mikrotik-rsc-auditor 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 MikroTik RSC Auditor Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,287 @@
+<!-- markdownlint-disable MD033 MD041 -->
+
+# 🔍 MikroTik RouterOS .rsc Auditor
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+[![Pi Skill](https://img.shields.io/badge/pi-skill-purple)](https://github.com/nicolodavis/pi)
+[![Checks](https://img.shields.io/badge/checks-108-success)](scripts/audit_rsc.py)
+[![CLI](https://img.shields.io/badge/CLI-ready-brightgreen)](README.md)
+
+**Offline static analysis tool for auditing MikroTik RouterOS .rsc configuration files — 108 security checks across 9 domains, CVSS v3.1 scoring, compliance mapping (CIS/NIST/ISO/PCI-DSS), conflict detection, IoC detection, and script linting.**
+
+---
+
+## ✨ Features
+
+| Feature | Description |
+|---------|-------------|
+| 🔒 **108 Security Checks** | Authentication, services, firewall, system hardening, networking, routing, WiFi, scripts, compliance |
+| 📊 **CVSS v3.1 Scoring** | Every finding scored with severity (Critical/High/Medium/Low/Info) and CVSS vector |
+| 🏛️ **Compliance Mapping** | CIS RouterOS Benchmark, NIST SP 800-53, ISO 27001, PCI-DSS per-finding cross-references |
+| 🚨 **Conflict Detection** | 8 rule conflict types — unreachable rules, NAT bypasses, orphan marks, duplicates, and more |
+| 🕵️ **IoC Detection** | 10 compromise indicators — scheduler backdoors, DNS hijacking, cryptominers, C2 patterns |
+| 📝 **Script Linter** | 15+ rules with scope-aware context suppression, guard tracking, CI-ready exit codes |
+| 🧩 **Zero Dependencies** | Pure Python stdlib — install on any system with Python 3.10+ |
+| 🤖 **Pi Agent Integration** | Installable as a pi skill with interactive onboarding for first-time users |
+
+---
+
+## 🚀 Quick Start
+
+```bash
+# Install from PyPI
+pip install mikrotik-rsc-auditor
+
+# Audit a RouterOS export
+mikrotik-audit export.rsc
+
+# Or use directly from source
+python scripts/audit_rsc.py export.rsc
+```
+
+---
+
+## 📖 Usage
+
+### Basic Audit
+
+```bash
+mikrotik-audit export.rsc
+```
+
+### JSON Output
+
+```bash
+mikrotik-audit export.rsc --format json
+```
+
+### HTML Report
+
+```bash
+mikrotik-audit export.rsc --format html -o report.html
+```
+
+### Severity Filter (High+Critical only)
+
+```bash
+mikrotik-audit export.rsc --severity high
+```
+
+### Specific Checks
+
+```bash
+mikrotik-audit export.rsc --check AUTH-001,FW-003
+```
+
+### CVE Vulnerability Check
+
+```bash
+mikrotik-audit export.rsc --cve
+```
+
+### Live NVD CVE Lookup (requires internet)
+
+```bash
+export NVD_API_KEY=your_key
+mikrotik-audit export.rsc --cve --cve-live
+```
+
+### Conflict Detection
+
+```bash
+mikrotik-audit export.rsc --conflicts
+```
+
+### IoC / Compromise Detection
+
+```bash
+mikrotik-audit export.rsc --ioc
+```
+
+### Lint a Script (development-time validation)
+
+```bash
+mikrotik-audit export.rsc --lint my-script.rsc
+```
+
+### All Features
+
+```bash
+mikrotik-audit export.rsc --cve --conflicts --ioc --format html -o full-report.html
+```
+
+---
+
+## ⚙️ CLI Flags
+
+| Flag | Type | Description | Default |
+|------|------|-------------|---------|
+| `file` | positional | Path to `.rsc` configuration file | required |
