I've been trying to rebuild the 2.4.20-8 kernel under RedHat 9 without loadable module support (for security reasons). In the 'make menuconfig' process, in the "Loadable module support" section, I un-select "Enable Loadable Module Support".

Here are my exact steps:

RedHat 9
kernel-source-2.4.20-20.9

cd /usr/src/linux-2.4
make mrproper
cp configs/kernel-2.4.20-i686-smp.config ./.config
make oldconfig
make menuconfig
(the only config change made is to disable loadable module support)
make dep
make bzImage

During the make, I get the following error:

make[4]: Entering directory `/usr/src/linux-2.4.20-20.9/drivers/addon/aep'
gcc -D__KERNEL__ -I/usr/src/linux-2.4.20-20.9/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686 -nostdinc -iwithprefix include -DKBUILD_BASENAME=paep -c -o paep.o paep.c
In file included from paep.c:85:
paep.h:75:2: #error "MODULE not defined, I guess you don't want to recompile the entire kernel !"
make[4]: *** [paep.o] Error 1
make[4]: Leaving directory `/usr/src/linux-2.4.20-20.9/drivers/addon/aep'
make[3]: *** [first_rule] Error 2
make[3]: Leaving directory `/usr/src/linux-2.4.20-20.9/drivers/addon/aep'
make[2]: *** [_subdir_aep] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.20-20.9/drivers/addon'
make[1]: *** [_subdir_addon] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.20-20.9/drivers'
make: *** [_dir_drivers] Error 2

--

Is this the proper way to disable Loadable module support? If not, what should I be doing? Thanks...

To do that you must compile a custom kernel with the specific drivers for your equipment, filesystems + netfilter. It will have be an alternate boot as it will be too big for a set of boot disks.

You will to have a large investment of time to make it work. First, I suggest you learn how use a rescue CD, and how to make a self booting CD version of your kernel on CD as a boot disk.

In fact, you may think about doing that boot disk and testing it on CD before ever using the command "make install".

You need to go through the entire configuration making sure nothing is marked as M(odule). Everything you need will have to be installed in the kernal. Good luck, never got it to work without modules.

Well, first think what specific security risk you want to want to address. Virus loadable modules? I'm not kidding, it's a risk, and it's the ULTIMATE way to attack a system, if done right, it can be made totally undetectable. You control every aspect of the system, and can subvert and defeat all detection tools.

That said, I have not yet seen an attack that uses this (I have a cert in Unix security administration, and everywhere it's mentioned as a hypothetical risk,
so far). So if after after *all other* measures, such as tripwiring your system, making key config files immutable, read-only mounting /boot and /usr, a firewall, the whole 9 yards, you STILL feel it's an unacceptable risk, go ahead.

You will not be able, I think, to produce a non-modular kernel from the unchanged config file. The RH-premade kernel has all kinds of support for everything imaginable, small matter with modules, but if you compile everything in, the kernel will be way too big. So you need to tailor your kernel to the essentials, disable all other network hardware not on your system, IDE chipsets not on your system, go through the configuration with a fine comb and weed out stuff. The remaining drivers previously compiled as modules must then be changed to be compiled in. I don't know if globally disabling module support does that, but I doubt it. Then you might have a chance to get a kernel that's small enough.

I went through part of this exercise to make a Rescue CD that Eqwatz mentions, goto http://www.phenix.bnl.gov/~purschke/RescueCD/ (yes, that's my page) for a self-service self-made R-CD and some of the ramifications. For that bare-bones rescue system, I got the kernel size down to about 800k, but it took some doing.

My gut feeling is, it's overly paranoid, and it's not a substitute for other standard measures, some listed above.

Hope it helps,

mlp

hi there,
aren't u missing "make clean" before and after "make mrproper"? yeah.. i know it jus cleans... but you never know!!! atleast thats what the Kernel-HOWTO says! Well as of me, i'm into kernel recompiling as well. i had pretty much followed the 'howto' as
1. make clean
2. make mrproper
3. make clean
4. make menuconfig
5. nohup make bzImage & tail -f nohup.out

btw i'm still at it. After quite a long hours on my 75MHz system, it seemed kinda hung up(even with nohup! or may be i'm wrong ). The following were the final messages:
***************
tools/build -b bbootsect bsetup compressed/bvm/linux.out CURRENT > bzImage
Root device is (3,2)
Boot sector 512 bytes
Setup is 4930 bytes
system is 870 kB
make[1]: Leaving directory /usr/src/linux-2.4.20-8/arch/i386/boot
**********
Shouldn't it come to the command automatically? or is it normal. Anyway i got out with "<cntrl>+c" key...btw bzImage is there in the directory /usr/src/linux-2.4.20-8/arch/i386/boot. Even though i started of with a suggestion for redhatdude, excuse me for putting my question here. I would continuing the remaining steps as get home in the evening....btw my sys spec are:
--------------------------------
*Intel/Triton-II i430HX
*k586-P75
*4GB hdd
*CMI 8738 sound card
*SiS 6202(1MB) graphics card
* Dynalink 1456VQH-R - HCF modem
---------------------------------------
Thanx very much for your help in advance

Cheers,
me