Wednesday, July 31, 2019

SELinux

Blueprints

First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Note: Before using this information and the product it supports, read the information in "Notices".

First Edition (August 2009)

© Copyright IBM Corporation 2009. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

- Introduction
- First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server
  - Scope, requirements, and support
  - Security-Enhanced Linux overview
  - Access control: MAC and DAC
  - SELinux basics
  - SELinux and Apache
    - Installing and running HTTPD
    - HTTPD and context types
    - HTTPD and SELinux Booleans
  - Configuring HTTPD security using SELinux
    - Securing Apache (static content only)
    - Hardening CGI scripts with SELinux
- Appendix. Related information and downloads
- Notices
  - Trademarks

Introduction

This blueprint provides a brief introduction to basic Security-Enhanced Linux (SELinux) commands and concepts, including Boolean variables. In addition, the paper shows you how to increase the security of the Apache Web server with SELinux by using these concepts. Key tools and technologies discussed in this demonstration include Security-Enhanced Linux (SELinux), mandatory access control (MAC), getenforce, sestatus, getsebool, and setsebool.

Intended audience

This blueprint is intended for Linux system or network administrators who want to learn more about securing their systems with SELinux. You should be familiar with installing and configuring Linux distributions, networks, and the Apache Web server.

Scope and purpose

This paper provides a basic overview of SELinux, SELinux Boolean variables, and hardening Apache on Red Hat Enterprise Linux (RHEL) 5.3. For more information about configuring RHEL 5.3, see the documentation supplied with your installation media or the distribution Web site. For more information about SELinux, see "Related information and downloads".

Software requirements

This blueprint is written and tested using Red Hat Enterprise Linux (RHEL) 5.3.

Hardware requirements

The information contained in this blueprint is tested on different models of IBM System x and System p hardware. For a list of hardware supported by RHEL 5.3, see the documentation supplied with your Linux distribution.

Author names

Robert Sisk

Other contributors

Monza Lui, Kersten Richter, Robb Romans

IBM Services

Linux offers flexibility, options, and competitive total cost of ownership with a world class enterprise operating system. Community innovation integrates leading-edge technologies and best practices into Linux. IBM® is a leader in the Linux community with over 600 developers in the IBM Linux Technology Center working on over 100 open source projects in the community. IBM supports Linux on all IBM servers, storage, and middleware, offering the broadest flexibility to match your business needs. For more information about IBM and Linux, go to ibm.com/linux (https://www.ibm.com/linux).

IBM Support

Questions and comments regarding this documentation can be posted on the developerWorks Security Blueprint Community Forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271

The IBM developerWorks® discussion forums let you ask questions, share knowledge, ideas, and opinions about technologies and programming techniques with other developerWorks users. Use the forum content at your own risk. While IBM will attempt to provide a timely response to all postings, the use of this developerWorks forum does not guarantee a response to every question that is posted, nor do we validate the answers or the code that are offered.

Typographic conventions

The following typographic conventions are used in this Blueprint:

- Bold: Identifies commands, subroutines, keywords, files, structures, directories, and other items whose names are predefined by the system. Also identifies graphical objects such as buttons, labels, and icons that the user selects.
- Italics: Identifies parameters whose actual names or values are to be supplied by the user.
- Monospace: Identifies examples of specific data values, examples of text like what you might see displayed, examples of portions of program code like what you might write as a programmer, messages from the system, or information you should actually type.

Related reference: "Scope, requirements, and support". This blueprint applies to System x® running Linux and PowerLinux. You can learn more about the systems to which this information applies.

First Steps with Security-Enhanced Linux (SELinux): Hardening the Apache Web Server

Scope, requirements, and support

This blueprint applies to System x running Linux and PowerLinux. You can learn more about the systems to which this information applies.

Systems to which this information applies: System x running Linux and PowerLinux

Security-Enhanced Linux overview

Security-Enhanced Linux (SELinux) is a component of the Linux operating system developed primarily by the United States National Security Agency.
SELinux provides a method for creation and enforcement of mandatory access control (MAC) policies. These policies confine users and processes to the minimal amount of privilege required to perform assigned tasks. For more information about the history of SELinux, see http://en.wikipedia.org/wiki/Selinux.

Since its release to the open source community in December 2000, the SELinux project has gained improvements such as predefined Boolean variables that make it easier to use. This paper helps you understand how to use these variables to configure SELinux policies on your system and to secure the Apache httpd daemon.

Access control: MAC and DAC

Access level is important to computer system security. To compromise a system, attackers try to gain any possible level of access and then try to escalate that level until they are able to obtain restricted data or make unapproved system modifications. Because each user has some level of system access, every user account on your system increases the potential for abuse. System security has historically relied on trusting users not to abuse their access, but this trust has proven to be problematic.

Today, server consolidation leads to more users per system. Outsourcing of systems management gives legitimate access, often at the system administrator level, to unknown users. Because server consolidation and outsourcing can be financially advantageous, what can you do to prevent abuse on Linux systems? To begin to answer that question, let's take a look at discretionary access control (DAC) and mandatory access control (MAC) and their differences.

Discretionary access control (DAC), commonly known as file permissions, is the predominant access control mechanism in traditional UNIX and Linux systems.
You may recognize the drwxr-xr-x or the ugo abbreviations for owner, group, and other permissions seen in a directory listing. In DAC, generally the resource owner (a user) controls who has access to a resource. For convenience, some users commonly set dangerous DAC file permissions that allow every user on the system to read, write, and execute many files that they own. In addition, a process started by a user can modify or delete any file to which the user has access. Processes that elevate their privileges high enough could therefore modify or delete system files. These instances are some of the disadvantages of DAC.

In contrast to DAC, mandatory access control (MAC) regulates user and process access to resources based upon an organizational (higher-level) security policy. This policy is a collection of rules that specify what types of access are allowed on a system. System policy is related to MAC in the same way that firewall rules are related to firewalls.

SELinux is a Linux kernel implementation of a flexible MAC mechanism called type enforcement. In type enforcement, a type identifier is assigned to every user and object. An object can be a file or a process. To access an object, a user must be authorized for that object type. These authorizations are defined in a SELinux policy. Let's work through some examples and you will develop a better understanding of MAC and how it relates to SELinux.

SELinux basics

It is a good practice not to use the root user unless necessary. However, for demonstrating how to use SELinux, the root user is used in the examples in this blueprint. Some of the commands shown require root privileges to run them; for example, running getenforce and editing the /etc/selinux/config file.

Run modes

You can enable or disable SELinux policy enforcement on a Red Hat Enterprise Linux system during or after operating system installation. When disabled, SELinux has no effect on the system. When enabled, SELinux runs in one of two modes:

- Enforcing: SELinux is enabled and SELinux policy is enforced
- Permissive: SELinux is enabled but it only logs warnings instead of enforcing the policy

When prompted during operating system installation, if you choose to enable SELinux, it is installed with a default security policy and set to run in the enforcing mode.

Confirm the status of SELinux on your system. As in many UNIX or Linux operating systems, there is more than one way to perform a task. To check the current mode, run one of the following commands: getenforce, sestatus, or cat /etc/selinux/config.

- The getenforce command returns the current SELinux run mode, or Disabled if SELinux is not enabled. In the following example, getenforce shows that SELinux is enabled and enforcing the current SELinux policy:

    $ getenforce
    Enforcing

  If your system is displaying Permissive or Disabled and you want to follow along with the instructions, change the /etc/selinux/config file to run in Enforcing mode before continuing with the demonstration. Remember that if you are in Disabled mode, you should change first to Permissive and then to Enforcing.

- The sestatus command returns the current run mode, along with information about the SELinux policy if SELinux is enabled.
  In the following example, sestatus shows that SELinux is enabled and enforcing the current SELinux policy:

    $ sestatus
    SELinux status:              enabled
    SELinuxfs mount:             /selinux
    Current mode:                enforcing
    Mode from config file:       enforcing
    Policy version:              21
    Policy from config file:     targeted

- The /etc/selinux/config file configures SELinux and controls the mode as well as the active policy. Changes to the /etc/selinux/config file become effective only after you reboot the system. In the following example, the file shows that the mode is set to enforcing and the current policy type is targeted.

    $ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted

To enable SELinux, you need to set the value of the SELINUX parameter in the /etc/selinux/config file to either enforcing or permissive. If you enable SELinux in the config file, you must reboot your system to start SELinux.

We recommend that you set SELINUX=permissive if the file system has never been labeled, has not been labeled recently, or you are not sure when it was last labeled. Note that file system labeling is the process of assigning a label containing security-relevant information to each file. In SELinux a file label is composed of the user, role, and type, such as system_u:object_r:httpd_sys_content_t. Permissive mode ensures that SELinux does not interfere with the boot sequence if a command in the sequence occurs before the file system relabel is completed.
Once the system is up and running, you can change the SELinux mode to enforcing.

If you want to change the mode of SELinux on a running system, use the setenforce command. Entering setenforce enforcing changes the mode to enforcing and setenforce permissive changes the mode to permissive. To disable SELinux, edit the /etc/selinux/config file as described previously and reboot. You cannot disable or enable SELinux on a running system from the command line; you can only switch between enforcing and permissive when SELinux is enabled.

Change the mode of SELinux to permissive by entering the following command:

    $ setenforce permissive

Recheck the output from getenforce, sestatus, and cat /etc/selinux/config.

- The getenforce command returns Permissive, confirming the mode change:

    $ getenforce
    Permissive

- The sestatus command also returns a Permissive mode value:

    $ sestatus
    SELinux status:              enabled
    SELinuxfs mount:             /selinux
    Current mode:                permissive
    Mode from config file:       enforcing
    Policy version:              21
    Policy from config file:     targeted

- After changing the mode to permissive, both the getenforce and sestatus commands return the correct permissive mode. However, look carefully at the output from the sestatus command and compare it with the contents of /etc/selinux/config:

    $ cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted

The Mode from config file parameter is enforcing.
This setting is consistent with the cat /etc/selinux/config output because the config file was not changed. This status implies that the changes made by the setenforce command do not carry over to the next boot. If you reboot, SELinux returns to the run state configured in /etc/selinux/config, which is enforcing mode.

Change the running mode back to enforcing by entering the following command:

    $ setenforce enforcing

The following output confirms the mode change:

    $ getenforce
    Enforcing

Security contexts

The concept of type enforcement and the SELinux type identifier were discussed in the Overview. Let's explore these concepts in more detail.

The SELinux implementation of MAC employs a type enforcement mechanism that requires every subject and object to be assigned a type identifier. The terms subject and object are defined in the Bell-La Padula multilevel security model (see http://en.wikipedia.org/wiki/Bell-La_Padula_model for more information). Think of the subject as a user or a process and the object as a file or a process. Typically, a subject accesses an object; for example, a user modifies a file. When SELinux runs in enforcing mode, a subject cannot access an object unless the type identifier assigned to the subject is authorized to access the object. The default policy is to deny all access not specifically allowed.

Authorization is determined by rules defined in the SELinux policy. An example of a rule granting access may be as simple as:

    allow httpd_t httpd_sys_content_t : file {ioctl read getattr lock};

In this rule, the subject http daemon, assigned the type identifier of httpd_t, is given the permissions ioctl, read, getattr, and lock for any file object assigned the type identifier httpd_sys_content_t.
In simple terms, the http daemon is allowed to read a file that is assigned the type identifier httpd_sys_content_t. This is a basic example of an allow rule type. There are many types of allow rules and some are very complex. There are also many type identifiers for use with subjects and objects. For more information about rule definitions, see SELinux by Example in the "Related information and downloads" section.

SELinux adds type enforcement to standard Linux distributions. To access an object, the user must have both the appropriate file permissions (DAC) and the correct SELinux access. An SELinux security context contains three parts: the user, the role, and the type identifier. Running the ls command with the -Z switch displays the typical file information as well as the security context for each item in the subdirectory. In the following example, the security context for the index.html file is composed of user_u as the user, object_r as the role, and httpd_sys_content_t as the type identifier:

    $ ls -Z index.html
    -rw-r--r-- web_admin web_admin user_u:object_r:httpd_sys_content_t index.html

SELinux and Apache

Installing and running HTTPD

Now that you have a general understanding of the SELinux security context, you can secure an Apache Web server using SELinux. To follow along, you must have Apache installed on your system.
You can install Apache on Red Hat Linux by entering the following command:

    $ yum install httpd

Next, start the Apache http daemon by entering service httpd start, as follows:

    $ service httpd start
    Starting httpd:

HTTPD and context types

Red Hat Enterprise Linux 5.3, at the time of this writing, uses selinux-policy-2.4.6-203.el5. This policy defines the security context for the http daemon object as httpd_t. Because SELinux is running in enforcing mode, entering /bin/ps axZ | grep httpd produces the following output:

    $ ps axZ | grep http
    root:system_r:httpd_t 2555 ? Ss 0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2593 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2594 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2595 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2596 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2597 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2598 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2599 ? S  0:00 /usr/sbin/httpd
    root:system_r:httpd_t 2600 ? S  0:00 /usr/sbin/httpd

The Z option to ps shows the security context for the httpd processes as root:system_r:httpd_t, confirming that httpd is running as the security type httpd_t.

The selinux-policy-2.4.6-203.el5 also defines several file security context types to be used with the http daemon. For a listing, see the man page for httpd_selinux. The httpd_sys_content_t context type is used for files and subdirectories containing content to be accessible by the http daemon and all httpd scripts.
Entering ls -Z displays the security context for items in the default http directory (/var/www/), as follows:

    $ ls -Z /var/www/ | grep html
    drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html

The /var/www/html directory is the default location for all Web server content (defined by the variable setting of DocumentRoot /var/www/html in the /etc/httpd/conf/httpd.conf http configuration file). This directory is assigned the type httpd_sys_content_t as part of its security context, which allows the http daemon to access its contents. Any file or subdirectory inherits the security context of the directory in which it is created; therefore a file created in the html subdirectory inherits the httpd_sys_content_t type.

In the following example, the root user creates the index.html file in the /root directory. The index.html file inherits the root:object_r:user_home_t security context, which is the expected security context for root in RHEL 5.3.

    $ touch /root/index.html
    $ ls -Z /root/index.html
    -rw-r--r-- root root root:object_r:user_home_t /root/index.html

If the root user copies the newly created index.html file to the /var/www/html/ directory, the file inherits the security context (httpd_sys_content_t) of the html subdirectory because a new copy of the file is created in the html subdirectory:

    $ cp /root/index.html /var/www/html
    $ ls -Z /var/www/html/index.html
    -rw-r--r-- root root user_u:object_r:httpd_sys_content_t /var/www/html/index.html

If you move the index.html file instead of copying it, a new file is not created in the html subdirectory and index.html retains the user_home_t type:

    $ mv -f /root/index.html /var/www/html
    $ ls -Z /var/www/html/index.html
    -rw-r--r-- root root user_u:object_r:user_home_t /var/www/html/index.html

When a Web browser or network download agent like wget makes a request to the http daemon for the moved index.html file, with user_home_t context, the browser is denied access because SELinux is running in enforcing mode.

    # wget localhost/index.html
    --21:10:00-- http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    21:10:00 ERROR 403: Forbidden.

SELinux generates error messages in both /var/log/messages and /var/log/httpd/error_log. The following message in /var/log/httpd/error_log is not very helpful because it tells you only that access is being denied:

    [Wed May 20 12:47:57 2009] [error] [client 172.16.1.100] (13) Permission denied: access to /index.html denied

The following error message in /var/log/messages is more helpful because it tells you why SELinux is preventing access to the /var/www/html/index.html file – a potentially mislabeled file. Furthermore, it provides a command that you can use to produce a detailed summary of the issue.

    May 20 12:22:48 localhost setroubleshoot: SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html). For complete SELinux messages. run sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a

Entering sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a as suggested in the previous error message returns the following detailed error message:

    $ sealert -l 9e568d42-4b20-471c-9214-b98020c4d97a
    Summary:
    SELinux is preventing the httpd from using potentially mislabeled files (/var/www/html/index.html).

    Detailed Description:
    SELinux has denied httpd access to potentially mislabeled file(s) (/var/www/html/index.html). This means that SELinux will not allow httpd to use these files.
    It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

    Allowing Access:
    If you want httpd to access this files, you need to relabel them using restorecon -v '/var/www/html/index.html'. You might want to relabel the entire directory using restorecon -R -v '/var/www/html'.

    Additional Information:
    Source Context        root:system_r:httpd_t
    Target Context        root:object_r:user_home_t
    Target Objects        /var/www/html/index.html [ file ]
    Source                httpd
    Source Path           /usr/sbin/httpd
    Port
    Host                  localhost.localdomain
    Source RPM Packages   httpd-2.2.3-22.el5
    Target RPM Packages
    Policy RPM            selinux-policy-2.4.6-203.el5
    Selinux Enabled       True
    Policy Type           targeted
    MLS Enabled           True
    Enforcing Mode        Enforcing
    Plugin Name           home_tmp_bad_labels
    Host Name             localhost.localdomain
    Platform              Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
    Alert Count           24
    First Seen            Fri May 15 13:36:32 2009
    Last Seen             Wed May 20 12:47:56 2009
    Local ID              9e568d42-4b20-471c-9214-b98020c4d97a
    Line Numbers

    Raw Audit Messages
    host=localhost.localdomain type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
    host=localhost.localdomain type=SYSCALL msg=audit(1242838076.937:1141): arch=40000003 syscall=196 success=no exit=-13 a0=8eaa788 a1=bfc8d49c a2=419ff4 a3=2008171 items=0 ppid=3273 pid=3197 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Although called a summary, this output is a very detailed report that provides the necessary commands to resolve the issue. As shown below, entering /sbin/restorecon -v '/var/www/html/index.html' as suggested not only resolves the problem, but also reports how the security context for the /var/www/html/index.html file was changed.

    $ restorecon -v '/var/www/html/index.html'
    /sbin/restorecon reset /var/www/html/index.html context root:object_r:user_home_t:s0->root:object_r:httpd_sys_content_t:s0

The previous restorecon -v command changed the security context of /var/www/html/index.html from root:object_r:user_home_t to root:object_r:httpd_sys_content_t. With a root:object_r:httpd_sys_content_t security context, the http daemon can now access /var/www/html/index.html.

Use a Web browser or wget to make another request to the httpd daemon for the index.html file with a restored security context. This time, the request is permitted:

    # wget localhost/index.html
    --21:09:21-- http://localhost/index.html
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/html]
    Saving to: 'index.html'
    [ ] 0 --.-K/s in 0s
    21:09:21 (0.00 B/s) - 'index.html' saved [0/0]
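
The relabeling decision walked through above, as an added example that is not part of the IBM blueprint: the script reads raw audit records and separates httpd denials caused by a wrong label inside the web tree, which restorecon fixes, from denials where the label is already correct or the target lies outside the web tree and should not be relabeled. The function names, the /var/www/ root, the list of accepted types, and every sample record except the first (the blueprint's own denial with quotes normalized) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM blueprint.
# Reads raw audit records on stdin and classifies each httpd AVC denial.

# Types the blueprint shows on content under /var/www.
# Assumption: extend this list to match your own policy.
HTTPD_CONTENT_TYPES="httpd_sys_content_t httpd_sys_script_exec_t"
WEB_ROOT="/var/www/"   # assumption: the default tree used in the blueprint

triage_avc() {
    awk -v ok_types="$HTTPD_CONTENT_TYPES" -v web_root="$WEB_ROOT" '
    # Return the value of key=value from the current record, quotes removed.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # A context is user:role:type[:level]; the type is the third part.
    function ctx_type(ctx,    p) { split(ctx, p, ":"); return p[3] }

    BEGIN { n = split(ok_types, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }

    /type=AVC/ && /denied/ {
        if (ctx_type(field("scontext")) != "httpd_t") next
        perms = ""
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        path  = field("path")
        ttype = ctx_type(field("tcontext"))
        if (ttype in ok) {
            verdict = "POLICY"
            action  = "label is correct; review Booleans and policy"
        } else if (index(path, web_root) == 1) {
            verdict = "MISLABELED"
            action  = "restorecon -v " path
        } else {
            verdict = "INVESTIGATE"
            action  = "do not relabel; httpd reached outside " web_root
        }
        printf "%s|%s|%s|%s|%s\n", verdict, perms, path, ttype, action
    }'
}

# Constructed sample: the first record is the denial from the blueprint;
# the remaining records are made up for this example.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1242838076.937:1141): avc: denied { getattr } for pid=3197 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=3827354 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1242838076.937:1141): arch=40000003 syscall=196 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0
type=AVC msg=audit(1242838100.101:1150): avc: denied { write } for pid=3197 comm="httpd" path="/var/www/html/upload.dat" dev=dm-0 ino=3827360 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1242838120.202:1151): avc: denied { read } for pid=3197 comm="httpd" path="/etc/shadow" dev=dm-0 ino=1234567 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# Each output line is verdict|permissions|path|target type|suggested action.
sample_audit | triage_avc
```

Only the MISLABELED verdict maps to the restorecon fix from the sealert report; a denial on a file outside the web tree is a reason to examine what httpd was asked to do, not a reason to relabel the file.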

HTTPD and SELinux Booleans

SELinux has a set of built-in switches named Booleans or conditional policies that you can use to turn specific SELinux features on or off. Entering the getsebool -a | grep http command lists the 23 Booleans related to the http daemon, which are a subset of the 234 Booleans currently defined in the selinux-policy-2.4.6-203.el5 policy. These 23 Booleans allow you to customize SELinux policy for the http daemon during runtime without modifying, compiling, or loading a new policy. You can customize the level of http security by setting the relevant Boolean values or toggling between on and off values.

    $ getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_disable_trans --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_rotatelogs_disable_trans --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_nfs --> off

SELinux provides three command-line tools for working with Booleans: getsebool, setsebool, and togglesebool.
The getsebool -a command returns the current state of all the SELinux Booleans defined by the policy. You can also use the command without the -a option to return settings for one or more specific Booleans entered on the command line, as follows:

    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

Use setsebool to set the current state of one or more Booleans by specifying the Boolean and its value. Acceptable values to enable a Boolean are 1, true, and on. Acceptable values to disable a Boolean are 0, false, and off. See the following cases for examples. You can use the -P option with the setsebool command to write the specified changes to the SELinux policy file. These changes are persistent across reboots; unwritten changes remain in effect until you change them or the system is rebooted.

Use setsebool to change the status of the httpd_enable_cgi Boolean to off:

    $ setsebool httpd_enable_cgi 0

Confirm the status change of the httpd_enable_cgi Boolean:

    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> off

The togglesebool tool flips the current value of one or more Booleans. This tool does not have an option that writes the changes to the policy file. Changes remain in effect until changed or the system is rebooted.

Use the togglesebool tool to switch the status of the httpd_enable_cgi Boolean, as follows:

    $ togglesebool httpd_enable_cgi
    httpd_enable_cgi: active

Confirm the status change of the httpd_enable_cgi Boolean:

    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on
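
One way to turn the Boolean listing above into persistent changes, as an added example that is not part of the IBM blueprint: the script compares getsebool output with the list of httpd Booleans a site has decided it needs and prints the setsebool -P commands that close the gap, flagging names in the list that the policy does not define. The function names and the NEEDED list are assumptions for this example; the sample input is the listing shown above.

```shell
#!/usr/bin/env bash
# Added example, not part of the IBM blueprint.
# Turns a list of needed httpd Booleans into persistent setsebool commands.

# Usage: getsebool -a | boolean_plan "NEEDED BOOLEAN NAMES"
boolean_plan() {
    awk -v keep_list="$1" '
    BEGIN { n = split(keep_list, k, " "); for (i = 1; i <= n; i++) keep[k[i]] = 1 }
    # getsebool prints one "name --> on|off" line per Boolean.
    $2 == "-->" && $1 ~ /httpd/ {
        seen[$1] = 1
        if ($3 == "on"  && !($1 in keep)) print "setsebool -P " $1 " off"
        if ($3 == "off" &&  ($1 in keep)) print "setsebool -P " $1 " on"
    }
    # A needed name that never appeared is probably a typo in the list.
    END {
        for (name in keep)
            if (!(name in seen)) print "# WARNING: no such Boolean: " name
    }'
}

# Sample input: the getsebool listing reproduced from the blueprint.
sample_booleans() {
    cat <<'EOF'
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
EOF
}

# Assumption: a site that has decided to keep only these two Booleans on.
NEEDED="httpd_builtin_scripting httpd_unified"
sample_booleans | boolean_plan "$NEEDED"
```

The commands use -P so the result survives a reboot; review the printed plan before running it, because the same function also proposes turning a needed Boolean on.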

Configuring HTTPD security using SELinux

Securing Apache (static content only)

The default Red Hat Enterprise Linux 5.3 installation with SELinux running in enforcing mode provides a basic level of Web server security. You can increase that security level with a little effort. Because security is related to the function of the system, let's start with a Web server that only serves static content from the /var/www/html directory.

1. Ensure that SELinux is enabled and running in enforcing mode:

    $ sestatus
    SELinux status:              enabled
    SELinuxfs mount:             /selinux
    Current mode:                enforcing
    Mode from config file:       enforcing
    Policy version:              21
    Policy from config file:

2. Confirm that httpd is running as type httpd_t:

    $ /bin/ps axZ | grep http
    root:system_r:httpd_t 2555 ? Ss 0:00 httpd
    root:system_r:httpd_t 2593 ? S  0:00 httpd
    root:system_r:httpd_t 2594 ? S  0:00 httpd
    root:system_r:httpd_t 2595 ? S  0:00 httpd
    root:system_r:httpd_t 2596 ? S  0:00 httpd
    root:system_r:httpd_t 2597 ? S  0:00 httpd
    root:system_r:httpd_t 2598 ? S  0:00 httpd
    root:system_r:httpd_t 2599 ? S  0:00 httpd
    root:system_r:httpd_t 2600 ? S  0:00 httpd

3. Confirm that the /var/www/html directory is assigned the httpd_sys_content_t context type:

    $ ls -Z /var/www/
    drwxr-xr-x root      root root:object_r:httpd_sys_script_exec_t cgi-bin
    drwxr-xr-x root      root root:object_r:httpd_sys_content_t     error
    drwxr-xr-x root      root root:object_r:httpd_sys_content_t     html
    drwxr-xr-x root      root root:object_r:httpd_sys_content_t     icons
    drwxr-xr-x root      root root:object_r:httpd_sys_content_t     manual
    drwxr-xr-x webalizer root root:object_r:httpd_sys_content_t     usage

4. Confirm that the content to be served is assigned the httpd_sys_content_t context type. For example:

    $ ls -Z /var/www/html/index.html
    -rw-r--r-- root root root:object_r:httpd_sys_content_t /var/www/html/index.html

Use a Web browser or wget to make a request to the httpd daemon for the index.html file and you should see that permission is granted.

To increase the level of protection provided by SELinux, disable any httpd-related features that you do not want by turning off their corresponding Boolean. By default, the following six Booleans are set to on. If you do not need these features, turn them off by setting their Boolean variables to off.

    # getsebool -a|grep http|grep "--> on"
    httpd_builtin_scripting --> on
    httpd_can_sendmail --> on
    httpd_enable_cgi --> on
    httpd_enable_homedirs --> on
    httpd_tty_comm --> on
    httpd_unified --> on

httpd_can_sendmail: If the Web server does not use Sendmail, turn this Boolean to off. This action prevents unauthorized users from sending e-mail spam from this system.

httpd_enable_homedirs: When this Boolean is set to on, it allows httpd to read content from subdirectories located under user home directories. If the Web server is not configured to serve content from user home directories, set this Boolean to off.

httpd_tty_comm
By default, httpd is allowed to access the controlling terminal. This action is necessary in certain situations where httpd must prompt the user for a password. If the Web server does not require this feature, set the Boolean to off.

httpd_unified
This Boolean affects the transition of the http daemon to security domains defined in SELinux policy. Enabling this Boolean creates a single security domain for all http-labeled content. For more information, see SELinux by Example listed under the "Related information and downloads," on page 15 section.

httpd_enable_cgi
If your content does not use the Common Gateway Interface (CGI) protocol, set this Boolean to off. If you are unsure about using CGI in the Web server, try setting it to off and examine the log entries in the /var/log/messages file. The following example shows an error message from /var/log/messages resulting from SELinux blocking httpd execution of a CGI script:

    May 28 15:48:37 localhost setroubleshoot: SELinux is preventing the http daemon from executing cgi scripts. For complete SELinux messages. run sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc

Entering sealert -l 0fdf4649-60df-47b5-bfd5-a72772207adc produces the following output:

    Summary:

    SELinux is preventing the http daemon from executing cgi scripts.

    Detailed Description:

    SELinux has denied the http daemon from executing a cgi script. httpd can be setup in a locked down mode where cgi scripts are not allowed to be executed. If the httpd server has been setup to not execute cgi scripts, this could signal a intrusion attempt.

    Allowing Access:

    If you want httpd to be able to run cgi scripts, you need to turn on the httpd_enable_cgi Boolean: "setsebool -P httpd_enable_cgi=1"

    The following command will allow this access:

    setsebool -P httpd_enable_cgi=1

    Additional Information:

    Source Context       root:system_r:httpd_t
    Target Context       root:object_r:httpd_sys_script_exec_t
    Target Objects       /var/www/cgi-bin [ dir ]
    Source               httpd
    Source Path          httpd
    Port
    Host                 localhost.localdomain
    Source RPM Packages  httpd-2.2.3-22.el5
    Target RPM Packages  httpd-2.2.3-22.el5
    Policy RPM           selinux-policy-2.4.6-203.el5
    Selinux Enabled      True
    Policy Type          targeted
    MLS Enabled          True
    Enforcing Mode       Enforcing
    Plugin Name          httpd_enable_cgi
    Host Name            localhost.localdomain
    Platform             Linux localhost.localdomain 2.6.18-128.1.10.el5 #1 SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
    Alert Count          1
    First Seen           Thu May 28 15:48:36 2009
    Last Seen            Thu May 28 15:48:36 2009
    Local ID             0fdf4649-60df-47b5-bfd5-a72772207adc
    Line Numbers

    Raw Audit Messages

    host=localhost.localdomain type=AVC msg=audit(1243540116.963:248): avc: denied { getattr } for pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir

    host=localhost.localdomain type=SYSCALL msg=audit(1243540116.963:248): arch=40000003 syscall=196 success=no exit=-13 a0=8bd0a88 a1=bfc790bc a2=4d0ff4 a3=2008171 items=0 ppid=2555 pid=2595 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="httpd" subj=root:system_r:httpd_t:s0 key=(null)

At the end of the previous output, listed under the Raw Audit Messages are these lines:

    "scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir"

This output shows you that httpd attempted to access a subdirectory with the httpd_sys_script_exec_t context type. This type is the context type of /var/www/cgi-bin, the directory where httpd looks for CGI scripts. The httpd daemon, with a httpd_t context type, was unable to access this subdirectory because the httpd_enable_cgi variable is set to off. With this configuration, SELinux does not allow a user or process of type httpd_t to access a directory, file, or process of type httpd_sys_script_exec_t. Therefore, the http daemon was denied access to the CGI script located in /var/www/cgi-bin. If you find similar messages in your log file, set the httpd_enable_cgi Boolean to on.

httpd_builtin_scripting
If you did not configure Apache to load scripting modules by changing the /etc/httpd/conf/httpd.conf configuration file, set this Boolean to off. If you are unsure, turn httpd_builtin_scripting to off and check the /var/log/messages file for any httpd-related SELinux warnings. See the description of httpd_enable_cgi for an example. PHP and other scripting modules run with the same level of access as the http daemon. Therefore, turning httpd_builtin_scripting to off reduces the amount of access available if the Web server is compromised.

To turn off all six of these Booleans and write the values to the policy file by using the setsebool -P command, follow these steps:

1. Enter the setsebool -P command:

    # setsebool -P httpd_can_sendmail=0 httpd_enable_homedirs=0 httpd_tty_comm=0 httpd_unified=0 httpd_enable_cgi=0 httpd_builtin_scripting=0

2. Check all the Boolean settings related to httpd by entering getsebool -a | grep httpd. The following output shows that all Booleans are set to off, including the six previously described variables which default to on.

    $ getsebool -a | grep httpd
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> off
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_disable_trans --> off
    httpd_enable_cgi --> off
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_rotatelogs_disable_trans --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_nfs --> off

3. Use a Web browser or wget to make another request to the httpd daemon for the index.html file and you should succeed. Rebooting your machine does not change this configuration.

This completes the necessary basic SELinux settings for hardening a Web server with static content. Next, look at hardening scripts accessed by the http daemon.

Hardening CGI scripts with SELinux

In the previous section, you used SELinux Booleans to disable scripting because the Web server used only static content.
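
The raw audit record analysed under httpd_enable_cgi above can be reduced to the fields that matter (source type, target type, object class, permissions) with a short script. This is an added example, not part of the IBM blueprint: the function names are assumptions, the first two sample records are the ones shown in the sealert output above, and the third record is constructed. The Boolean hint covers only the httpd_t to httpd_sys_script_exec_t case that the blueprint itself explains.

```shell
#!/bin/sh
# Added example: summarise AVC denials from raw audit records.

# Sample input: the AVC and SYSCALL records quoted in the blueprint, plus one
# constructed AVC record (the last line) to show a denial with no Boolean hint.
sample_audit_log() {
cat <<'EOF'
host=localhost.localdomain type=AVC msg=audit(1243540116.963:248): avc:  denied  { getattr } for  pid=2595 comm="httpd" path="/var/www/cgi-bin" dev=dm-0 ino=5527166 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_script_exec_t:s0 tclass=dir
host=localhost.localdomain type=SYSCALL msg=audit(1243540116.963:248): arch=40000003 syscall=196 success=no exit=-13 items=0 ppid=2555 pid=2595 uid=48 gid=48 comm="httpd" exe="httpd" subj=root:system_r:httpd_t:s0 key=(null)
host=localhost.localdomain type=AVC msg=audit(1243540200.101:251): avc:  denied  { read write } for  pid=2596 comm="httpd" path="/home/alice/public_html/index.html" dev=dm-0 ino=5530001 scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# summarize_avc: read audit records on stdin and print one line per AVC denial:
#   comm=... source=<type> target=<type> class=... perms=a,b path=... boolean=...
# The SELinux type is the third colon-separated field of scontext/tcontext.
summarize_avc() {
    awk '
        /type=AVC/ && / denied / {
            perms = ""; inside = 0
            split("", kv)                      # clear the key/value map
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inside = 1; continue }
                if ($i == "}") { inside = 0; continue }
                if (inside) {                  # words between { } are permissions
                    perms = (perms == "" ? $i : perms "," $i)
                    continue
                }
                eq = index($i, "=")
                if (eq > 0) {
                    val = substr($i, eq + 1)
                    gsub(/"/, "", val)         # drop the quotes around strings
                    kv[substr($i, 1, eq - 1)] = val
                }
            }
            split(kv["scontext"], s, ":")
            split(kv["tcontext"], t, ":")
            path = (("path" in kv) ? kv["path"] : "-")   # some denials have no path
            # Hint only for the case explained in the blueprint text.
            hint = (s[3] == "httpd_t" && t[3] == "httpd_sys_script_exec_t") \
                   ? "httpd_enable_cgi" : "-"
            printf "comm=%s source=%s target=%s class=%s perms=%s path=%s boolean=%s\n", \
                   kv["comm"], s[3], t[3], kv["tclass"], perms, path, hint
        }'
}

# Demo run on the sample records.
sample_audit_log | summarize_avc
```

On a server that is meant to serve static content only, a line with boolean=httpd_enable_cgi is the event the sealert text describes as a possible intrusion signal, so review it before changing the Boolean.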
Beginning with that configuration, you can enable CGI scripting and use SELinux to secure the scripts.

1. Confirm that your Web server is configured as described in section "Securing Apache (static content only)" on page 9.

2. Red Hat Enterprise Linux provides a CGI script that you can use for testing. You can find the script at /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi. Copy this script to the /var/www/cgi-bin/ directory, as follows:

    $ cp /usr/lib/perl5/5.8.8/CGI/eg/tryit.cgi /var/www/cgi-bin/

3. Make sure that the first line of the tryit.cgi script contains the correct path to the perl binary. From the which perl output shown below, the path should be changed to #!/usr/bin/perl.

    # which perl
    /usr/bin/perl
    # head -1 /var/www/cgi-bin/tryit.cgi
    #!/usr/local/bin/perl

4. Confirm that /var/www/cgi-bin is assigned the httpd_sys_script_exec_t context type as follows:

    $ ls -Z /var/www/ | grep cgi-bin
    drwxr-xr-x root root root:object_r:httpd_sys_script_exec_t cgi-bin

5. Allow and confirm read and execute permission for the tryit.cgi script to all users:

    # chmod 555 /var/www/cgi-bin/tryit.cgi
    # ls -Z
    -r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t tryit.cgi

6. Confirm that /var/www/cgi-bin/tryit.cgi is assigned the httpd_sys_script_exec_t context type:

    $ ls -Z /var/www/cgi-bin/tryit.cgi
    -r-xr-xr-x root root root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/tryit.cgi

7. Enable CGI scripting in SELinux and confirm that it is enabled:

    $ setsebool httpd_enable_cgi=1
    $ getsebool httpd_enable_cgi
    httpd_enable_cgi --> on

8. Open a Web browser and type the Web server address into the location bar. Include the /cgi-bin/tryit.cgi in the URL. For example, type http://192.168.1.100/cgi-bin/tryit.cgi. The tryit.cgi script should return output similar to Figure 1:

Figure 1: A Simple Example

9. Provide test answers to the form fields and click Submit Query. The tryit.cgi script should return output similar to Figure 2:

Figure 2: A Simple Example with results

Appendix. Related information and downloads

Related information

Wikipedia: Security-Enhanced Linux, http://en.wikipedia.org/wiki/Selinux
Bell-La Padula model, http://en.wikipedia.org/wiki/Bell-La_Padula_model
NSA Security-Enhanced Linux, http://www.nsa.gov/research/selinux/index.shtml
Managing Red Hat Enterprise Linux 5 presentation, http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
developerWorks Security Blueprint Community Forum, http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1271
Red Hat Enterprise Linux 4: Red Hat SELinux Guide, http://www.linuxtopia.org/online_books/redhat_selinux_guide/rhlcommon-section-0055.html
F. Mayer, K. MacMillan, D. Caplan, "SELinux By Example – Using Security Enhanced Linux", Prentice Hall, 2007

Notices

This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation, Dept. LRAS/Bldg. 903, 11501 Burnet Road, Austin, TX 78758-3400, U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation, Licensing, 2-31 Roppongi 3-chome, Minato-ku, Tokyo 106-0032, Japan.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® and ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.html

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks and logos are registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Printed in USA

How Sustainable Is A Wind Energy System Environmental Sciences Essay

The literal meaning of sustainability derives from a Latin word that means to maintain or support. However, since 1980, sustainability has been used in connection with the environment and with development related to the environment. With the progress of technology, human lives have become more mechanised and modern. In this modern world we depend on technology more than before, so more energy is required for our modernised society. To fulfil our demands we burn fuel that we get from natural reserves. By burning this natural fuel we not only destroy our natural resources, but also increase carbon emissions in the environment.

A simple definition: "sustainability is improving the quality of human life while living within the carrying capacity of supporting eco-systems" (http://en.wikipedia.org/wiki/Sustainable_development); "a sustainable global society founded on respect for nature, universal human rights, economic justice, and a culture of peace." (http://www.earthcharterinaction.org/content/)

Ethical issue

I chose wind energy systems. Wind energy is a sustainable and renewable energy that is produced from wind. Sustainable or renewable energy is energy that comes from natural resources, and wind energy is one example of it. Wind energy is a pollution-free, sustainable form of energy that can help us reduce traditional fossil-based power generation. Many industrialised countries, such as the US and Canada, have recognised that wind energy is a lasting, sustainable, economic and environmentally friendly source that secures energy price and supply. Wind energy is a green energy that supports long-term energy supply to our environment from renewable resources.

Wind energy systems

Using a wind energy system to produce power is advantageous in many respects. On the other hand, if fossil fuel is used as an energy source, it increases the carbon dioxide level in the air and it is costly. Wind energy is a pollution-free, sustainable form of energy that can reduce traditional fossil fuel energy generation. If we continue to produce energy by burning fossil fuel, there will be remarkable impacts and changes in the environment, such as global warming, extreme weather events (such as excessive flooding, drought, etc.), and atmospheric instability.

Air pollution

To produce wind energy, there is no need for any form of fuel. Wind turbines are powered by wind, so wind energy produces zero emissions to the environment. Fossil fuel contributes to producing acid rain and smog as well as climate change. According to Western Wind Energy, "Using wind to produce enough power for over 200 homes (2,000,000 kWh) of electricity instead of burning coal will leave 900,000 kg of coal in the ground and reduce annual greenhouse gas emissions by 2,000 metric tons. This is equivalent to taking 417 cars off the road or planting 10,000 trees." (http://www.westernwindenergy.com/s/Environment.asp)

Huge amounts of greenhouse gas emissions have resulted in acid rain, which has destroyed plants, aquatic environments, buildings, etc. The main cause of acid rain is the excessive amount of sulphur-nitrogen compounds present in the air. These harmful sulphur-nitrogen compounds are produced by factories, by emissions from motor vehicles and by electricity generation. The coal power plant is the most dangerous producer of greenhouse gas. The greenhouse gas from a coal power plant can travel thousands of kilometres before it produces acid rain. So it pollutes the air not only around the plant but also in nearby countries. There is no doubt that the production of energy from fossil fuel is harmful to our environment and life.
Furthermore, the exploration, transportation and extraction of resources also affect the environment. The devastating effect on marine ecology and on wildlife during the transportation of oil is already well known to everyone. So this is the time to shift to an alternative energy source, that is, wind energy. By using wind energy to produce power we can keep the environment clean for our next generation.

Water

From the American Wind Energy Association web site, it is found that a small amount of water is required compared to a coal plant. "A typical coal plant consumes about 0.49 gallons (1.90 litres)* and an oil plant consumes about 0.43 gallons (1.60 litres) of pure water per kilowatt hour produced. Comparatively, wind energy requires 0.001 gallons (0.004 litres)* per kWh; this water is used to clean the turbine rotor blades when rainfall is insufficient to clear off dust and insect build-up which would deform the shape of the aerofoil and degrade performance." (http://www.awea.org/)

Cost effective to produce wind energy

Producing wind energy is also sustainable for the environment and for a strong economy. Global warming and a contaminated environment impact the economy in many ways. These are as follows:

The US spends more than $20 billion a year on lung-related illnesses associated with degraded air quality due to fossil-based power generation. (http://www.westernwindenergy.com/s/Environment.asp)
Hurricanes and floods damage hundreds of houses and destroy many lives.
Pollution from fossil fuel destroys much marine life, such as fish and water plants.
Greenhouse gases gradually increase the average temperature of the Earth. They also change the weather patterns in the world; as a result we have floods, cyclones and tsunamis very frequently nowadays.
Children are suffering from lung diseases that are caused by air pollution.
Low birth weight, premature birth and infant deaths are also a result of smog.
Lake water is also contaminated by mercury, a toxic heavy metal.

However, wind power plants also have some adverse effects on the environment, but the effects are much lower than those of fossil fuel energy.

Fact and recommendations

Energy is required in every aspect, from our daily life to industrial purposes. We should move to using wind energy to produce power, which is more sustainable. We need to think about this alternative energy resource to fulfil our demands while preserving the environment, to keep it clean for our future generations.

Fig 1: adapted from Wikipedia (http://en.wikipedia.org/wiki/Sustainable_development)

Following are the recommendations to decrease environmental pollution and move to green energy, that is, wind energy:

Produce energy using renewable sources, that is, wind energy, which leads to reduced greenhouse gas emissions to the environment.
Increase the environmental and ethical awareness of people so that they shift to green power. Environmental awareness can be raised by advertising the adverse effects of fossil fuel energy.
Mutual regulations are required to keep the environment clean.
Governments of different developed countries need to agree to produce green energy by using wind energy systems.

Only a few countries nowadays produce energy from wind energy systems. As greenhouse gas can travel a few hundred miles, it can affect many lives as well as destroy the ecological cycle. Finally, it is time to move to wind energy systems to produce power for the industrialised world.

Conclusion

The main purpose of using wind energy systems is to keep our environment clean for the next generation. The final goal of using wind energy is to produce energy in a sustainable manner.
Using wind energy to produce power is not only sustainable for the environment but also economically feasible. Our objective, at this time, is to propel the company into a prominent market position. In this century, severe stress is seen around the world in every sector, whether economic or environmental. The increase in population is also a big factor in this stress. Energy consumption increases rapidly with the increase in population. People are not taking good care of their environment. To fulfil the energy demand we destroy our environment, but we also destroy our life and the sustainability of the environment and economy in this world. Now is the time to take care of our life and environment by using alternative wind energy systems to produce energy and power for our daily life and for our industrialised society.

Tuesday, July 30, 2019

Summarize King’s Arguments

The purpose of this essay paper is to examine Dr. Martin Luther King Jr.’s Letter from a Birmingham Jail. The paper will examine parts of King as a preacher as well as an advocate for Civil Rights. His use of dictation and dialogue to the people will be a major point in this paper. King’s writing presents the inner teachings of his striving for equality among all people and the way in which humanity suffers, and the predicament of racism during the Civil Rights Movement will also be a major theme in this paper as it applies to King’s work.

By indicating that he is a “fellow clergyman”, King tells the members of the local parishes that they should respect him. King calls the other clergymen “men of genuine good” and calls their intentions sincere. This is to set his argument as one of discourse, rather than an attack. King tells of his position to indicate his reasoning for being in Alabama. It is his duty to see that all Southern states are represented by the conference. The rationale behind the current War on Terror follows this motif. Between the negotiations and the demonstrations, King began a series of workshops on non-violence. Then he followed that by a Christmas season boycott of local stores. “Justice too long delayed, is justice denied” is the most personally inspiring pathos King included here. This simple phrase sums the whole of the civil rights movement.

A white moderate is a person of Caucasian descent who is “more concerned with order than justice.” King finds fault in their logic. He feels that they are deluded into believing that stability of society is safer than justice for all people. They believe that “the Negro should wait” for a better time to assert their rights. King also feels that “lukewarm acceptance is much more frustrating than outright rejection.” Another group that disappoints King is the white Christians who fail to support his efforts.
King was disappointed that his non-violent efforts were seen as extremist actions. He also felt disappointed with his inability to motivate the white Christians to his cause, because the modern manifestation of the Christian church had lost its sacrificial nature and its authenticity.

The early days of the American Civil Rights movement were days of non-violent protests. The simple acts, such as the Montgomery Bus Boycott and the Freedom Marches, used large numbers of Black Americans in ways that affected the white establishment economically and morally to achieve change. However, as the movement went on, increasing numbers of Black Americans began to become disenchanted with the non-violent, almost placating nature of the movement under Martin Luther King Jr. and others. This feeling of powerlessness led to the formation of a more militant movement. The birth of the Black Panthers, and other Black Power organizations, came from frustration at the slowness of change seen through the non-violent protests as well as from the emerging black identity of strength, confidence and power.

The other influence which created the Black Power movement was the understanding of many black American youth that the deaths of African-Americans meant nothing to the American population as a whole. The deaths of many blacks, directly resulting from racial murders and revenge for Civil Rights protests, garnered next to no reaction from the public at large. In contrast, the deaths of white Americans, even if suspected to be by a black man, would create mass outrage. King was troubled by the clergy’s praising of the Birmingham Police for “keeping order”. However, with the dogs attacking the non-violent protestors, King felt that they should have instead commented on the “Negro sit-inners”. This disproportionate standard nurtured a feeling that without strong leadership, and defense, the black man would lose the escalating war for civil liberties.
While the motives and actions of the nationwide Student Non-violent Coordination Committee saw small victories throughout the country, its lack of firm power at local levels left many, especially non-student American blacks, without a cause to follow. The growing feeling of separation within the Civil Rights movement itself began to cause stratification within the movement. The emergence of SNCC leader Stokely Carmichael was the first major break within the SNCC. Carmichael, as described by Allen Matusow, was “[h]andsome, volatile, eloquent and fearless [and] became a magnet in the SNCC for the militant and proto-nationalists”. (Matusow 1984, 352) The rise of Carmichael was solidified when, in May of 1966, Carmichael and his adherents successfully took over the SNCC from its former, and far more docile, leader John Lewis. This allowed Carmichael to issue the call for all “black Americans to begin building independent political, economic and cultural institutions that will control and use as instruments of social chance in this country”. (Matusow 354)

The many and diverse organizations that were created during the civil rights movement of the 1960’s each, in their own ways, affected the outcome of that decade. Some of the organizations based their philosophies on empowerment, others on revenge, and still others on the legal advocacy of oppressed individuals. However, one group, in particular, was involved in the most trying and violent events of the movement, and maintained its stand for non-violent protest to effect change. The Southern Christian Leadership Conference was founded by Martin Luther King Jr. in 1957. The organization functioned “as an umbrella organization of affiliates, rather than seeking individual membership”. (King Encyclopedia) This allowed the SCLC to gain influence in multiple states. King used the ability of the SCLC to enter the fray of Birmingham, Alabama in 1963.
The union of black churches throughout the Southern States allowed for a strong base of support for King’s non-violent confrontation of the white establishment. Though his work would see him arrested, and many of his fellow protestors beaten, injured and even hospitalized, the basic ideal of the SCLC never wavered. During the height of the civil rights movement, the rise of the concept of Black Power, a more militant and empowered movement, began to take hold in many American cities. The direct assault on the established power of white America that the Black Panther Party promised influenced many young blacks to follow their ideology. This became a struggling point for the Southern Christian Leadership Conference, in that its strict adherence to the non-violent messages of Martin Luther King Jr. was increasingly being seen as weak. The dependence that the SCLC had on the white churches of the South was also seen as a problem point for many in the movement. Despite the hurdles that the Southern Christian Leadership Conference was forced to confront, the ideology of King’s vision was maintained, even after his assassination. The death of King was a strong blow against the organization. The momentum that the group had gained under the guidance of Martin Luther King Jr. was stalled and the group nearly imploded. However, the words of King lived on through his death. In his final speech, the evening before his murder, King rallied the minds and emotions of his followers. The words of the speech, which came to be known as the “Promised Land” speech, spoke of his eventual death. Through his final words, King told his followers that the life of a man is meaningless without that man having lived up to his potential. The work of King, and the SCLC, continues to this day.
And though there are organizations which are more recognized, such as the NAACP, the Southern Christian Leadership Conference confronted the face of oppression directly, and without violent retaliation. The ability of the organization to achieve its goals, and see the world that King envisioned, allows them to be seen as the most effective of the era.

WORK CITED

King, Martin Luther. “Letter from a Birmingham Jail”. Estate of Martin Luther King Jr. April 16, 1963.

“Southern Christian Leadership Conference: SCLC”. The King Encyclopedia. The King Center. Date of Access: March 30, 2006.

Monday, July 29, 2019

Human Resources Management Essay Example | Topics and Well Written Essays - 2250 words - 1

Human Resources Management - Essay Example When businesses can call on the most advanced technology available to man to get benefits for their organization, any company can have access to the same development and production tools as their competition and in such cases the worth of human resources becomes extremely important. In the real world, two companies can have the same computers and software, the same quality of raw materials, even the same machinery that is used for production, but if one of them has better employees, then that company will have an advantage over the other. With training, labor and human resources have the advantage that they can grow with the company and while other equipment might have to be replaced with time, human resources only improve in quality with experience and training. Moreover, with effective training they can improve their skill set to play larger roles for the company and take on more responsibility. Training might also be nothing less than a necessity for the company when the business model changes to a certain level or when the company is looking to enter new markets where the existing skill set of the employees is insufficient. Undoubtedly, the advantages connected with training have been recounted by many HR related professionals but there is also a significant investment involved in training and developing human resources which may not turn out to be as loyal to the company as expected. With regard to training, GE comes across as a very good company and it has been used as a shining example of a good company by several business gurus. For example, Colvin (2006) and Demos (2006) both admire the company as well as its human resource management and give it the title of being one of the most admired companies in the world.
Jack Welch, the long time CEO of the company, stated clearly in his book titled Winning that the training provided by GE becomes a large part of the reason why the company is so well respected because training employees, “Motivates

Sunday, July 28, 2019

Music in Arts Education Research Paper Example | Topics and Well Written Essays - 1000 words

Music in Arts Education - Research Paper Example Everywhere you look, someone is listening to music. In today’s day and age, children starting at the young ripe age of six, all the way to nineteen have ear buds permanently glued to their ears. Parents can hardly get a word in because they know their son or daughter is lost in their own world of music. Music varies, and it varies because children have different tastes. Each child has its own perception of what music should look, feel, sound, taste, and even smell like. For many, music brings back memories. Some of them are good, but much too often, bad. Without music, children feel that their world is being invaded. So they may use music as a safety net; a way to connect with their inner souls, and with people around them. Music is a window into the next dimension. Each child adapts to their own style, genre, and even musical essence. A lot of music is used to depict feeling, sensory connection, and telling of a story. Without music today, young children, preteens, and adolescents feel disconnected from the world. We educators and adults may not understand why students are hooked on music, but if we take time to reflect, we too will remember the importance of our own quiet times we spent being enthralled with the newest album, CD, or cassette tape featuring our favorite group; boy, girl or singles band. All we must do is reminisce and we too will be transported back to what we now may see as “foreign” and not as important. When music is taught in the classroom, it can at times be considered boring, redundant and trite. Students lose heart because teachers are lacking the connection. Many times students are told what instrument they will play, when they will play it or how. But, when does the creativity begin to flow? When can students create their own rules when learning about music? Music is often taught via a textbook.
Students learn about the baroque time, the neo-classical time, and the more prominent times that seem to be less pertinent to students today. Teachers stay away from time periods they are unfamiliar with mainly because they were not taught it in “teacher” college. But they are missing the connection with students. They fail to bridge the gap between music from the past and music today. If we want our students to appreciate music for what it is worth, it is important for us to start becoming more relevant for the students. Instead of focusing so much on standards and benchmarks required, maybe think about branching out and having a little bit of fun. National testing and school performance tables have been focusing so much on the core subjects that they have left out other subjects that seem less important such as music and the arts. Just because students are not tested on these things does not mean they are less important. Unless of course a school is only focused on scores. When students study music, they learn about many different cultures. An appreciation for diversity comes to the forefront and students learn to get along in a more harmonious manner. Students don’t only learn to get along but they learn self-discipline, which is a very hard thing to do today because of the amount of overly stimulating activities students are involved in on a daily basis. Take T.V. for example. When kids watch TV, they do just that; watch. They do not interact with the television; they become complacent and are fed information. They are

Saturday, July 27, 2019

Assess the impact of re-introducing rent control on the market for Coursework

Assess the impact of re-introducing rent control on the market for housing - Coursework Example There are cases when the owners build the houses in order to offer them for rent to individuals so as to meet the increasing demand for housing (Besanko and Braeutigam, 2013). The owners fix the rent for the houses in order to earn some profit but there is a concept of rent control that imposes a ceiling on the rent in cases when the owners charge an exceptionally high rent (Besanko and Braeutigam, 2013). Hence, the paper aims at carrying out a study on the market structure of the housing market and the impacts of the policies adopted for rent control. The paper also offers a scope to understand the microeconomic theory related to the rent control. The structure of the housing market is based on the model that considers various aspects such as the availability of cheap credit that in turn increases the demand for houses in the international market (Glaeser and Luttmer, 2003). As a result, there is a relative price of the houses due to low availability of the houses. However, there was a high availability of low quality houses which forced the investors to raise the prices of the houses in order to earn high profit. These features are essential for the Life-Cycle model of Housing where the prices of houses match with the quality of the houses available in the international market (Krugman and Wells, 2012). On the contrary, the characteristics of the buyers willing to purchase the houses differ based on the age, wealth and income they earn. In order to bring in equilibrium within the market, the prices of the houses are equalized with the quality of the available houses and also it is based on the demand and supply aspects in the housing market. Thus, the study suggests that the distribution of the houses depends on the numbers of buyers as well as the quality of houses available in the market.
Further, the suitability of the available houses to the buyers is also an essential factor that increases the number of buyers willing to

Friday, July 26, 2019

Info technology Essay Example | Topics and Well Written Essays - 500 words

Info technology - Essay Example This article mainly focuses on the approach to be implemented to improve the Supply Chain Management in order to effectively cut down on excess costs. The author discusses how different companies implement the present Supply Chain Management principle and expect different and better results whereas this is not possible. The author states in this article that to gain better profit margins and to gain a better hold over the market, each company has to come up with its own Supply Chain Management principle which suits that company. Despite the changes such as Globalization, Real-Time Supply Chain Process, Lean Management for Waste Reduction, Accounting Rules and Transparency of sales and acceptance, companies present since ninety years back function the same way as they did then. The author suggests the old business principles be dropped and new improvised ones be implemented. The approach should be more of a strategy than being just a principle. The first step is to design a new architecture for the Supply Chain Management. The second step is to define the process, people and technology. The third step is to use resources effectively. The fourth and the final step is to include the scope, breadth and complexity of supply chains. Discussion: Supply Chain Management involves co-ordinating and integrating the flow of materials, information and finances from supplier to manufacturer to retailer to consumer both within and among companies (Ayers, 2000). The product flow involves the flow or movement of raw materials from the supplier to the manufacturer and the movement of products from the manufacturer to the wholesaler to retailer to the consumer. The information flow involves the flow of information such as transmitting orders and updating the status of delivery. Flow of finances includes transfer of credit, payment schedules, etc. Supply Chain Management makes use of

Thursday, July 25, 2019

Development of Professional Policing Essay Example | Topics and Well Written Essays - 2000 words

Development of Professional Policing - Essay Example The emphasis here was on training and skills needed to prevent crime and maintain order. The journey was a long and arduous one for professional policing as its proponents and detractors fought tooth and nail to promote or prevent its development. The transition phase was a turbulent one as the debate raged on, with arguments flowing thick and fast between those who called for reform and their opponents. In the protracted battle that was to follow the detractors initially gained the upper hand and were able to stall many parliamentary measures that were proposed to establish more professional and effective policing. Eventually the tide turned in favour of the reformers, and the New Police took firm root in English society. A critical analysis of the arguments for and against the development of professional policing in nineteenth century England can prove to be very illuminating for the student of police history. Towards the end of its tenure, and sometime at the beginning of the nineteenth century the Old police received a lot of criticism and was tried on the charges of inadequacy, inefficiency, corruption and dereliction of duty. There were voices calling out for reform and the establishment of improved policing, meanwhile, the criticism continued to pour in. Critchley (1967) insisted that during those times of inept policing there was real "danger of a total relapse into barbarity" (cited by Godfrey and Lawrence, 2005, p.17). Rawlings (2002, p. 108) also mentions the criticism against the London night watchmen, "the almost useless, decrepit, and inefficient tribe of watchmen with which for the most part, the streets of the metropolis may rather be said to be infested rather than protected". The reasons were many for the charges against the old police. 
The parish constables were selected on a rotation basis and they could hire deputies, who were usually poorly qualified to satisfactorily perform the task at hand. John Wade in response to this practice said, "The office has fallen into the hands of the lowest class of retailers and costardmongers, who make up the deficient allowance of their principals by indirect sources of emolument" (cited by Rawlings, 2002, p.109). Once the term of office was over they had to resume their role in the community as ordinary citizens and go back to their former occupations. Therefore not surprisingly most of the constables, being aware of this fact, were more concerned with currying favour with the locals and conforming to popular opinion than preventing crime and implementing measures that were unpalatable to local taste. Sometimes victims were unable to pay for the services of the constable and the criminal would not be apprehended. Furthermore, according to Godfrey and Lawrence (2005, p.14), they were not assured a steady or lucrative income, so "they may well have been less willing to act on their own initiative and more willing simply to do the minimum required of them". In other words due to the lack of a financial incentive, the constables did not perform their functions adequately and for the same reason they were not above criminal

Critical Discussion Essay Example | Topics and Well Written Essays - 1750 words

Critical Discussion - Essay Example In discussing the influence of educational pioneers from social and political points of view, Ornstein takes positions as a progressivist on one hand (New-tone) and a postmodernist (Ultra-New-Tone) on the other. The arguments are centered around the effects of education, reflected in the society, and the above quote is used to support Mr Ultra-New-Tone's radical position. Michael Apple's statement may be understood to mean that schools and other institutions of Education have a significant control over the social and economic systems within which they operate. The justification for this is that schools are knowledge centers and their primary responsibility lies in the proper dissemination of knowledge. Most of a child's life is spent in the school and what is taught here shapes their behaviors in the social system that they otherwise live in. The phrase 'cultural capital' can be used to encompass various types of knowledge, skills, talent etc, the possession of which provides a certain status in the society (http://en.wikipedia.org/wiki/Cultural_capital). It can be thought of as the tangible and intangible effects of culture on the Society. In proposing that there are inequities in culture capital, just as there is an 'unequal distribution of economic capital', Apple seems to imply that the current systems of education are the reasons why the inequalities exist and hence they need to change so that they can be overcome. Ornstein has used this implication in his argument supporting the radical view, that a revolutionary change in the system is required and that the focus be shifted from one of ranking and testing to one of freedom in learning.
The basis of the arguments by the radicals stems from the fundamental belief that: the conservative philosophy in Education is too objective to be democratic whereas the radicals subjective approach broadens the scope of 'standards' and lends itself to be an ideal equalizer. The postmodernists also hold that continuous and rapid change is necessary to adapt to the exponential growth, in information that the contemporary generation is forced to keep pace with. According to Ornstein, what is implied by Michael Apple's rather dramatic statement that 'schools ... shape our lives and take control over us', is that 'in the technological societies' that we live in, it is imperative that, radical reforms are made with an immediate sense of urgency. The Postmodernists versus the Educational Pioneers and Progressivism The debate about whether radical reform is required, to narrow the perceived inequality in distribution of knowledge or if this can be better achieved by adhering to time-tested principles laid out by educational pioneers can be conducted on various planes: (1) Effect that

Wednesday, July 24, 2019

Germany 1789-1900 Research Paper Example | Topics and Well Written Essays - 1000 words

Germany 1789-1900 - Research Paper Example Despite the endowment, a rift between the high class and lower class prevailed leading to divergence, apparent contradiction, and violent collision of thoughts. The contest for recognition and right of control promulgated a series of unconnected struggles, hence the birth of movements including the German confederation. The paper is a discussion on the different revolutionary and independence movements from 1789 to 1900. In the mid nineteenth century, cultural, social and economic tensions rose between Germany and other parts of Europe. The sheer problems had reached a crisis stage and each section was looking for backdoor solutions that favour their interest. Undeniably, political reality was fast becoming unavoidable; however, the industrial revolution worsened the situation (Meuschel 21). The industrial revolution brought a series of signs, as the democratic changes threatened the survival of existing government, a factor that needed further scrutiny. Several democratic principles including independence of the judiciary, press freedom and representation in the legislature were fast becoming a problem (Görner 61). With the promises coming and going an acceleration of liberal movements gained stage. From January-February 1848, a revolt in Paris led to the overturn of King Louis Philip, a situation that triggered Germany to explode. It began with an uprising from peasant revolts in Baden and Bavaria. Notably, the wavelike revolution spread down to the Rhineland and ultimately to the military head of Prussia (Berlin). At this point, it started becoming a problem putting pressure on the ruling government. Being so strong, many monarchs agreed to installation of basic democratic requirements (Peterson 46). In response, the intellectual fathers and leaders of the revolution met in Heidelberg, to ensure fruits from the revolution land in the right hands. A follow-up meeting in Frankfurt led to

Tuesday, July 23, 2019

Strategies for People Management Essay Example | Topics and Well Written Essays - 2000 words

Strategies for People Management - Essay Example There have been numerous research efforts in this area and a lot of organizations are devising strategies aimed at bringing more women into the upper levels of workforce. In its response to the DTI consultation on productivity indicators, the EOC has submitted that, “The achievement of gender equity is central to the three key elements of economic growth: an increased labour supply; flexibility, so as to be able to adjust to new growth opportunities; and rewarding workers according to their performance and skills.” (http://www.eoc.org.uk). Our main aim in HR terms is the recruitment, retention and development of the very best and creative staff and to provide them high quality support to strengthen our strategy of maintaining the cutting edge of functional ability. The challenge we presently face in HR is to maintain our present staff strength so that we can sustain our present momentum and stay ahead of our competitors. The shortage of skilled workforce is the main problem in UK and within the next years the position is likely to get worse rather than improve. The factors of aging, migration to other jobs, disparity between staff etc are some of the key issues that may serve to create a shortage of manpower in our organisation. While we recognise that women constitute a proportionate portion of our research staff, photographers, copy writers, editors etc and do play a key role in delivering our overall strategic aims, their numbers in the middle and senior level executives are much less than their male counterparts. Our strategy, therefore, must reinforce the importance we attach in achieving equality of representation of both genders in the higher echelons of staff structure. Our present strategy is primarily focused on recruitment and retention, reward and recognition, training, learning and development, action to tackle poor performance, review of staffing needs.
While our efforts in the area of reward, recognition

Monday, July 22, 2019

Environmental factors affecting Nespresso in China Essay Example for Free

Environmental factors affecting Nespresso in China Essay The micro environment on the other hand comprises the industry and market. Religion, education, ethnicity, education and language, age group, family, cross cultural differences. In 1978, the Chinese government introduced a birth control policy of one child per family. (Newsweek 2014) This in the long run will reduce both sales and labor availability for companies, especially foreign brands like Nespresso. The business culture in China is based on strong family ties and cultural networks. Guanxi is a Chinese business practice of favoring family and close friends prior to doing business. This could be unfavorable to foreign businesses like Nespresso and other western companies. LEGAL FACTORS. Foreign trade laws, land ownership laws, patent and trademark laws, piracy laws, lobbying laws. According to reports, foreign firms cannot and do not acquire land as all land remains the property of the Chinese government. However the lease system provides foreign firms and corporations access to land for a period of about 50 years, after which the lease can be renewed. There was a case of McDonalds in Beijing who were forced out of their property by the government during the contract period (China unique, 2013). This spells an unstable working environment for Nespresso. ECONOMIC FACTORS Economic factors include unemployment rate, exchange rate, inflation, interest rate, consumer discretionary income, labor cost. Unemployment: According to the ministry of human resources and social security of the PRC, there has been a significant decrease in unemployment rate in China from 4.10 in the last quarter of 2013 to 4 percent in the second quarter of 2013 (Trading economics, 2014). This will increase salaries and wages due to scarcity of labor as only few of the population are unemployed. Similarly, China’s inflation rate as reported by the National Bureau of Statistics of China was at 2.50 percent in January 2014 (Bloomberg business week Jan. 2014).
This has caused a reduction in unemployment and an increase in wages. This might mean an increase in sales for western brands like Nespresso and luxurious brands. According to Ban and company, luxury goods purchases have slowed down by 7 percent as Chinese shoppers now do their luxury shopping abroad (Ban and company 2013). This might not be too good for foreign companies in China but it shows how passionate Chinese are for luxury brands. China’s GDP was recorded at 7.7 percent (9.4 trillion USD) in the fourth quarter of 2013. (Bloomberg business week Jan. 2014) The above information shows that China’s economic environment would promote and facilitate business activities. (Trading economies, 2014). Lower unemployment rate implies high purchasing power of customers. Inflation will affect Nespresso because suppliers will demand more. High interest rate means high return on investment. The higher consumers’ discretionary income, the higher their purchasing power, especially for premium products like the Nespresso brand. POLITICAL FACTORS. Factors present in the political environment include political stability, government involvement, trade barriers (tariff and non-tariff). Political stability: The three decades of reform in China has led to both a political and social landscape. (China daily Feb 2014). China has a unique form of political risk which is a constant battle between the central government and local government over applicable laws. For Nespresso, this stability and a clear understanding of local law would guarantee a stable business environment in the long run. Government involvement: The purpose of this is to protect domestic firms (protectionism). Government may impose barriers (tariff and non-tariff) on imports or foreign investment in order to protect domestic industries and to reduce competition.
Although China has continuously opened its market for foreign investors, it has also placed restrictions on some foreign businesses in certain industries. For instance the restriction on American producers of autos, beef and steel into its market. (Bloomberg news April 2013) TECHNOLOGY. Technology when applied to work makes it easier, quicker and sometimes more efficient. The level of technology. Technology is an input that improves an organization’s output. Technological factors include machinery, communication, internet penetration, transport and logistics, social infrastructure. Internet penetration and logistics. See question 2 THE MICRO ENVIRONMENT INDUSTRY ANALYSIS PORTER’S FIVE FORCES. Local suppliers include: Yunnan Zheng coffee co ltd, Baoshan Yatong coffee commercial co. ltd, Dehong Hogu coffee co ltd, Yunnan Changshengda investment co. ltd, Kunming Qianxi industry and trade co ltd, Acme Fate international ltd (Alibaba, 2014). This shows that the supplier power is low because there are so many suppliers in the industry. Power of buyers (customers): With over 14 million people in Shanghai and other major cities of China and the tea drinking tradition of the Chinese people, there tends to be a high buyer power amongst customers. Also, the quest for luxurious brands amongst Chinese consumers tends to influence buying power. Competitors: The level of competition in China is high not just for coffee consumption but also for other hot drinks. In terms of luxurious coffee key players include Starbucks, Costa, McDonalds, 85 degrees, Pacific coffee etc. Research from Mintel has shown that there has been an increase in the number of cafes from 15,898 to 31,283 between 2007 and 2012. (China briefing, 2013). Threat of new entrants: With the existence of so many players in the coffee industry it can be concluded that there is high threat of new entrants because it may seem that coffee business in China is attractive.
Analysts say there will be a continuous increase in the consumption of instant coffee. (Euro monitor international). Industry rivalry: Competition is intense in the coffee industry in China as key players continue to compete in different ways. According to reports, there is a continuous fight for market share, who has more coffee shops etc. As Starbucks plans to have 1500 stores in China, Costa coffee has stated its intention to increase its number to 2500 by 2018. Nestle and Starbucks have been competing for dominance of China’s coffee market for the last decade. While Nestle has focused on being a ubiquitous brand, Starbucks has targeted the upper middle class. (Context china) QUESTION TWO According to reports, China has 618 million internet users. 80 percent of this number are mobile internet users. (ZDnet, 2014). The outbreak of mobile internet users drove the number from 500 million as at December 2013. With this number of internet users, a firm would have no problem carrying out online sales, advertising, or communicating with its customers. A report by adage confirms that Taobao and Tmall, two of China’s largest e-commerce companies, broke their last year’s sales record via the internet. Therefore many firms are capitalizing on the power of the internet by doing series of online promotion. (Adage, 2013) Online retail sales according to Bloomberg went up by 2 percent last year (adage, 2013). The surging internet purchase indicates that Chinese consumers are moving away from bricks and mortar outlets for their shopping. Opportunities of online CRM and sales include: Wider reach. Using the internet, Nespresso can keep up with a large number of its customers on a daily or weekly basis. Advertising. Nespresso can also use the internet to advertise its product to millions of customers at the same time. This could be cheaper to operate too. Segmenting purposes.
The record of customers and their previous purchases can help Nespresso in automatically segmenting its customers based on purchase history. Feedback and adjustment. Customer feedback is very important as this information can be used in making services or products better. Despite the attractive and promising nature of using the internet, investors and firms should also consider the drawbacks of using the internet for sales and communication. The Chinese government recently imposed a new law regarding e-commerce in China. The law stipulates real name registration of sellers on third party platforms, a strict seven days return policy, and also that online payment market places must safeguard users’ privacy. (Pac net services, 2014) Another report says the government is imposing a law where all consumer to consumer online traders would have to register for a business license and also pay taxes (China daily, 2014). Legal system. There are different legal restrictions and regulations from government and regulatory bodies. Payment environment: the cash payment culture of the Chinese creates difficulties for online shopping. International credit cards are not accepted in most online shops. There is unavailability of credit card payment in most transactional websites. The online payment system in China is still at an infant stage. Logistics network environment: there is a restriction on foreign investment of logistics companies. Limited choices of delivery; therefore, much more time is spent on delivery (jitm, 2007). QUESTION THREE Despite the large number of internet users I personally would recommend that Nespresso adopt another marketing strategy as it will be very harmful to assume that the Nespresso club would work in the Chinese market.
From careful observation of the forces at work in the Chinese market environment, I can say that there is a high level of government protectionism and regulation on internet businesses (e-commerce) that tends to favor Chinese owned firms and businesses. Report has it that not only were a lot of websites blocked in China, there were also Chinese replacements. Sites blocked include Facebook, Yahoo, Google, Twitter, YouTube etc. According to report, the British newspaper The Guardian along with The New York Times and Bloomberg news have been blocked in China for over a year. Motives for this act remain unknown (Taipei Times, 2014). Nespresso’s use of the internet is limited as not so much can be achieved due to interference by the government; therefore using the internet could hinder performance as there is too much interference from the government. Nespresso should adapt its marketing mix to overcome the current situation of internet insecurity so as to reduce reliance on the internet. Though the internet can be used to position the Nespresso brand image in the minds of the consumers for sales, or advertising or customer relationship, it won’t be a wise business decision to apply the Nespresso club concept in China because the government can decide to blacklist them just like the case of Facebook. Nespresso should create more awareness about its brand to the Chinese public, especially the less educated ones, explaining the difference between house coffee and the Nespresso brand. Lastly, since there is already a tea drinking tradition amongst the Chinese population, Nespresso should consider a local adaptation which involves offering other kinds of hot drinks so as to have a variety of products for its ever growing tea drinking customers.