+| `--format` | choice | Output format: `text`, `json`, `html` | `text` |
+| `--severity` | choice | Minimum severity: `critical`, `high`, `medium`, `low`, `info` | all |
+| `--check` | string | Comma-separated check IDs to run (e.g., `AUTH-001,FW-003`) | all |
+| `--cve` | flag | Enable CVE vulnerability check using static database | off |
+| `--cve-live` | flag | Enable live NIST NVD API lookup (requires internet) | off |
+| `--conflicts` | flag | Enable 8-type rule conflict analysis | off |
+| `--ioc` | flag | Enable 10-type compromise indicator detection | off |
+| `--lint` | string | Path to a `.rsc` script file to lint (used alongside the config file) | — |
+| `--skip-wifi` | flag | Skip WiFi security checks (for non-wireless devices) | off |
+| `--skip-routing` | flag | Skip routing security checks (BGP/OSPF) | off |
+| `-o, --output` | path | Save report to file instead of stdout | — |
+
+---
+
+## 🤖 Pi Agent Interactive Mode
+
+When installed as a pi agent skill, the auditor offers **interactive onboarding** on first run:
+
+1. **Device Role** — Home router / Office gateway / Enterprise / ISP — determines security baseline
+2. **Services in Use** — Multi-select which features this device provides (WiFi, NAT, DHCP, VPN, routing, CAPsMAN)
+3. **Audit Scope** — Quick review / Standard / Compliance — controls check depth
+4. **Conditional Follow-ups** — Compliance framework, WiFi type, routing profile (only if relevant)
+
+Answers are saved to `~/.config/mikrotik-auditor/profile.yml` — subsequent runs are fully silent.
+
+```bash
+# Install as pi skill
+pi install npm:@scope/mikrotik-rsc-auditor
+
+# Run interactively (first time)
+mikrotik-audit export.rsc
+# → asks 3-4 questions, then runs tailored audit
+```
+
+---
+
+## 📋 Report Formats
+
+### Text Report
+Terminal-friendly output with severity grouping, score, top-5 executive summary, and per-finding remediation commands. Includes safety warnings for high-risk changes.
+
+### JSON Report
+Structured machine-readable output for pipeline integration:
+
+```json
+{
+  "meta": { "device_model": "C53UiG+5HPaxD2HPaxD", "version": "7.22.3" },
+  "score": { "score": 72, "grade": "B", "by_severity": { "Critical": 0, "High": 2 } },
+  "findings": [
+    {
+      "id": "AUTH-005",
+      "name": "SSH weak-crypto enabled",
+      "severity": "High",
+      "cvss": "7.5",
+      "category": "Authentication & Access Control",
+      "remediation": "/ip ssh set strong-crypto=yes"
+    }
+  ]
+}
+```
+
+### HTML Report
+Self-contained dark-mode compatible HTML with color-coded severity badges, score display, and remediation blocks.
+
+---
+
+## 🏛️ Compliance Frameworks
+
+| Framework | Coverage |
+|-----------|----------|
+| **CIS RouterOS Benchmark v1.x** | 42 controls mapped |
+| **NIST SP 800-53** | 30+ controls (AC, AU, IA, SC, SI, PE, CP) |
+| **ISO 27001** | 25+ controls (A.8, A.9, A.10, A.12, A.13, A.17) |
+| **PCI-DSS** | 15+ requirements (1, 2, 4, 6, 7, 8, 10, 11) |
+
+---
+
+## 📁 Project Structure
+
+```
+mikrotik-rsc-auditor/
+├── scripts/
+│   ├── audit_rsc.py              # Main entry point (2,860 lines)
+│   ├── cve_database.py            # CVE lookup + NVD API (1,111 lines)
