How to best verify /etc/pam.d/* file contents?

Testing the contents of /etc/pam.d/* files could be really useful to make sure these security-critical files end up with the settings we expect based on the Nix configuration. At this point I need some community advice before continuing, to make sure the tests end up being useful and maintainable. Please see the link for the current approach and open questions, and feel free to answer either here or there.