5.23. I just want to start with a basic configuration. Can you recommend a setup that will provide additional protection and still leave most of my system functioning as normal?

Make sure to select the following kernel options:
  ...
  [*]    Security alert when execing unprotected programs before sealing
  [*]      Do not execute unprotected programs before sealing lids
  ...
  [*]    Allow switching LIDS protections
  ...
  [*]      Allow reloading config. file
A good starting point would be to protect your init scripts, system binaries, and libraries (Note that these may vary depending upon your distro):
/sbin/lidsconf -A -o /etc/rc0.d                  -j READONLY
/sbin/lidsconf -A -o /etc/rc1.d                  -j READONLY
/sbin/lidsconf -A -o /etc/rc2.d                  -j READONLY
/sbin/lidsconf -A -o /etc/rc3.d                  -j READONLY
/sbin/lidsconf -A -o /etc/rc4.d                  -j READONLY
/sbin/lidsconf -A -o /etc/rc5.d                  -j READONLY
/sbin/lidsconf -A -o /etc/rc6.d                  -j READONLY
/sbin/lidsconf -A -o /etc/init.d                 -j READONLY
/sbin/lidsconf -A -o /etc/rc                     -j READONLY
/sbin/lidsconf -A -o /etc/rc.local               -j READONLY
/sbin/lidsconf -A -o /etc/rc.sysconfig           -j READONLY

/sbin/lidsconf -A -o /bin                        -j READONLY
/sbin/lidsconf -A -o /sbin                       -j READONLY
/sbin/lidsconf -A -o /lib                        -j READONLY

/sbin/lidsconf -A -o /usr/bin                    -j READONLY
/sbin/lidsconf -A -o /usr/sbin                   -j READONLY
/sbin/lidsconf -A -o /usr/lib                    -j READONLY
If /usr/local is on a separate partition, add the following ACLs also:
/sbin/lidsconf -A -o /usr/local/bin              -j READONLY
/sbin/lidsconf -A -o /usr/local/sbin             -j READONLY
/sbin/lidsconf -A -o /usr/local/lib              -j READONLY

You should also disable CAP_SYS_RAWIO and CAP_SYS_PTRACE in the /etc/lids/lids.cap file. If you don't disable CAP_SYS_RAWIO, then someone can override the above file protections by writing directly to your devices.

If you are running the X Window System, please see above about getting X to work under LIDS.