CT-Ops

Host Management

How to use CT-Ops host management tabs for users, groups, settings, tags, terminal policy, and collection overrides.

The Management area controls how CT-Ops classifies, collects from, and allows access to a host. Use it when the question is not “what is wrong?” but “how should CT-Ops treat this machine?”

The area includes three host detail tabs:

TabWhat it is for
UsersReview discovered local OS accounts and SSH key counts for this host.
GroupsAdd or remove this host from host groups used for batch operations and filtering.
SettingsChange host-specific data collection, Docker retention, Docker image scanning, tags, and terminal access policy.

This page has no charts. It is made up of filters, tables, forms, switches, selectors, and cards that change host-level policy.

Users tab

The Users tab shows local OS account data for this host. It appears when the host’s local-user collection setting is enabled. If local-user collection is off, the host detail page does not render this tab’s user table.

Use this tab when reviewing SSH key exposure, service account ownership, stale accounts, privileged accounts, or account drift after a host change.

Users filters

The filters update the table query and the table refreshes every 30 seconds.

ControlWhat it does
Search by usernameFilters local users by username text. Leave blank to return all usernames for the selected type and status.
TypeFilters by All types, Human, Service, or System.
StatusFilters by All statuses, Active, Disabled, or Missing.

Users table

Select a user row to open that local user’s detail page for deeper account and SSH key review.

ColumnMeaning
UsernameLocal OS username reported by the agent. Displayed in monospace so similar account names are easier to compare.
UIDNumeric local user ID when reported. A dash means the agent did not report a UID.
ShellLogin shell path when reported. A dash means no shell value is available.
TypeCT-Ops classification: Human, Service, or System.
StatusCurrent account state: Active, Disabled, or Missing. Missing means CT-Ops previously knew about the account but the latest discovery did not report it.
SSH KeysCount of SSH keys associated with the account. A dash means zero keys.
Last SeenLast time the account was observed by local-user discovery, using the configured display date format. Never means no observation timestamp is stored.

If no accounts match the filters, the table shows No local users discovered yet and explains that users appear after an agent local-user discovery check.

Groups tab

The Groups tab shows host groups this host belongs to. Groups are useful for targeting batch operations, organising hosts by ownership or environment, and scoping operational workflows. Adding a host to the correct group makes future patching, scripts, service actions, and reports easier to run safely.

Groups controls

Control or fieldWhat it does
Add to GroupOpens a dialog listing groups the host is not already in. The top button is disabled when the host already belongs to every available group.
Empty-state Add to GroupAppears when the host is not in any groups and opens the same dialog.
Group nameOpens that host group’s detail page.
Group descriptionOptional group description shown below the name.
Trash buttonRemoves this host from that group. The button is disabled while a removal request is running.
Dialog AddAdds this host to the selected group. The button shows a spinner while the request is running, then the dialog closes and group lists refresh.
CloseCloses the add dialog without changing membership.

If the host is already in every available group, the dialog says the host is already in all available groups.

Settings tab

The Settings tab controls host-specific collection and management settings. Operators with write access can save collection, Docker, and tag changes where their role allows it. The Terminal Access card is admin-only.

Some controls inherit global settings:

Host controlGlobal setting
Data CollectionInherits Agent Defaults when a host has no host-specific collection settings.
TagsHost tags interact with default tags documented in Agent Defaults.
Docker Retention and Docker Image ScanningInherit Docker Container Settings.
Terminal AccessRequires instance terminal access to be enabled in Terminal Access Settings.
Host Editor AccessUses per-host path policies. Linux permissions still apply to the connected SSH user.

Data Collection

The Data Collection card chooses what data this host collects and reports. Changes are saved to host metadata and take effect on the next agent heartbeat or scheduled check cycle.

When a host has no saved host-specific collection settings, CT-Ops falls back to the instance defaults. The built-in defaults are CPU on, memory on, disk on, and local users off.

SettingDefault when no instance default existsWhat it controls
CPU UsageOnWhether CPU utilisation percentage is collected and reported for this host.
Memory UsageOnWhether memory utilisation percentage is collected and reported for this host.
Disk UsageOnWhether disk-space utilisation is collected and reported for this host.
Local UsersOffWhether CT-Ops creates or enables local user discovery and SSH key scan checks. Turning it off disables existing local user and SSH key checks if they exist.
SaveDisabled until a local change existsPersists the collection settings. The button changes to Saving… while the request is in flight and shows Saved after success.

