An additional problem is that faillock requires a tmpfiles.d fragment to be installed to create the /run/faillock directory, because the module won't create it for itself if it's missing. The manpage doesn't mention this, so it's probably a bit of a surprise for an unsuspecting user.
On Fedora that looks like

    d /run/faillock 0755 root root -

in /lib/tmpfiles.d/pam.conf. The result is that this directory is always present, even if the module is not in use.
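
A check for the situation described above, as an added example that is not part of the original text or of the pam package: it lists the tmpfiles.d entries that create /run/faillock and compares the directory's mode and owner with the Fedora entry quoted above. The function names are hypothetical, the search directories are the standard tmpfiles.d locations, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of pam or systemd.

# Print each tmpfiles.d line of type d/D that creates directory $1.
# usage: find_tmpfiles_entry PATH DIR...   (returns 0 if an entry was found)
# Every match is listed; same-named files overriding each other is not modelled.
find_tmpfiles_entry() {
    target=$1; shift
    rc=1
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # tmpfiles.d fields: type path mode user group age argument
            while read -r type path rest || [ -n "$type" ]; do
                case $type in
                    d*|D*) ;;          # d, D and modifier forms such as d!
                    *) continue ;;     # comments, blank lines, other types
                esac
                if [ "$path" = "$target" ]; then
                    printf '%s: %s %s %s\n' "$f" "$type" "$path" "$rest"
                    rc=0
                fi
            done < "$f"
        done
    done
    return $rc
}

# Compare a directory's mode and owner with the expected values.
# usage: check_dir PATH MODE OWNER:GROUP   (0 = match, 1 = mismatch, 2 = missing)
check_dir() {
    [ -d "$1" ] || { echo "MISSING $1"; return 2; }
    actual=$(stat -c '%a %U:%G' "$1")    # GNU stat format
    if [ "$actual" = "$2 $3" ]; then
        echo "OK $1 $actual"
    else
        echo "MISMATCH $1: have $actual, want $2 $3"; return 1
    fi
}

# Audit the live system: is the directory declared, and does it exist as declared?
audit_faillock() {
    find_tmpfiles_entry /run/faillock \
        /etc/tmpfiles.d /run/tmpfiles.d /usr/lib/tmpfiles.d \
        || echo "no tmpfiles.d entry creates /run/faillock"
    check_dir /run/faillock 755 root:root
}

if [ "${1:-}" = "audit" ]; then audit_faillock; fi
```

Run it with the argument `audit` to check the live system; without arguments it only defines the functions.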