+│   ├── conflict_analyzer.py       # 8 conflict types (1,551 lines)
+│   ├── conflict_explanations.py   # User-friendly explanations (650 lines)
+│   ├── ioc_analyzer.py            # 10 IoC types (784 lines)
+│   ├── sanitize_rsc.py            # Config redaction for safe sharing (72 lines)
+│   └── lint_rsc.py                # Script linter with scope tracking (587 lines)
+├── references/
+│   ├── AUDIT_CHECKS.md            # 108-item audit checklist
+│   ├── SECURITY_BASELINE.md       # Secure configuration baseline
+│   ├── SYNTAX_REFERENCE.md        # RouterOS .rsc syntax reference
+│   ├── COMPLIANCE_MAPPING.md      # CIS/NIST/ISO/PCI-DSS crosswalk
+│   ├── EXAMPLES.md                # Idempotent scripting patterns
+│   └── SCRIPTING_PITFALLS.md      # Common RouterOS scripting mistakes
+├── examples/
+│   ├── sanitized-export.rsc       # Sanitized real-world export
+│   ├── minimal-config.rsc         # Minimal secure configuration
+│   └── vulnerable-config.rsc      # Deliberately insecure demo config
+├── tests/                         # Test suite
+├── CHANGELOG.md                   # Release history
+├── CONTRIBUTING.md                # Contribution guide
+├── LICENSE                        # MIT license
+├── pyproject.toml                 # Python packaging
+└── README.md                      # This file
+```
+
+---
+
+## 📦 Installation
+
+### From PyPI (recommended)
+
+```bash
+pip install mikrotik-rsc-auditor
+```
+
+### Isolated with pipx
+
+```bash
+pipx install mikrotik-rsc-auditor
+```
+
+### From source
+
+```bash
+git clone https://github.com/your-org/mikrotik-rsc-auditor.git
+cd mikrotik-rsc-auditor
+pip install -e .
+```
+
+### As a pi agent skill
+
+```bash
+pi install npm:@scope/mikrotik-rsc-auditor
+```
+
+---
+
+## 📋 Requirements
+
+- Python 3.10 or later
+- **Zero external dependencies** — only Python standard library
+- For live CVE lookup: internet access + optional `NVD_API_KEY` environment variable
+- For linting: RouterOS script files (`.rsc`)
+
+---
+
+## 🤝 Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on reporting bugs, suggesting features, and submitting pull requests.
+
+---
+
+## 📄 License
+
+MIT License — see [LICENSE](LICENSE) for full text.
+
+---
+
+## 🔗 Related
+
+- [MikroTik RouterOS Documentation](https://help.mikrotik.com/docs/)
+- [CIS RouterOS Benchmark](https://www.cisecurity.org/benchmark/mikrotik_routeros)
+- [NIST NVD](https://nvd.nist.gov/)
+- [Pi Agent Framework](https://github.com/nicolodavis/pi)

package/SKILL.md

@@ -0,0 +1,289 @@
+---
+name: mikrotik-rsc-auditor
+description: "Audit MikroTik RouterOS configuration files (.rsc) for security issues, compliance gaps, syntax errors, and configuration best practices. Performs comprehensive offline static analysis of exported RouterOS configs. Use when auditing .rsc files, reviewing RouterOS security, or assessing MikroTik device configurations for compliance hardening."
+---
+
+# MikroTik RouterOS .rsc Auditor
+
+Expert-level offline static analysis skill for auditing MikroTik RouterOS exported configuration files (`.rsc`). Covers 100+ audit checks across 9 security domains with CVSS-based severity scoring, compliance mapping (CIS/NIST/ISO/PCI-DSS), and generated remediation scripts.