Use host-specific collection settings for exceptions. For example, disable a noisy collection area on one machine while leaving the global defaults intact for the rest of the estate.

Local-user collection

Local-user collection can collect every local account or only selected usernames. Use selected-user monitoring when you need evidence for privileged or important accounts but do not want every local account surfaced for the host.

The local-user options appear only when Local Users is enabled.

Mode or controlWhat it does
Monitor all usersStores mode: all. The agent reports every local user account it discovers.
Monitor specific usersStores mode: selected. CT-Ops keeps the selected username list with this host’s collection settings.
Username inputAdds a username to the selected-user list. Press Enter or select the plus button. Blank values are ignored.
Plus buttonAdds the trimmed username. It is disabled while the input is blank and ignores duplicate usernames already in the list.
Username chip remove buttonRemoves one username from the selected-user list.
No users added yetIndicates selected mode is enabled but the selected username list is empty.

The host form does not impose a stricter username syntax on this list. Use exact OS usernames so the agent-side discovery result can match the intended accounts.

Docker retention

The Docker Retention card overrides how long raw Docker container metric samples are kept for this host. It appears when Docker retention settings can be loaded.

Global retention is configured in Docker Container Settings. The built-in global fallback is 30 days.

Field or controlWhat it does
Inherited defaultInstance-level Docker metric retention period in days.
Host overrideCurrent per-host override, or None when the host inherits the global default.
Effective retentionFinal retention period CT-Ops will use for this host. It is the host override when set, otherwise the inherited default.
Retention overrideSelects Inherit default, 7 days, 14 days, 30 days, 60 days, 90 days, 180 days, or 1 year.
SavePersists the selected override. It is disabled until the selection differs from the stored host override.
Clear overrideSaves a null override and returns the host to the inherited default. It is disabled when the current override is already None.

Server validation allows an integer retention override from 1 to 365 days, or null to inherit. Use retention overrides when a high-value host needs longer container evidence, or a dense container host needs shorter retention to control storage.

Docker image scanning

The Docker Image Scanning card controls whether this host participates in Docker image vulnerability scanning.

Global scan policy is configured in Docker Container Settings. The built-in global fallback is enabled, server-side Grype mode, every 24 hours, up to 3 images per cycle, with a 600 second timeout.

Field or controlWhat it does
Global settingWhether Docker image scanning is enabled at the instance level.
Scanner modeShows Server Grype when CT-Ops performs central Grype analysis, or Host local when the host runs scanner tooling locally.
Host overrideShows Disabled when this host has a disable override, otherwise Inherited.
Effective scanningFinal enabled/disabled result after combining the global setting and the host disable override. If global scanning is disabled, effective scanning is disabled even when the host inherits.
Disable on this hostPer-host boolean override. Turn it on for dense Docker hosts, sensitive images, or hosts without scanner binaries.
Inherited scan cadenceShows the inherited interval hours, maximum images per cycle, and timeout seconds.
Last immediate scan requestShows the timestamp of the last Scan now request when one exists.
SavePersists the host disable override. It is disabled until the switch differs from the stored value.
Scan nowRecords an immediate Docker image scan request timestamp for this host. It is disabled when effective scanning is disabled or while a request is running.

Use Scan now after rebuilding or pulling images, or when investigating a vulnerability report. A successful request shows Scan requested and the saved timestamp appears as the last immediate scan request.

Tags

Tags attach key-value metadata to the host. Use tags for ownership, environment, criticality, location, application, compliance scope, or any other classification that helps filtering and reporting.

The tag editor is visible to all users who can view the Settings tab, but it is read-only for non-admins. Only admins see the save control.

ControlWhat it does
Existing tag chipShows a key:value assignment on the host.
Chip remove buttonRemoves that assignment from the local edit set before save.
KeyTag key, such as env, owner, or criticality. Press Enter to move focus to Value.
Key suggestionsShows up to 8 existing keys that prefix-match the typed text, ordered by usage.
ValueTag value, such as prod, platform, or high. Press Enter to add the pair.
Value suggestionsShows up to 10 existing values for the current key that prefix-match the typed text.
AddAdds the trimmed key-value pair to the local edit set. It is disabled until both fields contain text.
SaveReplaces the host’s persisted tag set with the local edit set. It is disabled until local changes exist.

