I would say no. Signature 3021 protects the passwd files, but doesn't prevent proper password changes.
This event indicates an attempt to modify or remove the "passwd" or "shadow" files by a process other than passwd(1)
This is indicative of an attack. Attackers sometimes write directly to this file to add privileged users to the system, or change permissions of these files to a world-writable state for malicious reasons.