#!/usr/bin/env python3 """ MikroTik RouterOS .rsc Configuration Auditor ============================================= Offline static analysis tool for auditing exported RouterOS configuration files. Audits .rsc files for: - Security misconfigurations (100+ checks) - Syntax validation - Compliance gaps (CIS/NIST/ISO/PCI-DSS) - hAP-specific constraints (flash, HW offload, WiFi stability) Usage: python audit_rsc.py export.rsc # Default audit, text output python audit_rsc.py export.rsc --format json # JSON output python audit_rsc.py export.rsc --format html # HTML report python audit_rsc.py export.rsc --severity high # Only high+critical python audit_rsc.py export.rsc --check AUTH-001,FW-005 # Specific checks only python audit_rsc.py export.rsc --cve # Include CVE check python audit_rsc.py export.rsc --cve --cve-live # CVE + NVD live lookup python audit_rsc.py export.rsc --conflicts # Rule conflict analysis python audit_rsc.py export.rsc --ioc # IoC detection python audit_rsc.py export.rsc --lint script.rsc # Lint a separate script python audit_rsc.py export.rsc --skip-wifi # Skip WiFi checks python audit_rsc.py export.rsc --skip-routing # Skip routing checks """ import argparse import json import os import re import sys from collections import defaultdict from datetime import datetime from typing import Any, Dict, List, Optional, Tuple # ───────── New Module Imports ───────── from .cve_database import check_cve_for_version, CVE from .conflict_analyzer import ConflictAnalyzer, ConflictType, ConflictResult from .ioc_analyzer import IoCAnalyzer, IoCType, IoCResult from . import lint_rsc as linter from .device_profiles import detect_device, get_profile, DeviceProfile, DEVICE_PROFILES from .check_hardware_map import CHECK_HARDWARE_MAP, get_check_rules # ───────────────────────────────────── # ────────────────────────────── Audit Check Definitions ────────────────────────────── AUDIT_CHECKS: List[Dict[str, Any]] = [ # ═══ AUTHENTICATION & ACCESS CONTROL ═══ { "id": "AUTH-001", "domain": "general", "name": "Default admin user present", "severity": "Critical", "cvss": "9.8", "category": "Authentication & Access Control", "path": "/user", "description": "Default admin user exists without being disabled or removed", "detect": [ r"/user\s+add\s+.*?\bname=admin\b", r"/user\s+set\s+.*?\bname=admin\b(?!.*disabled=yes)", ], "remediation": ( "/user add name=localadmin group=full password=\n" "/user disable [find name=admin]" ), "compliance": {"cis": "1.1", "nist": "AC-2", "iso": "A.8.3", "pci": "2.1"}, }, { "id": "AUTH-002", "domain": "general", "name": "No password set on admin user", "severity": "Critical", "cvss": "10.0", "category": "Authentication & Access Control", "path": "/user", "description": "User accounts without password or with empty password", "detect": [ r"/user\s+add\s+.*?\bname=(\w+)\b(?!.*password=)", r"/user\s+set\s+.*?\bname=(\w+)\b(?!.*password=)", ], "remediation": ( "/user set [find name=] password=" ), "compliance": {"cis": "1.1", "nist": "IA-5", "iso": "A.8.5", "pci": "8.2"}, }, { "id": "AUTH-003", "domain": "general", "name": "Weak password patterns", "severity": "High", "cvss": "7.5", "category": "Authentication & Access Control", "path": "/user", "description": "Passwords use common words, short length, or default patterns", "detect": [ r"password=admin", r"password=1234", r"password=mikrotik", r"password=default", r"password=.{1,7}\b", ], "remediation": ( "Use passwords with minimum 12 characters, mixed case, numbers, and symbols.\n" "/user set [find name=] password=" ), "compliance": {"cis": "1.2", "nist": "IA-5(1)", "iso": "A.8.5", "pci": "8.2.1"}, }, { "id": "AUTH-004", "domain": "general", "name": "Users in full group without IP restrictions", "severity": "High", "cvss": "7.5", "category": "Authentication & Access Control", "path": "/user", "description": "Users with 'full' group membership not restricted to specific source IPs", "detect": [ r"/user\s+add\s+.*?\bgroup=full\b(?!.*address=)", r"/user\s+set\s+.*?\bgroup=full\b(?!.*address=)", ], "remediation": ( "/user set [find name=] address=" ), "compliance": {"cis": "3.1", "nist": "AC-6", "iso": "A.5.15", "pci": "7.1"}, }, { "id": "AUTH-005", "domain": "general", "name": "SSH weak-crypto enabled", "severity": "High", "cvss": "7.4", "category": "Authentication & Access Control", "path": "/ip ssh", "description": "SSH server configured with weak cryptography (strong-crypto=no)", "detect": [ r"/ip\s+ssh\s+set\s+.*?strong-crypto=no\b", ], "remediation": ( "/ip ssh set strong-crypto=yes" ), "compliance": {"cis": "3.2", "nist": "SC-8", "iso": "A.8.5", "pci": "2.2.3"}, }, { "id": "AUTH-006", "domain": "general", "name": "MAC-Telnet service enabled", "severity": "High", "cvss": "7.5", "category": "Authentication & Access Control", "path": "/tool mac-server", "description": "MAC-Telnet service is enabled, allowing L2 access without IP authentication", "detect": [ r"/tool\s+mac-server\s+set\s+.*?allowed-interface-list=all\b", r"/tool\s+mac-server\s+set\s+.*?allowed-interface-list=.*?(?!none)", ], "remediation": ( "/tool mac-server set allowed-interface-list=none\n" "/tool mac-server mac-winbox set allowed-interface-list=none" ), "compliance": {"cis": "3.3", "nist": "AC-17", "iso": "A.8.22", "pci": "2.2.3"}, }, { "id": "AUTH-007", "domain": "general", "name": "MAC-WinBox service enabled", "severity": "High", "cvss": "7.5", "category": "Authentication & Access Control", "path": "/tool mac-server mac-winbox", "description": "MAC-WinBox service enabled, allowing L2 WinBox access", "detect": [ r"/tool\s+mac-server\s+mac-winbox\s+set\s+allowed-interface-list=all\b", ], "remediation": ( "/tool mac-server mac-winbox set allowed-interface-list=none" ), "compliance": {"cis": "3.3", "nist": "AC-17", "iso": "A.8.22", "pci": "2.2.3"}, }, { "id": "AUTH-008", "domain": "general", "name": "MAC-Ping service enabled", "severity": "Medium", "cvss": "5.3", "category": "Authentication & Access Control", "path": "/tool mac-server ping", "description": "MAC-Ping enabled, allowing device discovery at L2", "detect": [ r"/tool\s+mac-server\s+ping\s+set\s+enabled=yes\b", ], "remediation": ( "/tool mac-server ping set enabled=no" ), "compliance": {"cis": "3.3", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "AUTH-009", "domain": "general", "name": "WinBox exposed on WAN", "severity": "Critical", "cvss": "9.1", "category": "Authentication & Access Control", "path": "/ip service", "description": "WinBox service is accessible from WAN interface (no firewall restriction)", "detect": [ r"/ip\s+service\s+set\s+winbox\s+disabled=no\b", r"/ip\s+service\s+set\s+winbox\s+.*?address=\S+", ], "remediation": ( "/ip service set winbox address=" ), "compliance": {"cis": "3.4", "nist": "AC-17", "iso": "A.8.22", "pci": "2.2.3"}, }, { "id": "AUTH-010", "domain": "general", "name": "API/REST-API exposed on WAN", "severity": "Critical", "cvss": "9.1", "category": "Authentication & Access Control", "path": "/ip service", "description": "API or API-SSL service accessible from WAN", "detect": [ r"/ip\s+service\s+set\s+api\s+disabled=no\b", r"/ip\s+service\s+set\s+api-ssl\s+disabled=no\b", ], "remediation": ( "/ip service set api disabled=yes\n" "/ip service set api-ssl address=" ), "compliance": {"cis": "3.5", "nist": "AC-17", "iso": "A.8.22", "pci": "2.2.3"}, }, { "id": "AUTH-011", "domain": "general", "name": "No login attempt restrictions", "severity": "High", "cvss": "7.5", "category": "Authentication & Access Control", "path": "/ip firewall filter", "description": "No brute-force protection rules for management service access", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+.