+
+## When to Use
+
+- A `.rsc` configuration export is provided for security review
+- Evaluating a RouterOS deployment for security hardening compliance
+- Pre-deployment audit of a configuration before applying to production
+- Post-incident forensic review of router configuration artifacts
+- Compliance audit mapping RouterOS config to CIS/NIST/ISO/PCI-DSS controls
+- Assessing MikroTik hAP, CCR, RB, or Cloud Core Router configurations
+
+**NOT for:**
+- Live SSH/REST API interaction with a running RouterOS device
+- Creating new `.rsc` scripts from scratch (see `mikrotik-routeros-rsc` skill)
+- Realtime traffic analysis or SNMP monitoring
+- Configuring CAPsMAN, BGP sessions, or other dynamic protocols
+
+## Audit Methodology
+
+The audit follows a 9-phase static analysis methodology applied to the entire `.rsc` file:
+
+```
+Phase 1:  Parse & Normalize     — Tokenize the .rsc, extract all config paths
+Phase 2:  Authentication Audit   — Users, groups, service ACLs, password policies
+Phase 3:  Service Surface Audit  — All enabled services, their bindings and ACLs
+Phase 4:  Firewall & RAW Audit   — Filter/NAT/Mangle rules, connection tracking
+Phase 5:  System Hardening Audit — Version, NTP, logging, updates, backups
+Phase 6:  Network Config Audit   — VLANs, bridges, DHCP, DNS, interfaces
+Phase 7:  Routing Security Audit — BGP/OSPF auth, filters, prefix limits
+Phase 8:  WiFi Security Audit    — Encryption, isolation, CAPsMAN, PMF
+Phase 9:  Script & Automation    — Script permissions, hardcoded secrets, scheduler
+```
+
+Each finding is assigned a severity using CVSS v3.1 principles adapted for configuration analysis:
+
+| Severity | Score Range | Impact | Example |
+|----------|-------------|--------|---------|
+| **Critical** | 9.0–10.0 | Immediate compromise | Default admin, no firewall, WAN services exposed |
+| **High** | 7.0–8.9 | Significant weakness | Open DNS resolver, SNMP public, no brute-force protection |
+| **Medium** | 4.0–6.9 | Defense-in-depth gap | No remote syslog, NTP not configured, bridge MTU misconfig |
+| **Low** | 0.1–3.9 | Informational | System identity not set, LCD not configured |
+| **Info** | 0.0 | Reference only | RouterOS version reported, model identified |
+
+## Audit Check Categories
+
+### 1. Authentication & Access Control (AUTH) — 18 checks — Critical
+Default admin, weak/no passwords, users without IP restrictions, SSH crypto, MAC-services (telnet/winbox/ping), WinBox/API on WAN, login restrictions, password policies, RoMON, permissive policies.
+
+### 2. Service Hardening (SRV) — 17 checks — High
+DNS open resolver, bandwidth server, proxy/SOCKS/UPnP, neighbor discovery on WAN, SNMP v1/v2c public, Telnet/FTP/PPTP, cloud services, SMB, WebFig HTTP, unused interfaces.
+
+### 3. Firewall & Network Security (FW) — 17 checks — Critical/High
+Missing default rules, no WAN drop, no established/related, brute-force protection, bogon filtering (RAW), IPv6 firewall, FastTrack, port knocking, unrestricted WAN access, ICMP rate limiting, DSTNAT controls, broadcast blocking, connection tracking limits.
+
+### 4. System Hardening (SYS) — 10 checks — High
+RouterOS version (CVE check), identity, NTP, local logging, remote syslog, update policy, unsigned packages, support output, backup configuration.
+
+### 5. Network Configuration (NET) — 9 checks — Medium
+Bridge VLAN filtering, DHCP security, DHCP lease storage on flash-constrained, DNS cache poisoning, MTU, VRRP/HA, hAP ac² offload considerations.
+
+### 6. Routing Security (ROUTE) — 9 checks — Medium/High
+BGP MD5 auth, OSPF auth, routing filters, BGP TTL security, prefix limits, dynamic routing on WAN, default route resilience, loopback router ID.
+
+### 7. WiFi Security (WIFI) — 13 checks — High/Medium
+Insecure encryption (WEP/TKIP), WPS, guest isolation, hidden SSID, per-band security, client isolation, CAPsMAN encryption, access lists, PMF, password strength, DFS radar handling, hAP ac² flash crisis.
+
+### 8. Script & Automation (SCRIPT) — 9 checks — Medium
+Excessive permissions, hardcoded credentials, single-instance guards, error handling, global variable pollution, destructive commands.
+
+### 9. Compliance Mapping (COMP) — 6 info checks
+CIS crosswalk, NIST SP 800-53, ISO 27001, PCI-DSS, Mitre ATT&CK, CVSS scoring.
+
+## Interactive Onboarding
+
+When the user invokes the skill on a `.rsc` file without providing additional context, use `ask_user_question` to gather missing information. This tailors the audit to the specific device and deployment, reducing false positives and irrelevant findings.
