A setuid wrapper around passwd would prevent normal (non-root, non-sudo) users from running passwd directly:
  -r-sr-xr-x  1 auditor  bin  10240 Oct 30 11:47 passwd
  -r-x------  1 auditor  bin  28376 Oct 30 11:46 passwd.orig

The only catch is that it can't be a shell script (the setuid bit is ignored on interpreted scripts, so the wrapper has to be a compiled binary), which adds another (trivial) layer of complexity to its maintenance. The (very small) danger with monitoring /etc/master.passwd instead is that a user could change his password more than once while your logging code is still recording the first change, so only the last change would be seen.