*?connection-state=new\s+.*?(?:dst-port|port).*(?:22|8291)", ], "negate": True, "remediation": ( "Add brute-force detection rules:\n" "/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 \\\n" " connection-state=new src-address-list=ssh_blacklist action=drop \\\n" " comment=\"Drop brute-force sources\"\n" "/ip firewall filter add chain=input protocol=tcp dst-port=22,8291 \\\n" " connection-state-new src-address-list=ssh_stalker action=add-src-to-list \\\n" " address-list=ssh_blacklist address-list-timeout=1h \\\n" " comment=\"Escalate stalker to blacklist\"" ), "compliance": {"cis": "4.4", "nist": "AC-7", "iso": "A.8.5", "pci": "8.3"}, }, { "id": "AUTH-012", "domain": "general", "name": "Default management ports unchanged", "severity": "Low", "cvss": "3.7", "category": "Authentication & Access Control", "path": "/ip service", "description": "Management services using default ports (SSH:22, WinBox:8291, WWW:80)", "detect": [ r"/ip\s+service\s+set\s+ssh\s+.*?port=22\b", r"/ip\s+service\s+set\s+winbox\s+.*?port=8291\b", r"/ip\s+service\s+set\s+www\s+.*?port=80\b", ], "remediation": ( "/ip service set ssh port=2222 comment=\"SSH alternate port\"\n" "Note: changing ports is security-through-obscurity; focus on ACLs." ), "compliance": {"cis": "3.6", "nist": "CM-6", "iso": "A.8.9", "pci": "2.2"}, }, { "id": "AUTH-013", "domain": "general", "name": "RoMON enabled", "severity": "Medium", "cvss": "5.9", "category": "Authentication & Access Control", "path": "/romon", "description": "RoMON protocol enabled, allowing remote monitoring without authentication", "detect": [ r"/romon\s+set\s+enabled=yes\b", ], "remediation": ( "/romon set enabled=no" ), "compliance": {"cis": "3.7", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "AUTH-014", "domain": "general", "name": "No password policy enforcement", "severity": "Medium", "cvss": "5.9", "category": "Authentication & Access Control", "path": "/user settings", "description": "No minimum password length or complexity requirements configured", "detect": [ r"/user\s+settings\s+set\s+.*?minimum-password-length=", ], "negate": True, "remediation": ( "/user settings set minimum-password-length=12" ), "compliance": {"cis": "1.2", "nist": "IA-5(1)", "iso": "A.8.5", "pci": "8.2.1"}, }, { "id": "AUTH-015", "domain": "general", "name": "User accounts without expiry configured", "severity": "Low", "cvss": "3.3", "category": "Authentication & Access Control", "path": "/user", "description": "User accounts without configured expiration", "detect": [ r"/user\s+add\s+.*?\bname=(\w+)\b(?!.*?disabled=yes)(?!.*?last-logged-in)", ], "remediation": ( "Set password expiration via external management; RouterOS lacks native password expiry." ), "compliance": {"cis": "1.3", "nist": "AC-2(2)", "iso": "A.8.3", "pci": "8.1"}, }, { "id": "AUTH-016", "domain": "general", "name": "Sensitive policies too permissive", "severity": "High", "cvss": "7.1", "category": "Authentication & Access Control", "path": "/user group", "description": "User groups configured with overly broad policies (full/read/write/policy/test/sniff/sensitive/reboot combined)", "detect": [ r"/user\s+group\s+set\s+.*?policy=.*?full\b", r"/user\s+group\s+add\s+.*?policy=.*?full\b", ], "remediation": ( "Create specific groups with minimal policies:\n" "/user group add name=monitor policy=read,test\n" "/user group add name=operator policy=read,write,policy,reboot\n" "/user set [find group=full] group=operator" ), "compliance": {"cis": "1.4", "nist": "AC-6", "iso": "A.5.15", "pci": "7.2"}, }, { "id": "AUTH-017", "domain": "general", "name": "SSH idle timeout not configured", "severity": "Medium", "cvss": "5.3", "category": "Authentication & Access Control", "path": "/ip ssh", "description": "SSH idle timeout not set — sessions can remain open indefinitely", "detect": [ r"/ip\s+ssh\s+set\s+.*?idle-timeout=\d+[smhd]\b", ], "negate": True, "remediation": "/ip ssh set idle-timeout=10m", "compliance": {"cis": "3.5", "nist": "AC-11", "iso": "A.8.5", "pci": "8.1.8"}, }, { "id": "AUTH-018", "domain": "general", "name": "RADIUS AAA not configured for admin auth", "severity": "Medium", "cvss": "4.6", "category": "Authentication & Access Control", "path": "/radius", "description": "No RADIUS server configured for centralized admin authentication", "detect": [ r"/radius\s+add\s+.*?address=\d+\.\d+\.\d+\.\d+\b", ], "negate": True, "remediation": ( "/radius add address= secret= service=login\n" "/user aaa set use-radius=yes" ), "compliance": {"cis": "7.1", "nist": "AC-2(1)", "iso": "A.8.5", "pci": "8.3"}, }, # ═══ SERVICE HARDENING ═══ { "id": "SRV-001", "domain": "general", "name": "DNS remote requests allowed (open resolver)", "severity": "High", "cvss": "7.5", "category": "Service Hardening", "path": "/ip dns", "description": "DNS server configured to accept remote requests, creating an open DNS resolver", "detect": [ r"/ip\s+dns\s+set\s+.*?allow-remote-requests=yes\b", ], "remediation": ( "/ip dns set allow-remote-requests=no" ), "compliance": {"cis": "5.1", "nist": "SC-7", "iso": "A.8.12", "pci": "2.2.2"}, }, { "id": "SRV-002", "domain": "general", "name": "Bandwidth server enabled", "severity": "Medium", "cvss": "5.3", "category": "Service Hardening", "path": "/tool bandwidth-server", "description": "Bandwidth testing server enabled, consuming resources and potentially used for DoS amplification", "detect": [ r"/tool\s+bandwidth-server\s+set\s+enabled=yes\b", ], "remediation": ( "/tool bandwidth-server set enabled=no" ), "compliance": {"cis": "5.2", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-003", "domain": "general", "name": "Proxy service enabled", "severity": "High", "cvss": "7.5", "category": "Service Hardening", "path": "/ip proxy", "description": "Web proxy service enabled, creating an open proxy if not restricted", "detect": [ r"/ip\s+proxy\s+set\s+enabled=yes\b", ], "remediation": ( "/ip proxy set enabled=no" ), "compliance": {"cis": "5.3", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-004", "domain": "general", "name": "SOCKS service enabled", "severity": "High", "cvss": "7.5", "category": "Service Hardening", "path": "/ip socks", "description": "SOCKS proxy enabled, potential for traffic tunneling and compromise", "detect": [ r"/ip\s+socks\s+set\s+enabled=yes\b", ], "remediation": ( "/ip socks set enabled=no" ), "compliance": {"cis": "5.4", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-005", "domain": "general", "name": "UPnP enabled", "severity": "High", "cvss": "7.4", "category": "Service Hardening", "path": "/ip upnp", "description": "UPnP enabled, allowing internal devices to open firewall holes automatically", "detect": [ r"/ip\s+upnp\s+set\s+enabled=yes\b", ], "remediation": ( "/ip upnp set enabled=no" ), "compliance": {"cis": "5.5", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-006", "domain": "general", "name": "Neighbor discovery enabled on WAN", "severity": "Medium", "cvss": "5.3", "category": "Service Hardening", "path": "/ip neighbor discovery", "description": "Neighbor discovery (MNDP) enabled on WAN-facing interfaces, leaking device info at L2", "detect": [ r"/ip\s+neighbor\s+discovery\s+set\s+.