diff --git a/hardening.nix b/hardening.nix
index ffe9089..74b1c83 100644
--- a/hardening.nix
+++ b/hardening.nix
@@ -47,6 +47,8 @@ in
 
     aviallon.hardening.expensive = mkIf cfg.hardcore (mkForce true);
 
+    security.sudo.execWheelOnly = true;
+
     services.openssh.permitRootLogin = "prohibit-password";
 
     security.apparmor.enable = true;