What is the best way to monitor who changes passwords, or what passwords get changed? Is there a way to send that over to Syslog?
An example would be someone logs in as themselves, changes to root (which I capture by logging auth and auth.info) and then changes a password.
Do I need to put an ACL on the passwd executable?
Would the flavor of Unix matter (in this case, AIX)?
1. Change the passwd command. But this would not be a complete solution.
2. Modify the system's way of storing passwords - then you could add whatever you like there.

I guess that both options could be too complicated for you. In that case you could simplify the simple solution (1) - replace the passwd command with a shell script that redirects the parameters to the correct passwd command, which would be renamed/relocated. Users can still call the right passwd unless some ACL rules are set for the object.
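Here is what the wrapper-script variant of solution (1) can look like. This is an added example, not code from the thread or from any vendor; it assumes the real binary has been moved to /usr/bin/passwd.real (overridable through the REAL_PASSWD variable) and that this script is installed as /usr/bin/passwd. It writes one record per invocation to the auth facility via logger (so it reaches whatever syslog destination auth.notice is routed to), records the effective user, the original login name, the tty and the account being changed, and then execs the real passwd so all prompting, policy and the setuid behaviour of the real binary are untouched. Nothing secret is logged: passwd takes the new password interactively, never on the command line.

```shell
#!/bin/sh
# Added example wrapper (not from the original thread). Install as /usr/bin/passwd
# after relocating the real binary; it logs the change attempt to syslog and then
# hands the call, with all arguments, to the real passwd.
# Assumption: the real binary lives at /usr/bin/passwd.real (keeps its own setuid bit,
# so this script itself needs no special mode).

REAL_PASSWD="${REAL_PASSWD:-/usr/bin/passwd.real}"

# Work out which account is being changed. passwd puts the account name last;
# options and their arguments (e.g. '-R files' on AIX, '-f', '-s') come before it.
# No trailing account name means the caller is changing their own password.
target_account() {
    last=
    for arg in "$@"; do last=$arg; done
    case "$last" in
        ""|-*) id -un ;;
        *)     printf '%s\n' "$last" ;;
    esac
}

# Build the one-line audit record.
# Arguments: effective user, original login name, tty, target account.
audit_message() {
    printf 'passwd wrapper: euser=%s login=%s tty=%s target=%s' "$1" "$2" "$3" "$4"
}

# Log the record to syslog (auth facility, notice level), then exec the real passwd.
run_wrapper() {
    euser=$(id -un)
    # logname reports the user who logged in on this terminal, which still names
    # the original person after su to root; it fails without a tty, hence the fallback.
    login=$(logname 2>/dev/null || echo unknown)
    tty=$(tty 2>/dev/null || echo none)
    target=$(target_account "$@")
    logger -p auth.notice -t passwd "$(audit_message "$euser" "$login" "$tty" "$target")"
    exec "$REAL_PASSWD" "$@"
}

# Only act as the wrapper when installed under the name 'passwd'; when the file is
# run or sourced under any other name the functions are merely defined.
case "$(basename -- "$0")" in
    passwd) run_wrapper "$@" ;;
esac
```

The resulting line looks like `passwd wrapper: euser=root login=alice tty=/dev/pts/0 target=bob`, which is exactly the "logged in as themselves, became root, changed a password" trail the question asks for when read next to the existing auth/su records. As the answer notes, this only sees calls that go through the wrapper: anyone who can execute /usr/bin/passwd.real directly bypasses it, so the relocated binary needs an ACL (or mode) that permits execution only through the wrapper's intended path, and the wrapper will not see password changes made by other tools that write the password database directly.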