by atmosx 3484 days ago
Out of curiosity, anyone ever worked with a hardened OpenBSD or Linux + GRSec server farm? How do you handle updates? It must be a sysadmin deployment nightmare.
3 comments

It's not that bad once you have it set up. PaX causes most issues.

You run a custom repo with two packages, your compiled linux-grsec kernel, and a package that contains paxd and paxd exceptions for your typical binaries. Once you find a stable grsecurity kernel config you don't really have much to worry about.

When new updates are released, test them on your test tier with your existing PaX rules and exemptions, and if they pass tests push them into prod. Worst case scenario you disable PaX (and its memory protections) in emergency cases or roll back to the known good version. If you are running "unattended-upgrades" or something else and letting your tiers autopatch themselves, well, that's dangerous to stability in and of itself.

I run -grsec-patched kernels on all of my personal workstations as well. That's when grsec can be a pain.

I do manual upgrades on my machines because I only have a few and they're different enough that automation wouldn't help, buuuut... You can use release(8) and autoinstall(8) with PXE to create and deploy OpenBSD upgrades/installs. In between releases, you can follow the -stable branch of the ports tree and use dpb(1) to generate updated binary packages, which all your machines can then install.

I don't operate a server farm but OpenBSD updates are pretty easy. Just do `pkg_add -Uu`.

If your dependencies are minimal, keeping OpenBSD up-to-date is actually pretty relaxing. Don't need to install security patches all the time as with Linux.

`pkg_add -Uu` won't address a single update under https://www.openbsd.org/errata.html, i.e. the very most important ones.

Also as far as I know pkg_add still doesn't know about restarting services, so vulnerable processes will be left running.