...
The software inventory, operating system, and general configuration parameters of all computers deployed to users and computing labs are recorded in software we purchase from Dell Computing, called KBox. The KBox helps us, among other things, package up software for easy installation. Often a particular piece of software will require a special license key, or it will need to be pointed at a particular device on campus. The KBox can automate these configuration steps. It can also tell us if, for example, a piece of software needs updating and it can (usually) perform the update. This is particularly useful when a serious security issue has been discovered.
ITS staff and a few student workers can see KBox data. We need to see it in order to understand and diagnose software issues that users call us about. We also use it to get software installed to all the right places in the right ways, with the right license keys and settings. And we use it to find machines that are not updating their software correctly and are therefore exposing users to possible compromise, or opening the user and Carleton up to licensing violations.
...
All attempts at authenticating are logged, not only by individual computers, but also by applicable enterprise applications (e.g., Colleague, OnBase, Advance, Slate, the Carleton website), domain controllers, our web-based login pages, and associated dual-factor authentication services (Duo). These systems need to record who logged in, when, and from where not only for auditing and troubleshooting purposes, but also to afford us an extra measure of assurance, when the data is pooled and analyzed, that the people logging in are who they say they are. Access to this data is limited to application managers and/or to a few core systems staff and the IT security officer. Alerts are generated when anomalous logins and automatic lockouts (rapid spikes, logins from impossibly disparate physical locations, lockouts due to dual-factor failures, etc.) are detected.
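An added example, not Carleton's own tooling, of how pooled authentication records can surface two of the anomalies named above: impossibly distant consecutive logins and rapid failure spikes. The record layout, coordinates, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (user, UTC time, source, outcome, geo-IP lat/lon).
HOME = (44.46, -93.16)
EVENTS = [
    ("alice", "2024-03-01T14:00:00", "web-login", "success", HOME),
    ("alice", "2024-03-01T14:40:00", "duo", "success", (52.52, 13.40)),
    ("bob", "2024-03-01T09:00:00", "colleague", "success", HOME),
    ("bob", "2024-03-01T17:00:00", "web-login", "success", (44.98, -93.27)),
] + [("carol", f"2024-03-01T10:00:{s:02d}", "web-login", "failure", HOME)
     for s in range(0, 50, 10)]

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def pooled_by_user(events):
    """Merge records from every source into one time-ordered list per user."""
    by_user = defaultdict(list)
    # Same-format ISO-8601 strings sort chronologically.
    for user, ts, source, outcome, loc in sorted(events, key=lambda e: e[1]):
        by_user[user].append((datetime.fromisoformat(ts), source, outcome, loc))
    return by_user

def impossible_travel(events, max_kmh=900, min_km=100):
    """Flag consecutive successful logins implying faster-than-airliner travel.
    Both thresholds are assumed values; min_km absorbs geo-IP imprecision."""
    alerts = []
    for user, rows in pooled_by_user(events).items():
        ok = [r for r in rows if r[2] == "success"]
        for prev, cur in zip(ok, ok[1:]):
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            dist = km_between(prev[3], cur[3])
            if dist > min_km and (hours == 0 or dist / hours > max_kmh):
                alerts.append((user, prev[1], cur[1], round(dist)))
    return alerts

def failure_spikes(events, threshold=5, window=timedelta(minutes=2)):
    """Flag users with `threshold` failed logins inside one sliding window."""
    spiking = []
    for user, rows in pooled_by_user(events).items():
        fails = [r[0] for r in rows if r[2] == "failure"]
        if any(fails[i + threshold - 1] - fails[i] <= window
               for i in range(len(fails) - threshold + 1)):
            spiking.append(user)
    return spiking
```

The travel check only works because records from different systems are merged per user first: neither login in the flagged pair looks unusual within its own source's log.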
Network-Level Logging
In general, nearly all devices through which Carleton network traffic passes log that traffic. These logs typically include the source and destination IP address, MAC address, and various other relevant details. Additional detail gets logged for WiFi via /wiki/spaces/itskb/pages/26119999. This data, collectively, allows us to locate and fix problems and bottlenecks, and it helps us diagnose problems when we (or our users) discover them. We normally don’t look at this data in detail unless there is a problem, such as a user experiencing frequent WiFi disconnects. The number of people who can see this data is very limited (a few core systems and networking staff and the IT security officer).
The Firewall
Additionally, ITS protects the campus with a central /wiki/spaces/itskb/pages/26119002, which inspects traffic as it flows through and looks for infiltration attempts, brute-force scans of our network, and other hostile activity, and logs and/or outright blocks that activity, depending on its severity. ITS does not examine logs produced by the firewall, except when performing forensics, troubleshooting, or examining alert notices. The number of people who can do this is limited to a few core systems staff and the IT security officer.
...
Individual machines (Linux servers, Windows servers, and Windows desktops) also log what they are doing, locally. There are, for one thing, antivirus and local firewall logs. There are also general system logs. These latter logs are written not only to local disk, but also forwarded to a central syslog server, then on to a central repository (Splunk). Every time a Windows machine executes a program, that execution is also recorded separately, along with the policy that applies to it. For some departments that handle a lot of sensitive data and have requested it, we actually limit what programs can be installed and run (AppLocker). ITS knows nothing about what the programs being executed are really doing. But we do use the basic information provided in logs to detect malware-related infestations, and also to perform forensics when and if hostile activity is discovered.
...