In some distributions such as Raspbian, by default a password is not required to use sudo. Obviously this is no good - so I suggest adding a step to ensure that a password is required.

This can be done like so, at least in Raspbian:

sudoedit /etc/sudoers.d/010_pi-nopasswd

Then remove the NO prefix to NOPASSWD, then save & exit.

Thanks. I will add this when I get a moment.

Also would like this due to the Raspbian default not requiring a password for sudo
Might also be useful to mention lastb to show failed login attempts.