timer_dnf-automatic_enabled doesn't remediate via Ansible on RHEL 9

[comps]

Description of problem:

Running Ansible remediation on "host-os" (the SUT itself),

TASK [Enable timer dnf-automatic] **********************************************
changed: [localhost] => {"changed": true, "enabled": true, "name": "dnf-automatic.timer", "state": "started", "status": {"AccuracyUSec": "1min", "ActiveEnterTimestampMonotonic": "0", "ActiveExitTimestampMonotonic": "0", "ActiveState": "inactive", "After": "-.mount sysinit.target time-set.target time-sync.target", "AllowIsolate": "no", "AssertResult": "no", "AssertTimestampMonotonic": "0", "Before": "shutdown.target timers.target dnf-automatic.service", "CanClean": "state", "CanFreeze": "no", "CanIsolate": "no", "CanReload": "no", "CanStart": "yes", "CanStop": "yes", "CollectMode": "inactive", "ConditionResult": "no", "ConditionTimestampMonotonic": "0", "Conflicts": "shutdown.target", "DefaultDependencies": "yes", "Description": "dnf-automatic timer", "FailureAction": "none", "FixedRandomDelay": "no", "FragmentPath": "/usr/lib/systemd/system/dnf-automatic.timer", "FreezerState": "running", "Id": "dnf-automatic.timer", "IgnoreOnIsolate": "no", "InactiveEnterTimestampMonotonic": "0", "InactiveExitTimestampMonotonic": "0", "JobRunningTimeoutUSec": "infinity", "JobTimeoutAction": "none", "JobTimeoutUSec": "infinity", "LastTriggerUSecMonotonic": "0", "LoadState": "loaded", "Names": "dnf-automatic.timer", "NeedDaemonReload": "no", "NextElapseUSecMonotonic": "infinity", "OnClockChange": "no", "OnFailureJobMode": "replace", "OnSuccessJobMode": "fail", "OnTimezoneChange": "no", "Perpetual": "no", "Persistent": "yes", "RandomizedDelayUSec": "1h", "RefuseManualStart": "no", "RefuseManualStop": "no", "RemainAfterElapse": "yes", "Requires": "sysinit.target -.mount", "RequiresMountsFor": "/var/lib/systemd/timers", "Result": "success", "StartLimitAction": "none", "StartLimitBurst": "5", "StartLimitIntervalUSec": "10s", "StateChangeTimestampMonotonic": "0", "StopWhenUnneeded": "no", "SubState": "dead", "SuccessAction": "none", "TimersCalendar": "{ OnCalendar=*-*-* 06:00:00 ; next_elapse=(null) }", "Transient": "no", "Triggers": "dnf-automatic.service", "Unit": "dnf-automatic.service", "UnitFilePreset": "disabled", "UnitFileState": "disabled", "WakeSystem": "no", "Wants": "network-online.target"}}

results in a following oscap xccdf eval FAILing when checking the rule, claiming that dnf-automatic.timer is inactive.

The fact that a VM-based Ansible test didn't have this issue might indicate a (Beaker) environment specific issue, or maybe some incompatibility with older RHELs, ie. different unit file naming or disabled-by-default service that we never enable, or perhaps an external override (in /etc ?) that would inactivate the service.

Some more investigation is needed, sorry.

Run on 9.0 or 9.2 as

--rhel 9.2 --arch x86_64 --test /hardening/host-os/ansible/anssi_bp28_minimal

SCAP Security Guide Version:

master @ 60a184a

Operating System Version:

RHEL-9.0 EUS and RHEL-9.2 EUS

Additional Information/Debugging Steps:

Can't attach report html / ARF xml here since both contain internal hostnames and IP addresses, given that the scan was done on the Beaker system itself, not in a nested VM. Please use the reproducer above.

[Mab879]

This appears to now be happening on RHEL 9.6 as well.