+
+### Tier 1 Questions (Essential — ask on first run, skip if profile exists)
+
+**Question 1: Device Role** — Determines the security baseline severity:
+- Home Router → relaxed defaults (WAN-side UPnP = Info, not Critical)
+- Office/SMB Gateway → medium hardening (VLAN isolation, VPN checks enabled)
+- Enterprise Router → maximum hardening (RADIUS, 802.1X, logging checks = Critical)
+- ISP/DC Router → carrier-grade (BGP security, minimal attack surface focus)
+
+**Question 2: Services in Use** — Multi-select; unused services get N/A (excluded from report):
+- Internet Gateway / NAT
+- WiFi Access Point (2.4GHz, 5GHz, or both)
+- DHCP Server
+- DNS Server
+- VPN Server (L2TP/IPsec, SSTP, WireGuard, OpenVPN)
+- Dynamic Routing (BGP, OSPF)
+- CAPsMAN Controller
+
+**Question 3: Audit Scope** — Controls check depth:
+- Quick Review → top 15 critical/high checks only (~2 seconds)
+- Standard Audit → all 108 checks with full scoring
+- Compliance Focus → filtered to selected framework
+
+### Tier 2 Questions (Conditional — ask only if relevant)
+
+**If Compliance Focus selected:** Which framework? (CIS / NIST / ISO / PCI-DSS)
+
+**If WiFi selected:** Deployment type? (Home/SOHO / Office-Enterprise / Public Hotspot)
+
+**If Routing selected:** Profile? (Single ISP / Multi-homed BGP / Internal OSPF)
+
+### Profile Persistence
+
+Save answers to `~/.config/mikrotik-auditor/profile.yml` after the first run:
+
+```yaml
+version: 1
+device_role: "office"
+services:
+  - nat
+  - wifi
+  - dhcp
+audit_scope: "standard"
+compliance: "cis"
+routing: null
+wifi_type: "home"
+cve_check: "offline"
+```
+
+On subsequent runs, if the profile exists, skip all questions and use saved values (silent mode). Offer to re-interview if the user passes `--reconfigure`.
+
+### Answer → Audit Mapping
+
+| Answer | Effect |
+|--------|--------|
+| `device_role = "home"` | Relaxed severity for WAN-side UPnP, management access |
+| `device_role = "enterprise"` | RADIUS, 802.1X, logging checks become Critical severity |
+| `services = ["wifi"]` | WiFi checks are active. Missing encryption → Critical |
+| `services = []` | WiFi checks set to N/A — excluded from report |
+| `services = ["routing"]` | BGP/OSPF authentication checks enabled |
+| `audit_scope = "quick"` | Only top 15 findings by CVSS score |
+| `audit_scope = "compliance"` | Filter to compliance-mapped checks only |
+| `cve_check = "offline"` | Pass `--cve` to audit_rsc.py |
+| `cve_check = "live"` | Pass `--cve --cve-live` to audit_rsc.py |
+
+### Implementation Note
+
+All interactivity lives in this SKILL.md — the Python tools remain pure CLI with no interactive logic. The `ask_user_question` tool is a pi agent capability. Profile reading/writing is done via `bash` commands (`cat`, `write`). This separation keeps the CLI tool chainable in pipelines while the skill provides the interactive UX.
+
+## Response Approach
+
+1. **Check for profile** — If `~/.config/mikrotik-auditor/profile.yml` exists, read it silently. If not, enter interactive onboarding (see Interactive Onboarding section).
