---
name: config-auditor
description: Reviews a pasted network device configuration against CIS benchmarks and vendor hardening guides, producing a prioritised findings report with remediation commands.
version: 1.0.0
author: VantagePoint Networks
audience: IT Managers, Network Engineers, Security Leads, Auditors
output_format: Formatted Markdown audit report with findings table, remediation commands, executive summary, and evidence pack.
license: MIT
---

# Config Auditor

Paste a Cisco, Juniper, Fortinet, Aruba, Palo Alto, or MikroTik configuration. Get back an audit that maps to CIS benchmarks and the vendor's own hardening guide, with copy-paste remediation commands.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. Run `/config-auditor` in Claude Code. Paste the full running-config (or redacted version - see notes below). Answer a short vendor / use-case question or two. Receive a structured audit.

## When to use this

- An auditor is coming next week and you want to know what you'll be asked about first.
- You've inherited a config from a departed engineer and you don't trust it.
- You're considering promoting a lab config to production and want a second opinion.
- You're preparing an RFP or internal design review and need defensible evidence of hardening.
- You want to benchmark multiple similar devices against each other for consistency.

## What you'll get

- **Executive summary** - one paragraph, plain English, no more than five numbers.
- **Findings table** - severity-ranked, each with evidence line-number reference.
- **Remediation commands** in the native vendor syntax - copy-paste ready.
- **What looks good** section - controls that are correctly in place (credibility marker for auditors).
- **Evidence pack** - the relevant config excerpts quoted inline with line numbers.
- **Compliance mapping** - each finding tagged to CIS Controls v8, NIST 800-53 and, where relevant, PCI-DSS / ISO 27001.
- **Estimated effort** - for each finding, a rough time estimate (minutes/hours/days) so you can scope a remediation sprint.

## Clarifying questions I will ask you

1. **Which vendor and platform?** (Cisco IOS XE / NX-OS / ASA / Catalyst / Juniper Junos / Fortinet FortiOS / Aruba AOS-CX / Palo Alto PAN-OS / MikroTik RouterOS)
2. **What is this device's role?** (Edge firewall, core switch, access switch, WAN router, branch firewall, data centre spine/leaf, wireless controller)
3. **Is this internet-facing?** (Drives which CIS section weighs hardest.)
4. **What compliance framework do you care most about?** (CIS L1, CIS L2, PCI-DSS, HIPAA, ISO 27001, NIST CSF, none/general hygiene)
5. **Is any of the config redacted?** (If so, I'll note where I can't assess due to redaction rather than guessing.)
6. **Are there compensating controls elsewhere I should know about?** (e.g. "TACACS+ is handled by upstream device", "logging is offloaded to syslog collector X")
7. **Do you want me to check for consistency against a reference baseline** if you paste one? (Useful for fleet-wide audits.)

## Output template

````markdown
# Configuration Audit: <device hostname> (<vendor / platform>)

**Audit date:** YYYY-MM-DD
**Auditor:** config-auditor skill v1.0.0 (VantagePoint Networks)
**Device role:** <edge firewall / core switch / etc.>
**Compliance framework:** <CIS L1 / PCI-DSS / etc.>

## 1. Executive Summary
> <Plain-English paragraph. 4-5 sentences. Include: overall posture (Strong/Moderate/Weak), count of findings by severity, single most important issue, and whether this device is fit for its stated role.>

## 2. Scorecard
| Category | Findings | Worst Severity |
|---|---|---|
| Authentication & Access | N | H / M / L |
| Management Plane | N | H / M / L |
| Control Plane Hardening | N | H / M / L |
| Data Plane / Segmentation | N | H / M / L |
| Logging & Monitoring | N | H / M / L |
| Cryptography | N | H / M / L |
| Services & Ports | N | H / M / L |
| Resilience & Availability | N | H / M / L |
| **Total** | **N** | - |

## 3. Findings (ordered: Critical -> High -> Medium -> Low -> Info)

### Finding 1 - <short title>
| Field | Value |
|---|---|
| Severity | Critical / High / Medium / Low / Info |
| Category | <one of the scorecard categories> |
| CIS Control | <e.g. 4.8, 12.4> |
| NIST 800-53 | <e.g. AC-2, AU-6> |
| Evidence (config line) | <excerpt + line number> |
| Estimated effort | <minutes/hours/days> |

**What's wrong:**
<One paragraph, plain language.>

**Why it matters:**
<Business-language consequence. Not "because the standard says so" but "because X can happen".>

**Remediation:**
```<vendor syntax>
<exact commands to fix, copy-paste ready>
```

**Verification:**
After applying, confirm with:
```<vendor syntax>
<show / verify commands>
```

---

### Finding 2 - <short title>
<same structure>

---

<repeat for each finding>

## 4. What Looks Good
Controls that are correctly implemented. Auditors are suspicious of audits with only bad news - this section builds credibility and reassures that the reviewer actually read the config.

- [+] <e.g. SSH v2 enforced, v1 explicitly disabled (line 42)>
- [+] <e.g. Login banner present and legally compliant (line 78)>
- [+] <e.g. NTP authenticated against 3 sources (lines 120-125)>
- [+] <...>

## 5. Compliance Mapping
| Framework | Control | Status |
|---|---|---|
| CIS <platform> v<x> | <control id> | Pass / Fail / Partial |
| NIST 800-53 | <control id> | Pass / Fail / Partial |
| PCI-DSS v4 | <requirement> | Pass / Fail / Partial |
<... extend as applicable to the chosen framework>

## 6. Recommended Remediation Sprint
Grouped by theme for efficient execution. Each group = roughly one change ticket.

### Sprint 1 (immediate, <1 day)
- Fix findings: #1, #3, #7
- Risk reduction: <qualitative>
- Change type: likely Standard (low blast radius)

### Sprint 2 (within 2 weeks)
- Fix findings: #2, #4, #5
- Risk reduction: <qualitative>
- Change type: Normal (coordinate with <team/vendor>)

### Sprint 3 (within the quarter)
- Fix findings: #6, #8
- Risk reduction: <qualitative>
- Change type: Project-level (requires design and lab testing)

## 7. Gaps / Unable to Assess
Configuration areas that could not be evaluated from the provided input alone.
- <e.g. "No logging destination visible - assumed offloaded to syslog. Confirm with network ops.">
- <e.g. "Redacted lines 88-94 - cannot assess AAA server list.">
- <e.g. "No interface descriptions - cannot confirm segmentation intent.">

## 8. Appendix: Raw Evidence Excerpts
<Config blocks quoted inline, line-numbered, each labelled with which finding it supports. Keeps the audit defensible.>
````

## Example invocation

**User:** "/config-auditor - here's our FortiGate 100F production config, we have PCI-DSS v4 in scope."

**What the skill will do:**
1. Ask role (edge / internal / DC) and whether any sections are redacted.
2. Parse against CIS FortiGate benchmark + FortiOS hardening guide + PCI-DSS requirements 1, 2, 6, 8, 10, 11.
3. Output: scorecard (typically 15-30 findings for a non-hardened config, fewer for a maintained one), with high-severity items (weak admin password policy, missing logging, permissive zones, disabled AV/IPS profiles) flagged first.
4. Provide FortiOS CLI commands for each remediation - ready to paste into a change ticket.
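The parse-then-rank step above, as an added deterministic pre-check that is not part of the skill itself and that you can run before pasting a config: it uses a handful of Cisco IOS rules rather than FortiOS because that syntax is the easiest to show, the sample config is constructed, and the CIS Controls v8 ids in `RULES` are illustrative mappings, not a benchmark extract. It shows the two finding shapes the report template needs: a presence finding whose evidence is the offending line number, and an absence finding where there is no line to point at.

```python
import re
from dataclasses import dataclass

# Constructed sample Cisco IOS running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
ip http server
ip ssh version 2
line vty 0 4
 transport input telnet ssh
"""

@dataclass
class Finding:
    severity: str     # Critical / High / Medium / Low / Info, as in the report template
    title: str
    cis_control: str  # CIS Controls v8 safeguard id; the mapping used here is illustrative
    line: int         # 1-based evidence line; 0 when the evidence is a missing statement
    evidence: str
    remediation: str  # IOS commands, copy-paste ready

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
# (severity, title, cis id, regex matched at line start, must_exist, remediation)
RULES = [
    ("High", "Enable password not stored as a secret hash", "5.2", r"enable password ", False,
     "enable secret <strong-secret>\nno enable password"),
    ("High", "Telnet accepted on VTY lines", "12.6", r"transport input (all|.*telnet)", False,
     "line vty 0 4\n transport input ssh"),
    ("High", "SSH v2 not enforced", "12.6", r"ip ssh version 2$", True, "ip ssh version 2"),
    ("Medium", "Cleartext HTTP management enabled", "4.8", r"ip http server$", False, "no ip http server"),
    ("Medium", "No remote syslog destination", "8.2", r"logging host ", True, "logging host <collector-ip>"),
]

def audit_ios(config: str) -> list[Finding]:
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    for sev, title, cis, pattern, must_exist, fix in RULES:
        hit = next(((n, t) for n, t in enumerate(lines, 1) if re.match(pattern, t)), None)
        if must_exist and hit is None:            # absence finding: nothing to point at
            findings.append(Finding(sev, title, cis, 0, f"(no line matching '{pattern}')", fix))
        elif not must_exist and hit is not None:  # presence finding: the line is the evidence
            findings.append(Finding(sev, title, cis, hit[0], hit[1], fix))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])  # stable: keeps RULES order per tier

def findings_table(findings: list[Finding]) -> str:
    rows = ["| Severity | Title | CIS Control | Evidence (config line) |", "|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f.severity} | {f.title} | {f.cis_control} | {f'line {f.line}: ' if f.line else ''}{f.evidence} |")
    return "\n".join(rows)
```

Running `print(findings_table(audit_ios(SAMPLE_CONFIG)))` yields four findings: two High (lines 2 and 6), one Medium (line 3) and one Medium absence finding for the missing `logging host`.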

## Notes for the requester

- **Redact sensibly, not paranoidly.** Remove passwords and pre-shared keys. Leave interface names, VLAN IDs, routing protocol details. Over-redaction produces a useless audit.
- **Paste the whole config.** Snippets lead to wrong conclusions because context matters (e.g. "no shutdown" on an interface is only bad if you also see that interface in a trust zone).
- **Include any justification comments.** If a weird-looking line is deliberate ("! required by vendor for SLA"), leave the comment. The audit will honour it.
- **For fleet audits:** run the skill once per device and keep a master tracker. Patterns (same finding across 10 devices) point at template / process issues.
- **"Good" looks like:** findings are specific to your config with actual line references, not generic CIS boilerplate. The remediation commands actually work on your platform version.
