Hi all,
I ran into something that I suspect a lot of people here will recognise. LibreNMS is a fantastic monitoring tool — but to get a truly complete picture of a network, you usually end up bolting extra tooling onto it, and that extra tooling tends to come with a hefty price tag.
The good news is that LibreNMS already closes a lot of that gap by itself. The Oxidized integration in particular is excellent, and fits exactly what we need for config backups.
The one piece I still found missing: a proper compliance check on the device configs. I went looking for something that would fit our setup, and I could not really find a good option that did not cost serious money. While searching I also noticed this has been asked for here before — Compliance Reporting (#2138) from 2015, which was moved to the forum as Compliance Reporting.
So I got cooking. I now have a tool that works really well, and I would love to share it with the community — if there is interest in it.
What it does:
- Read-only — it only checks configs, it never connects to or changes a device.
- Reads configs straight from the existing Oxidized integration, so there is no second backup system to maintain.
- Rules with one or more checks each (a check is “config contains X” or “config does not contain X”). A rule passes only when all of its checks pass — handy for things like a “trusted hosts” rule with one check per management subnet.
- Rules can be scoped per device group and per OS, so a Cisco IOS hardening rule and a FortiGate rule can live side by side.
- A daily scan via a cron command, plus an on-demand scan from the UI.
- A results page in standard LibreNMS style: per device compliant / non-compliant / no config / no rules, with a drill-down that shows exactly which checks failed, and device names that link straight to the device page.
A few screenshots:
Results overview — per-device compliance at a glance, grouped by device group:
[screenshot 1]
Drilling into a failed rule — it shows exactly which checks are missing:
[screenshot 2]
Defining a rule with multiple checks (here a “trusted hosts” rule):
[screenshot 3]
If this is something the community would find useful, I would be glad to share it and to work together on getting it into LibreNMS. Curious to hear your thoughts — is there interest in this?
Thanks!
Quick update — thanks for the interest so far!
I’ve put the code up on GitHub so anyone can try it:
https://github.com/Palerm0/librenms-config-compliance
It installs as a plugin (v2 plugin system) — the README walks through the Composer link step, enabling it, and pointing it at your existing Oxidized URL. It’s read-only: it only reads configs from Oxidized and never touches a device.
A short recap of where it stands now:
- Rules scoped per device group and per OS, each with one or more checks (contains / does not contain, and “contains any of” / “none of” for the cases where the same line looks slightly different per site).
- A daily scan via lnms config-compliance:scan, plus an on-demand scan.
- Results in standard LibreNMS style, with a compliance score, a drill-down per failed rule, and device links back to the device page.
What I’d really like to explore: getting this into LibreNMS itself, so it’s available out of the box rather than as a separate install. I’m very happy to shape it toward whatever the maintainers feel is the right home for it — whether that’s a core feature or an officially listed plugin — and to do the work to meet the contribution guidelines.
Is that something the team would be open to? Glad to hear any thoughts on the approach, and of course feedback on the tool itself is very welcome.
Thanks!
This plugin will be the best to ensure config is as per standards.
However, while installing I'm getting an error suggesting to add FORCE=1. Is it safe to do?
cd /opt/librenms
composer config repositories.config-compliance '{"type": "path", "url": "plugins-src/librenms-config-compliance", "symlink": true}'
composer require palerm0/librenms-config-compliance
./composer.json has been updated
Running composer update palerm0/librenms-config-compliance
LibreNMS\ComposerHelper::preUpdate
Running composer update is not advisable. Please run composer install to update instead.
If know what you are doing and want to write a new composer.lock file set FORCE=1.
If you don’t know what to do, run: composer install
lnms plugin:add is the way to add extra packages while not breaking updates and LibreNMS dependencies.
@murrant — thanks a lot for pointing this out, that’s exactly the right way and I appreciate you taking the time. I’ll publish the plugin to Packagist so lnms plugin:add works out of the box, and update the README to drop the composer require / FORCE=1 route entirely.
@RR1 — thank you for trying it, and apologies for the confusion! Please don’t use FORCE=1 — that path is not recommended, as murrant is pointing out (LibreNMS warns about it for a reason). I’ll have the proper install command ready shortly; the fix is on my side, not yours. I’ll reply here as soon as it’s done so you can try the clean way.
Update
The plugin is on Packagist (https://packagist.org/packages/palerm0/librenms-config-compliance) and the README is updated. The recommended install is now:
sudo -u librenms /opt/librenms/lnms plugin:add palerm0/librenms-config-compliance
sudo -u librenms /opt/librenms/lnms plugin:enable config-compliance
@RR1 — that should give you a clean install without the FORCE=1 workaround.
Thanks for the patience! Let me know how it goes.
Greetings
Palermo
@Palermo
Thanks for the update.
Additionally, you need to run the commands below, otherwise the web UI crashes after adding the plugin:
php artisan cache:clear
php artisan view:clear
php artisan route:clear
@RR1 — glad it worked! Thanks for the heads-up. I’ve added a short troubleshooting note in the README (v1.9.7) so the next person doesn’t get tripped up by the same thing:
sudo -u librenms php artisan cache:clear
sudo -u librenms php artisan view:clear
sudo -u librenms php artisan route:clear
Much appreciated
Small feature update: as of v1.10 the plugin integrates with LibreNMS alerting.
After every scan it now writes a LibreNMS component per device (type config-compliance) with the compliance status, so you can alert on compliance drift through the normal LibreNMS alert rules and your existing transports (mail, Teams, etc.). The failed rule names end up in the alert details, so the notification tells you exactly what is wrong.
Example rule:
(or use macros.component_critical — that variant also honours the component’s ignore flag, handy for excluding a lab device.)
Status codes: 0 = compliant, 1 = no config found in Oxidized, 2 = non-compliant. Details in the README: https://github.com/Palerm0/librenms-config-compliance
Greetings
Palermo
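To make the rule semantics from the first two posts and the component status codes from this v1.10 update concrete, here is an added illustration in Python; it is not the plugin's own code. The check kinds (contains / does not contain / contains any of / none of), the "all checks must pass" rule logic, per-OS and per-group scoping, and the 0/1/2 status codes are taken from the thread; the device/rule data structures and the made-up IOS config are my own, and mapping "no applicable rules" to status 0 is an assumption.

```python
# Added illustration of the thread's rule semantics, not the plugin's own code. Check
# kinds and status codes come from the posts; "no applicable rules -> 0" is my assumption.
from dataclasses import dataclass
from typing import Optional

COMPLIANT, NO_CONFIG, NON_COMPLIANT = 0, 1, 2   # component status codes

@dataclass
class Check:
    kind: str     # contains | not_contains | contains_any | contains_none
    values: list  # one string for contains/not_contains, several for any/none
    def passes(self, config: str) -> bool:
        hits = [v in config for v in self.values]
        if self.kind == "contains":
            return all(hits)
        if self.kind in ("not_contains", "contains_none"):
            return not any(hits)
        if self.kind == "contains_any":
            return any(hits)
        raise ValueError(f"unknown check kind: {self.kind}")

@dataclass
class Rule:
    name: str
    checks: list
    os: Optional[str] = None     # None = any OS
    group: Optional[str] = None  # None = any device group
    def applies(self, device: dict) -> bool:
        return self.os in (None, device["os"]) and self.group in (None, device["group"])

def scan_device(device: dict, config: Optional[str], rules: list):
    """Return (status, failed_rule_names); a rule passes only if all its checks pass."""
    if config is None:  # Oxidized has no backup for this device
        return NO_CONFIG, []
    failed = [r.name for r in rules
              if r.applies(device) and not all(c.passes(config) for c in r.checks)]
    return (NON_COMPLIANT if failed else COMPLIANT), failed

# Constructed sample (made-up addresses): an IOS config missing one trusted-host
# ACL entry and still allowing telnet on the VTY lines.
SAMPLE_CONFIG = "access-list 10 permit 10.0.0.0 0.0.0.255\nntp server 10.0.0.1\n" \
                "line vty 0 4\n transport input telnet ssh\n"
RULES = [
    Rule("trusted hosts", [Check("contains", ["access-list 10 permit 10.0.0.0 0.0.0.255"]),
                           Check("contains", ["access-list 10 permit 10.1.0.0 0.0.0.255"])], os="ios"),
    Rule("no telnet", [Check("not_contains", ["transport input telnet"])], os="ios"),
    Rule("ntp configured", [Check("contains_any", ["ntp server 10.0.0.1", "ntp server 10.1.0.1"])]),
    Rule("fortigate admin port", [Check("contains", ["set admin-sport 8443"])], os="fortigate"),
]
DEVICE = {"hostname": "core-sw1", "os": "ios", "group": "core"}
```

Calling scan_device(DEVICE, SAMPLE_CONFIG, RULES) yields status 2 with the failed rule names ["trusted hosts", "no telnet"], which is the information the post says lands in the alert details; the FortiGate rule is skipped because its OS scope does not match.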
Awesome!
I’ve been using Batfish, but having compliance integrated directly in LibreNMS sounds great.
Gonna give it a spin.