*?discover=yes\b", r"/ip\s+neighbor\s+discovery-settings\s+set\s+.*?discover=yes\b", ], "remediation": ( "/ip neighbor discovery set interfaces=all discover=no\n" "/ip neighbor discovery set interfaces= discover=yes" ), "compliance": {"cis": "5.6", "nist": "CM-7", "iso": "A.8.20", "pci": "2.2.2"}, }, { "id": "SRV-007", "domain": "general", "name": "SNMP v1/v2c with public community", "severity": "High", "cvss": "7.5", "category": "Service Hardening", "path": "/snmp community", "description": "SNMP community 'public' configured with read access", "detect": [ r"/snmp\s+community\s+set\s+.*?\bname=public\b", r"/snmp\s+community\s+add\s+.*?\bname=public\b", ], "remediation": ( "/snmp community remove [find name=public]\n" "/snmp community add name=readonly address= security=authorized\n" "# Or disable SNMP entirely:\n" "/snmp set enabled=no" ), "compliance": {"cis": "5.7", "nist": "SI-4", "iso": "A.8.12", "pci": "2.2.2"}, }, { "id": "SRV-008", "domain": "general", "name": "Telnet service enabled", "severity": "High", "cvss": "7.4", "category": "Service Hardening", "path": "/ip service", "description": "Telnet service enabled (cleartext protocol, should be replaced by SSH)", "detect": [ r"/ip\s+service\s+set\s+telnet\s+disabled=no\b", r"/ip\s+service\s+enable\s+telnet\b", ], "remediation": ( "/ip service disable telnet" ), "compliance": {"cis": "5.8", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.3"}, }, { "id": "SRV-009", "domain": "general", "name": "FTP service enabled", "severity": "High", "cvss": "7.4", "category": "Service Hardening", "path": "/ip service", "description": "FTP service enabled (cleartext credentials, use SCP/SFTP instead)", "detect": [ r"/ip\s+service\s+set\s+ftp\s+disabled=no\b", r"/ip\s+service\s+enable\s+ftp\b", ], "remediation": ( "/ip service disable ftp" ), "compliance": {"cis": "5.9", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.3"}, }, { "id": "SRV-010", "domain": "general", "name": "PPTP server enabled", "severity": "Medium", "cvss": "5.9", "category": "Service Hardening", "path": "/ppp profile", "description": "PPTP VPN protocol enabled (insecure, use WireGuard or L2TP/IPsec instead)", "detect": [ r"/ppp\s+profile\s+set\s+.*?\bpptp\b", ], "remediation": ( "/ppp profile set [find name=default-encryption] use-encryption=yes\n" "/interface wireguard add name=wg0\n" "# Migrate PPTP users to WireGuard" ), "compliance": {"cis": "5.10", "nist": "SC-8", "iso": "A.8.22", "pci": "2.2.3"}, }, { "id": "SRV-011", "domain": "general", "name": "Cloud services enabled", "severity": "Medium", "cvss": "4.6", "category": "Service Hardening", "path": "/ip cloud", "description": "MikroTik cloud services enabled (DDNS, update-time), increasing attack surface", "detect": [ r"/ip\s+cloud\s+set\s+.*?ddns-enabled=yes\b", r"/ip\s+cloud\s+set\s+.*?update-time=yes\b", ], "remediation": ( "/ip cloud set ddns-enabled=no update-time=no" ), "compliance": {"cis": "5.11", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-012", "domain": "general", "name": "SMB service enabled", "severity": "Medium", "cvss": "4.6", "category": "Service Hardening", "path": "/ip smb", "description": "SMB file sharing service enabled", "detect": [ r"/ip\s+smb\s+set\s+enabled=yes\b", ], "remediation": ( "/ip smb set enabled=no" ), "compliance": {"cis": "5.12", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-013", "domain": "general", "name": "Unused interfaces not disabled", "severity": "Low", "cvss": "3.7", "category": "Service Hardening", "path": "/interface ethernet", "description": "Physical ethernet ports may be unused but still enabled", "detect": [ r"/interface\s+ethernet\s+set\s+.*?\bdisabled=no\b", ], "remediation": ( "/interface ethernet set [find name=etherX] disabled=yes\n" "Requires knowledge of which interfaces are in use." ), "compliance": {"cis": "1.1", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "SRV-014", "domain": "general", "name": "WebFig/HTTP enabled without HTTPS", "severity": "Medium", "cvss": "5.9", "category": "Service Hardening", "path": "/ip service", "description": "HTTP (WWW) enabled while HTTPS (WWW-SSL) is disabled, exposing cleartext admin interface", "detect": [ r"/ip\s+service\s+set\s+www\s+disabled=no\b", r"/ip\s+service\s+disable\s+www-ssl\b", ], "remediation": ( "/ip service disable www\n" "/ip service enable www-ssl\n" "/ip service set www-ssl certificate=" ), "compliance": {"cis": "5.13", "nist": "SC-8", "iso": "A.8.22", "pci": "2.2.3"}, }, { "id": "SRV-015", "domain": "general", "name": "LCD not secured", "severity": "Low", "cvss": "2.2", "category": "Service Hardening", "path": "/lcd", "description": "LCD panel enabled without PIN protection (hardware-specific)", "detect": [ r"/lcd\s+set\s+enabled=yes\b(?!.*pin=)", ], "remediation": ( "/lcd set enabled=yes pin=" ), "compliance": {"cis": "5.14", "nist": "PE-3", "iso": "A.7.6", "pci": "9.1"}, }, { "id": "SRV-016", "domain": "general", "name": "DNS cache size not configured", "severity": "Low", "cvss": "3.3", "category": "Service Hardening", "path": "/ip dns", "description": "DNS cache size not explicitly configured — using potentially suboptimal default", "detect": [ r"/ip\s+dns\s+set\s+.*?cache-size=\d+\b", ], "negate": True, "remediation": ( "/ip dns set cache-size=4096\n" "# For large RAM devices (>512MB): cache-size=8192 recommended" ), "compliance": {"cis": "5.7", "nist": "SC-20", "iso": "A.8.12", "pci": "2.2"}, }, { "id": "SRV-017", "domain": "general", "name": "DNS query server TCP disabled", "severity": "Low", "cvss": "3.3", "category": "Service Hardening", "path": "/ip dns", "description": "DNS query-server-tcp not enabled — may cause issues with large DNS responses", "detect": [ r"/ip\s+dns\s+set\s+.*?query-server-tcp=yes\b", ], "negate": True, "remediation": "/ip dns set query-server-tcp=yes", "compliance": {"cis": "5.8", "nist": "SC-20", "iso": "A.8.12", "pci": "2.2"}, }, # ═══ FIREWALL & NETWORK SECURITY ═══ { "id": "FW-001", "domain": "general", "name": "No firewall filter rules defined", "severity": "Critical", "cvss": "10.0", "category": "Firewall & Network Security", "path": "/ip firewall filter", "description": "No firewall filter rules configured at all — device is completely unprotected", "detect": [ r"/ip\s+firewall\s+filter", ], "negate": True, "remediation": ( "Implement a defense-in-depth firewall ruleset:\n" "/ip firewall filter add chain=input connection-state=established,related action=accept \\\n" " comment=\"Allow established/related\"\n" "/ip firewall filter add chain=input connection-state=invalid action=drop \\\n" " comment=\"Drop invalid connections\"\n" "/ip firewall filter add chain=input protocol=icmp action=accept \\\n" " comment=\"Allow ICMP\"\n" "/ip firewall filter add chain=input dst-address-type=!local action=drop \\\n" " in-interface-list=WAN comment=\"Drop WAN to router\"" ), "compliance": {"cis": "4.1", "nist": "SC-7", "iso": "A.8.20", "pci": "1.1"}, }, { "id": "FW-002", "domain": "general", "name": "WAN input chain without default drop rule", "severity": "High", "cvss": "8.6", "category": "Firewall & Network Security", "path": "/ip firewall filter input", "description": "No default drop rule on WAN-facing input chain", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+chain=input\s+.