Logging password changes

Is there a way to log changes to user passwords?

If I change my password I want it to be logged somewhere.
It doesn't go in /var/log/messages; it doesn't go in /var/log/secure.
The only place it goes is /etc/shadow, and I can see the last time
a user changed his/her password by typing "chage -l userid",
which gives the date of the last password change.

That isn't quite good enough, I don't think, for the Gov't C2 audit requirements,
so I was wondering if anyone knew how to set up pam or something to
log when a user changes his/her password into, say, /var/log/messages
or something?
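One way to do what the question asks, as an added example that is not from the thread: hang a small program off the PAM password stack with pam_exec so that a line is written to syslog whenever a change succeeds. On a current Linux-PAM system pam_unix already logs a successful change itself, as `pam_unix(passwd:chauthtok): password changed for <user>` at authpriv.notice, which syslog normally routes to /var/log/secure or auth.log; the thread predates that, and the hook below is still worth having when the record must carry your own tag, go to a separate destination, or cover changes made through a module other than pam_unix. The script path, the log tag and the exact pam_unix options are assumptions.

```shell
#!/bin/sh
# /usr/local/sbin/log-pwchange  (added example; the path is an assumption)
#
# Run by pam_exec.so from the "password" stack so that every successful
# password change is written to syslog. Hook it in after pam_unix, e.g. in
# /etc/pam.d/passwd or the distribution's common-password/system-auth file:
#
#   password  requisite  pam_unix.so sha512 shadow
#   password  optional   pam_exec.so /usr/local/sbin/log-pwchange
#
# The control word on pam_unix matters: with "sufficient" the stack stops on
# success and this module never runs; with "required" it also runs after a
# failed change. pam_exec exports PAM_USER, PAM_SERVICE, PAM_TYPE, PAM_TTY and
# PAM_RHOST into the environment and, in the password stack, runs the program
# only in the update phase, with PAM_TYPE=chauthtok. It is left running with
# the caller's real UID (no "seteuid"), which is all logger(1) needs, and the
# new password is never passed to it unless "expose_authtok" is set.
set -u

# Build the log line. Arguments: user service tty rhost; an empty tty or rhost
# (a local passwd run) is shown as "-".
pwchange_message() {
    printf 'password changed for user %s via %s tty=%s rhost=%s' \
        "$1" "$2" "${3:--}" "${4:--}"
}

# True only for the password-update phase: pam_exec can be listed in any
# stack, and auth/session calls must not be recorded as password changes.
is_password_update() {
    [ "${1:-}" = "chauthtok" ]
}

if is_password_update "${PAM_TYPE:-}"; then
    logger -p authpriv.notice -t pwchange \
        "$(pwchange_message "${PAM_USER:-?}" "${PAM_SERVICE:-?}" "${PAM_TTY:-}" "${PAM_RHOST:-}")"
fi
```

Dry-run it from a shell with `PAM_TYPE=chauthtok PAM_USER=alice PAM_SERVICE=passwd sh log-pwchange` and look for the `pwchange` tag in the authpriv log, then change a password for real. Install it root-owned and not writable by anyone else: passwd(1) will run it for every user on the box.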

Comments

Re:Logging password changes

Dave,

I don't have an answer but I did find this information about using pam to store password changes:

http://lists.debian.org/debian-user/2000/04/msg00248.html

Hope it's relevant!

Re:Logging password changes

I know pam can be configured with a database that stores old encrypted passwords and won't let you change back to one in the list. I could set up the ability to do that, then only allow one password change per day, running a "chage -l UID" command in a cron job to see which IDs changed.
Gov't C2 auditing requires that the system log (somewhere) any password changes. One of the auditing questions is: "Log in as a user. Change to an acceptable password. Was the change logged?" Maybe pam can provide more info to the syslog somehow? It does say when users log on and log off; why couldn't a change to passwords be logged?

Re:Logging password changes

I think you can use something like Tripwire to log when the shadow file changes, but I think that, for the very reason of being secure, password changes are not logged, due to the possibility of being hijacked.
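The cron idea from the second comment, written out as an added example that is not code from the thread: instead of running "chage -l" per account, it snapshots field 3 of /etc/shadow (the day of the last change, the value chage -l prints as a date) and reports every account whose value moved since the previous run. That is also the change detection the last comment credits to Tripwire, but per account rather than for the file as a whole. Paths and the syslog tag are assumptions. It only sees changes that survive until the next run, so it complements logging inside the PAM stack rather than replacing it; a kernel audit watch (`auditctl -w /etc/shadow -p wa -k shadow-change`) records each write to the file as it happens.

```shell
#!/bin/sh
# pwchange-report.sh  (added example, not code from the thread)
#
# Reports accounts whose password changed since the previous run by comparing
# the "last change" field of /etc/shadow (field 3, days since 1970-01-01) with
# a snapshot taken on the previous run. Meant for root's crontab. Paths and
# the syslog tag are assumptions. A change made on the same day as the
# account's previous change keeps the same day number and is not seen; the
# snapshot holds only user:day pairs, never hashes.
#
# Usage:  pwchange-report.sh run    # compare live /etc/shadow, log, re-snapshot
#         pwchange-report.sh demo   # same logic over constructed sample data
set -u

SHADOW=${SHADOW:-/etc/shadow}
STATE=${STATE:-/var/lib/pwchange/lastchg.snapshot}   # assumed location

# Print "user:lastchg" for each entry in a shadow-format file.
shadow_lastchg() {
    awk -F: 'NF >= 3 { print $1 ":" $3 }' "$1"
}

# Print one line per account whose lastchg differs between snapshot $1 and
# current $2, or that is absent from the snapshot; print nothing if identical.
lastchg_diff() {
    awk -F: '
        FILENAME == ARGV[1] { old[$1] = $2; next }
        !($1 in old)        { print "new account " $1 " (lastchg=" $2 ")"; next }
        old[$1] != $2       { print "password changed for " $1 " (day " old[$1] " -> " $2 ")" }
    ' "$1" "$2"
}

# Compare shadow file $1 against snapshot $2, print the changes, and make the
# current state the new snapshot. A missing or empty snapshot means first run.
report_changes() {
    cur=$(mktemp) || exit 1        # created 0600 by mktemp
    shadow_lastchg "$1" > "$cur"
    if [ -s "$2" ]; then
        lastchg_diff "$2" "$cur"
    else
        echo "no snapshot yet; baseline recorded"
    fi
    mkdir -p "$(dirname "$2")" && mv "$cur" "$2"
}

# Constructed shadow-format lines; the hashes are placeholders, not real.
demo() {
    d=$(mktemp -d) || exit 1
    printf '%s\n' \
        'root:$6$placeholder:18000:0:99999:7:::' \
        'alice:$6$placeholder:18100:0:99999:7:::' \
        'bob:$6$placeholder:18100:0:99999:7:::' \
        'daemon:*:17000:0:99999:7:::' > "$d/shadow.day1"
    printf '%s\n' \
        'root:$6$placeholder:18000:0:99999:7:::' \
        'alice:$6$placeholder:18250:0:99999:7:::' \
        'bob:$6$placeholder:18100:0:99999:7:::' \
        'daemon:*:17000:0:99999:7:::' \
        'carol:$6$placeholder:18250:0:99999:7:::' > "$d/shadow.day2"
    report_changes "$d/shadow.day1" "$d/snapshot"   # first run: baseline only
    report_changes "$d/shadow.day2" "$d/snapshot"   # reports alice and carol
    rm -rf "$d"
}

case "${1:-}" in
    run)  report_changes "$SHADOW" "$STATE" | logger -s -t pwchange -p authpriv.notice ;;
    demo) demo ;;
esac
```

Run `sh pwchange-report.sh demo` to see the two-run sequence; `run` in a daily root cron entry sends each line to authpriv (and, with `-s`, to cron's mail). Keep the snapshot directory root-only: although it holds no hashes, it tells a reader who changed passwords when.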