+2. **Parse** the `.rsc` file — extract all configuration paths, commands, and parameters
+3. **Apply context** — Use profile answers to tailor check relevance, severity, and scope
+4. **Run audit checks** against each configuration domain in order (AUTH → SRV → FW → SYS → NET → ROUTE → WIFI → SCRIPT → COMP)
+5. **Assign severity** to each finding using the CVSS-based scale, adjusted by device role and hardware profile
+6. **Generate remediation** — produce the exact RouterOS CLI commands to fix each finding
+7. **Score the config** — overall security score (0–100) with per-category breakdown
+8. **Generate reports** — structured JSON, raw text, and Markdown report format with severity grouping
+9. **Map to compliance frameworks** — cross-reference each finding to CIS/NIST/ISO/PCI-DSS controls
+10. **Save profile** — If this was an interactive run, save answers to profile.yml for next time
+
+## Report Structure
+
+Every audit produces a structured report with these sections:
+```
+1.  Meta — device model, RouterOS version, export timestamp, software ID
+2.  Risk Score — overall (0-100) with per-category heatmap
+3.  Critical Findings — immediate action required (list with CVSS, path, fix)
+4.  High Findings — significant security weaknesses (list with CVSS, path, fix)
+5.  Medium Findings — defense-in-depth gaps (list with CVSS, path, fix)
+6.  Low Findings — informational (list)
+7.  Compliance Map — CIS/NIST/ISO/PCI-DSS control mappings per finding
+8.  Summary Statistics — counts by severity, category hits, false positive notes
+9.  Remediation Commands — per-finding RouterOS CLI commands (consolidation planned)
+10. Hardware Profile — detected device model and applied profile details
+```
+
+## Safety Guardrails
+
+- **DO NOT** output actual credentials, keys, or certificates found in configs — mask with `[REDACTED]`
+- **DO NOT** suggest `system reset-configuration` unless explicitly requested
+- **DO NOT** recommend firmware downgrades without CVE justification
+- **DO NOT** recommend blocking essential services without understanding the deployment context
+- **ALWAYS** classify findings with severity and note when context may change risk level
+- **ALWAYS** include the exact config path in findings for reproducible reference
+- **ALWAYS** provide remediation CLI commands for every actionable finding
+
+## Limitations & Assumptions
+
+- Offline analysis cannot verify live state — only what was exported. Some checks (e.g., port knocking state, brute-force detection) inherently require live access.
+- Export file format assumptions: assumes standard `/export` output; `hide-sensitive=yes` masks passwords; `verbose=yes` includes defaults; `compact=yes` (default) omits default values.
+- If `hide-sensitive` was used, password-related checks show `[REDACTED]` values, which must be noted as indeterminate.
+- RouterOS v7 vs v6 syntax differences are flagged but both are validated against their respective grammar.
+- hAP ac² flash space cannot be determined from a config export — requires live `/system resource print`.
+- Device model detection from export header is best-effort (model line may be truncated or absent). When no profile matches, a generic profile is used with default severity and no hardware-specific exclusions.
+
+## References
+
+- [references/AUDIT_CHECKS.md](references/AUDIT_CHECKS.md) — Complete 100+ item audit checklist with per-check rationale, query, and fix
+- [references/SECURITY_BASELINE.md](references/SECURITY_BASELINE.md) — Secure configuration baseline with service-by-service safe defaults
+- [references/SYNTAX_REFERENCE.md](references/SYNTAX_REFERENCE.md) — RouterOS .rsc syntax and validation rules
+- [references/COMPLIANCE_MAPPING.md](references/COMPLIANCE_MAPPING.md) — CIS/NIST/ISO/PCI-DSS control mapping reference
+- [references/EXAMPLES.md](references/EXAMPLES.md) — Idempotent RouterOS scripting patterns with copy-paste ready code
+- [references/SCRIPTING_PITFALLS.md](references/SCRIPTING_PITFALLS.md) — Common RouterOS scripting mistakes and safe alternatives
+- [references/HARDWARE_COMPATIBILITY.md](references/HARDWARE_COMPATIBILITY.md) — Hardware compatibility matrix with device profiles, severity adjustments, and per-family check applicability for 15+ MikroTik device families
+- [scripts/audit_rsc.py](scripts/audit_rsc.py) — Python tool for automated offline .rsc audit with HTML/JSON/TXT reports
+
+## Related Tools
+
+The following companion scripts extend the auditor with specialized analysis capabilities:
+
+- [scripts/cve_database.py](scripts/cve_database.py) — CVE lookup tool for RouterOS versions. Uses a static database of 9+ known CVEs (CVE-2018-14847 through CVE-2024-23895) with version parsing, wildcard/range matching, and severity scoring. Supports optional live NIST NVD API v2.0 lookup with 24-hour caching. Integrated via `--cve` and `--cve-live` flags.