*?\baction=drop\b.*?\bin-interface", ], "negate": True, "remediation": ( "/ip firewall filter add chain=input in-interface-list=WAN action=drop \\\n" " comment=\"Drop all WAN input by default\"" ), "compliance": {"cis": "4.2", "nist": "SC-7(5)", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-003", "domain": "general", "name": "No established/related connection rule", "severity": "High", "cvss": "7.5", "category": "Firewall & Network Security", "path": "/ip firewall filter input", "description": "No rule to accept established/related connections in input chain", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+chain=input\s+.*?\bconnection-state=established,related\b", ], "negate": True, "remediation": ( "/ip firewall filter add chain=input connection-state=established,related \\\n" " action=accept comment=\"Allow established/related\"" ), "compliance": {"cis": "4.3", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-004", "domain": "general", "name": "No brute-force protection", "severity": "High", "cvss": "7.5", "category": "Firewall & Network Security", "path": "/ip firewall filter", "description": "No address-list based brute-force protection rules for management services", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+.*?src-address-list=.*?blacklist\b.*?action=drop\b", ], "negate": True, "remediation": ( "See AUTH-011 for brute-force protection rules." ), "compliance": {"cis": "4.4", "nist": "AC-7", "iso": "A.8.5", "pci": "8.3"}, }, { "id": "FW-005", "domain": "general", "name": "No bogon filtering in RAW table", "severity": "High", "cvss": "7.5", "category": "Firewall & Network Security", "path": "/ip firewall raw", "description": "RAW table does not filter bogon IPs (RFC1918, loopback, multicast) on WAN interface", "detect": [ r"/ip\s+firewall\s+raw\s+add\s+chain=prerouting\s+.*?\bdst-address=.*?\baction=drop\b", ], "negate": True, "remediation": ( "/ip firewall raw add chain=prerouting dst-address=10.0.0.0/8 action=drop \\\n" " in-interface-list=WAN comment=\"Drop RFC1918\"\n" "/ip firewall raw add chain=prerouting dst-address=172.16.0.0/12 action=drop \\\n" " in-interface-list=WAN comment=\"Drop RFC1918\"\n" "/ip firewall raw add chain=prerouting dst-address=192.168.0.0/16 action=drop \\\n" " in-interface-list=WAN comment=\"Drop RFC1918\"\n" "/ip firewall raw add chain=prerouting dst-address=127.0.0.0/8 action=drop \\\n" " in-interface-list=WAN comment=\"Drop loopback\"\n" "/ip firewall raw add chain=prerouting protocol=tcp dst-port=22 action=drop \\\n" " in-interface-list=WAN src-address-list=blacklist comment=\"Drop blacklist\"" ), "compliance": {"cis": "4.5", "nist": "SC-7(5)", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-006", "domain": "general", "name": "IPv6 firewall not configured", "severity": "High", "cvss": "7.5", "category": "Firewall & Network Security", "path": "/ipv6 firewall filter", "description": "IPv6 firewall rules not configured (if IPv6 is enabled)", "detect": [ r"/ipv6\s+firewall\s+filter", ], "negate": True, "remediation": ( "/ipv6 firewall filter add chain=input connection-state=established,related action=accept\n" "/ipv6 firewall filter add chain=input connection-state=invalid action=drop\n" "/ipv6 firewall filter add chain=input protocol=icmpv6 action=accept\n" "/ipv6 firewall filter add chain=input action=drop comment=\"Drop all IPv6 input default\"" ), "compliance": {"cis": "4.6", "nist": "SC-7(11)", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-007", "domain": "general", "name": "FastTrack not configured", "severity": "Low", "cvss": "3.3", "category": "Firewall & Network Security", "path": "/ip firewall filter", "description": "FastTrack connection acceleration not configured for established connections", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+.*?\baction=fasttrack-connection\b", ], "negate": True, "remediation": ( "/ip firewall filter add chain=forward connection-state=established,related \\\n" " action=fasttrack-connection comment=\"FastTrack established\"\n" "Note: FastTrack works with NAT but bypasses queue trees, mangle rules, and per-connection queuing." ), "compliance": {"cis": "4.7", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-008", "domain": "general", "name": "Port knocking not configured for WAN services", "severity": "Medium", "cvss": "5.9", "category": "Firewall & Network Security", "path": "/ip firewall filter", "description": "Management services on WAN lack port knocking protection", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+.*?port-knocking\b", ], "negate": True, "remediation": ( "See MikroTik port knocking examples at:\n" "https://help.mikrotik.com/docs/spaces/ROS/pages/154042369/Port+knocking" ), "compliance": {"cis": "4.8", "nist": "AC-17", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-009", "domain": "general", "name": "WAN-side management access unrestricted", "severity": "Critical", "cvss": "9.1", "category": "Firewall & Network Security", "path": "/ip firewall filter", "description": "Management services (SSH, WinBox, API) reachable from WAN without restriction", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+chain=input\s+.*?\bin-interface=ether1\b(?!.*action=drop)", ], "remediation": ( "Add interface-list-based restriction:\n" "/interface list add name=WAN\n" "/interface list member add interface=ether1 list=WAN\n" "/interface list add name=LAN\n" "/interface list member add interface=bridge1 list=LAN\n" "/ip firewall filter add chain=input in-interface-list=WAN action=drop \\\n" " comment=\"Drop all WAN input\"\n" "/ip firewall filter add chain=input in-interface-list=LAN \\\n" " protocol=tcp dst-port=22,8291 action=accept comment=\"Allow mgmt from LAN\"" ), "compliance": {"cis": "4.2", "nist": "AC-17(2)", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-010", "domain": "general", "name": "Forward chain too permissive", "severity": "High", "cvss": "7.5", "category": "Firewall & Network Security", "path": "/ip firewall filter forward", "description": "No firewall restrictions in forward chain (inter-VLAN traffic unrestricted)", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+chain=forward\s+.*?\baction=accept\b", ], "remediation": ( "/ip firewall filter add chain=forward in-interface-list=LAN \\\n" " out-interface-list=LAN connection-state=established,related action=accept\n" "/ip firewall filter add chain=forward in-interface-list=LAN \\\n" " out-interface-list=WAN action=accept\n" "/ip firewall filter add chain=forward action=drop comment=\"Drop all forward default\"" ), "compliance": {"cis": "4.9", "nist": "SC-7", "iso": "A.8.21", "pci": "1.3"}, }, { "id": "FW-011", "domain": "general", "name": "NAT rules with overly broad source", "severity": "Medium", "cvss": "5.9", "category": "Firewall & Network Security", "path": "/ip firewall nat", "description": "Source NAT rules using source=0.0.0.0/0 should be scoped to LAN subnets", "detect": [ r"/ip\s+firewall\s+nat\s+add\s+chain=srcnat\s+.