by micaksica 3491 days ago
It's not that bad once you have it set up. PaX causes most issues.

You run a custom repo with two packages: your compiled linux-grsec kernel, and a package that contains paxd and paxd exceptions for your typical binaries. Once you find a stable grsecurity kernel config you don't really have much to worry about.

When new updates are released, test them on your test tier with your existing PaX rules and exemptions, and if they pass tests push them into prod. Worst-case scenario, you disable PaX (and its memory protections) in emergency cases or roll back to the known good version. If you are running "unattended-upgrades" or something else and letting your tiers autopatch themselves, well, that's dangerous to stability in and of itself.

I run -grsec-patched kernels on all of my personal workstations as well. That's when grsec can be a pain.
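A small lint for the paxd exception list before it is packaged and pushed to the test tier, as an added example that is not part of the comment above. It assumes a paxd.conf-style format (flag letters, whitespace, absolute path; `#` comments), and the sample rules are constructed.

```shell
#!/bin/sh
# Assumed format (not taken from the comment): "<flags> <absolute path>",
# flags drawn from the PaX letters p e m r s (PAGEEXEC, EMUTRAMP, MPROTECT,
# RANDMMAP, SEGMEXEC); lowercase disables, uppercase enables.

# Constructed sample rules so the script runs offline.
SAMPLE_RULES='# exemptions for JIT-heavy binaries
em /usr/lib/firefox/firefox
m /usr/bin/python3
mM /usr/bin/java
'

# check_rule FLAGS PATH: prints a reason and returns 1 on a bad rule.
check_rule() {
    flags=$1; path=$2
    case "$flags" in
        *[!pemrsPEMRS]*) echo "unknown flag letter in '$flags'"; return 1 ;;
    esac
    case "$path" in
        /*) ;;
        *) echo "path must be absolute: $path"; return 1 ;;
    esac
    # Setting and clearing the same flag (e.g. "mM") is contradictory.
    for pair in pP eE mM rR sS; do
        lo=${pair%?}; up=${pair#?}
        case "$flags" in
            *$lo*$up*|*$up*$lo*) echo "flag $lo both set and cleared"; return 1 ;;
        esac
    done
    return 0
}

# lint_rules: reads rules on stdin, reports problems, returns number of bad rules.
lint_rules() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n+1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        if [ $# -ne 2 ]; then
            bad=$((bad+1)); echo "line $n: expected '<flags> <path>'"; continue
        fi
        msg=$(check_rule "$1" "$2") || { bad=$((bad+1)); echo "line $n: $msg"; }
    done
    return $bad
}

if printf '%s' "$SAMPLE_RULES" | lint_rules; then
    echo "exception list OK"
else
    echo "reject the package build until the rules are fixed"
fi
```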