Using PAM to log password changes?

[declan]

Hi, on a lab computer another user (who is a sudoer) changed my password without my permission. I'm pretty positive it was her, though I can't conclusively prove it. I had my friend, who is another sudoer on the machine, fix it and make me a sudoer now too.

So everything is fine, but I want solid proof in case this happens again. I know I can see when people have been logged in with the command 'last', but I would need to correlate that to the actual password change time. So I'd like to have the system log whenever someone (eg, her) sudo's to change another user's (eg, mine) password.

I was told I can do this with PAM, but I looked at the documentation and it seemed to be mostly more about authentication and stuff, and I couldn't figure out how to log it. Can anyone help me?

Thanks!

Edit: also, I'm aware that there's nothing I can do to prevent this happening again as long as she has root access. But I want proof in case it happens again.

[Freston]

Hi and welcome to the forums!

My system logs exactly what you ask in /var/log/secure

And I'm running Slackware, so no PAM