*?\bsrc-address=0\.0\.0\.0/0\b", ], "remediation": ( "/ip firewall nat set [find chain=srcnat] src-address=192.168.0.0/16\n" "# Or better, use specific LAN subnet" ), "compliance": {"cis": "4.10", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-012", "domain": "general", "name": "No ICMP rate limiting", "severity": "Medium", "cvss": "5.3", "category": "Firewall & Network Security", "path": "/ip firewall filter", "description": "No rate limiting on ICMP, could be used for DoS amplification", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+chain=input\s+.*?protocol=icmp\s+.*?\blimit\b", ], "negate": True, "remediation": ( "/ip firewall filter add chain=input protocol=icmp limit=10,5:packets \\\n" " action=accept comment=\"Rate-limited ICMP\"" ), "compliance": {"cis": "4.11", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-013", "domain": "general", "name": "DSTNAT without source restriction", "severity": "Medium", "cvss": "6.1", "category": "Firewall & Network Security", "path": "/ip firewall nat", "description": "Destination NAT rules without src-address restriction expose internal services broadly", "detect": [ r"/ip\s+firewall\s+nat\s+add\s+chain=dstnat\b(?!.*src-address=)", ], "remediation": ( "/ip firewall nat add chain=dstnat dst-port= protocol=tcp \\\n" " in-interface=ether1 src-address= action=dst-nat \\\n" " to-addresses= to-ports=\n" "Always restrict DSTNAT with src-address when possible." ), "compliance": {"cis": "4.12", "nist": "SC-7", "iso": "A.8.20", "pci": "1.3"}, }, { "id": "FW-014", "domain": "general", "name": "Broadcast/multicast not blocked", "severity": "Low", "cvss": "3.7", "category": "Firewall & Network Security", "path": "/ip firewall filter forward", "description": "Broadcast and multicast traffic not explicitly blocked in forward chain", "detect": [ r"/ip\s+firewall\s+filter\s+add\s+chain=forward\s+.*?\bdst-address-type=broadcast\b", r"/ip\s+firewall\s+filter\s+add\s+chain=forward\s+.*?\bdst-address-type=multicast\b", ], "negate": True, "remediation": ( "/ip firewall filter add chain=forward dst-address-type=broadcast action=drop\n" "/ip firewall filter add chain=forward dst-address-type=multicast action=drop" ), "compliance": {"cis": "4.13", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-015", "domain": "general", "name": "RAW table not configured", "severity": "Low", "cvss": "3.7", "category": "Firewall & Network Security", "path": "/ip firewall raw", "description": "RAW prerouting chain not configured for pre-conntrack packet filtering", "detect": [ r"/ip\s+firewall\s+raw", ], "negate": True, "remediation": ( "/ip firewall raw add chain=prerouting in-interface-list=WAN \\\n" " action=notrack comment=\"Skip tracking for high-throughput WAN\"" ), "compliance": {"cis": "4.14", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-016", "domain": "general", "name": "Connection tracking limits not configured", "severity": "Medium", "cvss": "5.9", "category": "Firewall & Network Security", "path": "/ip firewall connection tracking", "description": "Connection tracking max-entries or TCP syncookies not configured", "detect": [ r"/ip\s+firewall\s+connection-tracking\s+set", ], "negate": True, "remediation": ( "/ip firewall connection-tracking set max-entries=16384 tcp-syncookie=yes" ), "compliance": {"cis": "4.15", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "FW-017", "domain": "general", "name": "BGP TTL security not configured", "severity": "Medium", "cvss": "5.3", "category": "Firewall & Network Security", "path": "/routing bgp connection", "description": "BGP TTL security (GTSM) not configured — BGP sessions vulnerable to off-path attacks", "detect": [ r"/routing\s+bgp\s+connection\s+add\s+.*?ttl=\d+\b", ], "negate": True, "remediation": "/routing bgp connection set [find remote.address=] ttl=1", "compliance": {"cis": "4.16", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, # ═══ SYSTEM HARDENING ═══ # SYS-001 through SYS-009 { "id": "SYS-001", "domain": "general", "name": "RouterOS version check", "severity": "Info", "cvss": "0.0", "category": "System Hardening", "path": "export header", "description": "RouterOS version detected from export file header (no CVE analysis without live check)", "detect": [ r"#\s+\w+/\w+/\d+\s+\d+:\d+:\d+\s+by\s+RouterOS\s+(\d+\.\d+)", ], "remediation": "Check for CVEs at https://help.mikrotik.com and upgrade to latest stable.", "compliance": {"cis": "6.1", "nist": "SI-2", "iso": "A.8.8", "pci": "6.2"}, }, { "id": "SYS-002", "domain": "general", "name": "System identity not set to descriptive name", "severity": "Low", "cvss": "1.9", "category": "System Hardening", "path": "/system identity", "description": "System identity is not configured or is at default value (RouterOS)", "detect": [ r"/system\s+identity\s+set\s+name=(RouterOS|MikroTik)\b", ], "remediation": ( '/system identity set name="-"' ), "compliance": {"cis": "6.2", "nist": "CM-8", "iso": "A.8.9", "pci": "2.2"}, }, { "id": "SYS-003", "domain": "general", "name": "NTP not configured", "severity": "High", "cvss": "7.5", "category": "System Hardening", "path": "/system ntp client", "description": "NTP client not configured — logs will have incorrect timestamps", "detect": [ r"/system\s+ntp\s+client\s+set\s+enabled=yes\b", ], "negate": True, "remediation": ( "/system ntp client set enabled=yes primary-ntp=pool.ntp.org \\\n" " secondary-ntp=time.google.com" ), "compliance": {"cis": "6.3", "nist": "AU-8", "iso": "A.8.16", "pci": "10.4"}, }, { "id": "SYS-004", "domain": "general", "name": "Local logging not configured", "severity": "Medium", "cvss": "5.9", "category": "System Hardening", "path": "/system logging", "description": "System logging not configured for important topics (firewall, errors, critical)", "detect": [ r"/system\s+logging\s+add\s+topics=critical\b", r"/system\s+logging\s+add\s+topics=error\b", r"/system\s+logging\s+add\s+topics=firewall\b", ], "remediation": ( "/system logging add topics=info action=memory\n" "/system logging add topics=critical,error,warning action=memory\n" "/system logging add topics=ssh,winbox,account action=memory" ), "compliance": {"cis": "7.1", "nist": "AU-3", "iso": "A.8.15", "pci": "10.1"}, }, { "id": "SYS-005", "domain": "general", "name": "Remote syslog not configured", "severity": "Medium", "cvss": "5.9", "category": "System Hardening", "path": "/system logging action", "description": "No remote syslog server configured for centralized log aggregation", "detect": [ r"/system\s+logging\s+action\s+set\s+remote\s+.*?remote=\d+\.\d+\.\d+\.\d+\b", ], "negate": True, "remediation": ( "/system logging action set remote remote= \\\n" " remote-port=514 bsd-syslog=yes\n" "/system logging add topics=critical,error,warning,firewall,account \\\n" " action=remote comment=\"Send to SIEM\"" ), "compliance": {"cis": "7.2", "nist": "AU-9(2)", "iso": "A.8.15", "pci": "10.2"}, }, { "id": "SYS-006", "domain": "general", "name": "Auto-update check not configured", "severity": "Low", "cvss": "3.7", "category": "System Hardening", "path": "/system package update", "description": "RouterOS auto-update check channel not configured", "detect": [ r"/system\s+package\s+update\s+set\s+channel=stable\b", ], "negate": True, "remediation": ( "/system package update set channel=stable\n" "# Then periodically check:\n" "/system package update check-for-updates" ), "compliance": {"cis": "6.4", "nist": "SI-2", "iso": "A.8.8", "pci": "6.2"}, }, { "id": "SYS-007", "domain": "general", "name": "Unsigned packages allowed", "severity": "High", "cvss": "7.5", "category": "System Hardening", "path": "/system package update", "description": "RouterOS configured to allow unsigned packages", "detect": [ r"/system\s+package\s+update\s+set\s+.