by argan0n » Wed Mar 31, 2004 2:45 pm
Keep in mind that if you start it from rc.local that it won't be enabled during your boot process until the end as rc.local is usually ran last. So there could be a window of vunerability that an attacker could try to leverage. Much like boot scripts that turn on daemons and bring up the network before applying the firewall rules (as may needed sometimes). Enabling grsec at the beginning of your init cycle, I'm sure, will bring out other issues on the opposite end of the spectrum that would need testing.
Of course this all depends on your distro, setup, use, parnoia, etc.. but I think it is good to be aware of it. YMMV