Make sure to select the following kernel options:
...
    [*] Security alert when execing unprotected programs before sealing
    [*] Do not execute unprotected programs before sealing lids
...
    [*] Allow switching LIDS protections
...
    [*] Allow reloading config. file
/sbin/lidsconf -A -o /etc/rc0.d -j READONLY
/sbin/lidsconf -A -o /etc/rc1.d -j READONLY
/sbin/lidsconf -A -o /etc/rc2.d -j READONLY
/sbin/lidsconf -A -o /etc/rc3.d -j READONLY
/sbin/lidsconf -A -o /etc/rc4.d -j READONLY
/sbin/lidsconf -A -o /etc/rc5.d -j READONLY
/sbin/lidsconf -A -o /etc/rc6.d -j READONLY
/sbin/lidsconf -A -o /etc/init.d -j READONLY
/sbin/lidsconf -A -o /etc/rc -j READONLY
/sbin/lidsconf -A -o /etc/rc.local -j READONLY
/sbin/lidsconf -A -o /etc/rc.sysconfig -j READONLY
/sbin/lidsconf -A -o /bin -j READONLY
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /lib -j READONLY
/sbin/lidsconf -A -o /usr/bin -j READONLY
/sbin/lidsconf -A -o /usr/sbin -j READONLY
/sbin/lidsconf -A -o /usr/lib -j READONLY
/sbin/lidsconf -A -o /usr/local/bin -j READONLY
/sbin/lidsconf -A -o /usr/local/sbin -j READONLY
/sbin/lidsconf -A -o /usr/local/lib -j READONLY
You should also disable CAP_SYS_RAWIO and CAP_SYS_PTRACE in the /etc/lids/lids.cap file. If CAP_SYS_RAWIO is left enabled, a process holding that capability can bypass the file protections above by writing directly to the underlying devices instead of going through the filesystem.
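The steps above (the READONLY rule set and the lids.cap capability edits) as one small POSIX sh script. This is an added example, not part of the HOWTO and not LIDS's own tooling: it prints the lidsconf commands as a dry run for review instead of executing them, and it edits a constructed sample of a lids.cap-style file rather than the real /etc/lids/lids.cap. It assumes the lids.cap line format "+N:CAP_NAME" (allowed) / "-N:CAP_NAME" (disabled); the capability numbers 17 and 19 are the kernel's values for CAP_SYS_RAWIO and CAP_SYS_PTRACE.

```shell
#!/bin/sh
# Added example (not from the HOWTO): generate the READONLY rules and
# disable CAP_SYS_RAWIO / CAP_SYS_PTRACE in a lids.cap-style file.

# Directories the HOWTO places under READONLY protection.
READONLY_DIRS="/etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d /etc/rc4.d
/etc/rc5.d /etc/rc6.d /etc/init.d /etc/rc /etc/rc.local /etc/rc.sysconfig
/bin /sbin /lib /usr/bin /usr/sbin /usr/lib
/usr/local/bin /usr/local/sbin /usr/local/lib"

# Print one lidsconf command per directory (dry run; nothing is executed),
# so the rule set can be reviewed before it is applied on a real host.
emit_readonly_rules() {
    for d in $READONLY_DIRS; do
        printf '/sbin/lidsconf -A -o %s -j READONLY\n' "$d"
    done
}

# Count the rules without relying on wc's output formatting.
readonly_rule_count() {
    n=0
    for d in $READONLY_DIRS; do n=$((n + 1)); done
    echo "$n"
}

# Flip "+N:CAP_NAME" (allowed) to "-N:CAP_NAME" (disabled) for each named
# capability. Assumption: the "+N:CAP_NAME" line format of lids.cap.
# Uses a temp file instead of sed -i so it works with POSIX sed.
disable_caps() {
    file="$1"; shift
    for cap in "$@"; do
        sed "s/^+\([0-9]*\):${cap}\$/-\1:${cap}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# Return 0 if the capability is disabled (a '-' line) in the file, 1 if not.
cap_disabled() {
    grep -q "^-[0-9]*:$2\$" "$1"
}

# Constructed sample of a lids.cap-style file (not the real distribution
# file): all four capabilities start out allowed.
SAMPLE_CAP=$(mktemp)
cat > "$SAMPLE_CAP" <<'EOF'
+16:CAP_SYS_MODULE
+17:CAP_SYS_RAWIO
+19:CAP_SYS_PTRACE
+22:CAP_SYS_BOOT
EOF

disable_caps "$SAMPLE_CAP" CAP_SYS_RAWIO CAP_SYS_PTRACE

emit_readonly_rules
echo "--- sample lids.cap after edit ---"
cat "$SAMPLE_CAP"
```

After the edit the sample shows -17:CAP_SYS_RAWIO and -19:CAP_SYS_PTRACE while CAP_SYS_MODULE and CAP_SYS_BOOT stay enabled, which is exactly the check worth repeating against the real file after editing it: grep for the '-' lines of the two capabilities and confirm nothing else changed.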
If you are running the X Window System, please see above about getting X to work under LIDS.