Is server hardening with grsecurity really necessary on the CentOS 6.3 environment?

grsecurity (a.k.a. grsec) isn't really a program - it's a hardening suite for Linux.

It includes the following:

• A fully comprehensive Role-Based Access Security (RBAC) system.
• grsec-hardened kernel patches.
• Enhanced PaX implementation.
• chroot restrictions (misc features to prevent malware from escaping a chroot jail)
• General system security improvements.

These features are designed to prevent shellcode from being successful on the system. The restrictions in chroot and other system features help prevent untrusted processes (e.g. httpd) from performing tasks they shouldn't.

Here's a few examples of practical improvements:

• Prevention of ptrace and other IPC mechanisms between processes that shouldn't be talking to each other.
• Forensics capabilities via /proc/[pid]/ipaddr
• httpd can be placed in chroot jail with highly restrictive permissions (no kill, no pid/sid set, sysctl writes, etc. outside of chroot)
• Full fine-grained auditing of processes, users, groups and other entities.
• Ability to completely hide kernel-mode processes from user-mode.

The most difficult and powerful part of configuring grsec is the RBAC system. It relies on you to properly and fully configure the privileges and abilities of certain processes. By default, this is a fairly restrictive set. This can often crash and kill certain processes, often with no obvious reason. However, if you tune it correctly, it's an incredible security measure.

It's great for high security scenarios, and I highly suggest installing grsec with RBAC disabled first to give it a go. Set up a proper chroot for your services (httpd at least, preferably SQL / mail daemons too) so that the entire system won't get pwned due to a vulnerability in a single daemon.

There's way too much to cover in a single answer, so I suggest you read through the grsec wikibook.

As to whether you need it - it depends. It's complex to configure (includes a kernel recompile from source, plus a lot of auto-training and manual config editing) and will take a significant amount of time to fully set up, but the result is that you gain a huge amount of resistance against remote code execution vulnerabilities in service daemons and the kernel itself. Figure out how much time you want to dedicate to protecting yourself from such attacks, and go from there.