5.23. I just want to start with a basic configuration. Can you recommend a setup that will provide additional protection and still leave most of my system functioning as normal?

Make sure to select the following kernel options:

... [*] Security alert when execing unprotected programs before sealing [*] Do not execute unprotected programs before sealing lids ... [*] Allow switching LIDS protections ... [*] Allow reloading config. file

A good starting point would be to protect your init scripts, system binaries, and libraries (Note that these may vary depending upon your distro):

/sbin/lidsconf -A -o /etc/rc0.d -j READONLY /sbin/lidsconf -A -o /etc/rc1.d -j READONLY /sbin/lidsconf -A -o /etc/rc2.d -j READONLY /sbin/lidsconf -A -o /etc/rc3.d -j READONLY /sbin/lidsconf -A -o /etc/rc4.d -j READONLY /sbin/lidsconf -A -o /etc/rc5.d -j READONLY /sbin/lidsconf -A -o /etc/rc6.d -j READONLY /sbin/lidsconf -A -o /etc/init.d -j READONLY /sbin/lidsconf -A -o /etc/rc -j READONLY /sbin/lidsconf -A -o /etc/rc.local -j READONLY /sbin/lidsconf -A -o /etc/rc.sysconfig -j READONLY /sbin/lidsconf -A -o /bin -j READONLY /sbin/lidsconf -A -o /sbin -j READONLY /sbin/lidsconf -A -o /lib -j READONLY /sbin/lidsconf -A -o /usr/bin -j READONLY /sbin/lidsconf -A -o /usr/sbin -j READONLY /sbin/lidsconf -A -o /usr/lib -j READONLY

If /usr/local is on a separate partition, add the following ACLs also:

/sbin/lidsconf -A -o /usr/local/bin -j READONLY /sbin/lidsconf -A -o /usr/local/sbin -j READONLY /sbin/lidsconf -A -o /usr/local/lib -j READONLY

You should also disable CAP_SYS_RAWIO and CAP_SYS_PTRACE in the /etc/lids/lids.cap file. If you don't disable CAP_SYS_RAWIO, then someone can override the above file protections by writing directly to your devices.

If you are running the X Window System, please see above about getting X to work under LIDS.