SecRuleEngine On
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog /var/log/apache2/mod_security/modsec_audit.log
SecAuditLogParts ABCFHZ
SecDebugLog /var/log/apache2/mod_security/modsec_debug.log
SecDebugLogLevel 5

# block file access
SecRule REQUEST_URI "/etc/passwd"
SecRule REQUEST_URI "/etc/shadow"

# Intent is to block for this User Agent, "how" described in SecDefaultAction
SecRule REQUEST_HEADERS:User-Agent "nikto" "phase:2,block,msg:'Nikto Scanners Identified'"

### Administrator defines "how" to block (deny,status:403)...
SecDefaultAction phase:2,auditlog,deny,status:403