Run a script when the password is changed

590
dj_boy

Is there a way to run a custom command when passwd is executed? I'm building a server GUI, and I want to link the app users to the system users. So I want to run a script that receives the user and the password and sends them to the MySQL server. Well, now that I'm writing it down, it looks like a security hole. Anyway, is it possible?

2
Perhaps use the expose_authtok parameter of pam_exec: `auth required pam_exec.so expose_authtok your_script` Oleg Bolden 8 years ago 0

1 answer to the question

1
Zoltan Peller

You can detect if someone runs passwd using inotifywait, but as far as I know, you can't control its behaviour this way.

On your own server, however, you can replace the real passwd program with your script, which then invokes the real passwd program. This may imply several security risks, so I wouldn't do that, and I wouldn't even try to list all the risks. Still, if you feel like doing such a thing, an expect script like this could work as a replacement:

```tcl
#!/usr/bin/expect
# Frontend for the real passwd: relays the prompts to the user and captures
# the new password so it can be handed to another script afterwards.
set timeout -1
set new_passwd ""

# Start the renamed real passwd; pass any command-line arguments through.
log_user 0
spawn /usr/bin/passwd.real {*}$argv
log_user 1

# Turn off local echo so the typed passwords do not appear on the terminal.
stty -echo
expect {
    -re "current.*password" {
        # Old password: relay it to passwd, but do not keep it.
        expect_user -re "(.*)\n"
        send "$expect_out(1,string)\n"
        exp_continue
    }
    -re "new.*password:" {
        # Matches both "Enter new" and "Retype new"; the last value typed
        # is the one passwd accepted.
        expect_user -re "(.*)\n"
        set new_passwd $expect_out(1,string)
        send "$new_passwd\n"
        exp_continue
    }
    -re "passwd:.*unchanged" {
        set new_passwd ""
        interact
    }
    -re "passwd:.*updated successfully" {
        interact
    }
    eof {
        # passwd exited some other way (error, Ctrl-C): nothing was changed,
        # so do not propagate whatever was typed.
        set new_passwd ""
    }
}
stty echo

if { $new_passwd != "" } {
    # Debug output only: this prints the cleartext password. Comment it out
    # and enable the system call below when propagating the password for real.
    send_user "New password for user '$env(USER)'/'$env(LOGNAME)': $new_passwd\n"
    #system my_password_manipulation_script.sh $env(USER) $env(LOGNAME) $new_passwd
}
```

After renaming passwd to passwd.real, you would place this script at /usr/bin/passwd and give it normal execute permission (0755). The suid bit is not necessary (and would be another security issue), as this script is just a frontend to the real passwd program.

The script works on Debian Jessie (8.4); on other systems you may have to adjust the matching keywords (current.*password, new.*password, etc.). Also, you would comment out the last send_user line and uncomment the system call, where you actually propagate the password.

Once again: try to consider all the security implications before you do this! Also, your users should probably know that you may be able to get their passwords unencrypted. Maybe it would be nicer if you saved this script as e.g. mypasswd (it would then spawn passwd), and asked your users to change their password using mypasswd. This would make it clear that they're not using the original passwd.
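The comment above points at the cleaner route: instead of wrapping the passwd binary, let PAM call a hook with pam_exec's expose_authtok option. The script below is an added example of such a hook; it is not code from the question, the answer or the Linux-PAM project. pam_exec exports PAM_USER and PAM_TYPE to the hook and, with expose_authtok, writes the password to the hook's stdin, so unlike the `system my_password_manipulation_script.sh ... $new_passwd` call in the answer it never appears as a command-line argument visible in `ps`. Assumptions: the PAM line shown in the docstring (whether the `password` stack hands the new token to the hook depends on your Linux-PAM version, so check `man pam_exec` on your system), a hypothetical database path, and made-up table and column names; the MySQL server from the question is replaced by an in-memory sqlite3 database with constructed sample data so the example runs offline. Because passwd is setuid, the hook runs as root: keep it root-owned and not writable by anyone else.

```python
#!/usr/bin/env python3
"""Hook for pam_exec's expose_authtok option: reads the new password from stdin
and stores a salted hash of it in the application's user table.

Added example for this page, not code from the question or the answer. Assumed
PAM line (assumption: whether the `password` stack exposes the *new* token to
the hook depends on your Linux-PAM version; check `man pam_exec`):

    password optional pam_exec.so expose_authtok /usr/local/sbin/sync-passwd-hook

pam_exec exports PAM_USER and PAM_TYPE to the hook and, with expose_authtok,
writes the token to the hook's stdin, so it never appears in `ps` output as
an argument. The MySQL target from the question is replaced by sqlite3 so the
example runs offline; table and column names are made up.
"""
import hashlib
import io
import os
import secrets
import sqlite3
import sys

DB_PATH = "/var/lib/app/users.db"   # hypothetical path of the app database
PBKDF2_ROUNDS = 600_000              # work factor; raise as hardware allows
MAX_AUTHTOK = 512                    # pam_exec forwards at most PAM_MAX_RESP_SIZE bytes


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt$digest' (hex fields), never the plaintext."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time check of a password against a record from hash_password()."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(digest.hex(), digest_hex)


def read_authtok(stream):
    """pam_exec writes the token to the pipe and closes it; strip one trailing
    newline in case the caller added one (shell tests do)."""
    data = stream.read(MAX_AUTHTOK + 1)
    return data[:-1] if data.endswith("\n") else data


def sync_password(env, stream, conn):
    """Body of the hook. Returns the process exit status: 0 = success.
    A non-zero exit makes pam_exec fail; with `optional` that does not stop passwd."""
    user = env.get("PAM_USER", "")
    if env.get("PAM_TYPE") != "password":
        return 0            # only the password stack carries the *new* token
    if not user:
        return 1
    token = read_authtok(stream)
    if not token:
        return 1
    cur = conn.execute("UPDATE app_users SET password_hash = ? WHERE username = ?",
                       (hash_password(token), user))   # parameterised, no SQL injection
    conn.commit()
    return 0 if cur.rowcount == 1 else 1   # 1: no such app user, nothing synced


def stored_hash(conn, user):
    row = conn.execute("SELECT password_hash FROM app_users WHERE username = ?",
                       (user,)).fetchone()
    return row[0] if row else None


def init_demo_db():
    """Constructed sample data standing in for the MySQL user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO app_users VALUES ('alice', ?)", (hash_password("old-secret"),))
    conn.commit()
    return conn


def demo():
    """Simulate three pam_exec invocations against the sample database."""
    conn = init_demo_db()
    r = {}
    r["password_stack"] = sync_password({"PAM_USER": "alice", "PAM_TYPE": "password"},
                                        io.StringIO("correct horse battery\n"), conn)
    r["new_pw_verifies"] = verify_password("correct horse battery", stored_hash(conn, "alice"))
    r["old_pw_rejected"] = not verify_password("old-secret", stored_hash(conn, "alice"))
    before = stored_hash(conn, "alice")
    auth_rc = sync_password({"PAM_USER": "alice", "PAM_TYPE": "auth"}, io.StringIO("x"), conn)
    r["auth_stack_ignored"] = auth_rc == 0 and stored_hash(conn, "alice") == before
    r["unknown_user"] = sync_password({"PAM_USER": "mallory", "PAM_TYPE": "password"},
                                      io.StringIO("x"), conn)
    return r


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print(demo())
    else:
        # Real hook run by passwd (as root): keep this file root-owned, mode 0700.
        sys.exit(sync_password(os.environ, sys.stdin, sqlite3.connect(DB_PATH)))
```

Run it with `--demo` to see the simulated invocations; installed as the hook, it takes the user from PAM_USER and the password from stdin, ignores calls from stacks other than `password`, and stores only a PBKDF2 hash, so the application database never holds the cleartext the question worried about.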