How to configure pam_faillock in common-*?

I noticed that fedora/redhat has tool authselect/authconfig to configure pam_faillock in system-auth ,so it will work in system-wide auth phase.

Ubuntu use pam-auth-update to configure system-wide common-* , I didn't find a way to use pam-auth-update to add pam_faillock into common-* , because pam_faillock needs to configure both in authsucc and authfail conditions. So I have to configure pam_faillock to common-* manually, and common-* may be overrided by upgrading other pam module, such as libpam-sss.

Is there any methods to configure pam_faillock elegantly in ubuntu?

Bit late, but I've been looking into this myself and the below should work.

You'll need to create one or two pam-config files under /usr/share/pam-configs/

This one will enable the faillock functionality. You may just need to modify your /etc/security/faillock.conf file as needed.

# /usr/share/pam-configs/my_faillock
Name: Enforce failed login attempt counter
Default: no
Priority: 0
Auth-Type: Primary
Auth:
    [default=die]   pam_faillock.so authfail
    sufficient  pam_faillock.so authsucc

This one will notify (both cli and gui) if the account in question is locked.

# /usr/share/pam-configs/my_faillock_notify
Name: Notify of failed login attempts
Default: no
Priority: 1024
Auth-Type: Primary
Auth:
    requisite   pam_faillock.so preauth

After creating the above, you can enable with the pam-auth-update command.

I think technically, we aren't supposed to create files in this location, but it seems better than directly modifying files in /etc/pam.d/

See here for more info: https://wiki.ubuntu.com/PAMConfigFrameworkSpec