*?allow-signed=no\b", ], "skip_if_version_ge": 7.0, "remediation": ( "/system package update set allow-signed=yes" ), "compliance": {"cis": "6.5", "nist": "SI-7", "iso": "A.8.25", "pci": "6.3"}, }, { "id": "SYS-008", "domain": "general", "name": "Support output not secured", "severity": "Low", "cvss": "3.3", "category": "System Hardening", "path": "/tool", "description": "Support/troubleshooting tools accessible without restriction", "detect": [ r"/tool\s+sniffer\b", ], "remediation": ( "Restrict sniffer and bandwidth test via firewall or disable." ), "compliance": {"cis": "6.6", "nist": "AU-9", "iso": "A.8.9", "pci": "10.7"}, }, { "id": "SYS-009", "domain": "general", "name": "Backup not configured", "severity": "Medium", "cvss": "5.5", "category": "System Hardening", "path": "/system backup", "description": "No scheduled backup configuration found", "detect": [ r"/system\s+backup\s+save\b", r"/export\s+file={SCHEDULED_BACKUP}", ], "remediation": ( "# Add scheduled backup via scheduler:\n" "/system scheduler add name=daily-backup interval=1d \\\n" ' on-event="/system backup save name=auto-backup; \\\n' ' /export file=auto-config" \\\n' " comment=\"Daily configuration backup\"" ), "compliance": {"cis": "6.7", "nist": "CP-9", "iso": "A.8.8", "pci": "11.5"}, }, { "id": "SYS-010", "domain": "general", "name": "IPv6 not explicitly disabled when unused", "severity": "Low", "cvss": "3.3", "category": "System Hardening", "path": "/ipv6", "description": "IPv6 not disabled — potential unused attack surface if IPv6 is not deployed", "detect": [ r"/ipv6\s+settings\s+set\s+disable-ipv6=yes\b", ], "negate": True, "remediation": ( "/ipv6 settings set disable-ipv6=yes" ), "compliance": {"cis": "6.8", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, # ═══ NETWORK CONFIGURATION ═══ { "id": "NET-001", "domain": "general", "name": "Bridge VLAN filtering not enabled with VLANs present", "severity": "High", "cvss": "7.1", "category": "Network Configuration", "path": "/interface bridge", "description": "VLAN interfaces exist but bridge VLAN filtering is not enabled", "detect": [ r"/interface\s+vlan\b", ], "context": "if /interface bridge vlan-filtering=no or not set", "remediation": ( "/interface bridge set [find name=bridge1] vlan-filtering=yes\n" "# Note: disables HW offload on hAP ac²!" ), "compliance": {"cis": "8.1", "nist": "SC-7", "iso": "A.8.21", "pci": "1.3"}, }, { "id": "NET-002", "domain": "general", "name": "DHCP server without secure options", "severity": "Medium", "cvss": "5.9", "category": "Network Configuration", "path": "/ip dhcp-server", "description": "DHCP server not configured with lease limits or authoritative flag", "detect": [ r"/ip\s+dhcp-server\s+add\s+.*?\bname=(\w+)\b(?!.*lease-time=)", r"/ip\s+dhcp-server\s+set\s+.*?\buse-radius=yes\b", ], "remediation": ( "/ip dhcp-server set [find] authoritative=yes lease-time=01:00:00" ), "compliance": {"cis": "8.2", "nist": "SC-7", "iso": "A.8.9", "pci": "1.3"}, }, { "id": "NET-003", "domain": "general", "name": "DHCP lease storage on disk enabled (flash warning)", "severity": "Low", "cvss": "3.3", "category": "Network Configuration", "path": "/ip dhcp-server config", "description": "DHCP lease persistence to disk enabled on flash-constrained hardware (hAP ac² risk)", "detect": [ r"/ip\s+dhcp-server\s+config\s+set\s+store-leases-on-disk=yes\b", ], "skip_unless_model_in": ["RBD52G", "RB750", "RB750P", "RB750GL", "RB750Gr3", "RB951", "hAP ac", "hAP ac²", "hAP ac2", "CRS", "CRS1"], "remediation": ( "/ip dhcp-server config set store-leases-on-disk=no" ), "compliance": {"cis": "8.3", "nist": "CM-6", "iso": "A.8.9", "pci": "2.2"}, }, { "id": "NET-004", "domain": "general", "name": "DNS cache poisoning protection not configured", "severity": "Medium", "cvss": "5.3", "category": "Network Configuration", "path": "/ip dns", "description": "DNS cache size limits or query pool restrictions not configured", "detect": [ r"/ip\s+dns\s+set\s+.*?cache-size=2048\b", r"/ip\s+dns\s+set\s+.*?use-doh=yes\b", ], "remediation": ( "/ip dns set cache-size=4096" ), "compliance": {"cis": "8.4", "nist": "SC-20", "iso": "A.8.12", "pci": "2.2"}, }, { "id": "NET-005", "domain": "general", "name": "No DNS forwarders configured", "severity": "Medium", "cvss": "5.3", "category": "Network Configuration", "path": "/ip dns", "description": "DNS servers (forwarders) not explicitly configured", "detect": [ r"/ip\s+dns\s+set\s+.*?servers=\d+\.\d+\.\d+\.\d+\b", r"/ip\s+dns\s+set\s+.*?servers=[0-9a-fA-F:]+\b", r"/ip\s+dns\s+set\s+.*?servers=[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b", ], "negate": True, "remediation": ( "/ip dns set servers=1.1.1.1,8.8.8.8" ), "compliance": {"cis": "8.5", "nist": "SC-20", "iso": "A.8.12", "pci": "2.2"}, }, { "id": "NET-006", "domain": "general", "name": "Bridge HW offload misconfiguration (hAP ac²)", "severity": "High", "cvss": "7.0", "category": "Network Configuration", "path": "/interface bridge", "description": "hAP ac² detected with bridge VLAN filtering — HW offload is disabled", "detect": [ r"#\s+.*?hAP\s+ac\b", r"/interface\s+bridge\s+set\s+.*?vlan-filtering=yes\b", ], "context": "If vlan-filtering=yes is set on hAP ac² (RBD52G), HW offload is disabled. Consider dual-bridge workaround.", "remediation": "See SECURITY_BASELINE.md section 9 for dual-bridge workaround.", "compliance": {"cis": "8.6", "nist": "CM-6", "iso": "A.8.9", "pci": "2.2"}, }, { "id": "NET-007", "domain": "general", "name": "MTU/fragmentation mismatch or PPPoE without MSS clamp", "severity": "Low", "cvss": "3.3", "category": "Network Configuration", "path": "/interface bridge, /interface pppoe-client", "description": "MTU values differ between bridge interface and member ports, or PPPoE client configured without MSS clamping", "detect": [ r"/interface\s+bridge\s+set\s+.*?mtu=(\d+)", r"/interface\s+pppoe-client\s+add\s+.*?mtu=", ], "remediation": ( "Ensure bridge MTU matches lowest port MTU minus L2 overhead.\n" "For PPPoE, add MSS clamp mangle rule:\n" "/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \\n" " tcp-mss=1452-65535 action=change-mss new-mss=1452 \\n" " comment=\"Clamp TCP MSS to 1452 for PPPoE\"" ), "compliance": {"cis": "8.7", "nist": "CM-6", "iso": "A.8.9", "pci": "2.2"}, }, { "id": "NET-008", "domain": "general", "name": "VRRP/HA not configured for critical services", "severity": "Info", "cvss": "0.0", "category": "Network Configuration", "path": "/ip address", "description": "No VRRP or HA configuration detected for default gateway", "detect": [ r"/ip\s+address\s+add\s+.