How to Configure sudo and Sudoers on RHEL 7
On a Red Hat Enterprise Linux 7 system, it is a fundamental security best practice to avoid performing routine administrative tasks directly as the root user. The sudo utility allows designated regular users to execute specific commands — or all commands — with root-level privileges, while maintaining a full audit trail of who ran what and when. This tutorial covers everything you need to know about configuring sudo on RHEL 7, from editing the sudoers file safely with visudo to creating per-user and per-group rules, using the sudoers.d drop-in directory, and understanding how sudo logging works.
Prerequisites
- A running RHEL 7 system with root access
- The sudo package installed (it is included by default on RHEL 7)
- Basic knowledge of Linux users and groups
Verify sudo is installed:
rpm -q sudo
If it is not installed, install it as root; sudo itself cannot be used until it exists:
yum install sudo
Step 1: Understanding the sudoers File Syntax
The main configuration file for sudo is /etc/sudoers. It uses a specific syntax to define who can run what commands, as which user, and from which hosts. The general format of a rule is:
WHO WHERE=(AS_WHOM) WHAT
Breaking this down:
- WHO: the user or group that the rule applies to. Groups are prefixed with %.
- WHERE: the hostname, or ALL for any host.
- AS_WHOM: which user the command may run as (typically ALL or root).
- WHAT: the command or comma-separated list of commands, or ALL for full access. An optional tag such as NOPASSWD: may precede it (see Step 5).
For example, a rule granting user alice full sudo access on any host looks like:
alice ALL=(ALL) ALL
Step 2: Using visudo to Edit the Sudoers File
Never edit /etc/sudoers directly with a regular text editor. A syntax error in this file makes sudo refuse to run for everyone, and if no other path to root exists (a known root password, console or rescue-mode access) you are locked out. Always use visudo: it locks the file against concurrent edits, validates the syntax when you save, and offers to reopen the file for correction rather than installing a broken one.
sudo visudo
visudo opens the file in the default editor (vi on RHEL 7). To use a different editor for one session, pass the variable on the sudo command line:
sudo EDITOR=nano visudo
This works only because two conditions hold: visudo consults EDITOR when sudo's env_editor option is enabled (RHEL's package enables it), and sudo's env_reset permits a variable set on the command line when the matched rule is ALL. To set the editor permanently and avoid both conditions, add this to /etc/sudoers:
Defaults editor=/usr/bin/nano
Step 3: Granting Access via the wheel Group
RHEL 7 ships with a rule that grants full sudo access to members of the wheel group, and this is the recommended way to give administrative access to trusted people: membership is managed with ordinary group tools and the rule itself never needs editing. The relevant line in /etc/sudoers is:
%wheel ALL=(ALL) ALL
On a stock RHEL 7 installation this line is active; on systems built from a hardened or custom template it may be commented out, so open visudo and confirm it is uncommented. Leave the neighbouring %wheel ALL=(ALL) NOPASSWD: ALL line commented out. Then add users to the wheel group:
# Add user 'alice' to the wheel group
sudo usermod -aG wheel alice
# Verify group membership
id alice
Group membership is read at login, so alice must log out and back in (or start a new session) before the change takes effect. After that she can run commands with sudo and will be prompted for her own password, not root's:
sudo systemctl restart httpd
Step 4: Adding Individual User sudo Access
If you need to grant a specific user sudo access without adding them to the wheel group, typically because you want to restrict which commands they can run, add a dedicated rule in visudo. The three rules below are alternatives; pick one. When several rules match the same user and command, sudo applies the last one in the file, so stacking a broad rule after a narrow one silently widens access:
# Full sudo access for a specific user
bob ALL=(ALL) ALL
# Allow bob to only restart specific services (arguments must match exactly)
bob ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/systemctl restart nginx
# Allow bob to run commands as any user, without password (explained in Step 5)
bob ALL=(ALL) NOPASSWD: ALL
When restricting commands, always use the full path to the executable: a bare name never matches, and the path pins the rule to one binary instead of whatever the user's PATH resolves. Arguments written in the rule must match exactly; a command listed without arguments may be run with any arguments. Find the path with:
which systemctl
Choose the permitted commands with care: anything that can spawn a subprocess or open a file of the user's choosing (editors, pagers, find, scripting interpreters) hands the user a root shell regardless of the restriction.
Step 5: Using the NOPASSWD Option
In some automation scenarios, such as deployment scripts or monitoring agents, you need a service account to run commands via sudo without interactive password prompts. Use the NOPASSWD tag for this purpose.
# Allow deploy user to restart services without a password
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/systemctl status myapp
# Allow a specific user to run all commands without password (use with caution)
jenkins ALL=(ALL) NOPASSWD: ALL
Security note: NOPASSWD: ALL makes the account root-equivalent, so whatever authenticates that account (its SSH key, its CI credential) is now a root credential and must be protected as one. Use it only for tightly controlled service accounts, prefer the command-restricted form above wherever the automation allows it, and require password confirmation for every human account.
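The rules in Steps 1, 4 and 5 are only as safe as your understanding of how sudo matches them. The following is an added example, not part of the original tutorial and not sudo's own code: a small Python evaluator for the subset of sudoers syntax used on this page (user and %group specs, host, (AS_WHOM), the NOPASSWD: tag, ALL, and commands with exact arguments). The sample sudoers text is constructed for the example, and the host name web01 and the users alice, bob, carol, deploy and mallory are assumptions. It shows three behaviours worth knowing before you commit a rule: arguments in a rule must match exactly, (AS_WHOM) limits the target user, and when several rules match the same user and command, the last one in the file wins, which is how a NOPASSWD rule gets overridden by (or overrides) a later line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    who: str              # user name, or a group name with a leading '%'
    host: str             # host name, or ALL
    runas: str            # target user, or ALL
    nopasswd: bool        # True when the spec carried the NOPASSWD: tag
    commands: List[str]   # ['ALL'] or full paths, optionally with exact arguments


# WHO  WHERE=(AS_WHOM[:AS_GROUP])  [NOPASSWD:|PASSWD:] WHAT[, WHAT ...]
RULE_RE = re.compile(r'^(\S+)\s+(\S+)=\(([^)]+)\)\s+(.+)$')
TAG_RE = re.compile(r'^(NOPASSWD|PASSWD):\s*(.*)$')


def parse_sudoers(text: str) -> List[Rule]:
    """Parse user specifications from sudoers text. Defaults lines are accepted
    but not evaluated; #include/#includedir are recognised as directives (not
    comments) and skipped because this toy does not read files from disk."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#include'):
            continue
        line = line.split('#', 1)[0].strip()   # any other '#' starts a comment
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unsupported sudoers line: %r' % raw)
        who, host, runas, spec = m.groups()
        runas = runas.split(':', 1)[0]         # (user:group): only the user part matters here
        nopasswd = False
        tag = TAG_RE.match(spec)
        if tag:
            nopasswd = tag.group(1) == 'NOPASSWD'
            spec = tag.group(2)
        commands = [c.strip() for c in spec.split(',') if c.strip()]
        rules.append(Rule(who, host, runas, nopasswd, commands))
    return rules


def _command_matches(pattern: str, command: str) -> bool:
    if pattern == 'ALL':
        return True
    if ' ' not in pattern:                       # bare path: any arguments are allowed
        return command.split(' ', 1)[0] == pattern
    return command == pattern                    # path with arguments: exact match only


def check(rules: List[Rule], user: str, groups: List[str], command: str,
          runas: str = 'root', host: str = 'web01') -> Optional[Tuple[str, bool]]:
    """Return ('allow', nopasswd) from the LAST rule that matches, or None when
    nothing matches. sudo uses the last match, not the most specific one, so
    rule order in the file decides whether a password is required."""
    verdict = None
    for r in rules:
        if r.who.startswith('%'):
            if r.who[1:] not in groups:
                continue
        elif r.who not in ('ALL', user):
            continue
        if r.host not in ('ALL', host) or r.runas not in ('ALL', runas):
            continue
        if any(_command_matches(c, command) for c in r.commands):
            verdict = ('allow', r.nopasswd)
    return verdict


# Constructed sample in the syntax of RHEL 7's /etc/sudoers (not a real file).
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
%wheel      ALL=(ALL) ALL
# %wheel    ALL=(ALL) NOPASSWD: ALL
bob         ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/systemctl restart nginx
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/systemctl status myapp
carol       ALL=(ALL) NOPASSWD: ALL
carol       ALL=(ALL) ALL
#includedir /etc/sudoers.d
"""

if __name__ == '__main__':
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, groups, cmd, runas in [
        ('alice',   ['alice', 'wheel'], '/usr/bin/systemctl restart httpd', 'root'),
        ('bob',     ['bob'],            '/usr/bin/systemctl restart httpd', 'root'),
        ('bob',     ['bob'],            '/usr/bin/systemctl restart httpd', 'nobody'),
        ('bob',     ['bob'],            '/usr/bin/systemctl restart sshd',  'root'),
        ('deploy',  ['deploy'],         '/usr/bin/systemctl restart myapp', 'root'),
        ('deploy',  ['deploy'],         '/usr/bin/systemctl restart myapp --no-block', 'root'),
        ('carol',   ['carol'],          '/bin/bash', 'root'),
        ('mallory', ['mallory'],        '/bin/bash', 'root'),
    ]:
        print('%-8s (%s) %-45s -> %s' % (user, runas, cmd, check(rules, user, groups, cmd, runas)))
```

On a real RHEL 7 host the authoritative answer is sudo -l, run as the user in question; use the toy only to reason about rule order before you commit a change through visudo. It does not implement aliases, negation with !, wildcards or Defaults, so anything outside that subset is reported as unsupported rather than guessed at.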
Step 6: Configuring Defaults Settings
The Defaults directive in /etc/sudoers controls global sudo behavior. RHEL 7 includes several defaults out of the box. Some commonly useful settings:
# Require users to re-authenticate after 15 minutes of inactivity (default is 5)
Defaults timestamp_timeout=15
# Refuse to prompt for a password when the terminal cannot hide what is typed (RHEL 7 default)
Defaults !visiblepw
# Send mail to root when a user runs sudo (if mail is configured)
Defaults mail_always
# Log all sudo activity to a custom file in addition to syslog
Defaults logfile=/var/log/sudo.log
# Show a lecture message on the first use of sudo
Defaults lecture=always
# Preserve specific environment variables when switching to root
# (keeping EDITOR or PAGER lets the user choose what a permitted command launches as root;
# acceptable for wheel members with full access, risky alongside command-restricted rules)
Defaults env_keep += "HOME EDITOR PAGER"
# Restrict sudo to a specific secure PATH
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Apply changes by saving through visudo. No service restart is required — sudo reads its configuration on each invocation.
Step 7: Using the sudoers.d Drop-in Directory
Managing all rules in a single /etc/sudoers file can become unwieldy on systems with many users or applications. RHEL 7’s sudoers includes support for a sudoers.d directory, where you can place individual rule files. This is enabled by the following line in the default /etc/sudoers:
#includedir /etc/sudoers.d
Despite the leading #, this is not a comment — it is a directive that includes all files in /etc/sudoers.d/. To add a rule for user alice:
sudo visudo -f /etc/sudoers.d/alice
Add the rule:
alice ALL=(ALL) ALL
sudo ignores any file in /etc/sudoers.d/ whose name contains a dot or ends in a tilde, which keeps editor backups and package leftovers such as alice.rpmnew out of the policy; name drop-in files accordingly or they will be silently skipped. visudo -f creates the file with the required ownership and mode, but if a file was placed there by another tool (a configuration-management run, for instance), make sure it is owned by root and readable by nobody else:
sudo chmod 0440 /etc/sudoers.d/alice
sudo chown root:root /etc/sudoers.d/alice
List existing drop-in files:
ls -la /etc/sudoers.d/
Step 8: Understanding sudo Logging and Auditing
Every sudo invocation, successful or denied, is logged by default. On RHEL 7 the entries go to syslog's authpriv facility, which rsyslog writes to /var/log/secure. You can monitor them like so:
# View recent sudo activity
sudo grep 'sudo' /var/log/secure | tail -20
# Watch for sudo events in real time
sudo tail -f /var/log/secure | grep sudo
A typical log entry looks like:
May 17 10:23:45 hostname sudo[12345]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
If you configured a dedicated log file with Defaults logfile=/var/log/sudo.log, you can review it directly:
sudo tail -f /var/log/sudo.log
Denied attempts are logged in the same format with the reason (user NOT in sudoers, command not allowed, 3 incorrect password attempts) placed between the user name and TTY=, and those lines deserve the most attention. Keep in mind that any user with ALL access can edit or truncate local log files, so forward /var/log/secure to a remote syslog host if the audit trail has to be trustworthy. For more comprehensive audit trails integrated with the Linux Audit subsystem, consider enabling the pam_tty_audit module, which records keystrokes during sudo sessions.
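As an added example (not part of the original tutorial and not sudo's own code), here is a Python script that parses sudo entries in the /var/log/secure format shown above and triages them: it separates successes from denials, flags full shells and shell-escape-capable programs run as root, counts repeated denials per user, and produces a per-user summary for periodic audits. The log lines are constructed for the example; the host web01, the users and the PIDs are assumptions, and the list of escape-capable programs is illustrative rather than exhaustive.

```python
import os
import re
import sys
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in the format sudo writes to /var/log/secure on RHEL 7
# (host name web01, user names and PIDs are invented for this example).
SAMPLE_SECURE_LOG = """\
May 17 10:23:45 web01 sudo[12345]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
May 17 10:24:01 web01 sudo[12350]: mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
May 17 10:24:10 web01 sudo[12355]: bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 17 10:24:20 web01 sudo[12360]: bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
May 17 10:25:02 web01 sudo[12370]: deploy : TTY=unknown ; PWD=/srv/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart myapp
May 17 10:26:30 web01 sudo[12380]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 17 10:27:15 web01 sudo[12385]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config
May 17 10:27:40 web01 sshd[12390]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

# user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...
SUDO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo\[(?P<pid>\d+)\]: '
    r'(?P<user>\S+) : (?:(?P<denial>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; '
    r'USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$')

SHELLS = {'bash', 'sh', 'dash', 'zsh', 'ksh', 'csh', 'tcsh', 'su'}
# Programs that can spawn a shell from inside; illustrative list, not exhaustive.
ESCAPE_CAPABLE = {'vi', 'vim', 'less', 'more', 'man', 'find', 'awk', 'python', 'perl'}


def parse_secure_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per sudo line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())   # 'denial' is None on a successful run
    return events


def _program(command: str) -> str:
    return os.path.basename(command.split(' ', 1)[0])


def triage(events: List[Dict[str, str]], denial_threshold: int = 2) -> List[Tuple[str, str, str]]:
    """Turn parsed events into (kind, user, detail) findings worth a human look."""
    findings = []
    denials = Counter()
    for ev in events:
        prog = _program(ev['command'])
        if ev['denial'] is not None:               # sudo refused: policy or password
            denials[ev['user']] += 1
            findings.append(('denied', ev['user'], '%s: %s' % (ev['denial'], ev['command'])))
        elif prog in SHELLS:                       # a full shell as the target user
            findings.append(('shell', ev['user'], 'shell as %s: %s' % (ev['runas'], ev['command'])))
        elif prog in ESCAPE_CAPABLE:               # a restricted rule on these is no restriction
            findings.append(('escape', ev['user'], '%s can spawn a shell: %s' % (prog, ev['command'])))
    for user, n in sorted(denials.items()):
        if n >= denial_threshold:
            findings.append(('repeated-denials', user, '%d denied attempts' % n))
    return findings


def commands_by_user(events: List[Dict[str, str]]) -> Counter:
    """Audit summary: how often each user ran each program as each target user."""
    summary = Counter()
    for ev in events:
        if ev['denial'] is None:
            summary[(ev['user'], ev['runas'], _program(ev['command']))] += 1
    return summary


if __name__ == '__main__':
    # With lines on stdin, triage those; otherwise run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECURE_LOG
    evs = parse_secure_log(text)
    for kind, user, detail in triage(evs):
        print('%-17s %-8s %s' % (kind, user, detail))
    for (user, runas, prog), n in sorted(commands_by_user(evs).items()):
        print('%s ran %s as %s x%d' % (user, prog, runas, n))
```

Run it with no input to see the sample, or pipe real lines into it: sudo grep 'sudo\[' /var/log/secure | python3 triage.py. The denial message is taken verbatim from whatever sudo places between the user name and TTY=, so a reason the script has never seen is still reported as a denial rather than dropped.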
Conclusion
Properly configured sudo is a cornerstone of Linux system security and operational discipline on RHEL 7. You have learned how to use visudo safely, grant access through the wheel group, create fine-grained per-user command restrictions, use the NOPASSWD option for automated accounts, configure global defaults, and manage rules modularly through the sudoers.d directory. Always follow the principle of least privilege: grant users only the specific commands they need rather than blanket ALL access wherever possible. Pair sudo configuration with regular audits of /var/log/secure and a strong password policy to maintain a hardened administrative environment.