These logs are stored indefinitely; access is very restricted.
to whom? what you have to keep in mind is that computers operate as single minded entities. when you approach a machine like that: security is currently an afterthought. this tells me that there is somebody that holds access above the other users, basically missing the point here.
I can look this password up if my role allows it, but the lookup is also logged
Again, that means that there's somebody administering the logging system. and I almost assure you that even if their logins are listed somewhere: they have full access to remove those entries and make it look like it never happened.
as a hypothetical situation, say I have a machine that stores credit card numbers on a DSS approved network that's locked down in the ways you describe above. at the admin level, it would take me minutes to provision a machine to replicate the target. I don't mean replicate as in contents, I mean replicate to the network view.
the replicated machine can be tunneled into place and act as if it was the machine in question. as the admin: I already know what traffic flows the machine needs to produce on a regular basis (SNMP uptime's, network traffic counters, heartbeats, etc) so I can inject artificial traffic in it's place.
at this point, I can reverse firewall the unit preventing it for calling for help or reporting the changes I make. I can snapshot the drive and move it offsite, while making the changes to the snapshot to remove my presence from the machine and set the loader to write over itself with the snap. reboot into the snap and pull the zombie as the machine comes back up:
and what will the monitoring/auditing/reporting software see? nothing. everything will check out, MAC addresses will match, SNMP keys will match, even the statistics reported will look like they fit into the graphs.
Until CPU's are made to understand the "two key" approach to authentication, any machine will be susceptible to weak physical security.