Yeah I think you can definitely find which process sets environment variables (I think you just need to intercept execve or whatever). The real problem is finding which processes use the environment variables. That's extremely difficult, if not impossible.
Right. Iirc the environment is put on the stack of a new process shortly after. Though I'd want to do this from very early on and then track how the environment changes. I thought of ftrace because it can be enabled/configured in a kernel parameter and as such will already capture information shortly after boot. But maybe it would be easier to work with ebpf or ptrace.
