What does Yocto/OE provide to enable existing exploit mitigation techniques available in the kernel, toolchain and userspace? Things like ASLR, stack protector, secure user copy, disabling ptrace, ...
Do I have to configure these things by hand or is there something in Yocto that will help me?
A documentation entry point addressing my questions can be found here: https://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#making-images-more-secure
https://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#security-flags describes how to compile programs with more secure compiler flags.
The flags enable the stack protector, FORTIFY_SOURCE, position-independent code (for ASLR), string format checks and read-only relocations. It also maintains a blacklist of packages known not to build with these options; these are compiled with less stringent flags. These flags affect the user space.
Yocto does not offer a central switch to enable mitigations/hardening in the kernel itself. This has to be done manually via kernel config fragments.
A Yocto layer containing various means and tools to harden an image can be found here: https://git.yoctoproject.org/cgit/cgit.cgi/meta-security/tree/README
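As an added illustration of the two halves of the answer (user-space flags via the security_flags include, kernel hardening via a config fragment), here is an example configuration that is not taken from the Yocto documentation or from meta-security. `security_flags.inc`, `SECURITY_CFLAGS`, `SECURITY_NO_PIE_CFLAGS` and the `_pn-` override form are real poky mechanisms of the pre-Honister override syntax; `example-pkg`, the `hardening.cfg` file name and the layer paths are placeholders I chose, and the kernel option names are assumed to match the kernel version you build (they have been renamed across releases, see the comments).

```bitbake
# --- conf/local.conf (or your distro .conf): user-space hardening ---
# security_flags.inc ships in poky under meta/conf/distro/include/.
# Recent poky distro configs already require it; add this line only
# if your distro does not.
require conf/distro/include/security_flags.inc

# A recipe that does not build with the hardened flags can be given the
# relaxed set, the same way the include file's own blacklist does.
# "example-pkg" is a placeholder recipe name.
SECURITY_CFLAGS_pn-example-pkg = "${SECURITY_NO_PIE_CFLAGS}"

# --- recipes-kernel/linux/linux-yocto_%.bbappend: kernel hardening ---
# There is no central switch for the kernel, so a config fragment is
# carried alongside the kernel recipe and merged into its .config.
FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI += "file://hardening.cfg"

# --- recipes-kernel/linux/files/hardening.cfg (Kconfig fragment) ---
# Kernel ASLR (randomised kernel base address)
# CONFIG_RANDOMIZE_BASE=y
# Stack canaries in the kernel; named CONFIG_CC_STACKPROTECTOR_STRONG
# on kernels before 4.18
# CONFIG_STACKPROTECTOR_STRONG=y
# Bounds checking on copy_to_user()/copy_from_user() ("secure user copy")
# CONFIG_HARDENED_USERCOPY=y
# Yama LSM, which provides the ptrace_scope restriction on ptrace
# CONFIG_SECURITY_YAMA=y
```

The fragment lines are shown commented because the block is in bitbake syntax; in the actual `hardening.cfg` file they appear uncommented, one `CONFIG_...=y` per line with no trailing comments, and after `bitbake -c kernel_configme virtual/kernel` you can confirm they survived the merge by grepping the generated `.config` in the kernel build directory. Yama still has to be enabled at runtime (`kernel.yama.ptrace_scope` via sysctl) to actually restrict ptrace.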