Sid – Static Intrusion Detection for NetBSD (netbsd.org)
58 points by vezzy-fnord on Sept 26, 2015 | hide | past | favorite | 7 comments


I have to wonder if the author is a U.F.O. TV series fan: http://ufoseries.com/guide/sid.html


This is an AIDE BSD clone[1]. I'm not sure how many people run these tools on their systems these days. Current systems are highly dynamic, I'm not sure about the amount of protection an intrusion detection system based on file changes offers today.

[1] http://aide.sourceforge.net/


NetBSD has already had kernel-level file signature integrity for a while in the form of Veriexec [1], I assume this is a continuation of established precedent.

[1] https://www.netbsd.org/docs/guide/en/chap-veriexec.html


For what it's worth:

"The syntax is borrowed from the old aide program, without any of the disadvantages of aide (GPL, default verbosity, static database usage, no fs flags checking, GNU regexps, unusual digest types)."


The idea of a dynamic system is to have a static set of binaries and auto adjusting configs. There are lots of areas where file based IDS works. In fact config management tends to pivot off of file changes.

Pretending it's too complex to be secure is a logical fallacy.


Perhaps considered to be part of a best or reasonable effort?

A friend who was configuring some systems containing healthcare personally identifiable information (PII) included a similar tool in its defenses.


It could be useful in an embedded environment provided you can feed it a hash whitelist. There are probably tons of routers and other hardware out there with little to no runtime integrity checking simply because it costs engineering effort to implement.
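Added example, not sid's or AIDE's code: a minimal Python sketch of the baseline-and-compare loop these file-based IDS tools run, recording a SHA-256 digest plus mode/uid/gid/size per file so that a same-size content change or a permission-only change is still flagged. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_baseline(root) -> dict:
    """Record a SHA-256 digest plus mode, uid, gid and size for every
    regular file under `root` (symlinks and directories are skipped)."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        db[str(p.relative_to(root))] = {
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size,
        }
    return db

def check(root, baseline: dict) -> dict:
    """Compare the live tree against `baseline`: added, removed, changed."""
    now = build_baseline(root)
    changed = {}
    for rel in baseline.keys() & now.keys():
        diff = [k for k in baseline[rel] if baseline[rel][k] != now[rel][k]]
        if diff:
            changed[rel] = diff          # which recorded fields differ
    return {"added": sorted(now.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - now.keys()),
            "changed": changed}

def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then alter it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir(); (root / "etc").mkdir()
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        (root / "etc" / "rc.conf").write_text("sshd=YES\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "etc" / "hosts", 0o644)
        baseline = build_baseline(root)
        # Same-size content change: size alone misses it, the digest does not.
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\nexec /bin/SH\n")
        os.chmod(root / "etc" / "hosts", 0o600)      # permission change only
        (root / "bin" / "ls").write_bytes(b"new")    # unexpected new file
        (root / "etc" / "rc.conf").unlink()          # removed config
        return check(root, baseline)
```

The baseline database itself has to live on read-only or offline media, otherwise whoever can alter the binaries can update the baseline to match.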



