Yup, recompile the kernel, and if you can / know how / or learn, disable ALL that is not necessary ... for example (really just an example): if you won't use iptables, disable IP filtering ... same with hardware drivers etc. ... no RAID card, disable RAID drivers ...
Replacing a kernel and/or GRUB cannot be done by a non-root user.
If you mean physically ... like when sticking the drive in another machine ...
you can have the kernel/boot loader on read-only media:
USB card/stick, DVD / CD-ROM / even a floppy ... (that you make read-only)
plus you can install Tripwire so you get alerted whenever someone tries to
and for the mega paranoid: do not even enable module loading, because actually rootkits are modules, or some rootkits are if I remember,
so IF you can, because some drivers can't be inside the kernel, compile all the necessary drivers statically into the kernel.
As a bonus, your kernel will be faster.
But don't forget, if you need some option or driver, you will have to compile a whole new kernel that will include your new things.
So it's long to prepare, but fast and secure to use (relatively).
Another funny one: if you need your .config, print it and put it in a safe,
and disable it in the kernel too, otherwise it will be readable through /proc/something I think,
and if you are courageous, change the version number manually,
so there will be no information about your kernel version and how it was compiled.
From there ... there is theoretically no way to break into your kernel.
You should check out security-related kernel tunable parameters. Also focus on protecting the system. A monolithic kernel won't help much if someone roots your server.
Change to the root directory of the kernel source and, if this is the first time the kernel has been compiled, configure the kernel remembering to ensure that the relevant component of the kernel is set, within its configuration file (.conf), to be built as a module.
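
An added example, not part of any post above: a shell check of a kernel .config against the points raised in the thread (module loading off, the in-kernel copy of .config off, unused features not compiled). The function names are made up for this example, the CONFIG_ names are standard Kconfig symbols, and which features count as unused on a given host is an assumption the caller passes in.

```sh
#!/bin/sh
# Added example: audit a kernel .config for the hardening points in this thread.
# Function names are hypothetical; CONFIG_* names are standard Kconfig symbols.

# kconfig_state FILE SYMBOL -> prints y, m, or n (n = "is not set" or absent)
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

warn() { echo "WARN $1"; }

# audit_kconfig FILE [UNUSED_SYMBOL...] -> one WARN line per finding
audit_kconfig() {
    cfg=$1
    [ -r "$cfg" ] || { echo "ERROR cannot read $cfg"; return 2; }
    shift

    # Module loading: with CONFIG_MODULES off, nothing can be insmod'ed later.
    [ "$(kconfig_state "$cfg" CONFIG_MODULES)" = n ] ||
        warn "CONFIG_MODULES is on: loadable modules are possible"

    # CONFIG_IKCONFIG_PROC exposes the build configuration as /proc/config.gz.
    [ "$(kconfig_state "$cfg" CONFIG_IKCONFIG_PROC)" = n ] ||
        warn "CONFIG_IKCONFIG_PROC is on: .config readable via /proc/config.gz"

    # Anything still =m must become =y (or be dropped) for a static kernel.
    mods=$(grep -c '^CONFIG_[A-Za-z0-9_]*=m$' "$cfg" || true)
    [ "$mods" -eq 0 ] || warn "$mods option(s) built as modules (=m)"

    # Features the admin says this host does not use should not be compiled.
    for sym in "$@"; do
        st=$(kconfig_state "$cfg" "$sym")
        [ "$st" = n ] || warn "$sym=$st but listed as unused on this host"
    done
    return 0
}

# Stand-alone use: sh audit.sh /path/to/.config CONFIG_NETFILTER CONFIG_MEGARAID_SAS
[ $# -eq 0 ] || audit_kconfig "$@"
```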