palerm0/librenms-config-compliance

Config compliance checks for LibreNMS, based on Oxidized backups

Package info

github.com/Palerm0/librenms-config-compliance

Language: Blade

pkg:composer/palerm0/librenms-config-compliance

v1.9.5 2026-06-03 09:42 UTC

This package is auto-updated.

Last update: 2026-06-03 09:45:25 UTC


README

A LibreNMS plugin that checks per device whether certain rules are present or absent in the configuration. Configurations are read from Oxidized — the plugin does not connect to your devices and does not change anything.

  • Read-only — only checks, never fixes
  • Daily scan via a cron job
  • Own storage in JSON files (storage/app/config-compliance/)
  • LibreNMS style — uses the standard LibreNMS layout

Version: v1.9.5 · License: GPL-3.0-or-later

Requirements

  • LibreNMS with plugin system v2 (recent version)
  • A working Oxidized integration — check that the Configs tab of a device shows the current config
  • PHP 8.2 or higher

Installation

The plugin is installed as a Composer package. Publishing on Packagist is not needed — you link the folder locally.

  1. Place the librenms-config-compliance folder somewhere on the server, for example in /opt/librenms/plugins-src/librenms-config-compliance.

  2. As the librenms user, run the following in the LibreNMS folder:

    cd /opt/librenms
    
    composer config repositories.config-compliance \
      '{"type": "path", "url": "plugins-src/librenms-config-compliance", "symlink": true}'
    
    composer require palerm0/librenms-config-compliance

  3. In LibreNMS go to Overview » Plugins and set Config Compliance to enabled.

  4. A menu item Config Compliance now appears under the plugin menu.

Configuration

  1. Open the plugin page, click the gear button (top right) and fill in the Oxidized URL (e.g. http://127.0.0.1:8888) — the same URL as under Global Settings » External Settings » Oxidized. The page shows a status line that confirms whether Oxidized is reachable, or warns if it is not configured or cannot be reached.

  2. Add your rules under Compliance rules. Per rule:

    Field   Meaning
    Name    Short description, e.g. "NTP configured"
    Group   Which LibreNMS device group the rule applies to (* = all)
    OS      Which device OS the rule applies to (* = all)
    Checks  One or more checks — see below

    Every rule has one or more checks. For each check you pick a Type and a Pattern:

    Type              Passes when
    Contains          the pattern is present in the config
    Does not contain  the pattern is absent
    Contains any of   at least one of the listed patterns is present (one per line)
    Contains none of  none of the listed patterns is present (one per line)

    The rule as a whole passes only if all checks pass. The "any of" / "none of" types take one pattern per line and are handy when the same thing looks slightly different per device or location (e.g. a firewall object name that varies between sites).

    A rule applies to a device when both Group and OS match. Tip: the exact OS name (such as ios, vrp, fortigate) is shown in the OS column of the results table after the first scan. In the editor the rules are grouped into collapsible sections per OS, so a long list stays tidy; rules with OS * sit in an "All OS" section at the bottom.

    In the results table two coloured badges show the state: Failed checks per device (green 0 / orange 1–5 / red more than 5) and, per failed rule, the number of failed checks (orange = partly, red = all failed). Click a failed rule name to expand it and see exactly which checks failed. Device names link straight to the device page in LibreNMS.

  3. Click Scan now for an immediate scan.

Daily scan via cron

Add a line to /etc/cron.d/librenms:

# Config compliance scan, every day at 06:00
0 6 * * *   librenms   /opt/librenms/lnms config-compliance:scan >> /opt/librenms/logs/config-compliance.log 2>&1

Running it manually also works:

/opt/librenms/lnms config-compliance:scan

Statuses

Status         Meaning
Compliant      At least one rule applies and they all pass
Non-compliant  One or more rules do not pass
No rules       No rule applies to this device
No config      No config in Oxidized — check the Oxidized backup

A device that is down in LibreNMS is still scanned against its last known config, and gets an extra grey Down label next to its status.
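
The rule semantics from the Configuration section and the statuses above, modelled in a short Python sketch. This is an added example, not the plugin's own PHP code. Assumptions: patterns are matched as plain, case-sensitive substrings, "No config" is decided before "No rules", and the type keys, dict layout and sample config are constructed for illustration.

```python
# Added illustration of the README's rule semantics; not the plugin's PHP code.
# Assumptions: plain case-sensitive substring matching, hypothetical type keys
# and dict layout, and "No config" taking precedence over "No rules".
def pattern_lines(raw):
    """'any of' / 'none of' take one pattern per line; blank lines are skipped."""
    return [p for p in raw.splitlines() if p.strip()]

CHECKS = {
    "contains": lambda cfg, pat: pat in cfg,
    "not_contains": lambda cfg, pat: pat not in cfg,
    "contains_any_of": lambda cfg, pat: any(p in cfg for p in pattern_lines(pat)),
    "contains_none_of": lambda cfg, pat: not any(p in cfg for p in pattern_lines(pat)),
}

def applies(rule, device):
    """A rule applies when both Group and OS match ('*' = all)."""
    return rule["group"] in ("*", *device["groups"]) and rule["os"] in ("*", device["os"])

def evaluate(device, config, rules):
    """Return (status, {failed rule name: [failed checks]}) for one device."""
    if config is None:
        return "No config", {}
    relevant = [r for r in rules if applies(r, device)]
    if not relevant:
        return "No rules", {}
    failures = {}
    for rule in relevant:
        failed = [c for c in rule["checks"] if not CHECKS[c["type"]](config, c["pattern"])]
        if failed:  # the rule passes only if all of its checks pass
            failures[rule["name"]] = failed
    return ("Non-compliant" if failures else "Compliant"), failures

# Constructed sample data (not from a real device).
DEVICE = {"hostname": "edge-sw1", "os": "ios", "groups": ["core"]}
SAMPLE_CONFIG = """hostname edge-sw1
ntp server 192.0.2.11
snmp-server community public RO
line vty 0 4
 transport input ssh
"""
RULES = [
    {"name": "NTP configured", "group": "*", "os": "*", "checks": [
        {"type": "contains_any_of", "pattern": "ntp server 192.0.2.10\nntp server 192.0.2.11"}]},
    {"name": "SSH-only management", "group": "core", "os": "ios", "checks": [
        {"type": "contains", "pattern": "transport input ssh"},
        {"type": "not_contains", "pattern": "transport input telnet"}]},
    {"name": "No default SNMP community", "group": "*", "os": "ios", "checks": [
        {"type": "contains_none_of", "pattern": "community public\ncommunity private"}]},
]
```

Calling evaluate(DEVICE, SAMPLE_CONFIG, RULES) reports the device as Non-compliant because of the "No default SNMP community" rule; the NTP rule passes through its second listed pattern, which is the per-site variation the "any of" type is meant for.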

LibreNMS updates

./daily.sh can overwrite the plugin link via Composer. Add the two composer commands from step 2 to your post-update.sh, so the plugin is automatically re-linked after a LibreNMS update.

Files

librenms-config-compliance/
├── composer.json
├── routes/web.php
├── resources/views/
│   ├── menu.blade.php          Menu item
│   └── page.blade.php          The plugin page
└── src/
    ├── ConfigComplianceProvider.php   Bootstrap file (registers everything)
    ├── ComplianceEngine.php           Core logic: rules, scan, storage
    ├── Console/ScanCommand.php        The 'lnms config-compliance:scan' command
    ├── Controllers/CompliancePageController.php
    └── Hooks/MenuEntry.php            Menu hook

The plugin keeps its data in storage/app/config-compliance/: settings.json, rules.json, results.json and history.json.