RHEL-141919

Regression: pam_unix does not audit unsuccessful usage of passwd command


    • Bug
    • Resolution: Unresolved
    • Critical
    • rhel-10.2
    • rhel-10.0
    • shadow-utils
    • None
    • shadow-utils-4.15.0-10.el10
    • None
    • Important
    • ZStream
    • 1
    • rhel-idm-zta
    • None
    • False
    • False
    • No
    • ZTA: RHELs for 10.3 and 9.9
    • Regression Exception
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      I got an inquiry from a lab which helps us with attaining Common Criteria certification for RHEL 10.
      They noticed that on RHEL 9.4, when a non-root user tried to change the password of a different non-root user, this event was audited in /var/log/audit.log,
      but on 10.0, this is no longer the case.

      What is the impact of this issue to you?

      It makes it harder to audit such events which might signal malicious system activity.

      Please provide the package NVR for which the bug is seen:

      pam-1.6.1-8.el10_0.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. useradd user1
      2. useradd user2
      3. su user1
      4. passwd user2
      5. examine /var/log/audit/audit.log

      Expected results

      This was in Audit log on RHEL 9.4:
      node=hostname type=USER_CHAUTHTOK msg=audit(1724369970.215:33083): pid=10903 uid=1001 auid=1001 ses=155 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=attempted-to-change-password id=1001 exe="/usr/bin/passwd" hostname=hostname addr=? terminal=pts/1 res=failed'UID="user1" AUID="user1" ID="user1"

      Actual results

      No relevant audit log provided.

              ipedrosa@redhat.com Iker Pedrosa
              vpolasek@redhat.com Vojtech Polasek
              Iker Pedrosa Iker Pedrosa
              Anuj Borah Anuj Borah
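
Added example, not part of the original report and not code from pam or shadow-utils: a Python check that parses audit records and reports whether a failed passwd attempt was logged after a given time, which is the condition step 5 of the reproducer inspects by hand. The second sample record, the function names and the `since` parameter are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample input: the first record is the RHEL 9.4 line quoted in
# the report; the second is a made-up unrelated record added for contrast.
SAMPLE_LOG = r'''node=hostname type=USER_CHAUTHTOK msg=audit(1724369970.215:33083): pid=10903 uid=1001 auid=1001 ses=155 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 msg='op=attempted-to-change-password id=1001 exe="/usr/bin/passwd" hostname=hostname addr=? terminal=pts/1 res=failed'UID="user1" AUID="user1" ID="user1"
node=hostname type=USER_START msg=audit(1724369980.001:33090): pid=10950 uid=0 auid=1001 ses=155 subj=unconfined_u:unconfined_r:unconfined_t:s0 msg='op=PAM:session_open acct="user1" exe="/usr/bin/su" hostname=hostname addr=? terminal=pts/1 res=success'UID="root" AUID="user1"
'''

RECORD = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<outer>.*?) msg='(?P<inner>.*?)'(?P<enriched>.*)$")

def kv(text):
    """Split 'k=v k2="v 2"' audit fields into a dict, removing quotes."""
    # Enriched logs separate the resolved names with byte 0x1d, not a space.
    text = text.replace("\x1d", " ")
    return dict(tok.split("=", 1) for tok in shlex.split(text) if "=" in tok)

def parse(line):
    """Parse one user-space audit record; return None if it does not match."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    for part in ("outer", "inner", "enriched"):
        rec.update(kv(m[part]))
    return rec

def failed_passwd_attempts(log_text):
    """Return USER_CHAUTHTOK records from /usr/bin/passwd with res=failed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if (rec and rec["type"] == "USER_CHAUTHTOK"
                and rec.get("exe") == "/usr/bin/passwd"
                and rec.get("res") == "failed"):
            hits.append(rec)
    return hits

def regression_present(log_text, since):
    """True when no failed-passwd record exists at or after `since` (epoch
    seconds), i.e. the RHEL 10.0 behaviour described in the report."""
    return not any(r["time"] >= since for r in failed_passwd_attempts(log_text))
```

Record the epoch time before running `passwd user2` as user1, then pass that time and the contents of /var/log/audit/audit.log to `regression_present`.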