In adapting your first patch, I narrowed things down a bit. I search /etc/pam.d files containing only a-z0-9A-Z, which I believe should catch all the active pam.d files but not editor backups, .pam-new files and the like. I also specifically recommend looking at pam_faillock.
--Sam
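An added example, not Sam's script or anything from the thread: it applies the filename rule described above (only `a-z0-9A-Z` names count as active) to a constructed sample directory and reports which of the active files load pam_faillock. The helper names, the sample file contents and the `pam_faillock.so` token check are all assumptions for illustration.

```python
import os
import re
import tempfile

# A file under /etc/pam.d counts as active only if its name is made purely of
# [a-z0-9A-Z]; editor backups ("login~"), ".pam-new" leftovers and the like are
# skipped. Note the class has no "-", so hyphenated names (e.g. "common-auth")
# are skipped by this rule as well.
ACTIVE_NAME = re.compile(r"^[a-z0-9A-Z]+$")

def active_pam_files(pam_dir="/etc/pam.d"):
    """Return sorted names of regular files in pam_dir matching ACTIVE_NAME."""
    return sorted(
        name for name in os.listdir(pam_dir)
        if ACTIVE_NAME.match(name) and os.path.isfile(os.path.join(pam_dir, name))
    )

def files_using_module(pam_dir="/etc/pam.d", module="pam_faillock"):
    """Map each active file to (line number, line) pairs that load `module`.
    Comment lines are ignored; only files with at least one hit are returned."""
    wanted = module + ".so"
    hits = {}
    for name in active_pam_files(pam_dir):
        with open(os.path.join(pam_dir, name), errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                stripped = line.strip()
                if not stripped or stripped.startswith("#"):
                    continue
                # Module may be bare ("pam_faillock.so") or a full path; compare basename.
                if any(os.path.basename(tok) == wanted for tok in stripped.split()):
                    hits.setdefault(name, []).append((lineno, stripped))
    return hits

def build_sample_pam_dir():
    """Constructed sample directory (not a real system) for offline demonstration."""
    d = tempfile.mkdtemp(prefix="pamd-")
    samples = {
        "login": "auth required pam_faillock.so preauth\nauth include common-auth\n",
        "sshd": "# pam_faillock.so is commented out here\nauth include common-auth\n",
        "sudo": "auth sufficient pam_unix.so\n",
        "login~": "auth required pam_faillock.so preauth\n",        # editor backup
        "sshd.pam-new": "auth required pam_faillock.so authfail\n",  # package leftover
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    d = build_sample_pam_dir()
    print("active:", active_pam_files(d))
    for name, lines in files_using_module(d).items():
        for lineno, text in lines:
            print(f"{name}:{lineno}: {text}")
```

Point `active_pam_files` and `files_using_module` at the real `/etc/pam.d` to audit a live system; only the constructed directory is used above.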