+
+- [scripts/conflict_analyzer.py](scripts/conflict_analyzer.py) — Rule conflict detection for firewall, NAT, and mangle configurations. Detects 8 conflict types: unreachable rules, NAT bypasses firewall, orphan routing marks, interfaces not in interface lists, address list conflicts, missing FastTrack, shadowed rules, and duplicate rules. Integrated via `--conflicts` flag.
+
+- [scripts/ioc_analyzer.py](scripts/ioc_analyzer.py) — Indicator of Compromise (IoC) detection for signs of active RouterOS compromise. Checks for: scheduler fetch backdoors (VPNFilter pattern), SOCKS/HTTP proxies (Meris botnet), suspicious files, unknown admin users, DNS hijacking, mangle sniff rules, cryptominer indicators, and C2 patterns (IP:port, Telegram, Discord webhooks). Integrated via `--ioc` flag.
+
+- [scripts/lint_rsc.py](scripts/lint_rsc.py) — Heuristic script linter for pre-deployment validation of .rsc scripts. Features scope-tracking engine (5 scope kinds), context-aware suppression, and 15+ rules across 5 categories. Detects destructive commands, unconditional bulk removes, unguarded `add` operations, fixed numeric IDs, bare `import` usage, `:delay` in loops, and credential leakage in `:log` statements. Integrated via `--lint` flag.
+
+- [scripts/device_profiles.py](scripts/device_profiles.py) — Device profile definitions for 15+ MikroTik hardware families. Detects device model from export header and tailors audit checks (severity adjustments, N/A exclusions, special hardware checks) to the specific platform. Powers the Hardware Compatibility system.
+
+## Hardware Compatibility
+
+The auditor includes a hardware-aware device profile system that automatically tailors all 108 security checks to the specific MikroTik device being audited.
+
+### How It Works
+
+When processing an `.rsc` export, the auditor extracts the device model from the export header (`# model = ...`) and matches it against a library of 15+ device profiles covering all major MikroTik families:
+
+| Family | Examples | Key Difference |
+|--------|----------|----------------|
+| **hAP** | ac², ax², ax³, lite | WiFi checks, flash-constrained models, AX stability |
+| **CCR** | CCR1036, CCR2004, CCR2216 | No WiFi, BGP/OSPF critical, FastTrack unsupported on TileGX |
+| **CRS** | CRS3xx, CRS1xx/2xx | No WiFi, HW offload, switch ACL bypass considerations |
+| **RB** | RB750Gr3, RB4011, RB5009 | Varies: some no WiFi, LCD on 4011, containers on 5009 |
+| **cAP/wAP** | cAP ac/ax, wAP ac/ax | CAPsMAN native, some flash-constrained |
+| **CPE** | LHG, SXT, mANTBox | Outdoor, PtP encryption, no LCD |
+| **CHR/x86** | Virtual, bare metal | No hardware constraints, license throughput limits |
+
+### What Gets Tailored
+
+- **N/A exclusion**: WiFi checks are skipped on CCR, CRS, RB5009, and other non-WiFi devices
+- **Severity adjustment**: Flash-constrained devices (hAP ac², hAP lite) get elevated severity for flash exhaustion checks. BGP security is Critical on ISP/DC routers
+- **Hardware-specific checks**: AX stability warnings apply only to hAP ax²/ax³, LCD PIN checks only to devices with displays
+- **Threshold tuning**: Connection tracking limits, DNS cache sizes, and ICMP rate limits are adjusted based on available RAM and CPU architecture
+
+### Supported Platforms
+
+See [references/HARDWARE_COMPATIBILITY.md](references/HARDWARE_COMPATIBILITY.md) for the complete device profile reference, including detailed specifications, detection regex, severity adjustment rules, and per-family check applicability matrices.
