We use grsec on our shell servers and have enabled the following features. There is a remote possibility that they may interfere with your applications, so we have documented which features we enable in order to avoid any surprises.
CONFIG_GRKERNSEC_IO=y
- disables ioperm/iopl calls, which could modify the running kernel
CONFIG_GRKERNSEC_BRUTE=y
- prevents rapid respawning of apache and ssh daemons (when someone's brute-forcing)
CONFIG_GRKERNSEC_EXECLOG=y
- logs all execs
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
- logs execs in chroots
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
- logs (un)mounts
CONFIG_GRKERNSEC_SIGNAL=y
- logs signals like SIGSEGV
CONFIG_GRKERNSEC_FORKFAIL=y
- logs failed forks
CONFIG_GRKERNSEC_TIME=y
- logs time changes
CONFIG_GRKERNSEC_PROC_IPADDR=y
- saves each process owner's IP address in /proc/PID/ipaddr
CONFIG_GRKERNSEC_SHM=y
- shared memory protections
CONFIG_GRKERNSEC_TPE=y
- ability to restrict certain users to only running trusted executables
CONFIG_GRKERNSEC_RANDNET=y
- larger entropy pool
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_SERVER=y
- finer-grained control over who gets access to sockets
CONFIG_GRKERNSEC_SYSCTL=y
- allows runtime tuning of all options through sysctl
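
To compare a kernel config file against the list above, a check like the following can be used. It is an added example, not a script from the original page; the function names `grsec_state`, `grsec_audit` and `sample_config` are made up for illustration, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: check a kernel config against the options listed on this page.
GRSEC_EXPECTED="IO BRUTE EXECLOG CHROOT_EXECLOG AUDIT_MOUNT SIGNAL FORKFAIL TIME
PROC_IPADDR SHM TPE RANDNET SOCKET SOCKET_ALL SOCKET_CLIENT SOCKET_SERVER SYSCTL"

# grsec_state FILE NAME: prints the option's value ("y"), "unset" when the
# config says "is not set", or "absent" when the option is not mentioned at all.
grsec_state() {
    awk -v opt="CONFIG_GRKERNSEC_$2" '
        index($0, opt "=") == 1      { v = substr($0, length(opt) + 2); found = 1 }
        $0 == "# " opt " is not set" { v = "unset"; found = 1 }
        END { print (found ? v : "absent") }
    ' "$1"
}

# grsec_audit FILE: prints one line per option that is not =y and returns
# non-zero if there is any such option.
grsec_audit() {
    rc=0
    for name in $GRSEC_EXPECTED; do
        state=$(grsec_state "$1" "$name")
        if [ "$state" != "y" ]; then
            echo "CONFIG_GRKERNSEC_$name $state"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config (not taken from a real server): BRUTE is switched
# off and TPE is missing; everything else matches the list.
sample_config() {
    for name in $GRSEC_EXPECTED; do
        case $name in
            BRUTE) echo "# CONFIG_GRKERNSEC_BRUTE is not set" ;;
            TPE)   ;;
            *)     echo "CONFIG_GRKERNSEC_$name=y" ;;
        esac
    done
}

# Usage: sh grsec_audit.sh /path/to/kernel-config
if [ "$#" -gt 0 ]; then
    grsec_audit "$1"
fi
```

The match on `CONFIG_GRKERNSEC_SOCKET=` includes the equals sign, so `CONFIG_GRKERNSEC_SOCKET_ALL=y` is not mistaken for the parent `SOCKET` option.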