> ... and why not ship SuSE with the NSA's Security-Enhanced Linux as an add-on? It's a very good piece of work IMHO.
The first thing that comes to my mind is do you even know what NSA SELinux is? If you did you wouldn't be asking SuSE to make it standard. It's very complex. Configuring the security templates/etc/etc is extremely non-trivial.
> Anyway, I can't speak for the SuSE people, but the problem with patches (and programs) is that new versions tend to pop up every second day; the more serious problem is that security holes tend to pop up every day. You simply can't keep a distro up-to-date, especially if it's delivered in a box, so to speak.
Uhhh? The actual number of exploitable security holes in the Linux kernel itself is quite low. There are more problems in various applications such as Sendmail, but realistically it's not too bad.
> Up-to-date manual patching is always the best way.
Yup. On all 1,000 machines. Better not make any mistakes. Manual is definitely the way to go (note: this is how apache.org got hacked into). Especially when it's a long weekend and you're not at work. Thankfully you do not have to do much regression testing with SuSE patches (unlike, say, Microsoft) and a mostly automated install will be fine.
> /Thomas
Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
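The "1,000 machines" point above is really about knowing which hosts are still behind on a vendor fix before anyone touches them by hand. The following is an added example, not code from the thread or from SuSE: a small fleet patch-compliance audit that compares each host's installed RPM versions against the minimum fixed versions from vendor advisories, using the same epoch/version/release ordering rules rpm itself applies (so "2.9p2-12" is correctly seen as newer than "2.9p2-7", and "1.10" newer than "1.9"). The inventory line format, the hostnames, the package names and every version number below are constructed sample data, not real advisories.

```python
"""Fleet patch-compliance audit (added example; not from the original thread).

Assumes each host's package list was collected with a query such as
    rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'
and that the minimum fixed versions come from the vendor's advisories.
All hostnames, package names and versions here are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

EVR = Tuple[int, str, str]          # (epoch, version, release)

# rpm splits version strings into runs of digits or letters; everything
# else ("." "-" "_" "+") only separates segments and carries no meaning.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings the way rpm does; returns -1/0/1.

    Numeric segments compare as integers (so 10 > 9), alphabetic segments
    compare as strings, a numeric segment always beats an alphabetic one,
    and when one string runs out of segments the longer one is newer.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def evrcmp(a: EVR, b: EVR) -> int:
    """Epoch wins outright, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c != 0 else rpmvercmp(a[2], b[2])


def fmt(evr: EVR) -> str:
    epoch, version, release = evr
    return f"{epoch}:{version}-{release}" if epoch else f"{version}-{release}"


def parse_inventory(text: str) -> Dict[str, EVR]:
    """Parse 'NAME EPOCH VERSION RELEASE' lines; rpm prints '(none)' for no epoch."""
    pkgs: Dict[str, EVR] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, version, release = line.split()
        pkgs[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return pkgs


def audit(fleet: Dict[str, str], required: Dict[str, EVR]) -> Dict[str, List[str]]:
    """Return {host: [what is still below the advisory minimum]} for non-compliant hosts.

    A package that is not installed at all is skipped: the advisory does not
    apply to that host, and reporting it would only drown the real findings.
    """
    findings: Dict[str, List[str]] = {}
    for host, inventory in fleet.items():
        installed = parse_inventory(inventory)
        behind = [
            f"{name} {fmt(installed[name])} < {fmt(fixed)}"
            for name, fixed in required.items()
            if name in installed and evrcmp(installed[name], fixed) < 0
        ]
        if behind:
            findings[host] = behind
    return findings


# Constructed sample inventories for three hypothetical hosts.
FLEET = {
    "web1": "sendmail (none) 8.11.0 12\nopenssh (none) 2.9p2 7\nkernel (none) 2.4.4 4\n",
    "web2": "sendmail (none) 8.11.6 3\nopenssh (none) 2.9p2 12\nkernel (none) 2.4.4 4\n",
    "mail1": "sendmail (none) 8.11.6 3\nopenssh (none) 2.9p2 12\nkernel (none) 2.4.9 1\n",
}

# Constructed minimum fixed versions (stand-ins for what an advisory would list).
REQUIRED: Dict[str, EVR] = {
    "sendmail": (0, "8.11.6", "3"),
    "openssh": (0, "2.9p2", "12"),
    "kernel": (0, "2.4.9", "1"),
}

if __name__ == "__main__":
    for host, items in audit(FLEET, REQUIRED).items():
        print(f"{host}: NOT COMPLIANT")
        for item in items:
            print(f"    {item}")
```

Run against real data, the inventories would be the captured `rpm -qa` output per host and the required list the versions named in each advisory; the report is what decides which hosts the update job must hit, and re-running it after the job is the regression check that nothing was missed.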