+
+The profile data and detection logic live in [scripts/device_profiles.py](scripts/device_profiles.py), which can be extended with new device profiles as MikroTik releases new hardware.
+
+## Development Workflow
+
+For engineers developing and deploying RouterOS scripts, the following workflow integrates auditing at every stage:
+
+```
+Step 1: Write script with idempotent patterns
+  → Follow the patterns in references/EXAMPLES.md
+  → Review references/SCRIPTING_PITFALLS.md for common mistakes
+
+Step 2: Lint the script before deployment
+  → python scripts/lint_rsc.py my-script.rsc --strict
+  → Fix any errors and warnings before proceeding
+
+Step 3: Dry-run the import on target device
+  → /import file=my-script.rsc verbose=yes dry-run
+  → Review output for unexpected changes
+
+Step 4: Import with :onerror wrapper for safety
+  → :onerror e in={ /import file=my-script.rsc } do={ :log error "Failed: $e" }
+  → This catches both import parse errors and script execution errors
+
+Step 5: Audit the deployed configuration
+  → Export config: /export hide-sensitive file=audit-export
+  → Run full audit: python scripts/audit_rsc.py audit-export.rsc --cve --conflicts --ioc
+  → Review findings and apply remediation commands
+```
+
+This workflow ensures that scripts are safe to import (steps 1–4) and the resulting configuration is secure (step 5). The `audit_rsc.py` tool with the new `--cve`, `--conflicts`, `--ioc`, and `--lint` flags provides end-to-end coverage from development to post-deployment.
+
+## Related Skills
+
+- `mikrotik-routeros-rsc` — Creating and editing RouterOS scripts (complementary; this skill audits what that skill creates)
+- `security-auditor` — General security auditing framework (this skill specializes for MikroTik/RouterOS)
+- `vulnerability-scanner` — Vulnerability scanning methodology (this skill focuses on config-specific findings)

package/examples/minimal-config.rsc

@@ -0,0 +1,55 @@
+# Minimal secure config — baseline for testing
+# RouterOS 7.22.3 — hAP ax³
+/interface bridge
+add admin-mac=xx:xx:xx:xx:xx:01 auto-mac=no name=bridge
+/interface list
+add name=WAN
+add name=LAN
+/interface list member
+add interface=ether1 list=WAN
+add interface=bridge list=LAN
+/ip address
+add address=192.168.88.1/24 interface=bridge
+/ip dhcp-server
+add address-pool=default-dhcp interface=bridge name=defconf
+/ip pool
+add name=default-dhcp ranges=192.168.88.10-192.168.88.254
+/ip dhcp-server network
+add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
+/ip dns
+set cache-size=2048KiB servers=9.9.9.9,149.112.112.9
+/ip firewall filter
+add action=fasttrack-connection chain=forward connection-state=established,related
+add action=accept chain=input connection-state=established,related
+add action=accept chain=forward connection-state=established,related
+add action=drop chain=input connection-state=invalid
+add action=drop chain=forward connection-state=invalid
+add action=accept chain=input protocol=icmp
+add action=drop chain=input in-interface-list=!LAN
+add action=drop chain=forward in-interface-list=WAN connection-nat-state=!dstnat connection-state=new
+/ip firewall nat
+add action=masquerade chain=srcnat out-interface-list=WAN
+/ip service
+set ftp disabled=yes
+set ssh disabled=no address=192.168.88.0/24
+set telnet disabled=yes
+set www disabled=yes
+set winbox address=192.168.88.0/24
+/ip ssh
+set strong-crypto=yes
+/tool mac-server
+set allowed-interface-list=LAN
+/tool mac-server mac-winbox
+set allowed-interface-list=LAN
+/ip neighbor discovery-settings
+set discover-interface-list=LAN
+/system ntp client
+set enabled=yes
+/system ntp client servers
+add address=de.pool.ntp.org
+/system clock
+set time-zone-name=Europe/Berlin
+/system identity
+set name=minimal-router
+/ip dns static
+add address=192.168.88.1 name=router.lan type=A