OpenSCAP / scap-workbench

SCAP Scanner And Tailoring Graphical User Interface

Home Page: https://www.open-scap.org/tools/scap-workbench

Issue with DoD SCAP RHEL7 rule 200 Display login attempts

jrrayfield opened this issue

The fi statement in the following part of the remediation script is unnecessary and causes the script to halt.

###############################################################################
# BEGIN fix (200 / 243) for 'xccdf_org.ssgproject.content_rule_display_login_attempts'
###############################################################################
(>&2 echo "Remediating rule 200/243: 'xccdf_org.ssgproject.content_rule_display_login_attempts'")t
sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi #This is the unnecessary statement.

echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin

# END fix for 'xccdf_org.ssgproject.content_rule_display_login_attempts'

This was a known bug and it has been fixed (https://bugzilla.redhat.com/show_bug.cgi?id=1661709). According to the Bugzilla entry, the fix is supposed to land in RHEL 7.7, which will be released soon. If you do want to wait and do fix the bash remediation on your own, just change to:

(>&2 echo "Remediating rule 200/243: 'xccdf_org.ssgproject.content_rule_display_login_attempts'")
if $(grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin) ; then
        sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin
fi

echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin
echo "session     optional      pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin
# END fix for 'xccdf_org.ssgproject.content_rule_display_login_attempts'

If you think this solution is not enough, please reopen the issue.
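
A pre-flight check for the failure reported in this thread, as an added example that is not part of the thread or of the SCAP content: it parses a remediation fragment with `-n` before running it, and shows on a scratch file what the orphaned `fi` does when the fragment is run unchecked. The function names are hypothetical, the fragments are constructed from the thread with the PAM file path replaced by `"$1"`, and GNU sed is assumed for `--follow-symlinks`.

```shell
#!/bin/sh
# Added example. Fragments are constructed from the thread, with the PAM file
# path replaced by "$1" so they run against a scratch file, never /etc/pam.d.
# Assumes GNU sed (as on RHEL) for --follow-symlinks.
SCAP_SH=$(command -v bash || command -v sh)

# make_samples DIR: write both fragments and a sample postlogin into DIR.
make_samples() {
    cat > "$1/broken.sh" <<'EOF'
sed -i --follow-symlinks "/pam_lastlog.so/d" "$1"
fi
echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" >> "$1"
echo "session     optional      pam_lastlog.so silent noupdate showfailed" >> "$1"
EOF
    cat > "$1/fixed.sh" <<'EOF'
if $(grep -q "^session.*pam_lastlog.so" "$1") ; then
        sed -i --follow-symlinks "/pam_lastlog.so/d" "$1"
fi
echo "session     [default=1]   pam_lastlog.so nowtmp showfailed" >> "$1"
echo "session     optional      pam_lastlog.so silent noupdate showfailed" >> "$1"
EOF
    echo "session     optional      pam_lastlog.so silent" > "$1/postlogin"
}

# syntax_ok FILE: parse FILE without executing anything (sh/bash -n).
syntax_ok() { "$SCAP_SH" -n "$1" 2>/dev/null; }

# apply_checked FRAGMENT TARGET: run FRAGMENT on TARGET only if it parses;
# returns 2 and leaves TARGET untouched otherwise.
apply_checked() {
    syntax_ok "$1" || return 2
    "$SCAP_SH" "$1" "$2"
}

# lastlog_lines FILE: count pam_lastlog.so entries in FILE.
lastlog_lines() { grep -c 'pam_lastlog\.so' "$1"; }

# Demo on a scratch directory.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
apply_checked "$demo_dir/broken.sh" "$demo_dir/postlogin" || echo "broken fragment rejected (rc=$?)"
apply_checked "$demo_dir/fixed.sh" "$demo_dir/postlogin"
apply_checked "$demo_dir/fixed.sh" "$demo_dir/postlogin"
echo "entries after two fixed runs: $(lastlog_lines "$demo_dir/postlogin")"
# Unchecked, the shell runs the sed delete before it reaches the stray 'fi',
# so the file loses its entries and the echo lines never execute.
"$SCAP_SH" "$demo_dir/broken.sh" "$demo_dir/postlogin" 2>/dev/null || true
echo "entries after unchecked broken run: $(lastlog_lines "$demo_dir/postlogin")"
rm -rf "$demo_dir"
```

The same `-n` check can be run over a whole generated remediation script before it is executed as root, since a parse error partway through leaves every later rule unapplied.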