening" these do is almost entirely stupid. It's stuff like adding an obnoxiously long banner at the beginning of every session, disabling ChaCha20/Poly1305, adding a bunch of password policies to PAM even for containers where there are no accounts that can be logged into with passwords, disabling Ctrl+Alt+Del even though that always gets handled by the host and not containers, forcing SSH to only allow "aes256-ctr,aes192-ctr,aes128-ctr" as ciphers, and installing usbguard and sudo even though these make no sense inside of containers. The only time I think these would be helpful is if you had a legal requirement to be DISA STIG compliant.