*?interface=\S+\b", ], "remediation": "Evaluate if high-availability is needed for this deployment.", "compliance": {"cis": "8.8", "nist": "CP-9", "iso": "A.8.8", "pci": "1.2"}, }, { "id": "NET-009", "domain": "general", "name": "Default gateway without check-gateway=ping", "severity": "Medium", "cvss": "5.5", "category": "Network Configuration", "path": "/ip route", "description": "Default route does not use gateway health checking", "detect": [ r"/ip\s+route\s+add\s+.*?gateway=\d+\.\d+\.\d+\.\d+(?!.*check-gateway=ping)", ], "remediation": ( "/ip route set [find dst-address=0.0.0.0/0] check-gateway=ping" ), "compliance": {"cis": "8.9", "nist": "CP-9", "iso": "A.8.8", "pci": "1.2"}, }, # ═══ ROUTING SECURITY ═══ { "id": "ROUTE-001", "domain": "routing", "name": "BGP without MD5 authentication", "severity": "High", "cvss": "7.4", "category": "Routing Security", "path": "/routing bgp connection", "description": "BGP connections without TCP MD5 signature authentication", "detect": [ r"/routing\s+bgp\s+connection\s+add\s+.*?remote\.address=\d+\.\d+\.\d+\.\d+(?!.*tcp-md5-key=)", ], "remediation": ( "/routing bgp connection set [find remote.address=] \\\n" " tcp-md5-key=" ), "compliance": {"cis": "9.1", "nist": "SC-8", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "ROUTE-002", "domain": "routing", "name": "OSPF without authentication", "severity": "High", "cvss": "7.4", "category": "Routing Security", "path": "/routing ospf interface-template", "description": "OSPF interface templates without authentication configured", "detect": [ r"/routing\s+ospf\s+interface-template\s+add\s+.*?\bnetwork=\d+\.\d+\.\d+\.\d+/\d+\b", ], "remediation": ( "/routing ospf interface-template set [find network=] \\\n" " authentication=md5 authentication-key=" ), "compliance": {"cis": "9.2", "nist": "SC-8", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "ROUTE-003", "domain": "routing", "name": "Routing filters not applied", "severity": "Medium", "cvss": "5.9", "category": "Routing Security", "path": "/routing bgp connection", "description": "BGP/OSPF connections without input or output routing filters", "detect": [ r"/routing\s+bgp\s+connection\s+add\s+.*?(?!(?:input|output)\.filter=)", ], "remediation": ( "/routing filter rule add chain=bgp-in rule=\"if (protocol == bgp) { reject }\"\n" "/routing bgp connection set [find] input.filter=bgp-in" ), "compliance": {"cis": "9.3", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "ROUTE-004", "domain": "routing", "name": "BGP TTL security not configured", "severity": "Medium", "cvss": "5.3", "category": "Routing Security", "path": "/routing bgp connection", "description": "BGP connections without TTL security (GTSM/ttl=1)", "detect": [ r"/routing\s+bgp\s+connection\s+add\s+.*?\bttl=\d+\b", ], "negate": True, "remediation": ( "# For directly connected eBGP peers:\n" "/routing bgp connection set [find remote.address=] ttl=1" ), "compliance": {"cis": "9.4", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "ROUTE-005", "domain": "routing", "name": "BGP prefix limits not configured", "severity": "Medium", "cvss": "5.3", "category": "Routing Security", "path": "/routing bgp connection", "description": "BGP connections without max-prefix limits (memory exhaustion risk)", "detect": [ r"/routing\s+bgp\s+connection\s+add\s+.*?\bmax-prefix=\d+\b", ], "negate": True, "remediation": ( "/routing bgp connection set [find remote.address=] max-prefix=1000" ), "compliance": {"cis": "9.5", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "ROUTE-006", "domain": "routing", "name": "Dynamic routing on WAN interfaces", "severity": "Medium", "cvss": "5.9", "category": "Routing Security", "path": "/routing ospf interface-template", "description": "Dynamic routing protocols enabled on WAN-facing interfaces", "detect": [ r"/routing\s+ospf\s+interface-template\s+add\s+.*?network=.*?0\.0\.0\.0", ], "remediation": ( "Use passive-interface or restrict OSPF to specific network prefixes." ), "compliance": {"cis": "9.6", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, { "id": "ROUTE-007", "domain": "routing", "name": "Default route without backup", "severity": "Low", "cvss": "3.7", "category": "Routing Security", "path": "/ip route", "description": "Only one default route defined without backup", "detect": [ r"/ip\s+route\s+add\s+.*?dst-address=0\.0\.0\.0/0\b", ], "remediation": ( "/ip route add dst-address=0.0.0.0/0 gateway= \\\n" " routing-mark=backup distance=2 check-gateway=ping" ), "compliance": {"cis": "9.7", "nist": "CP-9", "iso": "A.8.8", "pci": "1.2"}, }, { "id": "ROUTE-008", "domain": "routing", "name": "Loopback interface not configured for router ID", "severity": "Low", "cvss": "2.2", "category": "Routing Security", "path": "/interface bridge", "description": "No loopback interface defined for router ID stability in dynamic routing", "detect": [ r"/interface\s+bridge\s+add\s+name=loopback\b", ], "negate": True, "remediation": ( "/interface bridge add name=loopback\n" "/ip address add address=10.255.255.1/32 interface=loopback\n" "Use loopback IP for router-id in dynamic routing protocols." ), "compliance": {"cis": "9.8", "nist": "CM-6", "iso": "A.8.9", "pci": "1.2"}, }, { "id": "ROUTE-009", "domain": "routing", "name": "Routing filters not implemented for route filtering", "severity": "Medium", "cvss": "5.9", "category": "Routing Security", "path": "/routing filter rule", "description": "No custom routing filter chains defined", "detect": [ r"/routing\s+filter\s+rule\s+add\s+chain=\w+\b", ], "negate": True, "remediation": ( "Create routing filter rules for prefix filtering, community manipulation, and route-maps." ), "compliance": {"cis": "9.3", "nist": "SC-7", "iso": "A.8.20", "pci": "1.2"}, }, # ═══ WIFI SECURITY ═══ { "id": "WIFI-001", "domain": "wifi", "name": "Insecure encryption (WEP/TKIP) configured", "severity": "High", "cvss": "8.1", "category": "WiFi Security", "path": "/interface wireless security-profile", "description": "WiFi security profile uses WEP or TKIP encryption, which are compromised", "detect": [ r"/interface\s+wireless\s+security-profile\s+set\s+.*?authentication-types=.*?\bwep\b", r"/interface\s+wireless\s+security-profile\s+set\s+.*?authentication-types=.*?\btkip\b", r"/interface\s+wifi\s+security\s+set\s+.*?authentication-types=.*?\btkip\b", ], "remediation": ( "/interface wifi security set [find] authentication-types=wpa2-psk,wpa3-psk\n" "Use only CCMP (AES) encryption." ), "compliance": {"cis": "10.1", "nist": "SC-8", "iso": "A.8.22", "pci": "4.1"}, }, { "id": "WIFI-002", "domain": "wifi", "name": "WPS enabled", "severity": "High", "cvss": "7.4", "category": "WiFi Security", "path": "/interface wireless", "description": "WiFi Protected Setup (WPS) enabled, vulnerable to PIN brute-force attacks", "detect": [ r"/interface\s+wireless\s+set\s+.*?\bwps-mode=(?:pin|push-button|enabled)\b", r"/interface\s+wifi\s+set\s+.*?\bwps=(?:enabled|pin|push-button)\b", ], "remediation": ( "/interface wireless set [find] wps-mode=disabled" ), "compliance": {"cis": "10.2", "nist": "CM-7", "iso": "A.8.9", "pci": "2.2.2"}, }, { "id": "WIFI-003", "domain": "wifi", "name": "Guest network without isolation", "severity": "High", "cvss": "7.5", "category": "WiFi Security", "path": "/interface wifi configuration", "description": "Guest WiFi network without client isolation, allowing lateral movement", "detect": [ r"/interface\s+wifi\s+configuration\s+(?:add|set)\s+.