In addition to Grsecurity + PAX you can use SELinux. It's main purpose is to separate daemons and minimize privilege escalation in case of buggy daemon. Each daemon has defined role - set of operations it can do (for example files access, network, capabilities etc.). When someone breaks into such daemon he can do only operations allowed in this daemon's role.
There is "Reference policy" - standard policy to be used on SELinux systems. I have one server with it and there are no problems. Most commonly used daemons have good policies. Desktop applications have worse policies, but it shouldn't bother you. Regards, Marek Wróbel -- [email protected] mailing list
