Function classify_systemd_unit

pub fn classify_systemd_unit(unit_name: &str, exec_start: &str) -> bool

Classify whether a systemd unit is suspicious.

Suspicious if:

  • exec_start contains a suspicious pattern, OR
  • unit_name looks like a randomized hex name (8+ lowercase hex chars + extension), OR
  • exec_start contains base64 indicators.

Not suspicious if exec_start starts with a safe prefix or the unit name is from a known system service.
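The heuristic above, written out as a std-only Rust example added here for illustration; it is not this crate's implementation, and the pattern list, base64 indicators, safe prefixes and known service names are assumed values, since the description does not list them.

```rust
// Illustrative reimplementation of the documented heuristic (not the crate's code).
// All lists below are assumptions chosen for the example.
const SUSPICIOUS_PATTERNS: &[&str] =
    &["/tmp/", "/dev/shm/", "| sh", "| bash", "curl ", "wget ", "nc -e", "/dev/tcp/"];
const BASE64_INDICATORS: &[&str] = &["base64 -d", "base64 --decode"];
const SAFE_PREFIXES: &[&str] =
    &["/usr/lib/systemd/", "/usr/libexec/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/"];
const KNOWN_SERVICES: &[&str] =
    &["sshd.service", "cron.service", "systemd-journald.service", "dbus.service"];

/// True when the name is "<stem>.<ext>" with a stem of 8+ lowercase hex chars.
pub fn looks_like_hex_name(unit_name: &str) -> bool {
    match unit_name.rsplit_once('.') {
        Some((stem, ext)) => {
            !ext.is_empty()
                && stem.len() >= 8
                && stem.chars().all(|c| c.is_ascii_digit() || ('a'..='f').contains(&c))
        }
        None => false,
    }
}

/// Returns true if the unit looks suspicious under the documented rules.
/// The allow-list (safe prefix / known service) is applied first, as the
/// description states; note that this also allow-lists an interpreter launched
/// from a trusted path (e.g. "/bin/sh -c ..."), which is a known blind spot.
pub fn classify_unit(unit_name: &str, exec_start: &str) -> bool {
    let exec = exec_start.trim();
    if SAFE_PREFIXES.iter().any(|p| exec.starts_with(p)) || KNOWN_SERVICES.contains(&unit_name) {
        return false;
    }
    SUSPICIOUS_PATTERNS.iter().any(|p| exec.contains(p))
        || looks_like_hex_name(unit_name)
        || BASE64_INDICATORS.iter().any(|p| exec.contains(p))
}

fn main() {
    // Constructed sample units, not data from any real host.
    let samples = [
        ("sshd.service", "/usr/sbin/sshd -D"),
        ("3fa9c1d2e4b5.service", "/opt/agent/bin/agent"),
        ("update.service", "/tmp/.x/run.sh"),
    ];
    for (name, exec) in samples {
        println!("{name}: suspicious = {}", classify_unit(name, exec));
    }
}
```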