Validation requires a non-empty key up to 100 characters and a non-empty value up to 500 characters. CT-Ops stores only one value per key on a resource: duplicate keys are deduplicated case-insensitively, with the last value winning.

Consistent tags make host lists, reports, and operational handoffs easier to search and understand. Default host tags are configured in Agent Defaults, but per-host tags are the most specific layer and should be used for deliberate exceptions.

Host editor settings

The Host Editor Access card is admin-only. It defines the outer policy boundary for the host file editor shown under Tools -> SFTP.

CT-Ops uses this policy to decide which paths can be requested through the browser editor when global SFTP Security Settings require CT-Ops allowlists and denylists. It does not replace Linux filesystem permissions: the SSH user used by the eventual file operation must still be able to read or write the target file on the remote host.

ControlWhat it does
Enable Host EditorAllows eligible users to use the SFTP tab for this host when global SFTP path policy is active. When disabled in that mode, the SFTP tab shows a denial state.
Allowed PathsAdds absolute paths or globs that may be opened through the editor, such as /etc/nginx/** or /var/log/myapp/*.log.
Path modeSets a path to Read only, Read/write, or Sudo write. Read-only paths cannot be checked for write operations.
Remove path buttonRemoves one allowed path rule from the local edit set.
Blocked PathsOne blocked path or glob per line. Blocked paths win over allowed paths when an allowed rule also matches. Leave this empty to rely only on the allowlist.
Add recommended deniesPopulates the blocked path field with visible examples for common sensitive files, including shadow password files, SSH keys, private keys, and .env files. Admins can edit or remove these entries before saving.
SavePersists the host editor policy and records an audit event.

Use allowed paths for operational areas engineers are expected to maintain, such as service configuration directories or application config folders. Use blocked paths for secrets, credential stores, private keys, and customer-data locations that should not be exposed through a browser editor even when the underlying Linux account could technically read them.

If global SFTP path policy mode is set to Use host permissions only, this host-level allowlist and denylist is not applied to SFTP file operations. The global SFTP host availability setting can still disable SFTP for this host, or invert access so only selected hosts can launch SFTP.

Terminal settings

Terminal settings control whether terminal access is enabled for this host and which users are allowed to use it. The same card shows trusted SSH host keys and pending host keys that may need explicit trust.

The Terminal Access card is shown only to instance administrators. Host terminal access also depends on instance-wide terminal access in Terminal Access Settings, user role, and SSH host-key trust.

Field or controlWhat it does
Enable TerminalAllows or blocks terminal sessions for this host. The host-level default is enabled unless the host metadata explicitly disables it.
Allowed UsersOptional host allowlist. Leave empty to allow every user who already has sufficient role-based terminal access.
User selectorLists instance users who are not already in the allowlist. Agent users are excluded.
Plus buttonAdds the selected user to the local allowlist edit set. It is disabled until a user is selected.
User chip remove buttonRemoves one user from the local allowlist edit set.
No restrictions messageMeans the allowlist is empty and all eligible users can access the host terminal, subject to global terminal access, role checks, and SSH host-key trust.
SSH Host KeysShows trusted SSH host-key algorithm and SHA-256 fingerprint values reported by the agent.
No SSH host key messageMeans the agent has not reported a trusted SSH host key yet.
SSH host key changed warningAppears when the agent reports pending SSH host keys that do not match the trusted keys. Terminal sessions stay blocked until an admin verifies and trusts the new key.
Trust new SSH host keyPromotes pending host keys to trusted keys, clears the changed status, and writes an audit event.
SavePersists host terminal enablement and allowlist changes. It is disabled until local changes exist.

Terminal access requires at least engineer-level membership. If the instance terminal master switch is off, no host can be opened. If the host switch is off, this host cannot be opened even when the instance setting is on. If the allowlist has entries, the current user’s ID must be in the list.

Use pending SSH host-key review carefully. Trust a pending key only when you expect the host key change; unexpected changes can indicate rebuilding, replacement, misrouting, or a security issue.

Docker retention and image scanning

Docker settings can override container data retention and Docker image scanning behaviour for a host. Operators can also request a Docker image scan from this area.

Use retention overrides when one host needs longer or shorter container history than the instance default. Use image scanning controls when vulnerability scanning should be paused or forced for a specific host.

How management helps infrastructure control

Management settings keep host data useful and access controlled. They help operators classify infrastructure, minimise noisy collection, enforce terminal access boundaries, and make host-level exceptions explicit rather than hidden.