Today's operating systems such as Windows ship with many integrated security features that eliminate entire classes of bugs, address space randomization among them. Linux has failed to integrate the grsecurity patch into the mainline kernel, which would enable those features for Linux. Some people say it is because of performance, but when the feature can simply be flipped on or off in the kernel configuration, that reasoning does not really hold up.
Anyway, while we hope it gets integrated one day, if we run a web server or a home computer, having this patch gives us an extra layer of security. If faulty software opens an attack vector into your system, somebody with a zero-day might have zero chance of getting access to anything if a security patch like grsecurity is in place. This is because those who try to exploit such bugs often work with limited options and rely on known locations in memory; having the address space randomized leaves them empty-handed. You can start to see now why the 0-day industry is a fading business. It won't hold out for very long as security gets better.
So how do we get these nice features in NixOS? It is surprisingly simple, thanks to the tools NixOS provides. All you have to do is put the following line into your configuration.nix
boot.kernelPackages = pkgs.linux_grsec_server_latest;
and then run
Now your server's security has had a major boost.
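To confirm that the switch actually took effect after the rebuild and a reboot, here is a small check script I am adding as an example (it is not part of the original post or of NixOS itself). It assumes that a grsecurity kernel's release string contains "grsec", that ASLR is reported through /proc/sys/kernel/randomize_va_space, and that the grsecurity sysctl tree appears under /proc/sys/kernel/grsecurity.

```shell
#!/bin/sh
# Post-rebuild check (added example, not from the original post): confirms the
# running kernel is a grsecurity build and reports the ASLR level.
# Assumptions: the release string of a grsec kernel contains "grsec", ASLR is
# read from /proc/sys/kernel/randomize_va_space, and grsecurity exposes its
# sysctls under /proc/sys/kernel/grsecurity.

# is_grsec_kernel RELEASE -> exit 0 if RELEASE looks like a grsecurity kernel
is_grsec_kernel() {
    case "$1" in
        *grsec*) return 0 ;;
        *)       return 1 ;;
    esac
}

# aslr_level FILE -> prints the randomize_va_space value (0, 1 or 2) stored in
# FILE, or "unknown" when the file cannot be read (e.g. not on Linux)
aslr_level() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'unknown'
    fi
}

# describe_aslr LEVEL -> human-readable meaning of the sysctl value
describe_aslr() {
    case "$1" in
        0) printf 'disabled' ;;
        1) printf 'stack, mmap and VDSO randomized' ;;
        2) printf 'full (also randomizes brk)' ;;
        *) printf 'unknown' ;;
    esac
}

# check_system -> prints a summary of the live system; exit 1 if not grsec
check_system() {
    release=$(uname -r)
    status=0
    if is_grsec_kernel "$release"; then
        echo "kernel $release: grsecurity build"
    else
        echo "kernel $release: NOT a grsecurity build"
        status=1
    fi
    level=$(aslr_level /proc/sys/kernel/randomize_va_space)
    echo "randomize_va_space=$level ($(describe_aslr "$level"))"
    [ -d /proc/sys/kernel/grsecurity ] && echo "grsecurity sysctl tree present"
    return $status
}

# Only run the live check when invoked as: sh check-grsec.sh --run
if [ "${1:-}" = "--run" ]; then check_system; fi
```

The script exits non-zero when the running kernel is not a grsecurity build, so it can double as a boot-time sanity check on the server.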