Solaris BSM auditing provides the following features to help you interpret audit records:
- The audit ID assigned to a user's processes stays the same even when the user ID changes.
- Each session has an audit session ID.
- Full path names are saved in audit records.
Because each audit record contains an audit ID that identifies the user who generated the event, and because full path names are recorded in audit records, you can look at individual audit records and get meaningful information without looking back through the audit trail.
Solaris BSM processes have an additional user identification attribute not associated with processes in the standard Solaris release: the audit ID. A process acquires its audit ID at login time, and this audit ID is inherited by all child processes.
Solaris BSM processes have an audit session ID assigned at login time. The ID is inherited by all child processes.
The Solaris BSM audit records contain all the relevant information about an event and do not require you to refer to other audit records to interpret what occurred. For example, an audit record describing a file event contains the file's full path name starting at the root directory and a time and date stamp of the file's opening or closing.
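The following added example (not part of the original documentation) shows how these properties let each record be attributed on its own. It parses constructed records laid out like the default text output of `praudit`, one token per line, and flags records where the effective user ID no longer matches the audit ID. The sample data, the user and host names, and the assumed subject-token field order are illustrative assumptions.

```python
# Constructed sample in the default praudit text layout (one token per line).
# Assumed subject-token field order: audit ID, effective UID, effective GID,
# real UID, real GID, process ID, audit session ID, terminal ID.
SAMPLE = """\
header,113,2,open(2) - read,,Mon Mar 04 10:15:02 2002, + 480 msec
path,/export/home/jdoe/notes.txt
subject,jdoe,jdoe,staff,jdoe,staff,1021,987,0 0 host1
return,success,0
header,109,2,open(2) - read,,Mon Mar 04 10:17:40 2002, + 120 msec
path,/etc/shadow
subject,jdoe,root,other,root,other,1060,987,0 0 host1
return,success,0
header,110,2,open(2) - read,,Mon Mar 04 10:18:05 2002, + 300 msec
path,/etc/passwd
subject,asmith,asmith,staff,asmith,staff,2210,1001,0 0 host2
return,success,0
"""


def parse_records(text):
    """Yield one dict per audit record; a header token starts a new record."""
    rec = None
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        if token == "header":
            if rec:
                yield rec
            # byte count, version, event name, event modifier, timestamp
            fields = rest.split(",", 4)
            rec = {"event": fields[2], "time": fields[4]}
        elif rec is None:
            continue  # ignore stray tokens that appear before any header
        elif token == "path":
            rec["path"] = rest  # full path name, starting at the root directory
        elif token == "subject":
            f = rest.split(",")
            rec.update(audit_id=f[0], euid=f[1], ruid=f[3], pid=f[5], session=f[6])
        elif token == "return":
            rec["status"] = rest.split(",")[0]
    if rec:
        yield rec


def uid_changes(records):
    """Records whose effective UID differs from the audit ID set at login."""
    return [r for r in records if r.get("audit_id") != r.get("euid")]
```

In the sample, the second record runs with an effective user ID of root but still carries the audit ID and session ID assigned to jdoe at login, so it can be attributed without consulting earlier records.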