*?client-isolation=no\b", r"/interface\s+wireless\s+(?:add|set)\s+.*?\bisolate=yes\b", ], "remediation": ( "/interface wifi datapath add name=guest-dp client-isolation=yes\n" "/interface wifi configuration set [find ssid=Guest] datapath=guest-dp" ), "compliance": {"cis": "10.3", "nist": "SC-7", "iso": "A.8.21", "pci": "1.3"}, }, { "id": "WIFI-004", "domain": "wifi", "name": "Broadcast SSID disabled (hiding SSID)", "severity": "Low", "cvss": "3.3", "category": "WiFi Security", "path": "/interface wireless", "description": "SSID broadcast disabled (security-through-obscurity, may cause client issues)", "detect": [ r"/interface\s+wireless\s+set\s+.*?\bhide-ssid=yes\b", ], "remediation": "Enable SSID broadcast. Hidden SSID provides no security and can cause client connectivity problems.", "compliance": {"cis": "10.4", "nist": "CM-6", "iso": "A.8.21", "pci": "4.1"}, }, { "id": "WIFI-005", "domain": "wifi", "name": "Same security profile across bands", "severity": "Medium", "cvss": "4.6", "category": "WiFi Security", "path": "/interface wifi configuration", "description": "WiFi security profile configured — manual review needed to verify different profiles per band", "detect": [ r"/interface\s+wifi\s+configuration\s+(?:add|set)\s+.*?\bsecurity=\S+\b", ], "negate": False, "remediation": ( "Create separate security profiles per band:\n" "/interface wifi security add name=sec-24 authentication-types=wpa2-psk\n" "/interface wifi security add name=sec-5 authentication-types=wpa2-psk,wpa3-psk" ), "compliance": {"cis": "10.5", "nist": "CM-6", "iso": "A.8.9", "pci": "4.1"}, }, { "id": "WIFI-006", "domain": "wifi", "name": "Client isolation not configured on guest SSID", "severity": "High", "cvss": "7.5", "category": "WiFi Security", "path": "/interface wifi datapath", "description": "Guest SSID datapath without client-isolation", "detect": [ r"/interface\s+wifi\s+datapath\s+(?:add|set)\s+.*?\bname=\w*guest\w*\b(?!.*client-isolation=yes)", r"/interface\s+wifi\s+configuration\s+(?:add|set)\s+.*?\bssid=.*?[Gg]uest.*?(?!.*client-isolation=yes)", ], "remediation": ( "/interface wifi datapath set [find name=guest-dp] client-isolation=yes" ), "compliance": {"cis": "10.3", "nist": "SC-7", "iso": "A.8.21", "pci": "1.3"}, }, { "id": "WIFI-007", "domain": "wifi", "name": "CAPsMAN without TLS encryption", "severity": "High", "cvss": "7.4", "category": "WiFi Security", "path": "/caps-man", "description": "CAPsMAN control channel without TLS encryption", "detect": [ r"/caps-man\s+set\s+enabled=yes\b(?!.*certificate=)", r"/interface\s+wifi\s+capsman\s+set\s+enabled=yes\b(?!.*ca-certificate=)", ], "remediation": ( "Configure CAPsMAN with TLS:\n" "/caps-man manager set enabled=yes certificate=" ), "compliance": {"cis": "10.6", "nist": "SC-8", "iso": "A.8.20", "pci": "4.1"}, }, { "id": "WIFI-008", "domain": "wifi", "name": "WiFi access list not configured", "severity": "Medium", "cvss": "4.6", "category": "WiFi Security", "path": "/interface wifi access-list", "description": "No MAC or L2 access list configured for WiFi interfaces", "detect": [ r"/interface\s+wifi\s+access-list\s+add\b", ], "negate": True, "remediation": ( "/interface wifi access-list add mac-address= action=accept\n" "/interface wifi access-list add action=reject comment=\"Default deny\"" ), "compliance": {"cis": "10.7", "nist": "AC-2", "iso": "A.8.3", "pci": "7.1"}, }, { "id": "WIFI-009", "domain": "wifi", "name": "Management Frame Protection (PMF) not enabled", "severity": "Medium", "cvss": "5.3", "category": "WiFi Security", "path": "/interface wifi security", "description": "PMF (802.11w) not enabled — management frames can be spoofed for deauth attacks", "detect": [ r"/interface\s+wifi\s+security\s+set\s+.*?\bmanagement-protection=required\b", r"/interface\s+wireless\s+security-profile\s+set\s+.*?\bmanagement-protection=key\b", ], "negate": True, "remediation": ( "/interface wifi security set [find] management-protection=required" ), "compliance": {"cis": "10.8", "nist": "SC-8", "iso": "A.8.22", "pci": "4.1"}, }, { "id": "WIFI-010", "domain": "wifi", "name": "WiFi password too weak or default", "severity": "High", "cvss": "7.5", "category": "WiFi Security", "path": "/interface wifi security", "description": "WiFi passphrase appears weak, short, or default", "detect": [ r"passphrase=\S{1,7}\b", r"passphrase=(12345678|password|admin|default|mikrotik|wifi)\b", ], "remediation": ( "Set passphrase to min 12 random characters:\n" "/interface wifi security set [find] passphrase=" ), "compliance": {"cis": "10.9", "nist": "IA-5", "iso": "A.8.5", "pci": "8.2"}, }, { "id": "WIFI-011", "domain": "wifi", "name": "DFS channels configured without radar handling", "severity": "Info", "cvss": "0.0", "category": "WiFi Security", "path": "/interface wifi channel", "description": "DFS channels in use—radar events may cause long 5GHz outages", "detect": [ r"/interface\s+wifi\s+channel\s+add\s+.*?\bfrequency=52\b", r"/interface\s+wifi\s+channel\s+add\s+.*?\bfrequency=56\b", r"/interface\s+wifi\s+channel\s+add\s+.*?\bfrequency=60\b", r"/interface\s+wifi\s+channel\s+add\s+.*?\bfrequency=64\b", r"/interface\s+wifi\s+channel\s+add\s+.*?\bfrequency=100\b", r"/interface\s+wifi\s+channel\s+add\s+.*?\bfrequency=104\b", ], "remediation": ( "If using DFS channels, ensure ROS ≥7.15+ for reselect-interval.\n" "Prefer non-DFS channels for 5GHz access points." ), "compliance": {"cis": "10.10", "nist": "CM-6", "iso": "A.8.9", "pci": "2.2"}, }, { "id": "WIFI-012", "domain": "wifi", "name": "hAP ac² wifi-qcom-ac package (flash exhaustion)", "severity": "Medium", "cvss": "5.0", "category": "WiFi Security", "path": "device model", "description": "hAP ac² device detected with wifi-qcom-ac package — 16MB flash constraint", "detect": [ r"#\s+.*?hAP\s+ac\b", r"model\s*=\s*RBD52G", ], "context": "Requires live /system resource print to confirm flash space.", "remediation": ( "On hAP ac²: disable DHCP lease disk storage, consider replacement with ax².\n" "Check /system resource print for free flash space before any upgrade." ), "compliance": {"cis": "10.11", "nist": "CM-6", "iso": "A.8.6", "pci": "2.2"}, }, { "id": "WIFI-013", "domain": "wifi", "name": "hAP ax²/ax³ WiFi stability concern (ROS <7.19.2)", "severity": "High", "cvss": "7.5", "category": "WiFi Security", "path": "export header", "description": "hAP ax²/ax³ detected on RouterOS <7.19.2 — known 5GHz disconnection issue", "detect": [ r"#\s+.*?by RouterOS\s+7\.(?:1[0-8]|1[0-9])\.", r"model\s*=\s*(?:C52iG|C53UiG)", ], "remediation": ( "Upgrade to RouterOS ≥7.19.2 to fix SA Query timeout / 5GHz disconnections.\n" "Tested fix: 7.19.2 resolves the AX WiFi instability regression." ), "compliance": {"cis": "10.12", "nist": "SI-2", "iso": "A.8.8", "pci": "6.2"}, }, # ═══ SCRIPT & AUTOMATION ═══ { "id": "SCRIPT-001", "domain": "general", "name": "Scripts with excessive permissions", "severity": "High", "cvss": "7.1", "category": "Script & Automation", "path": "/system script", "description": "Scripts configured with 'full' or too many combined policy flags", "detect": [ r"/system\s+script\s+add\s+.*?policy=.*?full\b", r"/system\s+script\s+set\s+.*?policy=.*?full\b", ], "remediation": ( "/system script set [find name=